
whither cyber war

Milking a metaphor or wave of the future?

For several days in May, the networks of both public and private institutions in one of the most wired nations in the world were attacked. The alleged perpetrators: Russia. The attacks were eventually put down and the country’s information infrastructure rebooted, but the victim – a member of the NATO alliance – called for retaliation. In the information age, is a cyber attack akin to a physical one, and if so, are we prepared to fight and win in cyber space?

---

The issue was straightforward: Now independent Estonia was no longer going to stand for the presence of an old WW II statue commemorating a then-Soviet victory. The Russians viewed the Estonian position as an insult. When a war of words failed to cause the government in Tallinn to acquiesce, a digital arsenal was unleashed.

The attackers were careless at first, striking out from at least one computer system used by the Russian government. Technical experts in Estonia quickly touted this discovery as proof of Russian involvement.

After a slight pause the attack was renewed, this time from a broader series of “botnets” or networks of compromised computers spread out around the world. Of course now it was harder to assess with any accuracy the actual source of the attacks but it hardly mattered; networks were unavailable and in a highly-wired nation that meant a lot of things were not getting done.

Placed under the light of forensic scrutiny, evidence that Russia proper was behind these attacks is now in question. In fact the Estonians have officially asked for Moscow’s help in identifying the “real” perpetrators of the attack. In light of more recent reporting of the computer systems belonging to opposition political parties in Russia being subjected to similar attacks, one would have to be a strong believer in coincidence to think that the Kremlin was not giving a discreet wink to the attackers – wherever and whoever they may be.

---

Conflicts in cyberspace are not new, though by and large they have been minor skirmishes of an emotional nature or exercises in self-aggrandizement.

Before there was the Web there was the telephone network, and rival hacker gangs like “Masters of Deception” and “Legion of Doom” battled each other over the wires as a way to demonstrate their technical knowledge and creativity.

As public access to the Internet became commonplace and the World Wide Web emerged, the rush to get anything and everything on-line meant a big emphasis on access and a near total disregard for controlling that access. The technical skill held by the likes of those early phone-system hackers was replaced by readily downloadable, point-and-click simple tools that allowed anyone to spray cyber graffiti or digitally TP someone’s computer.

In those early days not everyone viewed the ease with which one could negatively impact a computer system as a game. “Digital sit-ins” and simple denial-of-service attacks were being conducted as early as 1995 and such attacks continue to this day, though they seem to have peaked in volume and fervor by the late 90s.

Nearly every major contentious real-world event has resulted in the development of a cyber counterpart. The second Intifada in 2000 was executed hand-in-hand with an “Inter-fada” launched against computer systems in Israel. The US was subjected to a rash of attacks after both the accidental bombing of the Chinese embassy in Belgrade during Operation Allied Force (the Serbs engaged in their own series of attacks against NATO systems) as well as after the forced landing of a US Navy reconnaissance aircraft in early 2001. Chinese and Taiwanese hackers have battled several times over the issue of Taiwanese sovereignty and both China and Japan have had digital throw-downs over issues related to WW II.

---

Extrapolate too carelessly and it is easy to see how one could get excessively concerned about cyber conflict or carried away with a military-digital metaphor mash-up. To be sure there are concerns, but a number of mitigating factors too.

The impact of even sophisticated cyber attacks is rarely catastrophic, though recovery can be very expensive and time-consuming. The largest amount of damage done on a wholesale level tends to come from malicious code (worms, viruses) outbreaks. They spread rapidly and are quickly put down, but the clean-up can take weeks and cost millions-to-billions (depending on which security company’s numbers you trust) in both actual costs and unrealized gains.

Attacks from insiders – people who exploit their legitimate access in an act of vengeance – are the most likely to devastate an institution. In fact some such attacks have forced firms to go under because recovery of vital corporate data was impossible. Such attacks carried out by those who work for the government cause nearly incalculable damage that goes beyond the mere cost of hardware and software.

