In the early days of the Internet, optimists projected that it would usher in an era of unprecedented peace and prosperity. Maybe this will happen yet, but currently the net is proving to be a powerful tool in the hands of criminals and terrorists. On top of the rising number of globally based online thieves bent on stealing our identities and money, a growing cadre of state and nonstate actors are adding to their traditional arsenals Internet weapons that can be unleashed in cyber attacks.
The appropriation of cyber weapons emerged in the 1980s when hackers began using computer viruses and worms as platforms of protest. One of the most damaging attacks was the infection of NASA's computer network with the WANK (Worms Against Nuclear Killers) worm in 1989. At the time of the attack, antinuclear activists were protesting the launch of a space shuttle that carried the Galileo spacecraft—the Jupiter-bound space probe was powered by a radioisotope thermoelectric generator fueled with radioactive plutonium. The protestors failed to stop the launch, but it took a month to eradicate the worm from NASA's computers, costing the space agency an estimated half million dollars in wasted time and resources.
The introduction of the Web in the 1990s brought with it new forms of digital protest, including defacements of Web sites with political and social messages and denial-of-service (D-o-S) attacks that disrupt access to target sites by flooding them with useless traffic. Often, the activists claim credit for their attacks. Although many are the work of lone individuals or small teams, groups such as the New York City–based Electronic Disturbance Theater (EDT) sponsor massive online "Web sit-ins," during which participants flood target sites with traffic at a specified time. EDT's early actions in the late '90s were designed to support the Zapatista rebels at war with the Mexican government, but their later attacks were motivated by other causes, such as the March 2008 Web sit-in against nanotech and biotech firms, because "their science is driven by the war [in Iraq] and drives the war."
Many cyber attacks are the work of patriotic citizens who hack to defend their countries, although they are not under the command and control of their governments. Chinese hackers have been among the most active, frequently defacing Taiwanese, Japanese and U.S. Web sites—the latter, for example, in response to the accidental bombing of their embassy in Belgrade during the Kosovo conflict in 1999 and the spy plane incident in 2001. U.S. hackers retaliated against Chinese sites. Pakistani hackers have hit Israeli and Indian Web sites over the conflicts in the Middle East and Kashmir, respectively. Russian hackers have been slower to engage in political protests, but their D-o-S attacks against Estonian Web sites in 2007 over the moving of a Soviet-era war memorial showed their ability to mobilize and shut down targeted Web sites, including those of banks. Soon, every interstate conflict, however minor, may be accompanied by some form of hacker war that is beyond the control of ruling governments.
Hackers have also aligned themselves with terrorist groups, including al Qaeda and the global jihad associated with it. After U.S. forces invaded Afghanistan in late 2001, a group of Pakistani hackers calling themselves the al Qaeda Alliance Online started defacing U.S. government Web sites with messages praising Osama bin Laden and condemning the U.S. invasion. That group disappeared, but others have taken its place, launching cyber attacks against U.S. and other Western sites in response to such incidents as the war in Iraq, publication of the Danish cartoons satirizing the prophet Muhammad, and the U.S. treatment of prisoners at Guantanamo Bay, Cuba. This "electronic jihad" is promoted on jihadist Web forums that coordinate the attacks and distribute information and software tools for hacking. The attacks have not been serious enough to warrant the label "cyber terrorism," but the potential is there for causing considerable damage against critical infrastructures such as power grids and oil and gas systems.
Although most of the conflict-related cyber attacks taking place today appear to originate with nonstate actors, governments have been blamed for launching some of them. China especially is fingered, but the Kremlin was accused of being behind the Estonian assault. Whereas the Chinese and Russian protest attacks were most likely the work of patriotic hackers operating on their own, it is possible these governments supported their efforts, or at least turned a blind eye. Regardless, most major governments are developing a cyber warfare capability, though details remain closely guarded secrets. If there is a silver lining, it is that cyber warfare may produce fewer casualties than conventional conflict as well as damage that is more quickly repaired. Instead of bombing a telecommunications hub and killing those in the vicinity, the objective of disrupting enemy communications on the battlefield might also be achieved through a cyber attack. Although a cyber attack, say against a power generator or military communications hub, could lead to casualties, in the near term, at least, physical weapons are far more lethal.
Addressing the cyber attacks against U.S. targets has been a challenge. Clearly, we need to defend our networks and computers, but this is not a problem the government alone can solve any more than it can defend our homes and offices from burglars. Rather, it requires knowledge and diligence on the part of each of us, along with considerable support from industry, such as more secure software. Industry efforts such as Microsoft's Trustworthy Computing Initiative help, but much remains to be done.
Government can help in four areas: defending its own networks; establishing and enforcing the law in cyberspace; promoting security through regulation and incentives; and funding research and education in security. Of these, the U.S. government has most effectively met the last objective, perhaps because it is the easiest to accomplish. It has also been successful in creating cyberspace law, though enforcement has been problematic owing to the difficulty of tracing and investigating cyber attacks, especially when they cross international borders. Yet effective law enforcement is critical for deterrence.
As for defending its own networks, many government agencies continue to flunk security assessments or succumb to cyber attacks, so there is ample room for improvement. Although the government has helped promote security in the private sector, it has generally avoided regulation, which in the end may become necessary, at least for software that controls crucial infrastructural and life-critical systems.
The White House's Comprehensive National Cybersecurity Initiative, a multiagency, multiyear plan established in January by the U.S. Department of Homeland Security, may address some of these needs. The plan calls for the government to set up a National Cyber Security Center to coordinate and integrate information for protecting U.S. networks and promoting collaboration among federal cyber groups. The jury is still out, however, on whether the initiative will be up to the task of strengthening the nation's cyber security posture.