Cyber War: The Next Threat to National Security and What to Do About It
Page 20
The Control Team’s report on the effects of the second round of U.S. attacks is not good news. China had disconnected its networks from the global Internet, thus limiting the impact of the U.S. attack. Moreover, when the U.S. first attacked the power grid, Beijing had ordered all remaining sectors of the electric grid to go to a defensive posture that disconnected Internet links and broke up regional grids into “islands” to prevent cascading blackouts. Only a few of the generators targeted by the U.S. can be hit and their destruction will cause only isolated outages. At the same time that defenses were raised elsewhere, the rail system shifted to a manual, radio-based control system. Therefore the attempted second attack on the freight-rail system by the U.S. did not work.
The U.S. hacked the Chinese communications satellite, causing its station-keeping thrusters to fire until all fuel was spent and sending it in the direction of Jupiter. Within an hour, however, the Chinese navy has activated a backup, encrypted radio Teletype system. But the U.S. attack on the Chinese navy logistics computer network is successful and, together with the regional power blackout, has slowed the boarding of Chinese troops onto ships. The Control Team also reports that a Chinese submarine has surfaced between the two U.S. aircraft carriers. It had penetrated the defensive perimeter, similar to an incident that actually happened in 2009 when a Song-class submarine appeared next to the carrier USS Kitty Hawk. By surfacing, the sub has given away its location, but it has also sent a message to the U.S. that the location of the carriers is known with precision, making it possible for China to flood the area with air- and ground-launched cruise missiles if shooting starts.
At this point, the U.S. Cyber Command team is informed that the White House has ordered the two U.S. carrier battle groups to proceed toward Australia. The State Department will be sending a high-level team to Beijing to discuss its territorial claims. Cyber Command has been ordered to cease offensive action.
The game is over.
After every tabletop exercise in the government, there is a gathering of controllers and players called “the hot wash.” It is a time to write down lessons learned and to make note of areas for further study. So what did we learn from Exercise South China Sea? What issues did it highlight? Ten important cyber war issues emerged from the players’ conduct of the simulation: the use of deterrence; the concept of going first; the prewar preparation of the battlefield; the global spread of a regional conflict; collateral damage; escalatory control; accidental war; attribution; crisis instability; and defensive asymmetry. Let’s look at each in turn.
1. DETERRENCE
Obviously, in this case deterrence failed. In our hypothetical scenario, the Cyber Command team was not deterred by considerations of what China might do to the U.S. In the real world, the U.S. probably should be deterred from initiating large-scale cyber warfare for fear of the asymmetrical effects that retaliation could have on American networks. Yet, deterrence is an undeveloped theoretical space in cyber war today. Deterrence theory was the underpinning of U.S., Soviet, and NATO nuclear strategy during the Cold War. The horror that could be caused by nuclear weapons (and the fear that any use would lead to extensive use) deterred nuclear-weapons nations from using their ultimate weapons against each other. It also deterred nations, both nuclear-armed and not, from doing anything that might provoke a nuclear response. Strategists developed complex theories about nuclear deterrence. Herman Kahn developed a typology with three distinct classes of nuclear deterrence in his works in the 1960s. His theories and analyses were widely studied by civilian and military leaders in both the United States and the Soviet Union. His clear, matter-of-fact writing about the likely scope of destruction in books like On Thermonuclear War (1960) and Thinking About the Unthinkable (1962) undoubtedly helped to deter nuclear war.
Of all the nuclear-strategy concepts, however, deterrence theory is probably the least transferable to cyber war. Indeed, deterrence in cyberspace is likely to have a very different meaning than it did in the works of Kahn and the 1960s strategists. Nuclear deterrence was based on the credible effects created by nuclear weapons. The world had seen what two nuclear weapons had done to Hiroshima and Nagasaki in 1945. Much larger nuclear weapons had then been detonated aboveground by the United States and the Soviet Union in the 1940s and 1950s, followed by the United Kingdom in 1952, France in 1960, and China in 1968. All told, the initial five nuclear-weapons states detonated over 2,300 weapons above and below the surface.
No one knew exactly what would happen if either the United States or the Soviet Union tried to launch several hundred nuclear-armed ballistic missiles more or less simultaneously, but internally the American military thought that over 90 percent of its missiles would launch, make it to their targets, and detonate their weapons. They had similarly high expectations that they knew what the effects of their weapons would be on the targets. To insure a major attack would work, if attempted, the U.S. military planned on hitting important targets with nuclear warheads from three different delivery mechanisms (bombs from aircraft, warheads from ground-based missiles, and warheads from submarine-launched missiles). Both superpowers deployed their forces in such a way that they would have many surviving nuclear weapons even after suffering a large, surprise attack. Retaliation was assured. Thus, there was near certainty that by one side’s using nuclear weapons, it was inviting some degree of its own nuclear destruction. What would happen after a massive exchange of nuclear weapons was subject to debate, but few doubted that the two nuclear combatants would have inflicted on each other a level of damage unparalleled in human history. Many believed a large-scale exchange would trigger a “nuclear winter” that could cause the end of all human life. Almost all experts believed that a large-scale exchange by the two superpowers would cause what were termed “prompt deaths” in the scores of millions. (Kahn dryly noted, “No one wants to be the first to kill a hundred million people.”) Any use of nuclear weapons, it was feared, could escalate unpredictably into large-scale use. That fear has deterred the United States and the Soviet Union from using their nuclear weapons for over six decades to date.