The impact from attacks generated by outsiders has tended to get less severe over time than attacks by insiders or malicious code events. This is due in part to a corresponding increase in the level of effort that has been applied to digital defense. This is primarily true at an institutional level; it is plain old home users who tend to suffer the most from these sorts of attacks.

---

Sadly, the same weaknesses associated with individual users or private institutions also affect government institutions. Disinclined to sit around waiting for a “Digital Pearl Harbor,” the military is acting.

There is joint, Army, Navy and Air Force doctrine on how to fight and achieve dominance in cyberspace. The public declarations from the military’s top “cyber warriors” make their intentions clear: They aim to keep cyberspace available for employment in the national interest. The question that most of these officers have not been asked: How do you wage war when your operational environment is almost exclusively neutral and private property?

Consider that the physical underpinnings of cyberspace are owned by private concerns. Unlike the air above us or the seas around us, the dominant forces in cyberspace are the chief executive officer and system administrator, not the combatant commander or fighter pilot. Even if a nation were to nationalize such infrastructure – something that is impractical on many levels – cyberspace does not stop at the physical borders of the nation. “Securing” US cyberspace, by military standards, essentially means preemptively denying service to ourselves (doing the enemy’s job for him).

Private ownership and international inter-dependence of the (cyber) warfighting domain is not a minor issue. War in the physical world is conducted with platforms owned and operated by the government. As things are currently configured, conducting cyber war is akin to commandeering a commercial jetliner and using it to conduct bombing sorties. The problem of course is that now that formerly neutral entity is a legitimate target for our enemies and the primary victims will be civilian.

---

The issue of cyber war seems pathetic when you consider the physical, economic, emotional and political impact of September 11th, the bombings in Spain, bombings in the UK, and the horrors dealt out daily by al-Qaeda in Iraq, but that sort of thinking disregards the importance that we place on information and information systems.

An attack need not be excessively powerful, just properly focused. What happens if you can’t reliably make a cellular phone call? When electrical power becomes unpredictable? When you cannot regularly access your bank accounts? In an extreme case, to take a line from the movie Live Free or Die Hard:

What happened if you called for help and nobody came?

A well-planned and successfully executed cyber attack may not strike at our hearts like 9/11 did, but it most certainly can impact our heads and our health. Right now, this second, how long can you survive with the potable water in your house, the medicine in your bathroom, and the food in your pantry? How ignorant would you feel if you could not access the Web (a growing if not primary source of news for many in this country) or if the information contained therein were so corrupted you didn’t know if it could be trusted? I have long argued that the ‘Net is not a right, but for many it has become an essential service like water and power. When essential services are impacted negatively, you look to one entity to restore faith and confidence in that service, and that entity isn’t the firm to which you mail your bill.

Despite public testimony that a few skilled practitioners could take down the Internet inside of an hour, it has never been done. There are various theories on why this is so (including that it cannot be done) but one of the more reasonable ones is the “Spiderman theory.” Simply put: If you have the wherewithal to acquire such power, you are more likely to appreciate the responsibility that comes with such knowledge. Perhaps even more likely: If you have the power to rule the Internet, why destroy your own kingdom?

Securing or at least bringing a certain level of law and order to cyberspace is in the best interests of every government, but government has little practical control over the ‘Net. This is a disconnect that to date has left cyberspace in a fairly robust state of lawlessness.

---

Some have called cyber weapons the modern equivalent of air power. It is true that future conflicts of any sort will likely have a cyber aspect to them – either in preparing the battle space, playing a role in psychological operations, or denying or degrading enemy decision-making capabilities – but just as air power contributes to victory, cyber weapons are not a magic bullet. There is a saying in the Infantry: If they (your troops) are not there, you do not own it (territory). You can bomb a force to the point of submission, but someone has to go in and enforce the terms of surrender (a lesson being re-learned daily for about four years now). Cyber weapons might turn off the lights, but eventually the sun will rise and soldiers in every army know how to use iron sights.

