How the cyber domain blurs the lines on warfare
- By Mark Pomerleau
- Jul 23, 2015
U.S. leaders are still wrestling with the complicated questions of how best to respond to cyber attacks. For evidence, look no further than the breach of records at the Office of Personnel Management. Privately, officials say they’re certain China was behind the hack. But publicly, it appears the United States will not point the finger at China or retaliate, primarily for two reasons: ongoing economic relations and the fear of revealing intelligence methods.
First reported by the Daily Beast, the U.S. is concerned that if it publicly names China, they will have to provide proof, which will require some revelation of intelligence practices – something the U.S. is loath to do considering the already damaging intelligence hits such as the OPM breach and reports that ISIS has studied practices from documents leaked by former NSA contractor Edward Snowden. “Revealing technical details of how the U.S. has attributed the breach of OPM to Chinese actors could tip off hackers to the ways that American intelligence agencies track them,” the report quoted one cybersecurity expert as saying.
This exemplifies the fine line in the cyber domain between war and espionage, a trade as old as territorial borders themselves. “A key challenge in this new environment of fear is that terms like ‘cyber war’ and ‘cyber Pearl Harbor’ are tossed around today in politics and media with as much precision as the term ‘war’ itself,” P.W. Singer, and August Cole wrote recently in Politico.
“We are at cyberwar as much as the ‘War on Christmas’ is an actual war,” wrote Singer and Cole, authors of the new novel “Ghost Fleet: A Novel of the Next World War.” “Just as a glitch is not an attack, stealing data is not war. Dependent on the goal and target, it is crime or espionage. No one likes to have their secrets stolen, but no nation has ever in history gone to war over lost secrets.” The authors assert that “real war,” or traditional kinetic operations, requires two key aspects – mass violence and high-level politics – that have not emerged yet in the cyber domain yet.
With the exception of a few events, the cyber domain is mostly being used for espionage between nation states. Acts of “cyberwar” will most likely involve attacks that either intend to or actually damage critical infrastructure, such as the Stuxnet virus developed by the U.S. and Israel that incapacitated several Iranian centrifuges. Singer and Cole outline a scenario in which “Cyberwarfare would seek to make a software error into a deliberate act, where the simple ability to block access would cause mass confusion and ineffective operations.”
An example they pointed to was a glitch that killed 10,000 military GPS receivers, “meaning everything from trucks to the Navy’s X-47 prototype robotic fighter jet suddenly couldn’t determine their locations.” In such cases, the cyber domain could be used preemptively or as an adjunct to ongoing hostilities.
Spy vs. spy
“To grab the equivalent in the Chinese system, I would not have thought twice. I would not have asked permission,” former CIA and NSA director Gen. Michael Hayden said following the OPM breach. “This is not ‘shame on China.’ This is ‘shame on us’ for not protecting that kind of information,” Hayden’s comments, which echo those of the Director of National Intelligence James Clapper, indicate that for now at least, cyber is just being used as an extension of traditional espionage tools.
“Long before the Internet, we’ve had espionage and counter espionage tenets…they’re tools of the national policy…my suspicion, my sense is that this just another domain that we need to extend those in,” Mark Testoni, president and CEO of SAP National Security Services (NS2), told Defense Systems. These espionage tactics in the cyber domain are no different than those in the more traditional sense, e said, “other than there’s an underlying technology that makes it easier to get the information.”
The Defense Security Service defines cyber espionage as “The act of obtaining, delivering, transmitting, communicating, or receiving information about the national defense using cyberspace with an intent, or reason to believe, that the information may be used to the injury of the United States or to the advantage of any foreign nation.”
The fact that the information lifted from OPM has not reached the black market indicates that whoever took it – again, all signs point to China – is playing a longer intelligence game. “Experts believe the OPM cyberattack is the work of Chinese intelligence and say the theft will be used to help carry out espionage and better inform targeting (and possible blackmail) campaigns aimed at U.S. intelligence personnel,” writes Daniel Gonzales, senior scientist at RAND Corporation.
“In addition, because security clearance and job assignments were also stolen in the OPM hack, U.S. espionage efforts may suffer significant and long-term damage,” Gonzales writes. “The massive theft of personal data could potentially be used to commit a range of additional disruptive and damaging cyberattacks, including those that disrupt tax collection and refunds on a broad scale or that prevent access to the bank accounts of U.S. government officials, members of the U.S. military and military contractors.”
