Abu Muqawama retains its autonomy and the views and beliefs expressed within the blog do not reflect those of CNAS. Abu Muqawama retains the right to delete comments that include words that incite violence; are predatory, hateful, or intended to intimidate or harass; or degrade people on the basis of gender, race, class, ethnicity, national origin, religion, sexual orientation, or disability. In summary, don't be a jerk.
Military cyberpower is everywhere in the news. But it is also still tremendously invisible. Take Misha Glenny's recent op-ed, "Stuxnet Will Come Back to Haunt Us":
THE decision by the United States and Israel to develop and then deploy the Stuxnet computer worm against an Iranian nuclear facility late in George W. Bush’s presidency marked a significant and dangerous turning point in the gradual militarization of the Internet. Washington has begun to cross the Rubicon. If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory.
The phrase "militarization of the Internet" does not seem to mesh with the fact that military-funded research played a major role in developing the Internet. To go back even further, Alan Turing and Norbert Wiener, two monumental figures in the history of computing and robotics, were originally World War II-era military researchers in cryptography and command and control. We owe ubiquitous location-based mobile services, one of the drivers of today's emerging "post-PC" information ecosystem, to global positioning systems---also a military invention. It is good that most of what we associate with cyberspace can be exploited as public goods, but computing and information technologies have always been strongly associated with military command and control, targeting, and weaponry.
Glenny's focus on the Internet is part of a common fixation on the Internet as cyberspace, when in fact cyberspace is actually something far larger. As the National Defense University iCollege's Samuel Liles and Dan Kuehl have both argued, the invention of the "Victorian Internet" in the form of the telegraph and its order-of-magnitude improvement in military command and control marks the real beginning of military cyberpower. Cyberspace is, as Kuehl has written, a global domain within the information environment whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, exchange, and exploit information via interdependent and interconnected networks using information-communication technologies. The Internet is certainly part of cyberspace, but there was cyberspace long before anyone began to seriously discuss the idea of computer network operations. As Bob Gourley tweeted, superior American exploitation of cyberpower won the Battle of the Atlantic in World War II and exposed the Zimmermann Telegram in World War I.
Stuxnet itself is a curious candidate when one looks for a point at which a Rubicon has been crossed that would fundamentally change contemporary warfare. Stuxnet targeted centrifuges rather than human beings. Yet, the United States military uses cyberspace for instrumentally lethal military purposes every day. Drones? They operate on the network, which is part of cyberspace. The Tomahawks we lob at Yemen? And so on and so on. We based the Offset Strategy on the idea that we could exploit superior computing technologies to engineer conventional weapons with superior combat effectiveness against Soviet second echelons--weapons that would obviate the need for tactical nuclear weapons to compensate for raw Warsaw Pact armor. To focus on computer network attacks alone is to ignore the massive structure of military power and coercion built around cyberspace and how crucial it has been to warfare for decades. Cyberspace has been one of the many drivers behind US military hegemony, a fact that has not been lost on aspiring military competitors. Just like focusing on remotely piloted aircraft as uniquely dangerous weapons of war renders invisible the fact that manned aircraft are the actual "grunts" of the targeted killing missions, regarding Stuxnet as uniquely horrible is only possible if other, more substantial, military uses of cyberpower are normalized.
There is a tremendous need to conceptualize cyberspace as a kind of pristine, Edenic realm corrupted by the Satan's Apple of Stuxnet. Just like space, cyberspace is seen as a zone that is beyond--or should be beyond--geopolitics. But space began with explicitly military origins and military spacepower facilitates Earthbound military operations. Operational domains have always been zones of conflict and contestation. Glenny's use of the phrases "monster" and "come home to roost" in his op-ed also reveals a framing of Stuxnet as a Frankenstein narrative, a kind of cyber version of the karmic theories of foreign policy and strategy Dan has criticized. But military cyberpower is not a monster cooked up by a mad scientist in a dreary castle, and "coming home to roost" is a phrase that implies a kind of divine retribution more appropriate for an Old Testament prophecy than a security assessment.
