From Interstate - Journal of International Affairs VOL. 2013/2014 NO. 1
Defending the Cyber Realm
There is a widespread belief that as societies and governments become increasingly reliant upon information technology, they in turn are becoming more vulnerable to a whole range of cyber-threats.1 Whether these dangers are capable of generating enough damage to warrant a redistribution of government resources is the question at the heart of this essay. This paper provides an evaluation of the cyber-threat arguing that it deserves recognition as a top-tier priority given that it poses some significant challenges to both national security and economic prosperity. Whilst cyber-crime falls under this category and is estimated to cost the UK economy alone £27 billion annually,2 it is simply not feasible in an essay of this length to give it the attention it deserves. Therefore, whilst it is referred to on occasion, a detailed discussion of the topic is omitted from the analysis. Instead the paper argues its case through focusing on how cyberspace could potentially serve as a platform from which hostile states and terrorist groups could direct attacks against key national infrastructures as well as on other government, military and private sector targets. Furthermore, intellectual property theft is identified as a key concern.
Rather than attempting to justify elevating the status of cyber-threats through relying upon a broad discussion of how these risks fare when compared with more traditional perils, the piece aims instead to detail their severity. It further argues that meeting the cyber-threat is likely to demand a considerable amount of resources but that this is necessary given the consequences for failing to do so could be catastrophic. It does, however, insist that there exists a significant degree of crossover between these and other major threats, so that a cyber defence budget would also often serve the aims of other departments.
Dangers from the Cyber Realm
In June 2010, it was discovered that the controversial Natanz nuclear facility in Iran had been attacked. What had caused the destruction of many of the site's centrifuges was neither a bomb nor a missile but a highly sophisticated piece of malware; a computer worm that has become known in the cyber-world as Stuxnet.3 Unlike in a conventional attack, determining the culprit has proven difficult, as is often the case in a cyber-assault, where perpetrators are able to operate behind false IP addresses, foreign servers and aliases.4 Indeed, the anonymity that the cyber realm can offer is one of the many advantages of these types of attacks. Whilst the identity of the aggressor in the Stuxnet case remains unknown, according to Claire Yorke, an expert in cyber security at the think tank Chatham House, there should be little doubt as to the type of actor involved:
'Although the origin of the virus is still unknown, its sophistication and complexity suggests it would have required significant time and resources beyond the capability of non-state actors'.5
Indeed, Stuxnet is but one of the many cyber-attacks that are alleged to have been orchestrated by a nation-state. Media reports and even the Iranian government suspect that the United States and Israel were involved.6 However true these allegations, it has now been estimated that over thirty states have developed specialized cyber-warfare units with aggressive computer-warfare programs.7 Richard Clarke, a former Special Advisor to the President for Cyber Security, insists that several states, including the US, possess the capability to launch cyber-attacks that could potentially devastate a modern nation.8 By failing to adopt new defensive strategies to counter the threat, many nations, he insists, are running serious risks to peace, order and stability, as well as to individual and national economic well-being.9
As far back as 1997, the Joint Chiefs of Staff have run Information Warfare (IW) exercises designed to improve the United States' response to cyber incidents. The first of these, codenamed Eligible Receiver, served as a wake-up call for many, demonstrating how vulnerable the nation was to this new form of attack and quite how devastating it could be when utilized. Using only commercial equipment and tools downloaded from the Internet, agents of the National Security Agency (NSA), adopting the role of foreign cyber-warriors, were able to break into the power grids of nine American cities as well as disrupt their 911 emergency systems.10 Having proven that hackers could switch off the power in multiple cities and prevent local emergency services from responding to the crisis,11 the agents then proceeded to hack their way into thirty-six Pentagon computer networks - only two of which were detected - where they would then have the power to override the command-and-control systems and issue bogus instructions to key personnel and equipment.12
As James Adams states, 'this group of hackers using only publicly available resources were able to prevent the United States from being able to wage war effectively'.13 Cyber-attacks then possess a unique appeal to rogue states and terrorist organisations not only for the anonymity they provide - which decreases the risk of retaliation - but also in that they offer an asymmetric advantage. Formerly formidable opponents, states such as the US and the UK who have sizeable defence budgets, are now weaker, due to an 'electronic Achilles heel'.14 The reliance of modern militaries on computer technologies - from GPS satellites used to guide missiles to unmanned, pilotless drones - leads Clarke to boldly assert that 'the U.S. military is no more capable of operating without the Internet than Amazon.com would be'.15
Nearly two decades on from Eligible Receiver, the Internet remains much the same, with hackers continuing to find and exploit new vulnerabilities in systems that allow for unauthorised access. Clarke provides a five page account of what a modern full scale state-sponsored cyber-assault might look like in his recent publication Cyber War. What can be drawn from this piece is that if anything the situation has only got worse. In this hypothetical scenario, the US is under cyber-attack and by hacking into the control systems of a few key national infrastructures, the anonymous aggressors are able to conduct a vicious assault on the nation that sees lethal clouds of chlorine gas being released from chemical plants, subways and freight trains derailing, passenger planes colliding in mid-air, all whilst much of the eastern half of the country is left without power.
