The other day I tried an exercise to see if I could characterize the various parts of the current discussion on cyberwarfare. I went through around two days worth of English-language articles on cyber events, cybercrime, and cyberwarfare. Looking at perhaps 70 in all from diverse sources, I found that only 16 were worth reading. Most of those not worth one’s time were variations of the “cyber is a big deal: no its not” argument. Even the 16 were not necessarily worthwhile because they were informative or thought-provoking. Some were disturbing and others odd. Interestingly, only a few pieces touched on economic warfare as I understand it. Cyber disruptions of manufacturing and commerce, not to mention economic espionnage, among many other things, ought to be a substantial and ongoing concern.
As of the end of October (as I learned has been CyberSecurity Awareness Month), here are some tendencies I see in media treatments of things cyber. The articles that they are partially based on (i.e., those from my exercise) follow in random order the EWI Digest and Blog.
THE STUXNET LIBEL
Lately, there have been a spate of pieces in print and on the Web that suggest that Israel and the United States have modified the Stuxnet malware that they are suspected of creating and using against Iran’s centrifuges to disrupt manufacturing in Europe and create other mischief. I predict this will linger. In the pieces that follow, you find this libel in articles by Richard Silverstein and the Voice of Russia.
CYBERWARFARE THEORY
To my dismay, I’ve learned that there is already an ongoing academic debate on whether cyber-whatever can be properly called warfare. Authors like Thomas Rid, Jeffrey Carr, and Sean Lawson (here following), largely dither about what Clausewitz would have said. Why they don’t bring Sun Tsu into it, I can’t say. The U.S. Government, eschewing theory, has said that it is prepared to respond militarily to cyber attacks. Our theoreticians can’t get far enough along to come to the conclusion that cyber attack could be a cause of war and, therefore, part of war. More interesting and important is the role of cyber operations in war. Rumor has it that the United States had considered cyber disruption of the Libyan command and control systems: this, to allow for risk-free bombing of military targets. At any rate, there’s a great deal to think about in terms of how cyber might be used in conjunction with non-cyber warfare. In my two-day survey, I came across nothing in that area. I did, however, see one thing new on the developing fears front.
DEVELOPING FEARS
For some time now, there has been considerable attention given to the threat of “Trojan chips.” The fear is that malware will get into computers thanks to compromised chip manufacturing, especially if done in Asia. Dennis Omanoff, Senior Vice President and Chief Supply Chain Officer at McAfee, points out something that is much less exotic and, therefore, a greater threat: supply chain vulnerability. The notion here is that computer and server shipments might be interdicted and have things put into them before they move on. I know enough about the insecure nature of container shipping to be worried.
CYBER THREATS AND MULTILATERALISM
It is well known that that the Russians, Chinese, and, of course, the Iranians (in their way) are all in favor of Internet censorship. Thanks to Anonymous, the ACLU, and millions of young hackers the world over, there is a strong force that opposes, for example, the Anti-Counterfeiting Trade Agreement and other Internet controls.
The Brits are hosting the London Cyber Conference on November 1-2. Reuters has a pretty good piece on the politics of the conference, which focuses on (I think can be said) the Brits’ own confusion as to what needs to be done and how to avoid offending the Chinese (thereby setting the possibility of any kind of agreement back 10 years). Whoever wrote the piece thinks that effective international cyber conventions are a decade off. I’m even more pessimistic. To me, cyber capabilities are like nuclear capabilities. Who can be talked into doing without them, especially since they’re in the hands of both state and non-state actors within states? Cyber conventions may be signed eventually, but these, even more than arms control agreements, will remind us of Ambrose Bierce’s definition of ‘peace’: “a period of cheating between two periods of fighting.”
Dare one say that cybercrime and cyber warfare is not conducive to enhanced multilateralism? I think so. No common “norms.” Take that Anne-Marie Slaughter!
CYBER PATRIOT ACT?
I ran across a very weak article, entitled, both paradoxically and provocatively “Security is Sexy.” It is a plea for no cyber-edition of the Patriot Act. It does show, however, the basic contradiction on the part of people of the author’s persuasion: security entities must not be allowed to hack, but the anonymous and self-appointed virtuous must be given carte blanche.
WHAT IS THE U.S. GOVERNMENT UP TO?
Through all I read, the U.S. government looks better than I expected. In addition to the assertion that cyber attack may bring military retaliation, we learn that Homeland Security, the NSA, etc., are hiring thousands of computer geeks. DOD now has its Cyber Command, and entities likes DARPA and IARPA continue apace. Janet Napolitano does, however, continue to talk out of both sides of her mouth, uttering hints about increasing threats while arguing that we’re really ahead of the game and have nothing to worry about. But even she is not afraid to use “China” and “cyberattacks” in the same sentence. FACTOID: [Dennis] “Omanoff cited statistics showing that McAfee reviews about 100,000 potential malware samples per day, identifies over 55,000 new, unique pieces of malware per day and identifies about 2,000,000 new malicious web sites per month.” Holy cow!
The most interesting estimate of what the United States is up to comes, most recently, from the Voice of Russia. The article’s title, “Cyber Warfare, Massive ‘Hacker-like Penetration’: The U.S. in Search of an Absolute Weapon,” is not off the mark. Anyone sensible about cyberwarfare would conclude, as is implied in the piece, that the advantage goes to the most aggressive and advanced in the cyber area. Because of state actors and non-state actors alike, cyber defense will never be absolute. But it sure would be helpful if our adversaries couldn’t secure their air defense systems and conceal their identities and locations.
TWO GREAT THINGS
I conclude this EWI Digest/Blog with two articles very much worth anyone’s time. I’ve run them previously, but read them now if you haven’t. The first is by Walter Russell Mead, that blogger of bloggers. He provides more insight into the problem of the cyber threat than anyone else I’ve read. The second is a Wired piece on how Râmnicu Vâlcea, in Romania, became an important center of international cyber crime. Read this and Stieg Larsson’s Girl with the Dragon Tattoo, and you’ll actually know what’s possible in the cyber realm.