
11 November 2013

A Fierce Domain: Conflict in Cyberspace 1986 to 2012

Jason Healey (Editor)


A Fierce Domain: Conflict in Cyberspace 1986 to 2012. Jason Healey, Editor. Cyber Conflict Studies Association.

Advance Praise for “A Fierce Domain”

If you’re a diplomat, general, or elected official that cares about the implications of cyber warfare, be sure to read this book.
-- President Toomas Ilves of Estonia

This is an important book. I have not seen anything this thorough about the history, and without history we are poorly equipped to understand the future.
-- Dr. Joseph S. Nye, Jr., University Distinguished Service Professor and Former Dean of the Harvard Kennedy School

... the biggest impediment to effective cyber defense in the United States was our failure to settle on the “big ideas” -- those macro-thoughts of law, policy and doctrine that should guide our cyber behavior. A Fierce Domain takes a giant step to meet this need by carefully laying out where we have already been on this journey.
-- General Michael Hayden, Former Director of the CIA

... an important historical framework and resource for the future.
-- Gen. Ronald Keys, US Air Force (Ret.), Commander of Air Combat Command

... a really practical guide to the policy questions that need to be answered to “really” address cyber security - not just in the U.S. but in the world.
-- Jeff Moss, Hacker and Founder of Black Hat and DEFCON

Biography of Jason Healey

Jason Healey is the Director of the Cyber Statecraft Initiative of the Atlantic Council, the goal of which is to demystify issues of international cooperation, competition, and conflict in cyberspace. He has worked on cyber issues since the 1990s and has served as a policy director at the White House, Vice President at Goldman Sachs, and Vice Chairman of the key finance sector cyber sharing center. As a US Air Force intelligence officer, he was a plankholder (founding member) of the first joint Cyber Command in 1998. He is a board member of the Cyber Conflict Studies Association, a lecturer in cyber policy at Georgetown University, and co-author of the Cyber Security Policy Guidebook (Wiley, 2011).

[Excerpts]

Introduction

Cyber conflict is new, but not so new that it has failed to accumulate its own history. For over twenty-five years, nation states and non-state groups have been using computer networks to strike, spy upon, or confound their adversaries. While many of these dust-ups have been mere nuisances (more playground pranks than real battles), several incidents have become national security issues, placing militaries on alert and prompting warnings to heads of state, the US President included. These conflicts are best understood as issues of international security, not information security.

This book is the first of its kind to address the history of cyber conflict, which started in earnest in 1986, when German hackers searched through thousands of US computer files and sold their stolen materials to the KGB. In 1995, the US intelligence community reported to Congress that incidents involving computers and telecommunications equipment accounted for the “largest portion of economic and industrial information lost by US companies” to espionage.

Cyber espionage cases are among the most prevalent of the many types of stories in this history, but there are also incidents resulting in nations resorting to the use of actual force against one another, or attacking rivals anonymously from the Internet. Patriotic hackers have attempted to disrupt networks, computers, and data controlled by their targets, who were perceived to be somehow insulting the hackers’ motherland. More important than historical cases, of course, is what we can learn from them. An analysis of the first quarter-century of cyber conflict reveals three broad lessons.

1. Cyber conflict has changed only gradually over time; thus, historical lessons derived from past cases are still relevant today (though these are usually ignored).

2. The probability and consequences of disruptive cyber conflicts have often been hyped, while the real impacts of cyber intrusions have been consistently under-appreciated.

3. The more strategically significant a cyber conflict is, the more similar it is to conflicts on the land, in the air, or on the sea – with one critical exception.

Unfortunately, these lessons from the history of cyber conflict largely have been ignored, even though their importance has continued to escalate. Universities are building programs to train thousands of new cyber professionals. Students flow into this field in ever increasing numbers, and as graduates, into new cyber organizations, often with only technical training, a polygraph, and a pat on the back. Senior leaders, such as generals, diplomats, and elected or appointed officials, are seeking or finding themselves assigned to jobs with heavy cyber responsibilities, though they often know little of what this entails, but feel sure that they must be the first to deal with such weighty issues.

In each case, all too often these new entrants are told to forget everything they thought they knew about security and cyberspace. “Don’t look back — worry about the future,” the flood of the newly hired are told. “History is in front of you.”

It is true that closest to the networks, at the most technical and tactical levels, cyberspace does have completely different dynamics from conflicts on the land, in the air, or on the sea. But at the level of international security, the “forget everything” mantra is simply wrong. The technical truths so crucial to network defenders are far less important when abstracted up to commanders and policymakers in charge of handling national security crises.

