Cyber War: The Next Threat to National Security and What to Do About It
The attacking nation may be going after the Internet itself and the telephone infrastructure in the United States, which might make it harder for the U.S. to launch a cyber retaliation.
Thus, there could be a real case of first mover advantage, and that leads to crisis instability, a hair trigger, no time to think. Now, remember the earlier discussion about ambiguity of intent, what one side indicates by the types of targets it goes after in the preparation-of-the-battlefield period. If a nation believes that the other side has already laced its infrastructure (including cyber and electrical networks) with destructive software packages or logic bombs, that consideration, combined with the first mover advantage, could cause a decision maker in a time of rising tensions to have a very itchy keyboard finger.
10. DEFENSIVE ASYMMETRY
The team playing China won this exercise, forcing a withdrawal of U.S. forces and causing the United States to negotiate a face-saving way out. The chief reason they won was that they had been able to overcome U.S. defenses and to erect relatively effective defenses of their own. The U.S. was looking for an attack to originate overseas, and China used servers in the U.S., perhaps directed by Chinese “students” operating out of coffee shops. The U.S. was looking for the signatures of attacks that it already knew about and the Chinese used “zero day” exploits. Most important, the U.S. had no national defense mechanism for the civilian infrastructure, including the finance industry, the electric power grid, and rail systems.
China, on the other hand, not only had a national command system that could dictate to its infrastructure, they had a defensive plan. When it was clear that cyber war was under way, China’s electric and rail systems shifted to a non-networked control system. When the Chinese lost satellite communications, they had a backup radio network up in an hour. In short, China had not thrown out their old systems, and had a plan to use them.
The lessons learned in the “hot wash” of this exercise have helped to identify issues and choices, which will lead us toward a cyber war strategy. There is, however, one further missing ingredient. We have talked a little about the international laws of war and other conventions. What international laws cover cyber war, and what additional multilateral agreements would be in our interest, if any?
CHAPTER SEVEN
CYBER PEACE
The United States, almost single-handedly, is blocking arms control in cyberspace. Russia, somewhat ironically, is the leading advocate. Given the potential destabilizing nature and disadvantages of cyber war to the U.S., as discussed in the earlier chapters, one might think that by now the United States would have begun negotiating international arms control agreements that could limit the risks. In fact, since the Clinton Administration first rejected a Russian proposal, the U.S. has been a consistent opponent of cyber arms control.
Or, to be completely frank, perhaps I should admit that I rejected the Russian proposal. There were many who joined me; few U.S. government decisions are ever the responsibility of a single person. However, one of my jobs in the Clinton White House was to coordinate cyber security policy, including international agreements, across the government. Despite some interest in the State Department in pursuing cyber arms control, and although the U.S. had to stand almost alone in the U.N. in rejecting cyber talks, we said no. I viewed the Russian proposal as largely a propaganda tool, as so many of their multilateral arms control initiatives had been for decades. Verification of any cyber agreement seemed impossible. Moreover, the U.S. had not yet explored what it wanted to do in the area of cyber war. It was not obvious then whether or not cyber war added to or subtracted from U.S. national security. So we said no, and we have kept saying no for over a decade now.
Now that over twenty nations’ militaries and intelligence services have created offensive cyber war units and we have gained a better understanding of what cyber war could look like, it may be time for the United States to review its position on cyber arms control and ask whether there is anything beneficial that could be achieved through an international agreement.
A SHORT CRITIQUE OF ARMS CONTROL
Whether or not you think reviewing our position on cyber arms limitations is a good policy may well depend upon what you think about arms control more broadly. So let’s begin by recalling what arms control is (since it no longer dominates the news) and what it has done in other areas. Although there were international arms control agreements before the nuclear era, such as the Washington Treaty that limited the number of battleships navies could have before World War II, arms control as we now know it was shaped by the Cold War standoff between the U.S. and the U.S.S.R. Beginning in the early 1960s and continuing for almost thirty years, arms control became a major preoccupation of the two nuclear superpowers. What resulted were two classes of agreements: multilateral treaties, in which the two superpowers invited global participation, and bilateral agreements, in which they agreed to impose specific limitations on their own military capabilities.
I began working on arms control in Vienna in 1974 and, at the Pentagon and then the State Department, was involved for almost twenty years in agreements on strategic nuclear weapons, conventional forces in Europe, so-called theater nuclear weapons of shorter range, biological weapons, and chemical weapons. That experience shapes the way I think about cyber arms control. There are lessons the United States can learn from this history as we seek to limit warfare in cyberspace through a new round of treaties.
My colleague Charles Duelfer, who was one of the leaders of UN efforts to limit Iraqi weapons of mass destruction for over a decade, takes a cynical view of U.S.-Soviet arms control and of the phenomenon in general. “The U.S. and U.S.S.R. generally agreed to ban things they were not going to do anyway. On weapons they did want, they agreed to numeric ceilings that were so high that they got to do everything they wanted.” Many analysts, like Duelfer, have a negative critique of arms control in general. They note that the fifteen-year-long talks on forces in Central Europe finally produced an accord with high limits on military personnel only months before the Soviet Union’s military alliance crumbled anyway. The final treaty allowed the Soviet Union to keep hundreds of thousands of troops in Eastern Europe, but reality did not. What caused the thousands of Red Army tanks to clank back into Russia was not arms control.
