The power of nation-state actors in the cyber world has been coming into focus for some time. Richard Clarke’s 2010 book “Cyber War” on the cyber threat from nation states received wide attention. This trend became blindingly apparent this October, designated “National Cyber Security Awareness Month” in the U.S. It was the eighth such annual consciousness-raising effort by the Department of Homeland Security focused on the hydra-headed cyber threat. In this year’s crop of seminars, blogs and think tank sessions, the emphasis shifted strongly to the role of nation-states in potential cyber conflicts.
Clearly, the most credible and serious cyber threat today comes from nation-states. In this context, the center of concern is NOT Islamic (or other) terrorists -- who are sophisticated users of the Internet, but have shown little talent for opening up a cyber-front in their guerilla warfare. (Indeed, the corollary seems to be widely accepted – that such groups are to be handled by the lethal “kinetic power” of commando teams and drones.) In contrast, the state players in the cyber sphere are those contesting for real geopolitical power – countries such as the U.S., China, Russia, Ukraine, Iran, Israel, some European nations and others who have the capabilities and aspirations to operate in the arena of cyber attack and defense on national infrastructures, in the espionage efforts to steal economically significant intellectual property, in investment to develop deterrence through credible offensive capability and in the effort to gain a seat at any future table on cyber arms control.
As this issue moves up national security agendas, discussions have intensified across the Atlantic about the roles and approaches of the U.S. and the EU, about national initiatives on cooperation among all these states, including within the context of NATO. The U.S. staked out a new (and still rather preliminary) position this summer when President Barack Obama issued the first presidential decree on the subject of “International Strategy for Cyberspace.” The 25-page document made headlines by stating that the U.S. would regard a cyber attack with the same gravity as a conventional assault. “When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country,” it said. “We reserve the right to use all necessary means -- diplomatic, informational, military and economic…in order to defend our Nation, our allies, our partners and our interests…” In the wake of Iraq and Libya and other recent conflicts, there is no mistaking the meaning of the euphemism, “all necessary means.”
The policy paper evoked Article 5 of the NATO charter that requires all allies to regard an attack against any member as an attack against all. Without citing this NATO obligation by name, the U.S. document said that “we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners.”
Some of the resulting headlines were extreme and absurd, “Obama Reserves Right to Nuke Hackers” and “Hack Us and We’ll Bomb You.” But the policy paper did cut through, at least for an instant, what insiders complain is the “glaze” that often obscures attention to discussions of cyber threats as they become too theoretical, too recondite – and in any case devilishly difficult to assess. Historically, the U.S. declaration formally adds cyber as the fifth realm of national battle along with land, sea, air, and space. According to many insiders, the war has already been going on, as evidenced by a few known skirmishes (with others still buried in classified secrecy).
But cyber war does remain largely in the future tense, with the main players reluctant to cross the Rubicon to declared cyber war. As the New York Times reported last month, the U.S. seriously debated whether to unleash a “cyber offensive” in Libya against the Qaddafi government’s air-defense system. While details remain classified, the goal would have been to penetrate the firewalls of Libyan computer networks to disrupt communication links and prevent the transmission of radar information to missile batteries aiming at NATO planes. In the end, the cyber gun stayed holstered, partially because of fears that an attack would establish a bad precedent and partially because of doubts in the Pentagon about whether a cyber offensive would work on such short notice.
The cyber gun did come out in the covert war against Iran’s nuclear program when the “Stuxnet computer worm” was implanted as a destructive virus into Iran’s nuclear centrifuges last year, delaying the production of highly-enriched nuclear fuel (that could be upgraded to fissionable-quality isotopes). It is widely believed, but not absolutely established, that the U.S. and Israel were responsible for successfully deploying the computer code that sabotaged the Iranian systems. So it seems that the U.S., behind a web of anonymity, has already established the precedent of nation-state activity to physically destroy via cyber attack the infrastructure of another state. It is argued in Washington (and in European capitals and in Tel Aviv) that the potential Iranian nuclear weapons capability was deemed worth the risk. Nevertheless, elaborate steps were taken to leave no smoking gun traces of the intruder’s identity.
