In the next war, will the front line be “on line?” This question was the subject of a recent broadcast by “60 Minutes,” the premier news program on U.S. television, which asked: “Will the next war begin not with a bang, but with a blackout?”
The answer to both questions is definitely “yes,” according to an unnerving book “Cyber War” by Richard Clarke, the antiterrorism czar of the H.W. Bush, Clinton and George Bush administrations. Clarke is part of a small but growing chorus of experts (mainly Americans, most prominently Mike McConnell, former director of National Intelligence) bent on raising consciousness in the Western world about the reality of the cyber threat.
There are people out there – there is always somebody, as Jack Kennedy said – who dismiss Clarke and McConnell as modern-day Cassandras, wailing about potential threats that may never happen and that, in any event, are way overblown. (Clarke reminds his readers that while it is true that no one believed Cassandra, she did in fact speak the truth – most famously about the threat represented by the big wooden horse filled with Greek warriors that was pulled into the walled city by unsuspecting Trojans who did not recognize a lethal threat of a totally new kind.) It is worth remembering that Clarke raised alarms, before 9/11, about Osama Bin Laden and Al Qaeda.
The tenets of the raging policy quarrel about the “reality” of cyber war were on display in a commercially-staged debate at Washington’s Newseum with the provocative proposition: “The Threat of Cyber War has been Grossly Exaggerated.” Prior to the debate, which included cyber-war hawk McConnell and privacy guru Marc Rotenberg, a quarter of the audience pronounced themselves in favor of the proposition, i.e. that the cyber threat was grossly exaggerated. Another quarter said that they were undecided about the question. After the debate, nearly one-third of the audience remained skeptical or undecided about the seriousness of the cyber threat – and by extension the need for political mobilization and security spending to defend against it.
As one skeptic said derisively, cyber war is “kinda like the army marches into your country and then gets in line at the motor vehicle bureau so you can’t get your driver’s license renewed.” That may have sounded good in the debate, but try telling this to the Brazilians who have suffered two major blackouts caused by cyber attacks on their electrical grid, or to the world’s banks, which have, according to the FBI, lost over $100 million in cyber theft, or to the Estonians who were victims of a sustained cyber attack by the Russians in 2007 known as “Cyber War I” (see “European Affairs” article on this subject). The Pentagon was penetrated in 2007 and again in 2009, and lost terabytes of data to an unknown but highly sophisticated hacking attack from a foreign country. Or try this dismissive attitude on any of the more than 20 nations whose militaries and intelligence services have created offensive cyber-war units. This new “cyber arms race” includes the U.S., which recently announced a $7 billion program to address cyber threats and has set up a new Cyber Command, headed by General Keith Alexander, Director of the NSA, whose precise mission is shrouded in secrecy.
Those are some headlines, and anyone who wants to know more can find it in Clarke’s book, which makes the detailed case that cyber attacks – and counter attacks – are likely to be at the core of coming conflicts, including major wars.
The U.S. has already “prepared the battlefield,” according to Clarke, who reports that the U.S. has already carried out hacker operations to penetrate potential foes’ cyber apparatus by depositing “logic bombs” capable of shutting down grids or erasing data on military systems. An early test of the U.S. capabilities in cyber war occurred in 1982, at a tense peak in the cold war, when the largest recorded explosion in modern history occurred in a Soviet gas pipeline in Siberia – the result of a computer malfunction that U.S. agents had programmed into some technology the Soviets purchased from Canada.
NATO, too, takes cyber war seriously, at least as seriously as this aging alliance organization can. In 2008, it established a “center of excellence” (which can mean anything from lame research to major operations) on Cyber Defense in Tallinn, Estonia, to develop both offensive and defensive tactics in the event of a cyber conflict. In the recent Group of Experts report on the future of NATO, Chair Madeleine Albright, the former U.S. Secretary of State, raised cyber war as one of three major challenges facing the alliance. The problems are not just technical, they are also theoretical – even theological on the battlefield of international laws on warfare. For example, what happens when a NATO member is subject to a cyber attack and invokes Article 5 of the NATO treaty and requests a retaliatory attack by NATO allies?
