Ever Evolving and Ever Changing: Where Do We Stand in the World of Cyber

From this week’s reading it is definitely evident that there is not one unified lens through which to view or understand cyber. Cyberwarfare, cyberespionage, cyberattack, cyberdefense – the list is endless. Throughout the last few months we have been evaluating current issues but have had a framework to guide how we see each topic. In the world of cyber all bets are off and this makes it difficult to wrap one’s head around the realm.

To kick off the discussion I think it makes the most sense to talk about three topics in Cyberspace: (1) Who should we be scared of, (2) How could the US prepare to stop cyber threats and (3) Is cyberwar realistic?

1. Who should we actually be scared of?

A big topic in cyber surrounds the ability of non-state actors to easily and cheaply get involved in cyberwarfare. Without the need to spend billions creating bombs and nuclear weapons, non-state actors can easily wage attacks in cyberspace. According to McGraw in “Cyberwar is Inevitable” he says that most modern control systems are so poorly designed that they’re vulnerable to attacks devised over 15 years ago. Cited in Gartzke’s “Myth of Cyberwar,” Joseph Nye claims that non-state actors are a scary and real threat. Do you buy this? A non-state actor can definitely temporarily dislocate a country’s systems but Gartzke argues back that this might not actually create a lasting shift in the balance of power. To this end, is this cyberwar? Is this an effective attack? Look to the authors mentioned in Gartzke’s footnotes – Arquilla and Ronfeldt, for more nuance. Should the U.S. perceive a cyber threat as credible if it cannot be backed up with military force like Russia did with Georgia in 2007?

2. How could the US prepare to stop cyber threats?

McGraw offers a sobering reality in “Cyberwar is Inevitable” of the lack of technological expertise and security of legacy systems supporting our nation’s critical infrastructure. I personally worked in a technology capacity for the US government this past summer and was also dismayed at the lack of technical understanding by government employees. Employees themselves present one of the largest points of vulnerability for cyber attacks (look up “phishing” in which cyber attacks are administered when a government employee accidentally clicks on a sneaky malicious link). What were your thoughts on McGraw – are his arguments apt or is he just over hyping the lack of US cyber defense?

In “New Reality of Cyber War,” Farwell talks about the need for firewalls, cyber hygiene (training folks), detection technology, honey pots, and secure resilient networks. He claims that these methods are for obviously defensive purposes, but all of these mechanisms however could be portrayed to our adversaries as building offense capabilities – will this make countries like China and Russia build up their offensive capabilities in response? Will the US simply be causing an escalation and “cyber arms race”?

3. Is cyber war realistic?

Finally it is important to talk about whether cyber war is even something to be concerned about. In “There Will Never Be A Cyber War,” Rid claims that warfare relies on three criteria – violence, having a viable means to an end, and politically-motivated. He claims that in cyberspace, “no cyber offense has ever caused the loss of human life. No cyber offense has ever injured a person. No cyber attack has ever damaged a building.” Now contrast this with McGraw in “Cyber War Is Inevitable.” He speaks to the technical vulnerabilities in our power grids and financial services systems. They include exploitable “zero days” which could knock out the entire system for weeks (realistically). What damage is done to the US economy if one or more of these systems were taken out? Gartzke cites a former secretary of defense saying that there will soon be a cyber Pearl Harbor attack. To contrast these points of view I recommend looking at past examples of cyber attacks – Stuxnet and the Estonia Botnet attacks. Each is different – do either constitute war under Rid’s criteria? Is cyber war realistic? — Max

20 thoughts on “Ever Evolving and Ever Changing: Where Do We Stand in the World of Cyber”

  1. The most compelling argument came from Gary McGraw’s “Cyber War is Inevitable (Unless We Build Security In)” because from what has occurred since 2013 when he published his article, it appears that he was right. “Cyber war” (McGraw, 109) has already hit the United States through Chinese cyber espionage. According to the BBC, “Several hacks on US institutions have been blamed on China, including one involving millions of government staff” (http://www.bbc.com/news/world-us-canada-34229439). So as other countries bolster their technological capabilities, this type of threat will almost certainly proliferate. McGraw was also right about the United States’ “financial services…[being] riddled with technical vulnerabilities” (McGraw, 109). This past summer, “[T]he computer systems at the…[NYSE] went down for nearly four hours in the middle of the day…[due to] a bug” (http://www.nytimes.com/2015/07/09/business/dealbook/new-york-stock-exchange-suspends-trading.html?_r=0). Although this was not conducted by an enemy hacker, it does show not only how exposed our economy is, but also how dependent we are on it. In other words, an enemy only has to target our economy to have a “‘kinetic’ effect” (McGraw, 112).

