[Infowarrior] - The Cyberwar Plan

Richard Forno rforno at infowarrior.org
Fri Nov 13 18:35:41 UTC 2009


The Cyberwar Plan

  It's not just a defensive game; cyber-security includes attack plans  
too, and the U.S. has already used some of them successfully.
by Shane Harris

Saturday, Nov. 14, 2009


http://www.nationaljournal.com/njmagazine/cs_20091114_3145.php

In May 2007, President Bush authorized the National Security Agency,  
based at Fort Meade, Md., to launch a sophisticated attack on an enemy  
thousands of miles away without firing a bullet or dropping a bomb.

At the request of his national intelligence director, Bush ordered an  
NSA cyberattack on the cellular phones and computers that insurgents  
in Iraq were using to plan roadside bombings. The devices allowed the  
fighters to coordinate their strikes and, later, post videos of the  
attacks on the Internet to recruit followers. According to a former  
senior administration official who was present at an Oval Office  
meeting when the president authorized the attack, the operation helped  
U.S. forces to commandeer the Iraqi fighters' communications system.
With this capability, the Americans could
deceive their adversaries with false information, including messages  
to lead unwitting insurgents into the fire of waiting U.S. soldiers.

Former officials with knowledge of the computer network attack, all of  
whom requested anonymity when discussing intelligence techniques, said  
that the operation helped turn the tide of the war. Even more than the  
thousands of additional ground troops that Bush ordered to Iraq as  
part of the 2007 "surge," they credit the cyberattacks with allowing  
military planners to track and kill some of the most influential  
insurgents. The cyber-intelligence augmented information coming in  
from unmanned aerial drones as well as an expanding network of human  
spies. A Pentagon spokesman declined to discuss the operation.

Bush's authorization of "information warfare," a broad term that  
encompasses computerized attacks, has been previously reported by  
National Journal and other publications. But the details of specific  
operations that specially trained digital warriors waged through  
cyberspace aren't widely known, nor has the turnaround in the Iraq  
ground war been directly attributed to the cyber campaign. The reason  
that cyber techniques weren't used earlier may have to do with the  
military's long-held fear that such warfare can quickly spiral out of  
control. Indeed, in the months before the U.S. invasion of Iraq in  
March 2003, military planners considered a computerized attack to  
disable the networks that controlled Iraq's banking system, but they  
backed off when they realized that those networks were global and  
connected to banks in France.

By early 2007, however, two senior officials with experience and faith  
in the power of cyber-warfare to discretely target an adversary  
stepped into top military and intelligence posts. Mike McConnell, a  
former director of the National Security Agency, took over as director  
of national intelligence in February of that year. And only weeks  
earlier, Army Gen. David Petraeus became the commander of all allied  
forces in Iraq. McConnell, who presented the request to Bush in the  
May 2007 Oval Office meeting, had established the first information  
warfare center at the NSA in the mid-1990s. Petraeus, a devotee of  
counterinsurgency doctrine, believed that cyberwar would play a  
crucial role in the strategy he had planned as part of the surge. In  
September 2007, the general told Congress, "This war is not only being  
fought on the ground in Iraq but also in cyberspace."

Some journalists have obliquely described the effectiveness of  
computerized warfare against the insurgents. In The War Within,  
investigative reporter Bob Woodward reports that the United States  
employed "a series of top-secret operations that enable [military and  
intelligence agencies] to locate, target, and kill key individuals in  
extremist groups such as Al Qaeda, the Sunni insurgency, and renegade  
Shia militias. ... " The former senior administration official said  
that the actions taken after Bush's May 2007 order were the same ones  
to which Woodward referred. (At the request of military and White  
House officials, Woodward withheld "details or the code word names  
associated with these groundbreaking programs.")

Woodward wrote that the programs began "in about May 2006." But the  
former administration official emphasized that the specific operations  
that turned the advantage back to U.S. forces came a year later.  
Published reports suggest that military commanders were eyeing
cyber-warfare techniques in advance of Bush's 2007 order. In an October 2005
article in Aviation Week & Space Technology, reporter David Fulghum  
noted, "Computer network attack and exploitation... are also now the  
primary tools in combating what senior U.S. Army officials identify as  
their No. 1 target -- the wireless communications networks used by  
insurgents and terrorists."

