Capstones: Nervous Systems

By Alan W. Dowd, 2.3.16

Large-scale cyberattacks targeting U.S. citizens, interests and infrastructure are happening so frequently that it’s nearly impossible to keep track of the onslaught. The most recent of these came last summer, when Chinese hackers penetrated the Office of Personnel Management and compromised the personal, financial and employment history of 21.5 million Americans. U.S. officials describe it as perhaps “the most devastating cyberattack in our nation’s history.”

There is more—and worse—to come. Gen. Keith Alexander, former head of U.S. Cyber Command (CYBERCOM), worries about the “transition from disruptive to destructive attacks…those are coming.” 

The challenge is to deter destructive cyberattacks, to mitigate the damage from disruptive cyberattacks and to be resilient enough to take the fight to the enemy after weathering a cyberattack.

Counting the Costs

Cyberspace is a vast, ungoverned and largely unguarded frontier that provides America’s enemies—from anarchist “hacktivists” like Anonymous to terrorist groups like ISIS to near-peer competitors like China and Russia—with access to the nervous system that runs the U.S. economy, government and military. Indeed, with irony befitting a Greek tragedy, the very thing that makes the United States so powerful—its mastery of new technologies and capacity to incorporate them into its institutions, economy and armed forces—also makes it vulnerable.

To date, cyberattacks have not been crippling—at least not those directed at the U.S.—but they have been costly.

  • Cyberattacks cost the average American company $15.4 million annually. A CSIS study estimates the annual global costs of “malicious” cyber-activity at between $375 billion and $575 billion. “That’s our future disappearing in front of us,” Alexander grimly concludes.
  • In 2013, the U.S. government notified more than 3,000 companies—many of them defense contractors—that their computer networks had been compromised. 
  • Some 431 million people around the world are victimized by cyberattacks annually, including one in four American adults. Cyber-crime represents an economy “larger than the global black market for marijuana, cocaine and heroin combined,” according to one report.

Much of the cyber-assault emanates from China. Alexander calls China’s cyber-siege of the United States “the largest transfer of wealth in history.” According to a study conducted for the U.S.-China Economic and Security Review Commission, China’s use of “computer network exploitation activities to support espionage has opened rich veins of previously inaccessible information that can be mined both in support of national-security concerns and, more significantly, for national economic development.” For example:

  • In a 2007, Chinese cyberattacks compromised 1,500 Pentagon computers.
  • Beijing has used cyberattacks to infiltrate subcontracting firms and systems related to the F-35 Joint Strike Fighter program and C-17 transport plane program.
  • Beijing exploited cyberspace to steal user credentials of NASA employees and gain “full functional control over networks at the Jet Propulsion Laboratory,” according to the U.S.-China Economic and Security Review Commission.
  • China launched “spearphishing” attacks—a tactic using email that appears to be from a trusted source to gain access to a target’s computer—against Westinghouse Electric, Alcoa, Allegheny Technologies Incorporated, U.S. Steel, the United Steelworkers Union and SolarWorld.
  • In 2013, information-security firm Mandiant pointed to a shadowy unit of the People’s Liberation Army (PLA) called “Unit 61398” as the source of many Chinese cyberattacks. Unit 61398 has attacked government ministries in the U.S., Europe, Japan and other countries; penetrated computer systems at U.S. defense firms, the Pentagon and NASA; planted computer components in the United States with Trojan horse codes; and stolen massive amounts of information. “We witnessed them stealing hundreds of terabytes of data from 141 companies,” Mandiant reported, adding, “A unit of the PLA has in fact been chartered to compromise the U.S. infrastructure and steal our intellectual property.”

Destroying Everything
Regrettably, cyberattacks can do far worse than simply steal secrets, compromise personal privacy and erase wealth. They can destroy facilities, systems and infrastructure that people depend on for life.

U.S. officials worry about Chinese telecommunications firm Huawei placing a “bug, beacon or backdoor” into critical systems that could allow for “a catastrophic and devastating domino effect…throughout our networks,” as a congressman told Foreign Policy magazine.

Former Defense Secretary Leon Panetta described this sort of cyberattack as “the next Pearl Harbor.” But that may be an understatement. Although Pearl Harbor decimated the Pacific Fleet, it left America’s industrial, financial, communications and utilities infrastructure untouched. An orchestrated cyberattack could sever our transportation arteries, cripple our energy and water utilities, freeze our financial system, blind our military, and scramble our communications networks.

Alexander likens freedom of action in cyberspace to “freedom of the seas…in the 19th century and access to air and space in the 20th century”—and rightly so. The physical infrastructure America depends on—the electrical grid, water-treatment facilities, air-traffic control system, banking and financial systems, transportation arteries—depends on cyberspace. If America’s swath of cyberspace is at risk, those systems are at risk—and someone could throw America’s high-tech society back to pre-industrial days.