    I would also agree with Joseph Nye’s assertion that “Dependence on complex cyber systems…creates vulnerabilities in large states that can be exploited by nonstate actors” (quoted in Gartzke, 41). For instance, the hacker group “Anonymous” tried to hack into Israeli government websites in order to “carry out an ‘electronic Holocaust’” (http://www.aljazeera.com/news/2015/04/israel-anonymous-hacking-150407083458319.html). Although Anonymous was not successful, it is only a matter of time before they – or another group – will be.

    Last, I think it is important to see that the distinction between “cyber war” (McGraw, 109) and “cyber attack” (McGraw, 109) is a semantic one. Whether there is one single “cyber attack” (McGraw, 109) or there are many, which together would constitute a “cyber war” (McGraw, 109), it doesn’t really matter. Ultimately, the only factor we should consider is how much damage will be caused by an enemy’s electronic force.

  2. I agree with Michael that the threat from China is a compelling one. Cyber attacks which are having a large effect on US institutions have already occurred and are only likely to get worse as cyber systems continue to complexify, hacking technology continues to advance, and hacking attempts become less costly in terms of memory and power (so China and other governments can hack more for less). Even if most attempts to hack into US institutions fail, the occasional breakthrough could paralyze the US economy or the military’s capabilities (A recent report from Bloomberg quoted “Chinese penetrations of defense systems threaten the U.S. military’s readiness and ability to operate.”). The US is ill-equipped to defend government systems from a Chinese or other group’s cyber attack, and has even less ability to defend non-governmental systems like the NYSE which could have a similar long-term effect on citizens’ socio-economic lives.

    But that gets to the debate of whether a cyber attack like the one which China allegedly carried out – which stole over 21 million governmental employees’ social security numbers, fingerprints, and other identification – was an act of war. If we take Rid’s criteria, this act most definitely did not constitute war – no one was injured, and the data which China now has has so far not been used for a specific end. Again, I agree with Michael that the semantics – whether an act is a cyber attack and whether it is an act of cyber warfare – are meaningless unless our President draws a red line that we must retaliate against any act of ‘cyber warfare’ or any ‘cyber attack.’ However, there definitely is a practical cost to these non-warfare cyber attacks. Taking the China example again, the US government has a responsibility to its employees to help them clean up their identity status, and that takes a lot of time and money. Ultimately, I think our efforts to build up cyber defenses will remain relatively low until a cyber fire catches and we have to put it out. Up until this point, the amount of damage done in all politics-influencing regards has not reached a level that we need to devote significantly more resources to our cyber defenses. Whether that is the right decision or a bad consequence of democratic politics is another matter. I do not think that full-on cyber warfare (of the McGraw type) is feasible however – because once one attack occurs that necessitates sufficient resources being allocated to our cyber defenses, another attack will not be able to occur until the funding and resources allocated lapse again. Also, I do not believe that a terrorist group would have the capabilities to take down the US networks like in Bruce Willis’s “Live Free or Die Hard,” and another state would not attack us in this way because it would lead to a full-scale conventional war.

  3. I think Max raises some very interesting questions regarding the “World of cyber” and the current issues that came up in this week’s readings. While I believe that things like cyber war, cyber security and so on are relatively new in the realm of policymakers, I believe they should still be regarded as a real threat not only to governments, but also to every civilian, given our dependence on computer systems.

    I think in every form of warfare the biggest threat usually does not come from the often rational state actors, but from the possibility that irrational, extremist and terrorist groups acquire the resources necessary to strike an attack. McGraw claims that “even weak actors can have a major asymmetric impact” (p.109) that affect major powers more than small countries, given their dependence on high tech systems. McGraw’s paper emphasizes the easiness for weak actors to conduct a cyber attack and that is exactly why we should consider cyber warfare as a real threat.

    I agree with McGraw’s argument about the importance of both developing a strong defensive system against cyber attack and advancing in creating strong offensive measures, but I agree with Max in saying that there is really not much knowledge about how to develop sophisticated defensive systems. While detection, firewalls and honey pots are all interesting security methods I strongly believe that major powers are developing intense cyber warfare, given the dependence that governments have on those.

    All the readings for this week suggest that a cyber war is a realistic possibility, and although they have different perspectives on the way they explain what constitutes a cyber war or the different modalities through which an attack could be advanced, they all cite Stuxnet as maybe the real first precedent of an expectable cyber war. I believe states will have to worry way less on the more “classic” form of warfare and focus more on the cyber space considering the enormous impact that a strike can have and considering how much we depend on it.

