The Specter of Cyberwar, Part II


Staff Sgt. Alex Garviria, 721st Communication Squadron senior systems controller, and 2nd Lt. Rachel James, 721st CS crew commander, work in the Global Strategic Warning and Space Surveillance System Center at Cheyenne Mountain Air Force Station, Colo., Sept. 2, 2014. (U.S. Air Force photo by Airman 1st Class Krystal Ardrey)

For more than 20 years, experts have warned of the potential for cyberwar. Today, as more countries develop and operationalize offensive cyber capabilities and new geopolitical challenges emerge while longstanding conflicts persist, is cyberwar the serious threat that experts have long warned of? Part I of this two-part series examined significant historical and recent developments in cyber conflict. Part II examines ongoing issues and the potential effects of a cyberwar.

Imagine widespread power outages, train derailments, midflight airplane collisions, paralyzed financial markets, and toxic clouds from manufacturing facilities released over cities. This is all part of an imagined cyberwar scenario described by Richard A. Clarke in his 2010 book, Cyber War: The Next Threat to National Security and What to Do About It.

Critics labeled Clarke’s account “hyperbole,” “fear mongering” and “fiction.” Yet, no one criticized Clarke’s account based on its technical feasibility — merely its tone.

Within two months of the book’s publication, researchers discovered Stuxnet, the complex malware widely attributed to a joint U.S.-Israeli operation, which disrupted Iran’s uranium enrichment program by sabotaging the programmable logic controllers driving its centrifuges. Stuxnet has been called the world’s first “cyber weapon.”

Since 2010, many of the technological systems that factored into Clarke’s account have been found to be vulnerable or have been successfully attacked in the U.S. or abroad. There have also been findings and events not imagined by Clarke.

Persisting Cybersecurity Vulnerabilities

The following summary of facts, findings and events could provide insight into aspects of how cyberwarfare might unfold.

Industrial Control Systems

Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, which run applications ranging from the electric power grid to transportation, are increasingly reachable from the public internet. In research published in 2016, cybersecurity firm Kaspersky warned of the risks posed by U.S. ICS components exposed to the public internet.

Stuxnet successfully targeted so-called “air-gapped” ICS, networks disconnected from the public internet; it crossed the gap on infected removable media and then spread internally to the engineering workstations used to program the controllers. Reaching air-gapped ICS is significantly harder than attacking ICS reachable from the public internet, which is why internet exposure of control systems matters.

In December 2015, the Wall Street Journal, citing a former government official, reported that Iranian hackers had gained access to the control system of the Bowman Avenue Dam in Rye Brook, N.Y., in 2013. The dam’s sluice gate had been manually disconnected for maintenance at the time, so the intrusion caused no physical damage.

In December 2015 and again in December 2016, Ukrainian power utilities were hacked. The 2015 attack was the first known to cause outages in a country’s power grid. In both cases, Ukrainian officials said the attackers targeted ICS/SCADA systems in substations. Ukrainian President Petro Poroshenko has accused Russia of “cyberwar”; Russia denied the allegation.

The U.S. Department of Energy, in the second installment of its Quadrennial Energy Review released in January 2017, reported that the U.S. grid “faces imminent danger from cyberattacks”:

In the current environment, the U.S. grid faces imminent danger from cyberattacks. Widespread disruption of electric service because of a transmission failure initiated by a cyberattack at various points of entry could undermine U.S. lifeline networks, critical defense infrastructure and much of the economy; it could also endanger the health and safety of millions of citizens.

The Internet’s Domain Name System

The Domain Name System (DNS) is the technology that translates human-readable names (e.g., fifthdomain.com) into the numeric Internet Protocol addresses (e.g., 192.0.2.1) that computers actually connect to. On Oct. 21, 2016, an unknown actor conducted a large-scale distributed denial of service (DDoS) attack against Dyn, a New Hampshire-based company that operates authoritative DNS servers on behalf of businesses.

A DDoS attack uses networked devices under a hacker’s control (i.e., a botnet) to send a high volume of network traffic to a target (e.g., a web server). The volume of traffic overwhelms the target and makes its resources (e.g., websites) unavailable to users. The DDoS attack on Dyn temporarily prevented people in the U.S., Western Europe and Australia from reaching popular websites, including Twitter, PayPal and Netflix. The websites themselves stayed up; because their names could not be resolved, users could not find them. Sites that relied on Dyn as their sole DNS provider had, in effect, a single point of failure.

The Dyn attack, which some observers estimated to have reached 1.2 terabits per second (Tbps) but which Dyn could not confirm, came within a month of two other record-setting DDoS attacks. One was a 665 gigabits per second (Gbps) attack on security journalist Brian Krebs’s website on Sept. 20 and another was a 1.1 Tbps attack on Minecraft servers hosted by French hosting company OVH on Sept. 19. By comparison, all three DDoS attacks more than doubled the prior largest known DDoS attack, a 300 Gbps blitz on Spamhaus in 2013.

The attacks on Dyn, Krebs and OVH were all enabled by malware called Mirai, which recruits internet-of-things (IoT) devices such as cameras and home routers by scanning for exposed Telnet services (ports 23 and 2323) and logging in with a short hard-coded list of factory-default credentials. Once infected, the devices can be directed to flood targets with network traffic. Mirai’s source code was publicly released in the fall of 2016, and Mirai and similar malware (e.g., Leet) remain active in the wild.
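The two Mirai-era behaviors described above, recruitment by Telnet scanning and the resulting volumetric flood, both show up in ordinary network flow records. The following is an added example, not code from the original article or from any of the companies named in it: a small flow-record triage script run over constructed sample flows. The record format (“timestamp src dst dport bytes”), the 1 Gbps and 20-source thresholds, and the 10-target scanner threshold are assumptions chosen for the demonstration, not values from the page.

```python
"""Flow-record triage for two Mirai-era signatures: a volumetric flood against
one destination from many sources, and a single host probing Telnet across many
destinations (the recruitment scan). Sample data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}  # Mirai's scanner targeted both


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse 'ts src dst dport bytes' lines (assumed export format)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def detect_volumetric(flows, gbps_threshold=1.0, min_sources=20):
    """Per destination, find the one-second window with the highest inbound
    rate; alert when it exceeds the threshold AND the traffic is spread across
    many sources (the 'distributed' part that separates a DDoS from one noisy
    peer). Thresholds are assumptions for this demo."""
    per_sec = defaultdict(lambda: {"bytes": 0, "srcs": set()})
    for f in flows:
        bucket = per_sec[(f.dst, f.ts)]
        bucket["bytes"] += f.nbytes
        bucket["srcs"].add(f.src)
    alerts = {}
    for (dst, ts), bucket in sorted(per_sec.items()):
        gbps = bucket["bytes"] * 8 / 1e9
        if gbps >= gbps_threshold and len(bucket["srcs"]) >= min_sources:
            cur = alerts.get(dst)
            if cur is None or gbps > cur["peak_gbps"]:
                alerts[dst] = {"ts": ts, "peak_gbps": gbps,
                               "sources": len(bucket["srcs"])}
    return alerts


def detect_telnet_scanners(flows, min_targets=10):
    """Hosts contacting many distinct destinations on Telnet ports: the
    outbound signature of an already-infected device hunting for more."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in TELNET_PORTS:
            targets[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def build_sample() -> str:
    """Constructed flows (documentation/test address ranges only)."""
    base = 1477065600  # arbitrary epoch second
    lines = ["# ts src dst dport bytes",
             f"{base} 192.0.2.10 203.0.113.80 443 52000",        # benign HTTPS
             f"{base + 5} 192.0.2.11 203.0.113.53 53 512"]       # benign DNS
    # 40 bots each pushing 30 MB/s at a resolver for two seconds = 9.6 Gbps.
    for sec in range(2):
        for i in range(40):
            lines.append(f"{base + sec} 198.51.100.{i + 1} 203.0.113.53 53 30000000")
    # One infected host probing Telnet on 25 neighbors with tiny flows.
    for i in range(25):
        port = 23 if i % 2 == 0 else 2323
        lines.append(f"{base + 3} 192.0.2.77 203.0.113.{100 + i} {port} 96")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sample = parse_flows(build_sample())
    for dst, a in detect_volumetric(sample).items():
        print(f"FLOOD  {dst}: {a['peak_gbps']:.1f} Gbps from {a['sources']} sources at t={a['ts']}")
    for src, n in detect_telnet_scanners(sample).items():
        print(f"SCAN   {src}: Telnet probes to {n} distinct hosts")
```

The benign DNS lookup to the same resolver is deliberately placed outside the flood window so the flood alert reflects only bot traffic; in production the source-count test is what keeps a single misbehaving client (or a legitimate traffic spike from one partner) from tripping the flood rule.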

Air Traffic Control Systems

In 2015, the U.S. Government Accountability Office (GAO) released a report warning the U.S. Federal Aviation Administration (FAA) about vulnerabilities within the air traffic control system. The report identified insufficient technical safeguards, such as access control, user authentication, and data encryption.

In addition, the report found that the FAA’s required implementation of a security program, as required by the Federal Information Security Management Act of 2002, was incomplete. The FAA had also failed to update its information security strategic plan to “reflect significant changes in [its] environment, such as increased reliance on computer networks.”

Weapons Systems

In December 2016, cybersecurity company CrowdStrike reported on an Android application package (APK) (filename: “Попр-Д30.apk”) that had been “trojanized” with a variant of X-Agent, a well-known remote access toolkit that CrowdStrike claims to have linked to Russian intelligence. A “trojanized” application is a legitimate app repackaged with hidden, typically malicious, functionality; it looks and works like the original, so users have no reason to suspect it.

The original (non-malicious) APK was developed by Yaroslav Sherstuk, an officer in Ukraine’s 55th Artillery Brigade, to help soldiers select target locations. Sherstuk’s APK has been downloaded by an estimated 9,000 Ukrainian soldiers. CrowdStrike claims the malicious APK is capable of “retriev[ing] communications and gross locational data from an infected device [that] makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.”

CrowdStrike also reported that, since 2014, “Ukrainian artillery forces have lost over 50 percent of their weapons in the two years of conflict and over 80 percent of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal.”

Some have challenged CrowdStrike’s findings, including one security researcher and Sherstuk, who told the Associated Press the CrowdStrike report was “rotten information.” CrowdStrike has stood by its research. Debate aside, experts say this type of hybrid cyber-kinetic attack is likely the future of warfare.

Despite these facts, findings and events, there remains debate about how exactly these security vulnerabilities might factor into a cyberwar. Much of the uncertainty stems from ambiguous or conflicting policies, laws and international norms — or the lack thereof.

The Ambiguities of Cyberwar

Experts disagree on fundamental issues surrounding cyberwarfare, including the language that should be used to characterize it. Thomas Rid, author of Cyber War Will Not Take Place, urged caution on current cyberwar dialogue, which often emphasizes violence. Rid observed that no one has ever been killed or injured by a cyberattack.

To date, such warnings have not succeeded in changing the tone or tenor of discussion. In 2014, P.W. Singer, author of Cybersecurity and Cyberwar: What Everyone Needs to Know, observed that “Cyber Pearl Harbor” or “Cyber 9/11” had been referenced over 500,000 times in the media and government speeches.

In addition to the language of cyberwarfare, experts are unclear or disagree on basic concepts, such as the precise definition of cyberwarfare and what constitutes an act of cyberwar.

The Absence of a Comprehensive U.S. Cybersecurity Policy and Strategy for Cyber Deterrence

One potential challenge facing U.S. Cyber Command is the absence of a comprehensive U.S. cybersecurity policy and cyber deterrence strategy.

One of the first recommendations for a cybersecurity strategy emerged from the Presidential Commission on Critical Infrastructure Protection in October 1997. The so-called Marsh Report, named after the commission’s Chairman Robert T. Marsh, “found no evidence of an impending cyberattack,” but it did find “widespread capability to exploit infrastructure vulnerabilities. The capability to do harm — particularly through information networks — is real; it is growing at an alarming rate; and we have little defense against it.”

More than 19 years later, in opening remarks for a Jan. 5 U.S. Senate Armed Services Committee hearing on alleged Russian hacking of the 2016 presidential election, Sen. John McCain, R-Ariz., noted, “Our nation has had no policy, and thus no strategy, for cyber deterrence.” He called on Congress to develop a national policy.

For its part, the Obama administration has produced notable, if piecemeal, cyber policy studies and recommendations.

In July 2016, the White House published Presidential Policy Directive 41, which addresses “Cyber Incident Coordination.” In December 2016, the White House published the 100-page Report on Securing and Growing the Digital Economy by the Commission on Enhancing National Cybersecurity. The National Institute of Standards and Technology’s 2014 rollout of its voluntary Cybersecurity Framework was praised by the U.S. technology industry, although adoption by the private sector has been slow. Private sector adoption is key since “over 80 percent of U.S. information technology infrastructure is privately owned and operated,” according to CIA Director John Brennan. Yet nothing to date has approached a comprehensive policy or strategy.

In a Jan. 11 press conference, President-elect Donald Trump said his administration would produce a report on “hacking defense” within 90 days of taking office. Details on the objectives and substance of the report were sparse.

The Uncertainty from Differing Cyberwar Norms

Another cause of uncertainty is the absence of international norms. In Cyber War, Clarke noted that countries are guided by different doctrines on acceptable tactics and targets for cyberwarfare. For example, Clarke described a fictional cyberwar simulation in which the president prevents U.S. Cyber Command from attacking an adversary’s financial systems or civilian air traffic controls. However, depending on the adversary, the U.S. might not be able to expect the same restraint.

To the public’s knowledge, the U.S. military has never launched a cyberattack against another country’s financial infrastructure. However, Russia has been accused of conducting cyberattacks against the financial infrastructure of Estonia in 2007 and the country of Georgia in 2008.

In Cyber War, Clarke summarized a book written in 1999 by two colonels in China’s People’s Liberation Army. Unrestricted Warfare, Clarke wrote, “proposes a strategy of ignoring the traditional rules of conflict, including, at its extreme, the prohibition on targeting civilians.”

Most recently, Russia’s alleged hacking of the 2016 U.S. election illustrated how countries adopt different cyber tactics. The incident raised hope among some that it will spur more discussion toward establishing international norms.

The Fifth Domain

The issues summarized in this two-part series are just some of what Fifth Domain will be reporting on and analyzing in its future coverage. Cyberwarfare and cybersecurity are broad, complex, important and rapidly evolving areas of national security. The aim of Fifth Domain is to inform and educate our readers on these important topics as they change.