In 2005, military planners focused their efforts largely on sensors  
that could intercept wireless signals in the combat zone, not on the  
penetration of the cellular phone network itself. Pursuing the latter  
would be a far more ambitious and riskier maneuver that, by law, would  
require presidential authorization. It would also call upon the secret  
skills of the NSA's computer hackers.

The lessons of the 2007 cyberwar are instructive today, as the  
director of the NSA, Army Lt. Gen. Keith Alexander, is expected to  
take over the Defense Department's new Cyber Command. The command will  
be the vanguard of the Obama administration's cyberwar efforts, as  
well as the front-line defender of military computer networks. U.S.  
networks, like those of the Iraqi fighters, are also vulnerable to  
outside attack, and an increasing number of penetrations over the past  
two years have led Defense officials to put cyber-security at the top  
of their agenda.

Cyber-defenders know what to prepare themselves for because the United  
States has used the kinds of weapons that now target the Pentagon,  
federal agencies, and American corporations. They are designed to  
steal information, disrupt communications, and commandeer computer  
systems. The U.S. is forming a cyberwar plan based largely on the  
experience of intelligence agencies and military operations. It is  
still in nascent stages, but it is likely to support the conduct of  
conventional war for generations to come. Some believe it may even  
become the dominant force.

A New Way Of War

Senior military leaders didn't come of age in a digital world, and  
they've been skeptical of computerized attacks. Mostly younger  
officers, who received their early combat education through video  
games and Dungeons & Dragons, wage these battles. To them, digital  
weapons are as familiar and useful as rifles and grenades.

Over the past few years, however, the cyber-cohort has gained  
influence among the ranks of military strategists, thanks in large  
part to the ascendancy of Gen. Petraeus. The man widely credited with  
rescuing the U.S. mission in Iraq is also a devotee of "information  
operations," a broad military doctrine that calls for defeating an  
enemy through deception and intimidation, or by impairing its ability  
to make decisions and understand the battlefield. In past conflicts,  
the military has jammed enemy communication systems with  
electromagnetic waves or dropped ominous leaflets from planes warning  
enemy forces of imminent destruction. Today, cyber-warriors use the  
global telecommunications network to commandeer an adversary's phones  
or shut down its Web servers. This activity is a natural evolution of  
the information war doctrine, and Petraeus has elevated its esteem.

Computerized tools to penetrate an enemy's phone system are only one  
part of the cyberwar arsenal. And they are perhaps the least  
worrisome. Alarmed national security officials, and the president  
himself, are paying more attention than ever to devastating computer  
viruses and malicious software programs that can disable electrical  
power systems, corrupt financial data, or hijack air traffic control  
systems. In 2007, after McConnell got Bush's sign-off for the cyber  
campaign in Iraq, he warned the president that the United States was  
vulnerable to such attacks.

Then-Treasury Secretary Henry Paulson Jr., who was present at the  
meeting, painted a chilling scenario for Bush. He said that in his  
former position as the CEO of Goldman Sachs, his biggest fear was that  
someone would gain access to the networks of a major financial  
institution and alter or corrupt its data. Imagine banks unable to  
reconcile transactions and stock exchanges powerless to close trades.  
Confidence in data, Paulson explained, supported the entire financial  
system. Without it, the system would collapse.

The following year, when a lack of confidence in the accuracy of Bear  
Stearns's accounts threatened to bring down that major bank, McConnell  
tried to use the experience as a teaching opportunity. He privately  
warned other senior administration officials that a cyberattack could  
cause the same painful consequences, and he began studying what an  
attack on the system that clears market trades might look like.  
According to The New York Times, officials were halfway through their  
research when the credit markets froze. A senior intelligence official  
remarked, "We looked at each other and said, 'Our market collapse has  
just given every cyber-warrior out there a playbook.' "

Bush's response to cyber-threats took the form of a
multibillion-dollar defense plan, known as the Comprehensive National Cybersecurity
Initiative. In its initial stages, the plan was classified, and  
critics later complained that the administration had cut itself off  
from valuable expertise and debate. But according to McConnell, who  
spoke about the initiative at a recent panel discussion at the  
International Spy Museum in Washington, the initiative was classified  
because it involved an "attack," or offensive, component.