  4. Max, it is interesting that you began this discussion with the role of non-state actors in cyberwarfare. It seems like the literature surrounding cyberwarfare frequently highlights the influence of non-state actors as a unique or defining feature of cyber attacks. I was struck, however, by how that focus appears disproportionate based on the other security threats we’ve discussed this semester: We read about “biopunks” who experimented with gene sequencing from their own basements; they were non-state actors who could potentially use public information to engineer organisms for nefarious purposes. In “The Bomb in the Backyard,” we read about terrorist groups – clearly non-state actors – who could make a nuclear weapon with a handful of people and a few million dollars. Contrary to the idea that cyberwar is uniquely non-state driven, it seems that all types of war are becoming more accessible to non-state actors. Cyberwarfare may be a reflection of that trend instead of its leader. Of course, the increased influence of non-state actors stems from increased informational availability, which stems from the internet age and the rise of new media, which is explicitly tied to the cyber realm. We observed this in Lee et al.’s “Assessing the Potential of Societal Verification by Means of New Media,” where civilians could take a split-second image of North Korea’s footage and uncover minute details about the location of their nuclear facility. Indeed, “nearly all of this information is available working from one’s office or a coffee shop with decent internet connection” (21). The salience of the internet in the cyberwarfare likely contributes to the perceived prominence of non-state actors; but it is important to remember that non-state actors are increasingly relevant in all areas of security risk.

  5. Max, thanks for an interesting discussion and opening post. I do think that cyberwar is indeed a real possibility, and think to some extent debates about whether or not it is “really” war are a bit moot–with the precedent set by Stuxnet and so many critical systems and information vulnerable, it is clear that a successful cyberattack could wreak both online and kinetic havoc. I also agree that the role of non-state actors (individuals and Anonymous-like hacker collectives) is crucial here: because the capabilities underlying cyberattacks are more based in technical expertise than material capacity, cyberattacks are a form of warfare much more accessible (and on more level terms) to non-state actors. I would caution against taking this too far, though: while security for many infrastructure systems is pitiful, the skill, time, and labor needed to execute a highly sophisticated attack (such as Stuxnet or against another important government facility) is still formidable, and state actors still have a significant advantage in recruiting, coordinating, supplying, and developing the talent and capacity needed to pull that off.

    I’d like to comment on your second question, though, regarding preparations to stop cyber attacks. With respect to McGraw, I think that it is somewhat difficult to know from the outside (or from a non-technical perspective) but by nearly all accounts his assessment does appear accurate. Indeed, the leaks that Chelsea Manning and Edward Snowden were able to accomplish seem fairly damning proof that information security (even for highly sensitive documents) is poor and mismanaged; it seems unlikely that the rest of our bloated security apparatus has particularly robust security or training. To some extent this may reflect a societal issue, as most people have relatively poor online safety habits regarding ID theft and password security, so hacker capacities outpacing security precautions seems widespread–though no less alarming for it. However, I am skeptical that US cybersecurity precautions would cause an “arms race”. The relevant IR literature here concerns the security dilemma, wherein one state’s actions taken to increase its security are perceived as hostile by another state, thereby fomenting reciprocal action and an arms race. But the key here is that the original actions are perceived as offensive, and I am less convinced that the proposed cyber hygiene, firewalls, and the like are liable to be perceived as such–they do seem largely defensive in nature, and after all any security-seeking action can be perceived as having a hostile component. If a rival state did similarly decide to pursue better cyber hygiene in response to US action, it seems dubious that this would truly constitute an “escalation” or make war more likely–indeed, heightened defensive capabilities on each side would seem to be more of a disincentive to pursue cyberwar rather than anything else.

  6. Thanks for your post, Max. I’d like to talk about the second question you pose about how the US should prepare for future cyber attacks.

    Some of the comments above have discussed how since McGraw’s publication of “Cyber War is Inevitable,” we have the example of Chinese espionage on US government employees to draw from. I think that this example is part of a mounting collection of other examples of cyber attacks and cyber espionage (US and Israel’s ‘Olympic Games,’ Jonathan mentioned Snowden above) that prove how unreliable and unprepared our current security systems are.

