The first two months of 2013 witnessed a level of escalation in cyber espionage and cyber exploitation incidents that few would have predicted or felt was possible even a few months ago outside of a small circle of mavericks.
The first hint at the true scope of covert cyber op activities became apparent at the end of January, with the New York Times telling the world that it had found evidence of a breach on its network, lasting at least 4 months and targeting the computers of over 50 employees, many of them suspiciously involved in reporting on China and Chinese affairs. At the same time, it came to light that Bloomberg, the Wall Street Journal, CNN and the Washington Post had also been targeted.
On the heels of that, Twitter also reported that it had been targeted by a “sophisticated” cyber exploitation attack with 250,000 user credentials being compromised.
More worryingly, we also received information from Symantec that Defense and Aerospace companies had recently been the subject of a cyber-exploitation campaign, and in the first week of February the US Energy Department confirmed that it too had been the victim of a recent breach in January, followed by the Federal Reserve.
China, the apparent and alleged perpetrator of this espionage campaign, has denied all involvement.
Some analysts agree with the official Chinese Statement, citing issues with attribution amongst other discrepancies.
I wish I could gloat at all of the people who claimed that the warnings of some analysts in this regard were overblown and hype, and just intended to sell more security products, but sadly the severity of these revelations has made gloating a secondary concern.
This worry is rightfully shared by US officials, who are preparing a National Intelligence Estimate to assess the true extent of the situation, amidst a flutter of other frantic and, at least from afar, chaotic activity. Amongst these was the report that the Pentagon is expanding its Cybersecurity Force fivefold, a move that has caused quite a lot of skepticism in regards to whether this really has any defensive value at all, or if it is even feasible to find that many cyber warriors. Obama has also issued a widely-anticipated executive order on cybersecurity this month.
A further revelation was that cyber weapons have now been approved as a means to execute preemptive attacks. This has caused some confusion even in informed circles and as other commentators have pointed out, seems belated considering the revelation that the US orchestrated the Stuxnet attack on Iranian Nuclear Facilities, the first ever incident of an actual cyber-attack with kinetic impact, albeit on infrastructure, and thus, the first operation to actually deserve the label of ‘cyber attack’, as opposed to cyber exploitation or espionage. The academics are slowly becoming irate with the liberal use of the term. The distinction is also important, because each has a different legal status in international law. As an interesting side note, an official inquiry has begun investigating who was responsible for the leak to the press on the topic.
All evidence points to US Officials further pursuing the “Active Defense” Doctrine, despite calls for caution, warnings and criticism by experts and researchers regarding the consequences and the defensive flaws of such a strategy.
The somewhat more cynical observer will recognize a different pattern here. It’s not actually about Defense – not exclusively.
This strategy also makes perfect sense, once we begin to look at the dynamics and logic of Might and Power. The truth is that most international actors are powerless to stop any offensive cyber operation that targets them.
To put this into perspective let us look at a hypothetical scenario – in this scenario, one or all of the remaining greater powers (USA, China, Russia) invest heavily into offensive capabilities, giving them the ability to dominate the majority of other international actors in the realm of offensive cyber-operations.
Given enough investment in offensive cyber capabilities to develop them to a level of sufficient maturity and effectiveness, there is little that a defender could do to prevent an aggressor gaining entry to and undermining his entire cyber-infrastructure. Little aside from retaliation of course – which could take one or more of several forms – from a counter-cyber-op to military action, from economic sanctions to seeking international support in the form of a U.N Resolution or similar. But this is predicated on the injured party having enough clout – militarily, economically, or within a regional or international body or community – to actually represent a realistic deterrent.
In the case of the United States, who have historically held one unique advantage over every other power; the majority of the world’s business, government and military’s high technology is designed and manufactured there. Theoretically this allows unprecedented access to, and cooperation with, both this valuable pool of knowledge and the actual products and services being used by 3rd parties and powers. This gives the US an immediate technological advantage.
This advantage in recent years has been somewhat diluted and subsequently extended to a few other international actors in certain industries and technological fields – notably China being the most successful contender, and in the case of some technologies, even usurper.
Geopolitics and the advance in sophistication and spread of technology have also fundamentally changed how, where and by whom technology is used. This is having a considerable and increasing impact on military, defence and intelligence operations.
A shift in strategy is evident. Cuts in defense budgets are already leading to the reallocation of funds into newer technologies such as drones and cyber-security. The reasons why are obvious. Military operations and escapades in the latter half of the twentieth and so far in the twenty first century have shown that pitched battles based on armies composed of tanks and infantry have lost their practical validity (although the reasons are less technological and more social and economic), and in the near future this will become even more so. Armies are trimming down and becoming more specialized than in past times, with the percentage of military combatants compared with civilians amongst the lowest in recorded times. The way of making war has once again markedly changed from one phase to another.
Building an armed force with the ability to project might and influence internationally primarily based on drones (not just in the aviation domain), small but effective special operation forces supported logistically and with intelligence provided by cyber-operations may well become classical military triumvirate of the 21st century.
Cyber-operations will allow anyone with a sufficiently sophisticated developed capability to literally infiltrate, co-opt and abuse much of the economic, military, administrative and even social cyber-infrastructure of any victim lacking sufficient deterring power. Being able to send a fleet of remote-controlled aerial drones potentially equipped with a dizzying array of different missiles and other ordnance, and then mop up whatever is left is a mighty enough deterrent to make anyone but a militant fanatic think twice about any cyber-adventure that may be considered too daring. We already know that this option is on the table.
For lesser infringements and cyber-attacks that have been attributed with a high degree of certainty but without any kinetic impact, for example espionage, traditional diplomatic methods and instruments will also be sufficient to punish any would-be aggressor. These include economic and trade sanctions, suspending aid and development funds, or opposition in regional and international interests in international governmental bodies.
Smaller and especially poorer actors will fall behind, lacking the resources to construct effective security architectures, reliable and persistent offensive cyber capabilities, or to gather enough support to exert sufficient external pressure.
There will also be scant evidence for them to make any legally tight and verifiable claims in front of any international court or similar body. No spy or saboteur to physically apprehend leaving plenty of room for plausible deniability.
There is a saying: “Might is right. And a lot of might means a lot of right”. In this case, Might means that you can act with impunity in the realm of cyber operations. It is this path that the USA appears to have chosen. This is further underlined by the a development that may seem unrelated – the redefinition of Imminence by the current US administration, that we have just found out about, which broadens the definition of what constitutes evidence to “legally” justify a preemptive strike. It seems unlikely that this will not also be applied to preemptive Cyber operations. Take these two developments together, and the legal justification for any such action can be stretched to just about anything.
The overarching strategy that the US appears to be following then, can be summarized in a few precise short sentences
We will hack you at will.
If you hack us back, we will smite you.
Oh, unless you’re China.
The USA is of course not the only active player in this game. China as we have seen, even if it is doubtful that all of the activity can be attributed to them, and Russia have already shown their own willingness to flex their virtual muscles.
It remains to be seen how the big powers will come to agree on the precise rules to govern cyber operations – currently the international legal status is uncertain, but the little players had better concentrate on improving old and developing new defensive measures.