Winning in Cyberspace
Part three: Winning in Cyberspace
By James Adams
In August 1945, the US dropped two nuclear weapons on the Japanese cities of Hiroshima and Nagasaki, killing at least 129,000 people and causing damage that lasted generations. Six days after the bombing of Nagasaki, the Japanese surrendered and the possibility of the US sustaining heavy casualties through an invasion of Japan was averted.
This was the first use of nuclear weapons and it showed the world both the power and the threat of such weapons, beginning an arms race between the US and the Soviet Union that eventually embraced other countries. It could be argued that the threat of nuclear war has been the defining military and foreign policy concern of the last 70 years.
The many steps along the road to a nuclear capability and the exact status of each country’s nuclear arsenal have remained closely guarded secrets. Pakistan and India ran secret nuclear weapons programs for decades before testing a device. The threat of Iraq developing a nuclear weapon was sufficient to provoke a US invasion of the country. Fears about a nuclear arms race in the Middle East, with Saudi Arabia and Iran on the front line, have spurred huge international efforts to control further proliferation in the region.
But the reality of nuclear weapons, their potential for global carnage and the destabilizing effect of proliferation have concerned world leaders for generations. And there have been a few close calls to underline the threat.
For example, in 1983, the Soviet Union readied its nuclear forces (land, sea and air) for a preemptive first strike against the United States and its allies. The world was on the brink of nuclear war and it was all a huge misunderstanding.
For some years prior to 1983, Nato had run a communication exercise called Able Archer which was designed to simulate an escalation in tension between Nato and the Warsaw Pact that would culminate in allied forces going to DEFCON 1, the highest level prior to nuclear release. Such exercises were routine on both sides and each side generally alerted the other so that there were no misunderstandings. However, on this occasion, political rhetoric got in the way.
In Washington, President Reagan was leading the charge against what he termed the ‘Evil Empire’. In a speech in 1982 he declared: “Freedom and Democracy will leave Marxism and Leninism on the ash heap of history”. The words were accompanied by a major investment in psychological operations against the Soviet Union and its allies. Reagan’s words were heard loud and clear in Moscow where General Secretary Leonid Brezhnev and KGB head Yuri Andropov took him at his word. They believed that Reagan would launch a preemptive nuclear strike to create that ‘ash heap’.
And so the Soviets began Operation RYaN, a worldwide covert intelligence effort to understand when a nuclear attack was coming and what could be done to preempt it. In Britain, for example, the KGB were required to keep watch on government offices and report any changes in work patterns (lights burning at night were seen as particularly significant), and were told to report any stockpiling of food or preparations to use nuclear bunkers.
As Able Archer began, the Soviet leadership detected signs of differences in the usual process of the exercise and they took this as yet another signal that the US was using the exercise as a cover for a first strike (other signals misinterpreted in Washington were Reagan’s announcement of the Star Wars space defense program and the deployment of Pershing II intermediate range nuclear missiles in Europe). The KGB officers in the field faithfully reported what they knew their masters wanted to hear and the tension mounted. The Soviet leadership ordered the ballistic missile submarine fleet to be readied and the ICBM silos were also readied for launch.
Fortunately, the British Secret Intelligence Service (SIS) had in place a senior KGB double agent named Oleg Gordievsky, and he raised the alarm about imminent nuclear war. Urgent hot line conversations followed and the crisis wound down.
Two years later, Gordievsky had defected and SIS prepared a 50-page briefing on Soviet leadership thinking, which President Reagan read in its entirety. The result was a toning down of the anti-Soviet rhetoric out of Washington.
Although all this happened a long time ago, it’s worth mentioning because of the context in which it occurred. Already in place were a number of international treaties to limit the spread of nuclear and other weapons of mass destruction. There were regular exchanges between Warsaw Pact and Nato officers, observers were allowed on military exercises and a great deal of effort both privately and publicly was placed on establishing transparency. All of this was designed to prevent exactly the kind of misunderstandings that occurred in 1983 and brought us to the brink of destruction.
Flash forward 20 years to Iran.
Around 2004, Israel began raising the issue of Iran’s covert nuclear program. Israel claimed to have hard intelligence that Iran was determined to acquire a nuclear weapon and that if the country became a nuclear power, Israel would consider this a direct threat to its survival. The US agreed that a nuclear-armed Iran would be dangerous and would likely provoke a new arms race in the Middle East. Israel made very clear that it would take whatever steps were necessary to prevent the nuclear weapons program from succeeding. There had already been assassinations of key figures in Iran which were believed to have been carried out by Mossad, and Israeli intelligence had also been very active on the underground arms market, sabotaging some shipments of raw materials and destroying others. But none of this had been enough, and Tel Aviv said unequivocally that it was willing to bomb Iranian nuclear facilities just as it had done in Iraq.
