by Jared Cohen
When the Flame virus was discovered two years later, initial reports from security experts suggested that it was unconnected to Stuxnet; it was much larger, used a different programming language and operated differently, focusing on covert data-gathering instead of targeting centrifuges. It was also older—analysts found that Flame had been in existence for at least four years by the time they discovered it, which means it predated the Stuxnet worm. And Sanger reported that American officials denied that Flame was part of the Olympic Games project. Yet less than a month after the public revelations about these cyber weapons, security experts at Kaspersky Lab, a large Russian computer-security company with international credibility, concluded that the two teams that developed Stuxnet and Flame did, at an early stage, collaborate. They identified a particular module, known as Resource 207, in an early version of the Stuxnet worm that clearly shares code with Flame. “It looks like the Flame platform was a kick-starter of sorts to get the Stuxnet project going,” a senior Kaspersky researcher explained. “The operations went separate ways, maybe because Stuxnet code was mature enough to be deployed in the wild. Now we are 100 percent sure that the Stuxnet and Flame groups worked together.”
Though Stuxnet, Flame and other cyber weapons linked to the United States and Israel are the most advanced known examples of state-led cyber attacks, other methods of cyber warfare have already been used by governments around the world. These attacks needn’t be limited to highly consequential geopolitical issues; they can be deployed to harass a disliked fellow state with equal panache. Following a diplomatic fight in 2007 over the Estonian government’s decision to remove a Russian World War II memorial in its capital, Tallinn, a mass of prominent Estonian websites, including those of banks, newspapers and government institutions, were abruptly struck down by a distributed denial of service (DDoS) attack. Estonia is often called the most wired country on Earth, because almost every daily function of the state (and nearly all of its citizens) employs online services, including e-government, e-voting, e-banking and m-parking, which allows drivers to pay for their parking with a mobile device. Yet the country that gave the world Skype suddenly found itself paralyzed due to the efforts of a group of hackers. The systems came back online, and the Estonians immediately suspected their neighbor Russia—the Estonian foreign minister, Urmas Paet, accused the Kremlin directly—but proving culpability was not possible. NATO and European Commission experts were unable to find evidence of official Russian government involvement. (The Russians, for their part, denied the charges.)
Some questions that arise—Was it an act of cyber warfare? Would it be if the Kremlin hadn’t ordered it, but gave its blessing to the hackers who executed it?—remain unanswered. In the absence of attribution, victims of cyber attacks are left with little to go on, and perpetrators can remain safe from prosecution even if suspicion is heightened. (One year after the Estonian attacks, websites for the Georgian military and government were brought down by DDoS attacks, while the country was in a dispute with, you guessed it, Russia. The following year, Russian hackers targeted the Internet providers in Kyrgyzstan, shutting down 80 percent of the country’s bandwidth for days. Some believe the attacks were intended to curb the Kyrgyz opposition party, which has a relatively large Internet presence, while others contend that the impetus was a failed investment deal, in which Russia had tried to get Kyrgyzstan to shut down the U.S. military base it hosted.)
Then there is the example of Chinese cyber attacks on Google and other American companies over the past few years. Digital corporate espionage is a rowdy subcategory of cyber warfare, a relatively new phenomenon that in the future will have a severe impact on relations between states as well as national economies. Google finds its systems under attack from unknown digital assailants frequently, which is why it spends so much time and energy building the most secure network and protections possible for Google users. In late 2009, Google detected unusual traffic within its network and began to monitor the activity. (As in most cyber attacks, it was more valuable to our cyber-security experts to temporarily leave the compromised channels open so that we could watch them, rather than shut them down immediately.) What was discovered was a highly sophisticated industrial attack on Google’s intellectual property coming from China.
Over the course of Google’s investigation, it gathered sufficient evidence to know that the Chinese government or its agents were behind the attack. Beyond the technical clues, part of the attacks involved attempts to access and monitor the Gmail accounts of Chinese human-rights activists, as well as the accounts of advocates of human rights in China based in the United States and Europe. (These attacks were largely unsuccessful.) In the end, this attack—which targeted not only Google but dozens of other publicly listed companies—was among the driving factors in Google’s decision to alter its business position in China, resulting in the shutdown of its Google China operations, the end of self-censorship of Chinese Internet content, and the redirection of all incoming searches to Google in Hong Kong.
