The Weapon’s Edge
Doug Bernard | March 27th 2012
On January 17th, 1991, as the 34-nation coalition of Operation Desert Storm prepared for its first aerial bombardment of targets in Iraq, the U.S. military sprung a surprise.
Iraqi radar screens suddenly blinked and went dark, momentarily blinding Saddam Hussein’s military. The “Kari” radar control system had been infected with a computer virus, planted and controlled by the Pentagon. “It was a French system,” notes intelligence historian Matthew Aid of the Iraqi radar control. “They gave us the schematics and we found a way to insert some buggies into their system as the first wave of American bombers streaked toward Baghdad.”
It worked brilliantly. Iraq’s defenses were paralyzed, allied bombers faced no serious opposition, and the U.S. became the first-ever nation to launch a documented cyber-attack.
Since then, war and conflict—like many other things—have increasingly moved online. In Kosovo, Lebanon, Estonia, Georgia and elsewhere, digital weapons have been deployed to create mischief, havoc and damage. Now, as tensions rise between Iran and the U.S. and Israel, serious questions are being asked about whether the coming months may bring a new cyberwar, and what it may mean for the world.
Cyber-Doom or Cyber-Hype?
“The term cyberwar is really just a marketing gimmick,” says Aid, whose book The Secret Sentry is considered the definitive history of the super-secret National Security Agency (NSA). Aid says there’s no clear definition of what online war is because, by its very nature, it defies clear definition:
“There’s offensive war, which runs the gamut from hackers trying to steal your banking information, but also the use of intelligence agencies such as the NSA hacking into the governments of foreign nations and terrorist organizations to find out what their intentions and capabilities are. Then there’s the defensive side, with varying government agencies squabbling about who has the authority to defend American corporations and citizens from cyber-attacks from abroad. There was no one term, so they slapped the label ‘cyberwar’ on it.”
Among those who have embraced the term is Richard Clarke, former counter-terrorism adviser on the National Security Council and author of the best-selling Cyber War. Since its publication in 2010, Clarke has popularized the phrase and warned the public about the risks of online warfare with a series of worrisome predictions. “A cyber-attack could disable trains all over the country,” he recently told Fresh Air radio host Terry Gross:
“It could blow up pipelines. It could cause blackouts and damage electrical power grids so that the blackouts would go on for a long time. It could wipe out and confuse financial records, so that we would not know who owned what, and the financial system would be badly damaged. It could do things like disrupt traffic in urban areas by knocking out control computers. It could, in nefarious ways, do things like wipe out medical records.”
Planes could fall from the skies, says Clarke; water systems could be flooded with sewage; and panicked mobs could run riot. More alarmingly, he claims all this could happen in just 15 minutes.
Pretty scary stuff. So scary, in fact, that Clarke’s 15-minute claim has led the University of Utah’s Sean Lawson to coin his own somewhat mocking term: “cyber-doom.”
“Things are exploding, planes are crashing, thousands of people die,” says Lawson of predictions of digital apocalypse. “And of course in reality we haven’t seen any cyber-attacks that come anywhere close to causing these kinds of impacts.” Lawson chides those like Clarke who frighten the public with a combination of worst-case events and a mish-mash of Internet jargon. War is war, he says, and no nation has—yet—launched a digital war on another:
“The conflation of lots of very different kinds of threats into one sort of umbrella term of cyberwar is actually a rhetorical tactic that’s used to try to help motivate a response. We get very ambiguous in our use of language. But also we’re getting sloppy with our use of terms like war and attack. In this way of thinking, it’s not just physical damage against property or damage or injury caused to people or death and destruction that are the key components of war, but now stealing information or taking down a website or defacing a website gets lumped under the term war. Which really cheapens what the word war means.”
To be certain, everyone we spoke with for this piece, Lawson included, agrees that digital weapons exist and have been used. Nearly all observers now believe that Russian authorities, working unofficially with crime rings and patriotic youth groups like the Nashi, launched significant attacks on Estonia and Georgia, crashing computer systems and creating short-term Internet mayhem. The hacker-hive Anonymous targeted various autocratic Arab regimes, recently stealing a cache of private emails and embarrassing documents from Syrian President Bashar al-Assad. And of course in 2010, Iranian centrifuges, used in nuclear fuel processing, were damaged by the Stuxnet virus—an attack that no one has yet claimed responsibility for.
