The Pentagon has made clear in recent weeks that cyber warfare is no longer just a futuristic threat—it is now a real one. U.S. government agency and industry computer systems are already embroiled in a number of nasty cyber warfare campaigns against attackers based in China, North Korea, Russia and elsewhere. As a counterpoint, hackers with ties to Russia have been accused of stealing a number of Pres. Barack Obama’s e-mails, although the White House has not formally blamed placed any blame at the Kremlin’s doorstep. The Obama administration did, however, call out North Korea for ordering last year’s cyber attack on Sony Pictures Entertainment.
The battle has begun. “External actors probe and scan [U.S. Department of Defense (DoD)] networks for vulnerabilities millions of times each day, and over 100 foreign intelligence agencies continually attempt to infiltrate DoD networks,” Eric Rosenbach, assistant secretary for homeland defense and global security, testified in April before the U.S. Senate Committee on Armed Services, Subcommittee on Emerging Threats and Capabilities. “Unfortunately, some incursions—by both state and nonstate entities—have succeeded.”
After years of debate as to how the fog of war will extend to the Internet, Obama last month signed an executive order declaring cyber attacks launched from abroad against U.S. targets a “national emergency” and levying sanctions against those responsible. Penalties include freezing the U.S. assets of cyber attackers and those aiding them as well as preventing U.S. residents from conducting financial transactions with those targeted by the executive order.
Deterrence of this type can only go so far, of course, which is why the DoD last month issued an updated version of its cyber strategy for engaging its adversaries online. The plan outlines Defense’s efforts to shore up government networks, systems and information as well as those run by U.S. companies.
If cyber attacks continue to increase at the current rate, they could destabilize already tense world situations, says O. Sami Saydjari, a former Pentagon cyber expert who now runs a consultancy called the Cyber Defense Agency. “Nations must begin to create real consequences for malicious action in cyberspace because they are leading, in aggregate, to serious damage, and there is potential for much larger damage than we have seen so far,” he adds.
A major part of the DoD’s cyber strategy is to bolster the Pentagon’s “cyber mission force,” which the department began forming in 2013 to carry out its operations in cyberspace. Although the unit will not be fully operational before 2018 the unit is expected to have nearly 6,200 military, civilian and contractors—divided into 13 teams—working across various military departments and defense agencies to “hunt down online intruders,” Defense Secretary Ashton Carter said last month during a lecture delivered at Stanford University.
The strategy does not go into detail about which digital weapons the cyber mission force will deploy to fight its campaigns. That information can instead be gleaned from the malicious software—“malware”—already rampant on the Internet as well as military technologies designed to disrupt digital communications. The Stuxnet worm that sabotaged Iran’s Natanz uranium enrichment plant in November 2007 is an early example of cyber war weaponry. No one has officially claimed ownership of Stuxnet although much speculation points to the U.S. and Israel as its authors. A related piece of strategic malware known as Flame is subtler, stealthily gathering information and transmitting it via Bluetooth while avoiding detection.
The components of cyber warfare are the very same components as warfare using guns and explosives, only much faster, Saydjari says. An attacker would seek to damage a critical infrastructure such as power, telecommunications or banking by damaging the computer systems that control those infrastructures. “The instrument of creating that damage is generally some form of malicious software that is inserted into such systems by a variety of means including hacking into the system by taking advantage of some known but as yet unpatched or as yet undiscovered vulnerability,” he adds.
China recently admitted that it has both military and civilian teams of programmers developing digital weapons, and documents disclosed by National Security Agency whistle-blower Edward Snowden indicate China has developed malware to attack U.S. Defense Department computers and even steal sensitive information about the F-35 Lightning II fighter plane that Lockheed Martin is developing for the U.S. Air Force. “All technically savvy countries are developing both offensive and defensive capabilities to prepare for the potential of cyber conflict both by itself and as one aspect of broader conflicts including kinetic warfare, which involves bombs and bullets,” Saydjari says. “The goal of many such countries is to be able to exercise complete dominance and control over any part of cyberspace, anywhere and anytime it serves their national interests.”
The Air Force Research Laboratory is soliciting projects that could furnish cyber deception capabilities for use by commanders to “provide false information, confuse, delay or otherwise impede cyber attackers to the benefit of friendly forces.” Another aspect of cyber warfare could be the use of cyber electromagnetic activities to “seize, retain and exploit an advantage over adversaries and enemies in both cyberspace and the electromagnetic spectrum,” according to a U.S. Army report on the subject. Electromagnetic attacks have already struck in South Korea where more than 500 aircraft flying in and out of that country’s Incheon and Gimpo airports reported GPS failures in 2010, IEEE Spectrum reported in 2014. The source of the electromagnetic fields was traced to the North Korean city of Kaesong, about 50 kilometers north of Incheon.
Cyber war itself may be difficult to define but cyber treaties pose an even bigger challenge. “In some sense it is a bit like asking bank robbers in the old wild West to negotiate a non–bank-robbing treaty,” Saydjari says. “Many countries are benefiting from the lack of rules. Many countries are exploring this new arena of warfare and do not quite understand it well enough to agree to stop exploring it.”
Even more importantly, he adds, it is very difficult to attribute responsibility to actions within cyberspace because of its complexity, “so imposing consequences to treaty violation would be problematic.”