Glenny's implicit comparison between a stable world of nuclear weapons and an unpredictable world of "advanced cyberwar" is also interesting because those nuclear weapons were part of a global American military command and control network enabled by exploitation of cyberspace. And in comparison to nuclear weapons, Stuxnet only inflicted kinetic damage on the target--the Iranian nuclear program. As Thomas Rid observes, the collateral infections of other computers commonly cited in analysis of Stuxnet were not actually damaging:
Cyber-weapons with aggressive infection strategies built-in, a popular argument goes, are bound to create uncontrollable collateral damage. The underlying image is that of a virus escaping from the lab to cause an unwanted pandemic. But this comparison is misleading. Stuxnet infected more than 100,000 Windows hosts to increase the chances of reaching the targeted system – yet the worm did not create any damage on these computers. In the known cases of sophisticated cyber-weapons, collateral infections did not mean inadvertent collateral damage.
Glenny worries that Stuxnet and Flame will precipitate constant penetrations of networks in order to gain target intelligence for attacks during the initial period of war, but somehow has missed the fact that this has been a basic element of Chinese and Russian military doctrines for some time. The phrase "Advanced Persistent Threat" is commonly used as a euphemism for nation-state attackers seeking to conduct "long-range cyber recon" of United States military and defense networks to steal military secrets and develop a better understanding of their dynamics and vulnerabilities. And the United States has not been the only victim of long-range cyber recon, and the Chinese and the Russians are far from the only culprits. Glenny worries that Stuxnet will prompt nation-states to develop cyber weapons and use them, but neglects to provide strategic rationales or scenarios for such development and use. South Korea, for example, is developing cyber capabilities to deal with the North's development of computer network and electronic warfare capabilities. Cyberpower is an outgrowth of the South's existing national security policy rather than a special effort somehow prompted by the use of Stuxnet and Flame.
Military cyberpower, once invisible to all but a few defense specialists, is slowly becoming visible. In some ways the current wave of commentary on Stuxnet is simply a delayed reaction to what should have been apparent once the electromagnetic spectrum was utilized by Abraham Lincoln to command the American Civil War: a new operational domain has military as well as civilian purposes. The civilian use of cyberspace, like the civilian use of the ocean or space, provides commercial and cultural value, but there is also a power-political context that simply cannot be wished away.
Update: Mike Tanji wrote a far more concise (and hilarious) critique of the op-ed here.
Though you are correct in your assertion that there exists an overlap of purpose in the war-fighting environments (e.g. the utilization of cyberspace for civilian purposes), your argument falters, as it misses the primary consequence of the militarization of any domain - by crossing the Rubicon in the absence of international norms or treaties, the United States (or any nation, non-state actor, etc) invites reciprocating actions that may neither be proportional nor limited to military targets solely. This is an especially dangerous proposition for the U.S., in which there is an "asymmetry of use" of cyberspace in comparison to other states (i.e. the U.S. is wholly dependent upon cyberspace and the infrastructure of the Internet for proper functioning). Additionally, your analogy to Lincoln's use of the telegraph and injection of Gourley's tweet to support your argument that computer network operations are not necessarily a new phenomenon do not adequately reflect the contemporary operating environment. Lincoln had dedicated telegraph lines strung from the White House to the battlefields. Any destruction or disruption to these lines simply affected his ability for command and control. The severing of undersea fiber optic cables (even only if accidentally) affects millions of users (both government and civilian alike).
One final point. Though STUXNET did not manifest physical damage to 100,000 Windows hosts, this does not imply a lack of collateral damage. The productivity losses and economic damages required to "treat" infected systems, though probably never accurately quantified, were no doubt damaging. Keep in mind that the primary purpose of a weapon system is not to destroy, but rather alter the dynamics of the battlefield and elicit a change in the mind of decision-makers.
Tanji's a hoot for sure. But to the point... Just over a decade ago, when I participated in the first NIE on the cyber threat to the US, I was fairly sure that the "best and brightest" in cyberspace did NOT work for governments. I recall arguing hard on that point, but I don't think Larry Gershwin put it into the KJs. I've been out of the intelligence business for 8 years, & have no way to judge whether that supposition might still be valid.
Coopertrooper, I will reply line-by-line.
"Though you are correct in your assertion that there exists an overlap of purpose in the war-fighting environments (e.g. the utilization of cyberspace for civilian purposes), your argument falters, as it misses the primary consequence of the militarization of any domain - by crossing the Rubicon in the absence of international norms or treaties, the United States (or any nation, non-state actor, etc) invites reciprocating actions that may neither be proportional nor limited to military targets solely."
