Information Warfare Monitor » James Lewis

Cyberwar declared as China hunts for the West’s intelligence secrets

gwalton — Mon, 08 Mar 2010 20:48:29 +0000

Source: Michael Evans, Giles Whittell, The Times:

Urgent warnings have been circulated throughout Nato and the European Union for secret intelligence material to be protected from a recent surge in cyberwar attacks originating in China.

The attacks have also hit government and military institutions in the United States, where analysts said that the West had no effective response and that EU systems were especially vulnerable because most cyber security efforts were left to member states.

Nato diplomatic sources told The Times: “Everyone has been made aware that the Chinese have become very active with cyber-attacks and we’re now getting regular warnings from the office for internal security.” The sources said that the number of attacks had increased significantly over the past 12 months, with China among the most active players.

In the US, an official report released on Friday said the number of attacks on Congress and other government agencies had risen exponentially in the past year to an estimated 1.6 billion every month.

Sources at the Office for Cyber Security at the Cabinet Office in London, set up last year, said there were two forms of attack: those focusing on disrupting computer systems and others involving “fishing trips” for sensitive information. A special team has been set up at GCHQ, the government communications headquarters in Gloucestershire, to counter the growing cyber-threat affecting intelligence material. The team becomes operational this month.

British and American cyber defences are among the most sophisticated in the world, but “the EU is less competent”, James Lewis, of the Centre for Strategic and International Studies, said. “The porousness of the European institutions makes them a good target for penetration. They are of interest to the Chinese on issues from arms sales and nuclear non-proliferation to Tibet and energy.”

The lack of routine intelligence sharing between the US and the EU also contributes to the vulnerability of European systems, another analyst said. “Because of Britain’s intelligence-sharing relationship with America our systems have to be up to their standards in a way that some of the European systems don’t,” he explained.

Jonathan Evans, Director-General of MI5, warned in 2007 that several states were actively involved in large-scale cyber-attacks. Although he did not specify which states were involved, security officials have indicated that China now poses the gravest threat. Beijing has denied making such attacks.

Robert Mueller, FBI Director, has warned that, in addition to the danger of foreign states making cyber-attacks, al-Qaeda could in the future pose a similar threat. In a speech to a security conference last week, Mr Mueller said terrorist groups had used the internet to recruit members and to plan attacks, but added: “Terrorists have \ shown a clear interest in pursuing hacking skills and they will either train their own recruits or hire outsiders with an eye towards combining physical attacks with cyber-attacks.”

He said that a cyber-attack could have the same impact as a “well-placed bomb”. Mr Mueller also accused “nation-state hackers” of seeking out US technology, intelligence, intellectual property and even military weapons and strategies.To help to fight the growing threat, the Office of Cyber Security, set up last year as part of the Government’s national security strategy, liaises with America’s so-called cyber czar, Howard Schmidt, who was appointed by President Obama to protect sensitive government computers.

British officials said that everyone in sensitive jobs had been warned to be especially cautious about disseminating intelligence and other classified information. Whether British intelligence is involved in retaliatory attacks is never confirmed. However, officials said that there was a significant difference between being part of an information war and indulging in aggressive attacks to disrupt another country’s computer systems.

Dr Lewis said that neither the US nor any of its Western allies had formed an effective response to the Chinese threat, which has its origins in a massive boost to Chinese technology ordered by Deng Xiaoping, the late Chinese leader, in 1986. The West’s own cyber offensives have so far been directed largely at terrorists rather than nation states, giving China virtually free rein to penetrate Western systems with its own world-class hackers and increasingly popular Chinese-made components. “You almost have to admire them,” Dr Lewis said. “They have been very consistent in their goals.”

