(crossposted from Foreign Policy In Focus)
The Pentagon has traditionally presented cyber war as “their hackers” against “our defenders.” Out there, especially in China, a faceless horde of anonymous computer users are arrayed against the United States in an updated version of the “yellow peril.” In 2010, the Pentagon complained publicly for the first time about the Chinese government deploying civilian hackers to go after U.S. targets. These cyber attacks date back at least to 1999 when, after NATO bombed the Chinese embassy in Belgrade, Chinese hackers launched a slew of “denial of service” attacks that, among other results, shut down the White House website for three days.
According to the experts, we’re suffering death by a thousand hacks. In his book America the Vulnerable, Joel Brenner starts out the introductory chapter by bemoaning the Chinese download of 20 terabytes of information from the Defense Department in an infamous maneuver from several years ago. “To carry this volume of documents in paper form, you’d need a line of moving vans stretching from the Pentagon to the Chinese freighters docked in Baltimore harbor fifty miles away. If the Chinese tried to do that, we’d have the National Guard out in fifteen minutes. But when they did it electronically, hardly anyone noticed.”
Brenner doesn’t address whether the Chinese actually found anything useful in that enormous data dump, nor does the former senior counsel at the National Security Agency talk about what the United States has stolen from the Chinese. Threat, after all, sells books (as well as high-priced intelligence programs and weapon systems).
Washington is not just worried about Beijing, of course. The U.S. government loses sleep over Russians, al-Qaeda sympathizers, and even disgruntled computer nerds on the home front. The U.S. authorities have vigorously pursued Anonymous, the hacker tribe that has targeted corporate websites unfriendly to the Occupy movement and to Wikileaks.
There’s a reason it’s called the Defense Department and not the War Office. Listen to Washington and you’d think the United States was simply a healthy body under attack by a legion of foreign microbes in league with traitorous parasites within. But several major news stories over the last week paint a very different picture of the U.S. government approach to cyber war. It turns out that our hands are not clean at all.
The Obama administration indirectly confirmed last week, through a leak in The New York Times, that it had teamed up with Israel to create Stuxnet, the worm that burrowed into Iran’s nuclear program and created havoc in its uranium-enrichment centrifuges. More disturbing perhaps has been the administration’s attempts to extend “full-spectrum dominance” to the cyberworld. We might sound all defensive. But in fact we’ve been quite offensive in our actions.
The Stuxnet worm, part of a secret U.S. program codenamed Olympic Games, was initially a Bush administration effort. As he passed the presidential baton on to Obama, Bush urged his successor to preserve two programs: the Olympic Games and the drone attacks in Pakistan. Obama complied on both. The virus was intended to instruct Iranian centrifuges to essentially destroy themselves. In 2010, however, the bug jumped from the Natanz facility in Iran to the Internet, where it began to replicate wildly, a programming error that Obama aides blamed on their Israeli partners. Still, the bug remained anonymous, and Washington pushed ahead with the program. Eventually, a new version of Stuxnet damaged one-fifth of Iran’s centrifuges, setting back the program for an unknown period of time.
The Obama administration has apparently approved this leak, for it has not issued any denials. Going into the fall elections, Obama the presidential candidate wants to make sure that the Republicans can’t charge him with appeasing Iran. Stuxnet is the cyber equivalent of assassinating Osama bin Laden: a mission that demonstrates that the Obama administration is daring, is willing to break rules and play dirty, and operates as if the world is a video game and Americans have special powers.
But Stuxnet also raises certain expectations. “Some officials question why the same techniques have not been used more aggressively against North Korea,” David Sanger writes in his investigative report. “Others see chances to disrupt Chinese military plans, forces in Syria on the way to suppress the uprising there, and Qaeda operations around the world.”
Of course, the Pentagon may have already used these techniques against the competition. For two years, the Pentagon’s Cyber Command has been overseeing the development of various cyber weapons, a process that has recently been fast-tracked. And the administration just announced its effort to crowd-source cyber warfare through “Plan X.” The $110-million program will solicit proposals from universities and video-game manufacturers. Plan X’s parent agency, the Defense Advanced Research Projects Agency (DARPA), is reportedly shifting its cyber efforts from the defensive to the offensive.
Since the end of the Cold War, the United States has tried to sustain its singular superpower status through “full spectrum dominance.” Such dominance, according to the Joint Vision 2020 from those pre-9/11 days of June 2000, means “the ability of U.S. forces, operating alone or with allies, to defeat any adversary and control any situation across the range of military operation.” The spectrum has included cyberspace for some time. Offensive cyber tactics fall into five basic categories: using the Internet to win hearts and minds; denial of service attacks that effectively paralyze websites; electronic attacks on infrastructure such as nuclear power plants; sabotage through the sale of defective hardware or software; and operational attacks that accompany conventional battle plans, as when Israel disabled Syrian radar systems when it bombed a suspected nuclear weapons facility in 2007.
Hackers have long realized that even sophisticated systems have backdoors. The United States is slowly waking up to the realization that its basic infrastructure – power plants, waste-treatment facilities, indeed anything controlled by a computer – is vulnerable to hostile take-over. The search engine Shodan shows all the different computers you can access on-line. “One researcher using the system,” according to a recent Washington Post story, “found that a nuclear particle accelerator at the University of California at Berkeley was linked to the Internet with virtually no security.”
I can imagine a group of hackers over at Fort Meade that the National Security Agency pays handsomely to map all the vulnerable points in the infrastructure of other countries. Even as the United States scrambles to patch its own leaks, it is no doubt making plans to breach the cyber-Maginot Lines of its adversaries.
All’s fair in love and war, you might say. But we ramp up our e-offensive at no inconsiderable risk to ourselves. Our cyber attacks, as with any offensive strategy, can provoke retaliation. Sanger concludes his Stuxnet investigation with a cautionary note: “It is only a matter of time, most experts believe, before [the United States] becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.” Retaliation, in this case, comes with a twist. Ordinary citizens can’t send their own unmanned aerial vehicles to the United States. But some ordinary citizens can leverage the power of the Internet to hack into U.S. sites and cause considerable damage.
Also, if we attack infrastructure, civilians are at heightened risk. Knocking out centrifuges is one thing. But cyber warriors could just as easily target the entire electricity grid. “You could argue that out of the gate cyberwar is going to be war crimes,” says Marcus Ranum of Tenable Network Security. “If you’re talking taking out an electronic infrastructure preparatory to a ground attack, you’re talking about shutting down their hospitals and shutting down their businesses, shutting down their stock exchange, shutting down their street lights, and screwing people’s lives up. These are all contrary to the civilized laws of how wars are supposed to be fought.” The prospect of such attacks taking out U.S. infrastructure has prompted Richard Clarke, in his new book Cyber War, to propose a ban on cyber attacks on civilian targets.
And, finally, the most frightening possibility is the worm that goes out of control. Stuxnet did some damage outside Iran but it was relatively tame as malware goes. But more serious stuff is now out there – see, for example, Flame – and who knows what’s in the pipeline that could, like a cyber smallpox, cause a major e-pandemic?
We are creating genetically engineered life forms. We are considering geo-engineering on a massive scale to avert global warming. And now we are inching closer to importing the MAD (mutually assured destruction) logic of nuclear weapons into cyberspace. Remember: the Internet was originally a creation of DARPA (with a minor assist from Al Gore). Now DARPA, like Darth Vader, is attempting to reclaim its progeny and recruit it to the dark side. Where are the light sabers to fend it off?