Read Cybersecurity and Cyberwar Online

Authors: Peter W. Singer, Allan Friedman

Cybersecurity and Cyberwar (22 page)

The severity of the attack is not the only thing to keep in mind. There are all sorts of actions that could ultimately spark a chain of events that cause the same death and destruction as real war. A young boy drops a banana, upon which a diplomat slips. The diplomat goes to the hospital instead of peace talks. The peace talks consequently fail and war breaks out. We can conceptualize how the boy's action helped lead to war, but was his dropping the banana an act of war? Of course not; the invasion was the action that mattered when looking to judge how the war actually started. Cause is not the same as effect.

This points to the second key determinant of when a cyberattack becomes an act of war: directness and measurability. There must be some fairly direct and intended link between cause and effect. This factor is often applied to distinguish acts of espionage from acts of war. The theft of government secrets could certainly lead to soldiers losing their lives one day by revealing to the enemy, for instance, how a plane operates or the location of a secret base. But it is only if and when the war starts that this theft could ever have that impact. This indirectness is why nations have traditionally not gone to war over acts of espionage, be they physical or increasingly now virtual. No one likes to be the victim of espionage, to be sure. But spying is cast more as part of the rough game of statecraft that nations play rather than the all-out breaking of international rules that starts real wars.

An important part of these discussions, however, is often forgotten. While we'd like to think that law is the guide to our behavior, clearly delineating when a cyberattack escalates into war is not just an issue of law or just for the lawyers to decide. As the great philosopher of war Carl von Clausewitz wrote, “War is not an independent phenomenon, but the continuation of politics by different means.” War is political. And by being political, it is also always interactive. That is, there are sides to the war, each with their own goals, actions, and responses, each trying to bend the other to its will.

This fundamentally political nature of war means that all of these questions on when a cyberattack reaches the realm of war will come down to making tough political decisions, in what Clausewitz would see as a digital version of his famous “fog of war,” the messy, fast-moving, unclear circumstances that always accompany war. Ultimately, cyberwar is what we in the real world believe it to be. “At the end of the day, it's the President who gets to decide if this is war or something else,” explains Jim Lewis, a senior fellow at the Center for Strategic and International Studies. “The standard is ambiguous. Deciding when something is an act of war is not automatic. It's always a judgment.”

What Might a “Cyberwar” Actually Look Like? Computer Network Operations

Like so many stories in the world of cybersecurity, Operation Orchard began with simple human carelessness. In 2006, a senior official in the Syrian government left his laptop computer in his hotel room while visiting London. When he went out, agents from Mossad, the Israeli intelligence agency, snuck into his room and installed a Trojan horse onto the laptop to allow them to monitor his communications. That was bad enough for the Syrians.

But one man's poor computer security turned out to have more significant consequences when the Israelis began to examine the files that the official had stored on the laptop's hard drive, including pictures. One photo in particular caught the Israelis' attention. It showed an Asian man in a blue tracksuit standing next to an Arab man in the middle of the Syrian desert. It could have been innocuous, but then Mossad identified the two men as Chon Chibu, a leader of the North Korean nuclear program, and Ibrahim Othman, director of the Syrian Atomic Energy Commission. Combined with other documents lifted from the hard drive, such as construction plans and photos of a type of pipe used for work on fissile material, the Israelis realized the laptop was an atomic alarm bell. The Syrians were secretly constructing a facility at al Kibar to process plutonium, a key step in the assembly of a nuclear bomb, with aid from North Korea (an International Atomic Energy Agency investigation would later confirm the Israeli suspicions).

This news led to Operation Orchard, the next key part of the cyber story. Just after midnight on September 6, 2007, seven Israeli F-15I fighter jets crossed into Syrian airspace. They flew deep into the Syrian interior and dropped several bombs, leveling the Kibar complex depicted in the photos. The whole time the planes were in Syrian airspace, the air defense network never fired a shot.

Reportedly, the Syrian defense didn't even detect the jets, meaning they didn't even know they were under attack until the bombs started to go off. Yet Syrian radar officers hadn't all turned traitor that night. Rather, their technology had. If initially planting the Trojan horse into the Syrian official's laptop had been about finding secret information via cyber means, this was its cousin, a cyber operation with a military outcome. The Israelis had successfully penetrated the Syrian military's computer networks, allowing them to see what the Syrians were doing as well as direct their own data streams into the air defense network. This caused the Syrian radar operators to see a false image of what was really happening as the Israeli jets flew across the border. By effectively turning off the Syrian air defenses for the night, the Israelis not only got to their target without any losses, but they also did so with a much smaller force.

Orchard is a great illustration of the concepts behind “computer network operations,” as such military cyberattack operations are dubbed. While much is shrouded in secrecy about the rise of such operations, one of the first known US military exercises in this space was “Eligible Receiver,” a test of computer network operations in 1997. In many ways it was akin to the Fleet Problems of the 1920s, when the US Navy first experimented with aircraft carriers, or the Louisiana Maneuvers of 1940, when the US Army evaluated mechanized tank forces. After a small “red team” of computer experts gained access to the computers at the US Pacific Command's headquarters as well as the 911 emergency phone systems in nine US cities, the Pentagon decided that, just as with the airplane or the tank, the time had arrived for computers to play a part in military operations. Indeed, the naysayers were hushed the very next year when hackers compromised over five hundred Pentagon computers in an incident that became known as “Solar Sunrise.”

Today, the vast majority of the world's militaries have some sort of planning or organization in place for cyber warfare. These plans can be thought of as the “Five D's plus One.” The US Air Force describes cyberwar as the ability “to destroy, deny, degrade, disrupt, [and] deceive,” while at the same time “defending” against the enemy's use of cyberspace for the very same purpose.