McConnell, an authority on cyberwar, chose his words deliberately, and  
it was a telling admission. "Computer network attack" is a technical  
term, describing an action designed to cause real-world consequences  
for an adversary -- such as those that Paulson and McConnell warned  
the president about in the Oval Office, and such as those that the  
U.S. used in Iraq. The United States' cyber strategy, in other words,  
encompassed defensive tactics and an offensive plan. The Obama  
administration inherited the CNCI and has enhanced it with the  
creation of a national cyber-security coordinator, a White House  
official who is supposed to ensure that the defensive and offensive  
sides work together.

Cyber-Forces Already Deployed

As the White House vets candidates for the "cyber-czar" post, the  
military and intelligence agencies are honing their cyber skills and  
have already marshaled their forces.

"We have U.S. warriors in cyberspace that are deployed overseas and  
are in direct contact with adversaries overseas," said Bob Gourley,  
who was the chief technology officer for the Defense Intelligence  
Agency and is a board member of the Cyber Conflict Studies  
Association. These experts "live in adversary networks," Gourley said,  
conducting reconnaissance on foreign countries without exchanging  
salvos of destructive computer commands. "Like two ships in the same  
waters, aware of each other's presences, it doesn't mean they're  
bumping or firing on each other."

President Obama confirmed that cyber-warriors have aimed at American  
networks. "We know that cyber-intruders have probed our electrical  
grid," he said at the White House in May, when he unveiled the next  
stage of the national cyber-security strategy. The president also  
confirmed, for the first time, that the weapons of cyberwar had  
claimed victims. "In other countries, cyberattacks have plunged entire  
cities into darkness."

With every attack, network defenders learn new techniques, which in  
turn make them better warriors. If they are fortunate enough to  
capture the weapon itself, they can pick apart its command codes --  
its digital DNA -- and appropriate them. "You can analyze the attack  
code, change it, and then use it or counter the next attack," said  
Dave Marcus, the director of security research and communications for  
McAfee Labs, which dissects cyber-threats for government agencies.

The same expertise required to build a virus or an attack program to  
knock down an opponent's firewall can be put to work building
more-sophisticated virus detection systems and stronger firewalls. "Our
defense is informed by our offense," Gourley said.

Because the United States has studied how attacks are waged, "we  
certainly would know how to cause these effects," said Sami Saydjari,  
the president and founder of the Cyber Defense Agency, a private  
security company, and a former Defense Department employee. "If the  
president gave an order, we'd have cadres of people who'd know how to  
do that."

The Man-Made Battlefield

Military officers describe cyberspace as the fifth domain of war,  
after land, sea, air, and space. But cyberspace is unique in one  
important respect -- it's the only battlefield created by humans.

"We have invented this, and it cuts across those other four," said  
retired Air Force Lt. Gen. Harry Raduege, who ran the Defense  
Information Systems Agency from 2000 to 2005. He was responsible for  
the defense and operation of the Pentagon's global information  
network. "Cyberspace has no boundaries," Raduege said. "It's just  
everywhere, and it permeates everything we do.... We continue to  
improve our capabilities, but so do the adversaries."

No nation dominates the cyber-battlefield today. "Military forces  
fight for the ownership of that domain," said Matt Stern, a retired  
lieutenant colonel who commanded the Army's 2nd Information Operations  
Battalion and who now works in the private sector as the director of  
cyber accounts for General Dynamics Advanced Information Systems. "But  
because of the ubiquitous nature of cyberspace -- and anyone's ability  
to access it -- military forces must not only contend with the threats  
within their operational environment, they must also fight against  
threats in cyberspace that are global in nature."

