Welcome to another edition of the "Rear Guard" Security Podcast. In this episode we're going to be discussing the problem with cyberwar.
Cyberwar was originally known as "information warfare" and burst on the InfoSec scene in 1994 when Winn Schwartau published a book entitled "Information Warfare." It was a fun book and it read like a cheap novel - partly because it was, pretty much, a cheap novel. There was a lot of exciting stuff in there about HERF guns, Van Eck monitoring, bringing down aircraft, cyberterrorism, and so on. It struck a chord in the computer security community because the Soviet Union had just collapsed and there was a sense of "realignment of mission" in the intelligence community. There were beltway bandits looking for how to spend the "peace dividend." Meanwhile, the computer security community was just beginning to wake up to the fact that we were building critical infrastructure that was vulnerable to certain attacks that could potentially lead to loss of life or tremendously expensive damage.
The concept of cyberwar originally started off from a perspective of terrorist activities or a state attacking another state using electronic means in accordance with Winn's book. And since that time we really didn't see very much of it actually happening. One of the reasons that the topic of cyberwar is confusing is that there are multiple different concepts that get conflated underneath the umbrella of cyberwar, specifically cybercrime, cyberterror, cyberespionage, and cyberwar. When you talk to someone about cyberwar and you say, "thus and such really isn't a problem," they'll say, "Well, what about the attacks that were launched against Estonia in late 2007 which basically brought the government down? That was cyberwar." No, actually, it really wasn't. It was later proven that the Russian Republic was not behind those attacks, it was a disgruntled individual who had a large botnet.
It is an interesting problem when something that appears to be "cyberwar" is later revealed to be the work of a single disgruntled individual. Whether or not an individual can meaningfully declare war on a country is a really interesting question, but we're not going to try to address that here. For the purposes of today's discussion, when we're talking about warfare, we're talking about warfare in the classical sense, which is two nation states engaging in some kind of combat operations against each other. There's a possible fourth axis here and I don't really know what to call it. My friend Paul Robertson likes to refer to it as "economic spoiling operations" - in which one nation might deliberately damage another's economy through electronic or other means simply as a way of dragging them back a little bit to clear a niche for itself to move ahead. That sort of spoiling operation also doesn't fall under the rubric of cyberwarfare, because in a warfare context we're talking about military operations, which, as Von Clausewitz would say, are politics by other means. It's the extension of state versus state political activity moved into cyberspace.
Mao, when he wrote his famous treatise on guerrilla warfare, got this correct. He said that "guerrilla warfare is not useful in the absence of a political agenda." I'm reminded of back in the late 1980s when you had terrorist organizations like the Baader-Meinhof and the Red Brigades, which I don't think you can really say were going to seriously affect the political lives of any of the people on the receiving end of their attentions. They were just sort of random crazies who were out there attached to an ideology causing trouble. That's another aspect of this fourth axis that we're not going to talk about much today, and it looks something like this: What if some crazy individual who has deep knowledge of computers decides for whatever individual reason that he is going to declare war personally on a superpower and prosecute that war? Kind of a cyberKaczynski, if you will, or a cyberUnabomber. We don't really have a whole lot to say about that. Crazies like that probably exist; whoever was mailing anthrax around in 2001 was technically knowledgeable. We have a history of individuals like that but, again, we don't call that "warfare" because it's not in the context of a political process where one state is attempting to achieve its goals through military activity.
So there are three completely different topics that we're going to kind of touch on and then we'll talk a little bit about cyberwar. One is crime, another is terror, then espionage. Then we'll look at warfare.
The cybercriminal is a different animal from the cyberspy or cyberterrorist. The agenda of a cybercriminal is not aligned with any particular politics other than money. Because they're profit-driven - simply trying to make a quick buck or a quick 100 bucks or whatever the number is - they are not ideological. They are also extremely diffuse. Every cybercriminal who is out there is going to adopt whatever technique he comes up with at whatever particular time that's going to be most effective and most likely to make him some money. So by definition, cybercriminals don't represent a practical force. They're almost more like viruses in a biological model - they're mutating rapidly and each one of them is doing their own different thing, and you'll get different strains of cybercriminals that are out there attempting different strains of scams. We develop responses to those on a per-strain basis, and they're not coordinating amongst each other. One of the greatest strengths of the guerrilla groups that Mao ran during the war and during the Chinese Revolution was that he was able to achieve a level of diffuse activity that was centrally coordinated. You had these independent-seeming actors that were all pushing in the same direction. With cybercriminals we don't have anything like that type of asymmetric warfare. We simply have diffuse activity that is going to remain diffuse. So the threat of cybercriminals is the electronic smash-and-grab. They're going to come in, they're going to grab their money, they're going to go on and they're going to do something else.