US would lose cyberwar: former intel chief

gwalton — Thu, 25 Feb 2010 22:54:36 +0000

“We will not mitigate this risk,” added McConnell, now an executive vice president for consulting firm Booz Allen Hamilton’s national security business. “And as a consequence of not mitigating this risk, we are going to have a catastrophic event.”
Tuesday’s hearing came a little over a month after Internet giant Google revealed that it and other US companies had been the target of a series of sophisticated cyberattacks originating in China.
“National security and our economic security are at stake,” said Democratic Senator Jay Rockefeller, the panel’s chairman and a co-sponsor of a bill seeking to bolster public and private sector cybersecurity cooperation.
“A major cyberattack could shut down our nation’s most critical infrastructure — our power grid, telecommunications, financial services.”
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said that government intervention would probably be needed to crack down on the “Wild West” the Internet has become.
The greatest threat to the United States comes from cyber espionage and cyber crime, he said, calling them a “major source of harm to national security.”
“We have lost more as a nation to espionage than at any time since the 1940s,” Lewis said.
Scott Borg, director of the US Cyber Consequences Unit, also warned of the economic damage from cyberattacks.
“Cyberattacks are already damaging the American economy much more than is generally recognized,” said Borg, whose independent research institute investigates the economic and strategic consequences of cyberattacks.
“The greatest damage to the American economy from cyberattacks is due to massive thefts of business information.
“This type of loss is delayed and hard to measure, but it is much greater than the losses due to personal identity theft and the associated credit card fraud,” he added.
In his prepared remarks, McConnell said the United States needs a “national strategy for cyber that matches our national strategy that guided us during the Cold War, when the Soviet Union and nuclear weapons posed an existential threat to the United States and its allies.”
He pointed to US President Barack Obama’s appointment of a cybersecurity coordinator in December and his national cybersecurity initiative as moves in the right direction, but said they were not enough.
“The federal government will spend more each year on missile defense than it does on cybersecurity,” he said, despite the potential for attacks that “could destroy the global financial system and compromise the future and prosperity of our nation.”
In order to secure cyberspace, McConnell suggested the United States provide a “more robust commitment” in leadership, policies, legislation and resources.
He called for establishing a National Cybersecurity Center modeled after the National Counter Terrorism Center set up after the September 11, 2001 attacks on New York and Washington.
The center would integrate elements of the Pentagon’s proposed Cyber Command, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and the cyber operations of the Federal Bureau of Investigation, state and local governments and the private sector.
It would also serve as “the hub of information sharing and integration, situational awareness and analysis, coordination and collaboration,” McConnell said.
Copyright © 2010 AFP. All rights reserved.

James Fallows: Cyber Warriors

gwalton — Tue, 09 Feb 2010 21:41:52 +0000

Early in my time in China, I learned a useful lesson for daily life. In the summer of 2006, I saw a contingent of light-green-shirted People’s Liberation Army soldiers marching in formation down a sidewalk on Fuxing Lu in Shanghai, near the U.S. and Iranian consulates. They looked so crisp under the leafy plane trees of the city’s old colonial district that I pulled out a camera to take a picture of them—and, after pushing the button, had to spend the next 60 seconds running at full tilt away from the group’s leader, who pursued me yelling in English “Stop! No photo! Must stop!” Fortunately he gave up after scaring me off.

The practical lesson was to not point a camera toward uniformed groups of soldiers or police. The broader hint I took was to be more careful when asking about or discussing military matters than when asking about most other aspects of modern China’s development. I did keep asking people in China—carefully—about the potential military and strategic implications of their country’s growing strength. Ever since the collapse of the Soviet Union and consequent disappearance of the U.S. military’s one superpower rival, Western defense strategists have speculated about China’s emergence as the next great military threat. (In 2005, this magazine published Robert Kaplan’s cover story “How We Would Fight China,” about such a possibility. Many of the international-affairs experts I interviewed in China were familiar with that story. I often had to explain that “would” did not mean “will” in the article’s headline.)

The cynical view of warnings about a mounting Chinese threat is that they are largely Pentagon budget-building ploys: if the U.S. military is “only” going to fight insurgents and terrorists in the future, it doesn’t really need the next generation of expensive fighter planes or attack submarines. Powerful evidence for this view—apart from familiarity with Pentagon budget debates over the years—is that many of the neoconservative thinkers who since 9/11 have concentrated on threats from Iraq, Afghanistan, and Iran were before that time writing worriedly about China. The most powerful counterargument is that China’s rise is so consequential and unprecedented in scale that it would be naive not to expect military ramifications. My instincts lie with the skeptical camp: as I’ve often written through the past three years, China has many more problems than most Americans can imagine, and its power is much less impressive up close. But on my return to America, I asked a variety of military, governmental, business, and academic officials about how the situation looks from their perspective. In most ways, their judgment was reassuringly soothing; unfortunately, it left me with a new problem to worry about.

Without meaning to sound flip, I think the strictly military aspects of U.S.-China relations appear to be something Americans can rest easy about for a long time to come. Hypercautious warnings to the contrary keep cropping up, especially in the annual reports on China’s strategic power produced since 2000 by the Pentagon each spring and by the U.S.-China Economic and Security Review Commission each fall. Yet when examined in detail, even these show the limits of the Chinese threat. To summarize:

• In overall spending, the United States puts between five and 10 times as much money into the military per year as China does, depending on different estimates of China’s budget. Spending does not equal effectiveness, but it suggests the difference in scale.

• In sophistication of equipment, Chinese forces are only now beginning to be brought up to speed. For instance, just one-quarter of its naval surface fleet is considered “modern” in electronics, engines, and weaponry.

• In certain categories of weaponry, the Chinese don’t even compete. For instance, the U.S. Navy has 11 nuclear-powered aircraft-carrier battle groups. The Chinese navy is only now moving toward construction of its very first carrier.

• In the unglamorous but crucial components of military effectiveness—logistics, training, readiness, evolving doctrine—the difference between Chinese and American standards is not a gap but a chasm. After a natural disaster anywhere in the world, the American military’s vast airlift and sealift capacity often brings rescue supplies. The Chinese military took days to reach survivors after the devastating Sichuan earthquake in May of 2008, because it has so few helicopters and emergency vehicles.