Such military programs range from focused infiltrations and raids like Israel's Operation Orchard to broader efforts like the US military's “Plan X,” a $110 million program designed to “help war-planners assemble and launch online strikes in a hurry and make cyber attacks a more routine part of U.S. military operations.” But across the world, what the New York Times called “a new type of warfare” actually has much in common with war as it has always been conducted. The computer used as a military weapon is just a tool. Just as with the spear, the airplane, or the tank, it simply aids in achieving the goals that are part of any military operation.

Before battle begins, a smart commander engages in what is known as “intelligence preparation of the battlefield.” Much as Allied efforts to crack Axis radio codes proved crucial to victory in World War II, intercepted digital communications can be just as critical today. As the Israelis did in Orchard, this part of cyber warfare is about deploying one's digital weapons even before the battle has begun, infiltrating networks, gathering information, and potentially even laying the groundwork for more aggressive action. For example, some of the information inside US military computers suspected to have been targeted by Chinese military hackers includes unit deployment schedules, resupply rates, materiel movement schedules, readiness assessments, maritime prepositioning plans, air tasking for aerial refueling, and “the logistics status of American bases in Western Pacific theater.” This kind of data might prove useful if war ever broke out. And, as the 2013 Snowden leaks showed, US cyber warriors are gathering the same information about their potential adversaries in China and elsewhere.

But the difference between current cyber efforts and past intelligence collection programs is how computer network operations also allow aggressive actions inside the enemy's communications once the shooting has begun. It's the difference between reading the enemy's radio signals and being able to seize control of the radio itself.

The modern military is what some folks call “network-centric,” utilizing computers bound together in a “system of systems” to coordinate across great distances with digital speed. But these advantages can create vulnerabilities. If you can compromise an enemy's networked communications, you move from knowing what they're doing, which is advantage enough, to potentially changing what they're doing.

Inside a foe's communications networks, one can disrupt or even disable command and control, keeping commanders from sending out orders, units from talking to each other, or even individual weapons systems from sharing needed information. In one example, over one hundred American defense systems, from aircraft carriers to individual missiles, rely on the Global Positioning System (GPS) to locate themselves during operations. In 2010, an accidental software glitch knocked 10,000 of the military's GPS receivers offline for over two weeks, including the US Navy's X-47 prototype robotic fighter jet. Cyber warfare would, in effect, make such software glitches deliberate.

Alternatively, the attack might not try to disable or jam these communications but instead attack the information within them, feeding the enemy false reports via its own devices. “Information warfare” is how the military has traditionally described operations that try to get inside the enemy's mind and influence decision-making. Now the idea is to use modern information technologies to the same ends. The objectives might range from the highly strategic, such as false commands from top leaders, to more tactical insertions along the lines of what the Israelis did in Orchard, compromising individual weapons systems and their sensors.

One of the more interesting potential effects of such attacks is how success might be multiplied by the impact on the minds of the users of the networks under attack. Only a relatively small percentage of attacks would have to be successful in order to plant seeds of doubt in any information coming from a computer. Users' doubt would lead them to question and double-check everything from their orders to directions. This illustrates again the notion of trust, which was so important in Part I. The impact could even go beyond the initial disruption. It could erode the trust in the very networks needed by modern military units to work together effectively; it could even lead some militaries to abandon networked computers for anything important and set their capacity back decades.

Such technological abstinence sounds extreme, especially when computers have proven so useful in modern war. But imagine if you had a memo that you needed to get to your boss with absolutely no mistakes, at the risk of losing your job. Would you e-mail it if there were a 50 percent risk of it somehow being lost or changed en route? Or would you just hand-deliver it? What about if the risk were 10 percent? How about just 1 percent, but still at the risk of losing your job? Then apply the same risk tolerances when it's your life in battle rather than your job. How do your risk numbers change?

Computer network operations, though, won't just be limited to targeting command and control with indirect effects. As more and more unmanned systems are introduced into warfare (the US military has over 8,000 “drones” like the famous Predator and Reaper, while over eighty countries now have military robotics programs), targeting command-and-control networks opens up even more direct avenues of attack. These robotic weapons systems all link into computer networks, providing everything from GPS location to remotely controlled operations. Here again, the very same networking that allows drones to strike targets with precision thousands of miles away also opens up new possibilities of disruption and even co-option. What we enter is an era of “battles of persuasion.”

One could never co-opt the flight of a bullet, steering it away from where the gunner shot it. Nor has anyone proven able to brainwash a bomber pilot in midair and shift his allegiance. But if the computers on robotic weapons systems are compromised, they could be “persuaded” to do the opposite of what their owners intended. This creates a whole new type of combat, where the goal may not be merely to destroy the enemy's tanks but to hack into his computer networks and make his tanks drive around in circles or even attack each other.

And, of course, cyberwar might see computers used in the same way that other weapons have been used to cause destruction and loss of life among enemy forces. As opposed to traditional kinetic attacks (a blade, a bullet, an explosion), these would involve more destruction through indirect means. Many military systems like ship engines operate under SCADA programs, meaning that they can be targeted in much the same way that the Stuxnet virus caused Iranian centrifuges to spin out of control. In 2009, for instance, an employee at the Shushenskaya dam in Siberia accidentally turned on an unused turbine with a few mistaken keystrokes, leading to the release of a massive “water hammer” that destroyed the plant and killed seventy-five people. This is the computer software version of how allied planes in World War II and Korea dropped bombs on dams, using the ensuing wave to destroy enemy targets in the flood's path.
