Cyber warfare: Sound the alarm or move ahead in stride?
Military leaders and analysts say evolving cyber threats will require the Defense Department to work more closely with experts in industry
The landscape is volatile, the rules of the game are fluid, and the adversaries remain cloaked in anonymity. In this ambiguous war, the actual threat is unpredictable, sometimes indecipherable, and it’s difficult to tell whether either side is gaining ground.
The location of this battlefield is not a desert road in Iraq or a terrorist redoubt in Afghanistan. It’s what has emerged as the forefront of modern warfare: the cyber theater, where traditional rules of engagement don’t always apply.
In cyberspace, enemy combatants can pry, spy, implant, extract and dismantle more quickly and more secretly than in the physical terrain of traditional warfare. In some cases, the threat is mundane, involving nothing more complex than defaced Web sites or denial-of-service attacks, such as those inflicted on the nation of Georgia in August 2008 by someone, perhaps the government, across the Russian border. But the potential for more damaging attacks is significant.
“The fact that physically destructive cyberattacks were not carried out against Georgian critical infrastructure industries suggests that someone on the Russian side was exercising considerable restraint,” states a report recently published by the U.S. Cyber Consequences Unit (CCU). The independent organization assesses the likelihood and possible consequences of cyberattacks and cyber-assisted physical attacks.
One important result of the emerging cyber threat is a new way of thinking about national security and defense.
“Every day I wake up and say, ‘Welcome to the 21st century. We fight in terms of nanoseconds,’” said Army Brig. Gen. LaWarren Patterson, deputy commanding general at the Network Enterprise Technology Command.
To meet the threat, the Defense Department recently created a high-level cyber command charged with spearheading the development of cyber warfare strategies, both defensive and offensive. However, DOD is not alone in this battle, and so creating the command is only the first step. Experts say the military cannot fight this battle without non-military allies. Many stakeholders exist outside the Pentagon.
Indeed, the Pentagon must ultimately change its culture, say independent analysts and military personnel alike. It must create a collaborative environment in which military, civilian government and, yes, even the commercial players can work together to determine and shape a battle plan against cyber threats.
Assessing the threats
Although most experts agree that DOD faces evolving threats, not everyone agrees on how serious those threats are. Are would-be cyberattackers a scattered group of individuals looking for easy hits, or are they a well-organized, well-funded cadre that is biding time before striking hard?
Sami Saydjari, president and founder of the nonprofit Cyber Defense Agency, believes the latter is true.
Before a congressional committee two years ago, Saydjari painted a grim picture of the country after a cyber disaster: Think digital Hurricane Katrina on a national scale. He urged the government to provide for the defense of a U.S. cyber territory that is as legitimate as physical land.
He recently said the country’s vulnerability to cyberattacks is worse and cites the continued integration of and dependence on information systems.
Military officials think in terms of network centricity, in which the goal is to ensure that warfighters always have access to the data they need. But that approach makes those systems a big target, Saydjari said.
“Net-centricity is great, but it creates huge levels of risk that [are] not well calculated or well thought-out by the government,” he said.
The concerns are real, but the concept of a digital Hurricane Katrina and similar doomsday theories might be embellished, said Jim Lewis, director and senior fellow at the Technology and Public Policy Program at the Center for Strategic and International Studies. “It’s really hard to derail a large country that has a lot of infrastructure,” he said. “People tend to exaggerate. I love the Bruce Willis movies, but that’s just not the truth.”
Lewis said less dramatic but equally dangerous espionage and crime represent the true perils.
“How would you feel about China getting our designs for the F-35" stealth fighter jet? he asked. “What about those who rob U.S. banks over the Internet from Russia, with no chance of prosecution? [Hackers] that are breaking into our systems to steal military secrets or prepare for potential sabotage…these are the real threats.”
Those threats are emerging as a priority after high-profile cyberattacks on government sites in Lithuania, Kazakhstan, Georgia and Estonia in recent years. The attacks were widely believed to have originated in Russia.
The attacks included graffiti on Web sites and total shutdowns of banks and media outlets. Although they were not catastrophic, they undermined national morale and raised an unnerving red flag to the rest of the world.
The CCU’s report on the Georgia campaign details the preparation, planning, execution, targets, effects and key lessons learned.
Also, according to those researchers, Russia and other would-be cyberattackers are capable of worse damage than they have unleashed so far.
Scott Borg, who co-wrote the CCU report, said specific targets and methods were limited and carried out in a disciplined manner. Denial-of-service attacks, which overload servers and thereby incapacitate Web sites, were the primary weapons.
“It could have been disastrous,” Borg said. “The capabilities of carrying out a devastating attack are there ... but this was a more humane system of attack. We don’t know who it was — civilian organizers, possibly the Russian government. We do know there was a lot of exchange of information between the Russian military and the attackers on message boards.”
In Georgia, the targets of the attacks were primarily the Web sites of media outlets and government entities. “The government now has to start worrying about a wider range of attackers, all kinds of entities that are informal, dispersed and communicating indirectly,” Borg said. “As expertise is diffused and more people get these capabilities, the threat grows bigger over time.”