Of course any nation preparing to fight in cyberspace should start to realize that a digital arsenal is a double-edged sword. The knowledge, skills, and infrastructure necessary to build and execute cyber war only make you more vulnerable to attack. In a cyber war who suffers more: North Korea or the US? The US or Iran?


(Could you even do IO prep of the battle space for NK?)

This is where non-state actors have yet another edge over us: They have little if anything to lose should they engage in a cyber conflict. When cyberspace is your operational environment, your legions global, and your weapons virtual, then bullets and bombs, loss of territory and a lack of freedom of physical movement are of little concern. The attack on Estonia drove the point home: You cannot shoot back if you do not have a legitimate target; if you shoot back anyway you’re probably missing the actual perpetrators.

---

The question about what to do about the attack on Estonia is currently unresolved. Technically speaking an attack on one NATO state should be viewed as an attack on them all, but no other alliance nation is clamoring for retaliation. It was barely five years ago that NATO nations finally resolved how to deal with the issue of warning about cyber attacks. Anyone who thinks that they have made progress towards an offensive strategy in such a short amount of time does not appreciate the pace at which NATO business is conducted.

So what should we be doing to prepare for the cyber component to future conflict? Building up a digital arsenal, hardening vulnerable systems, and debating the merits of cyber-weapon non-proliferation treaties is the response you would expect from the military, but these are reactionary and short term (and outright foolish in the case of non-proliferation) solutions.

Our primary response should be to build and maintain an information infrastructure that is capable of withstanding multiple, massive assaults from adversaries of any stripe. That was essentially the reason for building the Internet in the first place, but in our headlong rush to turn a resilient communications medium into an engine of commerce we have succeeded in degrading that capability. That failing grades for cyber security are regularly given to defense and security agencies suggests that we have a long way to go before such resilience is achieved.

The secondary response should be to improve our decision-making speed and ability. This means creating and implementing policies and procedures that liberalize access to essential information and provide ready access to powerful decision-making tools. Even if we were to lose important information to an enemy, our ability to act before he does should render the loss moot. Despite frequent calls to improve information technology and sharing across our national security apparatus, progress made to date may be generously described as “modest.”

---

Cyber conflict has been with us for years and it will play an increasingly important role in the broader spectrum of warfare in the future. A pure-play cyber war – one that sees a nation capitulate due to the hardship imposed by severing or degrading access to cyber space over an extended period – is inconceivable. The more wired the target the greater the impact, but it would take a weak people indeed to surrender in a war of inconvenience.

What can be assured are both an increased dependence on information technology at a personal level, and a corresponding increase in weaknesses as that dependence grows. The more we make IP-enabled devices desirable if not essential (the iPhone craze kicked off as this essay was being finalized) the more complex and interdependent our systems become and the more gaps are created that await discovery and exploitation. If cyber war ever comes the pain will be collective and personal.

Perhaps the most significant danger to consider when addressing information age conflict is getting carried away trying to make physical warfighting allegorical to the digital world. It can be intoxicating to talk of cyber this-and-that, bloodless, push-button warfare, but the virtual world disappears if the right physical nodes are destroyed. When talking about success in warfare, kinetic is still king. The application of soft power has yet to achieve a level of success equal to that of bombs from the air or boots on the ground.

It has been argued that initiating a conflict via cyberspace, followed by a more traditional application of force, could shorten future conflicts. Such an approach eliminates the need to destroy physical infrastructure, thus speeding recovery efforts and accelerating a return to normalcy. The nature of our most recent conflicts – not to mention the adversaries that we are likely to face in the short term – suggests that the future of war and peace is more complex than simply rebooting a computer. This of course is not news to anyone who is a student of warfare, but it is worth remembering when metaphor is in danger of overpowering reality.

(c) 2006-2007 Michael Tanji


About

This page contains a single entry from the blog posted on July 4, 2007 12:01 PM.


Creative Commons License
This weblog is licensed under a Creative Commons License.