The cyberwar plan, not just a defensive game

In May 2007, President Bush authorized the National Security Agency, based at Fort Meade, Md., to launch a sophisticated attack on an enemy thousands of miles away without firing a bullet or dropping a bomb.

At the request of his national intelligence director, Bush ordered an NSA cyberattack on the cellular phones and computers that insurgents in Iraq were using to plan roadside bombings. The devices allowed the fighters to coordinate their strikes and, later, post videos of the attacks on the Internet to recruit followers. According to a former senior administration official who was present at an Oval Office meeting when the president authorized the attack, the operation helped U.S. forces to commandeer the Iraqi fighters'

communications system. With this capability, the Americans could deceive their adversaries with false information, including messages to lead unwitting insurgents into the fire of waiting U.S. soldiers.

Former officials with knowledge of the computer network attack, all of whom requested anonymity when discussing intelligence techniques, said that the operation helped turn the tide of the war. Even more than the thousands of additional ground troops that Bush ordered to Iraq as part of the 2007 "surge," they credit the cyberattacks with allowing military planners to track and kill some of the most influential insurgents. The cyber-intelligence augmented information coming in from unmanned aerial drones as well as an expanding network of human spies. A Pentagon spokesman declined to discuss the operation.

Bush's authorization of "information warfare," a broad term that encompasses computerized attacks, has been previously reported by National Journal and other publications. But the details of specific operations that specially trained digital warriors waged through cyberspace aren't widely known, nor has the turnaround in the Iraq ground war been directly attributed to the cyber campaign. The reason that cyber techniques weren't used earlier may have to do with the military's long-held fear that such warfare can quickly spiral out of control. Indeed, in the months before the U.S. invasion of Iraq in March 2003, military planners considered a computerized attack to disable the networks that controlled Iraq's banking system, but they backed off when they realized that those networks were global and connected to banks in France.

By early 2007, however, two senior officials with experience and faith in the power of cyber-warfare to discretely target an adversary stepped into top military and intelligence posts. Mike McConnell, a former director of the National Security Agency, took over as director of national intelligence in February of that year. And only weeks earlier, Army Gen. David Petraeus became the commander of all allied forces in Iraq. McConnell, who presented the request to Bush in the May 2007 Oval Office meeting, had established the first information warfare center at the NSA in the mid-1990s. Petraeus, a devotee of counterinsurgency doctrine, believed that cyberwar would play a crucial role in the strategy he had planned as part of the surge. In September 2007, the general told Congress, "This war is not only being fought on the ground in Iraq but also in cyberspace."

Some journalists have obliquely described the effectiveness of computerized warfare against the insurgents. In The War Within, investigative reporter Bob Woodward reports that the United States employed "a series of top-secret operations that enable [military and intelligence agencies] to locate, target, and kill key individuals in extremist groups such as Al Qaeda, the Sunni insurgency, and renegade Shia militias. ... " The former senior administration official said that the actions taken after Bush's May 2007 order were the same ones to which Woodward referred. (At the request of military and White House officials, Woodward withheld "details or the code word names associated with these groundbreaking programs.")

Woodward wrote that the programs began "in about May 2006." But the former administration official emphasized that the specific operations that turned the advantage back to U.S. forces came a year later. Published reports suggest that military commanders were eyeing cyber-warfare techniques in advance of Bush's 2007 order. In an October 2005 article in Aviation Week & Space Technology, reporter David Fulghum noted, "Computer network attack and exploitation... are also now the primary tools in combating what senior U.S. Army officials identify as their No. 1 target -- the wireless communications networks used by insurgents and terrorists."

In 2005, military planners focused their efforts largely on sensors that could intercept wireless signals in the combat zone, not on the penetration of the cellular phone network itself. Pursuing the latter would be a far more ambitious and riskier maneuver that, by law, would require presidential authorization. It would also call upon the secret skills of the NSA's com-puter hackers.

The lessons of the 2007 cyberwar are instructive today, as the director of the NSA, Army Lt. Gen. Keith Alexander, is expected to take over the Defense Department's new Cyber Command. The command will be the vanguard of the Obama administration's cyberwar efforts, as well as the front-line defender of military computer networks. U.S. networks, like those of the Iraqi fighters, are also vulnerable to outside attack, and an increasing number of penetrations over the past two years have led Defense officials to put cyber-security at the top of their agenda.

Cyber-defenders know what to prepare themselves for because the United States has used the kinds of weapons that now target the Pentagon, federal agencies, and American corporations. They are designed to steal information, disrupt communications, and commandeer computer systems. The U.S. is forming a cyberwar plan based largely on the experience of intelligence agencies and military operations. It is still in nascent stages, but it is likely to support the conduct of conventional war for generations to come. Some believe it may even become the dominant force.