Cyberspace is also the domain that, as of now, the United States  
stands the greatest chance of ceding to another nation. In July, an  
independent study of the overall federal cyber-workforce described it  
as fragmented and understaffed. The study blamed a hiring process that  
takes too long to vet security clearances, low salaries, and the lack  
of a unified hiring strategy. "You can't win the cyberwar if you don't  
win the war for talent," said Max Stier, the president of the  
Partnership for Public Service, an advocacy group that helped write  
the study. The co-author was Booz Allen Hamilton, the government  
contracting firm where former intelligence Director McConnell now runs  
the cyber-security business.

The Defense Department graduates only about 80 students per year from  
schools devoted to teaching cyber-warfare. Defense Secretary Robert  
Gates has said that the military is "desperately short" of
cyber-warriors and that the Pentagon wants four times as many graduates to
move through its teaching programs over the next two years.

That will be difficult, considering that the military and intelligence  
agencies compete directly with industry for top talent. Beltway  
contractors have been on a hiring spree ever since the Bush  
administration began the comprehensive cyber-security plan. Raytheon,  
which has assisted Pentagon special-operations forces using advanced  
cyber-technology, posted an ad to its website earlier this year titled  
"Cyber Warriors Wanted." The company announced 250 open positions --  
more than three times as many as the Defense Department is moving  
through its education programs.

Despite a relative shortage of skilled warriors, the military services  
have charged vigorously into cyberspace. The Army, Navy, Air Force,  
and Marines all have their own cyber-operations groups, which handle  
defense and offense, and they've competed with one another to control  
the military's overall strategy. It now appears that the individual  
service components will report to the new Cyber Command, which will be  
led by a four-star general. (NSA Director Alexander, the presumptive  
candidate, has three stars, and his promotion would require the  
Senate's approval.)

The military may be organizing for a cyberwar, but it's uncertain how  
aggressive a posture it will take. Some have argued for creating an  
overt attack capability, the digital equivalent of a fleet of bombers  
or a battalion of tanks, to deter adversaries. In a 2008 article in  
Armed Forces Journal, Col. Charles Williamson III, a legal adviser for  
the Air Force Intelligence, Surveillance, and Reconnaissance Agency,  
proposed building a military "botnet," an army of centrally controlled  
computers to launch coordinated attacks on other machines. Williamson  
echoed a widely held concern among military officials that other  
nations are building up their cyber-forces more quickly. "America has  
no credible deterrent, and our adversaries prove it every day by  
attacking everywhere," he wrote. Williamson titled his essay, "Carpet  
Bombing in Cyberspace." Responding to critics who say that by building  
up its own offensive power, the United States risks starting a new  
arms race, Williamson said, "We are in one, and we are losing."

A Fight For First

Other experts concur that the United States cannot claim to be the  
world's dominant cyber-force. Kevin Coleman, a senior fellow with the  
security firm Technolytics and the former chief strategist for the Web  
pioneer Netscape, said that China's and Russia's abilities to defend  
and attack are just as good as America's. "Basically, it's a three-way  
tie for first."

China has proved its prowess largely by stealing information from U.S.  
officials and corporate executives. Last year, the head of  
counterintelligence for the government told National Journal that  
Chinese cyber-spies routinely pilfer strategy information from  
American businesspeople in advance of their meetings in China. And a  
computer security expert who consults for the government said that  
during a trip to Beijing in December 2007, U.S. intelligence officials  
discovered spyware programs designed to clandestinely remove  
information from personal computers and other electronic equipment on  
devices used by Commerce Secretary Carlos Gutierrez and possibly other  
members of a U.S. trade delegation. (See NJ, 5/31/08, p. 16.)

But it is the Russian government that has done the most to stoke fears  
of a massive cyberwar between nations. Most experts believe that  
Russian sources launched a major attack in April 2007 against  
government, financial, and media networks in Estonia. It came on the  
heels of a controversy between Estonian and Russian officials over  
whether to move a statue honoring Soviet-era war dead. Estonia, one of  
the most "wired" nations on Earth, is highly dependent upon access to  
the Internet to conduct daily business, and the cyberattack was  
crippling.

