According to leaked documents, the U.S. launched 231 offensive cyberoperations in 2011. Subsequent leaks indicated that the country spends $4.3 billion a year on such campaigns.
What exactly does that translate to in practical terms? It’s difficult to tell, but according to author Bruce Schneier, one thing’s certain: “We are in the early years of a cyberwar arms race.”
The first step in understanding both defensive and offensive cyber actions, Schneier believes, is remaking the language we use to discuss it in the first place.
“I maintain there a lot of powers who like it confusing,” Schneier, a renowned security technologist, author, and fellow at Berkman Center for Internet and Society at Harvard Law School who also serves as the chief technology officer of BT Managed Security Systems, told the Daily Dot.
“Let’s damp down cyberwar sabre rattling. All metaphorical mentions are banned. War is a hard word in our culture.” It sparks emotional reactions that obscure the reality we are trying to get a handle on. In a “war on poverty” for example, Schneier said, “we know we are not bringing in the Marines to shoot poverty.” And yet it risks giving the impression that poverty is an enemy subject to elimination if we simply bring our will and resources to bear on it in a coherent, limited campaign.
So what would it look like if the U.S. government and military put its resources into taking down, for example, the Syrian Electronic Army (SEA)—the hackers loosely affiliated with Syrian President Bashar Al-Assad and responsible for attacks on major news outlets from the Associated Press to NPR—and who would make that decision?
“Hopefully none, my God,” Schneier responded. “You cannot drop a drone because somebody hacks your computer. After all, most of this is kids playing politics. Your options are, you defend.”
“I’m not convinced the (SEA cyberattack) scenario is effective” in the first place, added Dr. Herb Lin, chief scientist at the Computer Science and Telecommunications Board and National Research Council of the National Academies.
“If you don’t have them in custody or dead, they’re still capable of doing what they do. There’s nothing to stop them going off to Jordan, or Kansas City for that matter. You could make it more difficult for them, force them to move around, but in the end it’s a whack-a-mole game.”
Lin believes the SEA cannot be thought of by military and intelligence officials as a real threat to U.S. interests.
“Script kiddies can hack and deface websites,” he said. “It takes skills to do that and it’s hard to defend against it. But something like that isn’t very serious. It’s not like stealing nuclear launch codes.”
But what if, just what if, the government decision-makers for whatever reason have decided to target the SEA? We know their focus, their history, how they work (and some believe, their names). What would come next?
“If we declared war on Syria,” Lin offered, “the Department of Defense would prosecute the war, subject to the Commander in Chief. If it wants to bomb, it bombs; it may send in missiles or special forces. In that situation, the Department of Defense may decide to hit (the hackers) as well,” presumably using the soldier-hackers at the U.S. Cyber Command.
Cyber Command was created in 2009. As the New Yorker’s Seymour Hersh wrote, the new command “took operational control of disparate cyber-security and attack units that had been scattered among the four military services.” It was headed by Gen. Keith Alexander, best known as the current head of the National Security Agency, and like any other command, it’s used by commanders to prosecute war or maintain defense readiness.
So when war is declared, the Cyber Command is activated. Ideally, it is employed as part of a war effort in a unified strategy with other commands and branches. But if the cyber operation took place “before the first bombs had flown,” Lin said, that’s when things get “murky.”
The president makes that decision,” he said. “That’s my guess.”
Lin bases that guess on his reading of Presidential Policy Directive 20.
Issued in late 2012, the directive, according to the Washington Post, “explicitly makes a distinction between network defense and cyberoperations to guide officials charged with making often-rapid decisions when confronted with threats.”
This includes, in essence, a best-defense-is-a-good-offense clause.
“An example of a defensive cyber-operation that once would have been considered an offensive act, for instance,” wrote the Post’s Ellen Nakamura, “might include stopping a computer attack by severing the link between an overseas server and a targeted domestic computer.”