The more well known series of negotiations of the SALT and START agreements on strategic nuclear forces lasted over twenty years and permitted both sides to maintain enormous numbers of nuclear weapons and to continue to replace them with more modern versions. As part of that process, in the ABM Treaty, the two nations banned antiballistic missile defenses, which at the time neither side thought would work anyway.
In the multilateral arena, the two superpowers agreed on a treaty to prohibit other nations from acquiring nuclear weapons in exchange for a vague promise that the nuclear powers would eventually eliminate their own. That treaty did not stop Israel, Pakistan, India, South Africa, or North Korea from developing nuclear weapons and is now doing little to stop Iran. The Soviet Union agreed to a multilateral ban on biological weapons, but then secretly went on to create a massive biological weapons arsenal that the United States did not detect for decades. The critics of arms control point to the Soviet violation of the Biological Weapons Treaty as an example of why arms control is often not in the U.S. interest. The U.S. is fairly scrupulous in its obedience of treaty limits to which it agrees. Many other nations are not. Verification measures may not detect violations, or permitted activities may allow nations to come right up to the point of a violation without being sanctioned (as Iran may be doing with its nuclear reprocessing program).
For all the problems with arms control, there is a compelling case that both the bilateral agreements between the U.S. and U.S.S.R. and the broader multilateral treaties made the world safer. Even putting aside the value of the numeric limits on weapons, the very existence of a forum where the American and Soviet diplomats and military leaders could talk to each other about nuclear war helped to create a consensus among the elites of both countries to take measures to prevent such a disaster. The introduction of communications channels and confidence-building measures, the increase in transparency of both sides’ armed forces reduced the possibility of miscalculation or accidental war.
As Assistant Secretary of State, it was my duty to supervise one of those so-called confidence-building measures, the U.S. Nuclear Risk Reduction Center. My counterpart was a Russian General in the Ministry of Defense. Our two teams worked on measures to reduce the likelihood of tensions escalating into nuclear alerts. Each team had a center, mine in the State Department and the general’s in the Ministry of Defense, just off Red Square in Moscow. Because the White House–Kremlin hotline was seldom employed by U.S. Presidents, we needed a way of communicating quickly at a lower level when there may have been a misunderstanding. So we connected the two centers by direct cable and satellite links, by Teletype for text, and by secure telephones. The secure telephone had to use an encryption code that we and the Soviets could share, which posed a problem for both countries. We both wanted to use encryption that would provide no clue about codes either side used elsewhere. Such was the fear of electronic espionage that some people thought that with such connectivity, I was just providing a way for the Soviets to listen in on U.S. communications. The entire U.S. Center, just off the State Department Operations area, had to be lined in copper and acoustic dampening materials.
The Nuclear Risk Reduction Centers were designed to prevent the kind of mistaken escalation that occurred in the early days of the Cold War. One day when a U.S. space launch from an aircraft platform aborted, we realized that on Russian radar the descending missile could look like a single depressed-trajectory surprise attack, possibly aimed at decapitating the leadership by hitting Moscow. I quickly called my counterpart in the Defense Ministry, on the secure line. Those lines were used repeatedly in instances like that, as well as to coordinate implementation of arms control agreements.
While it is true that SALT and START permitted large arsenals to continue for a long time, the treaties did ban destabilizing activities and programs that both sides might otherwise have felt the need to test or deploy. The numeric limits also provided a known quantity to the other side’s force, preventing an even greater upward arms spiral based on false assumptions about what the other was intending. Eventually, thanks to the persistence of National Security Advisor Brent Scowcroft, the two sides banned the highly destabilizing multiple-warhead land-based missiles. Now, the U.S. and Russia are making meaningful reductions in their strategic forces.
The Intermediate Nuclear Forces (INF) treaty, on which I worked for several years in the early 1980s, caused the United States to destroy its Pershing II mobile ballistic system and its ground-launched cruise missiles, or GLCMs (they were originally called land-launched cruise missiles, or LLCMs, until the way that acronym was pronounced—lickems—occasioned so many off-color jokes that the Pentagon changed it), in exchange for the destruction of hundreds of Soviet SS-4, SS-5, and SS-20 mobile nuclear missiles. That entire class of weapon, which could be used to circumvent limits on longer-range systems, was permanently banned and several thousand nuclear warheads in Europe were taken out of service.
The limits on nuclear weapons testing did begin with the modest prohibition of detonating weapons in the atmosphere, but over time evolved into a limit on the size of all nuclear tests and eventually to a ban on nuclear testing altogether. (The complete ban on testing has not yet been ratified by the U.S. Senate.) The ban on chemical weapons, which I worked on in the early 1990s, is causing nations to destroy their chemical weapons, prohibits making new ones, and has a very intrusive inspection regime for verification. (While we did not agree to “anytime, anywhere” inspection, few areas are exempt.)
