Military Officer | 6.1.08
By Alan W. Dowd

In the unseen reaches of cyberspace, our enemies are quietly taking the postmodern form of warfare we witnessed on 9/11 to a new level: They are no longer just transnational—they are non-national, hiding and attacking in a world where there are no borders. They are no longer just stateless—they are place-less. And they are no longer virtually invisible—they are, well, virtual.

Which is one reason why some argue that a war waged in cyberspace, with streams of code rather than bullets and bombs, can’t hurt us. They’re wrong.

With irony befitting a Greek tragedy, the very thing that makes the United States and its allies so powerful—their mastery of new technologies and capacity to incorporate them into their political systems, economies and armed forces—also makes them more vulnerable to a crippling attack in cyberspace. Just ask our friends in Estonia.

Testing Times

It all started not in cyberspace but in the real world, after the Estonian government decided to relocate a Soviet-era war memorial. The decision incensed Russia, Estonia’s giant neighbor to the east. What followed has been called “Cyberwar I,” “Web War I,” “a digital invasion,” “a cyber-riot.”

In layman’s terms, cyber-savvy Russian nationalists unleashed a withering volley of “distributed denial of service” attacks that crashed Estonian websites with countless computer-generated “zombie” hits, flooded servers in Estonia with junk data, and, as The International Herald Tribune explained, overwhelmed “the routers and switches…that direct traffic on the network.” As many as a million PCs may have been enlisted in the attacks, most of them unwittingly.[i]

The cyber-salvos hit NATO ally Estonia especially hard because the tiny Baltic country is one of the most web-dependent places on earth. In fact, the Estonian parliament considers Internet access a “fundamental human right.”[ii]Wired magazine notes that 90 percent of bank transactions in what some call “e-Stonia” are carried out via the Internet.

The attacks, which lasted about three weeks last April and May, crippled Estonia’s communications infrastructure. They targeted newspapers, the mobile-phone network, the country’s 911 equivalent and the country’s largest bank,[iii] costing millions of euros.

In addition, key government websites were attacked, including the president, prime minister, parliament, foreign ministry and Federal Electoral Committee, which is critical in a country where voting is conducted online.

“It turned out to be a national security situation,” Estonian defense minister Jaak Aaviksoo concluded after the dust settled in cyberspace. Although he conceded that Estonia was “not able to prove direct state links,” he was quick to note that some of the attacks were traced to Russian government offices.[iv]

That helps explain why Estonian president Toomas Hendrik Ilves has suggested that NATO may need to update its 20^th-century defense commitments in light of this 21^st-century threat.

“Cyber-attacks are a form of offensive action that can paralyze, weaken, harm a nation-state,” he says. “This might be a test run for something bigger and larger,” he ominously adds, “just like the Germans tested out Stuka bombers in 1936 in Spain.”[v]

Drawing a different but no less sobering historical parallel, network-security firm McAfee asks, “Are we in the midst of a cyber cold war?”[vi]

NATO, which sent specialists to Estonia to carry out a battle-damage assessment, seems awake to the danger. With Estonia, Germany, Spain and the U.S. leading the way, the alliance is developing a Center for Cyber Defense in Tartu, Estonia. And for good reason: NATO reports that all of its member states have weathered cyberattacks of some kind in recent years.[vii] U.S. Ambassador to Estonia Stanley Davis Phillips calls the Center for Cyber Defense “an essential part of our efforts to combat this growing threat.”

If the Russian government was involved in the attacks, it would seem to qualify as an act of war. In fact, high-level Russian military officials have argued that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there [are] casualties or not.”[viii]

Even if it was renegade cyber-nationalists, as Moscow claims, then this amounts to terrorism or piracy, and Russia is obligated to punish those responsible.

Either way, Moscow must police its corner of cyberspace—for its own security and that of its neighbors. After all, whether or not Russia was behind WWWI, Estonia thought so, which opened the door to far graver consequences: an Estonian request that NATO invoke Article V, which could have led to an old-fashioned war.

Cyber-superpowers

Estonia wasn’t the only country to come under cyber-assault in 2007.

Around the same time as Estonia’s cyber-siege, several German government ministries, including the chancellery and foreign ministry, were penetrated by China. In interviews with Der Spiegel magazine, German officials blamed the People’s Liberation Army (PLA) for the massive attacks. Hans Elmar Remberg of Germany’s Office for the Protection of the Constitution pointedly used the phrase “Chinese cyberwar” in describing the attacks.[ix]

If the attacks on Estonia were intended to test Western defenses and intimidate the tiny Baltic nation, China’s attacks are aimed at stealing Western technology. “Across the world,” according to Remberg, “the People’s Republic of China is intensively gathering political, military, corporate-strategic and scientific information in order to bridge their technological gaps as quickly as possible.”[x]

In June 2007, for instance, the Pentagon was forced to disable email systems that serve the Office of Secretary of Defense, after it was discovered that the PLA had hacked into the system. Some 1,500 computers were taken offline.

