Cybersecurity and Cyberwar (23 page)

Authors: Peter W. Singer, Allan Friedman

As in traditional war, though, what sounds easy in description can prove hard in execution. This is not just due to the complexity of target systems and the operations needed to exploit them, but because every war, even in cyberspace, has at least two sides. Every potential operation meant to attack and defeat a foe would be met by the opponent's efforts to keep the enemy out or threats of an equivalent attack to make the aggressor think twice about conducting it.

These difficulties drive adversaries to instead go after “soft targets,” as has long been the case in traditional modes of war. In theory, war is only a contest among warriors. In reality, well over 90 percent of the casualties in the last decades of war have been civilians. Unfortunately, one can expect the same dynamic in cyberwar.

The more conventional type of civilian targeting in computer network operations would attack civilian networks and operators viewed as directly or indirectly supporting the military enterprise. These range from civilian contractors, who provide much of the supply and logistics support to modern militaries (about half of the American force in places like Afghanistan and Iraq were actually private contractors), to the infrastructure that the military relies on for its operation, such as ports and railroads. Of note, the computer networks that these civilian forces rely upon often don't have the same levels of security as military networks because they lack similar resources, standards, and incentives. The result is they make particularly choice targets. In one 2012 Pentagon-sponsored war game we participated in, a simulated enemy force hacked the contractor company supplying the logistics of a US force, with the simple purpose of transposing the barcodes on shipping containers. It seems a minor change with little impact. But had it been a real attack, US troops in the field would have opened up a shipping pallet expecting to find ammunition and instead only found toilet paper.

The history of warfare shows that it's not just those who directly support the military who might cross the cyber firing line. When new technologies like the airplane expanded forces' reach beyond the front lines, militaries gradually expanded who they defined as a legitimate target. First, it was only those working directly for the military. Then it was those engaged in the war effort, such as workers at a tank factory. Then it was the workers' houses. And by the end of World War II, all the sides had engaged in strategic bombing against the broader populace, arguing that the best way to end the war was to drive home its costs to all civilians. Given civilians' greater vulnerability to cyberattacks, we should expect nothing less as part of any cyberwar. Thanks to the modern military's dependence on civilian networks, they might even make up a new center of gravity to target.

As scary as this all sounds, it's important to note two key differences between war in the cyber realm and other past modes of conflict. First, unlike previous transitions in warfare, cyber is unlikely to immediately multiply the level of destructive power in ways that previous technological innovations did. Because of its reliance on indirect effects, cyber's effects will have less long-term destructive impact. That is, attacks that change GPS codes or shut down the energy grid would be quite devastating. But they would be nowhere near the destruction visited by explosive-filled bombs and incendiaries upon Dresden or the permanent irradiation of Hiroshima.

Second, the weapons and operations in cyberwar will be far less predictable than traditional means, leading to greater suspicion of them among military commanders. For instance, the blast radius of a bomb can be projected to exacting standards; not so the radius of most malware. Most cyberattacks rely on the second- and even third-order effects that might result, and while these widen the impact, they can also have unexpected outcomes. During the Iraq war, for instance, US military officers were very excited by the prospects of taking down an enemy computer network facilitating suicide bombings. But the operation accidentally took down over 300 other servers in the wider Middle East, Europe, and the United States, opening a whole new can of worms. Similarly, Stuxnet was specifically tailored to target just a few Iranian centrifuges and yet ended up spreading to well over 25,000 other computers around the world.

In the end, we are still at the early stages of conceptualizing what cyberwar will look like. Predicting the future of computer network operations now is akin to those who laid out their visions of air war in the early days of “flying machines” at the turn of the last century. Some of their predictions proved right, like the idea that planes would bomb cities, while others proved woefully wrong, like the prediction that airplanes would render all other forms of war obsolete.

The same is likely to happen with cyberwar. It will prove to be fantastically game-changing, introducing real-world capabilities and operations that once seemed science fiction. But even in a world with digital weaponry, war will still be a chaotic domain. This means that war, even cyber-style, will still remain a waste of resources and efforts better spent elsewhere.

Focus: What Is the US Military Approach to Cyberwar?

Do you know what “9ec4c12949a4f31474f299058ce2b22a” means? If so, the US military may have a job for you.

The answer is actually a wonderful summary of where the US military stands in its approach to cybersecurity. This code appears in the logo of the US military's Cyber Command, a revolutionary new military organization formed in 2010. In cryptography, a hash is a one-way function that creates a unique “fingerprint” of a file. The MD5 (Message-Digest algorithm 5) hash was a widely used way to add security by detecting tampering in files. The code above is the MD5 hash of Cyber Command's mission statement, which reads: “USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks; and prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.” There is an irony, however. The same year Cyber Command put the code on its logo, the US Department of Homeland Security announced that it was moving the US government away from the MD5 hash for its computer systems. The once sophisticated code was now too easy to break.

Cyber Command brings together all components of the US military that work on cyber issues, from the Army's Ninth Signal Command to the Navy's Tenth Fleet (the Fleet Cyber Command). All told, the organization boasts a cyber warrior force of just under 60,000 personnel, with headquarters located at Fort Meade, Maryland. Its location was deliberate, placing CYBERCOM, as it is known, next door to the National Security Agency, the spy agency that focuses on signals and information intelligence and protection. This allows the two agencies to share resources at the field level, such as the hundreds of PhDs in mathematics, computer science, engineering, and other fields who work there, all the way up to the top. Currently, the director of the NSA and the commander of CYBERCOM is the same person. General Keith Alexander was named the head of both organizations simultaneously, or “double-hatted” in military parlance.

