Cyber War: The Next Threat to National Security and What to Do About It
Page 2
The IAEA announced, again to little attention, that the soil samples had contained unusual, “man-made,” radioactive materials. For those few who had been following the mystery of Syria’s Euphrates enigma, that was the end of the story, vindicating Israel’s highly regarded intelligence service. Despite how unlikely it seemed, Syria in fact had been secretly fooling around with nuclear weapons, and the bizarre regime in North Korea had been helping. It was time to reassess the intentions of both Damascus and Pyongyang.
Behind all of this mystery, however, was another intrigue. Syria had spent billions of dollars on air defense systems. That September night, Syrian military personnel were closely watching their radars. Unexpectedly, Israel had put its troops on the Golan Heights on full alert earlier in the day. From their emplacements on the occupied Syrian territory, Israel’s Golani Brigade could literally look into downtown Damascus through their long-range lenses. Syrian forces were expecting trouble. Yet nothing unusual appeared on their screens. The skies over Syria seemed safe and largely empty as midnight rolled around. In fact, however, formations of Eagles and Falcons had penetrated Syrian airspace from Turkey. Those aircraft, designed and first built in the 1970s, were far from stealthy. Their steel and titanium airframes, their sharp edges and corners, the bombs and missiles hanging on their wings, should have lit up the Syrian radars like the Christmas tree illuminating New York’s Rockefeller Plaza in December. But they didn’t.
What the Syrians slowly, reluctantly, and painfully concluded the next morning was that Israel had “owned” Damascus’s pricey air defense network the night before. What appeared on the radar screens was what the Israeli Air Force had put there, an image of nothing. The view seen by the Syrians bore no relation to the reality that their eastern skies had become an Israeli Air Force bombing range. Syrian air defense missiles could not have been fired because there had been no targets in the system for them to seek out. Syrian air defense fighters could not have scrambled, had they been fool enough to do so again against the Israelis, because their Russian-built systems required them to be vectored toward the target aircraft by ground-based controllers. The Syrian ground-based controllers had seen no targets.
By that afternoon, the phones were ringing in the Russian Defense Ministry off Red Square. How could the Russian air defense system have been blinded? Syria wanted to know. Moscow promised to send experts and technicians right away. Maybe there had been an implementation problem, maybe a user error, but it would be fixed immediately. The Russian military-industrial complex did not need that kind of bad publicity about its products. After all, Iran was about to buy a modern air defense radar and missile system from Moscow. In both Tehran and Damascus, air defense commanders were in shock.
Cyber warriors around the world, however, were not surprised. This was how war would be fought in the information age, this was Cyber War. When the term “cyber war” is used in this book, it refers to actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption. When the Israelis attacked Syria, they used light and electric pulses, not to cut like a laser or stun like a taser, but to transmit 1’s and 0’s to control what the Syrian air defense radars saw. Instead of blowing up air defense radars and giving up the element of surprise before hitting the main targets, in the age of cyber war, the Israelis ensured that the enemy could not even raise its defenses.
The Israelis had planned and executed their cyber assault flawlessly. Just how they did it is a matter of some conjecture.
There are at least three possibilities for how they “owned” the Syrians. First, there is the possibility suggested by some media reports that the Israeli attack was preceded by a stealthy unmanned aerial vehicle (UAV) that intentionally flew into a Syrian air defense radar’s beam. Radar still works essentially the same way it began seventy years ago in the Battle of Britain. A radar system sends out a directional radio beam. If the beam hits anything, it bounces back to a receiver. The processor then computes where the object was that the radio beam hit, at what altitude it was flying, at what speed it was moving, and maybe even how big an object was up there. The key fact here is that the radar is allowing an electronic beam to come from the air, back into the ground-based computer system.
Radar is inherently an open computer door, open so that it can receive back the electronic searchers it has sent out to look for things in the sky. A stealthy Israeli UAV might not have been seen by the Syrian air defense because the drone would have been coated with material that absorbs or deflects a radar beam. The UAV might, however, have been able to detect the radar beam coming up from the ground toward it and used that very same radio frequency to transmit computer packets back down into the radar’s computer and from there into the Syrian air defense network. Those packets made the system malfunction, but they also told it not to act there was anything wrong with it. They may have just replayed a do-loop of the sky as it was before the attack. Thus, while the radar beam might later have bounced off the attacking Eagles and Falcons, the return signal did not register on the Syrian air defense computers. The sky would look just like it had when it was empty, even though it was, in actuality, filled with Israeli fighters. U.S. media reports indicate that the United States has a similar cyber attack system, code-named Senior Suter.
Second, there is the possibility that the Russian computer code controlling the Syrian air defense network had been compromised by Israeli agents. At some point, perhaps in the Russian computer lab or in a Syrian military facility, someone working for Israel or one of its allies may have slipped a “trapdoor” into the millions of lines of computer code that run the air defense program. A “trapdoor” (or “Trojan Horse”) is simply a handful of lines of computer code that look just like all the other gibberish that comprise the instructions for an operating system or application. (Tests run by the National Security Agency determined that even the best-trained experts could not, by visually looking through the millions of lines of symbols, find the “errors” that had been introduced into a piece of software.)
