Do We Need An Offensive Cyber Warfare Capability?

I’ve been ruminating on this subject for some time and this article by James Fallows in The Atlantic has finally spurred me to comment on it. In the article Fallows muses about the likelihood and dangers of China’s waging cyber warfare on the United States:

The cyber threat is the idea that organizations or individuals may be spying on, tampering with, or preparing to inflict damage on America’s electronic networks. Google’s recent announcement of widespread spying “originating from China” brought attention to a problem many experts say is sure to grow. China has hundreds of millions of Internet users, mostly young. In any culture, this would mean a large hacker population; in China, where tight control and near chaos often coexist, it means an Internet with plenty of potential outlaws and with carefully directed government efforts, too.

Like Fallows I am skeptical indeed about China as a conventional military threat but, also like him, I think that the potential threat of cyber warfare is something we need to take more seriously.

Although the recent Google-China contretemps was much in the news, much of the coverage focused on Google’s complicity with censorship in China and relatively little attention appeared to be paid to the cyber espionage aspect of the case:

Google’s carefully worded announcement last week that it had experienced “a highly sophisticated and targeted” cyberattack in China caught the attention of both human-rights advocates and industrial espionage experts, though for quite different reasons.

Activists focused on a Google statement that a primary goal of the attack had been to access the Gmail accounts of Chinese dissidents. Espionage experts, however, were drawn to Google’s acknowledgment that the cyberattack “resulted in the theft of intellectual property.”

and Google is taking that very seriously:

WASHINGTON (Reuters) — Internet search firm Google is finalizing a deal that would let the National Security Agency help it investigate a corporate espionage attack that may have originated in China, the Washington Post reported on Thursday.

The aim of the investigation is to better defend Google, the world’s largest Internet search company, and its users from future attacks, the Post said, citing anonymous sources with knowledge of the arrangement.

The sources said Google’s alliance with the NSA — the intelligence agency is the world’s most powerful electronic surveillance organization — would be aimed at letting them share critical information without violating Google’s policies or laws that protect the privacy of online communications.

or, said another way, the technical resources of Google are insufficient to shield them from the attacks they’re seeing.

Google is not the only company that has seen sophisticated cyber attacks recently:

Source code was stolen from some of more than 30 Silicon Valley companies targeted in the attack, sources said. Adobe Systems has confirmed that it was targeted by an attack, and sources have said Yahoo, Symantec, Juniper Networks, Northrop Grumman, and Dow Chemical also were targets.

nor are technology companies the only ones experiencing concerted attacks:

At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.

The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show.

State-sponsored cyber warfare isn’t new. You may recall the apparently Russian-sponsored attacks against the government of Estonia in 2007:

A three-week wave of massive cyber-attacks on the small Baltic country of Estonia, the first known incidence of such an assault on a state, is causing alarm across the western alliance, with Nato urgently examining the offensive and its implications.

While Russia and Estonia are embroiled in their worst dispute since the collapse of the Soviet Union, a row that erupted at the end of last month over the Estonians’ removal of the Bronze Soldier Soviet war memorial in central Tallinn, the country has been subjected to a barrage of cyber warfare, disabling the websites of government ministries, political parties, newspapers, banks, and companies.

Nato has dispatched some of its top cyber-terrorism experts to Tallinn to investigate and to help the Estonians beef up their electronic defences.

while the “Titan Rain” incidents appear to have been the work of Chinese military hackers directed against U. S. military targets. Such attacks continue and are quite extensive, amounting to millions of attempts on a daily basis:

The U.S. Department of Defense network structure is reported to be constantly subjected to probes by a multitude of Chinese hackers hoping to overwhelm the system. Disruption of U.S. systems in time of war – principally a short Chinese offensive against Taiwan in which U.S. response time would be delayed – and the narrowing of the technological divide between the two countries are the primary goals of the PLA. Such activity also provides the PLA with an offensive reach extending into the heart of the U.S. at very little nominal cost.