But scenarios of full-blown digital disasters, like Clarke’s, can make for jumpy nerves. And that can lead to bad assumptions.
Notoriously Interconnected … and Wrong
Consider the case of a water treatment plant (the name of which has not been released publicly) in Springfield, Illinois. On November 8th last year, a critical water pump at the plant failed, temporarily shutting down operations. Little more than a week later, state officials blamed cyberterrorists and warned of more Stuxnet-like attacks.
“This is a big deal,” blogged Joe Weiss, president of Applied Control Solutions and a self-identified control-system security expert. “It’s arguably the first case where we’ve had critical infrastructure targeted by people outside the US and equipment damaged as a result. But the really big issue is that someone hacked … just to get at the user-IDs and passwords for the utilities that were its customers.” Illinois officials pointed the finger at Russia.
Except Weiss and the terror officials were wrong. It turns out the pump just failed, and that by coincidence a contract worker at the plant logged into its control system while traveling in Russia. The error was quickly pointed out, but consider for a moment: even if true, Illinois couldn’t retaliate against a foreign nation. The United States can. If the same thing happened amid heightened public jitters, with officials blaming Iran and an increasingly bellicose Persian Gulf, the U.S. military could possibly have responded—with either digital bombs or real ones.
The lesson: industrial, financial, and communications digital systems are notoriously interconnected on the Internet, often in ways that aren’t apparent. And tracking down those responsible for attacks is even more complicated.
“You just may never know,” says Stewart Baker. “One of the problems with our industrial control systems is there’s no forensic, look-back capability. If it blows up, pretty much all you know is it blew up.”
Baker is a former Asst. Secretary of Homeland Security and currently a partner at the legal firm Steptoe and Johnson. Baker says a large-scale attack on the U.S. could be devastating (although probably not reaching “cyber-doom” levels). But, he says, such an attack is unlikely since the Department of Defense announced its new cyberwar policies in 2011, giving itself a free hand to respond to an Internet attack in any way it sees fit, including blowing things up for real.
Recently, the Washington Post’s Ellen Nakashima had the eye-opening story “Pentagon Ups Ante on Cyber Front.” Nakashima reports that the Pentagon is “accelerating efforts to develop a new generation of cyberweapons,” that could disrupt adversaries in a variety of ways. However, few specific weapons are discussed in the story, which is not surprising, considering the nature of Internet combat.
“You pretty much only get to use these weapons once,” says Baker, noting that after a specific device like Stuxnet is deployed, it’s quickly countered by computer engineers. For his part, Baker likens cyberweapons to the first airplanes used in the First World War—as instruments primarily of surveillance:
“In order to plant a cyber-weapon you have to break into somebody’s electronic systems. If you’re in their systems, you might as well gather intelligence about them first. I hope we’re breaking into the systems of nations we think are likely to be adversaries, and I would think it would make sense for us to try to take over those systems and make them work for us. Iraqi generals got messages over their secure networks telling them how to surrender. That has a profound psychological impact. I’m not sure that’s a weapon, but it sure works. Whether we go beyond that and start breaking things, as we’ve realized the shoe can be on the other foot; we’ve gotten much more cautious about that idea.”
Iran and the Online Battlefield
Debate about what it actually looks like aside, digital battle has its limits. For example, in 2001, when the U.S. military was preparing to battle the Taliban, cyberwar was considered. However, says Matthew Aid, “We tried to use it in Afghanistan but we found the Taliban’s computer systems were so antique that cyberwar didn’t work.”
Or take 2003, when the U.S. invaded Iraq. While the radar-bug trick had worked in 1991, it didn’t work this time. Nor would other possible options, writes Charles Smith:
“Military officials had planned to attack the Iraqi banking and financial network during the opening phase of the USAF campaign against Saddam Hussein. However, planners later rejected the idea because the Iraqi banking network is linked to a financial communications network located in France. According to Pentagon sources, an information warfare attack on the Iraqi financial network might also bring down banks and ATM machines in Europe as well.”
