Mankind has been developing new weapons of mass destruction (WMD) almost from the beginning of armed conflict. In modern usage, WMD has typically referred to nuclear, chemical, biological, and radiological weapons. Since the early 1990s, however, a new type of WMD – a weapon of mass disruption – has evolved from a relative nuisance into something with the potential to rival the worst traditional WMDs in effect.
In less than two decades, the Internet and the application that made it usable by non-specialists – the World Wide Web – have changed the way mankind creates and exchanges information, at both the individual and nation-state levels. E-mail and social networks such as Facebook and Twitter, along with other online services, have largely replaced paper communications through the postal services for everything from birthday greetings to “distance learning,” financial transactions and the exchange of critical information.
Originally designed in the 1960s by the Defense Advanced Research Projects Agency (DARPA, then known as ARPA) to simplify and speed up collaboration on defense projects among the military services and labs, academia, and industry, the ARPANET began opening to civilian users in the 1980s. It was not until the following decade, however, that it began to gain broad acceptance, thanks to the introduction of the Web. Viewed through graphical browsers, the Web gave the network the look, feel, and comparative simplicity of use generally thought of as the Internet today.
Combined with increasingly inexpensive personal computers, the Web enabled the Internet to grow into every facet of life – personal, business, financial, government, military, etc. – with unprecedented speed. By the dawn of the 21st century, after less than a decade, it had become indispensable to all those uses and users. And with that growth came a new breed of online criminals, vandals, spies, terrorists, and cyberwarriors.
A term that, less than a generation ago, would have been used only in science fiction, cyberwar has now become a major part of every nation’s military planning, both offensive and defensive. With its ties to nearly every major institution and infrastructure component, much of what makes modern society function is vulnerable to non-physical attack from anywhere on Earth. Or in orbit above it. That includes systems whose primary command and control are considered secure because they do not link to the public Internet: an isolated network is harder to reach, but, as the Stuxnet case discussed later in this article shows, it is not unreachable.
“Secure” systems, running on their own private, encrypted intranets – some restricted to a single building or even an individual room, others connecting multiple sites – also are targets. With the right code and a way to get it onto the network, an attacker could shut down a power grid, from a few city blocks to an entire continent; halt multiple levels of financial transactions; halt communications by cell phone, landline, radio, TV, and the Internet; or interfere with military and other government data flows.
According to NATO Secretary-General Anders Fogh Rasmussen, “It’s no exaggeration to say that cyber attacks have become a new form of permanent, low-level warfare.”
Defense Department (DoD) officials report tens of thousands of attacks every day against DoD systems alone, although the vast majority appear to be the work of amateur hackers testing their skills against some of the most secure computers and networks in the world. Some, however, are serious attempts to penetrate government networks, mostly to steal information, but potentially to disrupt or even gain control of vital systems. Overall, officials estimate the number of cyber attacks against all U.S. government computers and networks at hundreds of millions a month.
Such attacks can come from anywhere – an official cyberwarfare military unit, a government-sanctioned but “unofficial” group of hackers, computer experts working for a non-state criminal or terrorist group, or even a lone-wolf hacker with a personal agenda. And tracing the source of an attack with enough confidence to justify a counterattack can be difficult, at best.
The U.S. government is sufficiently concerned that, in addition to cybersecurity units within the Department of Homeland Security and across federal and state agencies, DoD stood up U.S. Cyber Command (CYBERCOM) in May 2010. A sub-unified command under Strategic Command, CYBERCOM has a mandate to take what had been separate service cybersecurity efforts and create a unified, coordinated defense covering the entire U.S. military.
“As a doctrinal matter, the DoD has declared this a domain, the cyberspace domain,” USAF Maj. Gen. Suzanne Vautrinot, CYBERCOM’s director of plans and policy, told a security conference in June. “This is the only [domain] that’s not controlled by God or Mother Nature, depending on your proclivities.”