Admirals don’t need to understand details of the ballistics of naval weaponry to plan a naval campaign. Similarly, cyber generals do not need to know the intimate details of TCP/IP packets. One of the most important lessons to be drawn from cyber conflicts thus far is that the fundamental policies of national security and international relations should largely apply in this arena as well.

Another key lesson is that we continue to make the same mistakes, over and over. This type of conflict has become more dangerous and has grown more frequent. But prior cases of cyber conflict are not merely repetitive. They can be seen as echoes. New hires in the cyber field, whether at the junior or senior levels, must learn the lessons of cyber conflict history to avoid repeating the scrambles and improvised efforts of the past. A study of this history is especially important now, because so much of our future security, business, and comfort will depend upon cyber technologies and networks.

Nations and to a lesser degree non-state groups are seizing on cyber conflict tactics and strategies, seeing it as a bloodless and seemingly risk-free way to achieve disruption and conduct espionage. General Robert E. Lee once said, “it is well that war is so terrible, otherwise we should grow too fond of it.” Unfortunately, modern cyber warriors, including those in the United States, seem to be increasingly fond of believing that “it is well that cyber war is not so terrible, otherwise we couldn’t use it.” This philosophy allows them to more eagerly use their new cyber tools for clandestine intelligence and covert disruption.

In cyberspace, however, the future is a jump ball, undecided, and it may be more sensitive to state-sponsored technological disruptions than many governments currently understand. Armed with new cyber capabilities, generals and spymasters may be steering the world toward a much darker cyber future, characterized by unrestrained and unrestrainable attacks. These would be damaging to governments and potentially devastating to the rest of us. These trends, as history, are clear. But what we do about them is not.  

As the first account of its kind regarding this history, this book will certainly skip too lightly over countless facts and people and miss enlightening stories. For example, the US government has thousands of pages of material pending in response to filed Freedom of Information Act requests. That trove of potentially useful material was unfortunately made available too late to be included in this book. But it will be available to future researchers. Hopefully, that data will be examined and utilized in future work, to build upon this introduction and provide even more important lessons.

Others will take aim at the lessons of cyber conflict history, as presented here, and well they should. It may be too early to see the lessons clearly, and our research may have been biased by relying only on unclassified information. If there have been important conflicts that are still classified, then perhaps the underlying lessons of those will be different. Fortunately, some of the reviewers of this book did have clearances and current knowledge. There has been no feedback yet stating that the lessons from history presented here would be any different if the authors had relied on classified sources. If the reverse does turn out to be true, then the US government should of course declassify the conflicts or at least the lessons.

Part 1 of this book is a chronological narrative of cyber conflict history, mostly from a US perspective. We begin with key lessons. The section titled Realization focuses on the emerging awareness of cyber conflict problems in the 1980s (e.g., the Cuckoo’s Egg and Morris Worm). In the section titled Takeoff, the focus is new doctrines concerning information warfare and the creation of military cyber commands in the 1990s. Finally, in Militarization, topics such as Chinese espionage, Estonia, and Stuxnet—all of which became significant in the first decade of the twenty-first century—are examined.

Parts 2, 3, and 4 chronicle some of the most important cyber conflicts over the past twenty-five years and present in-depth case studies, which previously have been surprisingly hard to find. Two case studies are from contemporary sources, but the rest have been created new for this book, including several from former students of mine from Georgetown University. Several others were produced by the Cyber Statecraft Young Professionals group (co-sponsored by the Atlantic Council and Cyber Conflict Studies Association), while another was the winner of a case-study competition held by these groups and the Armed Forces Communications and Electronics Association.

Since so much of cyber history is currently known and seen through a US lens, Part 5 includes perspectives on key incidents and lessons by analysts from Britain and Japan. In the Concluding Assessment at the end of the book, an analysis is presented concerning which nations seem to be most responsible for some of the conflicts described in the earlier chapters. The Appendices include the sources used for this study and a useful glossary for novices to the field.

...

Why Haven’t We Learned?