Because of the evolutionary properties of cybercrime and the way that it works, I don't think that we're ever going to eradicate it, just like we're probably never going to eradicate regular human-on-human crime. As we close down one avenue for crime, another one will almost by definition have to take its place, because the criminals are going to go and scratch their heads and come up with a new point of attack. They rapidly shift to where the money is.
The cyberterrorist has a completely different agenda from the cybercriminal. They are ideological, but their aim is not to gain direct benefit from their actions; their object is to cost the target. Consequently, the cyberterrorist's agenda is completely non-aligned with the cybercriminal's. They're trying to adjust the ideology of the target by costing them so much that the target will do anything in order to make them stop, or will give in to their demands to make them go somewhere else. That is slightly different from the psychotic, crazed terrorist who is not really ideological; we can't really do anything about those guys except give them anti-psychotic drugs and therapy when we catch them. The cyberterrorist agenda is going to be maximum-damage attacks, and they want to produce as much fear as possible. That is why we call them "terror"ists. This is one of the reasons why, historically, a few security practitioners have been somewhat derisive of the notion of cyberterror.
Back in the early 1990s, when the book "Information Warfare" came out people were talking about cyberterror scenarios in which ATM networks were going to crash and people weren't going to be able to get cash - the U.S. economy was going to crater and we would all be eating dog food in a week. Those kinds of claims are just simply not true. You can see when there is a railroad strike that the country doesn't completely collapse or you can see that when the Blackberry network goes off the air for 24 hours, people don't immediately lose their minds. We've shown that basic attacks against even important pieces of our electronic infrastructure generally result in a period in which people hunker down patiently and wait things out.
There is reason to doubt whether cyberterror is going to be effective, unless cyberterror is able to cause real world damage. That is a place where many of us security practitioners are deeply concerned and I agree with them: if somebody is able to get into a system control for a dam and cause flooding that can result in physical damage, death and fear - economic damage as well. That is something that is not at all to be taken lightly. Nothing that I say in my remarks against cyberwarfare should in any way be construed as being dismissive of the threat of cyberterror.
The fascinating thing about cyberterror is the cyberterror paradox: there is huge room for potential growth in cyberterror, but it just simply hasn't happened yet. Whenever I am sitting at a conference in a hotel bar with a bunch of infosec practitioners, we sit around scratching our heads and go, "If I were a cyberterrorist, I would do this, this and this." We come up with all these horrifying scenarios that really scare us. The interesting question then is: why have the enemies of certain societies not done that kind of thing? I don't know - it's a really interesting question. It's possible that terrorists and terrorist organizations simply do not have the electronic warfare skills, or do not think in the terms necessary, to engage in practical covert operations.
If you really want to scare yourself about the cyberterror threat, you can concoct really frightening scenarios in which a dedicated attacker is willing to work on a five-year to ten-year horizon, putting agents in place to cause long-term damage at a specified time. That is very different from the way terrorists have historically operated. They go for ideological smash-and-grabs. It is quite possible that the reason they have been reluctant to attempt long-term covert operations is that their own security is not that good. The U.S. national security establishment has done a fairly good job of representing al-Qaeda as a highly technical terrorist organization. But the fact is, it is widely known that Osama bin Laden used to coordinate his operations using a satellite phone that was being monitored by the National Security Agency. When Khalid Sheikh Mohammed was captured, his laptop had operational information unencrypted on the hard drive. These are not the actions of sophisticated cyberterrorists. These are the actions of terrorists who are certainly a threat, but they are not yet a threat in information space.