To avoid such an escalation, it was agreed that the US and Israel would work together in an effort to sabotage the nuclear program using a cyber weapon. This was principally a joint effort by Tailored Access Operations (TAO), which is part of NSA’s Signals Intelligence Directorate, and Unit 8200 in Israel, with some additional assistance from the CIA and Mossad, who both had assets inside Iran’s nuclear program.
The result was a project codenamed Olympic Games, later known as Stuxnet, that involved inserting a piece of malware inside the nuclear facility at Natanz, where centrifuges were going to enrich uranium for nuclear weapons. It was a very complex piece of coding that had to be inserted into the Natanz network from a hard drive. But once inside, the bug was specifically designed to interfere with the Siemens computers that controlled the centrifuges. Instead of simply destroying the equipment, the TAO operators controlling the bug were able to inject apparently random flaws into the system. One day some centrifuges would speed up and disintegrate, while on another they might slow down and hardly function. For the Iranian computer operators, the bug was designed to send a fake ‘normal’ signal while everything was really falling apart.
Over the course of four years, the operation was a success with around 20 per cent of the centrifuges having to be replaced and the nuclear weapons program slowed by several years.
But then disaster struck as the bug leaked out from the closed Iranian network into the wild. Stuxnet was specifically designed not to cause damage to other networks but it was noticed and a number of security firms began to peel apart the code and to publish the results. At last the Iranians knew why their system had been experiencing such problems.
While the Stuxnet affair had certainly delayed Iran’s nuclear program by several years, it also blew the lid off any pretense that cyber warfare was not a fact of 21st century life. To the covert world, this had been apparent for years. America had a very good idea of the capability of some foreign countries, especially Russia and China, and they had a very good idea of America’s capabilities. But unlike with Hiroshima, there was little public knowledge about what was going on. They knew what we knew and we knew what they knew, but nobody else had a clue. And that’s pretty much how the intelligence community hoped things would remain. After all, the secret world is a natural place for the intelligence communities of the world to live and play.
But then Edward Snowden came along to disrupt all that secrecy. Snowden, a system engineer contractor for the NSA working in Oahu, Hawaii, carefully downloaded to a thumb drive thousands of documents classified Top Secret and above, and took them with him to Hong Kong. Over a period of months he met with a select group of journalists and released the documents which revealed that NSA had been secretly spying on Americans and storing millions of bits of personal information relating to phone calls and internet traffic. The purpose of the intercepts was so that NSA could correlate terrorist data to spot individuals or trends that might threaten America. The reality was that the NSA, Congress and the government lost much credibility with the American public and to many Snowden was seen as a whistleblowing hero.
Snowden also revealed that the NSA had launched 61,000 cyber attacks against hundreds of computers in China and Hong Kong. To those in the know, this was very much scratching the surface of what had actually been going on. TAO at NSA, with the assistance of the CIA, had carefully mapped the infrastructure of every nation from China to the Ukraine that might be considered a threat to the US now or perhaps in the future. In addition, the secret codes of many countries from Syria to France had been intercepted and decrypted. The personal calls of every major leader, whether friend or foe, had been routinely intercepted.
Some of this was of real value: if there was a secret meeting with top diplomats from Syria, for example, it was helpful to have bugs in their hotel rooms to listen to the before and after conversations and then to have taps on the diplomatic traffic so that the US side would be fully prepped not only on what was said publicly in the meetings but what the real (and supposedly hidden) agenda might be.
But Snowden also revealed a 50 page TAO catalog of tools and techniques that was a bible for any country wishing to follow in America’s footsteps. (It’s worth noting again here that whatever Snowden’s merits as a whistleblower might have been, he did enormous damage to America’s security. The release of the TAO document alone has provided several nations with a blueprint for action. It is certain that attacks against US infrastructure will be the result and several of our enemies now have the capability to cause great loss of life. Even so, not a single person inside the intelligence or national security structure has been held accountable for Snowden and his damage which has already cost billions of dollars.)
What really mattered about Stuxnet was not the tactical success of slowing down Iran’s nuclear program but the strategic importance of the unleashing of a weapon by America against another country that caused physical damage to its infrastructure. This was not just a matter of spying but of physical destruction which is normally limited to acts of war.
