[Infowarrior] - The Cyberwar Plan
Richard Forno
rforno at infowarrior.org
Fri Nov 13 18:35:41 UTC 2009
The Cyberwar Plan
It's not just a defensive game; cyber-security includes attack plans
too, and the U.S. has already used some of them successfully.
by Shane Harris
Saturday, Nov. 14, 2009
http://www.nationaljournal.com/njmagazine/cs_20091114_3145.php
In May 2007, President Bush authorized the National Security Agency,
based at Fort Meade, Md., to launch a sophisticated attack on an enemy
thousands of miles away without firing a bullet or dropping a bomb.
At the request of his national intelligence director, Bush ordered an
NSA cyberattack on the cellular phones and computers that insurgents
in Iraq were using to plan roadside bombings. The devices allowed the
fighters to coordinate their strikes and, later, post videos of the
attacks on the Internet to recruit followers. According to a former
senior administration official who was present at an Oval Office
meeting when the president authorized the attack, the operation helped
U.S. forces to commandeer the Iraqi fighters'
communications system. With this capability, the Americans could
deceive their adversaries with false information, including messages
to lead unwitting insurgents into the fire of waiting U.S. soldiers.
Former officials with knowledge of the computer network attack, all of
whom requested anonymity when discussing intelligence techniques, said
that the operation helped turn the tide of the war. Even more than the
thousands of additional ground troops that Bush ordered to Iraq as
part of the 2007 "surge," they credit the cyberattacks with allowing
military planners to track and kill some of the most influential
insurgents. The cyber-intelligence augmented information coming in
from unmanned aerial drones as well as an expanding network of human
spies. A Pentagon spokesman declined to discuss the operation.
Bush's authorization of "information warfare," a broad term that
encompasses computerized attacks, has been previously reported by
National Journal and other publications. But the details of specific
operations that specially trained digital warriors waged through
cyberspace aren't widely known, nor has the turnaround in the Iraq
ground war been directly attributed to the cyber campaign. The reason
that cyber techniques weren't used earlier may have to do with the
military's long-held fear that such warfare can quickly spiral out of
control. Indeed, in the months before the U.S. invasion of Iraq in
March 2003, military planners considered a computerized attack to
disable the networks that controlled Iraq's banking system, but they
backed off when they realized that those networks were global and
connected to banks in France.
By early 2007, however, two senior officials with experience and faith
in the power of cyber-warfare to discretely target an adversary
stepped into top military and intelligence posts. Mike McConnell, a
former director of the National Security Agency, took over as director
of national intelligence in February of that year. And only weeks
earlier, Army Gen. David Petraeus became the commander of all allied
forces in Iraq. McConnell, who presented the request to Bush in the
May 2007 Oval Office meeting, had established the first information
warfare center at the NSA in the mid-1990s. Petraeus, a devotee of
counterinsurgency doctrine, believed that cyberwar would play a
crucial role in the strategy he had planned as part of the surge. In
September 2007, the general told Congress, "This war is not only being
fought on the ground in Iraq but also in cyberspace."
Some journalists have obliquely described the effectiveness of
computerized warfare against the insurgents. In The War Within,
investigative reporter Bob Woodward reports that the United States
employed "a series of top-secret operations that enable [military and
intelligence agencies] to locate, target, and kill key individuals in
extremist groups such as Al Qaeda, the Sunni insurgency, and renegade
Shia militias. ... " The former senior administration official said
that the actions taken after Bush's May 2007 order were the same ones
to which Woodward referred. (At the request of military and White
House officials, Woodward withheld "details or the code word names
associated with these groundbreaking programs.")
Woodward wrote that the programs began "in about May 2006." But the
former administration official emphasized that the specific operations
that turned the advantage back to U.S. forces came a year later.
Published reports suggest that military commanders were eyeing cyber-
warfare techniques in advance of Bush's 2007 order. In an October 2005
article in Aviation Week & Space Technology, reporter David Fulghum
noted, "Computer network attack and exploitation... are also now the
primary tools in combating what senior U.S. Army officials identify as
their No. 1 target -- the wireless communications networks used by
insurgents and terrorists."
In 2005, military planners focused their efforts largely on sensors
that could intercept wireless signals in the combat zone, not on the
penetration of the cellular phone network itself. Pursuing the latter
would be a far more ambitious and riskier maneuver that, by law, would
require presidential authorization. It would also call upon the secret
skills of the NSA's computer hackers.
The lessons of the 2007 cyberwar are instructive today, as the
director of the NSA, Army Lt. Gen. Keith Alexander, is expected to
take over the Defense Department's new Cyber Command. The command will
be the vanguard of the Obama administration's cyberwar efforts, as
well as the front-line defender of military computer networks. U.S.
networks, like those of the Iraqi fighters, are also vulnerable to
outside attack, and an increasing number of penetrations over the past
two years have led Defense officials to put cyber-security at the top
of their agenda.
Cyber-defenders know what to prepare themselves for because the United
States has used the kinds of weapons that now target the Pentagon,
federal agencies, and American corporations. They are designed to
steal information, disrupt communications, and commandeer computer
systems. The U.S. is forming a cyberwar plan based largely on the
experience of intelligence agencies and military operations. It is
still in nascent stages, but it is likely to support the conduct of
conventional war for generations to come. Some believe it may even
become the dominant force.
A New Way Of War
Senior military leaders didn't come of age in a digital world, and
they've been skeptical of computerized attacks. Mostly younger
officers, who received their early combat education through video
games and Dungeons & Dragons, wage these battles. To them, digital
weapons are as familiar and useful as rifles and grenades.
Over the past few years, however, the cyber-cohort has gained
influence among the ranks of military strategists, thanks in large
part to the ascendancy of Gen. Petraeus. The man widely credited with
rescuing the U.S. mission in Iraq is also a devotee of "information
operations," a broad military doctrine that calls for defeating an
enemy through deception and intimidation, or by impairing its ability
to make decisions and understand the battlefield. In past conflicts,
the military has jammed enemy communication systems with
electromagnetic waves or dropped ominous leaflets from planes warning
enemy forces of imminent destruction. Today, cyber-warriors use the
global telecommunications network to commandeer an adversary's phones
or shut down its Web servers. This activity is a natural evolution of
the information war doctrine, and Petraeus has elevated its esteem.
Computerized tools to penetrate an enemy's phone system are only one
part of the cyberwar arsenal. And they are perhaps the least
worrisome. Alarmed national security officials, and the president
himself, are paying more attention than ever to devastating computer
viruses and malicious software programs that can disable electrical
power systems, corrupt financial data, or hijack air traffic control
systems. In 2007, after McConnell got Bush's sign-off for the cyber
campaign in Iraq, he warned the president that the United States was
vulnerable to such attacks.
Then-Treasury Secretary Henry Paulson Jr., who was present at the
meeting, painted a chilling scenario for Bush. He said that in his
former position as the CEO of Goldman Sachs, his biggest fear was that
someone would gain access to the networks of a major financial
institution and alter or corrupt its data. Imagine banks unable to
reconcile transactions and stock exchanges powerless to close trades.
Confidence in data, Paulson explained, supported the entire financial
system. Without it, the system would collapse.
The following year, when a lack of confidence in the accuracy of Bear
Stearns's accounts threatened to bring down that major bank, McConnell
tried to use the experience as a teaching opportunity. He privately
warned other senior administration officials that a cyberattack could
cause the same painful consequences, and he began studying what an
attack on the system that clears market trades might look like.
According to The New York Times, officials were halfway through their
research when the credit markets froze. A senior intelligence official
remarked, "We looked at each other and said, 'Our market collapse has
just given every cyber-warrior out there a playbook.' "
Bush's response to cyber-threats took the form of a multibillion-
dollar defense plan, known as the Comprehensive National Cybersecurity
Initiative. In its initial stages, the plan was classified, and
critics later complained that the administration had cut itself off
from valuable expertise and debate. But according to McConnell, who
spoke about the initiative at a recent panel discussion at the
International Spy Museum in Washington, the initiative was classified
because it involved an "attack," or offensive, component.
McConnell, an authority on cyberwar, chose his words deliberately, and
it was a telling admission. "Computer network attack" is a technical
term, describing an action designed to cause real-world consequences
for an adversary -- such as those that Paulson and McConnell warned
the president about in the Oval Office, and such as those that the
U.S. used in Iraq. The United States' cyber strategy, in other words,
encompassed defensive tactics and an offensive plan. The Obama
administration inherited the CNCI and has enhanced it with the
creation of a national cyber-security coordinator, a White House
official who is supposed to ensure that the defensive and offensive
sides work together.
Cyber-Forces Already Deployed
As the White House vets candidates for the "cyber-czar" post, the
military and intelligence agencies are honing their cyber skills and
have already marshaled their forces.
"We have U.S. warriors in cyberspace that are deployed overseas and
are in direct contact with adversaries overseas," said Bob Gourley,
who was the chief technology officer for the Defense Intelligence
Agency and is a board member of the Cyber Conflict Studies
Association. These experts "live in adversary networks," Gourley said,
conducting reconnaissance on foreign countries without exchanging
salvos of destructive computer commands. "Like two ships in the same
waters, aware of each other's presences, it doesn't mean they're
bumping or firing on each other."
President Obama confirmed that cyber-warriors have aimed at American
networks. "We know that cyber-intruders have probed our electrical
grid," he said at the White House in May, when he unveiled the next
stage of the national cyber-security strategy. The president also
confirmed, for the first time, that the weapons of cyberwar had
claimed victims. "In other countries, cyberattacks have plunged entire
cities into darkness."
With every attack, network defenders learn new techniques, which in
turn make them better warriors. If they are fortunate enough to
capture the weapon itself, they can pick apart its command codes --
its digital DNA -- and appropriate them. "You can analyze the attack
code, change it, and then use it or counter the next attack," said
Dave Marcus, the director of security research and communications for
McAfee Labs, which dissects cyber-threats for government agencies.
The same expertise required to build a virus or an attack program to
knock down an opponent's firewall can be put to work building more-
sophisticated virus detection systems and stronger firewalls. "Our
defense is informed by our offense," Gourley said.
Because the United States has studied how attacks are waged, "we
certainly would know how to cause these effects," said Sami Saydjari,
the president and founder of the Cyber Defense Agency, a private
security company, and a former Defense Department employee. "If the
president gave an order, we'd have cadres of people who'd know how to
do that."
The Man-Made Battlefield
Military officers describe cyberspace as the fifth domain of war,
after land, sea, air, and space. But cyberspace is unique in one
important respect -- it's the only battlefield created by humans.
"We have invented this, and it cuts across those other four," said
retired Air Force Lt. Gen. Harry Raduege, who ran the Defense
Information Systems Agency from 2000 to 2005. He was responsible for
the defense and operation of the Pentagon's global information
network. "Cyberspace has no boundaries," Raduege said. "It's just
everywhere, and it permeates everything we do.... We continue to
improve our capabilities, but so do the adversaries."
No nation dominates the cyber-battlefield today. "Military forces
fight for the ownership of that domain," said Matt Stern, a retired
lieutenant colonel who commanded the Army's 2nd Information Operations
Battalion and who now works in the private sector as the director of
cyber accounts for General Dynamics Advanced Information Systems. "But
because of the ubiquitous nature of cyberspace -- and anyone's ability
to access it -- military forces must not only contend with the threats
within their operational environment, they must also fight against
threats in cyberspace that are global in nature."
Cyberspace is also the domain that, as of now, the United States
stands the greatest chance of ceding to another nation. In July, an
independent study of the overall federal cyber-workforce described it
as fragmented and understaffed. The study blamed a hiring process that
takes too long to vet security clearances, low salaries, and the lack
of a unified hiring strategy. "You can't win the cyberwar if you don't
win the war for talent," said Max Stier, the president of the
Partnership for Public Service, an advocacy group that helped write
the study. The co-author was Booz Allen Hamilton, the government
contracting firm where former intelligence Director McConnell now runs
the cyber-security business.
The Defense Department graduates only about 80 students per year from
schools devoted to teaching cyber-warfare. Defense Secretary Robert
Gates has said that the military is "desperately short" of cyber-
warriors and that the Pentagon wants four times as many graduates to
move through its teaching programs over the next two years.
That will be difficult, considering that the military and intelligence
agencies compete directly with industry for top talent. Beltway
contractors have been on a hiring spree ever since the Bush
administration began the comprehensive cyber-security plan. Raytheon,
which has assisted Pentagon special-operations forces using advanced
cyber-technology, posted an ad to its website earlier this year titled
"Cyber Warriors Wanted." The company announced 250 open positions --
more than three times as many as the Defense Department is moving
through its education programs.
Despite a relative shortage of skilled warriors, the military services
have charged vigorously into cyberspace. The Army, Navy, Air Force,
and Marines all have their own cyber-operations groups, which handle
defense and offense, and they've competed with one another to control
the military's overall strategy. It now appears that the individual
service components will report to the new Cyber Command, which will be
led by a four-star general. (NSA Director Alexander, the presumptive
candidate, has three stars, and his promotion would require the
Senate's approval.)
The military may be organizing for a cyberwar, but it's uncertain how
aggressive a posture it will take. Some have argued for creating an
overt attack capability, the digital equivalent of a fleet of bombers
or a battalion of tanks, to deter adversaries. In a 2008 article in
Armed Forces Journal, Col. Charles Williamson III, a legal adviser for
the Air Force Intelligence, Surveillance, and Reconnaissance Agency,
proposed building a military "botnet," an army of centrally controlled
computers to launch coordinated attacks on other machines. Williamson
echoed a widely held concern among military officials that other
nations are building up their cyber-forces more quickly. "America has
no credible deterrent, and our adversaries prove it every day by
attacking everywhere," he wrote. Williamson titled his essay, "Carpet
Bombing in Cyberspace." Responding to critics who say that by building
up its own offensive power, the United States risks starting a new
arms race, Williamson said, "We are in one, and we are losing."
A Fight For First
Other experts concur that the United States cannot claim to be the
world's dominant cyber-force. Kevin Coleman, a senior fellow with the
security firm Technolytics and the former chief strategist for the Web
pioneer Netscape, said that China's and Russia's abilities to defend
and attack are just as good as America's. "Basically, it's a three-way
tie for first."
China has proved its prowess largely by stealing information from U.S.
officials and corporate executives. Last year, the head of
counterintelligence for the government told National Journal that
Chinese cyber-spies routinely pilfer strategy information from
American businesspeople in advance of their meetings in China. And a
computer security expert who consults for the government said that
during a trip to Beijing in December 2007, U.S. intelligence officials
discovered spyware programs designed to clandestinely remove
information from personal computers and other electronic equipment on
devices used by Commerce Secretary Carlos Gutierrez and possibly other
members of a U.S. trade delegation. (See NJ, 5/31/08, p. 16.)
But it is the Russian government that has done the most to stoke fears
of a massive cyberwar between nations. Most experts believe that
Russian sources launched a major attack in April 2007 against
government, financial, and media networks in Estonia. It came on the
heels of a controversy between Estonian and Russian officials over
whether to move a statue honoring Soviet-era war dead. Estonia, one of
the most "wired" nations on Earth, is highly dependent upon access to
the Internet to conduct daily business, and the cyberattack was
crippling.
A year later, many security experts accused Moscow of launching a
cyberattack on Georgia as conventional Russian military forces poured
into the country. The assault was aimed at the Georgian centers of
official command and public communication, including websites for the
Georgian president and a major TV network.
The suspected Russian attacks startled military and civilian cyber-
experts around the globe because of their scale and brazenness.
"Estonia was so interesting because it was the first time anyone ever
saw an entire country knocked out," said Ed Amoroso, the chief
security officer for AT&T. "The whole place is like a little mini-
version of what our federal government has aspired to" in terms of
conducting so much business online. "It scared the heck out of people."
The attacks also underscored one of the most befuddling aspects of
cyberwar. Not all of the computers that attacked Estonia were in
Russia. The machines, in fact, were scattered throughout 75 countries
and were probably hijacked by a central master without their owners'
knowledge. Many of the soldier-machines in this global botnet were in
the United States, an Estonian ally. To launch a counteroffensive,
Estonia would have had to attack American computers as well as those
in other friendly countries.
On May 5 of this year, lawmakers on the House Armed Services
Subcommittee on Terrorism and Unconventional Threats and Capabilities
asked the NSA's Alexander whether the attacks on Estonia and Georgia
met the definition of cyberwar. "On those, you're starting to get
closer to what would be [considered war]," he said. "The problem you
have there is who -- the attribution." Although it was obvious to most
experts that the culprits were Russian, it's easy for attackers to
mask their true location. The anonymity of the Internet provides many
alibis. Furthermore, it's hard to know whether the Russian government
committed the attack, hired cyber-mercenaries to do it, or simply
looked the other way as patriotic hackers turned their sights on rival
countries.
Over the Fourth of July weekend this year, a series of attacks struck
websites used by the White House, the Homeland Security Department,
the Secret Service, the NSA, and the State and Defense departments, as
well as sites for the New York Stock Exchange and NASDAQ. The attacks
also hit sites in South Korea, and suspicion immediately turned to
North Korea. But again, the inability to attribute the source with
certainty impeded any response. The attacks appear to have emanated
from about 50,000 computers still infected with an old computer virus,
which means that their owners probably had no idea they were
participating in a cyber-offensive. Some of those machines were inside
the United States, said Tom Conway, the director of federal business
development for McAfee. "So what are you going to do, shoot yourself?"
Holding Fire
The pitfalls of cyberwar are one reason that the United States has
been reluctant to engage in it. The U.S. conducted its first focused
experiments with cyberattacks during the 1999 bombing of Yugoslavia,
when it intervened to stop the slaughter of ethnic Albanians in
Kosovo. An information operations cell was set up as part of the
bombing campaign. The cell's mission was to penetrate the Serbian
national air defense system, published accounts and knowledgeable
officials said, and to make fake signals representing aircraft show up
on Serbian screens. The false signals would have confused the Serbian
response to the invasion and perhaps destroyed commanders' confidence
in their own defenses.
According to a high-level military briefing that Federal Computer Week
obtained in 1999, the cyber-operation "could have halved the length of
the [air] campaign." Although "all the tools were in place ... only a
few were used." The briefing concluded that the cyber-cell had "great
people," but they were from the "wrong communities" and "too junior"
to have much effect on the overall campaign. The cyber-soldiers were
young outsiders, fighting a new kind of warfare that, even the
briefing acknowledged, was "not yet understood."
War planners fear unleashing a cyber-weapon that could quickly escape
their control, a former military officer experienced in computer
network operations said. These fears hark back to the first encounter
with a rampant Internet worm, in 1988. A Cornell University graduate
student named Robert Morris wrote a program that was intended to
measure the size of the Internet but ended up replicating itself far
beyond what he intended, infecting machines across the network.
The military took a lesson from the so-called Morris worm, the former
officer said. Only four years after the war in Yugoslavia, planners
again held off on releasing a potentially virulent weapon against
Iraq. In the plan to disable the Iraqi banking network in advance of
the U.S. invasion, the Pentagon determined that it might also bring
down French banks and that the contagion could spread to the United
States.
"It turns out that their computer systems extend well outside Iraq," a
senior Air Force official told Aviation Week & Space Technology in
March 2003. "We're also finding out that Iraq didn't do a good job of
partitioning between the military and civilian networks. Their
telephone and Internet operations are all intertwined. Planners
thought it would be easy to get into the military through the
telephone system, but it's all mixed in with the civilian [traffic].
It's a mess." This official said that to penetrate the military
systems, the United States would risk what planners began calling
"collateral computer network attack damage."
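The "collateral computer network attack damage" problem the planners describe is, at bottom, a reachability question: once a self-propagating payload is loosed on the target segment, which other systems can it reach over links the target never bothered to partition? The following is an added example, not code from the article or from any of the agencies it describes. It uses a small, constructed network graph whose node names (the "iq-", "fr-" and "us-" prefixes), links and authorized target set are all hypothetical, chosen to mirror the situation the Air Force official sketches: a banking segment wired into foreign banks and into a telephone system shared with civilian traffic. The check walks every path from the entry point, reports any node outside the authorized set, and lists the links that would have to be cut for the attack to stay contained.

```python
"""
Blast-radius check for a planned computer network attack.

Added example with a constructed, hypothetical network; nothing here is
drawn from a real target. Edges are undirected because a worm-style
payload propagates in both directions across any link it can use.
"""
from collections import deque

# Hypothetical adjacency list: node -> set of directly connected nodes.
NETWORK = {
    "iq-bank-core":   {"iq-bank-branch", "iq-telecom", "fr-bank-gw"},
    "iq-bank-branch": {"iq-bank-core", "iq-telecom"},
    "iq-telecom":     {"iq-bank-core", "iq-bank-branch", "iq-mil-c2", "iq-civ-isp"},
    "iq-mil-c2":      {"iq-telecom"},
    "iq-civ-isp":     {"iq-telecom", "us-isp-peer"},
    "fr-bank-gw":     {"iq-bank-core", "fr-bank-core"},
    "fr-bank-core":   {"fr-bank-gw"},
    "us-isp-peer":    {"iq-civ-isp"},
}

# The only systems the (hypothetical) order authorizes the payload to touch.
AUTHORIZED = {"iq-bank-core", "iq-bank-branch"}


def blast_radius(network, entry, authorized, firewalled=frozenset()):
    """Breadth-first walk from `entry` over every link not blocked by
    `firewalled`. Returns (reached, collateral): all nodes the payload can
    reach, and the subset of those that lie outside `authorized`."""
    reached = set()
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        if node in reached or node in firewalled:
            continue
        reached.add(node)
        for nxt in network.get(node, ()):
            if nxt not in reached and nxt not in firewalled:
                queue.append(nxt)
    return reached, reached - set(authorized)


def boundary_links(network, authorized):
    """Links that cross from the authorized set into the rest of the
    network: the partition that must hold for the attack to stay contained."""
    authorized = set(authorized)
    return sorted(
        (a, b)
        for a in authorized
        for b in network.get(a, ())
        if b not in authorized
    )


def go_no_go(network, entry, authorized, firewalled=frozenset()):
    """True only if nothing outside the authorized set is reachable."""
    _, collateral = blast_radius(network, entry, authorized, firewalled)
    return not collateral


if __name__ == "__main__":
    reached, collateral = blast_radius(NETWORK, "iq-bank-core", AUTHORIZED)
    print("reachable from entry point:", sorted(reached))
    print("collateral (outside authorization):", sorted(collateral))
    print("links that would have to be cut:", boundary_links(NETWORK, AUTHORIZED))
    # Re-run with the cross-border and telecom links blocked to see whether
    # the planned partition would actually contain the payload.
    contained = go_no_go(NETWORK, "iq-bank-core", AUTHORIZED,
                         firewalled={"iq-telecom", "fr-bank-gw"})
    print("contained once boundary is held:", contained)
```

On the constructed graph the unrestricted walk reaches every node, including the French bank core and a U.S. ISP peer, which is the planners' objection in miniature; only when both boundary systems are held does the reachable set collapse to the authorized pair. The same walk, run against a real asset inventory rather than this toy graph, is the check a practitioner would want before any "the networks are separate" assumption is allowed into a plan.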
Because of the widespread damage that cyber-weapons can cause,
military and intelligence leaders seek presidential authorization to
use them. "They're treated like nuclear weapons, so of course it takes
presidential approval," the former military officer said. McConnell,
the ex-intelligence director, has compared the era of cyberwar to "the
atomic age" and said that a coordinated attack on a power grid or
transportation or banking systems "could create damage as potentially
great as a nuclear weapon over time."
Unlike atomic bombs, however, cyber-weapons aren't destroyed in the
attack. "Once you introduce them to the battlefield, it's trivially
easy for the other side to capture your artillery, as it were, and
then use it against you if you're not already inoculated against it,
and then against other friendlies," said Ed Skoudis, a co-founder of
the research and consulting firm InGuardians and an instructor with
the SANS Institute, which trains government employees in cyber-security.
The risk of losing control of a weapon provides a powerful incentive
not to use it. But until a new computer virus is spotted in the wilds
of the Internet, no one can be certain how to repel it. That gives
every aggressor the advantage of surprise. "Why would you expect an
adversary to lay their cards on the table until it counts?" said Tom
McDermott, a former deputy director of information security at the
NSA. "Why would you expect to have seen the bad stuff yet?"
The Case For Restraint
During his subcommittee testimony in May, Gen. Alexander was asked
whether the United States needed the cyber-equivalent of the Monroe
Doctrine, a set of clearly defined interests and the steps the
government would take to protect them. Without offering any specific
proposals, Alexander responded simply, "I do."
The Obama administration's former White House chief of cyber-security,
Melissa Hathaway, has called for international cyberspace agreements.
In a number of speeches in 2008 while still with the Bush
administration, Hathaway proposed a Law of the Sea Treaty for the
Internet, which, she said, is the backbone of global commerce and
communications, just as the oceans were centuries ago.
The odds for a broad international framework aren't good, however. The
Russian government has proposed a treaty limiting the use of cyber-
weapons, but the State Department has rejected the idea, preferring to
focus on improving defenses and prosecuting cyberattacks as crimes.
Officials are also wary of any strategy by the Russian government to
constrain other nations' ability to attack. In September, a panel of
national security law experts convened by the American Bar Association
and the National Strategy Forum, a Chicago-based research institute,
concluded that the prospects for any multinational agreement are
bleak. "The advantages of having a cyber-warfare capacity are simply
too great for many international actors to abjure its benefits," the
panel stated.
Students of cyberwar find parallels between the present day and the
early 1960s, when the advent of intercontinental missiles ushered in
not only the space age but also an arms race. Like outer space then,
cyberspace is amorphous and opaque to most, and inspires as much awe
as dread. In this historical analogy, experts have embraced a Cold War
deterrent to prevent the cyber-Armageddon that military and
intelligence officials have been warning about -- mutually assured
destruction.
Presumably, China has no interest in crippling Wall Street, because it
owns much of it. Russia should be reluctant to launch a cyberattack on
the United States because, unlike Estonia or Georgia, the U.S. could
fashion a response involving massive conventional force. The United
States has already learned that it makes no sense to knock out an
enemy's infrastructure if it disables an ally's, and possibly
America's own. If nations begin attacking one another's power grids
and banks, they will quickly exchange bombs and bullets. Presumably,
U.S. war planners know that. And it may be the most compelling reason
to keep their cyber-weapons sharp but use them sparingly.