So one of the interesting questions for the future of cyberterror is going to be: will some IT sophisticate eventually cross over the line and join a terrorist force? If that happens, things will be extremely interesting.
Another of the paradoxes of cyberterror is that the most technologically sophisticated countries are the ones that are the easiest to attack if you are a cyberterrorist. Obviously, I'm referring here to the United States or other countries in the first world. But they are also the ones that generally have strong enough, robust enough infrastructure that they are going to be more likely to successfully weather those kinds of attacks. If there was a large cyberattack focused on crushing the United States' electronic backbone, there are literally thousands of experienced network administrators all over the U.S. who would be able to step in and start trying to fight this problem. We have the depth and the technical sophistication to be able to try to address it.
That is fairly important, because if you are talking about a cyberterror attack, the asymmetry of the problem goes in both directions. If the defending force is extremely technically sophisticated and the attacking force is extremely technically sophisticated, you have a numbers effect, in that quantity does have a quality all of its own. In cyberspace, our ability to react and defend is actually pretty good. But the high-tech countries are the ones that are probably the easiest to hurt with non-technical, high-impact attacks such as flying airplanes into buildings. That is one of the reasons that I suspect cyberterror has not been a particularly big problem to date. It is simply that the terrorists that are out there have established methods that produce predictable results and do not require them to establish a high-tech strike force.
Another player in this space, which I haven't talked about yet, is the cyberspy - I'd like to discuss them briefly and then we can put cyberspies away. Cyberspies have an agenda that is, in a lot of cases, once again opposed to the cybercriminal's and the cyberterrorist's. Most importantly, the cyberspy's agenda is deeply opposed to the cyberwarrior's. The agenda of a cyberspy is to surreptitiously gather information from the target. You are trying to collect intelligence. The standard tools for espionage are penetration, covert operations, and suborning and managing trusted agents in critical positions. So, the typical cyberspy operation against a U.S. government agency would really not be likely to encompass Internet-based attacks as much as it would be likely to consist of getting an employee on the inside who is willing to sell backup tapes for money.
If you look at the history of espionage, this has happened over and over again: Aldrich Ames, the Walker spy family, Robert Hanssen at the FBI. The KGB and the GRU during the Cold War were extremely effective at these kinds of suborning operations for collecting intelligence. I always have to question the level of understanding of people who talk about cyberespionage as if it's a particularly big threat. Espionage is a huge threat, but the fact that you've added computers into the espionage environment doesn't make things much more complicated for a professional intelligence operative. All it does is give you another place for information to be compromised, and another mechanism for storing and transmitting it, and these are problems that people in the espionage field have understood for a long time.
One of the important things about a spy, however - and we saw this in the Second World War surrounding the English and Polish compromises of the German Naval Enigma ciphers - is that, when you've collected intelligence, you have to be extremely careful about how that intelligence is used operationally so that you don't give away the fact that you have it. There's the famous story of Churchill allowing a convoy to run into where a wolf pack of German submarines was known to be in operation, and to take casualties, because the conclusion was that it was more important to have the Germans not suspect that their codes had been broken than to save a couple of ships full of people. That's a very hard choice to make, but those kinds of hard choices crop up all of the time in the intelligence environment.
Imagine for a second, if you will, that you were involved in cyberespionage operations against a country like the United States. You would be placing people in key locations. You would have agents possibly working the backup tapes or working in the operations centers of certain government agencies or, more likely, working at outsourcing companies that have deep access inside of federal agencies, and so forth. You would have all of your agents in place. The last thing that you would ever want to do would be to disrupt the network of your targets. The reason you wouldn't want to disrupt the network is that that's where your intelligence is coming from. Thus, the mission of a cyberwarrior - where you might actually crash the target's networks - is going to blind the cyberspies; they're in opposition. Similarly, throughout the history of espionage, we have seen that there is a constant opposition between the soldiers and the spies, because the soldiers want to use the intelligence for battlefield purposes, tactically, whereas espionage is a strategic activity.
That tactical versus strategic divide is the single biggest thing that puts the spies in opposition to the warriors. You can very easily envision a situation down in the cyber war room of some country, where when the cyber war kicks off, the head of espionage throws up his hands in disgust and says: "Great! You've just blinded me. I can't get you any more intelligence about what's going on with the enemy because butthead over here just crashed all of their routers as part of his cyberattack."