This misses the point. How can cyberspace be "militarized" if it came into being in large part as a DARPA effort? How is the use of cyberspace, say, to drop a PGM not "militarized?" The Chinese and Russians certainly think so. Foreign policy is also not karma. Reciprocal actions happen because of self-interest or political purpose, rather than a sense of shock and horror that the United States executed a computer network attack. The United States has plenty of tools to respond to cyber attacks against civilian infrastructure, and attribution is an issue in the shady world of cybercrime and espionage but not necessarily within the framework of operational cyberwarfare--where the adversary uses force for political purposes. The fact that Stuxnet was a covert operation also casts strong doubt on the idea that cyber treaties can deliver "no more Stuxnets."
"This is an especially dangerous proposition for the U.S., in which there is an "asymmetry of use" of cyberspace in comparison to other states (i.e. the U.S. is wholly dependent upon cyberspace and the infrastructure of the Internet for proper functioning). Additionally, your analogy to Lincoln's use of the telegraph and injection of Gourley's tweet to support your argument that computer network operations are not necessarily a new phenomenon do not adequately reflect the contemporary operating environment. Lincoln had dedicated telegraph lines strung from the White House to the battlefields. Any destruction or disruption to these lines simply affected his ability for command and control. The severing of undersea fiber optic cables (even only if accidentally) affects millions of users (both government and civilian alike)."
I did not say that computer network operations were nothing new--they are. Rather, cyberpower is not new. It has been a part of the contemporary operating environment for close to 200 years. Its role within the information domain has certainly increased, but different evolutions of cyberspace matter. Again, this is the problem of arguing that the Internet = cyberspace. The Internet is an important part of cyberspace, but does not equal its entirety. There is not an asymmetry of use--most of the developed and developing world relies on some form of cyberspace. The statement that the United States is *wholly* dependent on cyberspace and that attacks would be catastrophic is also belied by research by scholars such as Sean Lawson: (http://mercatus.org/publication/beyond-cyber-doom).
"One final point. Though STUXNET did not manifest physical damage to 100,000 Windows hosts, this does not imply a lack of collateral damage. The productivity losses and economic damages required to "treat" infected systems, though probably never accurately quantified, were no doubt damaging. Keep in mind that the primary purpose of a weapon system is not to destroy, but rather alter the dynamics of the battlefield and elicit a change in the mind of decision-makers."
Collateral damage in war as we understand it is a matter of lives lost and homes demolished. What you are describing is cyber *hassle* not cyber *warfare*. Economic losses are a problem for sure, but we have a long 20th century history of infrastructure attacks in total war conditions to measure against--and those attacks were certainly not decisive.
Ralph,
Tanji is one of the few things that keeps me sane. Too much hype and fearmongering.
Hmmmmm.... How about a different angle? How about unregulated military technology as an enabler for crime? Every yahoo who has taken a semi-auto rifle with a large-capacity magazine and wreaked havoc has taken something whose technology was developed in response to military need but which has been repurposed to a criminal act. Weapons like stuxnet provide a technology bonanza for criminals.
The issue would seem to be that arms sales are regulated, but weapons like stuxnet have their code freely published. Our government requires private citizens to register their weapons purchases but allows a free market in zero-day exploits:
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-d...
So, the current environment reminds me of the early days of machine guns and silencers in America – ripe for a Valentines Day massacre (a la a cyber weapon that inflicts real-world harm like taking down a large power grid) that will provide the impetus for government regulation.
Visitor 1:23,
That is actually a much more productive line of inquiry. The problem is that these kinds of markets, although much more professionalized than they used to be, are also not exactly new. We should be skeptical of government ability to truly regulate such a market, considering that code markets defy many of the monitoring tools we typically use in arms control arrangements (for example, national technical means).