Today, only a small number of states have the capacity to launch large-scale cyber attacks—the lack of fast networks and technical talent holds others back—but in the future there will be dozens more participating, either offensively or defensively. Many people believe that a new arms race has already begun, with the United States, China, Russia, Israel and Iran, among others, investing heavily in stockpiling technological capabilities and maintaining a competitive edge. In 2009, around the same time that the Pentagon gave the directive to establish United States Cyber Command (USCYBERCOM), then secretary of defense Robert Gates declared cyberspace to be the “fifth domain” of military operations, alongside land, sea, air and space. Perhaps in the future the military might create the equivalent of the Army’s Delta Force for cyberspace, or we could see the establishment of a department of cyber war with a new cabinet secretary. If this sounds far-fetched, think back to the creation of the Department of Homeland Security as a response to 9/11. All it takes is one big national episode to spur tremendous action and resource allocation on the part of the government. Remember, it was the United Kingdom’s experience with Irish terrorism that led to the establishment of closed-circuit television (CCTV) cameras in every corner of London, a move that was welcomed by much of the populace. Of course, some raised concerns about their every move on the streets being filmed and stored, but in moments of national emergency, the hawks always prevail over the doves. Postcrisis security measures are extremely expensive, with states having to act quickly and go the extra mile to assuage the concerns of their population. Some cyber-security experts peg the cost of the new “cyber-industrial complex” somewhere between $80 billion and $150 billion annually.
Countries with strong engineering sectors like the United States have the human capital to build their virtual weapons “in-house,” but what of the states whose populations’ technical potential is underdeveloped? Earlier, we described a minerals-for-technology trade for governments looking to build surveillance states, and it stands to reason that this type of exchange will work equally well if those states’ attention turns toward its external enemies. Countries in Africa, Latin America and Central Asia will locate supplier nations whose technological investment can augment their own lackluster infrastructure. China and the United States will be the largest suppliers but by no means the only ones; government agencies and private companies from all over the world will compete to offer products and services to acquisitive nations. Most of these deals will occur without the knowledge of either country’s population, which will lead to some uncomfortable questions if the partnership is later exposed. A raid on the Egyptian state security building after the country’s 2011 revolution produced explosive copies of contracts with private outlets, including an obscure British firm that sold online spyware to the Mubarak regime.
For countries looking to develop their cyber-war capabilities, choosing a supplier nation will be an important decision, akin to agreeing to be in their “sphere of online influence.” Supplier nations will lobby hard to gain a foothold in emerging states, since investment buys influence. China has been remarkably successful in extending its footprint into Africa, trading technical assistance and large infrastructure projects for access to resources and consumer markets, in no small part due to China’s noninterference policy and low bids. Who, then, will those countries likely turn to when they decide to start building their cyber arsenal?
Indeed, we already see signs of such investments under the umbrella of science and technology development projects. Tanzania, a former socialist country, is one of the largest recipients of Chinese foreign direct assistance. In 2007, a Chinese telecom was contracted to lay some ten thousand kilometers of fiber-optic cable. Several years later, a Chinese mining company called Sichuan Hongda announced that it had entered into a $3 billion deal with Tanzania to extract coal and iron ore in the south of the country. Shortly thereafter, the Tanzanian government announced it had entered into a loan agreement with China to build a natural-gas pipeline for $1 billion. All across the continent, similar symbiotic relationships exist between African governments and big Chinese firms, most of which are state-owned. (State-owned enterprises make up 80 percent of the value of China’s stock market.) A $150 million loan for Ghana’s e-governance venture, implemented by the Chinese firm Huawei, a research hospital in Kenya, and an “African Technological City” in Khartoum all flow from the Forum on China-Africa Cooperation (FOCAC), a body established in 2000 to facilitate Sino-African partnerships.
In the future, superpower supplier nations will look to create their spheres of online influence around specific protocols and products, so that their technologies form the backbone of a particular society and their client states come to rely on certain critical infrastructure that the superpower alone builds, services and controls. There are currently four main manufacturers of telecommunications equipment: Sweden’s Ericsson, China’s Huawei, France’s Alcatel-Lucent and Cisco in the United States. China would certainly benefit from large portions of the world using its hardware and software, because the Chinese government has dominating influence over what its companies do. Where Huawei gains market share, the influence and reach of China grow as well. Ericsson and Cisco are less controlled by their respective governments, but there will come a time when their commercial and national interests align and contrast with China’s—say, over the abuse of their products by an authoritarian state—and they will coordinate their efforts with their governments on both diplomatic and technical levels.
These spheres of online influence will be both technical and political in nature, and while in practice such high-level relationships may not affect citizens in daily life, if something serious were to happen (like an uprising organized through mobile phones), which technology a country uses and whose sphere it’s in might start to matter. Technology companies export their values along with their products, so it is absolutely vital who lays the foundation of connectivity infrastructure. There are different attitudes about open and closed systems, disputes over the role of government, and different standards of accountability. If, for example, a Chinese client state uses its purchased technology to persecute internal minority groups, the United States would have very limited leverage: Legal recourse would be useless. This is a commercial battle with profound security implications.
The New Code War
The logical conclusion of many more states coming online, building or buying cyber-attack capability and operating within competitive spheres of online influence is perpetual, permanent low-grade cyber war. Large nations will attack other large nations, directly and by proxy; developing nations will exploit their new capabilities to address long-standing grievances; and smaller states will look to have a disproportionately large influence, safe in the knowledge that they won’t be held accountable because of the untraceable nature of their attacks. Because most attacks will be silent and slow-moving information-gathering exercises, they won’t provoke violent retaliation. That will keep tensions on a slow burn for years to come. Superpowers will build up virtual armies within their spheres of influence, adding an important proxy layer to insulate them, and together they’ll be able to produce worms, viruses, sophisticated hacks and other forms of online espionage for commercial and political gain.
Some refer to this as the upcoming Code War, where major powers are locked in a simmering conflict in one dimension while economic and political progress continues unaffected in another. But unlike its real-world predecessor, this won’t be a primarily binary struggle; rather, the participation of powerful tech-savvy states including Iran, Israel and Russia will make it a multipolar engagement. Clear ideological fault lines will emerge around free expression, open data and liberalism. As we said, there will be little overt escalation or spillage into the physical world because none of the players would want to jeopardize their ongoing relationships.
Some classic Cold War attributes will carry over into the Code War, particularly those pertaining to espionage, because governments will largely view their new cyber-warfare capabilities as extensions of their intelligence agencies. Embedded moles, dead letter drops and other tradecraft will be replaced by worms, key-logging software, location-based tracking and other digital spyware tools. Extracting information from hard drives instead of from humans may reduce risk to traditional assets and their handlers, but it will introduce new challenges, too: Misinformation will remain a problem, and very sophisticated computers may give up secrets even less easily than people.
Another Cold War attribute—war by proxy—will see a revival in these new digital-age entanglements. On one hand, it could manifest in progressive alliances between states to counter dangerous non-state elements, where the cyber attack’s lack of attribution provides political cover. The United States could covertly fund or train Latin American governments to launch electronic attacks on drug-cartel networks. On the other hand, war by digital proxy could lead to further misdirection and false accusations, with countries exploiting the lack of attribution for their own political or economic gain.
As with the Cold War, there will be little civilian involvement, awareness or direct harm, which deleteriously affects how states perceive the risks of such activities. States with ambition but a lack of experience in cyber warfare might go too far and unintentionally start a conflict that actually does harm their populations. Eventually, mutually-assured-destruction doctrines might emerge between states that stabilize these dynamics, but the multipolarity of the landscape promises to keep some measure of volatility in the system.
More important, there will be a great deal of room for error in the new Code War. The misperceptions, misdirection and mistakes that characterized the Cold War era will reappear with vigor as all participants go through the process of learning how to use the powerful new tools at their disposal. Given the additional layer of obfuscation that cyber attacks provide, it might end up being worse than the Cold War—even exploded missiles leave trails. Mistakes will be made by governments in deciding what to target and how, by victims who out of panic or anger retaliate against the wrong party, and by the engineers who construct these massively complicated computer programs. With weapons this technically complex, it’s possible that a rogue individual would install his own back door in the program—a means of access that bypasses security mechanisms and can be used remotely—which would remain unnoticed until he decided to use it. Or perhaps a user would unknowingly share a well-constructed virus in a way its creators did not intend, and instead of skimming information about a country’s stock exchange, it would actually crash it. Or a dangerous program could be discovered that would bear several false flags (the digital version of bait) in the code, and this time the targeted country would decide to take action against the apparent source.
We’ve already seen examples of how the attribution problem of cyber attacks can lead to misdirection on a state level. In 2009, three waves of DDoS attacks crippled major government websites in both the United States and South Korea. When security experts reviewed the cyber attack, they found Korean language and other indicators that strongly suggested that the network of attacking computers, or botnet, began in North Korea. Officials in Seoul directly pointed their fingers at Pyongyang, the American media ran with the story and a prominent Republican lawmaker demanded that President Obama conduct a “show of force or strength” against North Korea in retaliation.
In fact, no one could prove where the attacks came from. A year later, analysts concluded they had no evidence that North Korea or any other state was involved. One analyst in Vietnam had earlier said that the attacks originated in the United Kingdom, while the South Koreans insisted that North Korea’s telecommunications ministry was behind them. Some people even thought it was all a hoax orchestrated by the South Korean government or activists attempting to incite U.S. action against the North Korean regime.
These attacks were, by most accounts, rather ineffectual and fairly unsophisticated—no data was lost, and the DDoS method is considered a rather blunt instrument—which in part explains why the situation did not escalate. But what happens when more countries can build Stuxnet worms, and even more sophisticated weapons? At what point does a cyber attack become an act of war? And how does a country retaliate when the instigator can almost always cover his tracks? Such questions will have to be answered by policy-makers the world over, and sooner than they expect. Some solutions to these challenges exist, but most options, like international treaties governing cyber attacks, will require substantial investment as well as honest dialogue about what we can and cannot control.