This was a new kind of war and here is a story about one of the recent battles, barely reported in the press. The only giveaway the United States was being attacked at all was a subtle, unexplained flicker on a computer screen in August 2007. The person sitting at the terminal that day was John Bumgarner, a retired U.S. Army special operations veteran and professional hacker who’d come to an office of one of the service branches — he’s not at liberty to divulge which one — to give a how-to presentation on attacking enemy computer networks. Something subtle about the behavior of the computer he’d borrowed to make printouts tripped a mental alarm.
“I saw the screen flicker and thought, ‘Hmm, that looks strange,’” said Bumgarner, a researcher at the U.S. Cyber Consequences Unit, a Washington-based think tank. His job is to study the shape of future conflicts in which computers will be weapons, and the vast web of interlaced networks that connects them, a realm called “cyberspace”, will be the battlefield.
Using software tools, Bumgarner isolated the offender, a deviously simple computer worm able to rifle through hard drives and forward documents to servers overseas. How it got there was a mystery, but users from a number of agencies became unwitting carriers when they connected USB flash drives to the network to upload or download the material.
“The people who used it all had security clearances,” he said. “They were infecting computers their agencies gave them, and then would have gone back and infected their agency’s networks.”
After notifying the proper authorities about the worm, Bumgarner saved a copy to test commercial antivirus software. He has yet to find one able to neutralize it.
While the episode might look to an outsider like little more than a case of computer help desk work on steroids, to the Defense Department, it represents one aspect of a new class of warfare.
Analysts say cyber conflicts of the future could vary in intensity from quiet campaigns of network intrusion to steal technology all the way up to what Pentagon leaders call a “cyber 9/11,” with terrorists carrying out deadly attacks on utilities, industrial facilities or air traffic control systems.
Deputy Secretary of Defense William Lynn previewed the upcoming cyber strategy in a February speech at a computer security conference. Besides elevating the status of cyberspace, the strategy calls for:
-- “Active defense” systems for military networks. The systems use “sensors, software and signatures derived from intelligence to stop malicious code before it succeeds.”
-- Planning and coordination with the Department of Homeland Security. This will ensure that critical civilian infrastructure on which the military also relies is safe from cyber attacks.
-- Commitment from the Pentagon to work with allies to build international network defenses.
-- A public-private partnership to secure networks.
While experts say the strategy will leave key points undecided (which responses are merited for specific types of attack, or how much the Pentagon will participate in defending non-military networks), one thing is clear: Information technology and the Internet are entwined in nearly every facet of military operations, from departmental email to battlefield operations. As a result, every function of the U.S. military is vulnerable to some degree to cyberattack.
Cyber incursions like the worm Bumgarner found cause slow information leaks, but keeping cyber-attackers out of the Pentagon’s networks is becoming a matter of life and death. The modern weapons systems are all networked. They have their own IP addresses. There are over 15,000 networks in over 100 countries.
Cyber experts say threats are coming from every direction: lone hackers, foreign intelligence services and organized groups of digital infiltrators. The threat to our computer networks is substantial. They are scanned millions of times a day, they are probed thousands of times a day, and we have not always been successful in stopping intrusions.
In one high-profile 2008 incident, a computer worm able to steal documents was uploaded to a military laptop in the Middle East. The worm proliferated on classified and unclassified networks before its discovery, which prompted creation in 2009 of Cyber Command.
While the Pentagon’s cyber defenses are far from perfect, many experts say the Defense Department is the leading government agency at network security and its efforts far outstrip private industry’s response to the threat.
“The D(efense) Department is leading the charge, far ahead of the rest of the government,” said Joel Brenner, national counterintelligence executive for the Director of National Intelligence from 2006 to 2009, in an email interview.
But currently, the Pentagon is only authorized to defend military networks. It lacks legal authority to extend its defenses elsewhere, in part because of concerns of civil libertarians and private industry about government domination of the Internet.
Testifying in March before the House Armed Services Committee, Alexander was asked what Cyber Command could do if the U.S. electric grid were targeted.
“We do not have the authority to stop that attack,” he admitted.
In the case of a cyber 9/11, however, the military would likely have to take the lead with presidential authorization, said retired Rear Adm. Edward Masso, a cybersecurity researcher at the Potomac Institute for Policy Studies. “Who is the country going to turn to in a cyberattack against the [Federal Aviation Administration] radar system?” he said. “It’s going to fall to the military because they’re the most capable and that’s what the public will demand.”
Although the larger jurisdiction question remains, recent collaboration between the Pentagon and DHS has targeted certain aspects of the cyber threat. The departments are working in pilot programs with private defense contractors as well as with major Internet providers to make the nation’s networks more secure.
Establishing culpability for attacks is one of the most daunting technical tasks in the cyber domain. Missiles come with a return address. Cyberattacks, for the most part, do not.
The 2010 Stuxnet computer worm, the most sophisticated yet, infiltrated an Iranian network thought to be secure and destroyed equipment crucial to the country’s nuclear program. Though no perpetrator has been established, some theories point to Israel or the United States.
But if an attacker is discovered, what options exist? The question is not addressed by the Pentagon’s upcoming cyberstrategy, but could be key if a truly damaging cyberattack occurs. There is no international legal framework for making such decisions.
“All of the guidelines for waging war were designed when war was about land, sea and air,” he said. “If a nation penetrates your land borders or airspace, it’s clear how you can respond.”
Cyberspace knows no geography. When Russian hackers shut down Estonian websites, some of their attacks came from servers within the United States. Under NATO rules, does that make the United States responsible for attacking its own ally?
NATO Article 5, which says an attack on one is an attack on all, is going to have to be reworked to acknowledge what war is going to look like in cyberspace.
As cyberwarfare matures, technical and policy issues will arise that planners haven’t yet thought of, Masso said.
But like all warfare, the enduring challenge will be one of imagination, of outthinking the enemy. Failure to do so could result in a digital equivalent of the Maginot
Admiral Chester Nimitz once said the Naval War College fully prepared him for war, except for one thing — the kamikaze. That was a major development in the history of asymmetric war, and cyberwar is another step.
So the key thing now is to be asking, ‘What is the next kamikaze?’
Live Long and Prosper....