The “trapdoor” could be instructions on how to respond to certain circumstances. For example, if the radar processor discovers a particular electronic signal, it would respond by showing no targets in the sky for a designated period of time, say, the next three hours. All the Israeli UAV would have to do is send down that small electronic signal. The “trapdoor” might be a secret electronic access point that would allow someone tapping into the air defense network to get past the intrusion-detection system and firewall, through the encryption, and take control of the network with full administrator’s rights and privileges.
The third possibility is that an Israeli agent would find any fiber-optic cable of the air defense network somewhere in Syria and splice into the line (harder than it sounds, but doable). Once on line, the Israeli agent would type in a command that would cause the “trapdoor” to open for him. While it is risky for an Israeli agent to be wandering around Syria cutting into fiber-optic cables, it is far from impossible. Reports have suggested for decades that Israel places its spies behind Syrian borders. The fiber-optic cables for the Syrian national air defense network run all over the country, not just inside military installations. The advantage of an agent in place hacking into the network is that it does not cause the operation to rely upon the success of a “takeover packet” entering the network from a UAV flying overhead. Indeed, an agent in place could theoretically set up a link from his location back to Israel’s Air Force command post. Using low-probability-of-intercept (LPI) communications methods, an Israeli agent may be able to establish “cove comms” (covert communications), even in downtown Damascus, beaming up to a satellite with little risk of anyone in Syria noticing.
Whatever method the Israelis used to trick the Syrian air defense network, it was probably taken from a playbook they borrowed from the U.S. Our Israeli friends have learned a thing or two from the programs we have been working on for more than two decades. In 1
990, as the United States was preparing to go to war with Iraq for the first time, early U.S. cyber warriors got together with Special Operations commandos to figure out how they could take out the extensive Iraqi air defense radar and missile network just before the initial waves of U.S. and allied aircraft came screeching in toward Baghdad. As the hero of Desert Storm, four-star General Norm Schwarzkopf, explained to me at the time, “these snake-eaters had some crazy idea” to sneak into Iraq before the first shots were fired and seize control of a radar base in the south of the country. They planned to bring with them some hackers, probably from the U.S. Air Force, who would hook up to the Iraqi network from inside the base and then send out a program that would have caused all the computers on the network all over the country to crash and be unable to reboot.
Schwarzkopf thought the plan risky and unreliable. He had a low opinion of U.S. Special Operations Command and feared that the commandos would become the first Americans held as prisoners of war, even before the war started. Even worse, he feared that the Iraqis would be able to turn their computers back on and would start shooting down some of the two thousand sorties of attacks he planned for the first day of the air war. “If you want to make sure their air defense radars and missiles don’t work, blow them up first. That way they stay dead. Then go in and bomb your targets.” Thus, most of the initial U.S. and allied air sorties were not bombing raids on Baghdad headquarters or Iraqi Army divisions, they were on the air defense radar and missile sites. Some U.S. aircraft were destroyed in those attempts, some pilots were killed, and some were taken prisoner.
When, thirteen years later, the U.S. went to war with Iraq a second time, well before the initial waves of American fighter-bombers swept in, the Iraqi military knew that their “closed-loop” private, secure military network had already been compromised. The Americans told them.
Thousands of Iraqi military officers received e-mails on the Iraqi Defense Ministry e-mail system just before the war started. Although the exact text has never been made public, several reliable sources revealed enough of the gist to reconstruct what you might have read had you been, say, an Iraqi Army brigadier general in charge of an armored unit outside of Basra. It would have read something like this:
This is a message from United States Central Command. As you know, we may be instructed to invade Iraq in the near future. If we do so, we will overwhelm forces that oppose us, as we did several years ago. We do not want to harm you or your troops. Our goal would be to displace Saddam and his two sons. If you wish to remain unharmed, place your tanks and other armored vehicles in formation and abandon them. Walk away. You and your troops should go home. You and other Iraqi forces will be reconstituted after the regime is changed in Baghdad.
Not surprisingly, many Iraqi officers obeyed the instructions CENTCOM had e-mailed them, on the secret Iraqi network. U.S. troops found many units had neatly parked their tanks in rows outside their bases, thus allowing U.S. aircraft to neatly blow them up. Some Iraqi army commanders sent their troops on leave in the hours before the war. Troops put on civilian clothes and went home, or at least tried to.
Although willing to hack into Iraq’s network to engage in a psychological campaign prior to the onset of the conventional attack, the Bush Administration was apparently unwilling to destroy Saddam Hussein’s financial assets by cracking into the networks of banks in Iraq and other countries. The capability to do so existed, but government lawyers feared that raiding bank accounts would be seen by other nations as a violation of international law, and viewed as a precedent. The counsels also feared unintended consequences if the U.S. cyber bank robberies hit the wrong accounts or took out entire financial institutions.
