The Weapon’s Edge
|Back to Security|
|Doug Bernard||March 27th 2012|
On January 17th, 1991, as the 34-nation coalition of Operation Desert Storm prepared for its first aerial bombardment of targets in Iraq, the U.S. military sprung a surprise.
Iraqi radar screens suddenly blinked and went dark, momentarily blinding Saddam Hussein’s military. The “Kari” radar control system had been infected with a computer virus, planted and controlled by the Pentagon. “It was a French system,” notes intelligence historian Matthew Aid of the Iraqi radar control. “They gave us the schematics and we found a way to insert some buggies into their system as the first wave of American bombers streaked toward Baghdad.”
It worked brilliantly. Iraq’s defenses were paralyzed, allied bombers faced no serious opposition, and the U.S. became the first-ever nation to launch a documented cyber-attack.
Since then, war and conflict—like many other things—have increasingly moved online. In Kosovo, Lebanon, Estonia, Georgia and elsewhere, digital weapons have been deployed to create mischief, havoc and damage. Now, as tensions rise between Iran and the U.S. and Israel, serious questions are being asked about whether the coming months may bring a new cyberwar, and what it may mean for the world.
Cyber-Doom or Cyber-Hype?
“The term cyberwar is really just a marketing gimmick,” says Aid, whose book The Secret Sentry is considered the definitive history of the super-secret National Security Agency (NSA). Aid says there’s no clear definition of what online war is because, by its very nature, it defies clear definition:
“There’s offensive war, which runs the gamut from hackers trying to steal your banking information, but also the use of intelligence agencies such as the NSA hacking into the governments of foreign nations and terrorist organizations to find out what their intentions and capabilities are. Then there’s the defensive side, with varying government agencies squabbling about who has the authority to defend American corporations and citizens from cyber-attacks from abroad. There was no one term, so they slapped the label ‘cyberwar’ on it.”
Among those who have embraced the term is Richard Clarke, former counter-terrorism adviser on the National Security Council and author of the best-selling Cyber War. Since its publication in 2010, Clarke has popularized the phrase and warned the public about the risks of online warfare with a series of worrisome predictions. “A cyber-attack could disable trains all over the country,” he recently told Fresh Air radio host Terry Gross:
“It could blow up pipelines. It could cause blackouts and damage electrical power grids so that the blackouts would go on for a long time. It could wipe out and confuse financial records, so that we would not know who owned what, and the financial system would be badly damaged. It could do things like disrupt traffic in urban areas by knocking out control computers. It could, in nefarious ways, do things like wipe out medical records.”
Planes could fall from the skies, says Clarke; water systems could be flooded with sewage; and panicked mobs could run riot. More alarmingly, he claims all this could happen in just 15 minutes.
Pretty scary stuff. So scary, in fact, that Clarke’s 15 minute claim has led the University of Utah’s Sean Lawson to coin his own somewhat mocking term: “cyber-doom.”
“Things are exploding, planes are crashing, thousands of people die,” says Lawson of predictions of digital apocalypse. “And of course in reality we haven’t seen any cyber-attacks that come anywhere close to causing these kinds of impacts.” Lawson chides those like Clarke who frighten the public with a combination of worst-case events and a mish-mash of Internet jargon. War is war, he says, and no nation has—yet—launched a digital war on another:
“The conflation of lots of very different kinds of threats into one sort of umbrella term of cyberwar is actually a rhetorical tactic that’s used to try to help motivate a response. We get very ambiguous in our use of language. But also we’re getting sloppy with our use of terms like war and attack. In this way of thinking, it’s not just physical damage against property or damage or injury caused to people or death and destruction that are the key components of war, but now stealing information or taking down a website or defacing a website gets lumped under the term war. Which really cheapens what the word war means.”
To be certain, everyone we spoke with for this piece, Lawson included, agrees that digital weapons exist and have been used. Nearly all observers now believe that Russian authorities, working unofficially with crime rings and patriotic youth groups like the Nashi, launched significant attacks on Estonia and Georgia, crashing computer systems and creating short-term Internet mayhem. The hacker-hive Anonymous targeted various autocratic Arab regimes, recently stealing a cache of private emails and embarrassing documents from Syrian President Bashar al-Assad. And of course in 2010, Iranian centrifuges, used in nuclear fuel processing, were damaged by the Stuxnet virus—an attack that no-one has yet claimed responsibility for.