A number of factors have contributed to hiding not just the important lessons of cyber history, but also the fact that there is a history of cyber conflict. The first and foremost of these factors is the massive influx of new entrants into the field. Each new wave of entrants, every five years or so, feels that they are the pioneers. Since they are not taught any history of their field, many accordingly fail to distinguish between what is actually new and what is just new to them. In addition, cyberspace not only has many characteristics that are non-intuitive to (older) policymakers, but it seems to be forever changing. Thus, the spirit of cyberspace is to look forward, toward the future and new technologies. Looking backwards has mistakenly seemed a waste of time and effort. Since cyberspace is still relatively new, the analytical community that views the past twenty-five years as “history” is actually quite small. Admittedly, the field is still emerging rapidly, and we are at the beginning of the “cyber age.” But that is no reason to ignore the useful lessons of its current history.

Two other key factors have been instrumental in blocking learning about cyber conflict. Its practitioners largely have been technologists who see cyber conflicts as technical challenges. Though kings and queens in their own field, these technologists have consistently failed to appreciate how differently the dynamics of national security operate during cyber conflicts. On the other hand, international security specialists don’t understand cyberspace, and have been told that cyber is new and different, so their existing theories and approaches do not apply. This mutual misunderstanding between the “geeks” and “wonks” means that the overlaps between the two, which are reflected in history, are perpetually ignored.

The last factor is the pernicious effect of government secrecy. As this book was being developed, many practitioners felt that too much of cyber conflict history was classified for the story to be adequately told (some also felt that many stories perhaps should not be retold). Fortunately, there has been no feedback yet that the lessons from history presented here would be any different if the book had relied on classified sources. This book is necessarily built upon media stories, FOIA-requested information, interviews, and other non-classified research material, and it does provide a comprehensive overview. But almost certainly, classified conflicts have occurred, which we will not know about for years to come.

Four key recommendations, if implemented, may improve our ability to learn from cyber conflict history.  

1. The White House must encourage the military and Intelligence Community to declassify information on past cyber conflicts;

2. The National Intelligence University, Center for Cryptologic History, or Center for the Study of Intelligence should begin a parallel effort to develop a classified history, the lessons of which must be declassified;

3. The DoD, DHS, and others must teach cyber conflict history to both the newer cyber cadres and senior decision-makers. Professional historians need to become more involved. And cyber conflict should be taught in classes in both Cyberspace Engineering and International Security.

4. University history departments, historians, and other researchers must recognize cyber conflict as an area with a rich history, waiting to be mined. (Perhaps this might even offer better prospects for publication than other, long exploited areas of military or national security history. Trust me, you can make far more as a historian if you specialize in cyberspace than in the advantages or disadvantages of the phalanx.) Hopefully, once more cyber conflict history is revealed, new students, policymakers, and cyber practitioners will learn that the dynamics of cyber conflict are not as mystifying as they have been led to believe.  

As shown in Table 1, cyber conflict history can be divided into three very distinct periods. Realization started in the mid-1980s, Takeoff in 1998, and Militarization began in 2003. Each of these periods will be examined in the following pages. In each period, policymakers and technical experts struggled with a few key questions. Are we being too paranoid, or not nearly paranoid enough? How much do we focus on fighting crime, stopping espionage, or defending against catastrophic attacks? What is the right balance between offense and defense? How do we coordinate between different agencies and countries? What is the proper role for the private sector?

[Image: Table 1, the three periods of cyber conflict history (Realization, Takeoff, Militarization)]

...

Lessons and Findings from Our Cyber Past

From the history of cyber conflict, key lessons and findings clearly emerge, and each of these carry significant policy implications for cyber defenders and policymakers today. As with any other indicators, these observations help confirm the long-term trends, but cannot be depended upon to predict the future with accuracy.

1. Cyber conflict has changed only gradually over time; thus, historical lessons derived from past cases are still relevant today (though these are usually ignored).

a. Conflicts today are not exact repetitions of past events, but they are clearly echoes.

b. There has been no essential discontinuity between the cyber conflicts of twenty-five years ago and those of today. Technologies have changed, but the underlying dynamics of today’s conflicts would be familiar to cyber defenders from those early days.

c. Many of the questions vexing cyber policymakers today were asked in almost exactly the same terms by their predecessors ten and twenty years earlier. Again and again, lessons have been identified and forgotten rather than learned.