The agenda of the cyberwarrior is to be prepared to attack, degrade or penetrate enemy command and control systems as an adjunct to physical military operations. Whenever the discussion turns to cyberwar, people also use the term "asymmetrical warfare." The idea of asymmetrical warfare is that a force has the capability to do damage that is all out of proportion to its size or cost. In the case of ground warriors, it's the classic commando raid, when someone is able to get two guys into a supply dump and destroy some critical supply chain at an important moment. The premise of asymmetrical warfare is to have a tipping effect that causes systemic failure. "For want of a nail the horse was lost; for want of a horse the knight was lost, and blah, blah, blah; for want of a nail the entire kingdom fell." That is the notion behind asymmetrical operations, and it's an excellent theory. Asymmetrical operations have worked extremely well since Sun Tzu's time (~400 BC) - give or take.
In cyberspace, the asymmetry of the situation is something that I think we need to question. Is cyberwar disproportionately effective? Is it disproportionately cost-effective? Does it work at all? There are five huge buried paradoxes in the notion of cyberwar that I've identified, and I'll run through them and then we're done. In order, they are:
Imagine that we are members of some small country's elite cyberattack force, and we're invited to the war room as part of kick-off operations for the big attack against some military target. The room is full of all of these generals and top brass and they're all strutting around, and H-hour is coming up in 24 hours. And you have to raise your hand and say, "Sir?"
The Chairman of the Joint Chiefs or whoever is running the show turns to you and says, "Yes."
And you say, "The attack is on Wednesday, and today is Tuesday."
And the Chair looks at you and says, "Yeah? What does that mean?"
"Well, today is Microsoft patch Tuesday, and they just issued a major patch that disarmed us, Sir."
At that point they grab you and they haul you out and you get a single bullet in the forehead.
It's a serious problem. I'm being a little bit silly about it, but if your premise is that you are going to have all of these electronic back doors into your enemy's command and control network so that you can crash it, or into their stock exchange so that you can crash it, then it is a moving target that you're preparing to launch your attack against. It's one thing to say, "Here is Pearl Harbor. Its defenses are static. We understand the geographic location of where it is and we have an estimate of the kind of forces that we need to take it out." It's another thing if you're in an electronic warfare environment where your target can completely transform itself with a single router upgrade or by changing a rule on the firewall. More to the point, the second that they think that they're under attack, they might unplug the network and effectively disappear from being in harm's way. Pearl Harbor can't do that. The "digital Pearl Harbor" has completely different properties from the real one.
This is a big problem, and it's one of the reasons why I don't think that real warriors would ever be happy with a weapons system where there is no manual override. What would happen if all of our soldiers' guns were electronically controlled and somebody was able to push a bad patch out to them and cause them all to cease to function? I think that's a ridiculous premise, and the reason I think it's a ridiculous premise is that I know lots of people who've served in the Army, myself included, and the idea that we would actually carry a weapon that could be remotely disabled is just silly.
The disarmament effect, and the potential for disarming a cyberwarrior without them being able to do anything about it, is very real. In fact, if you want to think about cyberwar as a combined problem with intelligence, think of it this way. What happens if the enemy has a spy inside your cyberwar operations center? You have all of these viruses, penetrators, pieces of malcode in place. You've got all these capabilities to be able to launch an attack, and the enemy is completely prepared so that the moment you launch your attack, they can hit one big red button which downloads the correct software that blocks your attack and might even make it look as if it has worked. But in fact, it has not. I know that is a ridiculous premise. But it is no more ridiculous than the premise that someone is going to electronically wipe out a country before they launch an attack.
The next problem with cyberwar is the cost factor. This is a bit of an obscure argument, but I am going to have to try to make it anyway. In order to be able to attack a network electronically from a distance, I submit to you that you have to have what equates to the ability to remotely manage it.
