While the Defense Department struggles to find ways to organize, train and equip America's cyberwarriors, its leaders ignore one basic question: why should they be the ones to do the job?
Speaking at the Air Force Association's annual conference outside Washington, Secretary of the Air Force Michael Donley tried to justify the decision to cancel production of the F-22 fighter jet by saying that the last time an American soldier was attacked from the air was in 1950 in Korea, and the last time an American soldier was attacked in cyberspace was a second ago. As far as it goes this is perfectly true, but so far, no one killed by cyberwar has been buried in Arlington.
Like terrorism, cyberwar overlaps both crime and conventional war. Unlike terrorism, which is a political act of war, cyberwar has evolved from hacking and still uses tools and techniques devised by hackers.
In a 2006 speech, former Air Force Secretary Michael Wynne described the cyber enemy as "hackers, cyber-vigilantes, terrorists, and even hostile nation-states." He might have added blackmailers and various other species of cyber criminals. However, only nation-states and terrorists are the proper concern of the military. Hackers and criminals are already being targeted by law enforcement agencies.
Hackers seek out vulnerable points inside internet-linked computers to create so-called "First Day Exploits"; with enough of these, they can create a "botnet" which might include hundreds of thousands of infected machines. "Botnet" is a term for a collection of software robots, or "bots," and often refers to a collection of compromised computers. The botnet can be used both offensively and for espionage purposes -- without the owners of the machines even recognizing that their systems are being invaded this way.
It may turn out that the military should play only a small part in the government's overall cyber security operation. But as we saw with state-supported terrorism, there is a grey area: The May 2007 cyber attack on the small Baltic nation Estonia was one of the first examples of a seemingly public/private offensive launched against a nation state.
Estonia was attacked after the Tallinn government decided to remove a Soviet-era war memorial from the center of their capital city to a cemetery on the outskirts. Russia considered this an outrage against the memories of the Red Army forces that had driven out the Nazis in 1944; the Estonians have a different attitude towards those events.
Speaking at a conference on Cyberwar last September, the President of Estonia explained that "The DDOS (Distributed Denial Of Service) attacks, though not technically very complex, were of great significance, ... They were intended to create social unrest ... They were clearly organized ... As the Estonian CERT (Computer Emergency Response Team) graph of the DDOS attack showed, they stopped at exactly 2400 GMT at the end of May 9th." When asked how this was possible, the head of the Estonian CERT answered, "I guess the money ran out."
Experts speculate that the Kremlin hired a gang of cyber criminals to carry out the attack. They used one, or probably more, botnets infected with software that allowed the gang to use them. Hacking and the use of botnets for DDOS seem to be the primary cyberweapons, at least so far.
It may be significant that we have not yet seen any effective use of cyber-sabotage by any of America's potential foes. This may be due to the reluctance of civilian targets to publicly discuss such events, but it may also be because this has not happened. One has to wonder if these attacks are harder to carry out than had been feared.
Alternatively, the attacks that have been carried out might be analogous to the old Army tactic called "reconnaissance by fire," in which a unit opens fire on suspected enemy positions in the hope that any response will expose their real positions. The attacks on the Defense Department's networks are not only a massive effort to locate weaknesses, but are also a way to force the US military to use, and thus expose, its defensive techniques.
The massive attacks may also serve a diversionary purpose, the goal of which is to push the defense to concentrate its efforts on one area while the most important activity takes place somewhere else -- which has been particularly effective in hiding espionage programs. Repeatedly, US industry has failed to effectively protect its secrets and intellectual property against cyber spies. The relentless, untiring nature of cyber attacks and cyber spying is more than a match for fallible human computer-security experts.
The US military fears that its unclassified networks, especially those connected to its unsecured communications and logistical support systems, will be subject to very large-scale and debilitating DDOS attacks in any future conflict. But the Defense Department, as far as we know, is far more confident in the ability of its classified systems to withstand an all-out attack.
Perhaps the greatest danger is the introduction of hidden programs inside microchips and other devices that, when activated, will destroy or degrade the weapons and other military systems which use them. As so many of these devices are made overseas, it is hard to know if they have been tampered with. This is what gives military leaders nightmares. In recent years the Pentagon has put considerable resources into finding ways of detecting and neutralizing these programs. As of now there are no reliable reports of their successes or failures.
Back in March, the Obama administration promised to appoint a Cyberczar to supervise America's complex set of cyber-security institutions. Reports, which may or may not be reliable, claim that there is a nasty fight going on inside the White House between the National Security Council, the Economic Team and the Political Team over this appointment. Meanwhile Melissa Hathaway, who had been the President's Cyber Director, resigned in August; so far, no one has been named to replace her.
The US military has the most to lose if the administration cannot come up with an individual who is both effective and respected to fill the post. The Air Force, which has taken a lead role in cyber operations, is already suffering from a "span of command" problem. As an institution, it is trying to do too much with too few resources. Secretary of Defense Robert Gates should take advantage of the new cyber-command, scheduled to be activated this month, to turn it into a truly national military organization. It should be independent of service loyalties, with its own budget and career cadre.
In the 1993 book The Mesh and the Net, published by the National Defense University Press, its author, Martin Libicki, looked at the influence on future warfare of the information technologies of that era. He estimated that "... most elements of the new battlefield will arrive by 2010, exactly when every aspect appears and is demonstrated will depend on who is fighting whom and where." He was, as the British say, "spot on." He went on to propose a new institution: "The basic argument for a separate Information Corps, and an associated command structure linking operations and intelligence, is that it would facilitate joint operations, promote the information revolution in warfare, unify the disparate information elements and give them an identity, create a common ethos for information warriors, and provide a unified interface with civilian information infrastructures."
This was a good idea then; it is an even better idea today.