Moreover, the scenario presented a problem that if you do not go first in cyberspace, your ability to conduct cyber attack may be reduced by the other side stepping up both its defensive measures (for example, China cutting off its cyberspace from the rest of the world) and its offensive measures (including attacks that disrupted U.S. networks that may be necessary for some of the U.S. attacks to be launched). Whether we say it publicly or maintain it as an internal component of our strategy, if we were to accept the concept of No First Use in cyber war we would require a clear understanding of what constitutes “use.” Is penetration of a network a cyber war act? When the network penetration goes beyond just collecting information, does the act then move from intelligence operations to cyber war? Any ban on “first use” would probably only apply prior to kinetic shooting. Once a war goes kinetic, most bets are off.
3. PREPARATION OF THE BATTLEFIELD
Another thing that you should have caught is that it appears that both sides had hacked into each other’s systems well before the exercise began. In the real world, they probably have actually done just that. How much of this is done and who approves it is an issue to be reviewed when creating a strategy.
If CIA sends agents into a country to conduct a survey for possible future sabotage and they leave behind a cache of weapons and explosives, under U.S. law such activity is considered covert action and requires a Presidential finding and a formal notification of the two congressional intelligence committees. In recent years, the Pentagon has taken the view that if it conducts some kind of covert action, well, that’s just preparation of the battlefield and no one needs to know. The phrase “preparation of the battlefield” has become somewhat elastic. The battle does not need to be imminent, and almost anyplace can be a battlefield someday.
This elasticity has also been applied to cyber war capability, and apparently not just by the United States. In the hypothetical exercise, both the U.S. and China opened previously installed trapdoors in the other country’s networks and then set off logic bombs that had been implanted earlier in, among other places, the electric power grids. Beyond the exercise, there is good reason to believe that someone actually has already implanted logic bombs in the U.S. power grid control networks. Several people who should know implied or confirmed that the U.S. has also already engaged in the same kind of preparation of the battlefield.
Imagine if the FBI announced that it had arrested dozens of Chinese government agents running around the country strapping C4 explosive charges to those big, ugly high-tension transmission line towers and to some of those unmanned step-down electric substation transformers that dot the landscape. The nation would be in an outrage. Certain Congressmen would demand that we declare war, or at least slap punitive tariffs on Chinese imports. Somebody would insist that we start calling Chinese food “liberty snacks.” Yet when the Wall Street Journal announced in a headline in April 2009 that China had planted logic bombs in the U.S. grid, there was little reaction. The difference in response is indicative mainly of the Congress, the media, and the public’s inexperience with cyber war. It is not reflective of any real distinction between the effects those logic bombs could have on the power grid, compared to what little parcels of C4 explosives might do.
The implanting of logic bombs on networks such as the U.S. power grid cannot be justified as an intelligence-collection operation. A nation might collect intelligence on our weapon systems by hacking into Raytheon’s or Boeing’s network, but there is no informational value in being inside Florida Power and Light’s control system. Even if there were valuable data on that network, logic bombs do not collect information, they destroy it. The only reason to hack into a power grid’s controls, install a trapdoor so you can get back in quickly later on, and leave behind computer code that would, when activated, cause damage to the software (and even the hardware) of the network, is if you are planning a cyber war. It does not mean that you have already decided to conduct that war, but it certainly means that you want to be ready to do so.
Throughout much of the Cold War and even afterward there were urban legends about Soviet agents sneaking into the U.S. with small nuclear weapons, so-called suitcase bombs, that could wipe out U.S. cities even if Russian bombers and missiles were destroyed in some U.S. surprise attack. While both the Soviets and the U.S. did have small weapons (we actually had a few hundred called the Medium Atomic Demolition Munitions, or MADM, and another bunch called the Small Atomic Demolition Munitions, or SADM, which were designed to be carried in a backpack), there is no evidence that either side actually deployed them behind the other’s lines. Even at the height of the Cold War, decision makers thought that actually sending the MADMs out onto the streets would be too destabilizing.
How is it, then, that Chinese, and presumably U.S., decision makers have authorized placing logic bombs on the territory of the other? It is at least possible that high-level officials in one or both countries never approved the deployments and do not know about them. The cyber weapons might have been implanted on the authority of military commanders acting under their authority to engage in preparation of the battlefield. There is a risk that senior policy makers will be told in a crisis that the other side has planted logic bombs in preparation for war and will view that as a new and threatening development, causing the senior policy makers to ratchet up their response in the crisis. Leaders may be told that since it is obvious the other side intends to crash our power grid, we should go first while we still can. Another risk is that the weapon may actually be used without senior-level approval, either by a rogue commander or by some hacker or disgruntled employee who discovers the weapon.
Cyber warriors justify the steps they have taken in preparation of the battlefield as necessary measures to provide national decision makers with options in a future crisis. “Would you want the President to have fewer courses of action to choose from in some crisis?” they would say. “If you want him to have the choice of a nonkinetic response in the future, you have to let us get into their networks now. Just because a network is vulnerable to unauthorized penetration now does not mean it will be so years from now when we may want to get in.”