* * *
A new estimate of growing EU vulnerability against a concentrated cyber war attack has come from a U.S. security expert, who says that Europe could be brought to its knees -- its electronic functioning paralyzed and its citizens’ personal data compromised -- by a single, well-orchestrated cyber attack. Such an attack would take two years to prepare and cost the assailant 86 million euros -- 83 million of which would go to pay for an assault force of 750 hackers. “The EU 27 countries would wake up to find electricity power stations shut down; communication by phone and Internet disabled; air, rail and road transport impossible; stock exchanges and day-to-day bank transactions frozen; crucial data in government and financial institutions scrambled and military units at home and abroad cut off from central command or sent fake orders.” What seems new in this theoretical risk scenario is the notion that European countries are becoming more vulnerable collectively as they advance along the path of integrating their computer-based infrastructures. For example, Eurocontrol, the Brussels-based air-traffic control center that handles a growing share of inter-European flights, could be a potential target in any such all-out assault.
* * *
The problem for the West, of course, and particularly the U.S., is that most of the potential adversaries will be able to fight a cyber war asymmetrically. “Net/net”, says Clarke, “cyber war puts America at a disadvantage right now. Whatever we can do to ‘them,’ chances are they can do more to us.” This vulnerability stems from the fact that the U.S. and western Europe have put so much more of their essential infrastructure under cyber management, making it all the more vulnerable to attack. The asymmetry is compounded by the fact that power grids, banks, and transportation systems in the U.S. are almost completely owned and controlled by private entities which are responsible for funding the cyber security of their establishments. According to Clarke, many of these companies have left the services they provide almost naked in the face of a sophisticated attack. Moreover, the private sector has been instrumental in the so-far-successful push to prevent the U.S. Congress or any other government entity from legislating cyber security standards or requirements.
Initial steps may be underway to address the vulnerability of the electrical grid with the launch of an expansive program called “Perfect Citizen.” According to a recent Wall Street Journal report, this program, under the auspices of the National Security Agency (the U.S. electronic listening agency), will rely on a set of sensors deployed in the computer networks of private power companies to detect unusual activity that could suggest a cyber attack. Raytheon Corp., it was reported, has won a $100 million contract to implement the project. The report has elicited a storm of protests from privacy advocates who object to NSA involvement with computer networks in the private sector.
Clarke compiles an index of “Overall Cyber War Strength” which has the U.S. in sixth place behind North Korea, Iran, China, and Russia based on three criteria. While the U.S. is superior in cyber offensive capability, it ranks last in terms of cyber defense and also on “cyber dependence”, meaning how dependent a country is on cyber systems.
What is to be done? Clarke lays out a detailed plan for an enhanced “defensive strategy” for the U.S. which includes: First, protection of the cyber backbone – i.e. the lines provided by AT&T, Verizon, Level 3, Qwest and Sprint. This would mean “deep-packet” inspection of traffic on the backbone at “line rate” (a speed that will not slow down the traffic), a safeguard that would cost billions but that Clarke says is imperatively needed. Second, Clarke says, the power grid must be made secure by disconnecting it from the internet. Third, the U.S. must completely disconnect the Department of Defense from any “outside” links, i.e. from any connection to non-military computer links that do not have special protection.
Each of these steps is expensive and controversial. Privacy advocates throw up their hands at the thought of “deep packet” inspection since that would potentially allow the government access to private emails of U.S. citizens. Clarke acknowledges the problem but says there are technical ways to protect privacy and still monitor for malware and cyber probes.
The idea of breaking up the internet into separate and more defensible networks also has strong opponents. They say – rightly – that this would amount to the partial destruction of the open and unified internet that has created so many positive benefits. True, says Clarke, adding that we have to pull up some drawbridges to protect the citadel. In effect, he argues, this change and curtailment in self-defense has to happen; so suck it up.
In sum, Clarke’s book is chilling – not only because of his authoritative enumeration of the very real threats that are out there, but also because his remedies will bring fundamental changes to the internet as we know it.
William Marmon is Managing Editor of European Affairs and a former telecom company executive.