If I am going to be able to sit in a war room someplace on the other side of the planet and reboot your computer reliably, I am a remote system administrator for your computer. I need administrative access. I need connectivity, and I need tools to support my administrative efforts. If we're talking about cyberwar, to be able to launch an effective attack against an enemy, we're basically saying that we are trying to have a remote system administration capability against that enemy - a capability that we have no legitimate means of maintaining. We have to be able to reestablish that remote system administration capability at any time, at the drop of a hat, if we decide we are going to go to war. More likely, we have to keep it in place all the time, maintain it undetected, and keep it reliable without being able to test it.
Any of you who have ever done system or network administration (my professional background actually was as a network administrator) know how difficult it is to manage a heterogeneous network of hundreds of thousands of machines. This is why products like Unicenter, PatchLink and Configuresoft exist. These are expensive, complex, powerful tools that allow an organization to effectively manage its own computers. Imagine for a second that you were the head of the cyberwar force for some non-existent small country, and that you were being tasked with simultaneously being able to knock out pieces of the U.S. Department of Defense, some big pieces of whatever is left of Wall Street, EarthLink, plus a dozen other important sites. In order to do that, you are essentially being asked to remotely manage (through their firewalls!) a huge range of different systems, including different operating systems at different patch levels with different software configurations, all of which are being managed in unknowing opposition to your efforts. Do you see where I am going with this? This is the equivalent of asking somebody to build a combat version of Unicenter that actually works.
It is a ridiculous idea, and that is one of the reasons I'm ridiculing it. So enough about the difficulty factor. I can't even imagine the budget requirements for building such a piece of attack software. If you stack that up against the budget requirements of having agents in place at each of the targets, in a more classical covert operation sense, it makes a lot more sense to go for agents in place. Agents in place would be far more reliable and cost-effective if you've got time to do a run-up on your target and get people in place. That, by the way, is a very important part that I forgot to mention as part of the cost factor of this hypothetical cyberwar. It is not the case that you could simply turn to your cyberwar guys and say, "OK, we want to attack Fredonia tomorrow. Prepare." It would have to be laid in a long time in advance. The kinds of electronic penetrations we are talking about involve considerable reconnaissance and development of custom tools and software. You'd need to study the target's administrative practices and match them with remote management capabilities; it would take months of covert operations to prepare before an actual attack would be possible. Some networks change every couple of months, so you'd be preparing an attack against a Pearl Harbor that was rapidly scooting around the map.
Doesn't that also seem a little ridiculous? I think it would be a lot smarter, and a lot more likely, that an attacker would send agents on the ground with GPS receivers to determine where the smart bombs should land when the war opens. Instead of trying to disable the targets electronically, knock them out directly with a missile strike or a commando team. Tactical missile strikes or bombardments take their targets offline and keep them offline. That is, by the way, why real war fighters tend to like attacking stuff using high explosive.
Before an attack is launched, it has to have some kind of useful military objective. If we are talking warfare, you need to advance your combat position: you need to take ground from the enemy or hold ground that the enemy is trying to take. Sometimes, you need to destroy critical resources of the enemy - and keep them destroyed. If you look at the history of warfare, the way to accomplish virtually any military objective that is worth accomplishing involves having soldiers with feet on the ground. We've seen repeatedly in the 20th century that simply disrupting the enemy does not work. Bombing Vietnam did not work. The Germans tried it against the British in WWII. It did not work. We tried it against the Germans in WWII and it did not work. The Gulf War accomplished nothing until the ground war phase began. It takes getting boots on the ground, holding territory, guys with guns and bayonets in people's faces, in order to accomplish a military objective. In order to make a cyberattack worthwhile as a force multiplier, it has to coordinate with some kind of overall military objective that is achievable. That means that you have to have tactical superiority for some kind of follow-through.
Let me try putting it in kind of a silly way. Suppose that we had some small country someplace. It has a reasonable-sized economy and it has a fairly small army. They decide that they are going to conquer the United States. It is very difficult, because with a population the size of the United States', even if you are electronically able to crash the U.S. infrastructure to the point where the U.S. is punch-drunk and incapable of responding, what are they going to do to actually prosecute the advantage gained by that cyberattack? Let's say we've got the U.S. electronically supine at our feet, and we take the entire population of the country leading the attack, and it is still smaller than the population of Los Angeles. We give all of our people guns and we send them to LA: the LA gangs kill them in about five minutes.
