In the March/April 2012 issue of Foreign Policy Magazine, Thomas Rid wrote an article called Think Again: Cyberwar. The subtitle was: Don’t Fear the Digital Bogeyman Virtual Conflict is Still More Hype Than Reality. He states his premise up front:
“Time for a reality check: Cyberwar is still more hype than hazard. Consider the definition of an act of war: It has to be potentially violent, it has to be purposeful, and it has to be political. The cyberattacks we’ve seen so far, from Estonia to the Stuxnet virus, simply don’t meet these criteria.”
He then goes on to build some powerful arguments to support his case. I thought the article was well written but he missed a couple of key points. First, his definition of war is outdated and doesn’t take in the new reality of how wars are and will be conducted in the 21st century. In terms of warfare, cyber is many things. It’s a weapon and it’s a domain that military forces operate in. Cyber is also the backbone of how our highly technical military operates. Cyber attacks have the potential to cripple military operations. A generation used to computers doing a lot of work that was done manually in past conflicts would be forced to learn new ways of doing business on the fly and possibly in the midst of simultaneously conducting combat operations.
Here I’m talking about a potential situation of Country A launching a land based cruise missile at a US ship as it transits through a strait. Now computers provide tracking information that helps you know its location as it heads towards your ship so you can direct weapons to shoot it down. If the country launching the missile used a cyber weapon to shut down the ships computers before launching the missile, these calculations would have to be done manually.
Another related point is that cyber can be used as a stand alone weapon or as one of many (bombs, missiles, etc) used in a war plan. As stated by former Deputy Secretary of Defense William Linn III in a September 2011 article in Foreign Affairs magazine: “In the twenty-first century, bits and bytes are as threatening as bullets and bombs.”
It’s not just the definition of war, but many of the laws and regulations addressing cyber are either outdated or simply don’t exist in a form needed to adequately address cyber issues. Nations, to include our own, are still debating what constitutes a cyber attack and what constitutes a cyber act of war and what constitutes a cyber crime.
On May 17 during the U.S.Counter Terror Expo, one of the panels was titled Hacktivism: A New Terror Vector? The session was opened referencing a “statement from FBI Director Mueller that the network disruptions and intrusions common to groups like Anonymous may soon be classified as terrorism.” One of the panel participants, Melissa Hathaway, who led the 60 day White House Cyber Policy Review, discussed how “how the Internet was leveraged by terrorists both in the planning and operational stages of the 2008 Mumbai attacks. Cyber enables non-state actors to shorten their decision cycle, giving them a distinct advantage over law enforcement officials hamstrung by obsolete policies and technology, according to Ms. Hathaway”.
As to whether or not the cyberwar threat is mostly hype, I don’t believe it is. The challenge in writing about the topic gets me to the second criticism I have of the Thomas Rid article. Unless you’re working for those portions of the government evaluating the cyber threat you simply don’t have access to all of the information needed to determine what is and is not going on with cyber threats. A lot of the details remain classified or in the case of many companies remain unreported. This is an issue currently being worked on in the various proposed Congressional legislation.
Case in point, on 22 May during a meeting of the Homeland Security and Governmental Affairs Committee it was reported that al Qaeda had released a video calling for an “Electronic Jihad.” A report on the Committee’s web site stated:
“The video explicitly calls for cyber attacks against the networks of both government and life-sustaining critical infrastructure, including the electric grid, and compares vulnerabilities in U.S. critical cyber networks to the vulnerabilities in our aviation system prior to 9/11.
‘This is the clearest evidence we’ve seen that Al Qaeda and other terrorist groups want to attack the cyber systems of our critical infrastructure,’ Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., said.”
What jumped out at me was the FBI obtained the video a year ago through open sources. The information may be unclassified but I suspect the various government agencies have lots of classified information from various sources supporting this and other threats of cyberwar. This brings me to the main reason I sat down today to write this blog. On May 14th, I participated in a Department of Defense Bloggers Roundtable With Eric Rosenbach, Deputy Assistant Secretary of Defense for Cyber Policy, and Richard Hale, Deputy Chief Information Officer for Cybersecurity Via Teleconference Subject: The Pentagon’s Recent Initiatives to Improve Defense Industrial Base (DIB) Network Defenses and Allow DIB Companies and the Government to Reduce Damage to Critical Programs When Defense Information is Compromised.
I’ll provide the details of the Bloggers Roundtable this weekend, but would like to conclude with a little more background. In a 2011 Foreign Affairs article, Mr. Linn discussed the Department of Defenses strategy for cyberwar:
“To meet this growing threat, the Department of Defense developed a strategy for operating in cyberspace that has five pillars: treating cyberspace as an operational domain, like land, air, sea, and outer space; employing active defenses to stop malicious code before it affects our networks; protecting commercial networks that operate the critical infrastructure that our military relies upon; joining with allies to mount a collective cyberdefense; and mobilizing industry to redesign network technology with security in mind. Extending advanced cyberdefenses to critical infrastructure is one of the strategy’s most crucial objectives. Cyber intrusions have been directed at nearly every sector of our economy infrastructure….Current countermeasures have not stopped this outflow of sensitive information. In response, the Department of Defense, in partnership with DHS and a handful of defense companies, has established a pilot program to provide more robust protection for private networks. In the Defense Industrial Base (DIB) Cyber Pilot, the government shares classified threat intelligence with private companies or their Internet service providers. The intelligence is then integrated into companies’ own network defenses. Because it builds off commercial technologies, the DIB Cyber Pilot provides additional protection for only an incremental increase in cost.
Moreover, the project does not entail U.S.government monitoring, intercepting, or storing of private sector communications, and it is voluntary for all participants.”
Thank I’ll end here. As always, my views are my own.