Security Experts:

Cyberwar: Breaching the Kinetic Barrier

What would happen if Chinese or Russian agents were to conduct a covert operation, sabotaging America’s electricity grid using targeted bombs, leading to widespread power-outages resulting in, amongst other things, patients dying in hospitals, an economic crash, traffic accidents, and people freezing in their houses. Would this neutralize a nation’s armed forces ability to retaliate?

Would this be met with nothing more than acceptance and resignation? Would the US Government just watch helplessly?

Threats of Cyberwar

That is what some people would like you to believe; only instead of an actual physical bomb, the strike will supposedly occur using computerized means only.

At the end of 2012, as is usual at the end of every year, many “predictions” and warnings echoed such sentiments, with observers ranging from the uninformed to the utterly unqualified, acting the Cassandra and warning us of the dire and catastrophic consequences of cyberwar in 2013.

It appears that logic breaks down here. Somehow, some cyber security researchers (note I say cyber security, and not cyberwar researchers) and marketing people believe that there will be acts of war, without an actual war.

After 9/11, as a response to the terrorist attack of a small, but well organized group of terrorists with the backing and assistance of some elements of rogue nation states, the US invaded two countries, among many other actions.

What would be the likely consequence of a cyber-attack with actual kinetic impact and intended or collateral damage in the form of human lives? The answer has already been provided, at least as far as the current US administration is concerned, with Defense Secretary Leon Panetta having said, that the United States reserves the right to use military force against any nation that launches a cyber-attack against America or its assets and interests.

Back in October, the New York Times reported that Panetta also made quite clear, that the greatest fear of the Government currently is “The most destructive possibilities involve cyber-actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack”, describing the collective result as a “cyber-Pearl Harbor” that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”

The comparison with Pearl Harbor is interesting and worth a closer look. Why was the phrase “A Cyber 9/11” not used instead? It is unlikely that Panetta did not choose his words carefully and deliberately, so there are essentially two explanations:

1. It was decided that the term “Cyber 9/11” would conjure up the wrong connotation

2. The word choice was deliberate

The first explanation has some merit to it. After 11 years of constant media-saturation of the concepts and terms “The war on terror” and “9/11”, there is a certain amount of fatigue, as well as skepticism and cynicism attached to them. There is also a sense that that horse has been flogged to death, initially with many false warnings of further incidents that for the most part failed to materialize due to increased security. These labels are now negatively loaded in the mind of the general populace.

What about the other explanation? The term “Pearl Harbor” was deliberately selected. What image was Panetta attempting to project?

A brief history lesson is in order.

Pearl Harbor is a deep-water naval base on the island of Oahu, Hawaii. It has been used by the US Navy as the headquarters of the United States Pacific Fleet since the early 1900’s, when following the annexation of Hawaii by the United States, the harbor was enlarged for use by warships and the building of a large naval base.

It entered the history books in infamous circumstances on December 7th, 1941, when Imperial Japan launched a surprise attack against the naval forces stationed there, prompting the United States entry into Second World War.

The root cause of the attack can be found in the resurgence of expansionist policies of Imperial Japan, beginning in 1931 with the invasion of Manchuria, and then China in 1937, and the associated reports of atrocities and massacres. These reports influenced public opinion negatively towards Japan in the United States and Europe, finally culminating in the sinking of a US gunboat, the USS Panay in December 1937.

The United States reaction came swiftly in the form of an oil and steel embargo, which had a huge impact on the Japanese economy. This embargo brought the Japanese war machine to a halt, leaving Japan perilously without the necessary resources to continue its war against China.

The Empire of Japan was left with two choices: withdraw from its newly acquired territories and the war in China, or go to war for the required resources by invading the Dutch East Indies. With the administration of President Roosevelt refusing to sit at the negotiation table until Japanese troops withdrew from China, Japan chose the latter.

Japanese generals and policy makers came to the conclusion (often claimed incorrectly) that the United States would enter the war if Japanese forces attacked the Dutch East Indies, and so decided to launch a preemptive attack against Pearl Harbor, intent on crippling the United States Pacific fleet and any possibility of the US engaging in the Pacific war theatre.