In order to be able to claim that cyberwar is an effective force multiplier in a military operation, you have to have a legitimate, effective military operation for it to force-multiply - otherwise, you are just being annoying. We crash the U.S. infrastructure, and then we wait for the U.S. Marine Corps to arrive. Because, unfortunately, it doesn't make any sense to get into a cyberwar against somebody unless you are able to withstand the inevitable retaliation - real military retaliation - that is going to come.
Usually when I make fun of this aspect of cyberwar, somebody comes along and says, "Well, but, what about a false flag operation? What if some small country makes it look like another small country launched this attack, and then a superpower gets angry and lashes out against the wrong target. Ha ha." That sounds like something from an entertaining science fiction novel, but let's address it anyway. The problem with that scenario is that before anybody is going to launch a cyberattack - even under a false flag - it has to be aligned with their particular political agenda. At the point where an entity even the size of a small country is carrying out some kind of operation that is aligned with its political agenda, it is not very difficult for the victim to look around and go, "Well, to whose advantage was this? We were attacked. Our electronic infrastructure was knocked over. It cost us billions of dollars from our economy. Boy, are we pissed. Who are we going to look at? Who did this?" There are probably five or six countries on the short list of who might have caused it. Then you simply start talking to them. Then you can investigate directionally based on that knowledge. Unless, again, somebody just randomly decides they are going to go crazy and try to provoke a new world war with a cyberattack, I don't think this is something political leaders are particularly likely to do. That scenario just simply doesn't hold water.
Because packets don't hold ground, and because cyberwar, if it has any weight at all, is only going to happen in the context of being a force multiplier, cyberwar only makes sense to the side that is likely to win anyhow. I'm going to say that again. It only makes sense to launch cyberattacks if you have the U.S. Marine Corps backing you up. Because unless you think you are going to win, launching a cyberattack simply means you are going to get clobbered harder when the other guy gets back at you. If we are talking about a conflict where the force structure is so evenly balanced that that little tiny extra kick is going to make a difference, I suppose cyberwar might be significant - but most military commanders in that situation would probably rather focus on having real forces instead of virtual force multipliers. Yes, it is the case that nations have been known to go to war in situations where the force structures are evenly balanced. But if you look at the 20th century, it didn't happen very often.
I don't think that there are a lot of political leaders in the world who are going to sit there and go, "Well, you know, we could probably take on the U.S. We could probably take them out. If we could knock their electronic infrastructure off the air for 48 hours, I think we could kick their butts." No one is going to do that. It is just stupid. And yet the cyberwar proponents talk as if that is a practical option.
For those of you who don't remember Mike Tyson: Mike Tyson was a world champion heavyweight boxer (1989) for a number of years. His hallmark as a heavyweight boxer was that he was extremely brutal. This is a guy, after all, who hits people in the head for a living. In one fairly famous incident, when he was losing a match to Evander Holyfield, he attempted to bite his opponent's ear off and partially succeeded. He is not a nice man.
The point of the Blind Mike Tyson Effect is to ask yourself what happens if you were locked in a room with Mike Tyson. Of course, the first thing that comes to mind is you don't want to piss him off. What you really don't want to do is flip the lights off and whisper, "I'm gonna kick your ass, bitch."
A lot of the time when I have talked to proponents of cyberwar, what they say is that cyberwar could be used to degrade the enemy's command and control prior to launching some kind of attack. That is the usual scenario. Let me be frank with you: some of these scenarios I've heard are just laughable from the standpoint of military practicality. I was at a conference about a year and a half ago. One guy was saying, "Well, if the Chinese wanted to take Taiwan, they could launch a cyberattack against the U.S. and other first world countries to knock their command and control systems off the air so that they couldn't respond effectively. Then the Chinese would have taken Taiwan before anybody would be able to do anything about it."
To which my usual response is, "Yeah, kind of like the way Saddam Hussein was able to take Kuwait before anybody was able to do anything about it."