In this emerging context featuring the intervention of state actors, both the U.S. and the EU are acting on their perceived needs for credible cyber-warfare capabilities. The threat has now been spelled out in Washington as coming from Russia and China. So far, it has focused on economic warfare in the form of state-sponsored theft of industrial and defense secrets and other intellectual property by state-sponsored hacking by the regimes in these two countries, reportedly for multi-billion-dollar benefits a year. Behind this cost, there is the even larger potential issue of China or Russia attempting to use cyber threats in a crisis to intimidate other countries, notably states whose independence is supported by the West. And there have been penetrations of national security networks and networks that control critical infrastructure in NATO homelands.
As a result, NATO comes increasingly into the picture. Since 2009, the alliance has conducted annual “tabletop” cyber exercises (meaning small virtual war games) to simulate cyber attacks and threats testing the decision-making process among NATO member states. This year’s exercise will be conducted in December at the NATO cyber command inside the alliance’s overall headquarters in Mons, Belgium.
In June, NATO adopted a new Cyber Defense Policy and Action plan that goes beyond the basics in a cyber directive included in the Strategic Concept adopted by allied leaders in 2010 at the Lisbon summit conference. Details are classified, but the new policy focuses on response to cyber attacks not only on military targets but also on civilian and infrastructure targets. The new policy apparently brings up the question of an Article 5 contingency (of solidarity in response to an attack on one ally), but officials say that there is still considerable debate and discussion about how to define a cyber attack rising to this level and how to respond practically to the question of scope and “attribution,” especially in a situation involving “patriotic hackers,” who are used as surrogates for governments. All these new parameters will complicate a NATO response to a cyber attack, even one that seems clearly supported by a nation-state. Commenting on the status of this policy debate, Michelle Markoff, a senior State Department official, told a cyber-security conference in Washington that a cyber attack apparently perpetrated by a nation-state adversary was more likely to trigger NATO’s Article 4, which mandates close cooperation among NATO members but not necessarily an armed response.
A tangible development in NATO’s investment in this sector is the alliance’s research center on cyber war that opened two years ago in the Estonian capital, Tallinn. This Cooperative Cyber Defense Center of Excellence has a (growing) staff of thirty experts tasked to provide state-of-the-art research assistance to NATO countries working to develop cyber assets in their own national military arsenals. The center has no operational mission at present since NATO regards cyber defense as primarily the responsibility of the individual members -- a position that many officials predict may need rethinking in the future. For the moment, the center is sponsored by eight allied nations, and later this November the U.S. and Poland will sign on as official sponsors. (The U.S. has been supporting the Tallinn center until now with the presence of a Navy commander there.) The center’s Director, Estonian Colonel Ilmar Tamm, told “European Affairs” that the new full-fledged U.S. commitment will expand the center’s role.
The EU’s own cyber research unit is ENISA (European Network Security Agency) headquartered in Heraklion on the Greek island of Crete. It recently conducted the first EU-wide “simulation exercise” to prepare for better cooperation against the threat to critical systems from nation-state or other hackers). The exercise simulated a targeted stealth operation aimed at extracting secrets from EU member states’ cybersecurity agencies, and 20 European nations took part (along with experts from the U.S. Department of Homeland Security). The EU in the past has focused cyber security primarily on protecting personal privacy and the safety of database information from old-style hackers. But that focus is perceptibly shifting along the same lines as in the U.S. -- towards alarm about state actors.
The U.S. cyber war assets continue expanding, an expansion that has come in response to a rising tide of cyber attacks by other governments working through national means including so-called “patriotic hackers.” This expansion starts from a very low base, so total cyber expenses, while classified, are a tiny piece of the U.S. defense budget. But the effort is being driven up by the growing threat. McAfee, the U.S. security firm, released material last summer that it called the “hard evidence “ of a cyber-espionage operation that had penetrated 72 governmental and other organizations in the U.S. and elsewhere with the purpose of copying military secrets and industrial designs. The McAfee report was called “Operation Shady Rat” and offered circumstantial evidence pointing to China as the likely culprit. There have also been successful large-scale and successful cyber raids on Western technology secrets such as those last year reported and publicized by Google – and widely blamed on China. Beijing has denied any governmental complicity.