After the cyber-attacks, Lt. Gen. Robert Elder, who heads the embryonic Air Force Cyberspace Command, reported that Beijing is striving to become a cyber-superpower stronger than the U.S. Indeed, Beijing’s growing cyber-warfare capabilities are no surprise to Pentagon planners:

• The Pentagon’s 2007 report on the military power of China notes that the PLA is establishing information warfare units and integrating computer network operations (CNO) into the wider military. Quoting China’s own strategy papers, the report warns that Beijing’s goal is “to weaken the enemy side’s information superiority” and ultimately field a force capable of “winning informatized wars by the mid-21^st century.”[xi] 
• In 2005, the Pentagon concluded that the PLA was expanding the role of CNO into military exercises. In addition, the Pentagon posited that Beijing might consider using electro-magnetic pulse to disable the information-dependent militaries of its enemies.[xii]
• In 2001, after U.S. and Chinese planes collided near Hainan, China attacked 1,200 industry and government websites.[xiii] That same year, the Congressional Research Service (CRS) reported that China was deploying a “Net Force” to complement the rest of its military.[xiv]
• In 1999, during the Kosovo war, Chinese cyberattacks defaced websites of several federal agencies.
• In 1998 and 1999, Washington uncovered hundreds of attempts by China to penetrate computer networks at U.S. nuclear laboratories. The Department of Energy was even forced to shut down part of its network for two weeks in 1999.

The bad news is that China is one of many waging cyberwar against the U.S. There were more than 37,000 attempts to penetrate U.S. government and industry networks in 2007,[xv] and CRS reports that at least 20 countries conduct operations against America’s swath of cyberspace.

The worse news is that America’s cyber-capabilities are not nearly as strong as they need to be. According to Gen. James Cartwright, who commanded U.S. Strategic Command (STRATCOM) until his recent appointment to vice chairman of the Joint Chiefs, “We lack dominance in cyberspace and could grow increasingly vulnerable if we do not fundamentally change how we view this battle-space.”[xvi]

Cartwright concedes that “America is under widespread attack in cyberspace.” Calling cyberspace “the nervous system of our country,” he warns that America’s “freedom to use cyberspace is threatened by the actions of criminals, terrorists and nations alike.”[xvii]

For instance, Pentagon spokesman Patrick Ryder confirms there are “millions of scans of the DoD Global Information Grid (GIG) per day.”[xviii] The GIG is crucially important to our nation’s security, as it allows U.S. forces and commanders to share and access information anywhere on earth.

An Air Force video provides a real-world example: The GIG enables a Marine in Iraq, an unmanned Predator drone flying overhead and its technician back in the States, a patrolling
F-18 pilot, and a commander far away from the front to communicate and collaborate on how best to eliminate an enemy sniper position—all in the span of two minutes.  

The result is what Air Force Secretary Michael Wynne calls “the new American way of war,” one that is “virtually dependent on cyberspace.”[xix]

Due to that dependence on cyberspace and our enemies’ determination to exploit it, Cartwright argues that it’s time to “apply the principles of warfare to the cyber domain.” That means cyber-attacks must be deterred and if necessary answered in kind.

“The defense of the nation is better served by capabilities enabling us to take the fight to our adversaries,” according to Cartwright.[xx]

Toward that end, Washington is moving on several fronts:

• Joint Task Force-Global Network Operations (JTF-GNO), under STRATCOM, has taken the lead in operating and defending the GIG—and pursuing “global information superiority.”
• Elder is standing up the Cyberspace Command. “I believe we’re going to be able to ratchet up our capability,” Elder predicts,[xxi] adding “We want to go in and knock them out in the first round” of a full-blown cyberwar.
• As Government Executive has detailed, the Army is soliciting “a wide range of offensive information tools.” Likewise, the Air Force is teaming with industry to develop cyber-weapons that “disrupt, deny, degrade or deceive an adversary’s information system.”[xxii]
• The Department of Homeland Security (DHS) is fielding what The International Herald Tribune cleverly calls an “information highway patrol,” including some 2,000 personnel, to protect America’s information infrastructure.
• In early 2006, just a year before the one-sided web war on Estonia, DHS led a preparedness exercise dubbed Cyber Storm, which enfolded numerous federal and state agencies, four foreign allies, seven power utilities, 11 IT firms, and STRATCOM, JTF-GNO and other nodes of the Defense Department.