For the perpetrators, the beauty of cyberwarfare is not just the favorable cost-versus-benefits ratio, but the inability of the victim to provide solid proof of their involvement. Because cyberwarfare occurs in an unregulated battle-space and tracing attacks back to the original source remains so elusive, as the Chinese have shown, states can hide behind ‘rogue’ hackers and utilize massed attacks on networks.

State-sponsored attacks against military targets are one thing. Espionage by one state against another is as old as warfare or as states. I see state-sponsored industrial espionage as having a very different character. As Google has found, however technically sophisticated or wealthy, it is hard for any company to match the resources of a state, particularly a state as large as China.

Recently, DNI Dennis Blair warned of the dangers of these cyber attacks before a Congressional committee:

The chief of US national intelligence warned Wednesday that America’s “cyber defenders” are not yet able to guard national networks against the threat of attack. The comment follows revelations that California-based Google and three major US oil companies may have been compromised by overseas hackers.

Speaking to a congressional committee, Director of National Intelligence Dennis Blair said that hackers are becoming more sophisticated and that the “technological balance” favors those looking to use cyberspace maliciously. He highlighted that the threat affects not only private company networks but also national security, reports Fox News.

I think there are several steps that need to be taken. First, we should support an international accord on cyber warfare. Something of the sort was promoted at Davos by International Telecommunication Union (ITU) secretary-general Hamadoun Toure:

DAVOS, Switzerland — The world needs a treaty to prevent cyber attacks becoming an all-out war, the head of the main UN communications and technology agency warned Saturday.

International Telecommunications Union secretary general Hamadoun Toure gave his warning at a World Economic Forum debate where experts said nations must now consider when a cyber attack becomes a declaration of war.

With attacks on Google from China a major talking point in Davos, Toure said the risk of a cyber conflict between two nations grows every year.

He proposed a treaty in which countries would engage not to make the first cyber strike against another nation.

“A cyber war would be worse than a tsunami — a catastrophe,” the UN official said, highlighting examples such as attacks on Estonia last year.

He proposed an international accord, adding: “The framework would look like a peace treaty before a war.”

Countries should guarantee to protect their citizens and their right to access to information, promise not to harbour cyber terrorists and “should commit themselves not to attack another.”

Clearly, as the examples given above indicate, we need to develop a more robust defensive capability against cyber attacks on U. S. government, military, and commercial interests. The matter is beyond the capabilities of individual agencies or companies.

However, I also think we need to consider developing a robust offensive capability. The analogy I’d make is this. Imagine that our navy only had the capabilities of, say, a coast guard: rescues, interdiction of smugglers, and the like. How would such a navy fare against an opposing navy with a full offensive capability, destroyers, battleships, aircraft carriers? Not well, I would think.

Such a capability would provide us with deterrence that we’re lacking now via negative reciprocity, i.e. we won’t go after your companies and infrastructure if you won’t go after ours.

Additionally, a robust cyber warfare offensive capability would provide another dimension in bolstering our defensive capability, additional ways of thinking.

So, I’ll open up the question to the floor. Should we develop an offensive cyber warfare capability?

FILED UNDER: Asia, National Security, Science & Technology, Terrorism
Dave Schuler
About Dave Schuler
Over the years Dave Schuler has worked as a martial arts instructor, a handyman, a musician, a cook, and a translator. He's owned his own company for the last thirty years and has a post-graduate degree in his field. He comes from a family of politicians, teachers, and vaudeville entertainers. All-in-all a pretty good preparation for blogging. He has contributed to OTB since November 2006 but mostly writes at his own blog, The Glittering Eye, which he started in March 2004.

Comments

  1. Should we develop an offensive cyber warfare capability?

    I assume we already have.

