Most Americans who worry about cyberwarfare are concerned that it will be directed against the United States. But the truth is that cyber conflict is far more likely to involve smaller players — and the dangers associated with that possibility are just as real.
That's because war is more common in small, unstable areas, which is where most conflicts occur. The U.S. and other big powers — Russia and China, for instance — have pretty well-established diplomatic channels. Such hotlines are less common, for example, in Central Asia, where many nations trace their modern independence to the early 1990s, or in the Middle East, where a tit-for-tat skirmish between pro-Israeli and pro-Palestinian hackers broke out just last weekend.
Jeffrey Hunker, a Pittsburgh-based cybersecurity consultant who worked for the National Security Council under President Bill Clinton as senior director for critical infrastructure, said the problem is compounded by the fact that the appropriate response to a cyberattack hasn't yet been worked out.
Fighting in the fog
"Nobody can quite figure out rules for use of engagement and response," Hunker said. "When is it an act of war? What is the mechanism for deterrence? What is the doctrine for deterrence?"
The ambiguities could create big problems if a small "patriotic" group — such as the Russian-speaking hackers who attacked Estonian websites in 2007 — were to mount a hacking attack that caused real damage, all without the explicit support of a nation-state. Thus far, such attacks haven't provoked a military response.
But they might provoke such a response in the future. Hunker noted that the Pentagon's recently unclassified cyberwar strategy treats cyberattacks, no matter who launches them, as acts of war, and other countries may see them in the same light.
Then there's the problem of governance. Pakistan, for example, has state institutions that are comparatively weak. That leaves room for rogue actors within the system to attack other countries — perhaps India. The Pakistani government might deny involvement, but that doesn't mean India would believe it.
"The scope for someone to do something irrational is expanded," Hunker said.
Jeffrey Carr, chief executive officer of Taia Global, a security consulting firm based in McLean, Va., and an expert who blogs about cyberconflict, expects attacks by non-state actors in the near future.
"I think you'll see more of that in the next few years," Carr said. "You'll see an increase in religious or other fanatical groups that just want to destroy things."
Supplementing physical attacks
Carr said he sees cyberconflict as part of larger wars and struggles. He thinks there isn't any ultimate cyberweapon that would bring down an entire nation's infrastructure. But, he said, there are other kinds of attacks that can work in tandem with "real" military force and shade into espionage.
For example, the Israeli external intelligence agency Mossad reportedly used a Trojan to infect a computer belonging to Mahmoud Al-Mabhouh, a Hamas military commander. Mossad agents allegedly read his email, figured out his travel schedule and assassinated him in a Dubai hotel room in January 2010.
During the brief war between Russia and Georgia in August 2008, "patriotic" Russian hackers disrupted communications in Georgia, but that was part of a larger pattern of attacks involving real military hardware.
Both Hunker and Carr noted that cyberweapons of any kind are much cheaper than the usual military hardware and level the playing field somewhat. Destructive malware can be downloaded from the Internet, and it is often just a matter of devoting some time and resources to developing it further.
This is different from the days when small conflicts might be sponsored by larger powers. When the U.S. or China sells crates full of guns, they know that those guns will still be guns, even if terrorists turn them on the sellers.
A cyberattack, via malware or other code, might come from anywhere and be modified in a number of ways. And small conflicts are good laboratories for such modifications.
The fact that many countries have access to at least low-level cybercriminal technology means that police actions by powerful nations, such as the NATO intervention in Libya, might provoke a digital response by smaller states.
"Ten years from now ... there's an increased chance that the U.S. or NATO would get hit by something," Hunker said.
It isn't just attacks on infrastructure or a website that can make a group powerful.
"Al-Qaida is as powerful as they are because of cyber," Hunker said, noting that prior to the Internet, a group like al-Qaida might have stayed a small, local terrorist organization.
YouTube has also given al-Qaida and other militant Islamist groups an avenue for propaganda at little cost. That was not lost on the pro-Israel hackers who in 2008 attacked Hamas websites, or the mysterious American hacker known as The Jester, who has been attacking al-Qaida-affiliated recruitment sites.
Carr said that in order to reduce the danger that small, faraway conflicts could precipitate an attack against the U.S., there would have to be a rethinking of national cyberdefense that would scrap the "fortress" mentality in favor of a more focused set of solutions.
For example, the Department of Defense is experimenting with "microgrids" to power military bases — essentially localized power supplies. That would eliminate the possibility that a power grid attack could accomplish much.