Under the command of Army Gen. Keith Alexander, who also serves as director of the National Security Agency (NSA), CYBERCOM will coordinate – as its active force – the pre-existing capabilities of the Army Forces Cyber Command, Marine Corps Forces Cyberspace Command, 24th Air Force, and Navy Fleet Cyber Command/10th Fleet. Also brought into the new structure are the staffs of DoD’s Joint Functional Component Command for Network Warfare and the Joint Task Force-Global Network Operations.
The 24th Air Force, a component of Air Force Space Command, became the first formal military cyber force in August 2009. It was given responsibility for operating the Air Force portion of DoD’s Global Information Grid (GIG) but, given its heritage, also took on the defense of America’s space-based assets against cyber attack. That has become increasingly critical with the military’s growing reliance on GPS satellites for navigation and precision weapon guidance, as well as on satellite-based communications, surveillance, data sharing, and weather tracking.
The Marine Corps was the second service to stand up a dedicated cyber command, in January 2010, followed days later by the Navy, which also designated its command as the 10th Fleet (a numbered fleet last used during World War II for anti-submarine operations). The Army component was the only service command created after CYBERCOM stood up, officially launching ARCYBER on Oct. 1, 2010.
Part of its effort will include monitoring the activities of other nations known to be pursuing advanced offensive cyberwarfare capabilities, which include China, France, Israel, and Russia, as well as al Qaeda and other global terrorist groups. And while the United States has sought to assure both friends and potential foes it is primarily focused on defense, there is no doubt CYBERCOM also will be working to develop and advance the nation’s offensive capability with this new breed of WMD.
A major cyber attack could knock out the same infrastructure a physical strike would, potentially without directly killing anyone in the target area and, in the least destructive case, leaving the physical components intact, ready to be restored once the malicious code is removed. Neither outcome is guaranteed: an attack on industrial control systems can also drive equipment to damage or destroy itself, and any disruption of electric power and other utilities could, almost certainly would, result in fatalities from plane crashes, car wrecks, the loss of critical medical systems, etc.
In testimony to Congress in September, Alexander said an enemy cyberwarrior’s ability to scale an attack from temporary disruption to permanent damage – especially one mounted against the U.S. power grid or financial sector – could be difficult to prevent, and that such an attack, if conducted in a war zone, could be devastating to military command and control systems.
“What concerns me the most is destructive attacks that are coming – and we’re concerned that those are the next things that we will see,” he warned, adding that his new CYBERCOM currently does not have the authority needed to respond to such an attack. “We need to come up with a more dynamic or active defense. That is what we are working on right now.”
The potential damage of a major cyber attack is so great that the Strategic Defence and Security Review issued by the U.K. in October – basically the British version of DoD’s Quadrennial Defense Review – ranked it as a Tier 1 threat, two tiers above a large-scale conventional military attack. But in an era of financial crisis that is forcing all governments to make budget cuts, convincing the public and their elected representatives to spend millions, if not billions, of dollars to combat a threat that is not fully understood is a major challenge.
China was one of the first to identify the potential of cyberwarfare, not only establishing full-time military units devoted to cyberwar weapons and tactics – offensive and defensive – but proclaiming a national intent to become the world’s first and most potent cyber superpower.
In August, DoD’s annual assessment of the Chinese military said numerous attacks against computer systems in the United States and elsewhere around the world during 2009 “appear to have originated within the PRC [People’s Republic of China].”
“These intrusions focused on exfiltrating information, some of which could be of strategic or military utility. The accesses and skills required for these intrusions are similar to those necessary to conduct computer network attacks,” the report stated. “It remains unclear if these intrusions were conducted by, or with the endorsement of, the PLA [People’s Liberation Army] or other elements of the PRC government.
“However, developing capabilities for cyberwarfare is consistent with authoritative PLA military writings. In March 2009, Canadian researchers uncovered an electronic spy network, apparently based mainly in China, which had reportedly infiltrated Indian and other nations’ government offices around the world. More than 1,300 computers in 103 countries were identified.”