Different theaters of war require different weapons, and potentially different rules, says former Department of Homeland Security Asst. Secretary Stewart Baker. “There are people today who believe that war is evolving in such a way as to allow very detailed rules as to what warriors can do,” he says. However:
“The real law of war, putting aside political constraints, tends to be much more ad hoc. It is the things that both sides decide they are not prepared to do. And usually that’s a mix of humanity, basic morality, and hard-headed assessment that it won’t do much good but will cause massive pain if the enemy does it to you. I’m sure there are plenty of international law professors who would be appalled at what I just said, but I do think when you’re in an existential struggle, the ‘law of war’ is very much based on what did the other guy do to me, and am I willing to do that back to him.”
So what weapons might Iran, Israel and the U.S. possess, and what could a battle look like? Answering that is one part intuition, one part experience, and a whole lot of guesswork.
“The Iranians … have a fairly robust cyberwar capability,” says Matthew Aid. “If they think the threat is real, they could unleash the weapons that they have available to them in sort of a preemptive mode, or in a post-attack retaliatory mode. There are a couple universities outside Tehran that specialize in real-time research into cyberwar, offensive and defensive. My concern is that if the Iranians think the balloon is about to go up they could launch that capability.”
In small-level hacks, both Iran and Israel have demonstrated skill at fouling up each other’s online activities. But Baker and Aid agree both nations probably possess far more potent “logic bombs” and other digital weaponry they haven’t yet used. A genuine online war between the two could get ugly very quickly.
That said, the battles might actually start small. Think online skirmishes between angry bands of nationalist hackers, busting into systems and defacing websites, but doing no serious long-term damage. Or perhaps, says Matthew Aid, should Israel decide to strike Iranian targets, it might begin with online operations to knock out crucial defense systems, “… like the artillery barrage before the cavalry goes up the hill.” That, cautions professor Sean Lawson, would probably elicit a response from Iran, and soon after from allies like Hezbollah, Syria, and possibly even North Korea. And if that were to happen, hacker havens like Russia, China, and those in Europe and North America might soon join the fray. One genuine danger of cyberwar, says Lawson, is how quickly it could spread around the globe.
Another possibility is that the U.S. may then punch first, yet most agree that’s unlikely. More probable is a punch back with undetermined weaponry, followed up with proxy attacks on a wide range of targets. Or perhaps, if a more severe conflict were in the offing, digital warriors might try to disable the FALCON and Gulf Bridge International submarine communications cables—the primary links between Iran and the rest of the digital world. That, however, could also affect Kuwait, Bahrain, and other Persian Gulf nations. As has been said, everything on the Internet is connected to something else.
Whatever the tools at hand, everyone agrees the U.S. has the most sophisticated digital weaponry available. And if the Pentagon were to hit Iran online, it would probably start from Fort Meade, Maryland—home to the U.S. Cyber Command and the NSA. If the past holds true, any digital weapons launched from there would serve mostly as a support function for other military activities—much like blinding Iraq’s radar before aerial bombardment. “Like all weapons, you use the mix of whatever you have available to you in order to ensure maximal effect,” says intelligence historian Matthew Aid. “If you put a little bug into someone’s air defense system, it makes a big difference. If the computer tells the radar systems to suddenly drop, take a nap, that makes the job of the bombers that much easier.” But then again, the world has yet to see the full arsenal of computer bombs and digital missiles on display.
The University of Utah’s Sean Lawson agrees that online combat, in any of its many forms, could deliver a hard blow to the U.S. or its adversaries. But those, like Richard Clarke, who warn of a “cyber Pearl Harbor” or “digital September 11th” are missing the mark, he says.
“We’ve heard this story before, we’ve heard it for a long time. When you add in the fact that a lot of people who are trumpeting cyber-war the loudest also have a bureaucratic, institutional or economic stake in getting us to believe these things. That’s not to say there aren’t threats; we’ve seen a lot of instances of private intellectual property being stolen, we’ve seen instances of espionage. What I’m concerned about is the use of doom scenarios and inflated hype that might cause us to overreact, or underreact, because we’re focusing on the worst possible cases.”
Doug Bernard writes from the digital frontier for VOA News, from where this article is adapted.