The problem with that whole scenario of blinding your enemy is that the targets of these cyberattacks are first world superpowers. Many of them are extremely well-armed. The U.S. Navy keeps a carrier task force group down in the China Sea. It is not particularly publicized, but the whole reason for that force is in case the Chinese did decide they were going to do something naughty regarding Taiwan. They have this nuclear-powered aircraft carrier, nuclear-armed as well, with all of its escorts and its fighter wing. A carrier task force group, even if it's been electronically degraded, is a big bad Mike Tyson, indeed.
Nobody is foreseeing starting a nuclear war with China - but that's the point. If you have a capability like that sitting in your backyard, only a madman would blind or interfere with them. It's just like blinding Mike Tyson when you're locked in a closet with him: because what is going to happen is that they will only find very small scraps of you when the lights come back on. Anyone who was stupid enough to try to electronically blind a significant military force as part of local operations is going to have to take into account what happens when the rest of the strategic arsenal gets involved. Real military planners (not the armchair cyberwar pundits) understand that.
It's far more plausible that if China wanted to take Taiwan at this point, they would do it in the context of some kind of diplomatic initiative. They might wait until all of the superpowers that might object were busy with their own economic problems or foolish adventures in other parts of the world, or when their force structures were completely tapped out from dealing with (for example) insurgencies in the Middle East. Those are legitimate strategic approaches to how you might take Taiwan. But the idea of saying that someone was going to electronically blind their target before they launched a significant attack at somebody else or directly at that target is really silly - it's like the stupid ninjas in the bad movies of the 1980s, who always scream "aiiieee!" before they attack. Of course, if you launched your attack as part of a massive combined forces operation, then you need forces to combine with: you have to be able to take on the Blind Mike Tyson.
I grew up during the late part of the Cold War and spent a lot of time war gaming World War III-type scenarios and reading up on and playing simulations based on the doctrine of mutually assured destruction. One of the givens in the M.A.D. doctrine was that if your enemy started rolling back their silo doors, you had to launch first. As a consequence of that, it was also a given during the Cold War that the last thing anyone would ever do is shoot down an opposition force's spy satellite. The U.S. has spy satellites over Russia. Russia has spy satellites up over the U.S. The Chinese have spy satellites up over the U.S. If, suddenly, the Soviet spy satellite goes dark, the Soviets are going to assume that the only reason it went dark is because we are rolling back our silo doors, and they are going to launch first. That sounds like a farfetched scenario. The reason it sounds like a farfetched scenario is because it is. When the Chinese tested a satellite-killer missile a few years ago, we matched their test with one of our own - but nobody would ever dream of testing a satellite-killer on someone else's satellite. If either side launches an electronic attack against intelligence collection and blinds the enemy, you may as well run up a big flag saying, "We're about to attack you." That's one of the reasons why this whole scenario of knocking out somebody's electronic ability to react is really quite silly. You're left with nothing but a hellacious, blind slugfest or a single-sided all-out strike.
If you take all this into account, what you'll realize is that cyberwar only makes sense in the case where you're going to win anyway. If you are already in a situation where you've got the ground forces to go in and successfully prosecute a war after you've launched your cyberattack, then it makes some sense to launch a cyberattack. If you have the naval forces to sink the carrier task force group and are not afraid of fighting the strategic war that's going to follow, yes, it makes sense to launch a cyberattack prior to launching your attack. But it only makes sense in the context where the political decision-makers and the military decision-makers at the highest level are confident of their ability to win the war to begin with. So that raises a really interesting question, which is, "Is the whole thing cost effective?" Which would you rather have, the U.S. Marines or a Cyberwar Department? Well, without the U.S. Marines a Cyberwar Department is pointless, and if you've got the U.S. Marines a Cyberwar Department becomes - well, it's kind of nice, I guess, but it's kind of like curb feelers on a Ferrari. The reason that I'm raising this is because I don't believe that our political leaders are unaware of this. It makes the situation such that the U.S. is not very likely to come under a cyberwar attack from anybody at this point in time, or for the near-term future.