Networks are constantly being modified. An electric power transmission company might one day buy an effective intrusion-prevention system (IPS) that would detect and block the techniques we use to penetrate into the network. But if we can get into the network now, we can leave behind a trapdoor that would appear to any future security system as an authorized entry. Getting onto the network in the future is not enough, however; we want to be able to run code that makes the system do what we want, to malfunction. That future IPS might block the downloading of executable code, even by an authorized user, without some higher level of approval. Thus, if we can get into the system now, we should leave behind the instruction code to override surge protection or cause the generators to spin out of synchronization, or whatever method we have to disrupt or destroy the network or the hardware it runs.
That sounds persuasive at one level, but are there places where we do not want our cyber warriors preparing the battlefield?
4. GLOBAL WAR
In our hypothetical exercise, the Chinese response aimed at four U.S. navy facilities but spilled over into several major cities in four countries. (The North American Interconnects link electric power systems in the U.S., Canada, and parts of Mexico.)
To hide its tracks, the U.S., in this scenario, attacked the Chinese power grid from a computer in Estonia. To get to China from Estonia, the U.S. attack packets would have had to traverse several countries, including Russia. To discover the source of the attacks on them, the Chinese would probably have hacked into the Russian routers from which the last packets came. In response, China hit back at Estonia to make the point that nations that allow cyber attacks to originate from their networks may end up getting punished even though they had not intentionally originated the attack.
Even in an age of intercontinental missiles and aircraft, cyber war moves faster and crosses borders more easily than any form of hostilities in history. Once a nation-state has initiated cyber war, there is a high potential that other nations will be drawn in, as the attackers try to hide both their identities and the routes taken by their attacks. Launching an attack from Estonian sites would be like the U.S. landing attack aircraft in Mongolia without asking for permission, and then, having refueled, taking off and bombing China. Because some attack tools, such as worms, once launched into cyberspace can spread globally in minutes, there is the possibility of collateral damage as these malicious programs jump international boundaries and affect unintended targets. But what about collateral damage in the country that is being targeted?
5. COLLATERAL DAMAGE AND THE WITHHOLD DOCTRINE
Trying to strike at navy bases, the two cyber combatants hit the power plants providing the bases’ electricity. In so doing, they left large regions and scores of millions of people in the dark because electric power grids are extremely vulnerable to cascading failures that move in seconds. In such a scenario there would probably be dozens of hospitals whose backup generators failed to start. The international laws of war prohibit targeting hospitals and civilian targets in general, but it is impossible to target a power grid without hitting civilian facilities. In the last U.S.-Iraq War, the U.S. campaign of “Shock and Awe” employed precision-guided munitions that wiped out targeted buildings and left structures across the street still standing. While being careful with bombs, the U.S. and other nations have developed cyber war weapons that have the potential to be indiscriminate in their attacks.
In the cyber war game scenario, U.S. Cyber Command was denied permission to attack the banking sector. In the real world, my own attempts to have NSA hack into banks to find and steal al Qaeda’s funds were repeatedly blocked by the leadership of the U.S. Treasury Department in the Clinton Administration. Even in the Bush Administration, Treasury was able to block a proposed hacking attack on Saddam Hussein’s banks at the very time that the administration was preparing an invasion and occupation in which over 100,000 Iraqis were killed. Bankers have successfully argued that their international finance and trading system depends upon a certain level of trust.
The U.S. decision to withhold attacks narrowly targeted on the financial sector also reflects an understanding that the United States might be the biggest loser in a cyber war aimed at banks. Even though the financial services sector is probably the most secure of all of the major industry verticals in the U.S., it is still vulnerable. “We’ve tested the security at more than a dozen top U.S. financial institutions, as hired consultants, and we’ve been able to hack in every time,” one private-sector security consultant told me. “And every time, we could have changed numbers around and moved money, but we didn’t.”
The existing U.S. policy does not prohibit hacking into foreign banks to collect intelligence, but it does create a very high hurdle for altering data. Both the Secretary of the Treasury and the Secretary of State have to personally authorize such an action. As far as I was able to determine from my sources, that approval has never been granted. We have, in effect, what in nuclear war strategy we called a “withhold target set,” things that we have targeted but do not intend to hit. That policy assumes, or hopes, that opponents will also play by those unarticulated rules. In Exercise South China Sea, the PLA team did not. In its last move it hit the databases of the stock market and the major bank clearing house. That was a dramatic and, we hope, unrealistic escalation. Today China’s economy is so tightly connected to America’s that they, too, might have a withhold doctrine affecting the financial sector. Under foreseeable circumstances, it is maybe an acceptable risk to assume that nations will all withhold data-altering attacks on the financial sector, though some U.S. analysts would dispute that about China.