The second U.S.-Iraq war, and the more recent Israeli attack on Syria, had demonstrated two uses of cyber war. One use of cyber war is to make a conventional (the U.S. military prefers the term “kinetic”) attack easier by disabling the enemy’s defenses. Another use of cyber war is to send propaganda out to demoralize the enemy, distributing e-mails and other Internet media in place of the former practice of dropping pamphlets. (Recall the thousands of pieces of paper with instructions in Arabic and stick-figure drawings dropped on Iraqi forces in 1991, telling them how to surrender to U.S. forces. Thousands of Iraqis brought the pamphlets with them when they did surrender.)
The raid on the Syrian nuclear facility and the U.S. cyber activity that preceded the invasion of Iraq are examples of the military using hacking as a tool to assist in a more familiar kind of war. The use of cyberspace by nation-states for political, diplomatic, and military goals does not, however, have to be accompanied by bombing raids or tank battles. A small taste of what a stand-alone cyber war could look like came, somewhat surprisingly, in a little Hanseatic League city of 400,000 people on the shores of the Baltic. The city of Tallinn had become, once again, the capital of an independent Estonia in 1989 when the Soviet Union disintegrated and many of its component republics disassociated themselves from Moscow and the U.S.S.R. Estonia had been forced to become part of the Soviet Union when the Red Army “liberated” the Baltic republic from the Nazis during what the Russians call “the Great Patriotic War.”
The Red Army, or at least the Communist Party of the Soviet Union, didn’t want Estonians, or any other East Europeans, to forget the sacrifices that were made “liberating” them. Thus, in Tallinn, as in most East European capitals, they erected one of those giant, heroic statues of a Red Army soldier that the Soviet leaders had such a fondness for. Often these bronzes stood atop the graves of Red Army soldiers. I first stumbled upon such a statue, almost literally, in Vienna in 1974. When I asked the police protecting it why neutral Austria had a giant Communist soldier in its downtown, they told me that the Soviet Union had put it up right after the war and had required the Austrians to promise never to take it down. Indeed, the statue is specifically protected in the treaty the U.S. and Austria signed, along with the Soviets, when American and Soviet troops left Austria in 1950. Back in the 1970s, the Viennese almost uniformly described the enormous bronze as “the only Russian soldier in Vienna who did not rape our women.” It seems these statues mean a great deal to the Russians, just as the overseas graves of American World War II dead are sacred ground to many American veterans, their families, and their descendants. The giant bronze statues also had significant meaning to those who were “liberated,” but that meaning was something entirely different. The statues and the dead bodies of Red Army soldiers under them were, symbolically, lightning rods. In Tallinn, the statue also attracted cyber lightning.
Tensions between ethnic Russians living in Estonia and the native Estonians themselves had been building ever since the little nation had declared its independence again at the end of the Cold War. The majority of Estonians sought to remove any sign of the five oppressive decades during which they had been forced to be part of the Soviet Union. In February 2007, the legislature passed a Forbidden Structures Law that would have caused anything denoting the occupation to be taken down, including the giant bronze soldier. Estonians still resented the desecration of their own veterans’ graves that had followed the appearance of the Red Army.
Moscow complained that moving the bronze soldier would defame the heroic Soviet dead, including those buried around the giant bronze. Seeking to avoid an incident, the Estonian President vetoed the law. But public pressure to remove the statue grew, just as a Russian ethnic group dedicated to protecting the monument and an Estonian nationalist group threatening to destroy it became increasingly militant. As the Baltic winter warmed into spring, the politics moved to the street. On April 27, 2007, now known as Bronze Night, a riot broke out between radicals from both ethnic factions, with the police and the statue caught in the middle. Authorities quickly intervened and moved the statue to a new, protected location in the military cemetery. Far from quelling the dispute, the move ignited indignant nationalist responses in the Moscow media and in Russia’s legislature, the Duma.
This is when the conflict mo
ved into cyberspace. Estonia, oddly, is one of the most wired nations in the world, ranking, along with South Korea, well ahead of the United States in the extent of its broadband penetration and its utilization of Internet applications in everyday life. Those advances made it a perfect target for cyber attack. After Bronze Night, suddenly the servers supporting the most often utilized webpages in Estonia were flooded with cyber access requests, so flooded that some of the servers collapsed under the load and shut down. Other servers were so jammed with incoming pings that they were essentially inaccessible. Estonians could not use their online banking, their newspapers’ websites, or their government’s electronic services.
What had hit Estonia was a DDOS, a distributed denial of service attack. Normally a DDOS is considered a minor nuisance, not a major weapon in the cyber arsenal. Basically it is a preprogrammed flood of Internet traffic designed to crash or jam networks. It is “distributed” in the sense that thousands, even hundreds of thousands, of computers are engaged in sending the electronic pings to a handful of targeted locations on the Internet. The attacking computers are called a “botnet,” a robotic network, of “zombies,” computers that are under remote control. The attacking zombies were following instructions that had been loaded onto them without their owners’ knowledge. Indeed, the owners usually cannot even tell when their computers have become zombies or are engaged in a DDOS. A user may notice that the laptop is running a little slowly or that accessing webpages is taking a little longer than normal, but that is the only indicator. The malicious activity is all taking place in the background, not appearing on the user’s screen. Your computer, right now, might be part of a botnet.