While some see this pairing as natural, given the two entities' close responsibilities, many worry about blurring the lines between a military command and a civilian spy agency. There is a question as to which mentality will prevail: the spy's inclination to watch and learn or the warrior's inclination to act? There is also a worry about one person trying to take on too many different roles at once.

In contrast, others worry that CYBERCOM is not distinct enough, not merely from the NSA but from the military services that source it. Much as the Air Corps was once part of the Army before evolving into its own service (the Air Force) in 1947, some feel that Cyber Command, too, needs to become its own military branch. Two US Army officers have observed that the current military services are “properly positioned to fight kinetic wars, and they value skills such as marksmanship, physical strength, the ability to leap out of airplanes and lead combat units under enemy fire. Unfortunately, these skills are irrelevant in cyber warfare. Technical expertise isn't highly valued in the three services. Just look at military uniforms: no decorations or badges honoring technical expertise.”

Regardless, CYBERCOM is growing rapidly in both size and perceived importance inside the US military. Indeed, the Pentagon's 2013 budget plan mentioned “cyber” 53 times. Just a year later, the 2014 budget plan discussed “cyber” 147 times, with spending on CYBERCOM's headquarters alone set to effectively double (all the more notable as the rest of the US military budget was being cut).

The strategy that guides CYBERCOM draws from the overall idea that cyberspace is a new domain of both possibilities and risks, and the US military had better do its utmost to protect its ability to use this domain (its traditional “freedom of maneuver”) as well as preserve the initiative, and prevent others from using it to their full potential (establishing “dominance”). As Lieutenant General Jon Davis, the deputy commander of CYBERCOM, describes, the US military is treating cyber issues with a whole new level of seriousness. “This is now commander's business; this is no longer admin tech business.”

The current plan runs over twelve pages in its unclassified version and thirty pages in the classified form. In sum, CYBERCOM focuses on five objectives: treat cyberspace as an “operational domain” as the rest of the military does the ground, air, or sea; implement new security concepts to succeed there; partner with other agencies and private sector; build relationships with international partners; and develop new talent to spur new innovation in how the military might fight and win in this space. As part of this mission, CYBERCOM is to create and lead three types of cyber forces: “cyber protection forces” that will defend the military's own computer networks, regionally aligned “combat mission forces” that will support the mission of troops in the field, and “national mission forces” that will aid in the protection of important infrastructure.

While turning these ideas into an actual working military doctrine, three key concerns have bedeviled CYBERCOM planners. The first is the long-standing question over mission areas and responsibilities. The wider cybersecurity roles that CYBERCOM has taken on have pushed it closer and closer to the civilian sphere, creating a twofold problem. Not only is CYBERCOM continually operating on civilian and government computer networks that it must now seemingly defend, but these responsibilities are frequently competing with others who have a duty to monitor the same networks, including the private sector and other government agencies like the civilian Department of Homeland Security. To make a parallel to the expanded role of “national mission forces,” when banks are moving physical money, it isn't the Pentagon that defends the cash, but rather a combination of hired security and the police. But when the cash is virtualized, CYBERCOM has now joined into the discussion.

The second big concern is how far can and should the US military go to maintain the freedom of maneuver it so desires in cyberspace. When the command was first formed, defense leaders like then Deputy Secretary of Defense William Lynn publicly talked about how CYBERCOM would simply busy itself with the “day-to-day defense and protection of all DOD networks.” Within four years, the new roles and strategy pushed well beyond that. As one CYBERCOM official put it, “We need the capabilities to do things offensively in cyber … everybody acknowledges that, but how we specifically employ that in an operational context is classified.” Or, as a former National Security Agency watch officer put it, the goal is to ensure that US capabilities remain more advanced than those of potential adversaries. “Whatever the Chinese can do to us, we can do better.”

Another strategic question is whether the United States can manage the way threats shift between the cyber domain and the real world and still maintain deterrence in both. It sees the concept of “equivalence” as key to addressing this question. As one report described, “If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a ‘use of force’ consideration, which could merit retaliation.”

The idea is to send a message to adversaries that the US military plans to fight and win in cyberspace, but it reserves the right to play a different game if it doesn't like the outcome. Or, as one US military official put it more bluntly, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

The central problems this strategy faces are whether cyberspace dominance is achievable and whether deterrence in cyberspace is workable in execution. Such posture requires knowing who your adversaries are, which is exceedingly difficult in cyberspace. As a study on American cyberattack policy and ethics concluded, “Absolute, unambiguous technical proof could be lacking, which forces more reliance on non-technical info than policy makers like.”

Additionally, deterrence is not as effective against nonstate groups, which, of course, are major players in cyberspace. Not all are rational actors, and even those that are rational weigh costs and benefits very differently than governments with broad territories and populaces to defend. Nonstate groups frequently don't have fixed locales to target, and many of them would even welcome counterattacks. A response from the United States would provide the recognition that so many nonstate groups crave while possibly even generating public sympathy. There is also a deep concern that the strategy of equivalence could be escalatory, cascading an attack in cyberspace into a much bigger conflict.