Because a sophisticated nonstate actor might not be so polite, it would be important for the U.S. financial sector to have an advance understanding with the federal regulators about what they would do if there were a major hack that altered data. Certain European and Japanese institutions should probably also be discreetly consulted about the policies they would use to reconstruct who owns what after a major data-altering breach. The Federal Reserve Bank and the Securities Industry Automation Corporation, among other financial database operators, have extensive off-site backup systems. Key to their being prepared to fix a data-altering breach is the idea that there is data with a recent picture of “who owns what” that is unlikely to be altered by a cyber attack. With the agreement of the federal regulators, banks and stock markets could revert to a prior date to recover from a data-altering breach. Some people would be hurt and others enriched by such a decision and it would be the subject of litigation forever, but at least the financial system could continue to operate.
China’s air traffic control (ATC) system was also placed on a withhold list in the exercise. As the U.S. modernizes its ATC, making it more network dependent, the system is likely to become only more vulnerable to cyber attack. Already with the older system, the U.S. has experienced instances where individual airport towers and even specific regional centers have been blacked out for hours because of computer or communications connectivity failures. As far as we know, none of these major outages was caused by hacking. (There is one case of an arrest for hacking into the FAA system, but the effects of the attack were minor.)
Nonetheless, the potential for someone altering data and causing aircraft to collide in midair has to be considered. The U.S. is a party to the Montreal Convention, which makes an intentional attack on a civilian airliner a violation of international law. Of course, almost all hacking is a violation of some national and/or international law, but the Montreal Convention is an articulation of the general global sentiment that certain kinds of actions are beyond the pale of acceptable conduct.
Hacking into the flight controls of an aircraft in flight is probably also becoming more feasible. The Federal Aviation Agency raised concerns with Boeing that plans for the new 787 Dreamliner called for the flight control system and the elaborate interactive passenger-entertainment system to use the same computer network. The FAA was concerned that a passenger could hack into the flight control system from his seat, or that live Internet connectivity for passengers could mean that someone on the ground could hack into the system. The airlines’ own systems already create a data connection from the ground to some aircraft’s computer networks. The computer networks on a large passenger aircraft are extensive and play a significant role in keeping the aircraft in the air.
In modern “fly-by-wire” aircraft, it is the flight control system that sends a computer signal to a flap, aileron, or rudder. The Air France crash over the South Atlantic in 2009, mentioned earlier, revealed to a wider audience what pilots have known for years: in modern fly-by-wire aircraft, onboard computers decide what signals to send to the control surfaces. Under certain circumstances, the software can even override the decision of a pilot to prevent the manual controls from making the aircraft do something that would cause it to stall or go out of control. As that recent Air France crash also demonstrated, the aircraft’s computers were firing off messages back to the Air France headquarters’ computers without the pilot being involved. As with the ATC system, the computer networks of commercial passenger aircraft should probably also be off limits. Military aircraft are, however, likely to be considered fair game.
Had the Cyber Command team asked the Controllers for permission to attack the reservations and operations network of Chinese airlines, they may have gotten a different answer. In the real world, computer crashes at U.S. and Canadian airlines have kept hundreds of aircraft grounded for hours at a time. The aircraft worked and there were crews available, but without the reservations database and the operational network up and running, the airlines did not know what crew, passengers, cargo, or fuel load should go on what planes. The airlines, like so many other huge business systems, no longer have manual backup systems that are sufficient to create even minimal operations.
There may be other withholds, in addition to banking and commercial aircraft. In the exercise, two of the networks that Cyber Command was told not to strike were China’s military command and control network and their air defense system. Since those are purely military targets, why were they spared?
6. ESCALATORY CONTROL
During the Cold War, I often participated in exercises in which teams of national security officials were secretly hustled out of Washington on short notice to obscure, covert locations. Once at our destinations, the teams did exactly what the War Games movie computer suggested. We played thermonuclear war. These were massively depressing experiences, since the “game reality” we had to accept was that millions of people had already died in a nuclear exchange. Our job was almost always to finish the war and begin the recovery.
The most difficult part of finishing the war usually turned out to be finding who was still alive and in control of the military on the other side. What survivor was in command of Soviet forces, and how do we talk to him without either of us revealing our hidden locations? Part of the problem that the game controllers deviously planned for us sometimes was that the guy with whom we were negotiating war termination did not actually have control over some element of the surviving Soviet force, for instance, their nuclear missile submarines. What we learned from these unpleasant experiences was that if we eliminate the opponent’s command and control system, then he has no way to tell his forces to stop fighting. Isolated local commanders, cut off from communications with higher echelons, or not recognizing the authority of the surviving successor, made their own decisions, and often it was to keep fighting. It was the nuclear war equivalent of those lone Japanese fighters who kept turning up on remote Pacific isles in the 1950s, unaware that the Emperor had years before ordered them to surrender.
Cyber War: The Next Threat to National Security and What to Do About It Page 21