    However, when you couple McGraw’s notion that most modern systems would still be vulnerable to 15-year old malware, DLL interpositioning and other cyber attacks (see p. 115) with Farwell and Rohozinski’s claim that security systems sometimes require millions of lines of code while malware requires far less, is more adaptable and can be highly targeted (p.114), I’m inclined to believe that offensive capabilities of cyberwarfare, cyberespionage, and cyberattacks will always outpace cyberdefense. If this is indeed the case, then I see the possibility of stronger cyber offense capabilities acting as a deterrent (on the state level) more effectively than efforts to catch up cyberdefense.

    This of course, ignores the fact that, as McGraw mentioned and has been cited above, 90% of critical infrastructure is privately owned. Even if victims of cyberattack in the private sector manage to attribute the attack to an actor, it probably is a non-state actor. This is where the waters get murkier. Private companies now, more than ever, need to be actively trying to improve their software security.

  7. I believe the United States needs to be wary of all nation-states, as well as non-state actors, such as “hacktivists” like Anonymous and Team Poison. All nations, including allies of the United States, are potentially attacking the US via cyberwarfare in order to infiltrate America’s confidential information regarding its society, economy, military, and other critical infrastructure. Additionally, nations and “hacktivist” groups are targeting American corporations and declassifying private information regarding clientele and other secret information as a form of protest. Therefore, I argue that the United States must continually protect itself, for many nations and private organizations pose a potential threat.

    In my eyes, cyberwarfare is realistic. Although one could argue that nobody has died directly from a cyberattack, there has been speculation surrounding the use of cyberattacks in military operations. For example, in 2007, the Israeli Army bombed Syria and used cyberattacks to manipulate Syrian radars so their aircraft wouldn’t be detected. Additionally, foreign intelligence is highly dependent on cyberattacks. Many nations use cyberattacks as their primary methodology in gathering intelligence. During any given military conflict, nations are constantly trying to infiltrate the opposing party’s cyberspace to gather intelligence and utilize said intelligence to their advantage. Thus, cyberattacks are used in warfare and contribute to fatalities.

  8. An interesting and potentially overlooked part of the cybersecurity climate is the difficulty in attribution to a specific actor. For example, if there is an ongoing attack on your critical systems, and you need to initiate specific countermeasures to stop the attack, what degree of certainty is sufficient to launch an attack? With what degree of certainty can you say that the address or group of addresses is indeed the initiator of the attack? What happens if you end up causing huge amounts of damage to the systems of someone who actually had nothing to do with the attack?

    Attack attribution is a huge problem, especially given the fact that “hacking back” is becoming a larger and larger problem as cyber attacks become more and more complicated and the stakes are raised higher and higher all the time when more and more systems come online. Hackers and those who in general wish to do harm also seem to stay one step ahead of defense, further necessitating offensive measures to ensure good defense. After all, a good offense is the best defense, as we have discussed in nuclear deterrence.

  9. As you touched on, the world of cyber is one that can almost appear endless, with so many different factors and lenses coming into play when we reflect upon issues of cyberwarfare, cyberdefense, and beyond. I think you did a great job in the way you broke down your blog prompt. With regards to your question on whether or not I buy non-state actors being a threat, I do believe we should be scared of them. While I understand the argument that a non-state actor may not actually be able to create lasting shifts in the balance of power, the idea that they can cause any shift at all is enough for me to perceive them as a threat, as with increased technology comes an increased ability for them to wage cyberwarfare and attack- something I believe they are in fact doing. In this light, I do believe the U.S. should perceive a cyber threat as credible even if it does not have a state military force backing it up. We can look to groups such as Anonymous who has declared war on ISIS as proof of non-state groups being able to wage cyberwarfare in a pretty legitimate manner.

    In response to your heading of how the U.S. could prepare to stop cyber threats, I believe its best defense would be enhancing many of the aspects Farwell discusses, which you have noted to be firewalls, training of people, detection technology, and secure networks. With cyberwarfare being quite different from traditional warfare, I believe the best way to stop cyber threats would be enhancing these tools and ensuring the possession of a strong cyber defense. If the U.S. focuses mostly on defensive strategies, I believe that although they would be progressing further in the cyber world, this would not necessarily lead to a larger international cyber arms race.

    With respect to your all-encompassing question of “Is cyberwarfare realistic”, I believe that it is in fact a possible, realistic threat. With Rid pointing out that warfare relies on violence, having a means to an end, and being politically motivated, I believe that with our society constantly increasing its technology, there is no reason not to believe that a cyber situation will rise to meeting all three of these criteria. With many believing the world on the verge of large-scale cyber attacks, I believe that cyberwarfare is something the United States needs to take seriously, as large-scale cyberwarfare would be unlike anything our world has ever seen.

