Read Cybersecurity and Cyberwar Online
Authors: Peter W. Singer, Allan Friedman
Unsurprisingly, Chinese writers and officials have reacted angrily to direct and veiled accusations, describing them as “groundless.” But the reality is that of some thirty successful prosecutions of economic espionage tied to a foreign actor, eighteen have direct ties to China. Indeed, a study by Verizon's Data Breach Investigations team found that “96 percent of recorded, state-affiliated attacks targeting businesses' trade secrets and other intellectual property in 2012 could be traced back to Chinese hackers.”
The outcome is a cyber irony. Cyber espionage is turning into a major political problem more due to the accusations of intellectual property (IP) theft than political secret theft. While there is an expectation that all governments have and will continue to try to steal each other's state secrets, the IP theft issue is creating global tensions in two major ways. First, it reinforces a sense that not everyone in the world marketplace is playing by the same set of rules. While many hold to the theory of free markets, this new practice privileges not those who innovate new business ideas but those who steal them. This, then, further exacerbates tensions that normally arise when democracies and authoritarian systems interact. Cyber theft has been described in the New York Times as “the No. 1 problem” that the United States has with China's rise. In turn, those in China describe these accusations as evidence that the United States is still “locked in a Cold War mentality.”
Second, this theft threatens nations' long-term economic security. Cyber espionage creates both strategic winners and losers. Dmitri Alperovitch, for example, is careful not to call what goes on mere theft, but a “historically unprecedented transfer of wealth.” As business plans, trade secrets, product designs, and so on move from one country to another, one side is strengthened and the other weakened. The target loses future potential economic growth derived from that secret in addition to forfeited development investment. Many worry that this “transfer” can ultimately have a hollowing-out effect on an entire economy. Each loss from cyber espionage is too small to be fatal on its own, but their accumulation might prove crippling. As one US official put it, “We should not forget that it was China where ‘death by a thousand cuts’ originated.”
As for Dmitri Alperovitch, he grew tired of simply watching secrets get stolen without consequences. A year later, he helped found a cybersecurity company called CrowdStrike, which aims not only to identify hackers stealing information but strike back using the same cyber skill sets. He explains, “If I tackle you on the street, that's assault and battery. But if a few minutes prior you had taken my wallet, it's completely legal, I'm defending my property rights.” This has a certain direct logic, but as we'll see, this kind of cyber retaliation is not nearly as simple in execution.
Thirty-one thousand three hundred. That's roughly the number of magazine and journal articles written so far that discuss the phenomenon of cyberterrorism.
Zero. That's the number of people who had been physically hurt or killed by cyberterrorism at the time this book went to press.
The FBI defines cyberterrorism as a “premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents.” But in many ways, cyberterrorism is like Discovery Channel's “Shark Week” (wherein we obsess about sharks despite the fact that you are roughly 15,000 times more likely to be hurt or killed in an accident involving a toilet). As with so many of the other issues in cybersecurity, what's real and what's feared often get conflated.
This is not to say that terrorist groups are uninterested in using the cyber technology to carry out acts of violence. For example, in 2001, al-Qaeda computers seized in Afghanistan showed models of a dam and engineering software that simulated catastrophic failure of controls. Similarly, in 2006, terrorist websites promoted cyberattacks against the US financial industry in retaliation for abuses at Guantánamo Bay. But fortunately, what terrorists have actually accomplished online so far doesn't come close to their unfulfilled dreams, our broader fears, or, more importantly, the scale of destruction they've wrought through more traditional means. Despite plenty of speculation and foiled potential plots, there have been no actual successes.
As one congressional staffer put it, the way we use a “term like cyberterrorism has as much clarity as cybersecurity, that is none at all.” Indeed, the only publicly documented case of an actual al-Qaeda attempt at a cyberattack doesn't even meet the FBI definition. A detainee at Guantánamo Bay, Mohmedou Ould Slahi, confessed to trying to knock the Israeli prime minister's public-facing website offline. Beyond this there have been various unsubstantiated claims, such as that of September 2012, when the “Izz ad-Din al-Qassam Cyber Fighters” claimed responsibility for a series of denial-of-service attacks on five US banking firms. While many believe they stole credit for cybercriminals' work, the effects of the attacks were negligible, shutting down customer access to the sites for a few hours. Most customers didn't even know there had been an attack. Take out the word “cyber” and we wouldn't even call such a nuisance “terrorism.”
Let us be crystal clear: the worries over vulnerabilities in critical infrastructure to cyberattack have real validity. From 2011 to 2013, probes and intrusions into the computer networks of critical infrastructure in the United States went up by 1700 percent. And the worries of cyberterrorists harming this infrastructure are certainly a real concern. For instance, in 2011 a water provider in California hired a team of computer hackers to probe the vulnerabilities of its computer networks, and the simulated attackers got into the system in less than a week. Policymakers must be aware that real versions of such terror attacks could expand beyond single targets and have a wider ripple effect, knocking out the national power grid or shutting down a city or even region's water supply.
But just as our fears inspired all sorts of potential new terror attack scenarios in the immediate aftermath of 9/11, the key is distinguishing between our nightmarish visions of what might happen from the actual uses of the Internet by terrorist groups. As one cyber expert put it to us, “There are threats out there, but there are no threats that threaten our fundamental way of life.”
This is because cyberattacks of a massive scale are fairly difficult to pull off, especially compared to more traditional terrorist activities. In 2011, then US Deputy Defense Secretary William Lynn, the Pentagon's second highest civilian leader, spoke to the RSA conference in San Francisco, a gathering of the top experts in cybersecurity, about the dangers of cyberterrorism. “It is possible for a terrorist group to develop cyberattack tools on their own or to buy them on the black market,” Lynn warned. “A couple dozen talented programmers wearing flip-flops and drinking Red Bull can do a lot of damage.”
