
Cyber War: The Next Threat to National Security and What to Do About It

Page 22

by Richard A. Clarke


  There may be a parallel in cyber war. If a cyber attack eliminates a military command and control system, it could be difficult to prevent or terminate a kinetic war. In most militaries authority devolves to the local commander if he cannot get in touch with his superiors. Even if the command system is still operating, if the local commander believes that the system has been taken over by an opponent who is now issuing false instructions, command probably devolves to the local general until he can ascertain that he is in reliable communications with a valid superior. This is the situation so vividly portrayed in the movie Crimson Tide, where the U.S. nuclear submarine commander received and authenticated an order to launch nuclear missiles and then received an order to stop. Unable to authenticate the order to stop the attack, and fearing that it was a bogus order somehow sent by the Russians, the captain believes that procedures require him to launch.

  The conclusion that we came to repeatedly in the nuclear war games was that it was probably an error to engage in a “decapitating strike,” one that made it impossible for the leadership to communicate with us or with their own forces. In cyber war, it may be desirable to cut off certain units from higher command, or to deny an opposing force access to intelligence about what is going on. But in choosing what units to cut off, one needs to keep in mind that severing the command link to a unit runs the risk that it will launch an attack on its own. Thus, cyber attacks should probably be carefully constructed so that there is still a surviving communications channel for negotiations and a way in which the leadership can authoritatively order its forces to stop fighting.

  The exercise’s Control Team also denied Cyber Command the authority to strike at air defense networks. The rationale for that kind of withhold at that point in hostilities is “escalatory control.” In his 1965 masterpiece of military strategy, On Escalation, Kahn argued that if your goal is war termination short of the total destruction or forced surrender of the opponent, you can signal that by what you strike and what you withhold. You may want to signal that you have limited intentions so that the other side does not assume otherwise and proceed as if it has nothing to lose.

  There are cyber war corollaries to escalation control. A cyber attack on a nation’s air defense system would lead that country’s leadership to the logical conclusion that air attacks were about to happen. In Exercise South China Sea, there were U.S. aircraft carriers nearby. If the Chinese military thought that those carriers were getting ready for air strikes on China, they would be right to take preemptive steps to sink the carriers. So, a cyber attack on the air defense network could have caused the beginning of a kinetic war that we were seeking to avoid. Even an attempted penetration of that network to lay in trapdoors and logic bombs might have been detected and interpreted as a prelude to imminent bombing. So just getting into position to launch a cyber attack would have sent the wrong message in a crisis, unless those steps had been taken well in advance.

  Herman Kahn, Thomas Schelling, William Kaufmann, and the other “Wizards of Armageddon” spent a lot of time thinking about how to control nuclear escalation, from the tensions leading up to a crisis, to signaling, to initial use, to war termination. Initially the nuclear strategists saw war moving slowly up the escalatory ladder, with diplomatic attempts being made at every rung to stop the conflict right there. They also discussed what I referred to earlier, “escalation dominance.” In that strategy, one side says, basically, “We don’t want to play around with low-grade fighting that will gradually get bigger. If you want to fight me, it’s going to be a big, damaging fight.” It’s the warfare equivalent of going all-in on a hand in poker and hoping your opponent will give up rather than risk all of his chips. Except that there is one big difference: in escalation dominance you are actually jumping several rungs up the ladder and inflicting serious damage on the other side. You accompany that move with the threat that you can and will do more significant damage unless it all stops right here, right now.

  The fact that you have done that damage to them may cause the opponent to feel compelled to respond in kind. Or, if you have a highly rational actor on the other side, they’ll understand that the stakes are getting too high and they stand to suffer even more serious losses if things continue. In Exercise South China Sea, the PLA decided to engage in escalation dominance. In response to a cyber attack on the power grid in southeastern China, they not only hit the West Coast power grid, they disrupted the global Defense Department intranet, damaged the databases of U.S. financial clearinghouses, and sent additional kinetic warfare units into the crisis zone in the South China Sea.

  As the game continued, the U.S. leadership had to decide quickly whether it stood to lose more than China in the next round of cyber war escalation. America would have been at a disadvantage, because it stood to lose more in an ongoing, escalating cyber war. It therefore sought a quick diplomatic settlement. Escalation dominance was the right move for China in this game because that escalation showed that the U.S. was more susceptible to cyber attacks and that further escalation would only make matters worse for the U.S. team. The U.S. could have tried to block cyber traffic coming from China. But because the Chinese attacks were originating inside the U.S., and there was not yet a deep-packet inspection system on the Internet backbone, the next, larger, Chinese cyber attack would have been very difficult to stop.

  Put more simply, if you are going to throw cyber rocks, you had better be sure that the house you live in has less glass than the other guy’s, or that yours has bulletproof windows.

  7. POSITIVE CONTROL AND ACCIDENTAL WAR

  The issue we discussed above, of maintaining some means for the opponent to exercise command and control, raises a similar issue, namely: Who has the authority to penetrate networks and to use cyber weapons? Earlier in this chapter I suggested that it may require the approval of multiple Cabinet members to alter banking data, and yet we are not sure that the President knows that the U.S. may have placed logic bombs in various nations’ power grids. Those two facts suggest that there is too much ambiguity regarding who has what authority when it comes to cyber war, including preparation of the battlefield.

  In nuclear war strategy there were two central issues regarding who could do what, and they came under the general heading of “positive control.” The first was, simply: Could some U.S. military officer who had a nuclear weapon use that weapon even if he was not authorized to do so? To prevent that from happening, as well as to prevent someone from stealing and then setting off a bomb, elaborate electronics were embedded in the bomb’s design. The electronics physically blocked the bomb from detonating unless the lock had received an alphanumeric unlocking code. On many weapons, two officers had to each confirm the code and simultaneously turn physical keys to accomplish their part of the unlocking sequence. This was called the “two key” control. Part of that code was kept away from the weapon and would be sent down by higher authority to those who would unlock it. These “permissive action links,” or PALs, grew more sophisticated over the years. The U.S. shared parts of its PAL technology with some other nuclear-weapon states.

  The second issue regarding positive control was: Who should be the higher authority capable of sending down the unlocking codes for nuclear weapons? The theory was that under normal circumstances that authority would rest with the President. A military officer attached to the U.S. President carries at all times a locked case in which reside the “go codes” for various nuclear attack options. I learned during the attempted military coup in Moscow in 1990 that the Soviets had a similar system. President Gorbachev, who was taken hostage at one point in the crisis, had the nuclear “go codes” with him at his vacation villa. The Gorbachev incident highlights the need for having the decision-making authority devolve if the President is unable to act. The U.S. government refuses to acknowledge who below the President has the authority to unlock and use nuclear weapons and under what circumstances that power devolves. All personnel who have physical access to nuclear weapons must undergo special security review and testing as part of a personnel reliability system designed to weed out persons with psychological or emotional issues.

  Cyber weapons would have a far lesser impact than nuclear weapons, but their employment under certain circumstances could be highly damaging and could also trigger broader war. So, who gets to decide to use them, and how do we make sure they are not used without authorization? Who should decide what networks we should be penetrating as part of the preparation of the battlefield?

  Until we gain more experience with cyber weapons, I would argue that the President should at least annually approve broad guidelines about what kinds of networks in what countries we should be penetrating for both intelligence collection and for the embedding of logic bombs. Some will criticize that as overly restrictive, noting that we have been penetrating networks for intelligence collection for years without presidential review. That may be true, but in many cases there are only a few keystrokes’ difference between penetrating a network to collect intelligence and hacking your way in to cause destruction and disruption. Because there is the risk, however low, that logic bombs and other penetrations may be discovered and misunderstood as hostile intentions, the President should decide on how much risk he wants to take, and with whom.

  The decision to use a cyber weapon for disruptive or destructive purposes should also rest with the President, or, in rare cases where quick action is necessary, with the Secretary of Defense. There may be circumstances in which regional commanders should have some predelegated authority to respond defensively to an ongoing or imminent attack. However, Cyber Command and its subordinate units should employ some form of software control analogous to the two-key control on nuclear weapons to ensure that an overzealous or massively bored young lieutenant cannot initiate an attack.
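The permissive-action-link mechanism described above (a release code held back from the weapon, plus two officers turning their keys together) and the software analogue proposed here for Cyber Command can be modelled as a fail-closed authorization gate. The following Python is an added illustration, not code from the book or from any military system: the authority provisions a one-time release code and the gate stores only its digest, so the gate cannot unlock itself; a disruptive action is then released only if the correct code is presented before its expiry and two distinct, authenticated operators have confirmed the same action within a short window. Operator names, keys, action identifiers and the window length are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-operator keys (stand-ins for the two officers' physical keys).
# The gate holds verification keys; each officer's token holds the signing key.
OPERATOR_KEYS = {
    "officer_a": b"demo-key-officer-a",
    "officer_b": b"demo-key-officer-b",
}
CONFIRM_WINDOW_SECONDS = 30  # both "keys" must be turned within this window


def provision(action_id: str, expires_at: int):
    """Authority side: mint a one-time release code bound to one action.

    Returns (release_code, local_record). Only the record, which carries a
    digest of the code, is stored at the gate; the code itself stays with
    higher authority until release, mirroring the part of a PAL code that is
    kept away from the weapon.
    """
    release_code = secrets.token_hex(16)
    digest = hashlib.sha256(
        f"{action_id}|{expires_at}|{release_code}".encode()).hexdigest()
    record = {"action_id": action_id, "expires_at": expires_at,
              "code_digest": digest}
    return release_code, record


def operator_confirm(operator: str, action_id: str, ts: int) -> dict:
    """Operator side: sign (operator, action, time) with that operator's key."""
    msg = f"{operator}|{action_id}|{ts}".encode()
    tag = hmac.new(OPERATOR_KEYS[operator], msg, hashlib.sha256).hexdigest()
    return {"operator": operator, "action_id": action_id, "ts": ts, "tag": tag}


def authorize(record: dict, release_code: str, confirmations: list, now: int):
    """Gate side. Fails closed: returns (True, 'authorized') only if every
    check passes, otherwise (False, reason)."""
    action_id = record["action_id"]

    # 1. Release code from higher authority: unexpired and matching the digest.
    if now > record["expires_at"]:
        return False, "release code expired"
    digest = hashlib.sha256(
        f"{action_id}|{record['expires_at']}|{release_code}".encode()).hexdigest()
    if not hmac.compare_digest(digest, record["code_digest"]):
        return False, "release code invalid"

    # 2. Two-key rule: keep only confirmations that verify, name this action,
    #    and were made within the window ending now (no future timestamps).
    valid_operators = set()
    for c in confirmations:
        key = OPERATOR_KEYS.get(c.get("operator"))
        if key is None or c.get("action_id") != action_id:
            continue
        if not (0 <= now - c["ts"] <= CONFIRM_WINDOW_SECONDS):
            continue
        msg = f"{c['operator']}|{c['action_id']}|{c['ts']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, c["tag"]):
            valid_operators.add(c["operator"])

    if len(valid_operators) < 2:
        return False, "need two distinct authenticated operators within the window"
    return True, "authorized"


if __name__ == "__main__":
    # Constructed walk-through: provision, two officers confirm, gate decides.
    code, rec = provision("demo-action-1", expires_at=1000)
    confs = [operator_confirm("officer_a", "demo-action-1", 100),
             operator_confirm("officer_b", "demo-action-1", 110)]
    print(authorize(rec, code, confs, now=120))
    # The same officer twice does not satisfy the two-key rule.
    solo = [operator_confirm("officer_a", "demo-action-1", 100),
            operator_confirm("officer_a", "demo-action-1", 110)]
    print(authorize(rec, code, solo, now=120))
```

The design choice worth noting is that each failure mode the text worries about maps to a separate check: the release code guards against an action no authority approved, the two-distinct-operators rule against a single overzealous individual, and the time window against a confirmation collected long ago being reused. Because the gate stores a digest rather than the code, compromising the gate alone does not yield the code.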

  Even with proper command controls in effect, there is the potential for accidental war. In the Cold War, early radar systems could sometimes not distinguish between huge flocks of Canada geese and formations of Russian bombers. Thus, there were times when the U.S. launched the portion of its bombers that were kept on strip alert and sent them heading toward their destinations until air defense authorities could clarify the situation and determine for sure if we were under attack.

  In cyber war, it is possible to imagine accidental attacks developing if somehow the wrong application were used and instead of inserting code that copied data, we mistakenly used code that deleted data. Alternatively, you could imagine the possibility that a logic bomb might be accidentally triggered by the network operator or by some other hacker who found it. The chances of that happening are very low, but Cyber Command and others engaged in hacking into other nations’ networks must have strict procedures to ensure that no such mistake occurs. The greatest potential for accidental cyber war is likely to come in the form of retaliating against the wrong nation because we were misled as to who attacked us.

  8. ATTRIBUTION

  In Exercise South China Sea, neither side doubted the identity of who was attacking them. There was a political context, rising tensions over the offshore oil fields. But what if, instead of China having done the attack, it was Vietnam? In the exercise scenario, Vietnam and the U.S. are allied against China. So why would our ally attack us? Perhaps Vietnam wants to drag the U.S. deeper into the conflict, to get Washington to stand up against China. What better way than letting Washington think that China was engaged in cyber war against us? And when China denied that it was them, we would probably just write that off as Beijing engaging in plausible deniability. (If you want to contemplate a similar scenario, and if you will forgive a bit of shameless self-promotion, read my novel Breakpoint, which deals with cyber war attribution, among other things.)

  The cyber experts at Black Hat were asked at the 2009 meeting whether they thought the problem of attribution was as important as some suggest, that is, is it really that hard to figure out who is attacking you, and does knowing who attacked you really matter? To a person, they answered that attribution was not a major issue to them. It was not that they thought it was easy to identify the attacker; rather, they just did not care who it was. These were mainly corporate people whose networks had been attacked, and when that happened their chief concern was getting the system back to normal and preventing that kind of attack from happening again. Their experiences dealing with the FBI had convinced most of them that it was hardly worth it even to report to law enforcement when they had been attacked.

  For national security officials, however, knowing who attacked you is much more important. The President may ask. You may want to send the attacker a diplomatic note of protest, a demarche (what we called in the State Department a “démarche-mallow.”), as Secretary Clinton did after news of the attempted hacking on Google from Mainland China went public. You might even want to retaliate to get them to stop doing it. One way to find out who the attacker was is to use trace-back software, but eventually you will probably get to a server that does not cooperate. You could, at that point, file a diplomatic note requesting that the law enforcement authorities in the country get a warrant, go around to the server, and pull its records as part of international cooperation in investigating a crime. That could take days, and the records might be destroyed by then. Or the country in question may not want to help you. When trace-back stops working, you do have the option of “hack back,” breaking into the server and checking its records. Of course, that is illegal for U.S. citizens to do, unless they are U.S. intelligence officers.

  Hacking into a server to trace the origin of an attack may not work, either, if the attacker worked hard at covering up his origins. You may have to be online, watching live when the attack packets actually move through the servers. It is unlikely that you will find that, say, even after bouncing through a dozen servers in as many countries to cover their tracks, the attacking packets had originated in some place called the “Russian Offensive Cyber War Agency.” Just to be safe, if it were the Russian government, they probably would have directed the attack from a server in another country and, if it were an intelligence-collection operation, the data they copied would probably have been sent to a data-storage unit in a third country.

  So when it comes to figuring out who attacked you, unless you are sitting on the network the attacker uses and you see it coming (and sometimes not even then), you may not know right away. Computer forensics may be able to say that the original keyboard used in developing the attack code was designed for Arabic, or Cyrillic, or Korean, but that is hardly dispositive as to the identity of the hacker. And if you do find that the attack came from Russia, based on what happened to Estonia and Georgia, the authorities there will likely blame citizen hacktivists and do nothing to them.

  This attribution difficulty could mean that nations trying to identify their attackers may need to rely upon more traditional intelligence techniques, such as spies penetrating the other side’s organization, or police methods. Human intelligence, unlike cyber, does not move at velocities approaching the speed of light. Quick responses may not be available. In nuclear war strategy, attribution was not generally thought to be a major problem because we could tell where a missile or bomber had been launched. Cyber attack may be similar to a suitcase bomb going off in an American city. If we see the attack being launched because we are watching the cyber equivalent of their missile silos and bomber bases, we might be able to assign attack attribution with a high degree of certainty. But if the attack starts on servers in the U.S., it may take a while to tell the President that we really know who attacked us. How sure do you need to be before you respond? The answer will likely depend upon the real-world circumstances at the time.

  9. CRISIS INSTABILITY

  The late Bill Kaufmann once asked me to write a paper on something called “launch on warning.” The Strategic Air Command had the idea that as soon as we saw a Soviet nuclear attack coming we should launch as many bombers as we could and fire our land-based missiles. As the Soviets had improved the accuracy of their missiles, it had become possible for them to destroy our missiles even though we kept them in hardened, underground silos. As with everything in strategic nuclear doctrine, even this idea of “fire when you see them coming” got complicated. What if you were wrong, if your sensors made a mistake? Perhaps they were attacking, but with a small force aimed at only a few things, should you still throw the kitchen sink at them? Therefore the Air Force had evolved a strategy called “launch under attack,” which essentially meant that you waited until you had a better picture, until some of their missiles’ warheads were already going off in your countryside.

  The launch on warning strategy was generally thought to be risky because it added to crisis instability, the hair-trigger phenomenon in a period of rising tensions. If you don’t make the right decision quickly, you lose, but if you have to make the decision quickly, you may make a losing decision. What I was able to conclude for Kaufmann was that we had enough missiles at sea, and those missiles had grown sufficiently accurate, that we could ride out an attack and then make a rational decision about what had just happened before we sized our response.

  There is a similar issue with cyber war. The U.S. expects to see an attack coming and move quickly to blunt the cyber assault and destroy the attacker’s ability to try it again. The assumption about being able to see an attack coming may be invalid. Nonetheless, we will assume that the U.S. strategy is to see the attack coming and act. To act, you have to go quickly and without a lot of assessment of who the enemy was or what they were going to strike. If you do not go quickly, however, you suffer two possible disadvantages:

  The attacking nation will probably pull up the drawbridge over the moat after its attackers charge out of the castle, by which we mean that as soon as they launch a big attack, a nation like China may disconnect from the rest of the Internet and “island” subnets;

 
