Cyber War: The Next Threat to National Security and What to Do About It

Page 24

by Richard A. Clarke


  Cyber warfare is the unauthorized penetration by, on behalf of, or in support of, a government into another nation’s computer or network, or any other activity affecting a computer system, in which the purpose is to add, alter, or falsify data, or cause the disruption of or damage to a computer, or network device, or the objects a computer system controls.

  With that definition and the U.S. asymmetrical vulnerabilities in mind, are there successes in other forms of arms control that could be ported into cyberspace, or new ideas unique to the characteristics of cyber war that could form the basis of beneficial arms control? What are the pitfalls of bad arms control to which we should give special attention and caution when thinking about limits on cyber war? How could an international agreement limiting some aspects of cyber war be beneficial to the United States, as well as operationally feasible and adequately verifiable?

  SCOPE: ESPIONAGE OR WAR?

  Any potential international agreement limiting or controlling cyber war must begin with the scope of the proposal. In other words: What is covered and what is out? The definition of cyber war I used above does not include cyber espionage. Hacking your way in to spy, to collect information, does not add or alter data, nor does it need to damage or disrupt the network or things that the network controls in physical space, if it’s done well.

  The Russian cyber arms control proposal, however, is sweeping in its scope and would prohibit something that the Russian Federation is doing every day, spying through hacking. The chief public advocate of the Russian proposal, Vladislav Sherstyuk, had a career of managing hackers. As Director of FAPSI, General Sherstyuk was the direct counterpart to the U.S. Director of the National Security Agency. His career background does not necessarily mean that General Sherstyuk is now being disingenuous when he advocates an international regime to prohibit what he has directed his agency to do for years. The technical differences between cyber espionage and destructive cyber war are so narrow, perhaps General Sherstyuk thinks that a distinction between the two cannot effectively be made. Or perhaps he has had a change of heart. Perhaps he believes that cyber espionage is something that now puts Russia at a disadvantage. More likely, however, the general, like all who have seen cyber espionage in action, would be very reluctant to give it up.

  Cyber espionage is, at one level, vastly easier than traditional espionage. It is hard to exaggerate the difficulty of recruiting a reliable spy and getting such an agent into the right place in an organization so that he or she can copy and exfiltrate a meaningful amount of valuable information. Then there is always the suspicion that the material being provided is falsified and that the spy is a double agent. The best counterintelligence procedure has always been to imagine where the opponent would want to have a spy and then give them one there. The agent passes on low-grade data and then adds some slightly falsified material that makes it useless, or worse.

  As I discussed in Your Government Failed You, the U.S. is not particularly good at using spies or, as the Americans like to call it, human intelligence (often shortened to HUMINT). The reasons have to do with the difficulty of the task, our reluctance to trust some kinds of people who might make good spies, the reticence of many Americans to become deep-cover agents, and the ability of other nations to detect our attempts at spying. These conditions are deeply seated and cultural, have been true for sixty years or more, and are unlikely to change.

  What we are remarkably good at is electronic spying. In fact, our abilities in cyber espionage often make up for our inabilities in the area of HUMINT. Thus, one could argue that forcing the U.S. to give up cyber espionage would significantly reduce our intelligence-collection capability, and that such a ban would possibly put us at a greater disadvantage than it would some other nations.

  The idea of limiting cyber espionage requires us to question what is wrong with doing it, to ask what problem is such a ban intended to solve. Although Henry Stimson, Secretary of State under President Herbert Hoover, did stop some espionage on the grounds that “gentlemen do not read each other’s mail,” most U.S. Presidents have found intelligence gathering essential to their conduct of national security. Knowledge is power. Espionage is about getting knowledge. Nations have been engaging in espionage at least since biblical times. Knowing what another nation’s capabilities are and having a view into what they are doing behind closed doors usually contributes to stability. Wild claims about an opponent can lead to tensions and arms races. Spying can sometimes calm such fears, as when in 1960 there was discussion of a “missile gap,” that is, that the Soviets’ missile inventory greatly exceeded our own. Our early spy satellites ended that concern. Espionage can also sometimes prevent surprises and the need to be ready, on a hair trigger, in constant expectation of certain kinds of surprises. Yet there are some fundamental differences between cyber espionage and traditional spying that we may want to consider.