But scenarios of full blown digital disasters, like Clarke’s, can make for jumpy nerves. And that can lead to bad assumptions.
Notoriously Interconnected … and Wrong
Consider the case of a water treatment plant (the name of which has not been released publicly) in Springfield, Illinois. On November 8th last year, a critical water pump at the plant failed, temporarily shutting down operations. Little more than a week later, state officials blamed cyberterrorists and warned of more Stuxnet-like attacks.
“This is a big deal,” blogged Joe Weiss, president of Applied Control Solutions and a self-identified control-system security expert. “It’s arguably the first case where we’ve had critical infrastructure targeted by people outside the US and equipment damaged as a result. But the really big issue is that someone hacked … just to get at the user-IDs and passwords for the utilities that were its customers.” Illinois officials pointed the finger at Russia.
Except Weiss and the terror officials were wrong. It turns out the pump just failed, and that by coincidence a contract worker at the plant logged into its control system while traveling in Russia. The error was quickly pointed out, but consider for a moment: even if true, Illinois couldn’t retaliate against a foreign nation. The United States can. If the same thing happened amid heightened public jitters, with officials blaming Iran and an increasingly bellicose Persian Gulf, the U.S. military could possibly have responded—with either digital bombs or real ones.
The lesson: industrial, financial, and communications digital systems are notoriously interconnected on the Internet; often in ways that aren’t apparent. And tracking down those responsible for attacks is even more complicated.
“You just may never know,” says Stewart Baker. “One of the problems with our industrial control systems is there’s no forensic, look-back capability. If it blows up, pretty much all you know is it blew up.”
Baker is a former Asst. Secretary of Homeland Security and currently a partner at the legal firm Steptoe and Johnson. Baker says a large-scale attack on the U.S. could be devastating (although probably not reaching “cyber-doom” levels.) But, he says, such an attack is unlikely since the Department of Defense announced its new cyberwar policies in 2011, giving itself a free hand to respond to an Internet attack in any way it sees fit, including blowing things up for real.
Recently, Washington Post‘s Ellen Nakashima had the eye-opening story “Pentagon Ups Ante on Cyber Front.” Nakashima reports that the Pentagon is “accelerating efforts to develop a new generation of cyberweapons,” that could disrupt adversaries in a variety of ways. However few specific weapons are discussed in the story, which is not surprising, considering the nature of Internet combat.
“You pretty much only get to use these weapons once,” says Baker, noting that after a specific device like Stuxnet is deployed, it’s quickly countered by computer engineers. For his part, Baker likens cyberweapons to the first airplanes used in the First World War—as instruments primarily of surveillance:
“In order to plant a cyber-weapon you have to break into somebody’s electronic systems. If you’re in their systems, you might as well gather intelligence about them first. I hope we’re breaking into the systems of nations we think are likely to be adversaries, and I would think it would make sense for us to try to take over those systems and make them work for us. Iraqi generals got messages over their secure networks telling them how to surrender. That has a profound psychological impact. I’m not sure that’s a weapon, but it sure works. Whether we go beyond that and start breaking things, as we’ve realized the shoe can be on the other foot; we’ve gotten much more cautious about that idea.”
Iran and the Online Battlefield
Debate about what it actually looks like aside, digital battle has its limits. For example, in 2001, when the U.S. military was preparing to battle the Taliban, cyberwar was considered. However, says Matthew Aid, “We tried to use it in Afghanistan but we found the Taliban’s computer systems were so antique that cyberwar didn’t work.”
Or take 2003, when the U.S. invaded Iraq. While the radar-bug trick had worked in 1991, it didn’t work this time. Nor would other possible options, writes Charles Smith:
“Military officials had planned to attack the Iraqi banking and financial network during the opening phase of the USAF campaign against Saddam Hussein. However, planners later rejected the idea because the Iraqi banking network is linked to a financial communications network located in France. According to Pentagon sources, an information warfare attack on the Iraqi financial network might also bring down banks and ATM machines in Europe as well.”