A year later, many security experts accused Moscow of launching a  
cyberattack on Georgia as conventional Russian military forces poured  
into the country. The assault was aimed at the Georgian centers of  
official command and public communication, including websites for the  
Georgian president and a major TV network.

The suspected Russian attacks startled military and civilian
cyber-experts around the globe because of their scale and brazenness.
"Estonia was so interesting because it was the first time anyone ever  
saw an entire country knocked out," said Ed Amoroso, the chief  
security officer for AT&T. "The whole place is like a little
mini-version of what our federal government has aspired to" in terms of
conducting so much business online. "It scared the heck out of people."

The attacks also underscored one of the most befuddling aspects of  
cyberwar. Not all of the computers that attacked Estonia were in  
Russia. The machines, in fact, were scattered throughout 75 countries  
and were probably hijacked by a central master without their owners'  
knowledge. Many of the soldier-machines in this global botnet were in  
the United States, an Estonian ally. To launch a counteroffensive,  
Estonia would have had to attack American computers as well as those  
in other friendly countries.

On May 5 of this year, lawmakers on the House Armed Services  
Subcommittee on Terrorism and Unconventional Threats and Capabilities  
asked the NSA's Alexander whether the attacks on Estonia and Georgia  
met the definition of cyberwar. "On those, you're starting to get  
closer to what would be [considered war]," he said. "The problem you  
have there is who -- the attribution." Although it was obvious to most  
experts that the culprits were Russian, it's easy for attackers to  
mask their true location. The anonymity of the Internet provides many  
alibis. Furthermore, it's hard to know whether the Russian government  
committed the attack, hired cyber-mercenaries to do it, or simply  
looked the other way as patriotic hackers turned their sights on rival  
countries.

Over the Fourth of July weekend this year, a series of attacks struck  
websites used by the White House, the Homeland Security Department,  
the Secret Service, the NSA, and the State and Defense departments, as  
well as sites for the New York Stock Exchange and NASDAQ. The attacks  
also hit sites in South Korea, and suspicion immediately turned to  
North Korea. But again, the inability to attribute the source with  
certainty impeded any response. The attacks appear to have emanated  
from about 50,000 computers still infected with an old computer virus,  
which means that their owners probably had no idea they were  
participating in a cyber-offensive. Some of those machines were inside  
the United States, said Tom Conway, the director of federal business  
development for McAfee. "So what are you going to do, shoot yourself?"

Holding Fire

The pitfalls of cyberwar are one reason that the United States has  
been reluctant to engage in it. The U.S. conducted its first focused  
experiments with cyberattacks during the 1999 bombing of Yugoslavia,  
when it intervened to stop the slaughter of ethnic Albanians in  
Kosovo. An information operations cell was set up as part of the  
bombing campaign. The cell's mission was to penetrate the Serbian  
national air defense system, published accounts and knowledgeable  
officials said, and to make fake signals representing aircraft show up  
on Serbian screens. The false signals would have confused the Serbian  
response to the invasion and perhaps destroyed commanders' confidence  
in their own defenses.

According to a high-level military briefing that Federal Computer Week  
obtained in 1999, the cyber-operation "could have halved the length of  
the [air] campaign." Although "all the tools were in place ... only a  
few were used." The briefing concluded that the cyber-cell had "great  
people," but they were from the "wrong communities" and "too junior"  
to have much effect on the overall campaign. The cyber-soldiers were  
young outsiders, fighting a new kind of warfare that, even the  
briefing acknowledged, was "not yet understood."

War planners fear unleashing a cyber-weapon that could quickly escape  
their control, a former military officer experienced in computer  
network operations said. These fears hark back to the first encounter  
with a rampant Internet virus, in 1988. A Cornell University student  
named Robert Morris manufactured a program that was intended to  
measure the size of the Internet but ended up replicating itself  
massively, infecting machines connected to the network.

The military took a lesson from the so-called Morris worm, the former  
officer said. Only four years after the war in Yugoslavia, planners  
again held off on releasing a potentially virulent weapon against  
Iraq. In the plan to disable the Iraqi banking network in advance of  
the U.S. invasion, the Pentagon determined that it might also bring  
down French banks and that the contagion could spread to the United  
States.