But such denials ring increasingly hollow as, time after time, sophisticated hacks indicate China as the only reasonable suspect. The Financial Times recently reported the existence of “cybermilitias” mobilized by the Chinese People’s Liberation Army to steal military and commercial secrets including intellectual property worth billions of dollars and even the design secrets of the neutron bomb, a once-touted weapon now abandoned by Western arsenals. These attacks have “a level of sophistication and are clearly supported by a level of resources that can only be a nation-state entity,” said Republican Congressman Mike Rogers, chairman of the House Permanent Select Committee on Intelligence. He held hearings this summer that elicited a chorus of demands for action against the Chinese government’s attacks. “I step back in awe at the breadth, depth, sophistication and persistence of the Chinese espionage effort against the United States of America,” testified Michael Hayden, former director of the CIA after his years heading the National Security Agency that handles communications intelligence. Rogers concluded: “I feel very comfortable saying that Chinese nation- state activities have led to the exfiltration of intellectual property at a staggering rate.”
In the past the U.S. government has seemed unwilling to directly confront Russia and China with accusations of government-sponsored cyber crime. But a new “gloves-off” approach may be at hand after a remarkably pointed and frank “j’accuse” report by 14 U.S. intelligence agencies in November: it gave Congress an assessment that named both China and Russia as leading actors in the theft of government and economic secrets over the internet. Despite the Obama administration’s hopes for a “reset” with Russia and its wider economic agenda with China, possible policy changes are being driven by evidence of the scale of Russian and Chinese economic theft conveyed in the report. It said that “the computer networks of a broad array of U.S. government agencies, private companies, universities and other institutions — all holding large volumes of sensitive economic information – are targeted by nation-state supported cyber espionage.”
It said that “Chinese actors are the world’s most active and persistent perpetrators of economic espionage...[and] Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.”
Russia, of course, was widely blamed for the 2007 cyber attack on Estonia that first brought into focus the role of national players in a world previously dominated by rebellious hackers, nihilists and criminals. (This epidode is chronicled in detail in a European Affairs piece). For two weeks Estonia's internet was essentially closed down. Because of the now widely-practiced use of proxy servers and other levers of anonymity on the net, there is still no conclusive “attribution” of the attack to the Russian government. But Jaak Aaviksoo, the Estonian Minister of Defense at the time of the attack, said recently at a Brookings Conference in Washington, “if it barks like a dog and looks like a dog it is likely a dog. I won’t say more because it is sensitive.”
Aaviksoo’s take away from that seminal event in large-scale cross-border hacking: “To be effective against a nation state hack you need a credible deterrent. You need to be able to respond with kinetic force.” Aaviksoo adds, “we have to [be ready to] act like the bad guys, meaning informally and not bureaucratically.”
Estonian Defense Minister Dr. Mart Laar takes a similarly tough-minded posture. “It is time to call evil by its name and to call out names of nations who support cyber crimes,” he told European Affairs this month, citing President Ronald Reagan’s decision to publicly call out the Soviet Union as an “evil empire” in 1982 as an important turning point for public attitudes in the cold war.
The U.S. is a nation highly vulnerable to cyber attacks because it is so dependent on networked control in both military and civilian infrastructure -- much more so than Russia or China, for example. The U.S. is therefore thought to be the most advanced in its cyber war capabilities both defensively and offensively. The offensive tools are shrouded in secrecy, although there seems to be some loosening of information on this -- perhaps because strategists explain that effective deterrence depends on a credible and known offensive counter threat. The Washington Post reported recently that the Pentagon has developed a list of cyber weapons and tools that can sabotage an adversary’s critical networks. Cyber technologies are being integrated into operational units in the field, coordinated by the newly-formed U.S. Cyber Command.
Given this trend, it is probably only a matter of time before the proponents of offensive cyber war prevail, and cyber weapons are deployed and used against an enemy. It is often said that in the history of warfare there has never been a weapon that was created and not used. The still-intense reluctance about deploying offensive cyber attacks because of fear of unleashing counter measures may be outweighed by the pressure of probing assaults that are continuously being discovered. Cyber threats from nation-states will thus continue to inject more pressure into the policy discussions across the Atlantic.
William Marmon, Managing Editor European Affairs