Different theaters of war require different weapons, and potentially different rules, says former Department of Homeland Security Asst. Secretary Stewart Baker. “There are people today who believe that war is evolving in such a way as to allow very detailed rules as to what warriors can do,” he says. However:
“The real law of war, putting aside political constraints, tends to be much more ad hoc. It is the things that both sides decide they are not prepared to do. And usually that’s a mix of humanity, basic morality, and hard-headed assessment that it won’t do much good but will cause massive pain if the enemy does it to you. I’m sure there are plenty of international law professors who would be appalled at what I just said, but I do think when you’re in an existential struggle, the ‘law of war’ is very much based on what did the other guy do to me, and am I willing to do that back to him.”
So what weapons might Iran, Israel and the U.S. possess, and what could a battle look like? Answering that is one part intuition, one part experience, and a whole lot of guesswork.
“The Iranians … have a fairly robust cyberwar capability,” says Matthew Aid. “If they think the threat is real, they could unleash the weapons that they have available to them in sort of a preemptive mode, or in a post-attack retaliatory mode. There are a couple universities outside Tehran that specialize in real-time research into cyberwar, offensive and defensive. My concern is that if the Iranians think the balloon is about to go up they could launch that capability.”
In small-level hacks, both Iran and Israel have demonstrated skill at fouling up each others online activities. But Baker and Aid agree both nations probably possess far more potent “logic bombs” and other digital weaponry they haven’t yet used. A genuine online war between the two could get ugly very quickly.
That said, the battles might actually start small. Think online skirmishes between angry bands of nationalist hackers, busting into systems and defacing websites, but doing no serious long-term damage. Or perhaps, says Matthew Aid, should Israel decide to strike Iranian targets, it might begin with online operations to knock out crucial defense systems, “… like the artillery barrage before the cavalry goes up the hill.” That, cautions professor Sean Lawson, would probably elicit a response from Iran, and soon after from allies like Hezbollah, Syria, and possibly even North Korea. And if that were to happen, hacker havens like Russia, China, and those in Europe and North America might soon join the fray. One genuine danger of cyberwar, says Lawson, is how quickly it could spread around the globe.
Another possibility is that the U.S. may then punch first, yet most agree that’s unlikely. More probable is a punch back with undetermined weaponry, followed up with proxy attacks on a wide range of targets. Or perhaps, if a more severe conflict were in the offing, digital warriors might try to disable the FALCON and Gulf Bridge International submarine communications cables—the primary links between Iran and the rest of the digital world. That, however, could also affect Kuwait, Bahrain, and other Persian Gulf nations. As has been said, everything on the Internet is connected to something else.
Whatever the tools at hand, everyone agrees the U.S. has the most sophisticated digital weaponry available. And if the Pentagon were to hit Iran online, it would probably start from Fort Meade, Maryland—home to the U.S. Cyber Command and the NSA. If the past holds true, any digital weapons launched from there would serve mostly as a support function for other military activities—much like blinding Iraq’s radar before aerial bombardment. “Like all weapons, you use the mix of whatever you have available to you in order to ensure maximal effect,” says intelligence historian Matthew Aid. “If you put a little bug into someone’s air defense system, it makes a big difference. If the computer tells the radar systems to suddenly drop, take a nap, that makes the job of the bombers that much easier.” But then again, the world has yet to see the full arsenal of computer bombs and digital missiles on display.
The University of Utah’s Sean Lawson agrees that online combat, in any of its many forms, could deliver a hard blow to the U.S. or its adversaries. But those, like Richard Clarke, who warn of a “cyber Pearl Harbor” or “digital September 11th” are missing the mark, he says.
“We’ve heard this story before, we’ve heard it for a long time. When you add in the fact that a lot of people who are trumpeting cyber-war the loudest also have a bureaucratic, institutional or economic stake in getting us to believe these things. That’s not to say there aren’t threats; we seen a lot of instances of private intellectual property being stolen, we’ve seen instances of espionage. What I’m concerned about is the use of doom scenarios and inflated hype that might cause us to over react, or under react, because we’re focusing on the worst possible cases.”
Doug Bernard writes from the digital frontier for VOA News, from where this article is adapted.