These activities were formally enshrined by President Obama in Presidential Policy Directive 20, which he signed in October 2012. The 18-page classified PPD, which was leaked by Snowden, defined both Offensive Cyber Effects Operations (OCEO) and Defensive Cyber Effects Operations (DCEO):
“OCEO can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.
“The United States government shall identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power, establish and maintain OCEO capabilities integrated as appropriate with other US offensive capabilities, and execute those capabilities in a manner consistent with the provisions of this directive.”
PPD-20 reflected two realities. First, the US had developed a significant cyber warfare capability and had successfully demonstrated its use. Aside from Stuxnet in Iran, the US had disrupted the Serbian command and control system in 1999 through a hack inserted from overseas and had attempted (and failed) to insert a Stuxnet-type virus to disrupt North Korea’s nuclear weapons program. Just as importantly, US intelligence was now very confident that its extensive mapping of foreign countries’ infrastructure, combined with its careful insertion over many years of a number of dormant cyber weapons, had given it a vast new capacity to wage war. This included the ability to turn off the electricity in many major cities, disrupt the water supply, disable command and control networks and prevent several armed forces from mobilizing effectively.
But the issue that had tangled government lawyers up in knots was what actually constituted an act of war in cyberspace or what were the triggers that would allow the US to act. After all, cyber weapons were quite different from launching a fighter jet or firing an artillery shell. Huge loss of life and extensive damage could be caused by a single keystroke that might be made to appear as if it came from a completely different country.
Second, from the beginning of this century, the US has grown increasingly alarmed at the capabilities of other countries and their willingness to deploy cyber weapons very aggressively. There was a swift lesson in cyber escalation to be had from Iran. Immediately after they understood the full scope of the Stuxnet attack, the Iranians set up their own cyber warfare unit. In mid-2012, the Iranians launched an attack on the computer network of Aramco, the jointly owned Saudi-American oil company, and shut down 30,000 computers. Two years later, the same Iranian hackers attacked the Las Vegas Sands hotel, which is owned by Sheldon Adelson, a staunch supporter of Israel who had advocated an Israeli nuclear strike in the Iranian desert to discourage Iran’s nuclear program. The hackers destroyed 20,000 computers and left behind a message that read: “Encouraging the use of weapons of mass destruction under any condition is a war crime.”
Just as important is what Iran did not do. In 2013, Iranian hackers gained access to the control system of the Bowman Avenue Dam, which is used for flood control near Rye in New York state. In that instance, the hackers gained access through a cell modem, and while the dam is insignificant, the intrusion was just one of 295 hacks into industrial control systems in 2015. The challenge with such attacks is that we know exactly the kind of damage that can be caused by, for example, raising the sluice gates on a dam and flooding the populated valley below. We know because we have the capability and the plans to do exactly that against foreign targets in the event of war.
Today, there are around 60 countries with dedicated cyber attack capabilities. Of those countries, China and Russia lead the charge. What those two countries have in common is size (they have large resources of people, money and technology) and command economies where corruption is the rule rather than the exception. This means a blurring of the lines between national security and personal or national economic advantage. For more democratic countries, this blurring of the public and private sector lines poses a particular set of problems.
According to General Keith Alexander, the former Director of NSA, the loss of industrial information and intellectual property through cyber espionage constitutes “the greatest transfer of wealth in history.” According to Alexander, US companies lose around $250 billion a year through intellectual property theft, with another $114 billion in cybercrime, a number that rises to $338 billion when the costs of downtime due to crime are taken into account — an annual figure that dwarfs the economic impact of the 9/11 attacks.
“That’s our future disappearing in front of us,” said Alexander. “What we need to worry about is when these transition from disruptive to destructive attacks which is going to happen. We have to be ready for that. This is even more difficult than the nuclear deterrent strategies we used to think about in the past.”
Among the companies or organizations that have been attacked successfully are Google, which lost priceless source code to China; Booz Allen; Mitsubishi; Sony, which had the details of 47,000 actors along with executives’ salaries released on the web by North Korean hackers; AT&T; Visa; Stratfor, a security company; the US Chamber of Commerce; Symantec, another security company; Nissan; Visa; Mastercard; and Juniper Networks, which provides encrypted communications for various government agencies and was hacked for three years before the penetration was discovered. In what must be one of the most spectacular hacks, the Office of Personnel Management learned in mid-2015 that the records of 21.5m Americans had been compromised, including the background checks on thousands of government and intelligence community employees.
