August 7, 2011
The Challenge of Cyber Warfare
The Challenge of Cyber Warfare—Posner
Becker identifies the principal issues presented by cyber warfare—the difficulty of prevention and the difficulty of identifying the attacker, which is essential to effective deterrence.
In assessing these issues, one needs to distinguish between hacking data and destroying data. The essential vulnerability of online data to hacking lies in the fact that, since the data are not physically enclosed (like documents in a steel safe), they can be secured against copying only by encryption, and any code designed to scramble a body of electronic data to make it unintelligible can be hacked from anywhere in the world. Unless the code is changed constantly (maybe every few seconds), the indispensable defensive response is to detect the hacking promptly and change the code.
But hacking is a relatively minor problem—more in the nature of an annoyance than a serious injury. In the national security setting, it is a form of espionage, and espionage rarely inflicts more than marginal harm, in part because it is a two-way street. And this is true of hacking: foreign countries hack our national security computer communications and databases, but presumably we hack theirs.
The greater danger is the danger of destruction of online data (i.e., sabotage versus espionage). It could paralyze our conduct of cyber warfare and could also gravely disrupt the national electrical grid, the financial system, and communications generally. There have already been cases of successful cyber sabotage, notably of Iranian nuclear facilities.
So cyber warfare is a real danger. But in that respect it is no different from nuclear warfare, which the world has managed to avoid, mainly by deterrence (threat of retaliation) but also by the taboo status that nuclear warfare has attained in the imagination of most people, including national leaders, over the last three-quarters of a century despite the proliferation of nuclear weapons and the relative cheapness and simplicity of creating and deploying them.
The problem with deterring cyber warfare is partly the difficulty of identifying the source of a cyber attack, which need not even be a nation (it could be a terrorist group—though there is also a danger that such a group could procure and deliver nuclear or biological weapons), and partly the difficulty of a feasible, effective response. Suppose the United States is the victim of a very serious cyber attack by a nation that has nuclear arms. How do we retaliate? If we use nuclear weapons, we risk counter-retaliation by nuclear weapons. If we use cyber weapons to retaliate, they may prove to be relatively ineffectual, either because the enemy has better cyber security or because it simply is less dependent on online data and communications for the management of its economy than the United States. We are confident that no nation could defend itself against a U.S. nuclear attack, but we can't be confident about our ability to devastate an enemy nation with a cyber attack.
What makes cyber warfare particularly insidious is that it is extremely cheap. It requires no raw materials, like uranium, no processing, like enriching uranium, and no delivery vehicles, like missiles carrying nuclear weapons. In these respects biological warfare is similar, but it is indiscriminate—it is difficult to shield the attackers from contagion. That is not the case with cyber warfare. And to prevent the proliferation of cyber warfare capabilities is impossible, because they are inexpensive, requiring basically nothing more in the way of inputs than software scientists and engineers. An international convention with inspections by an international agency analogous to the International Atomic Energy Agency would be unworkable because the cyber "warriors" would not work in identifiable facilities and because cyber weapons are immaterial rather than material entities. Of course the cyber warriors use computers but the computers are multi-purpose—they don't identify themselves as weapons.
Although at present defense against cyber warfare is very difficult, and indeed seemingly ineffectual, a pooling of the civilized world's computer expertise in an international effort to secure computer networks and databases against online espionage and (especially) sabotage, as well as to create redundancy in such networks and databases that would enable their essential functions to be maintained even after a large-scale cyber attack, would certainly be a worthwhile undertaking. There are indications of cooperation between the United States and close allies such as the United Kingdom and Israel. Let us hope that international cooperation in cyber defense is expanded and adequately financed.
The Challenge of Cyberwarfare and Cyberspying -Becker
In May 2010 the US military appointed its first four-star general to direct its defensive and offensive capabilities in cyber warfare. China, Russia, and other major countries also have increased their skills in this new kind of warfare. All major banks and other companies, such as Google, continue to upgrade their protection against breaches of their information and computer network systems. The increasing dependence of both modern economies and modern weaponry on computer-based networks and online storage of information explains the rapid expansion of programs to repel cyber attacks, and to provide armies with significant offensive cyber capabilities.
Of course, modern warfare still relies on large numbers of combat military personnel. But the architecture of the military has become increasingly computer-based, with online communications, information storage, and other essential components that use cyberspace, or can be disrupted through attacks from cyberspace. Countries at war would gain an enormous military advantage if they could shut down the computer networks of their adversaries for even a few hours.
Larger companies in developing as well as developed countries rely increasingly on the Internet and computer networks. Valuable information can be stolen, privacy of customers compromised, and internal and external communication made much more difficult when these systems get breached.
Warfare and espionage against government and private targets are not just hypothetical possibilities. After gaining independence from the Soviet Union in 1991, Estonia became a technologically sophisticated nation where the great majority of Estonians had access to the Internet, and much business was conducted online. Estonia suffered one of the first cyber attacks on a whole nation for a couple of weeks in 2007. Computer robot networks seized control over huge numbers of computers from many other countries, and used them to attack different targets in Estonia. These attacks crippled activities by the Estonian government, banks, and other businesses. Suspicion focused on the Russian government as the source of these attacks, but this could not be conclusively proved.
Georgia suffered severe cyber attacks slightly before the Russian invasion of Georgia in 2008. The attacks hit government websites, the media, banks, and other businesses. Georgia was more backward than Estonia, so these attacks on Georgia did not cause as much devastation as the earlier ones on Estonia, but they still inflicted considerable harm for a while. The timing and other evidence suggested again that Russia was behind these attacks, but no conclusive evidence could substantiate this belief.
Almost every day another company admits that its computer and online security systems have been breached. Often the attackers turn out to be hackers who just enjoy showing they can defeat even top-of-the-line security firewalls. The culprits are sometimes criminals who seek information, such as credit card names and passwords, which they can use for financial gain. The hackers may also be governments that spy on companies in the hope of acquiring valuable proprietary information.
This week the American cybersecurity company McAfee issued a report that claims to identify a single government perpetrator (alleged to be China) of large numbers of cyberattacks on other governments, companies, and even the United Nations. So far their claims have not been confirmed.
Combating cyberwarfare and cyberspying faces several unique challenges. Since cyberspace is not owned by any nation, and is easily accessed by billions of individuals and companies, it is often very difficult to get clear evidence about who is responsible for cyberattacks, such as the attack last year on Google's source code, or the earlier attack on Estonia. Are they from governments that are probing for state and business secrets, or from private hackers seeking publicity, or valuable information that they can use for financial gain? If the source of the attack cannot be identified with much confidence, it is hard to establish a credible system of deterrence.
A second major challenge is the intrinsic vulnerability of many Internet and computer network systems. It has long been recognized that foolproof security systems do not exist, whether they be vaults, safes, identifications for checking accounts, or other traditional forms of protecting valuable assets. Any security system that protects information will generate efforts to access that information, including sometimes efforts by individuals who helped design these systems.
Since security systems that protect information in cyberspace are even more vulnerable, continuing battles take place against public and private hackers who probe for weaknesses in these systems. No company or government can ever hope to have a cyber-based system that cannot be breached, but they can make breaching more difficult.
The development of clearer international law about hacking would help deter attacks in cyberspace by private individuals and groups. Cyberattacks on military targets might also be brought before international tribunals, but countries have to prepare their own responses. These responses include cyber and other retaliations against cyberattacks during both wartime and peacetime on vital military network and information systems.