• For better and worse, in modern times, American forces are continually in combat somewhere in the world. This has its drawbacks, but it means that U.S. leaders, tactics, and doctrine are constantly refined by the realities of warfare. In contrast, vanishingly few members of the People’s Liberation Army have any combat experience whatsoever. The PLA’s last major engagement was during its border war with Vietnam in February and March of 1979, when somewhere between 7,000 of its soldiers (Chinese estimate) and 25,000 (foreign estimates) were killed within four weeks.

Beyond all this is a difference of military culture rarely included in American discussions of the Chinese threat—and surprising to those unfamiliar with the way China’s Communist government chose to fund its army. The post-Vietnam American military has been fanatically devoted to creating a “warrior” culture of military professionalism. The great struggle of the modern PLA has been containing the crony-capitalist culture that comes from its unashamed history of involvement in business. Especially under Deng Xiaoping, the Chinese military owned and operated factories, hotels and office buildings, shipping and trucking companies, and other businesses both legitimate and shady. In the late 1990s President Jiang Zemin led a major effort to peel the PLA’s military functions away from its business dealings, but by all accounts, corruption remains a major challenge in the Chinese military, rather than the episodic problem it is for most Western forces. One example: at a small airport in the center of the country, an airport manager told me about his regular schedule of hong bao deliveries—“red envelopes,” or discreet cash payoffs—to local air-force officers, to ensure airline passage through the sector of airspace they controlled. (Most U.S. airspace is controlled by the Federal Aviation Administration; nearly all of China’s, by the military.) A larger example is the widespread assumption that military officials control the vast Chinese traffic in pirated movie DVDs.

The Chinese military’s main and unconcealed ambition is to someday be strong enough to take Taiwan by force if it had to. But the details of the balance of power between mainland and Taiwanese forces, across the Straits of Taiwan, have been minutely scrutinized by all parties for decades, and shifts will not happen by surprise. The annual reports from the Pentagon and the Security Review Commission lay out other possible scenarios for conflict, but in my experience it is rare to hear U.S. military or diplomatic officials talk about war with China as a plausible threat. “My view is that the political leadership is principally focused on creating new jobs inside the country,” I was told by retired Admiral Mike McConnell, a former head of the National Security Agency and the director of national intelligence under George W. Bush. Another former U.S. official put it this way: “We tend to think of everything about China as being multiplied by 1.3 billion. The Chinese leadership has to think of everything as being divided by 1.3 billion”—jobs, houses, land. Russell Leigh Moses, who has lived in China for years and lectures at programs to train Chinese officials, notes that the Chinese military, like its counterparts everywhere, is “determined not to be neglected.” But “so many problems occupy the military itself—including learning how to play the political game—that there is no consensus to take on the U.S.”

Yes, circumstances could change, and someday there could be a consensus to “take on the U.S.” But the more you hear about the details, the harder it is to worry seriously about that now. So why should we worry? After conducting this round of interviews, I now lose sleep over something I’d generally ignored: the possibility of a “cyberwar” that could involve attacks from China—but, alarmingly, could also be launched by any number of other states and organizations.

The cyber threat is the idea that organizations or individuals may be spying on, tampering with, or preparing to inflict damage on America’s electronic networks. Google’s recent announcement of widespread spying “originating from China” brought attention to a problem many experts say is sure to grow. China has hundreds of millions of Internet users, mostly young. In any culture, this would mean a large hacker population; in China, where tight control and near chaos often coexist, it means an Internet with plenty of potential outlaws and with carefully directed government efforts, too. In a report for the U.S.-China Economic and Security Review Commission late last year, Northrop Grumman prepared a time line of electronic intrusions and disruptions coming from sites inside China since 1999. In most cases it was impossible to tell whether the activity was amateur or government-planned, the report said. But whatever their source, the disruptions were a problem. And in some instances, the “depth of resources” and the “extremely focused targeting of defense engineering data, US military operational information, and China-related policy information” suggested an effort that would be “difficult at best without some type of state-sponsorship.”

The authorities I spoke with pooh-poohed as urban myth the idea that an electronic assault was behind the power failures that rippled from the Midwest to the East Coast in August of 2003. By all accounts, this was a cascading series of mechanical and human errors. But after asking corporate and government officials what worried them, I learned several unsettling things I hadn’t known before.

First, nearly everyone in the business believes that we are living in, yes, a pre-9/11 era when it comes to the security and resilience of electronic information systems. Something very big—bigger than the Google-China case—is likely to go wrong, they said, and once it does, everyone will ask how we could have been so complacent for so long. Electronic-commerce systems are already in a constant war against online fraud. “The real skill to running a successful restaurant has relatively little to do with producing delicious food and a lot to do with cost and revenue management,” an official of an Internet commerce company told me, asking not to be named. “Similarly, the real business behind PayPal, Google Checkout, and other such Internet payment systems is fraud and risk management,” since the surge of attempted electronic theft is comparable to the surge of spam through e-mail networks.

