Diplomatic Courier, A Global Affairs Magazine

Cyber Insecurity: The Global War on Data

October 16, 2009

By Shawn Woodley, Contributor

The United States faces mounting insecurity in cyberspace, where foreign intelligence services, criminal organizations, and publics are able to penetrate and compromise sensitive government and corporate networks. Vulnerabilities in cyberspace have resulted in breaches of military and private systems in which sensitive information has been extracted, circulated, or manipulated. Critical infrastructures, including electrical, communications, and transportation networks, are known to have serious vulnerabilities. The growing sophistication and scope of cyber attacks have outpaced the technical ability to quickly and reliably attribute the source of attacks, resulting in a cyber security policy more akin to weatherproofing than actual cyber warfare.

The Expanding Cyberspace

The modern internet, once the domain of the United States and European allies, has rapidly expanded beyond the West in recent decades. There are some 1.6 billion people already wired to the internet, with China alone reporting 200,000 new users daily. National intranets are increasingly sophisticated; Iran boasts the world’s third largest blogosphere; the rate of Russian internet expansion more than triples the rest of Europe; South Korea is the most wired of the G20 nations; and China reports some 298 million internet users, surpassing the US.

Much like the expanding universe, the shape of today’s cyberspace has much to do with its initial conditions. Developed principally by French, British, and American engineers, it took root in ideologically similar allied nations, and emphasis was placed on the accuracy and expediency of data exchange rather than monitoring and control. While structural adjustments continue to be made to the architecture of the internet, it remains a very flat and open system that is especially difficult to police.

War Games

With cyberspace no longer dominated by the U.S. and its allies, increasingly sophisticated state-sponsored threats have emerged, exploiting the anonymity and legal ambiguities of cyberspace. The Department of Homeland Security (DHS) reported 37,000 successful intrusions into US government networks in 2007, up from 24,000 the previous year, while the Department of Defense (DOD) reports that the military’s Global Information Grid experiences more than three million daily scans for vulnerabilities. Congressional leaders have warned that intrusions have resulted in “massive amounts” of data theft and cite that China is now in a position to “delay or disrupt the deployment of America’s military forces around the world.”

Researchers on the DHS project “Aurora” highlighted the vulnerability of the electrical infrastructure in an experiment illustrating how a generator can be remotely sabotaged. US intelligence officials report that the presence of software enabling spies to shut down the US power grid is pervasive. By one estimate, a successful actual attack against just one third of the North American power grid would cost the American and Canadian economies some $700 billion over three months. The Chairman of the Joint Chiefs of Staff and other senior Pentagon officials have cited cyber-security as the single greatest threat to American security.

Porous Private Networks

The challenge of accurately illustrating the private sector security situation is due in part to underreporting and non-detection. However, losses are evident as sensitive research and banking information, recently including submarine and satellite technology, has been found on information black markets where it is traded and sold to organized criminals and foreign corporations.

Weak network security practices have left soft targets in the private sector open to attack. Nearly half of Computer Security Institute (CSI) survey respondents reported virus activity on their networks, insider abuse, and laptop theft, all of which weaken information security at these firms. Twenty percent of CSI respondents reported that compromised computers on their networks were used as remotely activated proxies to execute simple cyber attacks against third parties. These attacks, which use private networks and numerous personal computers as proxies to overwhelm and disable websites, are called Distributed Denial-of-Service (DDoS) attacks. The high occurrence of compromised computers may account for many of the cyber attacks reported to originate in the US and China, although they could be orchestrated from anywhere.

Soft private sector targets may be the most attractive targets of state and non-state cyber attacks. Lt. Gen. Keith Alexander, director of the NSA, recently testified before the House Armed Services Committee, where he paraphrased a 1996 statement made by China’s People’s Liberation Army stating that, “If you want to attack the United States, attack its banking system.” The PLA assessment reflects the consequential reality that the economies of wired nations are significantly vulnerable in cyberspace.

On the economic front, the Organization for Security and Cooperation in Europe (OSCE) estimates that cyber crime costs the global economy $100 billion a year, while the FBI estimates it costs $50 billion a year to the American economy alone. Many of these losses could be avoided with stronger network security practices.

Cyberspace as a Warfighting Domain

Current U.S. cyber security strategy is centered on hardening sensitive networks and critical infrastructures against attack, developing and deploying monitoring tools, and incentivizing private sector firms and the public to better secure their networks against attack and malicious software. It has been suggested that this defensive strategy may come to incorporate offensive or responsive elements as discussions on “active defenses” and rules of engagement in cyberspace expand, but it is unclear what tactics can be executed against attackers without knowing their identities or locations.

Attribution is the first problem in retaliating against a cyber attack. Through the proliferation of malicious code and exploitation of security loopholes, the use of proxies is common and any response is little more than symptom relief. For instance, if a DDoS attack is orchestrated from a Russian city against an American bank by way of ten thousand Chinese computers, observers in the US have no way of responding against the Russian in real time, and the Chinese computers will be identified as the origin of the attack until forensic information becomes available, if it does. Does the bank have a right to respond with a cyber response? Does the bank respond against the Chinese computers or pursue dead-end legal action in Russia against the perpetrator in the unlikely event that they are identified? If the Pentagon, with its responsive capabilities, were targeted, does it have the right to retaliate against the Chinese civilian computers?

More sophisticated attacks can be routed through any number of proxies, further complicating the forensics. A 2003 report on attribution techniques by the Institute for Defense Analyses stated that, “All technical means for attribution are inherently limited. These limitations include attribution delay, failed attribution, and misattribution.” In practice, attribution must rely on human intelligence when available.

If cyberspace is a “warfighting domain,” as some officials have described it, questions must be raised over what kind of activity can be considered an actionable act of war under the existing legal framework. Activities in cyberspace that physically endanger lives, such as disruption of the electrical grid or manipulation of water delivery systems, may come to be construed as acts of war. In that eventuality, how does a state respond when the lines between state and non-state actors are blurred and real-time attribution capabilities are limited at best?

Ongoing international efforts to develop and enforce standards for cyberspace akin to the Law of the Sea are in their embryonic stage but gaining momentum. While states are within their rights to develop offensive capabilities in cyberspace, such capabilities are unlikely to be useful for as long as real-time attack attribution remains an obstacle. An offensive strategy would be as ineffective as swinging in the dark. Defense remains the best offense, and a cyber security strategy that emphasizes the weatherproofing of sensitive networks is the best way to address the growing trend of cyber attacks. Cyber attacks should be viewed as monsoons and typhoons are seen at sea: as a phenomenon of cyberspace to be guarded against.

Copyright 2006-2010 The Diplomatic Courier™. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.