We are quite possibly going to use cyberwar against somebody else, and I would like to encourage people to think about that. I don't think that in the future full-on state-versus-state cyberwar is very likely to happen, because it's pointless for superpowers to develop cyberattacks just to crush non-superpowers when they can crush them conventionally. When the cyberattacks against Estonia happened, initially people were claiming that the Russians were behind it, and that it was the first cyberwar that was happening. My response to that was the correct one, which was, "When Russia invades you, it's a lot more obvious than a bunch of packets. There's just a whole hell of a lot of explosions and tanks and helicopters and Russians. Ask the people in Grozny." That probably wasn't a very nice thing to say, but it really is the truth. If Russia's going to invade you, they don't really need to crash your electronic infrastructure before they invade you; they're either going to win or they're not.
If the U.S. is going to invade you, we don't need to crash your electronic infrastructure. I think penetrating it, using it against you, understanding it completely, using your own infrastructure to monitor you - all of those things are completely legitimate intelligence objectives (in a military context, "information operations"). From a military standpoint, crashing the target's network probably doesn't make a huge amount of sense. In the rare event that it does make sense, it's probably a lot more expedient to crash it with a thousand-pound bomb dropped on a GPS coordinate and then reconstruct it at the U.S. taxpayers' expense after we're done blowing it up.
The whole concept of cyberwar, at this time, as it's being sold, is ridiculous and pointless. The reason that I'm trying to raise this issue is not just to ridicule cyberwar proponents - it's because at a certain point, unless we are able to get the governments of the world to think rationally about this, we're going to move into an environment where civilian electronic infrastructure is on the table as if it were a military target. At what point is cyberwarfare turning into "state-sponsored cyberterrorism"? At what point is the automatic teller network - which is a civilian piece of infrastructure - going to be treated like a military target?
I know the twentieth century was marked as a period of total warfare in which horrendous attacks were launched against civilians during both major world wars, but I am deeply concerned that we are preparing to carry out war crimes in cyberspace. If you accept my argument that this type of attack really doesn't have any military utility, but we spend all this money on building this cyberwarfare capability, we're going to crash enemy targets just because we can. At a certain point I think that you are attacking civilian targets indiscriminately, and that is a war crime. We need to think about that.
So just to wrap up here, no matter how you slice it, critical civilian infrastructure is going to continue to come under increasing levels of cyberattack. I am not at all saying that we should not be worried about coming under attack. We should be worried about coming under attack, and we're going to continue to come under extremely high rates of attack for the foreseeable future. But because the types of attacks that we're coming under are not aligned, we're going to have really interesting problems. We should be thinking about how to defend against point attacks like cybercrime (first and foremost) and cyberterror as a distant second. I don't think we should be worrying about cyberwarfare attacks against us, because if we're hardening our systems against cybercrime and cyberterror, we've probably done as much as we need to do to harden ourselves against cyberwarfare. Espionage remains the critical problem that we're ignoring during our rush to worry about cyberwarfare and terrorism - penetrations launched on a ten-year time window are nearly impossible to prevent, and we're doing very little in that area.
In a sense the cybercriminals are helping protect us against the terrorists because they're encouraging us to put firewalls in place: they are the ones who've caused us to have Microsoft Patch Tuesdays, they are the ones who are constantly encouraging us, in their oh-so-gentle way, to keep all of our software as up-to-date and as flexible and as changing as possible. The cybercriminals are applying a pressure that is directly degrading the ability of a cyberwarrior to prosecute operations. Conversely, the cybercriminals are possibly increasing the avenues by which a cyberspy would be able to get in, thanks to the laissez-faire attitude many organizations are adopting toward malware and botnets. The flood of malware we're up against is a perfect hiding place for a small amount of critical espionage activity. Additionally, the research that's going on in producing malware is directly applicable for espionage purposes - and there is evidence that it has been used that way. I don't think any professional, self-respecting intelligence officer who had access to such wonderful tools as rootkits would avoid using them if he had them.
No matter how you slice it, we're going to have to be prepared to defend ourselves. I am not saying that we should just sit here and think, "Oh yeah, well, cyberwar is not going to happen. We don't need to worry about it." You can ask the government of Estonia about that. It wasn't cyberwar but it still hurt. Maybe it was just a cyberKaczynskiite, but the effect is the same. We need to be on our toes and we need to be prepared to defend our networks better - if only because of the simple fact that we are losing to a bunch of amateurs. Meanwhile, we don't need to worry nearly as much about cyberwars; the people who are selling the concept are blowing it all out of proportion.