At a dinner in Washington late last year, I listened to two dozen cyber-security experts compare tales of near-miss disasters. The consensus was that only a large-scale public breakdown would attract political attention to the problem, and that such a breakdown would occur. “Cyber crime is not conducted by some 15-year-old kids experimenting with viruses,” Eugene Spafford, a computer scientist at Purdue, who is one of the world’s leading cyber-security figures (and was at the dinner), told me later via e-mail.

It is well-funded and pursued by mature individuals and groups of professionals with deep financial and technical resources, often with local government (or other countries’) toleration if not support. It is already responsible for billions of dollars a year in losses, and it is growing and becoming more capable. We have largely ignored it, and building our military capabilities is not responding to that threat.

With financial, medical, legal, intellectual, logistic, and every other sort of information increasingly living in “the cloud,” the consequences of collapse or disruption are unpleasant to contemplate. A forthcoming novel, Directive 51, by John Barnes, does indeed contemplate them, much as in the 1950s Nevil Shute imagined the world after nuclear war in On the Beach. Barnes’s view of the collapse of financial life (after all, our “assets” consist mostly of notations in banks’ computer systems), the halt of most manufacturing systems, the evaporation of the technical knowledge that now exists mainly in the cloud, and other consequences is so alarming that the book could draw attention in a way no official report can.

Next, the authorities stressed that Chinese organizations and individuals were a serious source of electronic threats—but far from the only one, or perhaps even the main one. You could take this as good news about U.S.-China relations, but it was usually meant as bad news about the problem as a whole. “The Chinese would be in the top three, maybe the top two, leading problems in cyberspace,” James Lewis, a former diplomat who worked on security and intelligence issues and is now at the Center for Strategic and International Studies, in Washington, told me. “They’re not close to being the primary problem, and there is debate about whether they’re even number two.” Number one in his analysis is Russia, through a combination of state, organized-criminal, and unorganized-individual activity. Number two is Israel—and there are more on the list. “The French are notorious for looking for economic advantage through their intelligence system,” I was told by Ed Giorgio, who has served as the chief code maker and chief code breaker for the National Security Agency. “The Israelis are notorious for looking for political advantage. We have seen Brazil emerge as a source of financial crime, to join Russia, which is guilty of all of the above.” Interestingly, no one suggested that international terrorist groups—as opposed to governments, corporations, or “normal” criminals—are making significant use of electronic networks to inflict damage on Western targets, although some groups rely on the Internet for recruitment, organization, and propagandizing.

This led to another, more surprising theme: that the main damage done to date through cyberwar has involved not theft of military secrets nor acts of electronic sabotage but rather business-versus-business spying. Some military secrets have indeed leaked out, the most consequential probably being those that would help the Chinese navy develop a modern submarine fleet. And many people said that if the United States someday ended up at war against China—or Russia, or some other country—then each side would certainly use electronic tools to attack the other’s military and perhaps its civilian infrastructure. But short of outright war, the main losses have come through economic espionage. “You could think of it as taking a shortcut on the ‘D’ of R&D,” research and development, one former government official said. “When you create a new product, a competitor can cherry-pick the good parts and introduce a competitive product much more rapidly than he could otherwise.” Another technology expert, who serves on government advisory boards, told me, when referring to the steady loss of technological advantage, “We should not forget that it was China where ‘death by a thousand cuts’ originated.” I heard of instances of Western corporate officials who arrived for negotiations in China and realized too late that their briefing books and internal numbers were already known by the other side. (In the same vein: I asked security officials whether the laptops and BlackBerry I had used while living in China would have been bugged in some way while I was there. The answers were variations on “Of course,” with the “you idiot” left unsaid.)

The final theme was that even though these cyber concerns are not confined to China, the Chinese aspects do deserve consideration on their own, because China’s scale, speed of growth, and complex relationship with the United States make it a unique case. Hackers in Russia or Israel might be more skillful one by one, but with its huge population China simply has more of them. The French might be more aggressive in searching for corporate secrets, but their military need not simultaneously consider how to stop the Seventh Fleet. According to Mike McConnell, everything about China’s military planning changed after its leaders saw the results of U.S. precision weapons in the first Gulf War. “They were shocked,” he told me. “They had no idea warfare had progressed to that point, and they went on a crash course to take away our advantage.” This meant both building their own information systems—thus China’s aspiration to create a Beidou (the Chinese name for the Big Dipper) system of satellites comparable to America’s GPS—and being prepared in time of war to “attack what they see as our soft underbelly, our military’s dependence on networking,” as McConnell put it, noting the vast emerging PLA literature on defending and attacking data networks.