  10. I think that “who” we should be scared of depends on the scale of damage. At the highest level of aggression, state actors are our main concern because cyber attacks can be combined with military forces to carry out national agendas, as Max points out with the Russia example. Furthermore, like in physical war, state agents possess the financial and intellectual means to develop advanced systems. Non-state actors may pose a threat to national security, but it appears more likely that they cause private damages to systems (an estimated $1 trillion worldwide annually as cited by McGraw), which can in turn send ideological messages by disrupting daily life. The “who” is also interesting to consider in light of Farwell and Rohozinski’s last sentence because we must recognize the two way nature of malware, “Strategies for using cyber weapons like Stuxnet need to take into account that adversaries may attempt to turn them back against us” (36). We must recognize the slippery slope of our own actions given that political actors have the capacity to reuse our viruses.

    I agree that cyber warfare is something that we should be concerned with as a national issue. Rather than an outright act of “war” as strictly defined by Rid, cyber attacks seem to be more indirect, perhaps attacking ways of life or adding to tensions that can fuel physical war. The likelihood of a cyber attack on our financial systems seems much more likely to me than one on our military systems. While my experience with anything related to the creation of cyber warfare is extremely limited, I do think that the “cardboard” comparison by McGraw seems dramatic. The free market may be able to develop potential solutions to attacks on private institutions, while national security strengthening would require massive political dedication to cyber security in order to prevent a “Pearl Harbor” type event (Gartzke).

  11. I think this topic is particularly relevant with the recent events in Paris, especially regarding the response by Anonymous. Anonymous is an international network that loosely connects hackers, and recently, the group effectively declared war on ISIS as a response to the terrorist attacks on Paris. But what does that mean? How does a group of hackers, although powerful in their own right, declare war on ISIS without any state or military force behind them? As Amanda points out in her comment, it seems that the cyber attacks we should be the most concerned about are state actors with some physical force to back up their cyber attacks. I’m not saying Anonymous can’t do damage, because they certainly can, but it seems that in the wake of their threat, we are left asking how. What does this threat mean, coming from a very loose and decentralized command structure like the one that “governs” anonymous? I’ve seen quite a few articles surfacing that explore this question, and in one article, the subtitle perfectly sums up how many of my peers have expressed feeling: “How can a bunch of computer nerds fight an international terrorist group?”

    The common view of the Anonymous response to ISIS and the Paris attacks appears to fall in line with Rid’s view, specifically the quote that Max pulled: “no cyber offense has ever caused the loss of human life. No cyber offense has ever injured a person. No cyber attack has ever damaged a building.” People don’t seem to take the Anonymous threats as credible at all. However, McGraw seems to believe that cyber attacks are not only inevitable, but dangerous. I believe that this is one of the situations that we spoke about at the beginning of the course, where we won’t really know what kind of damage can be done, or how to prevent it, until it happens, which is the biggest danger.

  12. Thanks Max and to everyone that replied. Reading about Cyber both before the break and now brought back many memories. Because of the OPM breach in June, I did not receive my DOS clearance to work at State until late August and I had to scramble last-minute to find another internship. The threat is very real and very very apparent. As McGraw pointed out cyber war is realistic and is most talked about, but we have to consider the “Three Headed Cerberus” in its entirety – cyber crime, cyber espionage and cyber war of which cyber war is the least common.

    That being said, I think it would be naive to say that we should be “afraid” of anybody, whether they are a state or a non-state actor. We must be vigilant and continually improving our defensive capabilities to bolster our infrastructure, but we cannot live in fear of rogue groups, lone wolves, or countries who we are at odds with because fear causes irrationality and it leads to sub-optimal decisions (think Iraq War).

    The best way to prepare for cyber threats is to be ahead of the curve. As Max mentioned, there is a lack of technological expertise and security of legacy systems supporting our nation’s critical infrastructure. This must and has to be addressed. Public/Private funds have to go towards improving our infrastructure and overhauling our technologies while working to improve their technical know-how by reframing and retooling the software. I think the Sony & Target hacks which occurred after McGraw wrote his paper really awakened the sleeping giant (us) – and after Snowden, Manning, Assange and others released intel, the government has begun to devote significant resources to cyber. That being said, work still has to be done given the recent OPM hacks. The question of the “cyber arms race” is a crucial one – albeit like a nuclear arms race, except that creating a piece of malware or a trojan can be done by a rogue actor. Having state-backing can only help and thus, it makes sense that we establish clear standards, conventions and organizations that allow for dialogue on sensitive issues like these.