But here again, he was conflating a fear and a reality, not just about what such Red Bull–drinking programmers are actually hired to do but also what is needed to accomplish a truly violent cyberattack of major scale. It goes well beyond finding top cyber experts. Taking down hydroelectric generators or designing malware like Stuxnet that causes nuclear centrifuges to spin out of sequence doesn't just require the skills and means to get into a computer system. It requires knowing what to do once you're there.
To cause true damage entails an understanding of the devices themselves: how they run, their engineering, and their underlying physics. Stuxnet, for example, involved cyber experts as well as experts in nuclear physics and engineers familiar with a specific kind of Siemens-brand industrial equipment. On top of the required expertise, expensive software tests had to be conducted on working versions of the target hardware. As a professor at the US Naval Academy explains, “the threat of cyber terrorism, in particular, has been vastly overblown,” because conducting a truly mass-scale act of terrorism using cyber means “simply outstrips the intellectual, organizational, and personnel capacities of even the most well-funded and well-organized terrorist organization, as well as those of even the most sophisticated international criminal enterprises. To be blunt: neither the 14-year old hacker in your next-door neighbor's upstairs bedroom, nor the two or three person al Qaeda cell holed up in some apartment in Hamburg are going to bring down the Glen Canyon and Hoover Dams.” By comparison, the entire 9/11 plot cost less than $250,000 in travel and organizational costs and used simple box-cutters.
There is another cautionary note that puts the impact of such potential attacks into perspective. The 2007 cyberattacks on Estonia were allegedly assisted by the Russian government and hence were well beyond the capacity of most terror organizations. And yet, while they were able to interfere with public-facing government websites for several days, they had little impact on the daily life of the average Estonian and certainly no long-term effect. Compare that with the impact of a plane crashing into the center of the US financial system. Indeed, even when you move into the “what if” side of the largest-scale potential terror attacks, a successful cyberterror event still pales compared to other types of attacks. The disruption of the electric power grid for a few days or even months would most definitely be catastrophic. But the explosion of just one nuclear bomb, even a jury-rigged radiological “dirty bomb,” would irradiate a city for centuries and set off an earthquake in global politics. Similarly, while a computer virus could wreak havoc in the economy, a biological weapon could change our very patterns of life forever.
As Mike McConnell, former Director of National Intelligence, put it when talking about cyberterrorism, we need to weigh the balance of what is real and what is potential. “Terrorist groups today are ranked near the bottom of cyberwar capability.” But just because no one has pulled off an attack thus far doesn't mean one shouldn't be mindful of the threats. “Sooner or later [they] will achieve cyber-sophistication.”
That cyberterrorism may not be as likely or scary as the media and some government leaders portray doesn't mean that terrorists are Luddites who never use technology. Far from it. The Internet offers the means to connect with vast groups of people, overcoming traditional geographic constraints. It links people of similar interests and beliefs who otherwise wouldn't normally meet while allowing voices to be magnified and reach more people. So, just as the Internet has been used by everyone from companies looking to recruit new workers to Christian singles looking to mingle, so too has it been a boon to terrorist groups.
Indeed, if you want to understand terrorists' use of cyber technology, just look at how others use it to engage in less nefarious acts. For terrorists, and the rest of us, cyberspace is a medium mostly for communication and information sharing. Al-Qaeda, for example, rarely used the Internet during its formative years in the early 1990s. Osama bin Laden's messaging was spread through the distribution of audio- and then videotapes, usually passed surreptitiously between vetted followers. Indeed, the very name “al-Qaeda,” or “the base,” is thought to have originated after the name of the first terrorist training camps in the mountains of Afghanistan (anyone who had gone through the camps was already known, trained, and trusted). But in the 2000s, two key changes occurred. After 9/11, the US military's operations in Afghanistan eliminated a physical safe haven for training and organization, while simultaneously cyber technology became more commonplace and usable.
The result was a group, guided by medieval ideals, embracing twenty-first-century technology. Al-Qaeda didn't use cyberspace to conduct cyberterrorism as it is usually defined, but to conduct information operations, harnessing the power of the Internet to reach the wider world in a way never before possible for such a small group. Bin Laden's speeches and musings could be delivered alone in a hideout yet uploaded onto the Internet and seen by millions.
Notably, these messages were often distributed not just to the media but also within Internet chat rooms, where individuals who reacted positively could then be targeted for recruitment. Here, too, technological change was crucial. At the time of the 9/11 attacks, downloading such a propaganda video would have taken so long that few would have even been able to watch it, let alone find out about it. Now, video clips can be uploaded and downloaded in seconds.
As the cyber world has evolved, so too has terrorist groups' use of it, especially in information operations. Just as in other parts of cyberspace, the more attention-grabbing the content, the more likely it is to be watched, thus rewarding aberrant and abhorrent attitudes and behavior with more web clicks (this is what terrorists and the Kardashians have in common). It has allowed fringe groups to reach the mainstream, often to the disadvantage of more moderate and representative voices. For example, searches for generic terms like “Islam” on YouTube will yield speeches by radical imams with fringe followings, like the one that inspired the 2013 Boston Marathon bombers, who often get higher page counts than those by reputable Muslim scholars. Accordingly, groups have begun to tailor their activities to recruit adherents who can operate inside the West, especially as borders become harder to cross for would-be terrorists. The al-Anser Forum, for instance, is a jihadi site published mainly in English.