Do We Need An Offensive Cyber Warfare Capability?
I’ve been ruminating on this subject for some time and this article by James Fallows in The Atlantic has finally spurred me to comment on it. In the article Fallows muses about the likelihood and dangers of China’s waging cyber warfare on the United States:
The cyber threat is the idea that organizations or individuals may be spying on, tampering with, or preparing to inflict damage on America’s electronic networks. Google’s recent announcement of widespread spying “originating from China” brought attention to a problem many experts say is sure to grow. China has hundreds of millions of Internet users, mostly young. In any culture, this would mean a large hacker population; in China, where tight control and near chaos often coexist, it means an Internet with plenty of potential outlaws and with carefully directed government efforts, too.
Like Fallows I am skeptical indeed about China as a conventional military threat but, also like him, I think that the potential threat of cyber warfare is something we need to take more seriously.
Although the recent Google-China contretemps was much in the news, much of the coverage focused on Google’s complicity with censorship in China and relatively little attention appeared to be paid to the cyber espionage aspect of the case:
Google’s carefully worded announcement last week that it had experienced “a highly sophisticated and targeted” cyberattack in China caught the attention of both human-rights advocates and industrial espionage experts, though for quite different reasons.
Activists focused on a Google statement that a primary goal of the attack had been to access the Gmail accounts of Chinese dissidents. Espionage experts, however, were drawn to Google’s acknowledgment that the cyberattack “resulted in the theft of intellectual property.”
WASHINGTON (Reuters) — Internet search firm Google is finalizing a deal that would let the National Security Agency help it investigate a corporate espionage attack that may have originated in China, the Washington Post reported on Thursday.
The aim of the investigation is to better defend Google, the world’s largest Internet search company, and its users from future attacks, the Post said, citing anonymous sources with knowledge of the arrangement.
The sources said Google’s alliance with the NSA — the intelligence agency is the world’s most powerful electronic surveillance organization — would be aimed at letting them share critical information without violating Google’s policies or laws that protect the privacy of online communications.
or, said another way, the technical resources of Google are insufficient to shield them from the attacks they’re seeing.
Google is not the only company that has seen sophisticated cyber attacks recently:
Source code was stolen from some of more than 30 Silicon Valley companies targeted in the attack, sources said. Adobe Systems has confirmed that it was targeted by an attack, and sources have said Yahoo, Symantec, Juniper Networks, Northrop Grumman, and Dow Chemical also were targets.
nor are technology companies the only ones experiencing concerted attacks:
At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.
The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show.
State-sponsored cyber warfare isn’t new. You may recall the apparently Russian-sponsored attacks against the government of Estonia in 2007:
A three-week wave of massive cyber-attacks on the small Baltic country of Estonia, the first known incidence of such an assault on a state, is causing alarm across the western alliance, with Nato urgently examining the offensive and its implications.
While Russia and Estonia are embroiled in their worst dispute since the collapse of the Soviet Union, a row that erupted at the end of last month over the Estonians’ removal of the Bronze Soldier Soviet war memorial in central Tallinn, the country has been subjected to a barrage of cyber warfare, disabling the websites of government ministries, political parties, newspapers, banks, and companies.
Nato has dispatched some of its top cyber-terrorism experts to Tallinn to investigate and to help the Estonians beef up their electronic defences.
while the “Titan Rain” incidents appear to have been the work of Chinese military hackers directed against U. S. military targets. Such attacks continue and are quite extensive, amounting to millions of attempts on a daily basis:
The U.S. Department of Defense network structure is reported to be constantly subjected to probes by a multitude of Chinese hackers hoping to overwhelm the system. Disruption of U.S. systems in time of war – principally a short Chinese offensive against Taiwan in which U.S. response time would be delayed – and the narrowing of the technological divide between the two countries are the primary goals of the PLA. Such activity also provides the PLA with an offensive reach extending into the heart of the U.S. at very little nominal cost.
For the perpetrators, the beauty of cyberwarfare is not just the favorable cost-versus-benefits ratio, but the inability of the victim to provide solid proof of their involvement. Because cyberwarfare occurs in an unregulated battle-space and tracing attacks back to the original source remains so elusive, as the Chinese have shown, states can hide behind ‘rogue’ hackers and utilize massed attacks on networks.
State-sponsored attacks against military targets are one thing. Espionage by one state against another is as old as warfare or as states. I see state-sponsored industrial espionage as having a very different character. As Google has found, however technically sophisticated or wealthy a company is, it is hard for it to match the resources of a state, particularly a state as large as China.
Recently, DNI Dennis Blair warned of the dangers of these cyber attacks before a Congressional committee:
The chief of US national intelligence warned Wednesday that America’s “cyber defenders” are not yet able to guard national networks against the threat of attack. The comment follows revelations that California-based Google and three major US oil companies may have been compromised by overseas hackers.
Speaking to a congressional committee, Director of National Intelligence Dennis Blair said that hackers are becoming more sophisticated and that the “technological balance” favors those looking to use cyberspace maliciously. He highlighted that the threat affects not only private company networks but also national security, reports Fox News.
I think there are several steps that need to be taken. First, we should support an international accord on cyber warfare. Something of the sort was promoted at Davos by International Telecommunication Union (ITU) secretary-general Hamadoun Toure:
DAVOS, Switzerland — The world needs a treaty to prevent cyber attacks becoming an all-out war, the head of the main UN communications and technology agency warned Saturday.
International Telecommunications Union secretary general Hamadoun Toure gave his warning at a World Economic Forum debate where experts said nations must now consider when a cyber attack becomes a declaration of war.
With attacks on Google from China a major talking point in Davos, Toure said the risk of a cyber conflict between two nations grows every year.
He proposed a treaty in which countries would engage not to make the first cyber strike against another nation.
“A cyber war would be worse than a tsunami — a catastrophe,” the UN official said, highlighting examples such as attacks on Estonia last year.
He proposed an international accord, adding: “The framework would look like a peace treaty before a war.”
Countries should guarantee to protect their citizens and their right to access to information, promise not to harbour cyber terrorists and “should commit themselves not to attack another.”
Clearly, as the examples given above indicate, we need to develop a more robust defensive capability against cyber attacks on U. S. government, military, and commercial interests. The matter is beyond the capabilities of individual agencies or companies.
However, I also think we need to consider developing a robust offensive capability. The analogy I’d make is this. Imagine that our navy only had the capabilities of, say, a coast guard: rescues, interdiction of smugglers, and the like. How would such a navy fare against an opposing navy with a full offensive capability, destroyers, battleships, aircraft carriers? Not well, I would think.
Such a capability would provide us with deterrence that we’re lacking now via negative reciprocity, i.e. we won’t go after your companies and infrastructure if you won’t go after ours.
Additionally, a robust cyber warfare offensive capability would add another dimension to our defensive capability by giving us additional ways of thinking.
So, I’ll open up the question to the floor. Should we develop an offensive cyber warfare capability?