Cyber WarOn the fateful day, 353 Japanese fighter, torpedo and bomber planes descended on the Naval Base in two waves. American losses including 2,402 dead, 1,282 injured, 188 aircraft and 8 battleships damaged. The next day, America declared war on Japan and entered the conflict in both theaters, Europe and the Pacific on the side of the Allies.

There is a general agreement now that although the United States Intelligence community was aware that the Japanese were in the planning stages of a military operation against American interests. There was disagreement and uncertainty about the precise location and time, leaving US forces without warning and unprepared.

In recent times, the circumstances revolving around the lack of a formal declaration of war has also come under scrutiny, with evidence that there were disagreements even within the Japanese leadership on the topic.

In essence though, the surprise attack came without a prior declaration of war – and it is this facet that is of interest for us, considering Defense Secretaries Panetta’s statement and insistence on the label.

It is highly doubtful that the selection of the phrase was arbitrary - on the contrary it seems purposefully selected. So the question is, why? What does Mr. Panetta, and the US Intelligence Services know or suspect? Or was the choice just based on the mental priming effect and the symbolic impact of the event?

With more and more reports of governments focusing on offensive cyberwar-capabilities, from the United States and the United Kingdom, to Russia and China, and even Singapore, we need to listen carefully to what Policymakers are saying right now.

After the first successful testing and then use of nuclear weapons by the United States in 1945, it took 4 more years (1949) until the next nation, Russia, acquired nuclear weapons. In another 3 years the United Kingdom tested such a weapon in 1952, and France joined the nuclear club in 1960. In 15 years 4 countries developed these offensive capabilities. The proliferation process was a sluggish one. The same process for offensive cyber-capabilities appears to be speeding ahead at a much quicker pace, with far more actors.

At the same time, events on the geopolitical world stage are showing increasing tensions, with an ongoing civil war in Syria that is looking more and more like a proxy-war involving at least Russia and China, a fresh Islamic rebellion in Mali drawing in UN intervention, and the increasing calls for action against Iran. It seems that everything that is being said may be of utmost importance and relevance.

When a historic parallel such as Pearl Harbor is used by the United States Defense Secretary, with all of the background to that event, maybe one has to pay very close attention.

At the same time, there is another important lesson in the statement that Defense Secretary Panetta made – and it is this lesson that should really make you doubt the dire doom-mongering that is coming from some corners. Should any international actor think that cyberwar-operations and offensive activities will have no serious consequence, they will be sorely mistaken and ultimately pay a high price for it. It is akin to a declaration of war – one that will very quickly move from the cyber-theater to the other 4 domains of warfare. Thankfully, most nation-states have intelligence services that are aware of this – and will likely keep a cooler head than most representatives of companies that are trying to sell cyber security solutions.

As I have stated in a prior article (Putting Cyber warfare into perspective), cyber warfare has limited application fields – covert operations such as espionage, intelligence gathering and limited sabotage – direct application in actual kinetic conflicts that rely on electronic and computerized aids, weapons and tools – or as a component of a strategy for all-out war.

The risk of cyber-terrorism is of course far greater – religious and dogmatic fanatics and radicals may indeed wish to provoke such a conflict. But we have to try and differentiate between that, and actual nation-states taking potshots at another- activities with very little to gain in real strategic terms, but which could very quickly escalate.

There are of course exceptions – many smaller countries may attack each other, without fear of retaliation. But for someone to take action against one of the big players, such as the US, Russia or China, they will literally provoke a war. That alone will keep such activity in the realm of speculation, at least for now. Even smaller players will be able to offer at least some resistance, in the form of trade embargos or restrictions, and the withdrawal of diplomatic relations.

Cyberwar, at least the type where infrastructure or actual lives are targeted and destroyed, will not just happen for the fun of it. There are consequences to any such activity, as recent policy activity and policy makers make clear. As the Cyber Pearl Harbor comparison makes clear, it will be considered an act of war.

Oliver-Christopher Rochford works for Tenable Network Security and lives in Germany. He has over a decade of Information Security experience garnered from such diverse companies as Integralis, Qualys, Secunia and HP ESS, and has frequently written and and given interviews on the topics of Information and Offensive Security, as well as Cyber-Terrorism and Hacker Culture.