27 July 2015

Cyber hogwash


When a series of technical glitches hit companies that ranged from United to the New York Stock Exchange this week, suspicions immediately ran to a cyber attack. Was this just the beginning of something much worse? A surprise attack, the beginning of the long-feared “cyber war” or the “cyber Pearl Harbor”? The irony that these worries were mostly expressed online at places like Twitter was not lost on many, but it points to how deeply they have become woven into the narrative of threats that surround us. Indeed, it is notable that the discourse too quickly pointed the finger at hackers, rather than al Qaeda terrorists as would have been the default a decade back.

A key challenge in this new environment of fear is that terms like “cyber war” and “cyber Pearl Harbor” are tossed around today in politics and media with as much precision as the term “war” itself. There is a massive array of cyber threats out there, ranging from the 317 million distinct pieces of malware discovered by Symantec last year to credit card theft that has hit almost every major retail firm to advanced persistent threat campaigns that have penetrated literally every major corporation and government agency.

Many repeatedly use military terms to describe this diversity. For example, after someone (ahem, China) hacked the Office of Personnel Management (OPM), stealing records of over 21.5 million citizens, outlets that ranged from mass media like USA Today to partisan outlets like Commentary and National Review magazine to true D.C. geek sites like Federal Computer Weekly all claimed that this was the “Cyber Pearl Harbor” of the war that we are already in.

We are at cyberwar as much as the “War on Christmas” is an actual war.

Just as a glitch is not an attack, stealing data is not war. Depending on the goal and target, it is crime or espionage. No one likes to have their secrets stolen, but no nation has ever in history gone to war over lost secrets.

War—the real kind of war—not the way we use the term to describe everything from anti-drug to anti-Yuletide decoration campaigns, involves two key elements, mass violence and high-level politics. That is what distinguishes it from all the other wonderful human enterprises that range from crime to spying to even terrorism. Indeed, for all the talk of “cyber terrorism” and “cyber Pearl Harbor,” terms used over a half-million times according to Google, not a single person has been directly hurt or killed by a cyber attack, ever. (Cows, meanwhile, killed 22 people in the U.S. last year.)

That we have not seen the digital face of true conflict yet, however, does not mean that “cyber war will not take place” as recent academic works have claimed. The reason we have seen no cyber war in the past is that we haven’t seen actors with actual cyber capabilities go to war with each other. But as the great strategic thinker Bachman Turner would advise, “You ain’t seen nothing yet.”

The Context of War

What made people’s minds jump to worrying about the glitches being something bigger is that the geopolitical context around these worries is changing. Terrorism and instability within failed and failing states is certainly not going away, particularly in the Middle East, but a larger concern of statecraft has made a comeback.

Conflict between the great powers was something that many think was dead and buried with the end of the Cold War. The New York Times even argued just four years ago that it had gone “out of style.”

But times and fashions change quickly. In Europe, NATO and Russia are at their highest levels of tension and alert since the mid-1980s height of the Cold War. In the Pacific, the U.S. and China have had standoffs over disputed waters, underscoring a deeper arms race that the two have fully leaped into, with China buying more warships and warplanes than any other nation over the last several years, and the U.S. launching a new plan to “offset” China with a new generation of military technology. Both nations this last week released new security strategies; notably the Pentagon’s document both pointed out the growing importance of the cyber realm and that the risks of interstate war were “growing,” while China’s new national security law sought to expand state control over what it sees as emerging risks in cyberspace.

This is what made the kind of attack we saw against OPM so concerning, aside from the fact that it revealed OPM was using COBOL, a language that dates back to 1960. It points to a penetration of US government networks deeper in scale than most realized and a targeting of information that was not about economic competition, but rather of immense political value (most notably security clearance forms) if the nations ever came to blows. To compare this to concerns over the so-called “Cyber Caliphate” of ISIL sympathizers, their most noted exploits are things like hacking a US military command’s Twitter feed and posting pictures of a goat.

A hot international war is by no means inevitable—but nor is it inevitable that history would repeat itself and ensure that the brewing 21st Century’s Cold War never turns hot. Wars start by accident or design, but start all the same. As China’s regime newspaper advised just a few months ago, “The world war is a form of war that the whole world should face up to.”

These uncomfortable realities led us to write our new book Ghost Fleet, which explores what such a 21st century world war might look like. The scenario of a war between the U.S., China, and Russia is fortunately fiction (for now and we hope forever), but the book is backstopped by years of research. By playing out the scenario, we traced how such a war would be different from both the wars of today and the great wars of the past, in part because it would involve battles in all domains—including the realm of cyber, an area that wasn’t even imagined the last time great powers dueled. Establishing just how different actual cyber war would be from the uncomfortable and embarrassing episodes that we’ve seen so far also shows the much higher stakes that should lead us to get our house in order.

Cyber Kinetic War: When Code Hurts

Today, more than 100 of the world’s militaries have some sort of organization in place for cyber warfare. The geographic hubs range from the Fort Meade complex in Maryland, home of the NSA and Cyber Command, which houses more personnel than the Pentagon, to Datong Road in Shanghai, the reported home of Unit 61398, a Chinese unit linked to hacks on everything from US military communications to the internal emails of the New York Times. These organizations’ size, scale, training and budgets all differ, but they all share the same goals: In the words of the U.S. Air Force, the purpose of cyber warfare is “to destroy, deny, degrade, disrupt, [and] deceive,” while at the same time “defending” against the enemy’s use of cyberspace for the very same purpose. Among military planners, it’s known as the “Five D’s plus One.”

Interest in these kinds of operations is exploding within the U.S. military. In the 2012 U.S. defense budget, for instance, the word “cyber” appeared 12 times. This year, it appeared 147 times, with new funding for everything from hiring thousands of new contractors to efforts like the U.S. military’s “Plan X,” a $110 million program designed to “help war planners assemble and launch online strikes in a hurry and make cyber attacks a more routine part of U.S. military operations.” There is also a broader debate beginning in various militaries as to how such units should be organized, and even whether they should be structured under entirely new military services, akin to how units a century ago that fought in the air were originally put under the command of the Signal Corps, then the Army Air Corps, and finally their own Air Force.