  2. mpw280 says:

    Apparently Tom Clancy does, he has a line of books devoted to it. Maybe someone in the government needs to start using his books as a blueprint for the safety and security of the US. The idea that we have produced some of the best hacker minds in the world and can’t use them to keep Chinese and Russian hackers out of our computers is unreal. Maybe we need to work on alternate sentencing for hackers, if you get caught you do time in the military having all the fun in the world taking apart the Chinese and Russian computer systems. Since the world sees our computers as their playground, maybe we need to start playing as well. mpw

  3. Eric Florack says:

    I also assume we already have, but I suppose that what force we bring to that table is less robust than it could be. We have an entire community of hackers and whatnot we could be making use of to this end. It’s my guess we’re not.

  4. Dave Schuler says:

    I assume we already have.

    Either we don’t have one, it’s not effective, or the folks in Washington don’t understand deterrence.

  5. Herb says:

    Should we develop an offensive cyber warfare capability?

    At the risk of sounding totally ignorant on this subject…

    Define “offensive cyber warfare capability.”

  6. sam says:

    Should we develop an offensive cyber warfare capability?

    Absolutely.

    Define “offensive cyber warfare capability.”

    Simply, you have the capability of effing up someone else’s networks. Or getting into said networks and stealing stuff. Or altering stuff. Or putting stuff in there that makes their stuff our stuff. And so on.

  7. FWIW, from one of my previous lives, perhaps I was too coy in calling it an assumption regarding the existence of our cyber warfare capabilities, but any discussion of the extent and use of these capabilities is an entirely different matter. This is kind of a classic case of having a weapon that you won’t really know if it works until it is used, and there’s no real good way to field test it under “live fire” conditions. You can test some aspects of its use, but nobody wants to start a real war. Deterrence in this context is rather difficult since it may not be state approved actors you are fighting, so to speak. Kind of like the war on terrorism when you think about it. Of course, it can still be true that the folks in Washington wouldn’t understand deterrence in any case. Extending the usual war analogies and metaphors doesn’t work very well in this arena.

    There seems to be some confusion by conflating defensive measures with offensive measures when it comes to cyber warfare. Preventing attacks is a very different problem than launching them. As with most everything in this life, it is much easier to destroy something than to build it and protect it.

  8. Franklin says:

    I vote yes.

    I also vote to have all government agency passwords not be “password”:

    Low security Alberta budget website

  9. Ole_Sarge says:

    I assume we already have.

    Either we don’t have one, it’s not effective, or the folks in Washington don’t understand deterrence.

    [I]t’s not effective, or the folks in Washington don’t understand deterrence

    Right now either of those two answers is correct (I’m thinking it is BOTH of them).

  10. Mr. Prosser says:

    “. . .in China, where tight control and near chaos often coexist, it means an Internet with plenty of potential outlaws and with carefully directed government efforts, too.” I think this quote can sum up the Western Internet environment also. If our government is engaged in offensive cyber tactics (I also assume it is) it may not be taking advantage of the outlaws. Knowing how turf defense in government works there may not be the necessary sharing of info and tactics required for a comprehensive offensive and defensive program. Like it or not, the government may need to involve the outlaws. It’s obvious that industry is already seeking help and cooperation. The downside, of course, is privacy for Internet users. Also, any sort of “treaty” is a waste since any government can hide behind a screen of outlaw hackers.

  11. Eric Florack says:

    If our government is engaged in offensive cyber tactics (I also assume it is) it may not be taking advantage of the outlaws.

    Exactly my thought. Well put.

  12. Herb says:

    Simply, you have the capability of effing up someone else’s networks. Or getting into said networks and stealing stuff. Or altering stuff. Or putting stuff in there that makes their stuff our stuff. And so on.

    Hmmm….still too vague for me. If that’s the plan and I was the president, I’d say no, not until I have more details.

  13. Boyd says:

    Since its inception, NSA’s mission has traditionally been two-fold: electronic collection of intelligence concerning foreign governments, and protecting the United States’ own information from foreign electronic intelligence-gathering efforts.

    To my mind, if NSA is involved in protecting our government networks from foreign intrusion, they are undoubtedly trying to find ways to intrude into the networks of foreign governments. As always, what you learn from your efforts on one end of that equation helps out what you’re doing on the other end.