Weapons Stockpiles of the Future will Include Stashes of Zero-Day Vulnerabilities, Botnets, Control Codes and Sophisticated Malware
Throughout history, the victors of warfare are usually those most technologically adept. From the stirrup to the trebuchet to gunpowder to the hydrogen bomb, technological developments have shown that military conflicts are won not only by the courage and strength of the men and women on the field, but also by the ingenuity of the inventors and engineers back home. Today, drone technology and other remotely controlled arms have given Western powers a decisive advantage over their opponents; soldiers no longer require proximity to destroy infrastructure or kill enemy combatants with precision.
When war breaks out, early targets invariably include the lines of supply and communication necessary for a well-oiled military to function. Destroying a bridge or a telecommunications hub could help bring a conflict to a speedier and less bloody conclusion. But in the 21st century, not all critical infrastructure is physical. The Internet permeates almost every aspect of daily life in many nations, playing a vital role in transport, industry, healthcare, finance and even the military. Today, digital networks are ripe with high-value targets, and opponents do not need a bomb or a missile to bring the foundations down. The Internet has become, some argue, the “fifth domain” of warfare, after land, sea, air and space.
The 21st century has already revealed itself as the era of asymmetric warfare in the offline world, and the same is undoubtedly true in cyberspace. For better or worse, the Internet is a great leveler — the same low barriers-to-entry that allow disruptive business models and technological innovation to thrive also enable criminals and enemy states to more easily create weapons of mass disruption. The threat is greater to established economies, which have more to lose economically from Internet-based attacks.
In recent years, this reality has become explicitly acknowledged by national governments. In the U.S., last year saw the formation of United States Cyber Command, an effort to coordinate the defense of Department of Defense networks across the Army, Navy, Air Force and Marines. USCYBERCOM, as it is known, reached full operational capacity in November 2010. In May, the White House recognized that “cyberspace” now has a part in traditional forms of conflict — and clearly stated that the U.S. will exercise its right to self-defense — in its first International Strategy for Cyberspace. And in July, the Pentagon announced its new cyber-defense strategy with the news that unidentified hackers recently invaded the computers of one of its contractors and stole 24,000 “sensitive” documents.
In China, thought to be the source of a great many cases of Internet-based industrial espionage, the People’s Liberation Army (PLA) confirmed in May what many had suspected for years — the existence of an elite team of Internet security experts focused, ostensibly, on defensive initiatives. This so-called “Blue Army” reportedly has existed for at least two years and comprises a few dozen of China’s finest security minds, drawn from within the PLA and from the general citizenry. Some defense experts in the West believe the group has been operating for longer, and that its remit is not purely defensive.
Elsewhere in the world, defectors from North Korea have reportedly revealed that the secretive regime has amassed an army of some 30,000 hackers to launch cyber-attacks on South Korea. Iran has reportedly bragged about the scale of its own hacking initiatives. The 2008 land conflict between Russia and Georgia saw a parallel distributed denial of service attack against the Georgian Internet infrastructure, described by some at the time as possibly the first cyber war, although links to the Russian military were never proved.
The offensive weapons of cyber warfare are already among us, and it is not only the United States’ competitors and adversaries that stand accused of using information warfare tactics to advance their interests. The Stuxnet worm that emerged last year was specifically designed to infiltrate SCADA systems used to control industrial processes; many experts have speculated that it was created by Israel and/or the USA to disrupt Iran’s nuclear program.
Stuxnet exploited no fewer than four zero-day Windows vulnerabilities and demonstrated deep knowledge of the inner workings of SCADA, a level of sophistication not usually found in malware created by the criminal community. This lead many observers to conclude its creation was government-backed, and that it was designed for military sabotage. Geo-political goals that in the past may have been achievable only through covert means or military intervention in the physical world have now become achievable using techniques that only a decade ago were largely the domain of disgruntled teenage hobbyists and vandals.
Rules of Engagement for Cyber Warfare
The rules of engagement for cyber warfare are still unclear. It’s not obvious today under what circumstances an Internet-based attack on digital infrastructure in the U.S. could be considered provocation worthy of a conventional economic or military response. Nor is it entirely clear how the Internet would be utilized as part of such a response. World leaders have yet to come to official — or unofficial — agreements about what constitutes acceptable use of the Internet, and what crosses the line. When is a civilian informational target legitimate, and when is it not? When does a malicious hack cease being an act of espionage and become an act of war? How much responsibility should law enforcement or the private sector take on when it comes to defending civilian targets?
Those are questions public and private sectors are still wrestling with. What is clear is that the weapons stockpiles of the future will include stashes of zero-day vulnerabilities, botnets, control codes and sophisticated malware, and that the military veterans of the future will be drawn not only from the front-line ground, air and sea troops, but also from the ranks of the cyber security profession. Soldiers more comfortable studying code on a laptop screen than staring down the sights of a rifle will play a key role in future battles. In some cases these men and women will be responsible for averting bloodshed, but in others their efforts may, sadly, provoke it.