Beyond the limits and bans on nuclear, chemical, and biological weapons, arms control includes limits on the conduct of war itself. A series of agreements on armed conflict bans attacks on military hospitals, prohibits attacks on civilian population centers, establishes standards for treating prisoners of war, bans torture, outlaws land mines, limits the use of child soldiers, and makes genocide an international crime. The United States has not ratified all of these agreements (such as the ban on land mines) and has recently violated others (such as the Convention Against Torture). World War II saw broad violations of the laws of armed conflict, but even then some nations upheld the standards for treatment of prisoners of war.
When arms control works well, it reduces uncertainty, creating a more predictable security environment. By establishing some practices as illegal and some armament acquisition as a violation, arms control agreements can clarify what another nation’s intentions might be. If a nation is willing to violate a clear agreement, there is less ambiguity about their policies. By prohibiting certain arms and practices, arms control can sometimes help nations to avoid expenditures that they might have been driven to only by fear that other nations were about to do the same. Agreed-upon international norms can be useful in gathering multilateral support against a nation that is an outlier.
When arms control is not valuable and can even be unhelpful is when it is largely hortatory, or when the negotiation is seen as an end in itself or a platform for propaganda, when its limitations are vague and also when violations are without cost to the violator. If a nation can quickly move from compliance to significant violation with little or no warning time, the attributes of stability and predictability are lost. Similarly, if nations can cheat on agreements with little or no risk of detection or fear of punishment when caught, the agreements tend to be one-sided and are discredited.
My overall view is that the arms control experience we had in the last thirty years of the Cold War was largely positive, but it was very far from a panacea and occasionally it was little more than a farce. A simple test of whether an area is ripe for arms control is to determine if all parties have a real interest in limiting their own investments in the area. If a party is proposing to stop something that they really want to keep around, then they are likely merely engaged in arms control for propaganda or as a deceptive means of constraining a potential opponent in an area where they think they may be outclassed.
LIMIT CYBER WAR?
All of which brings us back to cyber war. To determine our national policy toward concepts of arms control or limits on cyber war activities, we first need to ask whether this new form of combat gives the United States such an advantage over other nations that we would not wish to see international constraints. If we believe that we do enjoy such a unilateral advantage, and that it is likely to continue, then we should not ask the follow-on questions about what kinds of limits might be created, whether they could be verified, and so on.
I suggested earlier that at present the U.S. would be better off if cyber warfare never existed, given our asymmetrical vulnerabilities to such warfare. Before looking at cyber war control, let’s first consider four ways in which we are more vulnerable than those nations that might use cyber weapons against us. First, at the moment, the United States has a greater dependency upon cyber-controlled systems than potential adversary nations. Other nations such as South Korea or Estonia may have greater consumer access to broadband. Others such as the United Arab Emirates may have more Internet-capable mobile devices per capita. But few nations have used computer networks as extensively to control electric power, pipelines, airlines, railroads, distribution of consumer goods, banking, and contractor support of the military.
Second, few nations, and certainly none of our potential adversaries, have more of their essential national systems owned and operated by private enterprise companies. Third, in no other major industrialized and technologically developed nation are those private owners and operators of infrastructure so politically powerful that they can routinely prevent or dilute government regulation of their operations. The American political system of well-financed lobbying and largely unconstrained political campaign contributions has greatly empowered private industry groups, especially when it comes to avoiding meaningful federal regulation.
Fourth, the U.S. military is highly vulnerable to cyber attack. The U.S. military is “netcentric,” bringing access to databases and information further down into the operation of every imaginable type of military organization. Along with that access to information systems has come dependence upon them. One small sign of things to come was reported in late 2009. Insurgents in Iraq had used twenty-six-dollar software to monitor the video feeds of U.S. Predator drones through an unencrypted communications link. While not directly threatening to American troops, the discovery raises questions about the Pentagon’s beloved new weapon. What if the unencrypted signal could be jammed, thus causing the drone to return home? American forces would be denied one of their most valuable tools and an off-the-shelf program would defeat the product of millions of dollars of research and development. U.S. forces, in addition to being more wired, are also more dependent upon private-sector contractor support than any likely adversary. Even if the U.S. military’s own networks were secure and reliable, those of its contractors, who often rely upon the public Internet, may not be.
Those four asymmetries, taken together, tell us that if we and a potential adversary engaged in unlimited cyber warfare, they might do more damage to us than we could do to them. Having some effective limits on what nations actually do with their cyber war knowledge might, given our asymmetrical vulnerabilities, be in the U.S. national interest. Putting that broad theory into practice, however, would require some precise definitions of what kinds of activity might be permitted and what kinds prohibited.
Often arms control negotiations have found difficulty in achieving agreement on something as basic as a definition of what it is that they were seeking to limit. I sat around the table for months with Soviet counterparts trying to define something as simple as “military personnel.” For the purposes of discussion in this book, we won’t have that kind of delay. Let’s take the definition we used in chapter 1 and make it sound more like treaty language: