
War by Other Means


by Robert D Blackwill


  Still, whether the hacking is offensive or defensive in nature, the degree of the problem is breathtaking. The overall scope and costs—which concentrate overwhelmingly on U.S. and European firms—are so great that even where motives of a given attack are either difficult to define or more straightforwardly commercial than geopolitical, such attacks nevertheless come with substantial geoeconomic consequences and co-benefits. The FBI in 2013 alone privately notified 3,000 U.S. companies that they had been hacked, according to James Lewis, a noted cybersecurity expert with a Washington-based think tank.93 Problems of underreporting by firms notwithstanding, more than 20 percent of the Fortune 500 and roughly one-third of the Fortune 501–1000 reported exposure to business interruption as a result of a cyber event (over 20 percent of Fortune 500 firms also reported perceived exposure to cyber penetration).

  The costs are difficult to know. Problems with systematic underreporting by firms and with pinpointing state sponsorship make the job of tabulating these costs more impressionism than accounting. One British company reported that it lost $1.3 billion from a single state-sponsored attack.94 Another attack, believed to have been launched by North Korea (North Korea’s cyber army receives training and tacit support from China), shut down tens of thousands of computers and wreaked havoc on major banks, media, and government agencies in South Korea, where officials estimated damages at $800 million.95 All told, estimates by private security researchers place the annual cost to the global economy from cyber crime (including both state-sponsored and ordinary criminal activity) at more than $400 billion, with U.S. losses accounting for one-quarter of this figure.96 If correct, these estimates suggest that cyber crime extracts between 15 and 20 percent of the value created by the Internet.97 It also serves to shift employment away from many of the most economically-productive jobs. In the United States alone, studies estimate that losses from cyber crime could cost as many as 200,000 American jobs, tantamount to roughly a 0.3 percent decrease in employment for the United States (in other words, in fall 2014, with U.S. unemployment around 6 percent, correcting for cyber losses would have reduced unemployment to 5.7 percent).98

  Energy is among the most attractive targets. The energy sector, including oil and gas producers and infrastructure operators, suffered more targeted malware attacks over a six-month period in 2012 than any other industry, according to one study.99 Energy companies were targeted in 41 percent of the malicious software attacks reported to the U.S. Department of Homeland Security in 2012.100 These attacks have successfully penetrated several of the world’s major oil and gas producers, including Saudi Aramco (officially the Saudi Arabian Oil Company) and Qatar’s RasGas.101

  Arguably the most damaging known attack against American energy targets was “Night Dragon.” The cybersecurity firm McAfee, which first uncovered the attack, described Night Dragon as a “coordinated, covert, and targeted” campaign by China-based hackers to obtain proprietary data from five major Western energy firms, “beginning around 2008 and extending into early 2011.”102 Night Dragon exfiltrated gigabytes of highly sensitive material—everything from financial transactions and bidding data, to information about oil and gas field operations.103 One U.S. oil executive acknowledged that on at least one occasion a rival national oil company appeared to know his firm’s bidding strategy in advance of an auction, which resulted in his firm losing the bid.104

  In 2012, Iranian hackers attacked Saudi Aramco, the Saudi Arabian national oil company (also the world’s largest oil company). Malware linked to Iran struck Aramco’s networks, destroying data on and ultimately disabling approximately 30,000 computers and knocking out part of the company’s system for as long as two weeks, according to intelligence officials.105 Leon Panetta, then U.S. secretary of defense, called the attack “probably the most destructive … that the private sector has seen to date.”106 According to Saudi officials, the attack aimed to disrupt oil production and although, fortunately, Aramco’s physical operations were unharmed by the attack, some security experts believe it could have eventually succeeded in damaging production had it penetrated further into the network.107

  Some months later, Iran’s cyber army turned its sights toward U.S. energy firms. Energy economist Blake Clayton and cyber expert Adam Segal chronicle an episode that began in February 2013 when “malware unintentionally downloaded by workers incapacitated networks on some rigs and platforms. Two months later, U.S. officials revealed that a wave of attacks on U.S. companies, particularly energy companies, had been under way for several months. The attacks, which were unsuccessful in compromising their intended targets, appeared to have originated in Iran.”108 The attacks seemingly aimed not simply to destroy data but to take control of critical internal control systems.109

  Concerning as Iran’s attacks were to U.S. security officials, things would soon get worse. Later in 2013, security researchers at several American cybersecurity companies uncovered a Russian cyber espionage campaign, in which Russian hackers were systematically hacking more than one thousand Western oil and gas computers and energy investment firms. Given Russian dependence on its oil and gas industry, the motive was at least partly industrial espionage. But the hackers were choosing their targets in a way that also seemed intended to seize remote control of industrial control systems, a clear geoeconomic objective.110

  The asymmetric nature of geoeconomic cyberattacks—a state actor targeting a private firm—can confound the ability of U.S. and other Western government officials to respond. In the spring of 2012, the computer networks of some of the largest banks in the United States came under attack. Sites were brought down for hours at a time. Customers had trouble accessing their accounts. The assaults, believed to have been launched by Iran, marked the first major digital assault of its kind undertaken against U.S. banks by a foreign adversary. Launched shortly after the expansion of U.S. sanctions against Iran, the attacks showed impressive skill and went on for months. By September, Wells Fargo, Bank of America, JPMorgan Chase, and other U.S. financial institutions were besieged with waves of electronic traffic that had swelled from normal levels of 20 gigabits per second to 40, 80, and ultimately 120 gigabits per second—more than three times the volume of traffic that most large banks’ websites were equipped to handle. Banks were spending tens of millions of dollars to mitigate the problem.

  Meanwhile, in Washington, experts from different agencies debated their options. There were few good ones, given the risks of confrontation and the desire for effectiveness.111 Later that fall, as the assault continued, the White House decided on a sort of middle course. In a move that was part diplomatic, part technical, officials appealed for help to 120 countries, asking them to target the traffic locally and to remove the malicious code from those servers serving as springboards for the attacks.112 It was largely though not entirely effective. Attacks slowed, but did not stop entirely for several more weeks; when they finally did cease, it was more on account of the opening of a diplomatic process for easing the sanctions against Iran. Apart from effectiveness in halting the attacks, many saw no real deterrent value. “What was the sanction?” intoned one former defense official who favored a more aggressive response. “The effort didn’t hinder the adversary’s objectives in the least.”113

  Comparing the episode to the U.S. government’s far swifter response to the 2008 attacks on Pentagon computer systems demonstrates how confounding it can be for U.S. legal and policy regimes when states target private commercial actors to make a geopolitical point. Washington faced a similar challenge in December 2014 as policy makers struggled to determine the appropriate retaliatory measures toward North Korea following an attack on the American company Sony Pictures, a subsidiary of the Japanese multinational.114

  Similar plotlines had emerged earlier in 2014 as U.S. financial firms again fell victim to a wave of sophisticated cyberattacks, once more on the heels of a decision by the Obama administration to ratchet up sanctions against a major country. This time the attacks traced back to Russia, and investigators have said they believed there was at least a “loose connection” between the hackers and the Russian government (at this writing, investigations are ongoing). Certainly there is circumstantial evidence surrounding the timing of the attacks. In April, the Kremlin singled out JPMorgan for criticism when, complying with U.S. sanctions against Russia, the bank blocked a payment from a Russian embassy to the affiliate of a U.S.-sanctioned bank. Russia’s foreign ministry called the move by JPMorgan “illegal and absurd.”115

  Attacks on the electronic systems of JPMorgan and nine other major U.S. firms followed within days of the Kremlin’s criticism. By the time they were uncovered in August, they constituted the largest such attack against any American company—the breach at JPMorgan alone touched 76 million American households and 7 million small businesses.116 The hackers penetrated 90 of JPMorgan’s servers, stealing sensitive information on company executives and a list of every application and program deployed on standard JPMorgan computers.117

  As the scale and gravity of the breach became more clear to U.S. officials, there were few answers to the one question the White House thought most important: what was the motive for the attack? “The question kept coming back, ‘Is this plain old theft, or is Putin retaliating?’ ” one senior U.S. official said, referring to sanctions on Russia. “And the answer was: ‘We don’t know for sure.’ ”118

  Many months after the first attacks were discovered, the source remains unclear, and there is no evidence any money was taken from any institution (casting further doubt on the notion that the hacks were mere criminal activity). Those searching for a motive believe the attack may have been intended to give U.S. leaders pause as they make foreign policy decisions. “If you can steal the data—if you can reach in that far and steal it—you can do anything else you want,” former NSA director Keith Alexander explained. “You collapse one bank and our financial structure collapses.… If you wanted to send a message, do you think that was significant enough for the U.S. government to say one of the best banks that we have from a cybersecurity perspective was infiltrated by somebody?”119

  All of this raises the question of what, precisely, is to be done about the problem. Analysts believe countries will tolerate cyber crime as long as it stays at “acceptable levels”—thought to be less than 2 percent of GDP (current estimates suggest cyber crime in the United States is between 0.64 and 1 percent of GDP).120 Government tolerance levels for state-sponsored cyberattacks, geoeconomic or otherwise, are even less well understood. Most analysts interpret the United States as drawing a red line at loss of life or major economic damage. But U.S. officials have remained intentionally vague as to what “major” might mean, so as to avoid specifying a clear standard and thereby giving attacking countries a threshold they could remain just shy of in their attacks.

  To date, U.S. officials have attempted to maintain a distinction between the type of spying that the United States does, which they claim is done for national security purposes, and spying for commercial purposes, which they accuse China of doing. As New York Times reporter David Sanger explained, the United States “does not go in and steal trade secrets the way they accuse the Chinese of doing, so that they can then give those trade secrets to American companies.”121 But in countries like China, where economic and regime security are so closely linked, and where geoeconomic tools are so often the instruments of first resort, the attempted distinction tends to be lost on its target audience. Thus, when the Chinese President pledged during a visit to the U.S. in September 2015 that, “the Chinese government will not in whatever form engage in commercial theft,” many in Washington were skeptical.122 Indeed, just three weeks after President Xi’s pledge, the cybersecurity firm Crowdstrike reported that it had detected continued efforts by Chinese attackers “affiliated with the Chinese government” to “penetrate U.S. corporate networks—just the kind of behavior that Mr. Xi promised to stop.”123

  “It’s a very American way of thinking about this,” says Sanger. “It somewhat puzzles the Chinese and many other countries for whom their state-owned industries are part of their national security structure. They sort of look, and don’t really understand what it is the United States is trying to accomplish by making this distinction.”124

  Economic Assistance

  The practice of deploying aid—whether military aid, bilateral development assistance, or humanitarian assistance—to buy strategic influence is one of the most straightforward examples of geoeconomic tools and has been around as long as diplomacy itself. To be sure, most military and humanitarian aid is geoeconomic only in the broadest sense, because money is fungible (meaning that any military or humanitarian assistance dollars a government receives can enable it to redirect or save funds that it would have otherwise spent). This alone makes military and humanitarian aid worth at least including—although perhaps not prioritizing—in any conceptual framework of geoeconomics. But there are other reasons for including them. First, there are exceptions to this general rule—instances where military or humanitarian assistance comes with geoeconomic underpinnings that go beyond the mere fungibility of official assistance. Second, even when there is nothing especially geoeconomic about cases of military and humanitarian aid beyond their fungibility, they can nevertheless interact with other, more clearly geoeconomic aspects of statecraft in important ways.

  Some of the largest and longest-running examples come from the United States, which spends upward of $5.5 billion in foreign military financing every year. Amounts are often written into diplomatic agreements, as with Israel and Egypt within the terms of the Camp David accords.125

  But beyond the “how much,” there are also important questions in the “how” of military financing and the motivations underlying it. In particular, as both Russia and Saudi Arabia have recently proven, military aid, when done well, can register powerful geopolitical impacts on parties other than the beneficiary.

  Certainly Saudi Arabia’s December 2013 $3 billion aid package to Lebanon furthered Riyadh’s desire to help the Lebanese government counter the Shi’a militant group Hezbollah. “If a wealthy patron were all the Lebanese Army needed to counter the Shiite militant group Hezbollah as the dominant force in the country,” press reports explained at the time, “the recent $3 billion grant from Saudi Arabia might make a decisive difference in the country’s complex political landscape.”126 But, curiously, the package—nearly twice Lebanon’s $1.7 billion annual defense budget—came earmarked to buy French (rather than U.S.) arms and, as such, would be “unlikely to give the army what it needs most,” according to both supporters and opponents of Hezbollah in Lebanon.127 And even if it does, it will likely take years to make an impact.128

  Why would the Saudis accept less than maximum strategic return on their investment? Because weakening Hezbollah was not Riyadh’s only geopolitical aim. Though the Saudis are “clearly alarmed at Hezbollah’s staying power and its intervention in Syria’s civil war,” the December aid package to Lebanon “was intended as much to send a message to the United States as to shift the military balance.”129 The Saudis were declaring what some called a “tactical divorce” from Washington over their frustrations with U.S. policies on Syria and Iran.130

  Armenia was among several countries from the former Soviet Union that, on considering enhanced links with the European Union, found itself subject to intense pressure from Moscow beginning in 2013. Intent on seeing Armenia remain within Russia’s orbit and having exhausted other powers of persuasion, Russia stepped up military aid to Azerbaijan, delivering nearly $1 billion worth of tanks, artillery systems, and infantry fighting vehicles in 2013—thereby exaggerating tensions lingering from the Nagorno-Karabakh War of 1988 to 1991.131 Shortly thereafter, Armenia announced that it would not sign an association agreement with the European Union and would join instead the Eurasian Customs Union, which to that point included only Russia, Belarus, and Kazakhstan.132 From Azerbaijan’s perspective, the episode itself seems a fairly straightforward case of military assistance. Other than the fact that this military assistance potentially allowed Azerbaijan to redirect at least some of its planned military spending to other uses, it evinces little geoeconomic logic. But from Moscow’s perspective, $1 billion in military spending was a cost-effective means of signaling that Armenia could expect disastrous geopolitical consequences for any refusal to join Russia’s customs union. As such, the episode attests not just to how traditional politico-military and geoeconomic tactics can work in tandem but also to how some states are putting military activities firmly in the service of geoeconomic aims.

  Humanitarian aid, while arguably an even less interesting form of geoeconomics than military assistance, can yield outsized geopolitical dividends. Humanitarian aid tends to come with a crisis discount of sorts: for countries on the receiving end, reeling from disaster, vulnerability tends to magnify the geopolitical significance of aid (or the lack of it, in some cases). This seems straightforward enough. But a survey of some of the most geoeconomically resonant cases of humanitarian aid demonstrates that it is not so much that geopolitical sensitivities are magnified because of crisis or disaster; rather, these are cases where geopolitical stakes were heightened well prior to humanitarian assistance. As a result, states are not shy about treating humanitarian aid as a geoeconomic exercise. In the wake of 2013’s Typhoon Haiyan, for example, the outpouring of foreign assistance to the hundreds of thousands of homeless Filipinos quickly proved to be a testing ground for geoeconomic tools.133 The United States and its allies worked intensely to get the Philippines—an important actor in the U.S. pivot to Asia—back on its feet through aid and other support. China, on the other hand, kept its attention on its maritime disputes with Manila around the Scarborough Shoal, choosing to keep its aid at what many described as “paltry” levels.134 The Obama administration’s prompt response was geopolitically advantageous, cementing the Aquino government’s shift toward the United States.

 