The nuclear tests had created what was called a “demonstration effect.” Some theorists also suggested that in a major crisis, such as a conventional war in Europe, the United States might detonate a nuclear weapon at sea as another demonstration effect, thus signaling that unless the fighting stopped, the NATO Alliance was prepared to escalate to nuclear-weapons use. NATO planned that during a conventional war it could “signal NATO’s intent” by such a warning shot. Despite the instances of cyber war to date, the demonstration effect has not been compelling. As discussed earlier, most of the cyber incidents thus far have been either unsophisticated attacks such as a DDOS or covert penetrations of networks to steal information or implant trapdoors and logic bombs. The limited effects of the DDOS attacks were not widely noticed by those outside of the countries victimized. And in the case of most of the covert attacks, even the victims may not have noticed.
So what confidence do cyber warriors have that their weapons will work, and what expectation do they have about the effects that would be caused by the weapons? What they undoubtedly know is that they have already used many of their attack techniques to successfully penetrate other nations’ networks. They have probably done everything short of a few keystrokes of what they would do in real cyber war. On simulations of enemy networks, they have probably engaged in destructive operations. The Aurora test on the generator in Idaho was one such test. It left the experimenters confident that they could have caused the physical destruction of a large electric generator with a cyber weapon.
What cyber warriors cannot know, however, is whether the nation they are targeting will surprise them with a significantly improved array of defenses in a crisis. What would be the effect if China disconnected its networks from international cyberspace? Would the U.S. plans for dealing with that contingency work? Assuming Russia has placed trapdoors and logic bombs in U.S. networks, how do they know whether the Amer
icans have identified them and have planned their elimination in a period of heightened tension? When a cyber warrior goes to use the penetration technique he has planned on to get back into a target, that route of access may be blocked and an unexpected and effective intrusion-prevention system may suddenly have appeared. Unlike a national antimissile system, an intrusion-prevention for key networks could easily be kept secret until activated. If the cyber warrior’s job is to shut down an enemy’s air defense system slightly in advance of his nation’s air force doing a bombing mission, the bombers may be in for a rude awakening. The radar installations and missiles that were supposed to have been shut down may suddenly come alive and destroy the attacking aircraft.
With a nuclear detonation, one could be fairly certain about what would happen to the target. If the target was a military base, it would become unusable for years, if not forever. On my first day of graduate school at MIT in the 1970s, I was given a circular slide rule, which was a nuclear-effect calculator. Spin one circle and you picked the nuclear yield, say 200 kilotons. Spin another circle and you could choose an airburst or a groundburst. Throw in how far away from the target you might be in a worst case and your handy little spinning device told you how many pounds of explosive pressure per square inch would be created and how many would be needed to collapse a hardened underground missile silo in on itself, before becoming little radioactive pieces of dust thrown way up in the atmosphere. A cyber warrior may possibly have similar certainty that were he to hit some system with a sophisticated cyber weapon, that system, say a modern freight railroad, would likely stop cold. What he may not know is whether the railroad has a reliable resiliency plan, a backup command-and-control network that he does not know about because the enemy is keeping it secret and not using it until it’s needed. Just as a secret intrusion-prevention system might surprise us when it’s suddenly turned on in a crisis, a secret continuity-of-operations system that could quickly get the target back up and running is also a form of defense against cyber attack.
The potential surprise capability of an opponent’s defense makes deterrence in cyber war theory fundamentally different from deterrence theory in nuclear strategy. It was abundantly clear in nuclear strategy that there was an overwhelming case of what was called “offensive preference,” that is to say, any defense deployed or even devised could easily be overwhelmed by a well-timed surprise attack. It costs far less to modify one’s missile offense to deal with defensive measures than the huge costs necessary to achieve even minimally effective missile protection. Whatever the defense did, the offense won with little additional effort. In addition, no one thought for a moment that the Soviet Union or the United States could secretly develop and deploy an effective missile-defense system. Ronald Reagan hoped that by spending billions of dollars on research, the U.S. could change the equation and make strategic nuclear missile defense possible. Decades later it has not worked, and today the U.S. hopes, at best, to be able to stop a small missile attack launched by accident or a minor power’s attack with primitive missiles. Even that remains doubtful.
In strategic nuclear war theory, the destructive power of the offense was well known, no defense could do much to stop it, the offense was feared, and nations were thereby deterred from using their own nuclear weapons or taking other provocative steps that might trigger a nuclear response. Deterrence derived from sufficient certainty. In the case of cyber war, the power of the offense is largely secret; defenses of some efficacy could possibly be created and might even appear suddenly in a crisis, but it is unlikely any nation is effectively deterred today from using its own cyber weapons in a crisis; and the potential of retaliation with cyber weapons probably does not yet deter any nation from pursuing whatever policy it has in mind.