Ed Giorgio, formerly of the NSA, has prepared charts showing the points of “asymmetric advantage” China might have over the long run in such competition. Point nine on his 12-point chart: “They know us much better than we know them (virtually every one of their combatants reads English and virtually none of ours read Mandarin. This, in itself, will surely precipitate a massive intelligence failure).” But James Lewis, of CSIS, pointed out an “asymmetric handicap”: “For all the effort the Chinese put into cyber competition, external efforts”—against a potential foe like the United States—“are second priority. The primary priority is domestic control and regime survival. The external part is a side benefit.” For many other reasons, the China-cyber question will, like the China-finance and China-environment and China-human-rights questions, demand special attention and work.

The implications of electronic insecurity will be with us in the long run, among the other enduring headaches of the modern age. The “solution” to them is like the solution to coping with China’s rise: something that will unfold over the years and require constant attention, adjustments, and innovations. “Cyber security is a process, not a patch,” Eugene Spafford said. “We must continue to invest in it—and for the long term as well as the ‘quick fix,’ because otherwise we will always be applying fixes too late.”

No doubt because I’ve been so preoccupied for so long with the implications of China’s growth, I thought I heard a familiar note in the recommendations that many of the cyber-security experts offered. The similarity lies in their emphasis on openness, transparency, and international contact as the basis of a successful policy.

In overall U.S. dealings with China, it matters tremendously that so many Chinese organizations are led or influenced by people who have spent time in America or with Americans. Today’s financial, academic, and business elite in China is deeply familiar with the United States, many of its members having studied or worked here. They may disagree on points of policy—for instance, about trade legislation—but they operate within a similar set of concepts and facts. This is less true of China’s political leaders, and much less true of its military—with a consequently much greater risk of serious misunderstanding and error. The tensest moment in modern China’s security relationship with the outside world came in January of 2007, when its missile command shot one of its own weather satellites out of the sky, presumably to show the world that it had developed anti-satellite weaponry. The detonation filled satellite orbits with dangerous debris; worse, it seemed to signal an unprovoked new step in militarizing space. By all accounts, President Hu Jintao okayed this before it occurred; but no one in China’s foreign ministry appeared to have advance word, and for days diplomats sat silent in the face of worldwide protests. The PLA had not foreseen the international uproar it would provoke—or just didn’t care.

Precisely in hopes of building familiarity like that in the business world, the U.S. Navy has since the 1980s taken the lead in military-to-military exchanges with the PLA. “I think both sides are trying to figure out what kind of a military-to-military relationship is feasible and proper,” David Finkelstein, of the Center for Naval Analyses, in suburban Washington, D.C., told me. “We have two militaries that, in some circumstances, see each other as possible adversaries. At the same time, at the level of grand strategy, the two nations are trying to accommodate each other. There is a major chasm, but both sides are working hard to bridge it.” Such exposure obviously doesn’t eliminate the real differences of national interest between the two countries, but I believe it makes outright conflict less likely.

A similar high-road logic seems to lie behind recommendations for cyber security in general, and for dealing with the Chinese cyber threat in particular. The NSA, which McConnell directed and where Giorgio worked, is renowned for its secrecy. But both men, along with others, now argue that to defend information networks, the U.S. should talk openly about risks and insecurities—and engage the Chinese government and military in an effort to contain the problem.

As a matter of domestic U.S. politics, McConnell argues that we now suffer from a conspiracy of secrecy about the scale of cyber risks. No credit-card company wants to admit how often or how easily it is cheated. No bank or investment house wants to admit how close it has come to being electronically robbed. As a result, the changes in law, regulation, concept, or habit that could make online life safer don’t get discussed. Sooner or later, the cyber equivalent of 9/11 will occur—and, if the real 9/11 is a model, we will understandably, but destructively, overreact.

While trying to build bridges to the military, McConnell and others recommend that the U.S. work with China on international efforts to secure data networks, comparable to the Chinese role in dealing with the world financial crisis. “You could have the model of the International Civil Aviation Organization,” James Lewis said, “a body that can reduce risks for everyone by imposing common standards. It’s moving from the Wild West to the rule of law.” Why would the Chinese government want to join such an effort? McConnell’s answer was that an ever-richer China will soon have as clear a stake in secure data networks as it did in safe air travel.

We’re naturally skeptical of abstractions like “cooperation” or “greater openness” as the solutions to tough-guy, real-world problems. But in making the best of a world that will inevitably be changed by increasing Chinese power and increasing electronic threats from many directions, those principles may offer the right, realistic place to start.

The URL for this page is http://www.theatlantic.com/doc/201003/china-cyber-war

U.S. Cyberwar Strategy: The Pentagon Plans to Attack

gwalton — Wed, 03 Feb 2010 21:36:28 +0000

Pentagon officials acknowledge privately that such work is under way, though nearly all of it is classified. The recent creation of U.S. Cyber Command shows that the U.S. military is taking this mission seriously. “You have to be very careful about what you say in this area,” says a top cyberwarrior of the Pentagon. “But you can tell there’s something going on because the services are putting their money there and contractors are going after it in a big way.”

The Joint Chiefs of Staff want the ability to destroy an enemy’s computer network “so badly that it cannot perform any function,” according to the handbook on what the Pentagon calls “Information Operations.” The U.S. military wants to keep foes “from accessing and using critical information, systems and services” and to spoof adversaries “by manipulating their perception of reality.” Just how such wizardry is to be accomplished is contained in a classified supplement. But hints can be gleaned in a trickle of contracts and budget documents, larded with geek-speak, that have begun seeping onto the public record. (See pictures of technological advances in the military.)

The Air Force wants the ability to burrow into any computer system anywhere in the world “completely undetected.” It wants to slip computer code into a potential foe’s computer and let it sit there for years, “maintaining a ‘low and slow’ gathering paradigm” to thwart detection. Clandestinely exploring such networks, the Dominant Cyber Offensive Engagement program’s goal is to “stealthily exfiltrate information” in hopes it might “discover information with previously unknown existence.” The U.S. cyberwarriors’ goal: “complete functional capabilities” of an enemy’s computer network — from U.S. military keyboards. The Army is developing “techniques that capture and identify data traversing enemy networks for the purpose of Information Operations or otherwise countering adversary communications.” And the Navy is developing “a non-lethal, non-attributable system designed to offer non-kinetic offensive information operation solutions,” according to Pentagon budget documents. (See how cyberwar was envisioned in 1995.)

Yet concepts that have regulated war forever, such as deterrence and attribution, are slippery or missing in cyberspace. National boundaries don’t exist, making moot the question of sovereignty. Asymmetries abound: defenders must defend everything, all the time, while an attacker can prevail by exploiting a single vulnerability. Tracking down the source of cybersabotage, routed like a skipping stone through a series of innocent servers, can be all but impossible. Are the attackers curious teenagers, criminal gangs, a foreign power — or, more likely, a criminal gang sponsored by a foreign power? Deterrence becomes meaningless when the identity of an attacker is unknown. (See an invasion of Chinese cyberspies.)

“We’re in the stage before warfare,” cyberwarfare expert James Lewis told a Washington audience on Jan. 27. “We’re in the stages of people poking around.” Lewis, with the Center for Strategic and International Studies (CSIS), said cyberdefenses are inadequate. “Unless we find a way to use offensive capabilities as part of a deterrence or strategic defense,” he said, “we will be unable to defeat these opponents.” CSIS also released last week a survey of cybersecurity experts from around the world who “rank the U.S. as the country ‘of greatest concern’ in the context of foreign cyberattacks, just ahead of China.”

It’s the instantaneous nature of cyberattacks that has rendered defenses against them obsolete. Once an enemy finds a chink in U.S. cyberarmor and opts to exploit it, it will be too late for the U.S. to play defense (it takes 300 milliseconds for a keystroke to travel halfway around the world). Far better to be on the prowl for cybertrouble and — with a few keystrokes or by activating secret codes long ago secreted in a prospective foe’s computer system — thwart any attack. Cyberdefense “never works” by itself, says the senior Pentagon officer. “There has to be an element of offense to have a credible defense.”

Such cyberbattles are already happening in miniature. In Afghanistan and Iraq, U.S. cyberwarriors are hard at work denying enemy commanders the ability to direct their forces, the senior Pentagon officer says. “I shut it down, take away your electricity, take away the radio, infect your phone,” he explains. “Now you don’t know where I’m coming from, or if you do, you can’t tell the rest of your force what’s going on.” More insidiously, the U.S. can doctor the information the foe gets. “I can alter the messages coming across,” he says.

But there is mounting concern that U.S. offensive capability in cyberspace is growing too fast and too secretly. “I have no doubt we’re doing some very profoundly sophisticated things on the attack side,” says William Owens, a retired Navy admiral and cyberwar expert who led a federal study on U.S. offensive cyberwarfare last year. “But that is little realized by many people in Congress or the Administration.” That study, by the National Research Council, concluded that “the U.S. armed forces are actively preparing to engage in cyberattacks, and may have done so in the past.” But it added that a lack of public debate has led to “ill-formed, undeveloped and highly uncertain” policies regarding its use, which could lead the U.S. to stumble inadvertently into a cyberwar.

* Find this article at:
* http://www.time.com/time/nation/article/0,8599,1957679,00.html

In Digital Combat, U.S. Finds No Easy Deterrent

gwalton — Tue, 26 Jan 2010 14:41:39 +0000

What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.

After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued Monday, with Chinese assertions that critics were trying to “denigrate China” and that the United States was pursuing “hegemonic domination” in cyberspace.

These recent events demonstrate how quickly the nation’s escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the cold-war-era strategy of threatening nuclear retaliation.

So far, despite millions of dollars spent on studies, that quest has failed. Last week, Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.

“States, terrorists and those who would act as their proxies must know that the United States will protect our networks,” she declared in a speech on Thursday that drew an angry response from Beijing. “Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government and our civil society.”

But Mrs. Clinton did not say how the United States would respond, beyond suggesting that countries that knowingly permit cyberattacks to be launched from their territories would suffer damage to their reputations, and could be frozen out of the global economy.

There is, in fact, an intense debate inside and outside the government about what the United States can credibly threaten. One alternative could be a diplomatic démarche, or formal protest, like the one the State Department said was forthcoming, but was still not delivered, in the Google case. Economic retaliation and criminal prosecution are also possibilities.

Inside the National Security Agency, which secretly scours overseas computer networks, officials have debated whether evidence of an imminent cyberattack on the United States would justify a pre-emptive American cyberattack — something the president would have to authorize. In an extreme case, like evidence that an adversary was about to launch an attack intended to shut down power stations across America, some officials argue that the right response might be a military strike.

“We are now in the phase that we found ourselves in during the early 1950s, after the Soviets got the bomb,” said Joseph Nye, a professor at the Kennedy School at Harvard. “It won’t have the same shape as nuclear deterrence, but what you heard Secretary Clinton doing was beginning to explain that we can create some high costs for attackers.”

Fighting Shadows

When the Pentagon summoned its top regional commanders from around the globe for meetings and a dinner with President Obama on Jan. 11, the war game prepared for them had nothing to do with Afghanistan, Iraq or Yemen. Instead, it was the simulated cyberattack — a battle unlike any they had engaged in.

Participants in the war game emerged with a worrisome realization. Because the Internet has blurred the line between military and civilian targets, an adversary can cripple a country — say, freeze its credit markets — without ever taking aim at a government installation or a military network, meaning that the Defense Department’s advanced capabilities may not be brought to bear short of a presidential order.

“The fact of the matter,” said one senior intelligence official, “is that unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.”

William J. Lynn III, the deputy defense secretary, who oversaw the simulation, said in an interview after the exercise that America’s concepts for protecting computer networks reminded him of one of defensive warfare’s great failures, the Maginot Line of pre-World War II France.

Mr. Lynn, one of the Pentagon’s top strategists for computer network operations, argues that the billions spent on defensive shields surrounding America’s banks, businesses and military installations provide a similarly illusory sense of security.

“A fortress mentality will not work in cyber,” he said. “We cannot retreat behind a Maginot Line of firewalls. We must also keep maneuvering. If we stand still for a minute, our adversaries will overtake us.”

The Pentagon simulation and the nearly simultaneous real-world attacks on Google and more than 30 other companies show that those firewalls are falling fast. But if it is obvious that the government cannot afford to do nothing about such breaches, it is also clear that the old principles of retaliation — you bomb Los Angeles, we’ll destroy Moscow — just do not translate.

“We are looking beyond just the pure military might as the solution to every deterrence problem,” said Gen. Kevin P. Chilton, in charge of the military’s Strategic Command, which defends military computer networks. “There are other elements of national power that can be brought to bear. You could deter a country with some economic moves, for example.”

But first you would have to figure out who was behind the attack.

Even Google’s engineers could not track, with absolute certainty, the attackers who appeared to be trying to steal their source code and, perhaps, insert a “Trojan horse” — a backdoor entryway to attack — in Google’s search engines. Chinese officials have denied their government was involved, and said nothing about American demands that it investigate. China’s denials, American officials say, are one reason that President Obama has said nothing in public about the attacks — a notable silence, given that he has made cybersecurity a central part of national security strategy.

“You have to be quite careful about attributions and accusations,” said a senior administration official deeply involved in dealing with the Chinese incident with Google. The official was authorized by the Obama administration to talk about its strategy, with the condition that he would not be named.

“It’s the nature of these attacks that the forensics are difficult,” the official added. “The perpetrator can mask their involvement, or disguise it as another country’s.” Those are known as “false flag” attacks, and American officials worry about being fooled by a dissident group, or a criminal gang, into retaliating against the wrong country.

Nonetheless, the White House said in a statement that “deterrence has been a fundamental part of the administration’s cybersecurity efforts from the start,” citing work in the past year to protect networks and “international engagement to influence the behavior of potential adversaries.”

Left unsaid is whether the Obama administration has decided whether it would ever threaten retaliatory cyberattacks or military attacks after a major cyberattack on American targets. The senior administration official provided by the White House, asked about Mr. Obama’s thinking on the issue, said: “Like most operational things like this, the less said, the better.” But he added, “there are authorities to deal with these attacks residing in many places, and ultimately, of course, with the president.”

Others are less convinced. “The U.S. is widely recognized to have pre-eminent offensive cybercapabilities, but it obtains little or no deterrent effect from this,” said James A. Lewis, director of the Center for Strategic and International Studies program on technology and public policy.