  During the Cold War, the United States and the Soviet Union each spent billions spying on each other. We worked hard, as did the Soviets, to recruit spies within sensitive ministries in order to learn about intentions, capabilities, and weaknesses. Sometimes we succeeded and reaped huge benefits. More often than not, we failed. Those failures sometimes came with damaging consequences.

  In the late 1960s, U.S. espionage efforts against North Korea almost led to combat twice. The U.S. Navy electronic espionage ship Pueblo was seized, along with its eighty-two crew members, by the North Korean Navy in January 1968. For eleven months, until the crew was released, militaries on the Korean Peninsula were on high alert, fearing a shooting war. Five months after the crew’s release, a U.S. Air Force EC-121 electronic espionage aircraft was shot down off the North Korean coast, killing all thirty-one Americans on board (interestingly, on the birthday of North Korean leader Kim Il-sung). The U.S. President, Richard Nixon, considered bombing in response, but with the U.S. Army tied down in Vietnam, he held his fire, lest the incident escalate into a second U.S. war in Asia.

  Seven months later, a U.S. Navy submarine was allegedly operating inside the territorial waters of the Soviet Union when the ship collided underwater with a Red Navy submarine. Six years later Seymour Hersh reported, “The American submarine, the USS Gato, was on a highly classified reconnaissance mission as part of what the Navy called the Holystone program when she and the Soviet submarine collided fifteen to twenty-five miles off the entrance to the White Sea.” According to Peter Sasgen’s excellent Stalking the Bear, “Operation Holystone was a series of missions carried out during the Cold War [that] encompassed everything from recording the acoustic signatures of individual Soviet submarines to collecting electronic communications to videotaping weapon tests.” Both these incidents of spying gone wrong could have brought us into very real and dangerous conflict.

  In early 1992, I was an Assistant Secretary of State, and my boss, Secretary of State James A. Baker III, was engaged in delicate negotiations with Russia about arms control and the end of the Cold War. Baker believed he was succeeding in overcoming the feelings of defeat and paranoia in the leadership circles and the military elites in Moscow. He sought to assuage fears that we would take advantage of the collapse of the Soviet Union. Then, on February 11, the USS Baton Rouge, a nuclear submarine, collided not far off the coast from Severomorsk with the Red Banner Fleet’s Kostroma, a Sierra-class submarine. The Russians, outraged, charged that the U.S. submarine had been collecting intelligence inside the legal limit of their territory.

  I recall how furious Baker was as he demanded to know who in the State Department had approved the Baton Rouge’s mission and what possible value it could have compared to the damage that could be done by its discovery. Baker urgently embarked on a diplomatic repair mission, promising his embarrassed counterpart, Eduard Shevardnadze, that any future such U.S. operations would be canceled. The USS Baton Rouge, badly damaged, made it back to port, where it was, shortly after, struck from the fleet and decommissioned. Those in Moscow who had been preaching that America was hoodwinking them had their proof. The distrust Baker sought to end only grew instead.

  As we think of cyber espionage, we should not just think of it as a new intercept method. Cyber espionage is in many ways easier, cheaper, more successful, and has fewer consequences than traditional espionage. That may mean that more countries will spy on each other, and do more of it than they otherwise would.

  Prior to cyber espionage, there were physical limits to how much information a spy could steal and, thus, in some areas there were partial constraints on the extent of the damage he could do. The case of the F-35 fighter (mentioned briefly above, in chapter 5) demonstrates how when the quantitative aspect of espionage changes so much with the introduction of the cyber dimension, it does not just add a new technique. Rather, the speed, volume, and global reach of cyber activities make cyber espionage fundamentally and qualitatively different from what has gone before. Let’s look at the F-35 incident again to see why.