The White House could elect to target a server used by the SEA, for instance, in the hope of ending an attack by that group. In this case, the work would more likely be done by hackers at one of the intelligence agencies, like NSA’s resident propellerheads working out of “FANX,” or the “Friendship annex,” a small, secret building near Thurgood Marshall International Airport, outside Baltimore, Md.
However, Hersh, Schneier said, has convincingly argued that cyberoperations are rarely made, or led, by someone with the operational authority of a “bird colonel” (a full colonel) or general, much less the president. Too many are made under the authority of majors and others with rank insignificant to handle the problems and implications of nation-to-nation cyberattacks.
In a Syrian situation in which offensive cyberoperations were going to be instigated, the U.S. would more likely ask one question in particular, Lin believes: Who are the allies of the Syrians?
Iran and Russia. Russia has top-notch hackers working for the government, as well as a real deep bench of criminal hackers for hire that are surely not above government contracting. Although Iran is not on the “top tier of cyber powers,” their hackers are certainly better than Syria’s.
“I’m certainly more worried about the combination of the Syrian Electronic Army, Iran and Russia” than the SEA alone, Lin said.
All of this has a very low signal-to-noise ratio. Hacking and defacing sites are low priority, even if the sites themselves are high-profile.
What Lin said is a great worry, however, is a targeted hack of subsystems within a larger operating systems on, say, an aircraft carrier, something that has never happened before. But it’s conceivable, and if successfully carried out, it could cost a significant number of lives.
Such an attack, relying as it would on intelligence, manpower, computing power and so on, is unlikely to come from anywhere but a nation state, and any country committing such an act would be risking much.
“A kinetic attack on a USN ship is certainly an act of war,” Lin said. “A cyberattack may be an act of war under U.S. policy if it kills people or causes serious damage, but the international law on this point is not clear.” It also lacks any precedent. The closest to it is the claim by Iran that it hacked a drone. (Even if Iran did what it claimed, it merely forced the drone into autopilot mode, which sent it back to its base in Afghanistan.)
If such a hacking attack as the theoretical one on the aircraft carrier act “does not kill people or damage anything, then it could arguable constitute a showing of hostile intent,” Lin said, “much in the same way that locking fire control radar on a fighter jet is such a showing—and thus entitling the targeted entity to take defensive measures.”
And that goes back to Schneier’s assertion that your priority has to be defense. If you have the ability to successfully defend against such an attack, then your superior conventional military capabilities would carry the day.
Most cyberoperations between nation states are espionage efforts, but among the U.S.’s aforementioned 231 offensive cyberoperations, some must take advantage of the fact that U.S. Cyber Command and intelligence agencies like the NSA create and even purchase exploits designed to deliver payloads of malware to targeted systems. Take Stuxnet, for example, a virus most believe was designed by the U.S. and Israel and introduced in June of 2010 into the Iranian nuclear system via seeded USB drives.
Cyberoperations are clearly part of the arsenal of the American military and intelligence agencies, but cyberwar itself seems to be taking place primarily in the imaginations of politicians and pundits. The drama of such a conception has captured the imagination of many, but as Schneier insists, it obfuscates the very important realities surrounding nation-state power struggles and the collateral damage it does to civil liberties and government transparency.
Will “cyberwar” be declared against a group like the Syrian Electronic Army? By its very definition, no. In fact, a combination of the difficulties in shutting up what amounts to a very talented group of electronic graffiti artists and the costs of cyberoperations says such an event is if not unthinkable at least profoundly unlikely.
So far, the overwhelming majority of cyberoperations carried out by any government, the U.S. included, has been in the area of covert information gathering on the one hand and counterespionage on the other.
When the one instance of offensive cyberattack, Stuxnet, has had such limited success, resulted in such bad press, and proven so difficult to control, some very prominent experts believe virtual commando raids are likely to remain the province of movies, video games, and talking heads for the foreseeable future.
The U.S. Cyber Command, the Pentagon, and the Naval War College declined to comment on this story.
Illustration by Jason Reed