Cyber Warfare: Fact or Fiction?
Cyberspace has long been identified as a separate and additional domain in which wars can be waged (land, sea, air, space and cyber). The United States Cyber Command has been operational since May 2010 (it even has a Facebook page), and other countries including Germany, Israel, China and North and South Korea have established cyber warfare units.
It is interesting to note that the stated mission of most of these units is defensive, i.e. there seems to be a reluctance to acknowledge any offensive intent or capability.
Notwithstanding this public emphasis on defence, in order to fight and win any war, the availability of appropriate weapons is pretty fundamental, and this is true for cyberspace just as it is for conventional warfare.
Cyber weapons are available today.
They can be, and have been, purchased and used. Some appear on corporate websites, although not openly described as weapons, and many of their features and possible uses are also not advertised. Of course a weapon doesn’t need to be designed as such, by which I mean that good things can be used for bad purposes. An analogy would be the baseball bat, designed for playing baseball but also an extremely effective weapon. It isn’t hard to think of similar examples in cyberspace; a program designed to monitor a computer network to ensure that it operates efficiently might easily be used to capture passwords and other sensitive data on the network.
One of the most notable examples of cyber warfare is the cyber attacks launched on Estonia in 2007, widely reported as state-sponsored (allegedly by Russia). Another is a series of coordinated attacks on US federal agencies and defence contractors that began in 2003. Known as Titan Rain, these attacks have been attributed to Chinese military hackers. Whereas the Estonian example was relatively short in duration, with the primary aim of denial of service, Titan Rain occurred over a period of years with the aim of gathering sensitive information.
Advanced Persistent Threat
A term that will appear in any debate or discussion around cyber warfare is APT, or Advanced Persistent Threat. An APT is characterised by highly sophisticated hacking techniques that can evade detection for long periods. The design, assembly and deployment of such threats require considerable resources, beyond those available to any individual or group, and are most often associated with state-level sponsorship. Stuxnet is the most widely quoted example of an APT – designed and used successfully to attack a specific component on the centrifuges being used to enrich uranium at the Natanz nuclear site in Iran.
It is worth noting that computers in other countries were also infected by Stuxnet – perhaps an example of collateral damage akin to that which is a common feature of conventional warfare.
The deployment of such a weapon also raises some interesting questions. When a conventional weapon such as a cruise missile is deployed, the weapon itself is destroyed as it impacts the target, so the opportunity for an adversary to reverse engineer the missile and to construct a clone is somewhat limited.
The same is not true in the case of Stuxnet, which did not self-destruct (although it did de-activate on 24th June 2012 via an in-built ‘kill-switch’), and it has been successfully reverse engineered, revealing details of how it was designed and constructed. These details are now in the public domain, perhaps providing useful indicators to others who may seek to develop similar capabilities.
Cyberspace arms race
It is entirely reasonable to consider the possibility of an arms race in cyberspace, with nations and others seeking to gain superiority. Some would suggest that just such an arms race is already well advanced, although little hard evidence exists to support such claims.
It is also worth considering that many of the established rules and conventions of warfare do not apply in cyberspace. Modern conventional warfare has evolved over centuries of conflict and ‘rules of engagement’ govern the circumstances under which weapons can legally be discharged (unless you are the Taleban or perhaps the CIA). No such rules of engagement exist in cyberspace, so the level of control over cyber weapons may be diminished. During the Cold War nuclear weapons were used as a deterrent in order to avoid ‘MAD’ – Mutually Assured Destruction – but how, if at all, can this be replicated in cyberspace?
So fact or fiction? If you are in any doubt, I conclude with a short extract from ‘Cyber War’ by Richard A. Clarke, which may help you decide. “These military and intelligence organisations are preparing the cyber battlefield with things called ‘logic bombs’ and ‘trapdoors,’ placing virtual explosives in other countries in peacetime.” If you’re still undecided, read the book; thereafter I confidently predict your conclusion will be ‘fact’.
Steve Southern
Director
Amethyst Risk Management Ltd.