  The F-35 is a fifth-generation fighter plane being developed by Lockheed Martin. The F-35 is meant to meet the needs of the Navy, Air Force, and Marines in the twenty-first century for an air-to-ground striker, replacing the aging fleet of F-16s and F-18s. The F-35’s biggest advancement over the fourth-generation aircraft will be in its electronic warfare and smart weapons capabilities. With a smaller payload than its predecessors, the F-35 was designed around a “one shot, one kill” mode of warfare that depends on advanced targeting systems. Between the Air Force, Navy, and Marines, the U.S. military has ordered nearly 2,500 of these planes, at a cost of over $300 billion. NATO nations have also ordered the aircraft. The F-35 would provide dominance over any potential adversary for the next three decades. That dominance could be challenged if our enemies could find a way to hack it.

  In April 2009, someone broke into data storage systems and downloaded terabytes’ worth of information related to the development of the F-35. The information they stole was related to the design of the aircraft and to its electronics systems, although what exactly was stolen may never be known because the hackers covered their tracks by encrypting the stolen information before exporting it. According to Pentagon officials, the most sensitive information on the program could not have been accessed because it was allegedly air-gapped from the network. With a high degree of certainty, these officials believe that the intrusion can be traced back to an IP address in China and that the signature of the attack implicates Chinese government involvement. This was not the first time the F-35 program had been successfully hacked. The theft of the F-35 data started in 2007 and continued through 2009. The reported theft was “several” terabytes of information. For simplicity’s sake, let’s assume it was just one terabyte. So, how much did they steal? The equivalent of ten copies of the Encyclopaedia Britannica, all 32 volumes and 44 million words, ten times over.

  If a Cold War spy wanted to move that much information out of a secret, classified facility, he would have needed a small moving van and a forklift. He also would have risked getting caught or killed. Robert Hanssen, the FBI employee who spied for the Soviets, and then the Russians, starting in the 1980s, never revealed anywhere near that much material in over two decades. He secreted documents out of FBI headquarters, wrapped them in plastic bags, and left them in dead drops in parks near his home in Virginia. In all, Hanssen’s betrayal amounted to no more than a few hundred pages of documents.

  Hanssen now spends twenty-three hours a day in solitary confinement in his cell at the supermax prison in Colorado Springs. He is allowed no letters, no visitors, no phone calls, and when addressed by prison guards, is referred to only as “the prisoner” in the third person (“the prisoner will exit his cell”). At least Hanssen escaped with his life. The spies he betrayed were not so lucky. At least three Russians in the employ of the American intelligence community were betrayed by Hanssen and killed by the Russians. A fourth was sent to prison. Spying used to be a dangerous business for the spies. Today it is done remotely.

  The spies who stole the information on the F-35 didn’t need to wait for a recruit to be promoted to gain access, they didn’t have to find someone motivated to betray his country, and no one had to risk getting caught and going to a supermax, or worse. Yet with the information stolen, they may be able to find a weakness in the design or in the systems of the F-35. Perhaps they will be able to see a vulnerability to a new kind of cyber weapon they will use in a future war to eliminate our dominance in the air by dominating cyberspace. That may not even be the worst-case scenario. What if, while the hackers were in our systems, exfiltrating information, they also uploaded a software package? Maybe it was designed to provide a trapdoor for access to the network later, once their original way in was patched. Maybe it was a logic bomb set to take down the Pentagon’s network in a future crisis. Moving from espionage to sabotage is just a few clicks of the mouse. Whoever “they” are, they may be in our systems now just to collect information, but that access could allow them to damage or destroy our networks. So, knowing that nations have been in our systems “just to spy” may give the Pentagon and the President a moment of pause in the next crisis.