An interesting situation was raised by the Sony hack. There is some debate about whether NSA knew about the attack as it unfolded (the North Korean networks are heavily penetrated) or whether it simply became clear after the event, like so many situations at NSA. What is certain, though, is that NSA would have confronted a dilemma if it had known as it was happening. However serious the potential damage, notifying Sony would have been against the rules. Sony, after all, is a foreign-owned company in the private sector, which counts as two strikes against it. Yet many of the probes and attacks that have unfolded in recent years have been against the private sector, including Wall Street and utility companies, where an attack could be devastating. Surely, the rules by which intelligence is gathered and distributed no longer reflect the realities of cyberspace.
Easily the most aggressive nation in the cyber world is China where cyber espionage is a major asset of the political, military and economic communities. Given the corruption in China and the involvement of the State Security apparatus in many businesses, it is often difficult to distinguish between private sector activities and those of the Chinese intelligence community. Chinese hackers have stolen design information for more than 24 major U.S. weapons systems, including Army and Navy missile defense systems, the Navy’s new littoral combat ship and the $1.4 trillion F-35 Joint Strike Fighter. The loss of this information places U.S. weapons systems and personnel at risk while saving China billions in weapons development costs.
But it’s not just the military and our war fighting technology edge that is at risk. China has either tried or succeeded in breaking into many of the Fortune 100 companies in America, has roamed through the Wall Street financial networks, stolen source code from many technology companies including Google and Adobe, and has enough information about and access to our critical infrastructure to cripple the United States in the event of war. The number of ships, tanks and missiles that America has in its arsenal matters little if, before the first shot is fired, America is prevented from waging war.
The most important public study of Chinese government hacking was released by the security firm Mandiant and titled APT1. The 74-page report detailed the activities of the 2nd Bureau of the People’s Liberation Army General Staff Department’s 3rd Department, known as Unit 61398. According to Mandiant, the Unit is staffed by hundreds, perhaps thousands, of people and since 2006 has compromised 141 companies across 20 major industries. The average attack maintains access to a victim’s network for a year, with the longest access lasting five years.
Every US ally — indeed every country with any technology assets of any kind — has also been robbed blind by China. As part of this systematic pillage, it is the view of western intelligence agencies that every piece of technology sold by any Chinese company is suspect. Computers have embedded within them chips that can read, store and then remotely send every piece of data that travels across the device. Every cellphone is similarly infected. This gives China access to the personal data of thousands of firms and millions of people.
Daily, the US receives more than 1m attacks from offices run by the People’s Liberation Army and similar efforts are made against every single country that has technology worth stealing. It is this cyber espionage that has fuelled China’s meteoric rise to a global economy. The nation has invented very little but has stolen almost everything.
So alarming has this become that President Obama raised the issue of cyber attacks at a summit meeting with Premier Xi Jinping of China in September 2015. After the meeting, it was announced that both sides had agreed not to hack each other’s companies for commercial advantage. This was a very one-sided deal, as US intelligence agencies do not hack other countries’ systems in order to pass the information on to an American company for commercial advantage. In any event, since the deal was signed there has been no reduction in the level of attacks from China, nor will there be until there is some penalty for the attacks, which are currently running at a rate of hundreds a day.
The troubling aspect of all this is that none of it is really new. Beginning in the last decade of the 20th century, in both Russia and China strategy papers were being written that spelled out the future of cyberspace as an opportunity to obtain leverage against America and its allies. In both countries, it was recognized that in a straight race against America neither could hope to compete, but if cyber were brought into play, then it would be possible to leapfrog over America’s technology advantages. Indeed, if employed correctly, cyber weapons could prove the decisive factor that would level the playing field and even give real advantage to the countries with command economies, where there is a blurring of any distinction between the public and private sectors.
Sadly, everything has played out as those strategists predicted. For the cyber pillaging to be addressed, we need a new policy that is more than just asking other countries to behave as we would wish them to. The nuclear arms race created a whole international structure of treaties, monitoring and compliance, with heavy penalties for countries that did not obey the rules. Cyberspace demands the same recognition and the same international leadership if anarchy, chaos and potentially very heavy loss of life are not to be the end game.
Equally, the parallels between the nuclear arms race and the cyber arms race can be overdrawn. This is not just about developing an effective deterrence strategy with mutual assured destruction as the consequence of failure. America is the most interconnected and therefore the most vulnerable country to attack, and there is no deterrence, especially an undeclared capability, that will prevent attacks from other nations.