Dark Days

According to CRS, 80 percent of U.S. commerce depends on the Internet, which means an Estonia-style attack on America could have grave economic consequences—both here and abroad.

Many of us fume when our mobile phones take an extra minute to roam for a cell, when the credit-card machine at the gas station goes down, when the nearest ATM is out of service, or even when we can’t connect to the web. Now, consider how three weeks of that would impact your life, your finances, where you work or bank, America’s economy and the global economy. It pays to recall that the U.S. is not some tiny country on the far edge of Europe. As our friends around the world say, “When America sneezes, we catch a cold.” Just imagine what would happen to the world if America went dark.

Add to that the dangers to public safety, public health and national security. After all, far more than commerce depends on cyberspace. DHS, for instance, recently released a video dramatizing the effect of computer attacks on the U.S. electrical grid. But we don’t have to imagine the impact of a massive power-grid failure. Just consider the chaos that followed the East Coast blackout in August 2003: As the BBC detailed at the time, New York, Detroit, Toronto and Ottawa went dark; there were riots in Ottawa; nine nuclear reactors were knocked offline; six major airports were shut down; hospitals and prisons lost power; cellular towers failed; millions baked in the sweltering summer heat—and none of this was the result of a malicious attack.

“Cyberwar doesn’t make you bleed,” as Ene Ergma, the speaker of the Estonian parliament, told Wired. “But it can destroy everything.”[xxiii]

This is no time for Y2K-style panic, but it is time for preparation. It is better to prepare for the worst and hope that we never experience it, than to prepare for the best and put our hopes in the self-restraint of those who wish us harm.

[i] Mark Landler and John Markoff, “In Estonia, what may be the first war in cyberspace,” International Herald Tribune, May 28, 2007.

[ii] Michael Lesk, “The New Front Line: Estonia under Cyberassault,” Security and Privacy, July/August 2007.

[iii] Arthur Bright, “Estonia accuses Russia of cyberattack,” Christian Science Monitor, May 17, 2007.

[iv] Mark Landler and John Markoff, “In Estonia, what may be the first war in cyberspace,” International Herald Tribune, May 28, 2007.

[v] See Ilves interview with Radio Free Europe/Radio Liberty, June 2007.

[vi] McAfee, “Cyber Crime: A 24/7 Global Battle,” www.mcafee.com/us/research/criminology_report/default.html, 2007.

[vii] Rhys Blakely and Jonathan Richards, “Report: World headed for cyber cold war,” The Times of London, November 30, 2007.

[viii] See Steven Hildreth, “CRS Report to Congress: Cyberwarfare,” June 19, 2001.

[ix] “China rejects renewed accusations of cyber spying,” Deutsche Welle, October 23, 2007.

[x] Ibid.

[xi] Defense Department, “Annual Report to Congress on the Military Power of the People’s Republic of China 2007.”

[xii] Defense Department, “Annual Report to Congress on the Military Power of the People’s Republic of China 2005.”

[xiii] Eric Lichtblau, “CIA warns of Chinese cyber-attacks on US,” Chicago Tribune, April 25, 2002..

[xiv] See Steven Hildreth, “CRS Report to Congress: Cyberwarfare,” June 19, 2001.

[xv] Rhys Blakely and Jonathan Richards, “Report: World headed for cyber cold war,” The Times of London, November 30, 2007.

[xvi] James Cartwright, Statements before the Strategic Forces Subcommittee of the Senate Armed Services Committee, March 28, 2007.

[xvii] James Cartwright, Statements before the Strategic Forces Subcommittee of the Senate Armed Services Committee, March 28, 2007.

[xviii] AFP, “Several countries trying to hack into US military system: Pentagon,” September 3, 2007.

[xix] John Prime, “Service chiefs expound on Cyber Command,” Shreveport Times, September 25, 2007.

[xx] James Cartwright, Statements before the Strategic Forces Subcommittee of the Senate Armed Services Committee, March 28, 2007.

[xxi] Jim Wolf, “China aims to top US in cyberspace: US general,” Reuters, June 13, 2007.

[xxii] Bob Brewin, “Cyber Wars,” Government Executive, October 24, 2007.

[xxiii] Josh Davis, “Hackers take down the most wired country in Europe,” Wired, August 21, 2007.