The report also noted the PLA has identified the seizure of what the Chinese term “electromagnetic dominance” as the key to future battlefield success – and a capability in which China is determined to be the world leader.
“PLA theorists have coined the term ‘integrated network electronic warfare’ to describe the use of electronic warfare, computer network operations and kinetic strikes to disrupt battlefield information systems that support an adversary’s warfighting and power projection capabilities. PLA writings on future models of joint operations identify ‘integrated network electronic warfare’ as one of the basic forms of ‘integrated joint operations,’ suggesting the centrality of seizing and dominating the electromagnetic spectrum in PLA campaign theory,” the authors noted. “The PLA is investing in electronic countermeasures, defenses against electronic attack and computer network operations [CNO].
“China’s CNO concepts include computer network attack, computer network exploitation and computer network defense. The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks and tactics and measures to protect friendly computer systems and networks. These units include elements of the militia, creating a linkage between PLA network operators and China’s civilian information technology professionals. Under the rubric of Integrated Network Electronic Warfare, the PLA seeks to employ both computer network operations and electronic warfare to deny an adversary access to information essential to conduct combat operations.”
The PLA, which rejected the DoD report as an attempt to blacken China’s name, officially opened what it described as its first “cyber base headquarters” in mid-2010, but quickly announced that the facility was dedicated to defending against cyber threats and has no offensive mission.
“The setting up of the base just means that our army is strengthening its capacity and is developing potential military officers to tackle information-based warfare,” an unidentified “top army official” was quoted as telling The Times of India in July. “It is a ‘defensive’ base for information security, not an offensive headquarters for cyber war.”
However, The Times of London reported NATO and European Union officials have warned member nations to increase electronic security measures in the wake of alleged significant increases in Chinese attacks on government and military computers and networks in the past year. Echoing the DoD report, the warnings said the attacks have been a combination of attempts to disrupt computer systems and efforts to extract sensitive information.
While the United States, European Union, India, and others consider China the No. 1 cyberwarfare threat, officials acknowledge other nations – both allies and potential foes – are scrambling to develop their own skills and weapons in this new domain – as are non-state terrorists, according to FBI Director Robert Mueller.
“Terrorists have shown a clear interest in pursuing hacking skills, and they will either train their own recruits or hire outsiders, with an eye towards combining physical attacks with cyber attacks,” he told a security conference in March 2010, adding a well-planned cyber attack could equal a “well-placed bomb” in causing damage or creating havoc.
Reports of attempts to hack government websites or networks often come across to the public, however, as being in the same category as the thousands of computer viruses, worms, Trojans, and even spam that everyone with a computer and an Internet connection faces every day. That cyberwarfare-level attacks are more than inconveniences was demonstrated in mid-2010 when a sophisticated worm called “Stuxnet” – which some have described as the first acknowledged “cyber weapon” – disrupted Iran’s uranium enrichment facilities.
While accusations quickly arose that the United States, Israel, or even China was behind the malware, the infection spread well beyond Iran, although some 60 percent of all infections were reported there. Apparently designed specifically to attack industrial control software from German engineering conglomerate Siemens, and through it the programmable logic controllers that software is used to program, Stuxnet eventually was discovered on more than 44,000 systems worldwide, including in Germany, Russia, China, and the United States.
“This code can automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product, and indicate to the operator and your anti-virus software that everything is functioning as expected,” Sean McGurk, head of the Department of Homeland Security’s Cybersecurity Center, told the Senate Homeland Security Committee on Nov. 17.
McGurk termed Stuxnet a “game-changer” in cyber weapons, giving attackers major new capabilities to threaten critical infrastructure anywhere in the world, especially if it were modified for use against control software other than Siemens’. He and other officials also voiced concern at the ability of its creators to cover their tracks effectively, the latest step in a growing sophistication that makes it difficult, if not impossible, to identify the source of an attack.