Critics of cyberdefense are unpersuaded, arguing that a cyberwar, waged with bytes and streams of code rather than bullets and bombs, can’t really hurt us. They’re wrong. Just ask some of our friends.

In 2007, in what has been called “Web War I,” Russian cyberattacks cut off Estonia from the world—hacking the websites of the president, prime minister, parliament and foreign ministry; crippling Estonia’s communications infrastructure; and disabling the mobile-phone network, the 911 equivalent and the country’s largest bank. After Web War I, Ene Ergma, head of the Estonian parliament, wearily explained, “Cyberwar doesn’t make you bleed. But it can destroy everything.”

In 2012, Iran’s Shamoon computer virus destroyed 30,000 computers linked to the Saudi oil industry. 

In 2013, North Korea’s “DarkSeoul” attacks wiped clean the master boot records of 32,000 computers at South Korea’s largest banks and broadcasting companies. McAfee concluded the attacks “were actually the conclusion of a covert espionage campaign” aimed at military units in South Korea. “The true intention of the DarkSeoul adversaries,” according to McAfee, was “to spy on and disrupt South Korea’s military and government activities.” 

In December 2015, Ukraine experienced what has been called “the first blackout caused by a cyberattack.” Eight Ukrainian utilities were hit by a malware attack emanating from Russia that left 80,000 people without power—in the dead of winter. A related cyberattack crippled the IT network at the main airport in Kiev.

And in January 2016, Israel’s Public Utility Authority was hit by “one of the largest cyberattacks that we have experienced,” according to Israeli officials.    

Deterrence and ResilienceThe good news amidst all this worrisome news is that Washington is doing more to defend America’s swath of cyberspace, albeit in a piecemeal manner.

President George W. Bush launched the Comprehensive National Cybersecurity Initiative, which committed $30 billion to strengthening government networks. Bush also initiated the “Cyber Storm” readiness exercises, which enfold the private sector, federal and state agencies, and allied governments. In addition, Bush authorized U.S. intelligence and military assets to go on the offensive in cyberspace. In 2006-07, Bush approved the “Olympic Games” cyberattacks against computer systems that run Iran’s nuclear program.

President Barack Obama continued the cyber-campaign against Iran, which included the highly sophisticated Stuxnet computer worm. He stood up CYBERCOM in 2010, underscoring the Pentagon’s expanding role in this new theater of operations. And he gave the Pentagon a green light to treat cyberspace like any other domain, authorizing the military to develop capabilities to “deceive, deny, disrupt, degrade and destroy” enemy information systems. 

Gen. James Cartwright, former vice-chairman of the Joint Chiefs of Staff, had long argued for such a shift. “If we apply the principles of warfare to the cyber domain, as we do to sea, air and land,” he said in 2007, “we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary to deter actions detrimental to our interests.” Toward that end, Cartwright has suggested that Washington may have “to do something that’s illustrative” in order to communicate U.S. seriousness in cyberspace.

To assist the warfighters in their deterrence mission, policymakers should let it be known that the U.S. will view a cyberattack on critical infrastructure in the same way as a traditional military attack. It’s worth noting that Russian military officials have argued that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not.”

But because deterrence may not always translate to cyberspace, resilience may be the operational concept that best characterizes the Information Age. “Given that the nature of cyberattacks is still evolving and that attackers increasingly use third and fourth parties to channel their attacks, and thus create false leads, deterrence is more difficult,” a Fraser Institute report argues. “A better defense is the ability to sustain one or more cyberattacks and to be able to counter and restore defensive capacity.”

Put another way, when deterrence fails to prevent cyberattack, resilience will be key to restoring critical capabilities—and taking the fight to the enemy. 

Toward that end, the Pentagon unveiled plans in 2013 to expand CYBERCOM from 900 personnel to 5,000. The expansion is part of a wider effort at CYBERCOM to field three new forces for the Information Age: a “cyber national mission force” to protect computer systems and networks that serve critical infrastructure; a “cyber combat mission force” to assist regional combatant commands in conducting offensive operations; and a “cyber protection force” to defend Pentagon networks. “This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace,” Alexander bluntly explains. 

In addition, top military planners are mapping cyberspace—all the billions of computers, switches, devices and related networks that make up this ever-growing invisible domain. Ominously dubbed “Plan X,” this DARPA program will ensure that the United States has “superior capabilities to rapidly plan, execute and assess the full spectrum of military operations in cyberspace.”  All of this—the cyber-weapons being developed and deployed, the new rules of engagement for cyberspace, the phalanx of cyberwarfare units, the growing ranks and reach of CYBERCOM, the mapping of cyberspace—is a function of the growing likelihood that America’s enemies will use cyberspace to do far worse than simply steal from us or spam us. And it’s long overdue. As Cartwright has warned, “We lack dominance in cyberspace and could grow increasingly vulnerable if we do not fundamentally change how we view this battlespace.”

Alan W. Dowd is a senior fellow with the Sagamore Institute, where he heads the Center for America’s Purpose