Cyber: Fifth Dimension of Warfare
By Michael Krull
Cyberspace is devilishly difficult to control. Every day, more than 12 quintillion bytes of information are generated worldwide (a quintillion is a billion billion). There are now more than 12 billion devices connected to the internet, and that is expected to grow to more than 50 billion devices in the coming decade.
Securing this proliferation of devices and data is increasingly difficult. The internet is used each and every day by people as they go about their lives in the 21st century: conducting commerce, doing their banking, consuming radio and television broadcasts, and sharing their music and photos.
In addition to the 800 million smartphones using the internet, information is generated over the airwaves by industrial controls, military and civilian aircraft and satellites, remote oil rigs and mining operations, security systems, cars, navigational devices, computers and even TVs.
Controlling all of this activity is computer code. Most computer program codes are hundreds of thousands of lines in length – or more. The more sophisticated the program, the more code. One flaw in this code has the potential to let unwanted people – hackers – in to take over or disable the program.
According to the Pentagon, cyberspace is the new and fifth domain of warfare, after land, sea, air and space. For centuries, militaries have been destroying the enemy by conventional means, such as catapults, cavalry charges, bombs, artillery barrages and airstrikes. Now, individuals or teams working in a small room can attack using only lines of computer code and a data line, without breaking a sweat or even seeing their target.
Securing cyberspace is a race between the good guys and the bad guys – white hats versus black hats. As in all other domains of warfare, the bad guys don’t have to play by the rules. In other words, the bad guys don’t need to bother with privacy concerns, intellectual property rights, and the other niceties that the good guys need to observe.
Yet, cyberspace and cyberwarfare are not confined to traditional combatants – the people we pay to do the fighting – and that is part of the problem. The same is true of attackers; they may or may not be affiliated with a nation-state or a military.
In the United States, private corporations, not governments, own roughly 85% of critical infrastructure. By critical infrastructure, we’re talking about power plants, oil refineries, logistics (trucking, rail, air) companies, agribusiness and food processing companies, telecommunications providers, media, etc.; in short, the companies which make the country tick. All of these are subject to attack, whether by a foreign government, terrorist group, criminal syndicate, anarchists, social “hacktivists,” or leisure hackers. Unlike a traditional military attack, the barriers to enter this arena are low – one doesn’t need to invest billions in military hardware to attack; one needs only a laptop and a good Internet connection.
Every hour of every day, there are attacks of one sort or another: corporate espionage, corporate or government spying, probing of an entity’s cyber defenses, leisure hacking and other kinds of accidental or malicious intrusions. These are aimed at both government entities and private corporations and could be perpetrated by anyone, anywhere.
General Keith Alexander, Director of the National Security Agency, acknowledged recently that China, through cyber intrusions and attacks, is actively stealing intellectual property not only of U.S. firms, but anyone who is thought to have information and intellectual property worth stealing to help Chinese economic and military advancement. China is not the only country or entity doing this.
What could be the result of a cyber attack on the United States? Like any attack, it depends on the intent of the attacker and the extent of the damage that the attacker is looking to inflict. An attack on a single company – a bank, say – could compromise passwords of those customers who do their banking online, or it could actually result in money being stolen. This has happened in the last two weeks in Europe.
If the attacker is looking for information that will help him or her, companies in the same industry may be the ones to attack, and since only information will be stolen – with no visible damage done to that information – the attack will be difficult to detect, depending on the sophistication of both the attacker and the attacked.
If an attacker – a nation-state, terrorist or anyone with the intent to inflict major damage or disruption – were to attack the nation’s power grid for example, the result would be chaos, and perhaps cascading chaos as systems dependent on electricity were to also fail and cause damage or disruption. For a small glimpse, witness the recent storm that hit Ohio, Pennsylvania, West Virginia, New Jersey, Delaware, Maryland and Virginia. Millions without power for days – close to a week for some. Still, there was a sense of order. But if it was a true attack, who knows how long it might take to find the malicious computer code and fix it, or if it would be one attack or a series of attacks?
How would political leaders respond to such an attack? What would be the public perception of the political response? The corporate response? Where would the line between political and private control over privately held critical infrastructure be once the problem was resolved? All questions with which we need to grapple – and quickly.
How do we defend against this growing threat? First, we need to recognize that it is a problem and take it seriously. Like any form of defense, the first action to take is to concede that there is a threat.
Secondly, companies and government entities should run robust intrusion prevention systems rather than intrusion detection systems. Intrusion detection is too late – the bad guys are already in and causing problems. Better to prevent them from entering in the first place and detect when they are trying to enter a computer network.
Finally, as a nation, we need to make it clear to any government or other entity that we will respond forcefully if we are subject to a cyber attack. It is well known that the President always has a military aide nearby with various scenarios at the ready, as well as our country’s nuclear launch codes in order to respond to a military strike against our country.
We should make it known that we also have thought through various response scenarios to a cyber attack, and that the President is prepared to respond to one as he would a traditional military attack. Granted, a cyber attack may not come from a nation-state, but we should make it known that we will hold governments responsible for rogue actors using their infrastructure for an attack on the United States or U.S. interests. It may take longer to respond, but we will respond forcefully. This was the case on September 11, 2001. We did not know who perpetrated the attack, but once we knew, we responded.
Michael Krull is a graduate of Luther College and Iowa State University. He has worked on disaster relief for the State Department, a major Washington, DC public relations and political consulting firm, and is currently working for American Solutions for Winning the Future. He is a member of the Council on Emerging National Security Affairs.