2. The probability and consequences of disruptive cyber conflicts have often been hyped, while the real impacts of cyber intrusions have been consistently under-appreciated.

a. Historically, the most important cyber conflicts have not involved war or terror, but rather espionage.

b. However, it is increasingly clear that nations, including the United States, are engaging in covert “shadow conflicts,” which is irregular warfare using proxies and covert sabotage.

c. Cyber espionage against the United States has been occurring since at least the mid-1980s. But today it is far, far worse–indeed, some say intolerable. Of course, the United States is extremely active in its own, quieter cyber espionage.

d. While the cost of espionage is high (but difficult to estimate, much less to calculate), there is little evidence that disruptions have caused even blips in national GDP statistics.

e. We have been worrying about a “cyber Pearl Harbor” for twenty of the seventy years since the actual Pearl Harbor.

f. No one is known to have died from a cyber attack.

g. Nations have not sought to cause massive damage to each other outside of larger geo-political conflicts.

h. Cyber incidents have so far tended to have effects that are either widespread but fleeting, or persistent but narrowly focused. No attacks, thus far, have been both widespread and persistent.

i. As with conflict in other domains, cyber attacks can take down many targets. But keeping them down over time in the face of determined defenses has thus far been beyond the capabilities of all but the most dangerous adversaries.[6]

j. Strategic cyber warfare has thus far been well beyond the capabilities of the stereotypical teenaged hackers in their basements.

k. Adversaries historically have had either the capability to cause significant damage or the intent to do so—but rarely did they possess both dangerous capabilities and truly malicious intent.

3. The more strategically significant a cyber conflict is, the more similar it is to conflicts on the land, in the air, and on the sea – with one critical exception.

a. The most meaningful cyber conflicts rarely occur at the “speed of light” or “network speed.” While tactical engagements can happen as quickly as our adversaries can click the Enter key, conflicts are typically campaigns that encompass weeks, months, or years of hostile contact between adversaries, just as in traditional warfare.

b. Because the most strategically meaningful cyber conflicts have been part of larger geo-political conflicts, their nature has tended to offer ample warning time to defenders, even without reliance on technical means. A good rule of thumb is that “physical conflict begets cyber conflict.”

c. While some attacks are technically difficult to attribute, it is usually a straightforward matter to determine the nation responsible, since the conflict takes place during an ongoing geo-political crisis.

d. There have been no digital Pearl Harbors yet. Nations seem generally reluctant to conduct large-scale damaging attacks on one another, outside of traditional geo-political conflicts.

e. To date, no terrorist groups have chosen cyber attack as a primary attack method. There has been no Cyber 9/11 yet, a major attack designed to cause death, destruction, and terror.

f. Perhaps the biggest difference between cyber conflicts and their traditional equivalents is the one most often overlooked: when defending against cyber conflicts, it is non-state actors, not governments, which typically are decisive in cyber defense. Companies and volunteer groups have repeatedly used their agility and subject matter knowledge to mitigate and prevail in most of the conflicts in this book, while governments stand on the sidelines. Only uncommonly are governments able to bring the superior resources of their unwieldy bureaucracies to bear in enough time to decisively defend against attacks.

Despite the popular conception that the nature of cyber “war” must constantly change with every new technology, this book makes the case that the situation is happily much different. The lessons from yesterday are not trivia–they remain eminently useful.

As an analogy, imagine buying a few rounds of drinks for a modern fighter pilot and his predecessors from World Wars One and Two. Despite over a hundred years of technological and doctrinal changes between their respective careers, within five minutes they would be telling breathless tales of dogfights, and how they had zipped through complex aerial maneuvers to lose an adversary or to line up a kill shot. The dynamics of dogfighting, such as the advantages of relative height, speed, and maneuverability, have remained stable over time, even though technology has made dogfights faster, higher in altitude, wider in range, and above all, more lethal. So it is with cyber conflicts.

In addition, these lessons show the underlying continuity of cyber conflict with traditional international relations, national security, and military operations. While there are certainly differences, to date cyber conflicts have not been fundamentally different from conflicts on the land, in the air, or on the sea.

The key historical findings above are different from the common myths about cyber conflict, such as that cyber attacks are like massively disruptive, lightning wars unleashed either by kids in their basements or by nations using surprise attacks which are wholly unrelated to current geopolitical tensions. While not impossible, these scenarios have not yet materialized.

It appears that cyber deterrence, long the subject of theory but usually dismissed, has been operative for some time. This has gone unrecognized, because historical analysis has been focused on quotidian hacking and technical details, rather than on conflicts as nations have actually conducted them.

Despite early fears that nations would strike at each other using surprise, strategic attacks, while relying on anonymity within the Internet, there is no evidence that such conflicts have occurred. Nations seem to be willing to launch significant cyber assaults during larger crises, but not out of the blue. Accordingly, a comparison with nuclear deterrence is extremely relevant, but not necessarily the one that Cold Warriors have recognized.