Dave Clemente, an international security research assistant at the U.K.’s Royal Institute of International Affairs – more typically known as Chatham House – warned the sophistication of Stuxnet, in the long run, may be less important than the ability of its users to get into the Iranian nuclear facility network.
“Governments would be wise to wake up and take notice of this attack and its lessons. The Iranian nuclear facilities are extremely isolated, with tightly controlled access. Though ringed with safeguards, critical national infrastructure around the world is generally more accessible than the Iranian sites [both physically and electronically] and therefore more vulnerable,” he wrote in a September 2010 report.
“There are very few, perhaps only a handful, of nation-states or corporate entities capable of mustering the resources needed to guide this particular weapon from creation to destruction. The Stuxnet worm demonstrates that, with enough time and resources, even a highly isolated target can be compromised.”
In “The Military Balance 2010,” the London-based International Institute for Strategic Studies (IISS) identified the future of warfare, whether against stateless terrorist groups such as al Qaeda or nation-on-nation, as most likely to be characterized by asymmetric techniques.
“Chief among these may be the use of cyber warfare to disable a country’s infrastructure, meddle with the integrity of another country’s internal military data, try to confuse its financial transactions or to accomplish any number of other possibly crippling aims,” according to the document’s foreword. “Despite evidence of cyber attacks in recent political conflicts, there is little appreciation internationally of how properly to assess cyber-conflict. We are now, in relation to the problem of cyber warfare, at the same stage of intellectual development as we were in the 1950s in relation to possible nuclear war.”
The IISS identified a number of questions that will need to be answered to successfully combat the growing cyber threat:
- When is an attack to be recognized?
- What is legitimate defense?
- Is there a doctrine of preemption applicable to the risk of cyber attacks?
- Can cyber attacks be deterred?
- Is there a method of arms control that could be applied to cyber capabilities?
- What international law can be brought to bear to regulate the risks?
In an October 2010 speech to the IISS, Iain Lobban, director of the U.K. equivalent of the NSA – the Government Communications Headquarters (GCHQ) – urged all responsible parties to find answers to such questions as part of an urgent need to address “a real and credible” threat to critical national infrastructure.
“Cyberspace is contested every day, every hour, every minute, every second. I can vouch for that from the displays in our own operations center of minute-by-minute cyber attempts to penetrate systems around the world,” he said. “Cyber is a real, live issue, bringing both threat and opportunity. It’s not a narrow security issue for the spooks, but a wide economic issue that demands a holistic response.
“Perhaps 80 percent of what we need to do is stuff we already know how to do – getting the basics of Information Assurance right will, of itself, raise the bar for malicious activity. But ‘patch and pray’ will not be enough. At the national level, getting the rest of cyber – the more difficult 20 percent – right will involve new technology, new partnerships, and investment in the right people.”
With everyone creating specialized military commands and civilian agencies and departments to defend against – or initiate – cyber attacks, from espionage to full-scale warfare, one element of this new, 21st century WMD sets it apart from all others, even the simplest chemical and biological weapons: Anyone can do it.
While the complexity of Stuxnet – and how and where it was placed – currently is considered something only a state-sponsored actor could create, experts agree that devastating cyber weapons are not outside the capability of any group, or even an individual, with the requisite skills and education. Even the smallest cell on the fringes of racial supremacist or other fanatical organizations, such as al Qaeda, could hire or “grow” such expertise, then launch nation-crippling attacks from anywhere on the Internet.
“Dependency on computer networks to perform complex tasks and control sensitive systems continues to grow. The human element remains an enduring avenue of weakness – and one which no technical solution will fully resolve,” Clemente concluded.
“Agility and robust risk management strategies are required to keep these dependencies from morphing into vulnerabilities, and there is substantial work to be done in this arena. Government ministers and captains of industry beware – the pointy end of cyberwarfare just got a lot sharper.”
This article first appeared in The Year in Defense, 2010 Review, Winter 2011 Edition.