Assume for the sake of discussion that the United States (or some other nation) had such powerful offensive cyber weapons that it could overcome any defense and inflict significant disruption and damage on some nation’s military and economy. If the U.S. simply announced that it had that capability, but disclosed no details, many opponents would think that we were bluffing. Without details, without ever having seen U.S. cyber weapons in action, few would so fear what we could do as to be deterred from anything.
The U.S. could theoretically look for an opportunity to punish some bad actor nation with a cyber attack just to create a demonstration effect. (The U.S. used the F-117 Stealth fighter-bomber in the 1989 invasion of Panama not because it feared Panamanian air defenses, but because the Pentagon wanted to show off its new weapon to deter others. The invasion was code-named Operation Just Cause, and many in the Pentagon quipped that the F-117 was sent in “just cause we could.”) The problem with the idea of using cyber weapons in the next crisis that comes up is that many sophisticated cyber attack techniques may be similar to the cryptologist’s “onetime pad” in that they are designed for use only once. When the cyber attack weapons are used, potential opponents are likely to detect them and apply all of their research capability in coming up with a defense.
If the U.S. cannot deter others with its secret cyber weapons, is it possible that the U.S. itself may be deterred by the threat from other nations’ cyber warriors? In other words, are we today self-deterred from conventional military operations because of our cyber war vulnerabilities? If a crisis developed in the South China Sea, as in the exercise described above, I doubt that today anyone around the table in the Situation Room would say to the President, “You better not send those aircraft carriers to get China to back down in that oil dispute. If you do that, Mr. President, Beijing could launch a cyber attack to crash our stock market, ground our airlines, halt our trains, and plunge our cities into a sustained blackout. There is nothing we have today that could stop them, sir.”
Somebody should say that, because, of course, it’s true. But would they? Very unlikely. The most senior American military officer just learned less than two years ago that his operational network could probably be taken down by a cyber attack. The Obama White House did not get around for a year to appointing a “cyber czar.” America’s warriors think of technology as the ace up their sleeves, something that lets their aircraft and ships and tanks operate better than any in the world. It comes hard to most of the U.S. military to think of technology as something that another nation could use effectively against us, especially when that technology is some geek’s computer code and not a stealthy fighter-bomber.
So, we cannot deter other nations with our cyber weapons. In fact, other nations are so undeterred that they are regularly hacking into our networks. Nor are we likely to be deterred from doing things that might provoke others into making a major cyber attack. Deterrence is only a potential, something that we might create in the mind of possible cyber attackers if (and it is a huge if) we got serious about deploying effective defenses for some key networks. Since we have not even started to do that, deterrence theory, the sine qua non of strategic nuclear war prevention, plays no significant role in stopping cyber war today.
2. NO FIRST USE?
One of the first things you should have noticed about the scenario in our hypothetical exercise was the idea of going first. In the absence of any strategy to the contrary, the U.S. side in the hypothetical exercise took the first move in cyberspace by sending out an insulting e-mail on what China thought was its internal military e-mail system and then by initiating what the U.S. team hoped would be a limited power blackout. The strategic goal was to signal both the seriousness with which the U.S. viewed the crisis and the fact that the U.S. had some potent capabilities. Cyber Command’s immediate tactical objective was to slow down the loading of the Chinese amphibious assault force, to buy time for U.S. diplomats to talk China out of its planned operation.
In nuclear war strategy, the Soviet Union proposed that we and they agree that neither side would be the first to use nuclear weapons in a conflict. The U.S. government never agreed to the No First Use Declaration, preserving for itself the option to use nuclear weapons to offset
the superior conventional forces of the Soviet Union. (My onetime State Department colleague Jerry Kahan once asked a Soviet counterpart why they kept suggesting we ban orange juice. When the Russian denied making such a proposal, Jerry retorted, “But you’re always running around saying ‘no first juice.’”) Should we incorporate a No First Use approach in our cyber war strategy?
There is no conventional military force in the world superior to that of the U.S., assuming that the U.S. military is not blinded or disconnected by a cyber attack. Therefore, we do not need to hold open the prospect of going first in cyberspace to compensate for some other deficiency, as we did in nuclear strategy. Going first in cyber war also makes it more politically acceptable in the eyes of the world for the victim of the cyber attack to retaliate in kind, and then some. Given our greater vulnerability to cyber attack, the U.S. may not want to provoke a cyber phase to a war.
However, forswearing the use of cyber weapons until they have been used on us could mean that if a conventional war broke out, we would not defend our forces by such things as cyber attacks on our opponent’s antiaircraft missile systems. The initial use of cyber war in the South China Sea scenario was a psychological operation on China’s internal military network, sending a harassing e-mail with a picture of a sinking Chinese ship. Should that be considered a first use of cyber war?