In its final years, the Bush administration started a highly classified effort, led by Melissa Hathaway, to build the foundations of a national cyberdeterrence strategy. “We didn’t even come close,” she said in a recent interview. Her hope had been to recreate Project Solarium, which President Dwight D. Eisenhower began in the sunroom of the White House in 1953, to come up with new ways of thinking about the nuclear threats then facing the country. “There was a lot of good work done, but it lacked the rigor of the original Solarium Project. They didn’t produce what you need to do decision making.”

Ms. Hathaway was asked to stay on to run Mr. Obama’s early review. Yet when the unclassified version of its report was published in the spring, there was little mention of deterrence. She left the administration when she was not chosen as the White House cybersecurity coordinator. After a delay of seven months, that post is now filled: Howard A. Schmidt, a veteran computer specialist, reported for work last week, just as the government was sorting through the lessons of the Google attack and calculating its chances of halting a more serious one in the future.

Government-Corporate Divide

In nuclear deterrence, both the Americans and the Soviets knew it was all or nothing: the Cuban missile crisis was resolved out of fear of catastrophic escalation. But in cyberattacks, the damage can range from the minor to the catastrophic, from slowing computer searches to bringing down a country’s cellphone networks, neutralizing its spy satellites, or crashing its electrical grid or its air traffic control systems. It is difficult to know if small attacks could escalate into bigger ones.

So part of the problem is to calibrate a response to the severity of the attack.

The government has responded to the escalating cyberattacks by ordering up new strategies and a new United States Cyber Command. The office of Defense Secretary Robert M. Gates — whose unclassified e-mail system was hacked in 2007 — is developing a “framework document” that would describe the threat and potential responses, and perhaps the beginnings of a deterrence strategy to parallel the one used in the nuclear world.

The new Cyber Command, if approved by Congress, would be run by Lt. Gen. Keith B. Alexander, head of the National Security Agency. Since the agency spies on the computer systems of foreign governments and terrorist groups, General Alexander would, in effect, be in charge of both finding and, if so ordered, neutralizing cyberattacks in the making.

But many in the military, led by General Chilton of the Strategic Command and Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, have been urging the United States to think more broadly about ways to deter attacks by threatening a country’s economic well-being or its reputation.

Mrs. Clinton went down that road in her speech on Thursday, describing how a country that cracked down on Internet freedom or harbored groups that conduct cyberattacks could be ostracized. But though sanctions might work against a small country, few companies are likely to shun a market the size of China, or Russia, because they disapprove of how those governments control cyberspace or use cyberweapons.

That is what makes the Google-China standoff so fascinating. Google broke the silence that usually surrounds cyberattacks; most American banks or companies do not want to admit their computer systems were pierced. Google has said it will stop censoring searches conducted by Chinese, even if that means being thrown out of China. The threat alone is an attempt at deterrence: Google’s executives are essentially betting that Beijing will back down, lift censorship of searches and crack down on the torrent of cyberattacks that pour out of China every day. If not, millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government.

An Obama administration official who has been dealing with the Chinese mused recently, “You could argue that Google came up with a potential deterrent for the Chinese before we did.”

Cyber conflict still in infancy, states analysis

gwalton — Wed, 28 Oct 2009 11:56:37 +0000

“It was more like a noisy demonstration,” Lewis wrote. “The attackers used basic technologies and did no real damage. To date, we have not seen a serious cyber attack.”

In early July, widespread distributed denial-of-service attacks inundated U.S. government and South Korean Web sites. The targets of the attack, which lasted days, suggested a connection to the tensions surrounding the two countries and North Korea, but so far, no group has taken credit for the incident. The attack was not the first to seemingly involve the two countries: A year ago, South Korea claimed that North Korea attempted to infect some of its military systems with spyware.

While the United States is still trying to formulate doctrine for conflicts in the virtual world, the nation did establish a joint military command in June to conduct strategic operations in cyberspace.

CSIS’s Lewis downplayed the current risk of terrorists using cyber attacks to cripple the infrastructure, arguing that the six countries with the most advanced cyber capabilities — China, France, Israel, Russia, the United Kingdom and the United States — are unlikely to cooperate with would-be cyber jihadists.

Yet, the countries do not have long before the capabilities will be outside of their control, Lewis warned.

“We have, at best, a few years to get our defenses in order, to build robustness and resiliency into networks and critical infrastructure, and to modernize our laws to allow for adequate security,” he wrote. “Frankly, many colleagues do not believe we as a nation will be able to do this and only a successful major attack will spur the United States to make the needed changes.”

Report: Cyberterror Not a Credible Threat

gwalton — Wed, 28 Oct 2009 11:49:46 +0000

The report, written by James Lewis of the Center for Strategic and International Studies, looks at cyberwar through the prism of the Korean attacks, which many commentators have speculated originated in North Korea. However, there has been little in the way of proof offered for this assessment, and Lewis doesn’t go down that road. Instead, he focuses on whether the attacks constituted an act of war and whether they could have been the work of a terrorist group.

Read the rest of this post at the original site.