Nuclear weapons did not make all wars unthinkable, as some early Cold War thinkers had hoped. Instead, they provided a ceiling under which the superpowers fought all kinds of wars, regular and irregular. The United States and the Soviet Union, along with their allies, engaged in lethal, intense conflicts ranging from Korea to Vietnam, and through proxies in Africa, Asia, and Latin America. Nuclear warheads did not stop these wars, but they did set an upper threshold which neither side proved willing to cross.

Likewise, though the most cyber capable nations (including the USA, China, and Russia) have been more than willing to engage in irregular cyber conflicts, they have stayed well under the threshold of conducting full-scale strategic cyber warfare, and have thus created a de facto norm. Nations have proved just as unwilling to launch a strategic attack in cyberspace as they have been to do on the land, in the air, or on the sea.  

The failure of the United States to learn from these lessons, or indeed even to notice that there is a history from which they may learn, has critical implications for cyber operations today and tomorrow. For example, cyber conflicts are fast, but by no means do they occur at the “speed of light” or even at “network speed,” as is routinely described by US military leaders. As later sections of this history will discuss, MOONLIGHT MAZE, Estonia, Conficker, Stuxnet, and Chinese cyber espionage were all prolonged conflicts.[7]

Tactical engagements in every domain can unfold quickly (for example, aerial dogfights in every war could sometimes be over before an unsuspecting pilot knew he was in one), but successful generals and strategists never allow themselves to obsess over these tactical engagements. Instead, they extrapolate from each action to more strategic levels to plot several moves ahead. This will be difficult if we continue to over-emphasize tactical, rather than strategic, truths.

These popular misunderstandings of cyber conflicts have critical implications, which include the following:

1. The US cyber community will likely over-invest in capabilities and doctrine to automatically counterattack against surprise attacks.

2. Rules of engagement will allow ever-lower levels of military authority to “shoot back” without seeking authorization—a relaxation of the rules which may not be conducive to long-term US economic or military interests.

3. Response plans will focus on today’s incident, with little thought on how to surge and sustain an effort over the weeks and months that it has previously taken conflicts to occur.

4. Defensive actions which make sense in longer campaigns (such as installing new networking capabilities and Internet Exchange Points) will be ignored.

5. The US military will train their new cyber cadres with doctrines and strategies that are focused only on the immediate fight, with little conception of the true nature of the strategic whole.

A reading of today’s headlines shows that the US military is barreling down most, if not all of these roads.

Likewise, the US national security community should know it is difficult to have a prolonged strategic effect, even in cyberspace. If Flying Fortresses in World War II could not achieve a strategic victory over Germany after dropping millions of tons of high explosives over several years of operations, why do so many people still believe that a few kids might take down the United States from their garage or basement?

Yet basement-originated strategic warfare is a common theme. As recently as March 2012, the four-star general who oversees Air Force cyber operations said at a conference that deterrence was difficult in cyber conflict since, “[f]or someone with the right brainpower and the right cyber abilities, a cheap laptop and Internet connection is all it takes to be a major player in the domain.”[8] These tools might help an adversary to steal data or identities—or even to conduct a major intrusion. But they are not sufficient for a strategic effect that requires deterrence power from the world’s most powerful military.

At least as important is the principal difference between cyber and traditional conflicts: the primacy of the private sector. Cyber conflict history clearly shows that nearly every significant incident has been resolved by the private sector, not the government. Yet government response plans, such as the US National Cyber Incident Response Plan, reverse this emphasis and discuss how government bureaucrats and elected officials will make the key decisions. In cyber conflicts, the private sector is not a “partner” of government, but the “supported command.”

It is also becoming apparent that cyber conflicts have not been as universal in scope as has often been thought. Researchers Brandon Valeriano and Ryan Maness used traditional political science methods to find that “Only twenty of 124 active rivals—defined as the most conflict-prone pairs of states in the system—engaged in cyber conflict between 2001 and 2011. And there were only ninety-five total [cyber conflicts] among these twenty rivals.” Their more quantified and comprehensive approach confirms that cyber conflicts have not been devastating. They rated all cyber conflicts with a severity rating “ranging from five, which is minimal damage, to one, where death occurs as a direct result from cyberwarfare… Of all ninety-five [cyber conflicts] in our analysis, the highest score—that of Stuxnet and Flame—was only a three.”[9] Their research also counters the myth that cyber conflict is a free-for-all. They found that conflicts did not take place randomly; instead, they tend to occur only between existing rivals, who are typically neighbors, and only during ongoing crises.