  Banning cyber espionage effectively would present huge challenges. Detecting whether a nation is engaging in cyber espionage may be close to impossible. The ways in which the U.S. and Russia now engage in cyber espionage are usually undetectable. Even if we had means of noticing the most sophisticated forms of network penetration, it could be exceedingly difficult to prove who was on the keyboard at the other end of the fiber, or for whom he was working. If we agreed to a treaty that stopped cyber espionage, U.S. agencies would presumably cease such activity, but it is extremely doubtful that some other nations would.

  The ways in which we collect information, including by cyber espionage, may offend some people’s sensibilities and may sometimes violate international or national laws, but, with some notable exceptions, U.S. espionage activities are generally necessary and beneficial to U.S. interests. Moreover, the perception that espionage is vital is widespread among U.S. national security experts and legislators. One question I always asked my teams when I was engaged in arms control was, “When it comes time to testify in favor of the ratification of this agreement, how will you explain to the U.S. Senate how you came to agree to this provision, or, since it will likely be me testifying, how the hell do I explain why we agreed to this?” With an agreement to limit espionage, I would not even know where to begin. And so, when looking at a Russian proposal to ban cyber espionage, one is left wondering why they proposed it and what it says about the overall intent and purpose of their advocacy of a cyber war treaty. The Russian proposal to ban cyber espionage comes from a country with a high degree of skill in such activity, a nation that has regularly orchestrated cyber warfare against other states, has one of the worst records when it comes to international cooperation against cyber crime, and has not signed the one serious international agreement on disruptive cyber activity (the Council of Europe Cyber Crime Convention).

  In rejecting the Russian proposal for an international agreement prohibiting cyber espionage, I recognize that cyber espionage does have the potential to be damaging to diplomacy, to be provocative, and possibly even destabilizing. As former NSA Director Ken Minihan said to me, “We are conducting warfare activities without thinking that it is war.” That is dangerous, but there may be other ways to address those concerns. Over the course of the Cold War, the CIA and its Soviet counterpart, the KGB, met secretly and developed tacit rules of the road. Neither side went around assassinating the other’s agents. Certain things were generally out of bounds. There may be a parallel in cyber espionage. What I recommend is consideration of quiet understandings. Countries need to recognize that cyber espionage can easily be mistaken for preparation of the battlefield and that such actions may be seen to be provocative. Nations should not do things in cyberspace that they would not do in the real world. If you would not put a group of agents in somewhere to extract the information you are hoping to steal on the Net, you probably should not take it electronically. Because there is so little difference between extraction and sabotage, countries should be careful about where they prowl and what they take in cyberspace.

  While espionage targeting government systems may have gotten out of hand, America’s real crown jewels are not our government secrets, but our intellectual property. U.S. stockholders and taxpayers spend billions of dollars funding research. China steals the results for pennies on the billions and then takes the results to market. The only real economic edge that the U.S. enjoyed, our technological research prowess, is disappearing as a result of cyber espionage. Calling it “industrial espionage” doesn’t alter the fact that it is a crime. By hacking commercial organizations around the world to steal non-defense data to increase China’s profits, the government in Beijing has become a kleptocracy on a global scale. Even if a major cyber war involving the U.S. never happens, Chinese cyber espionage and intellectual property war may swing the balance of power in the world away from America. We need to make protecting this information a much higher priority, and we need to confront China about its activities.

  If consequences can be created for certain kinds of destabilizing cyber espionage, countries may more tightly control who does it, why it is done, and where it is done. Most bureaucrats want to avoid scenes in which they have to explain to an outraged Secretary of State, or similar senior official, how the intelligence value of an exposed covert operation was supposed to outweigh the damage done by its discovery. Thus, while I recognize that some cyber espionage may have the potential to be less valuable than the corresponding amount of damage it may cause, I think that risk is best handled by discussions among intelligence organizations and governments bilaterally, privately. An arms control agreement limiting cyber espionage is not clearly in our interest, might be violated regularly by other nations, and would pose significant compliance-enforcement problems.