Furthermore, the perpetrators have managed to corrupt sensitive data belonging to financial institutions as well as the military.16 Far from being the type of overdramatized scenario that could only appear in a Hollywood movie, Clarke insists that a nation-state has the capacity to carry out such an attack today, in the space of fifteen minutes and all without a single terrorist or soldier ever needing to appear.17 Why an attack of this magnitude has not yet occurred, he believes, is for the same reason that the nine nations with nuclear weapons have not made use of them since 1945; the political circumstances, as of yet, have not warranted its use.18
Intellectual property theft is among the major concerns for many of today's most technologically advanced and industrialised states. Stockholders and taxpayers pour billions of dollars into funding various research projects. The analyses and results of these are often accessible to hackers who, once they have compromised the system, are able to access the information which can then be copied, deleted and/or edited at will. For Clarke, the ability of adversaries to steal trade secrets as well as sensitive military information could have such a profound impact as to alter the balance of power within the international system.19 Jonathan Evans, the incumbent head of Britain's Security Service MI5, also views this as a major issue. Evans recently wrote to three hundred leading companies advising them that the Chinese government had most likely already penetrated their networks,20 stressing the need for them to tighten their security measures and protect their intellectual property which undeniably forms an integral part of the UK economy.
Cyber Security Budgets
Governments are now waking up to the idea that the cyber realm hosts a great number of dangers that could have a profound impact on the welfare of the state and its citizens. Cyber-threats were a prominent feature in the 2010 National Security Strategy, in which the new UK coalition government outlined it as one of only four "Tier I" priorities which also included International Terrorism.21 The Strategic Defense Review that followed declared that an additional £650 million would be added to the cyber security budget so that both the government and private sector could bolster their online defences.22 This move could be seen to demonstrate a significant shift in government priorities in which cyber-threats take precedence over more conventional concerns, with funds being stripped from other vital areas. Indeed, the same review announced that overall defence expenditure would be slashed by 8 per cent over the next five years and would include 42,000 job losses within the MOD and armed services.23
However, when considering the implications for failing to do so, the reallocation of resources appears to be a prudent move. In financial terms, the cost of dealing with cyber-attacks on commercial systems in the U.S. already exceeds $50 billion a year.24 The infamous "I love you" worm that was launched in 2000 by a single university student in the Philippines is estimated to have cost $3-$15 billion in damages.25 What a state or well-funded terrorist group intent on causing excessive damage and disruption could do then is truly an unsettling thought. A cyber defence budget of £650 million would no longer appear to be a disproportionate sum to allocate towards countering the threat.
In 2010, the London-based think tank Chatham House produced a paper that argued 'Cyberspace has merely extended the battlefield and should be viewed as the fifth battlespace alongside the more traditional arenas of land, air, sea and space'.26 This new domain of warfare, they declare, is open not only to nation-states but to a host of actors including terrorist cells and organised crime groups, who may choose to use it as a platform that may enable them to meet their political or financial objectives.27 In keeping with Clarke's stark warning, but written many years before, the National Research Council, in a paper entitled Computers at Risk, argued that 'tomorrow's terrorist may be able to do more with a keyboard than with a bomb'.28 There is then a strong degree of crossover when dealing with the cyber issue. Through funding projects that aim to tackle the cyber issue, governments might well be simultaneously funding other departments that aim to counter terrorism, organised crime or the proliferation of nuclear weapons, as many adversaries could use cyberspace as a means to achieve these ends.
In a paper written for the Center for Strategic and International Studies, James Lewis presents a highly skeptical view of what the likelihood and effectiveness of launching a cyber-attack would be. Whilst admitting that many computer networks remain vulnerable to attack, 'few critical infrastructures', he claims, 'are equally vulnerable'.29 He argues that an attack directed against the national electric grid in the US, which is often cited as a potential target for hostile states and terrorist groups, would have limited consequences given that it is not controlled by one central organisation, but by some 3,000 public and private sector groups.30 To cause large scale disruption, Lewis contends, would then require cyber-warriors to simultaneously attack multiple targets, something he views as an enormous task. His argument, however, fails to recognise that not all energy suppliers contribute equally and that a strategic attack against only a couple could be all that is needed to bring a thriving metropolis to a grinding halt.
The idea that terrorists or other potential aggressors could hack into nuclear weapons systems and cause a major catastrophe, reminiscent of scenes in the 1983 film WarGames, is perhaps a little too far-fetched. Joshua Green is keen to emphasize that such systems are protected by 'air gapping', meaning that they are not physically connected to the Internet or any open network which makes it almost impossible for an outsider to gain unauthorised access to the systems.31 Similar safety measures also exist for many government and military networks such as the US Department of Defense Secret Internet Protocol Router Network (SIPRNET) which is used to transfer classified information between relevant departments.32 Cutting off all outside users heavily reduces the risk of an adversary being able to steal sensitive information or cause disruption to services but it does not eradicate it.