The need to collaborate
The the impending launch of the Cyber Command marks a turning point for the arming of official information networks. But the success of the command depends largely on cultural factors that do not show up in any organizational chart.
Gen. Carter Ham, commanding general of U.S. Army Europe and Seventh Army, called the command’s establishment a historic moment. But he also advised DOD officials to ensure that their plans for the command heed the lessons of history and a more traditional era of warfare.
The key is information sharing. During the Cold War, the Soviet Union kept tight control of information and blocked people from easily communicating, while the United States let information flow more freely. The Berlin Wall fell because those firewalls collapsed under their own weight, he said.
“We are at a crossroads,” Ham said. “Do we want to build and sustain firewalls between our organizations? Or can we look for an approach that constructs an infrastructure that mirrors the environment in which we find ourselves, which is much more collaborative.”
Borg also sees danger in bringing a Cold War mindset to the cyber theater. The concept of deterrence based on mutually assured destruction does not work in cyberspace because we do not know who we are dealing with or how to reach them, he said.
“We have a lot to rethink,” Borg said. “We’re moving into a world where deterrence and retaliation are only used on occasion. We need alliances.”
Others agree that a collaborative approach will be integral to the success of cyber defense, and DOD seems to be taking the idea seriously as it prepares to launch the Cyber Command.
“It’s a matter of how do we take several global commands under a single" contiguous U.S. command? asked Maj. Timothy O’Bryant, a staff officer at the Office of the Army Chief Information Officer. “We need to synchronize our efforts and figure out the lanes [of communication] and eliminate redundancies.”
“Joint and coalition warfare is not a natural state, especially in command and control,” said Gen. James Mattis, NATO supreme allied commander for transformation and commander of U.S. Joint Forces. “But going without joint efforts is obsolete. No nation on its own can keep its people safe. We need to learn to work together.”
In the era of cyber warfare, any coalition must include industry.
Experts say DOD and the government as a whole still have not fully capitalized on their ability to influence the development of commercial cybersecurity solutions. Industry vendors have the expertise, but government has the money.
“Government may be a late adopter, but we should be exploiting its procurement power,” said Melissa Hathaway, former acting senior director for cyberspace for the Obama administration, at the ArcSight conference in Washington last month.
“A public/private partnership is necessary to protect the national infrastructure,” she said. “It’s the cornerstone of cybersecurity, and cybersecurity is the cornerstone of the global economy.”
Such a partnership reflects the blurred boundaries between the defense and civilian domains in cyberspace. Cybersecurity threats are common to everyone.
“We need a new relationship between the military and the critical infrastructure industries if we want to protect our critical infrastructure,” Borg said. “We all operate in cyberspace now. It’s not a separate region or command.”
Although one analyst praised the efforts to make organizational changes at DOD, he also stressed the need to give industry more freedom. “The real issue is a lack of preparedness and defensive posture at DOD,” said Richard Stiennon, chief research analyst at independent research firm IT-Harvest and author of the forthcoming book "Surviving Cyber War."
“Private industry figured this all out 10 years ago,” he added. “We could have a rock-solid defense in place if we could quickly acquisition through industry. Industry doesn’t need government help — government should be partnering with industry.”
Industry insiders say they are ready to meet the challenge and have the resources to attract the top-notch talent that agencies often cannot afford to hire.
Industry vendors also have the advantage of not working under the political and legal constraints faced by military and civilian agencies. They can develop technology as needed rather than in response to congressional or regulatory requirements or limitations.
“This is a complicated threat with a lot of money at stake,” said Steve Hawkins, vice president of information security solutions at Raytheon. “Policies always take longer than technology. We have these large volumes of data, and contractors and private industry can act within milliseconds.”
Many experts fear it will take an attack or some form of disaster to spur the government into faster action. Some say more money is needed, while others say a cultural shift is necessary even beyond the military. Too often, cybersecurity solutions have been developed in pieces, with each technology reacting to a specific need, they say. But such an approach means that industry is always one step behind.
“What will it take to drive innovation and spur a game-changing technology?” Hathaway asked. “Our speed, scale and solutions must outpace our opponents, and we need to move from point solutions to enterprise solutions.”
Saydjari said it will take a significant change in how the United States invests in research efforts because the government must align its investment in cybersecurity with its reliance on technology.
“The U.S. needs an attitude change,” he said. “We don’t hesitate in the physical world to invest lots of money to protect ourselves, but in cyberspace, that burden is placed on industry and the commercial sector. Cyberspace is more valuable than we reflect in investment. Our leadership and the public don’t understand the degree to which we rely on computers and the Internet.”
Meanwhile, some observers worry that people will not realize the seriousness of the threat until it’s too late.
“It’s not a real theater until something bad happens and people wake up,” said Col. Quill Ferguson, chief information management officer at U.S. Army North. Until then, “the back door is open.”