  13. I wanted to approach Max’s question about the feasibility of a cyberwar. Rid is correct in saying that cyberwarfare does not qualify as warfare under his criteria. Cyberwarfare certainly does not have the same direct destructive power as a military force or a nuclear weapon. However, I would agree with McGraw that there are immediate dangers if hackers were to gain control of a nation’s power grids or financial records and resources. Surely the corruption of these resources would have serious consequences on the people of a nation (e.g. financial peril, loss of power and ability to perform common 21st century tasks, being unable to store food properly), but I cannot imagine any of these consequences being fatal. The direct destructive power of cyberattacks is quite limited (unless hackers are able to access nuclear codes and launch rockets at enemy countries, of course). The fact that Anonymous declared “war” on ISIS yet has so far only managed to pinpoint and delete a majority of its social media accounts and identify members of the terrorist group demonstrates how limited hackers are in doing serious and irreparable damage to an enemy.

    I am not suggesting that the United States and other nations that have been affected by cyberattacks should not seek to retaliate against their attackers, but an effective and appropriate form of retaliation is nearly impossible to determine if the cyberattack was not absolutely crippling. Monitoring needs to continue to take place, but it would be unproductive to have back-and-forth hacking battles.

  14. These are all interesting questions, Max. Before considering whether or not cyber war is realistic, it might be helpful to take a page from Rid and try to properly define what a cyber war is, and what it might look like. Rid himself cites sabotage, espionage and subversion, all of which, fundamentally, are attempts to weaken the power and reach of some system, but are auxiliary tools of war, not war itself. Rid then proceeds to dismiss events like the Stuxnet attack on Iranian nuclear facilities and the rigging of Soviet oil pipelines as auxiliary, not primary acts of war. Rid wisely distinguishes these three tactics from full-on war, but these tactics, if used drastically enough, could themselves constitute war. Rid argues that a war fought only in cyberspace seems close to impossible, and I would agree, but given the current nuclear parity between superpowers, and the lose-lose quality of fighting modern-day land wars, it does seem likely that states (at least the nuclear superpowers) will transition toward attacking and retaliating against each other in cyberspace, instead of physical space. It is certainly imaginable that such a cyber-scrum could be the lead-in to a real, physical war.

    To address this problem, states could try to similarly “solve” cyberwar as they have for physical war; determine well-defined deterrents against cybercrime perpetrated by other states, à la mutually assured destruction. However, this will be quite the challenge, especially because the range of possible cyberattacks is too broad, and the potential for retaliation is not as clear-cut. Even so, this could be the road states move toward, as tit-for-tat battles fought in cyberspace are far from desirable, especially compared with diplomacy and cooperative action.

  15. I think Chandler brings up a very good point. Yes, any cyber attack is unlikely to be directly fatal. But I disagree that this limits the destructive power of a cyber attack. Besides the consequences on the people of the United States, there are many aspects to the United States as a nation that rely on electronics that could potentially be taken out which would then result in higher destruction to the nation as a whole. For example, if the power grid were to be hacked and shut down, any potential defenses the United States has would consequently be shut down, leaving it in a most vulnerable state. Any monitoring abilities/cyber responses would be unusable, communication between offices would be very difficult, and military coordination would be nearly impossible. We would not be able to respond adequately to any further attacks, both cyber and military. Yes, cyber attacks are not directly fatal but could leave the United States in a vulnerable state for potentially (very) destructive follow-up attacks.

    In response to Max’s third posed question (Is cyber war realistic?), I believe the answer falls somewhere in between the two authors’ stances (as expected, they are on two obvious extremes). I do not believe cyber war is inevitable, but I also do not believe that it will never happen. The United States’ monitoring processes are up to par in order to deter attacks, but, as McGraw touches on, a strong one that breaks through is likely to occur given international opinions. The next step, though, is the United States’ response to such an attack. If the government is able to (i.e. the power grid is not out), it will respond according to its attacker. But as Luke thoughtfully said, it is difficult to attribute attacks in the cyber realm, and consequently, a response attack initiating a cyber war would also be difficult to pin. Despite this difficulty, though, I think it is possible for the United States to respond to a strong attack in a justifiable manner to the group that they best believe is the attacker. Thus, I think a response to its supposed attacker can, at some point, initiate a back-and-forth series of attacks and a cyber war. Yet, this is not inevitable, as McGraw claims, since the conditions for a cyber war to occur are difficult to reach right now. But not impossible, as Rid claims.

