European Affairs

Healey’s own insightful 80-page narrative of the history of cyber conflict, a “first,” he claims, is particularly compelling, providing authoritative and well-sourced (to the extent that declassification and leaks have permitted) accounts of the major events in cyber conflict around the globe, commencing with the first known case of cyber espionage in 1986, when two German hackers got into the Lawrence Berkeley Laboratory computer system, extracted confidential materials, and sold them to the Soviets. This story was told in a 1989 book, “Cuckoo’s Egg,” by the astronomer Clifford Stoll, who was also responsible for catching the culprits. Healey reprints a fascinating 1989 piece by Stoll on the same subject of this classic “first shot” in cyber conflict. The Cuckoo’s Egg incident is cited by Healey as the first of a series of “wake-up calls” for the U.S. and others around the world about the dark and unintended consequences of the spreading dependence on the internet in all aspects of society, including the military and intelligence worlds.

Until recently, Healey says, these “wake-up calls” were largely ignored by U.S. military and civilian leaders as “noise in the system.” Increasingly problematic incidents included the “Morris Worm,” which infected and took down a large portion of the fledgling internet in 1988, and “Eligible Receiver,” a simulated attack in 1997 by an NSA Red Team which, without inside knowledge, penetrated classified military and intelligence systems. Specific incidents, however, would often elicit agonized calls of a pending cyber disaster, after which little was done. Healey traces the first use of the words “cyber Pearl Harbor” to 1991, 22 years ago, in testimony to Congress by Winn Schwartau, an expert on cyber terrorism. Leon Panetta repeated the refrain as Secretary of Defense last year when he said, “And as far as I’m concerned, that [cyber] represents the potential for another Pearl Harbor.” By this time the U.S. had mobilized the U.S. Cyber Command, with at least 800 staffers and headed by a four-star general. But Healey contends the serious reaction was unnecessarily delayed by ignoring or discounting the reality of threats over the years, perhaps because of an unwillingness to look back to the history of cyber conflict.

Healey argues that more careful study of the history of cyber conflict could have avoided some of the common misconceptions that form the conventional wisdom on the subject today. For example, he cites the common notion that because cyber-attacks take place at the speed of light, it is necessary to have a command structure that reacts quickly without time for reflection and strategic response. It is correct, says Healey, that specific attacks happen at light speed, just like the moves in an old-fashioned aerial dogfight, but that view overlooks the need for a strategic framework, the equivalent of an air campaign, that could stretch over weeks and months and requires a strategic analysis separate from the response to individual incidents. He notes that both the Stuxnet attack on the Iranian centrifuges and the Russian-based cyber-attacks on Estonia in 2007 took place over extended periods.

Another flawed notion in cyber, says Healey, is the idea that “attribution” is difficult in cyber-attacks because of the ability to route them from servers in locations other than the perpetrator’s home. True, says Healey, cyber-attacks can be disguised because of the nature of the internet. But in actual practice it is almost always clear and obvious where the attack is originating because of the surrounding political and tactical situation as well as other facts and circumstances particular to the incident. The more serious the attack, says Healey, the clearer the attribution will be.

Another insight Healey draws from the history of cyber conflict is that, despite the rising rhetoric about cyber “war,” that word is misused in talking about cyber conflict. There has not been a single death attributed to cyber conflict: “no smoking holes,” in the military vernacular. The destruction of several hundred Iranian centrifuges is the most serious physical damage created by cyber conflict to date. Healey doubts that real cyber “war” will be a reality any time soon because de facto deterrence already exists, based on the growing recognition that all-out cyber war could result in a sort of Mutually Assured Destruction. To increase deterrence, Healey advocates a much more vigorous U.S. posture in calling out nation states that deploy cyber espionage or other forms of aggressive cyber conflict, and the aggressive deployment of “active defense” or offensive cyber in response to nation-state and non-state actors. For too long, the U.S. has been reticent about Chinese cyber activity, usually referring to “advanced persistent threats” (APT) rather than identifying the perpetrator more directly.

“A Fierce Domain” skillfully chronicles the coming of age of the dark side of cyber and is a helpful effort to provide the useful teachings of history to a subject that has often been overinflated with hype and uninformed alarmist rhetoric.

“A Fierce Domain: Conflict in Cyberspace, 1986 to 2012,” by Jason Healey, editor, CCSA/Atlantic Council, 352 pages.