Cyber War: The Next Threat to National Security and What to Do About It
Page 26
Only that seismic network, and perhaps the IAEA teams, offers any useful precedent for cyber arms control verification. You cannot detect or count cyber weapons from space, or even by driving around an army base. No nation is likely to agree to having international teams of inspectors plowing through what programs are on computer networks designed to protect classified information. Even if in some parallel universe, nations did permit such intrusive inspection of their military or intelligence computer networks, a nation could hide its cyber weapons on thumb drives or CDs anywhere in the country. A ban on development, possession, or testing of cyber weapons on a closed network (such as the National Cyber Range being developed by Johns Hopkins University and Lockheed Martin) is not something that could be verified.
The actual use of cyber weapons, however, may be more clear-cut. The effects of an attack can often be easily discerned. Computer forensic teams can generally determine what attack techniques were used, even if they may not be able to determine how the penetration into the network occurred. The attribution problem would persist, however, even in the case of an attack that has already taken place. Trace-back techniques and ISP records may indicate that a particular nation is involved, but they would not usually be able to prove a government’s guilt with high confidence. A nation, perhaps the U.S., could easily be framed. Cyber attacks against Georgia, probably orchestrated by Russia, came from a botnet control computer in Brooklyn.
Even if a nation admitted that an attack came from computers on its territory, the government could claim the attacks were from anonymous citizens. This is precisely the claim that the Russian government did make in the case of the cyber attacks on Estonia and Georgia. It is exactly what the Chinese government claimed when U.S. networks were hit from China in 2001, following the alleged penetration of Chinese airspace by a U.S. electronic spy plane. It may even be true that the hackers would turn out to be people without government jobs or offices, although they may have been encouraged and enabled by their governments.
One way to address the attribution problem is to shift the burden from the investigator and accuser to the nation in which the attack software was launched. This same burden shifting has been used in dealing with international crime and with terrorism. In December 1999, Michael Sheehan, then the U.S. ambassador for counterterrorism, had the job of delivering a simple message to the Taliban. Sheehan was instructed to make it clear to the Taliban that they would be held responsible for any attack perpetrated by al Qaeda against the United States or its allies. Late at night, Sheehan delivered the message through an interpreter by telephone to a representative of the Taliban leader Mullah Omar. To drive home the point, Sheehan used a simple analogy: “If you have an arsonist in your basement, and every night he goes out and burns down a neighbor’s house, and you know this is going on, then you can’t claim you aren’t responsible.” Mullah Omar did not evict the arsonist in his basement; indeed, he continued to harbor bin Laden and his al Qaeda followers even after 9/11. Now it is Mullah Omar who is huddling in a basement somewhere, hunted by NATO, U.S., and Afghan armies.
The notion contained in the “arsonist principle” is one that can be applied to cyber war. While we talk about cyberspace as an abstract fifth dimension, it is made up of physical components. These physical components, from the high-speed fiber-optic trunks, to every router, server, and “telecom hotel,” are all in sovereign nations, except perhaps for the undersea cables and the space-based relays. Even they are owned by countries or companies that have real-world physical addresses. Some people like to contend that there is a “sovereignty problem” on the Internet, that because no one owns cyberspace in its entirety, no one has any responsibility for its integrity or security. The arsonist principle, articulated in an international agreement as National Cyberspace Accountability, would make each person, company, ISP, and country responsible for the security of their piece of cyberspace.
At a minimum, countries like Russia could no longer claim that they have no control over so-called patriotic hacktivists. An international agreement could hold host governments responsible either for stopping these hackers from participating in illegal international activities, or at least requiring nations to make their best effort to do so. In addition to their own police activities, a nation that is party to an international agreement might have an obligation to assist. Such an obligation could require them to respond quickly to inquiries in international investigations, seize and preserve server or router records, host and facilitate international investigators, produce their citizens for questioning, and prosecute citizens for specified crimes.
The existing 2001 Council of Europe Convention on Cyber Crime already incorporates many of these obligations to assist. The United States is a party to the convention. Our sovereignty is not being infringed upon by some supranational Olde Europa bureaucracy. Rather, by signing the convention, the U.S. is promising to pass any new legislation necessary to provide the U.S. government with the authority to do the things necessary to meet the obligations in the agreement.
Going beyond the current cyber crime convention, however, a cyber war convention could make nations responsible for ensuring that their ISPs deny service to individuals and devices participating in attacks and report them to authorities. Such a provision would mean that ISPs would have to be able to detect and “black-hole” major worms, botnets, DDOS attacks, and other obvious malicious activity. (Some of this identification of malicious activity is far less difficult than deep-packet inspection and can be done largely by something called “flow analysis,” which means nothing more than watching how much traffic is moving on the network and looking for unusual spikes or patterns.) If a nation did not successfully compel an ISP into compliance, the international agreement could establish a procedure that transferred responsibility to other nations. An ISP could be internationally black-listed. All participating nations would then be required to refuse traffic going to or from that ISP until it complied and stopped the botnets or other obvious malware.
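As an added illustration of the flow-analysis idea in the parenthetical above (example code written for this edition, not from the book): an ISP-side monitor that only counts bytes and distinct sources per destination per minute, with no payload inspection, and flags a minute that is far above its recent baseline and comes from many hosts at once. The flow records are constructed sample data, and the threshold values are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import median


def make_sample_flows():
    """Constructed flow records (minute, src_ip, dst_ip, bytes); not real traffic.
    Ten quiet minutes of three regular clients, then two minutes in which forty
    distinct hosts converge on the same destination, the spike a flow monitor sees."""
    flows = []
    for minute in range(10):
        for i in range(3):
            flows.append((minute, f"203.0.113.{i + 1}", "198.51.100.10", 1000 + 50 * i))
    for minute in (10, 11):
        for i in range(40):
            flows.append((minute, f"192.0.2.{i + 1}", "198.51.100.10", 5000))
    # Background traffic to a second destination stays flat throughout.
    for minute in range(12):
        flows.append((minute, "203.0.113.9", "198.51.100.20", 800))
    return flows


def aggregate(flows):
    """Per (dst, minute): total bytes and the set of distinct source addresses."""
    volume = defaultdict(int)
    sources = defaultdict(set)
    for minute, src, dst, nbytes in flows:
        volume[(dst, minute)] += nbytes
        sources[(dst, minute)].add(src)
    return volume, sources


def detect_spikes(flows, baseline_minutes=5, ratio=5.0, min_sources=20):
    """Flag (dst, minute, bytes, distinct_sources) where bytes exceed `ratio`
    times the median of the preceding `baseline_minutes` and the traffic comes
    from at least `min_sources` hosts: the many-to-one shape of a botnet DDOS.
    The median baseline keeps one spike minute from masking the next one."""
    volume, sources = aggregate(flows)
    alerts = []
    for dst in sorted({d for d, _ in volume}):
        for m in sorted(m for d, m in volume if d == dst):
            prior = [volume.get((dst, p), 0) for p in range(m - baseline_minutes, m) if p >= 0]
            if len(prior) < baseline_minutes:
                continue  # not enough history to judge this minute
            base = median(prior)
            n_src = len(sources[(dst, m)])
            if base > 0 and volume[(dst, m)] > ratio * base and n_src >= min_sources:
                alerts.append((dst, m, volume[(dst, m)], n_src))
    return alerts


if __name__ == "__main__":
    for dst, minute, nbytes, n_src in detect_spikes(make_sample_flows()):
        print(f"minute {minute}: {nbytes} bytes to {dst} from {n_src} distinct hosts")
```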
Such an international agreement would deal with a portion of the attribution problem, by shifting responsibility. Even if the attacker could not be identified, at least there would be someone who could be held responsible for stopping the attack and investigating who the attacker was. Such an obligation would not require most nations to add new cyber forensics units. Nations like China and Russia have the ability now to identify and move quickly against hackers. As Jim Lewis of the Center for Strategic and International Studies has said, “If a hacker in St. Petersburg tried to break into the Kremlin system, that hacker could count the remaining hours of his life on one hand.” You can be sure that the same is true for anyone in China trying to hack the People’s Liberation Army network. If China and Russia signed a cyber war agreement with obligations like the ones suggested here, those governments could no longer blame their citizens for DDOS attacks on other nations and then stand back and do nothing. Failure to act promptly against citizen hackers would result in the nation itself being held in violation of the agreement and, more important, in other nations disconnecting all traffic from the offending ISPs. Nations could black-hole such rogue traffic from other countries now, but in the absence of a legal framework, they are reluctant to do so. An agreement would not only permit nations to block such traffic, it would require them to do so.
A National Cyberspace Accountability provision and its corollary Obligation to Assist would not completely solve the attribution problem. The Russian botnet attack could still come from Brooklyn. The Taiwanese hacker sitting in the San Francisco cyber café could still attack a Chinese government website. But under such an agreement the U.S. would have to stop the botnet and actively investigate the hacker. In the case of a hypothetical Taiwanese agent hacking into Chinese networks in violation of an international agreement, the U.S. government, when notified by China of such activity, would have to task the FBI or Secret Service to help the Chinese police track down the culprit in San Francisco. If he was found, he could be tried in a U.S. court for violation of U.S. law.
Of course, nations may say that they are looking for hackers and not be. They may try culprits and find them not guilty. When notified of a botnet originating on an ISP in their country, nations may take their sweet time doing something about it. To judge whether a nation is actively complying or is just being passive-aggressive, it may be useful if a cyber war agreement created an “International Cyber Forensics and Compliance Staff.” The staff of experts could make reports to member states on whether or not a nation is acting in the spirit of the agreement. There could be international inspection teams, similar to those under the nuclear nonproliferation agreement, the chemical weapons ban, and the European security and cooperation agreement. Such teams could be invited in by signatory nations to assist in verifying that a cyber war attack had occurred in violation of the agreement. They could help determine what nation had actually launched the attack. The international staff might also, with the voluntary cooperation of member states, place traffic-flow monitoring equipment at key nodes leading into a nation’s networks to help detect and identify the origin of attacks.
The international staff might also run a center that nations could contact whenever they believed they were coming under a cyber war attack. Imagine that an Israeli network is hit with a botnet DDOS attack from an ISP in Alexandria, Egypt, at three in the morning, Tel Aviv time. Israel, like all signatory countries in our hypothetical agreement, would have a national cyber security liaison office constantly staffed. The Israeli center would call the international center, say, in Tallinn, and report that a cyber attack was originating from a certain ISP in Egypt. The international center would then call the Egyptian national center in Cairo and request that they immediately investigate whether there is a botnet operating on that ISP in Alexandria. The international staff would time how long it took Egypt to comply and shut down the attack. Perhaps the international staff would be able to look at traffic-flow monitors on gateways coming out of Egypt and see the botnet spike. Egypt would be required to respond with a report on its investigation of the attack. If the incident warranted it, the international staff might ask to send a team of investigators to assist or observe the Egyptian authorities. The international staff could file a report, with conclusions and recommendations, to member states on the incident.
Nations that were found to be scofflaws could be subject to a range of sanctions. In addition to having traffic to and from offending ISPs denied by ISPs in other member states, the offending nation could have its hands slapped by the international organization. For more drastic action, nations could deny visas to officials from the offending nation, limit exports of new IT equipment to the nation, limit the overall amount of cyber traffic to and from the nation, or disconnect the nation altogether from international cyber space for a period of time.
These verification and compliance provisions in a cyber war agreement would not totally solve the attribution problem. They would not prevent a nation from spoofing the source of an attack or framing another state. They would, however, make it more difficult for some kinds of cyber war attacks, while establishing norms of international behavior, providing international legal cover for nations to assist, and creating an international community of cooperating experts in fighting cyber war. It is also important to remember that the capability to conduct attacks that amount to cyber war currently requires a state-level effort, and only a handful of states have advanced capabilities. The list of potential attackers is small. Attribution is a major problem for cyber crime, but for warfare, technical forensics and real-world intelligence can narrow down the list of suspects fairly quickly.
What emerges from this discussion of cyber arms control are five broad conclusions. First, unlike other forms of arms control that destroy weapons, cyber arms control cannot eliminate capability. It can only prohibit acts. Thus, a nation could move from a state of compliance to a gross violation in seconds and without warning.
Second, broad definitions of cyber warfare, such as those that include espionage, are not verifiable and are not in our interest as a nation. Nonetheless, national intelligence services and national governments should initiate channels for discussions so that intelligence activities do not get out of hand, or become misconstrued as showing hostile intentions.
Third, international agreements that prohibit certain acts, such as cyber attacks on civilian infrastructure, are in our interest. Because such attacks could still take place, such agreements would not in any way diminish the need to take defensive steps to protect that infrastructure.
Fourth, high-confidence verification of compliance with a cyber war limitation agreement will not be possible. We may be able to verify a violation, but attribution of the attack will be difficult and could be subject to intentionally misleading activity. Nonetheless, there are measures that can contribute to an international norm against cyber attacks on civilians, namely, an expert international staff, national governmental responsibility for the prevention of violations originating within a nation’s borders, and an obligation to assist in stopping and investigating attacks.
Finally, limits on cyber war attacks against civilian infrastructure would probably mean that we and other states would have to cease any activity in which we may be engaged with logic bombs, and perhaps trapdoors, in other nations’ civilian infrastructure networks. Lacing infrastructure with trapdoors and logic bombs, although little noticed or discussed by the media and the general population, is dangerously provocative. They are alluring because they offer some of the results of war, but without soldiers or death. But they also signal hostile intent far more than any weapon that stays in a nation’s inventory. They could be utilized easily and quickly, without proper authorization, or without a full appreciation for what kind of spiral of escalation they might cause. Although a war might start in cyberspace and be conducted without soldiers or bloodshed, it would be highly unlikely to stay that way for long. By lacing one another’s infrastructure networks with cyber weapons, nations have made starting a war far too easy.
CHAPTER EIGHT
THE AGENDA
Invisibly, military units from over a score of nations are moving into a new battlespace. Because the units are unseen, parliaments and publics have not noticed the movement of these forces. Because their first skirmishes have been isolated and involved only simple weapons, few have thought that cyber warriors could do more. Because most of the major military powers are also one another’s trading partners, commentators cannot envision the circumstances that could turn their relations to hostility. Because the United States has been at war in one nation for seven years and in another for nine, is struggling with its worst-ever recession, and is diverted by partisanship, the “bandwidth” of its policy elites is already consumed. Thus, with attention diverted elsewhere, we may be laying the groundwork for cyber war.
There may be parallels in the early years of the last century. Barbara Tuchman in The Proud Tower describes a world similarly diverted from the realization that its various militaries were preparing devastating forces without contemplating the horrific consequences of their use. Then, as she describes in the sequel, The Guns of August, a spark caused those forces to be activated. Von Schlieffen’s elaborate military use of Germany’s massive new freight rail network literally set wheels in motion that could not be stopped. The military use of the new chemical industry added an element of destructiveness. The use of chemical weapons did far more damage than anyone had anticipated. Today our military is developing elaborate plans for a new kind of war, once again using a technology originally designed for commercial use. As in the period one hundred years ago, those plans have received little public scrutiny.
There have been few times in our history when the American academic community, the media, and the Congress have focused on a potential problem and together cast so much light on an issue that controls were put in place that averted calamity. The issue of strategic nuclear war, referenced much in this book, is the clearest example. A new technology had burst upon the world and the U.S. military had seen in it a way to achieve military dominance and, through that, peace. At airbases with the signs “Peace Is Our Profession,” the plans called for early and massive use of nuclear weapons in a war, against cities and civilian targets. Not until the research community focused a public klieg light on those plans and the larger issue of how to fight nuclear war were rational controls and plans developed and adopted.
Today at U.S. Cyber Command, and at its related agencies, some of our nation’s most intelligent, patriotic, and undercompensated government employees, military and civilian, are putting plans and capabilities in place to achieve “dominance in cyberspace” to maintain this country’s security and preserve the peace. In other nations, cyber war units are also preparing. As part of that preparation, cyber warriors are placing trapdoors in civilian networks, placing logic bombs in electric power grids, and seeding infrastructure for destruction. They believe that their new form of warfare is an advance, not just because of its use of the latest technology, but because it does not involve explosives and direct lethality. Like the Predator pilots who sit in the United States, killing Taliban in Pakistan by remote control, they could subconsciously think that because they live in a peaceful suburban environment, the effects of their destruction on the other side of the world may somehow be clean and neat, unlike “real war.”