As opposed to attacks from nation states, attacks from criminals and non-state actors are most likely conducted for shorter-term personal gain, from either selling stolen information for a high fee or using lifted information to steal people’s identities. Some more organized non-state actors also can use these attacks to intimidate perceived adversaries, such as the hacks committed by sympathizers of ISIS.
The increase in cyber operations from both nation states and non-state actors reinforces the importance of counterintelligence practices and defenses. Several U.S. agencies are responsible for various levels of counterintelligence (CI), ranging from traditional intelligence and law enforcement agencies to the Energy Department. The National Security Act of 1947 defines CI as “information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations or foreign persons, or international terrorist activities.”
According to a CIA study, “it is the job of US counterintelligence to identify, assess, neutralize and exploit the intelligence activities of foreign powers, terrorist groups, and other entities … The signature purpose of counterintelligence is to confront and engage the adversary.” To that end, some have pointed out that it would be hypocritical for the U.S. to punish the Chinese for something the U.S. would not think twice about doing – although even in the traditional sense, spies that are found are punished.
“We have to go on the attack and punish those that are trying to get on the inside,” SAP’s Testoni said. He believes that folks have shied away from talking in terms of offense in the cyber domain, but cyber must be approached like the physical battlefield. “We want to create much like we do on the battlefield…a cost for playing and fighting in this space,” he said. “So whether you’re a state actor, you’re some sort of a non-state actor affiliation…if you come after us, you’re going to pay a price – much like if you were to attack our military overseas or our homeland.”
As the Washington Post recently pointed out, however, economic espionage was thought to have the potential of warranting a forceful response. “A reluctance to retaliate could encourage adversaries to continue targeting U.S. government networks,” said Robert K. Knake, a former White House cyber official, noting that suspected spies were arrested or expelled from countries during the Cold War.
A distinct difference between the cyber and traditional physical attacks how often cyber crosses over to the private sector. “When we look at [cyber]…it’s not the traditional battlefield,” Testoni said. “People are going after our companies. The Chinese have been going after our intellectual properties for many, many years, so it’s a much more comprehensive problem.” Within the past year, several private companies’ customer information—such as those at Anthem and Home depot—had been lifted either by hackers or nation states.
A second difference, as former Rear Adm. William Leigher points out, skilled cyber attacks can be more insidious than kinetic attacks because scyber attacks can go months before being detected – case in point, OPM. “[U]nlike traditional military attacks, the intelligence breaches and battle damage from cyber strikes isn’t always immediately obvious – in fact, it can take months or even years to detect,” Leigher writes.
The U.S. is continuing to evaluate and define operations in the cyber domain. At a recent congressional hearing, Sen. Tim Kaine (D-Va.) complained that definitions of what kind of cyber attack would qualify for retaliation were “hazy.” “I have been on this committee for two and a half years now, I don’t really have an understanding for what our cyber strategy is,” he said. “Do we have a line by which we would say when a cyber attack constitutes war, do we have a clear doctrine for the kind of response that we should make to cyber attack? What is the policy with respect to cyber deterrence, cyber defense, and then offensive use of cyber?”
Lt. Gen. Edward Cardon, commander of the Army Cyber Command, has said that despite, struggles in cyberspace, the military will adapt, much like it did against the immensely devastating improvised explosive devices used against soldiers in Iraq and Afghanistan.
Some officials, such as Christopher Painter, the State Department’s coordinator for cyber issues, have outlined responses to specific types of cyber incidents, but as tensions and operations continue to ramp-up in the cyber domain, the U.S. strategy and response will likely to continue to adjust in kind. So what can be done going forward?
On the domestic side, folks such as Testoni believe government and private sector collaboration are a must. This collaboration translates into information sharing, as seen in pending legislation, and leveraging the innovative minds in regions such as Silicon Valley, an idea Defense SecretaryAshton Carter is promoting. On the government side, Homeland Security Secretary Jeh Johnson has requested that Congress make the EINSTEIN tool – described as “first basic layer of protection…at the network perimeter of each federal civilian department and agency” – more available to all agencies.
The military, for its part, need to focus on the deterrence factor. Offensive capabilities to punish intruders would help contribute to dominance in other domains, where the United States’ traditional dominance is being challenged. Officials have asserted that responses to cyber incidents do not always have to occur in cyberspace; they might include economic sanctions or international condemnation.
The Defense Department recently released its updated cyber strategy, with other service branches releasing strategies of their own. So the military is moving forward on its cyber plans. However, breaches similar to OPM will likely continue, further escalating and blurring the lines in cyberspace.