"It turns out that their computer systems extend well outside Iraq," a  
senior Air Force official told Aviation Week & Space Technology in  
March 2003. "We're also finding out that Iraq didn't do a good job of  
partitioning between the military and civilian networks. Their  
telephone and Internet operations are all intertwined. Planners  
thought it would be easy to get into the military through the  
telephone system, but it's all mixed in with the civilian [traffic].  
It's a mess." This official said that to penetrate the military  
systems, the United States would risk what planners began calling  
"collateral computer network attack damage."

Because of the widespread damage that cyber-weapons can cause,  
military and intelligence leaders seek presidential authorization to  
use them. "They're treated like nuclear weapons, so of course it takes  
presidential approval," the former military officer said. McConnell,  
the ex-intelligence director, has compared the era of cyberwar to "the  
atomic age" and said that a coordinated attack on a power grid or  
transportation or banking systems "could create damage as potentially  
great as a nuclear weapon over time."

Unlike atomic bombs, however, cyber-weapons aren't destroyed in the  
attack. "Once you introduce them to the battlefield, it's trivially  
easy for the other side to capture your artillery, as it were, and  
then use it against you if you're not already inoculated against it,  
and then against other friendlies," said Ed Skoudis, a co-founder of  
the research and consulting firm InGuardians and an instructor with  
the SANS Institute, which trains government employees in cyber-security.

The risk of losing control of a weapon provides a powerful incentive  
not to use it. But until a new computer virus is spotted in the wilds  
of the Internet, no one can be certain how to repel it. That gives  
every aggressor the advantage of surprise. "Why would you expect an  
adversary to lay their cards on the table until it counts?" said Tom  
McDermott, a former deputy director of information security at the  
NSA. "Why would you expect to have seen the bad stuff yet?"

The Case For Restraint

During his subcommittee testimony in May, Gen. Alexander was asked  
whether the United States needed the cyber-equivalent of the Monroe  
Doctrine, a set of clearly defined interests and the steps the  
government would take to protect them. Without offering any specific  
proposals, Alexander responded simply, "I do."

The Obama administration's former White House chief of cyber-security,  
Melissa Hathaway, has called for international cyberspace agreements.  
In a number of speeches in 2008 while still with the Bush  
administration, Hathaway proposed a Law of the Sea Treaty for the  
Internet, which, she said, is the backbone of global commerce and  
communications, just as the oceans were centuries ago.

The odds for a broad international framework aren't good, however. The  
Russian government has proposed a treaty limiting the use of
cyber-weapons, but the State Department has rejected the idea, preferring to
focus on improving defenses and prosecuting cyberattacks as crimes.  
Officials are also wary of any strategy by the Russian government to  
constrain other nations' ability to attack. In September, a panel of  
national security law experts convened by the American Bar Association  
and the National Strategy Forum, a Chicago-based research institute,  
concluded that the prospects for any multinational agreement are  
bleak. "The advantages of having a cyber-warfare capacity are simply  
too great for many international actors to abjure its benefits," the  
panel stated.

Students of cyberwar find parallels between the present day and the  
early 1960s, when the advent of intercontinental missiles ushered in  
not only the space age but also an arms race. Like outer space then,  
cyberspace is amorphous and opaque to most, and inspires as much awe  
as dread. In this historical analogy, experts have embraced a Cold War  
deterrent to prevent the cyber-Armageddon that military and  
intelligence officials have been warning about -- mutually assured  
destruction.

Presumably, China has no interest in crippling Wall Street, because it  
owns much of it. Russia should be reluctant to launch a cyberattack on  
the United States because, unlike Estonia or Georgia, the U.S. could  
fashion a response involving massive conventional force. The United  
States has already learned that it makes no sense to knock out an  
enemy's infrastructure if it disables an ally's, and possibly  
America's own. If nations begin attacking one another's power grids  
and banks, they will quickly exchange bombs and bullets. Presumably,  
U.S. war planners know that. And it may be the most compelling reason  
to keep their cyber-weapons sharp but use them sparingly.