  16. Focusing on the second question (i.e. “How Could the US Prepare to Stop Cyber Attacks”), I found it especially interesting that this may not be very difficult to achieve. Admittedly, McGraw notes that “software security is a relatively new discipline that takes on the challenge of building security in” (McGraw, 110). However, he also says that large corporations have already succeeded in implementing defenses against cyber-attacks: “[There has been] real success among multinational corporations. In general, software-security progress is more advanced among private corporations (including multinational banks and independent software vendors) than in the public sector, which lags years behind” (McGraw, 110).

    For this reason, rather than asking how the U.S. government could be stopping cyber-attacks, the real question is why have they not implemented strategies that are already commonplace in the private sector?

    According to Rid, cyber-war is unlikely to occur because “if the use of force in war is violent, instrumental, and political,… there are very few cyber attacks in history that meet only one of these criteria” (Rid, 10). For example, Rid claims that cyber-attacks have never constituted violent force since “no cyber offense has ever caused the loss of human life. No cyber offense has ever injured a person. No cyber attack has ever damaged a building” (Rid, 11).

    However, this analysis is flawed for several reasons. First, he cites historical anecdotes to back up his claims without considering that the world is now much more dependent upon technology today and that methods of cyber-attack have probably become much more severe.

    In one anecdote, Rid describes a cyber-attack on Estonia in 2007: “the online services of Estonia’s largest bank, then known as Hansapank, were unavailable for 90 minutes on 9 May and for two hours a day later. The effect of these coordinated online protests on business, government, and society was noticeable, but ultimately it remained minor” (Rid, 12). Nevertheless, imagine if the banking system had been offline for days or weeks instead of a few hours. This could have had much more serious effects on society that Rid fails to take into account.

  17. According to several members of the US intelligence community (who wish to remain anonymous), the issue of cyber warfare is one that divides even our most well-informed agencies: some believe that the threat of cyber-attack is absolutely terrifying, but also admit that they may only find it so daunting because they are unfamiliar with it. Others think the idea of it is ridiculous. The internet can no doubt be a conduit for destruction; WikiLeaks is a perfect example of the type of curve ball that manipulation of the internet can produce. The attacks of 9/11 were committed by terrorists who had been able to communicate easily with one another through the medium of the internet; this globalization of information and communication itself presents any number of new security threats to every developed nation.

    I thought Gartzke’s The Myth of Cyberwar highlighted an interesting issue: when assessing whether or not a group would be likely to attack the United States, the effectiveness of the result of possible attacks in relation to the group’s own goals should be considered. If a terrorist organization were to enter into a Netwar with the US—perhaps undermining online consumerism, as suggested—what would be the result? We American consumers would have less confidence in the security of our networks, and we would shy away from the internet; the country would take an economic hit, and there would be policy implications that would arise because of it. But America’s lagging economy would do little to boost terrorist groups’ personal images: a change in the US economy is not the same as the burning of an iconic building, and a confused Congress does not have the same effect on onlookers as does the reality of fire and death. Netwar for most terrorist groups would do little to garner support amongst the cohorts they target for backing—cohorts which are best fed by sensationalism of outward attack, and are less likely to react strongly to subversive tactics. A cyber-attack in tandem with a physical attack could be likely, but then the planning of the physical attack itself would leave these terrorist organizations open to discovery; the more time they spend planning attacks, the more likely our own intelligence community is to foil them.

    I’m not saying that there aren’t people who just want to watch the world burn, because there are—but organizations, terrorist or no, often operate with some goal in mind, and their actions will be logical in that they show some pursuit of the realization of that goal. Individuals who are vindictive enough to wish for the end of the cyberworld are limited by their own abilities, and while the internet does have the power to bring these people with malicious intent together, those groups who claim to have the ability to undermine entire online systems don’t usually seem to follow through in wreaking the havoc they promise (as in the case of the group Anonymous). That’s not to say that it couldn’t happen, but it does seem unlikely that a small group might undermine entire nations without leaving even the slightest trace of their methods or identities (which seems to be a common conception of net and cyber war that is perpetuated by our own inability to grasp the limits and operations of the world of cyber in its entirety, as Max mentions in his above post).

    The world is developing at a rapid pace, and while this age of technology can seem terrifying, it’s also adaptable. Preventing every form of attack may be difficult if not impossible, as has been outlined in several of the readings (and which, in truth, applies to a vast array of forms of attack), but there is little doubt in my mind that the advent of a cyber-attack will be closely followed by the advent of new technologies on our end that can effectively combat that attack’s negative effects.