There are enough existing zero-days sitting around (because of private industry's lack of interest in doing anything) to provide a lot of material for use by criminals, terrorists, or nation-state attackers. It is possible a criminal could extort in the manner that Enron did with California (selective brownouts). But whether or not the attack would be operationally profitable depends on a host of features. Recommend this paper on more: http://www.au.af.mil/au/ssq/2011/spring/libicki.pdf
You are contradicting yourself...first you say that cyberspace came into being as part of the larger DARPA effort, but then you mention that cyberpower has been around for close to 200 years. By virtue of this, you are implying that cyberspace is a purely man-made domain, and that employment of the electromagnetic spectrum equates to cyberpower. How can a particular type of power be employed if one lacks access (or in this case, the domain has yet to be developed) to a warfighting environment? Obviously, this is a semantic argument over your use of the "cyber" modifier, but highlights the importance of making distinctions of what constitutes computer network operations and signals intelligence.
As an aside, though it was DARPA that established the first useful computer networks, the infrastructure (i.e. copper wires, switching stations, and relays) was purely commercial (basically, DARPAnet constituted a really long phone call in which the information exchange medium was data vice voice). So yes, fiber optic cables, satellites, microwave transmitters and receivers can be militarized. Unfortunately, the U.S. has adopted a laissez-faire approach to cyber-security and defense - the majority of critical infrastructure (to include transmission mediums) are privately owned and operated, and business lacks incentives to combat national security risks. Though the U.S. has the luxury of selecting methods to respond to cyber-attack, one cannot argue strongly that critical infrastructure is adequately protected. Even if the potential for a catastrophic cyberattack is currently low, a business as usual approach will surely invite a calamity in the future. Although the development and implementation of any treaty presents its own challenges, the steps taken to initiate some measure of international cooperation would be worthwhile for their norm setting value.
I suggest a read of Joint Pub 1-02, DoD Dictionary of Military and Associated Terms; collateral damage = Unintentional or incidental injury or damage to persons or objects that would not be lawful military targets in the circumstances ruling at the time. In the STUXNET example, I would say that the unintentional infection of computer systems that were not targets constitutes collateral damage.
Another aside - "Economic losses are a problem for sure, but we have a long 20th century history of infrastructure attacks in total war conditions to measure against." I agree that attacks on infrastructure conducted during WWII were not sufficient to break the will of the belligerents, but I don't think that "we have a long 20th century history." WWII is the only instance of total war that fits our discussion.
Coopertrooper,
The contradiction is wholly unintentional and due to a typo. Blogging can sometimes create *mental* system errors. I did not mean to say "cyberspace" when referring to the DARPA efforts. Of course, it is a simplification to say that the military created the global Internet (just like the infamous "Al Gore created the Internets"), which is why I didn't--my wording says it played a major role. I don't think cyberspace is a wholly man-made domain for reasons I have already stated. I have also always made distinctions between computer network operations, signals intelligence, and other uses of military cyberspace. But they are all military uses of the wider infrastructure of cyberspace, most of which people are dimly aware of. It doesn't quite make sense to argue that use of kinetic CNO represents a militarization of cyberspace, just as a potential anti-sat weapon is only one small part of the overall military usage of outer space.
Some have argued that the real US interest in CNO has always been within the context of augmenting US military advantages and trying to deal with adversary recon-strike complexes rather than symmetrical responses to adversary CNO/CNE. I hew to the definition of cyberspace laid out by Daniel Kuehl here and think it is the most useful. http://www.amazon.com/Cyberpower-National-Security-Defense-University/dp.... Obviously, the US would likely get better money spending on the margin on critical infrastructure protection than CNO weapons for covert operations or for near-term military scenarios that its other arms of conventional power already grant substantial advantage. But if the Sanger account is to be believed (and it is also kind of dodgy), a policy decision was made to forestall Israeli and other responses that would have been substantially more lethal. I am not sold on the idea that the Israelis would have launched an airstrike. But it may have done other things that could have been regionally destabilizing, to say nothing of other actors (Saudis, Kuwaitis). We can agree or disagree with the policy judgment, but it was not unequivocally bad or easy to make (like invasion of Iraq).
Nowhere have I written that critical infrastructure protection is not a significant problem. As a friend put it to me on Facebook yesterday, it is equivalent to running a private air force/missile system instead of the SAGE system during the Cold War while devoting resources to the government-operated Strategic Air Command for offense. But, just as the United States never adopted a European-style General Staff system, it is also a manifestation of American political culture. Will the US change? That remains to be seen. Norms and cooperation also depend on where one sits. Great powers have different reasons for either not wanting to participate in such a process or twisting it to their advantage--as the Russian and Chinese pursuit of ITU management reveals. Glenny's op-ed is set within a Cold War framework that assumes malware and zero-day exploits can be regulated in a manner similar to nuclear weapons, which Mike Tanji and others have dismantled elsewhere.