The Department of Defense has already experienced several incidents where malicious software has moved over to their most sensitive air gapped networks,33 and indeed the aforementioned Stuxnet worm is thought to have been unleashed when a user uploaded the malware via USB.34 The Natanz computer network was itself air gapped and was considered by many to be impenetrable. Pentagon information security experts who have grown accustomed to these problems have labeled it "the sneakernet threat".35 To argue that our most sensitive information is inaccessible because certain networks may be air gapped is then ill founded. Air gapping as an answer to the cyber-threat is of course not a credible solution. Looking at the wider issue, these dangers extend beyond military networks and directly target the private sector, as well as individuals. To implement similar measures in these theatres would call for the disbandment of the Internet altogether. Its use may protect systems from attacks but there are obviously ways around it. Furthermore, to believe that all valuable information is stored on air gapped networks would be a ludicrous assumption.
Since the "dot-com" boom era of the mid-1990s, the Internet has enabled millions of users worldwide to share a wealth of information. Having started out as a research project for the US government, cyberspace has now undeniably helped to develop international trade and commerce as well as bringing people from all corners of the globe closer together through the use of email, chatrooms and social media platforms. However, it also possesses a darker quality, one that enables organised crime syndicates to siphon billions from an unsuspecting public and more recently it has served as a platform from which hostile actors could launch devastating attacks that are capable of crippling a modern state. The anonymity, low cost and asymmetric properties of cyber-attacks make them a highly attractive tool for advancing political or financial objectives.
Cyber-threats encompass a host of dangers that include fraud, intellectual property theft, cyber-espionage, as well as attacks on military, government and private sector targets. Depending upon the actor initiating the strike, it could also fall into other categories such as organised crime and terrorism. By funding cyber security projects one might not necessarily be taking away resources from these other areas as these dangers are capable of crossing over into the cyber realm. In essence, this piece argues that cyber-threats deserve recognition as major threats given the potential damage they could inflict upon areas critical to the adequate functioning of the state. Furthermore, the considerable degree of overlap that exists between cyber-threats and other concerns such as inter-state hostilities, terrorism and organised crime, justifies the need to provide sufficient political capital to the departments that are tasked with tackling this emerging security concern.
Adams, J. 'Virtual Defense'. In Foreign Affairs, 80 (2001).
BBC News, 'UK cyber crime costs £27bn a year - government report'. BBC News (online), 17 February 2011. Available at http://www.bbc.co.uk/news/uk-politics-12492309 (Accessed 18 March 2012).
BBC News, 'Defence review: Cameron unveils armed forces cuts'. BBC News (online), 19 October 2010. Available at http://www.bbc.co.uk/news/uk-politics-11570593 (Accessed 18 March 2012).
Clarke, R. & Knake, R. Cyber War: The Next Threat to National Security and What to Do About It (New York, Harper-Collins Publishers, 2010).
Cornish, P. et al, On Cyber Warfare (London, Royal Institute of International Affairs, 2010). Available at http://www.chathamhouse.org/sites/default/files/public/Research/International%20Security/r1110_cyberwarfare.pdf (Accessed 18 March 2012).
Dunnigan, J. The Next War Zone - Confronting the Global Threat of Cyberterrorism (New York, Kensington Publishing Corp, 2002).
Eriksson, J. & Giacomello, G. 'The Information Revolution, Security, and International Relations: (IR) Relevant Theory?', International Political Science Review, 27 (2006). pp. 221-244.
Farewell, P. & Rohozinski, R. 'Stuxnet and the Future of Cyber War', Survival: Global Politics and Strategy, 53 (2011). pp. 23-40.
HM Government, 'A Strong Britain in an Age of Uncertainty: The National Security Strategy' (London: Her Majesty's Stationery Office, 2010) p.11. Available at http://www.direct.gov.uk/prod_consum_dg/groups/dg_digitalassets/@dg/@en/documents/digitalasset/dg_191639.pdf?CID=PDF&PLA=furl&CRE=nationalsecuritystrategy (Accessed 18 March 2012).
HM Government, 'Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review' (London: Her Majesty's Stationery Office, 2010) p.47. Available at http://www.direct.gov.uk/prod_consum
Hopkins, N. 'Stuxnet attack forced Britain to rethink the cyber war'. The Guardian (online), 30 May 2011. Available at: http://www.guardian.co.uk/politics/2011/may/30/stuxnet-attack-cyber-war-iran (Accessed 18 March 2012).
Lewis, J. 'Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats' (Washington DC: Center for Strategic & International Studies, 2002). pp. 1-12.
National Research Council, 'Computers at Risk' (Washington DC: National Academy Press, 1991).
Weimann, G. Terror on the Internet: The New Arena, the New Challenges (Washington DC, United Institute of Peace, 2006).