  18. Addressing your first point, I believe that non-state actors should not be underestimated in the realm of cyber-warfare. Though they may not possess sufficient military capability to offer a paired physical threat with a cyber threat, there is plenty of damage that can be caused by non-physical means. Attacks may be contained to economic or information realms. The effect that economic interference can have is well-known; relatively simple security breaches for retail stores have repeatedly resulted in high levels of consumer distrust and drastically reduced profits. Information-focused attacks may simply seek to make private government or corporate information public, to affect the public and international perception of these bodies. Even less focused attacks may be designed to agitate, confuse, or scare a population through the disruption of trusted systems. We know that such attacks capture the public attention, from the retail failures of Home Depot and Target, to the exposure of Sony, and the spectacles of the Ashley Madison and iCloud breaches. The means of these attacks, largely relying on basic security failures of the corporations, are well within the means of a non-state actor.

    Though none of the above attacks are going to produce a lasting shift in the balance of power by themselves, the manipulation of public attention may play a role in wider international interactions. A non-state actor does not need to be the sole opposition to the US to achieve its ends. In a period of tension between the US and China over cyberattacks, a non-state actor may make a move that puts greater focus on the cyber issue and the US-China rift to distract from its own actions, either within China or the US. They can act as a wedge between states, and manipulate their interplay with smaller attacks.

  19. I’d like to start off by thanking Max for kicking off such an in-depth discussion! I’m going to try to bring things back to the original main three points: who to be afraid of, how to defend ourselves, and if it [cyberwarfare] is indeed realistic. My thoughts on the feasibility of cyberwarfare will not substantively stand out from the general consensus here – acts of cyberaggression like Stuxnet and the Chinese extraction of information from databases containing government employees’ personal information suggest to me that this new age has definitively dawned.

    The issue of defending ourselves is a more complicated one. The outdatedness of much of the government infrastructure cannot be overstated. The Office of Personnel Management, one of the major agencies hacked by the Chinese, stored much of its information in databases written in COBOL code from the 1960s (http://www.fedtechmagazine.com/OPMhack), and it is hardly the only agency to do so. Not only is such ancient code less efficient to use and less compatible with current systems than more modern code would be, it has also had all those decades to have its weaknesses analyzed in great depth. Broad, systematic upgrading of outdated security coding and protocol that happens at least on the decade basis seems necessary to prevent ourselves from having to mount increasingly difficult defenses.

    The original post also mentioned the practice of “phishing.” While I think Zach did mention it in his post as well, I think that it is worth stating again that government programs to train their employees about common phishing scams and how to avoid them would likely help to cut down on security risks. Even basic office protocols of checking with an advisor before sending personal/work information to a supposedly valid site could likely decrease the number of successful phishing attempts by a good amount. While state actors are probably not going to use the old “Nigerian prince” trick, making sure that those sorts of things catch as little information as possible is still very worthwhile.

    I also want to say that the notion of cyberwar may perhaps be itself a misnomer. War, with its famous definition of being a continuation of politics (as Rid takes such great care to discuss), certainly implies two governments struggling against each other. We’ve brought up the 90% statistic about private ownership of critical infrastructure a good deal already, but I think that statistic carries an extra implication as well. Corporate espionage and sabotage to gain competitive advantages over others will certainly continue into the digital realm as well. In fact, as corporations are in direct competition with one another and governments often strive not to be, I might even assume that this type of cyberaggression would be more common than those types arising from interstate conflict.

  20. Max does a great job with this blog post at raising and categorizing the important questions and concerns. I will review them in order so that I can follow his questions linearly. The first question of who we should be scared of is a really legitimate concern because cyber technologies open the warspace up to non-state actors in a way that has never before been seen or experienced. Even if a single attack may not cause any lasting shift in the overall balance of power, a continuous onslaught of multiple attacks could create unforeseen advantages – so it is important not to downplay the risks of a single hack. The second question of how the U.S. should prepare for cyber war is also very complicated and non-linear. Preparation is a matter of value systems. Where does the U.S. government place its values and where does it choose to use its resources? The problem is that it takes an entire network of tech-competent employees to create and maintain a proper defense for a governmental system as large as the United States, but only one tech-savvy attacker to find a single weak link in the chain. The third question of whether cyber war is realistic needs a bit more perspective. A refashioning of the ideas of war is necessary to determine what we see as “realistic.” We need to take the emphasis off of real-world changes as a determining factor of an act of war. This emphasis reduces an act of war to a definition that is incapable of sifting through and preventing fluid attacks like those that can be produced through cyber methods. Cyber-warfare is realistic and should be considered on its own terms in order to fully protect against any possible single or collective attack.