Moreover, CNO, unlike electronic warfare, does not simply cause something to stop working. Rather, it utilizes the very system it infects to create desired effects. The desired effect in question was directed entirely at the target. "Damage" or "injury" are terms that do not mesh well with something that did not even disrupt the functioning of the infected devices in question. If this is collateral damage, and it is by no means legally clear at present (and hopefully the Tallinn Code will clear up LOAC on this issue), information hygiene treatment for infected code makes it of an extremely trivial nature relative to most other weapons in military history.
WWII was not the only instance of total war in the 20th century. It was certainly the most destructive, but there were others (Iran-Iraq War, for one), but they mostly occurred in the Third World. The beauty of the Lawson monograph is that it also looks at the history of disaster response and empirical research in that field too.
Visitor on June 25, 2012 - 1:23pm
So, the current environment reminds me of the early days of machine guns and silencers in America – ripe for a Valentines Day massacre (VDM)(a la a cyber weapon that inflicts real-world harm like taking down a large power grid) that will provide the impetus for government regulation.
Visitor, the problem with your analogy is after about 80 years of draconian regulation many people have no clue or are still using the existence of firearms as cause for fear of a VDM. What you speak of was first regulated by the Supreme Court in 1934 creating the NFA http://en.wikipedia.org/wiki/National_Firearms_Act . Law after law has been layered on top of that subject. In 1986 the manufacture of machine guns for civilian transfer was banned by the NRA and Ronald Reagan themselves. Reagan signed the legislation while the NRA looked away. To own a machine gun today (it is a fixed population predating 1986) in the US of A an individual has to go through multiple background checks and fingerprinting at both the local LE level and FBI. Usually, but not always, local LE does a walk through inspection of the premises where the firearm will be stored to ensure security. Transport of the firearm across state lines is only allowed by permission by the BATF (form 5320, http://www.atf.gov/forms/download/atf-f-5320-20.pdf ), routes, timelines, and point-to-point destination are documented for approval. There is a transfer tax each time the firearm changes hands, once to the individual and again away (the only way not to pay the second time is to die and will the firearm to an heir). Icing on the cake is when you have been fingerprinted, inspected, background check (to the level of a security clearance by local LE and again by FBI), at the end of the process the purchaser still has to fill out a 4473 (http://www.atf.gov/forms/download/atf-f-4473-sp.pdf , yes you can ask for one in English if you are not participating in Operation Fast and Furious) and be run through NICS!
Today a transferable M240 is $275,000. Transferable AK47 is $17,000. The gun that started it all, the 1921 Thompson Sub machine gun costs in the range of $75-100,000. The guns that did the VDM are priceless museum pieces, if they ever came to market they would fetch a load of cash. Got that spare change in your pocket?
We still have people in our society that think transferable machine guns will cause a VDM ! Who in the F*ck is going to go through all that paperwork to be stupid? They can buy the bank, not rob it.
Move to Libya and the AK47s are free, green stamps are redeemable in RPGs. Hillary Clinton made it so and she is working on another generation of free ownership in Syria.
Elkus is taking a long-winded approach to saying that today's technology has matured. Programming is taught and the secret propagates itself. No amount of regulation will end bad behavior because people will always find a way to be stupid.
There is a whole defense contractor industry that is going to wrap itself around the problem for a profit.
The Lobby will be enriched and tomorrow it will require more because the old technology changed.
Really all this is meaningless.
First strikes for major powers will be on the communication structure, all your communications defense will be pointless. An insurgency is not going to destroy cyberspace because they need a mouthpiece.
I am waiting for the Credit and Debt Card Companies to realize people will find out that their system has no security, never did. Secure online banking is an oxymoron when a virus can record your key strokes.
Visitor 8:17 am,
That is right re: bad behavior---and Tanji gets at it better than me in the linked post.
In some future posts I'll expand more on this as well as some specific scenarios.