Cyber is different, too, because it is the proverbial death by a thousand cuts. If we continue to lose $350 billion in economic value each year, our position as a leading economic power is being eroded rapidly while the economic power of the cyber attackers continues to grow at our expense.
And that takes no account of the possible action of modern terrorists who understand the potential of cyber warfare to leverage their impotence on the conventional field of battle.
Aside from President Obama’s meeting with the Chinese premier, there have been numerous public and private discussions and conferences between countries, and between countries and market states (large international companies). There has been much talk about a public-private partnership between industry and government, but there is wariness on both sides. The intelligence community’s culture of secrecy on the one hand and the private sector’s concern about abuse and leaks (see Snowden) on the other mean that little progress has been made. Indeed, the same conversations are happening in 2016 as began in 2000, with almost no difference in content and tone.
Here are some suggestions for de-escalating the war in cyberspace and creating some rules of the road.
1. As a national priority, the US will establish a public/private partnership to evaluate and maintain a vibrant and independent manufacturing base for all essential components of information technology, to include processors and semiconductors of all kinds and related hardware and software. The pace at which China is buying our cyber capability puts at risk our ability to defend ourselves in the future.
2. Such a partnership only works if the government recognizes that cyber intelligence is a national asset and that the old boundaries between national security (the armed forces and government) and the private sector no longer apply. Trust will begin with the intelligence community learning to share its knowledge. As Edward Snowden revealed, NSA has developed some astonishing and world-class cyber capabilities. Some of those capabilities could be very helpful to the private sector in mounting a more effective defense.
3. Agility has always been one of America’s strengths, but holding on to the old ways of doing business has created inertia and does not serve the nation. America should always move faster than command economies, and failure to do so suggests strategic weakness. To combat this, the intelligence community and the private sector must learn to fight a common enemy together. CyberCom should become a true national resource with participation from private sector security companies as well as the public sector. Offense is the realm of NSA, but defense is a common challenge confronted by the nation as a whole.
4. Unilaterally, America should announce the terms for a new Cyber Espionage Treaty. It is unrealistic to expect countries like China and Russia to abandon practices they deny doing in the first place and which are integral to their economic success. But an international treaty will bring visibility to a problem that has been too little discussed.
5. The Treaty would allow for cyber espionage against military targets but not against economic targets. Trade secrets would remain protected. Governments would be responsible for enforcing within their territory against private malefactors.
6. Meanwhile, institute a “No First Use Policy” involving physical damage or loss of life in recognition of the fact that we have already reached a point of mutually assured cyber destruction.
7. Prohibit by treaty attacks on the internet backbone itself, a lifeline for information and commerce for all civilized nations.
8. The Treaty would also give governments the authority to defend private companies from attack.
9. Right now, attacks have no consequence and so are risk free. America needs to develop an attack response that is calibrated to force an attacker to weigh up the consequence of an action. This is not deterrence in the conventional sense but is warfighting and we are already engaged in a war which we are losing.
10. An international cyber court would adjudicate breaches of the agreement and enforce punitive penalties in the form of cash or trade sanctions.
11. A new international covert intelligence capability would be established to aggressively pursue breaches of the Treaty and to attack countries which failed to sign but committed cyber attacks.
12. In the event of war, a second cyber treaty would establish the rules for warfighting. For example, under what circumstances would America raise the sluice gates on the dams of the Yangtse River in China, killing a million people, or under what circumstances would China turn off all the power in Chicago in the middle of winter, killing very large numbers? We need to establish some rules for this new dimension of warfare.
13. There would also be rules for space assets, both commercial and intelligence.
14. The treaty would include new rules to control Artificial Intelligence research and deployment.
15. Congress needs to provide leadership on the whole cyber issue. A kindergarten is required by laws passed by Congress to install a fire suppression system, keep a first aid kit, put EXIT signs on every door and practice evacuation in the event of a crisis. Despite the enormous cost of cyber attacks to the nation, Congress has been largely absent from the conversation, with no meaningful legislation passed in the last 30 years. The nation should be able to look to Congress for legislation that establishes minimum standards for the protection of cyber assets, just as it does for physical assets. It is a travesty and a betrayal of the national trust that this has not already happened.
Much of this action depends on the willingness of the sprawling US intelligence community to embrace a different way of doing business. The historical record does not provide encouraging signs that the community is willing or able to change enough to get the cyber job done. But change is possible and urgently needed. Just why this is so and what might be done, I will address in the next section.