A New Way Of War

Senior military leaders didn't come of age in a digital world, and they've been skeptical of computerized attacks. Mostly younger officers, who received their early combat education through video games and Dungeons & Dragons, wage these battles. To them, digital weapons are as familiar and useful as rifles and grenades.

Over the past few years, however, the cyber-cohort has gained influence among the ranks of military strategists, thanks in large part to the ascendancy of Gen. Petraeus. The man widely credited with rescuing the U.S. mission in Iraq is also a devotee of "information operations," a broad military doctrine that calls for defeating an enemy through deception and intimidation, or by impairing its ability to make decisions and understand the battlefield. In past conflicts, the military has jammed enemy communication systems with electromagnetic waves or dropped ominous leaflets from planes warning enemy forces of imminent destruction. Today, cyber-warriors use the global telecommunications network to commandeer an adversary's phones or shut down its Web servers. This activity is a natural evolution of the information war doctrine, and Petraeus has elevated its esteem.

Computerized tools to penetrate an enemy's phone system are only one part of the cyberwar arsenal. And they are perhaps the least worrisome. Alarmed national security officials, and the president himself, are paying more attention than ever to devastating computer viruses and malicious software programs that can disable electrical power systems, corrupt financial data, or hijack air traffic control systems. In 2007, after McConnell got Bush's sign-off for the cyber campaign in Iraq, he warned the president that the United States was vulnerable to such attacks.

Then-Treasury Secretary Henry Paulson Jr., who was present at the meeting, painted a chilling scenario for Bush. He said that in his former position as the CEO of Goldman Sachs, his biggest fear was that someone would gain access to the networks of a major financial institution and alter or corrupt its data. Imagine banks unable to reconcile transactions and stock exchanges powerless to close trades. Confidence in data, Paulson explained, supported the entire financial system. Without it, the system would collapse.

The following year, when a lack of confidence in the accuracy of Bear Stearns's accounts threatened to bring down that major bank, McConnell tried to use the experience as a teaching opportunity. He privately warned other senior administration officials that a cyberattack could cause the same painful consequences, and he began studying what an attack on the system that clears market trades might look like. According to The New York Times, officials were halfway through their research when the credit markets froze. A senior intelligence official remarked, "We looked at each other and said, 'Our market collapse has just given every cyber-warrior out there a playbook.' "

Bush's response to cyber-threats took the form of a multibillion-dollar defense plan, known as the Comprehensive National Cybersecurity Initiative. In its initial stages, the plan was classified, and critics later complained that the administration had cut itself off from valuable expertise and debate. But according to McConnell, who spoke about the initiative at a recent panel discussion at the International Spy Museum in Washington, the initiative was classified because it involved an "attack," or offensive, component.

McConnell, an authority on cyberwar, chose his words deliberately, and it was a telling admission. "Computer network attack" is a technical term, describing an action designed to cause real-world consequences for an adversary -- such as those that Paulson and McConnell warned the president about in the Oval Office, and such as those that the U.S. used in Iraq. The United States' cyber strategy, in other words, encompassed defensive tactics and an offensive plan. The Obama administration inherited the CNCI and has enhanced it with the creation of a national cyber-security coordinator, a White House official who is supposed to ensure that the defensive and offensive sides work together.

Cyber-Forces Already Deployed

As the White House vets candidates for the "cyber-czar" post, the military and intelligence agencies are honing their cyber skills and have already marshaled their forces.

"We have U.S. warriors in cyberspace that are deployed overseas and are in direct contact with adversaries overseas," said Bob Gourley, who was the chief technology officer for the Defense Intelligence Agency and is a board member of the Cyber Conflict Studies Association. These experts "live in adversary networks," Gourley said, conducting reconnaissance on foreign countries without exchanging salvos of destructive computer commands. "Like two ships in the same waters, aware of each other's presences, it doesn't mean they're bumping or firing on each other."

President Obama confirmed that cyber-warriors have aimed at American networks. "We know that cyber-intruders have probed our electrical grid," he said at the White House in May, when he unveiled the next stage of the national cyber-security strategy. The president also confirmed, for the first time, that the weapons of cyberwar had claimed victims. "In other countries, cyberattacks have plunged entire cities into darkness."

With every attack, network defenders learn new techniques, which in turn make them better warriors. If they are fortunate enough to capture the weapon itself, they can pick apart its command codes -- its digital DNA -- and appropriate them. "You can analyze the attack code, change it, and then use it or counter the next attack," said Dave Marcus, the director of security research and communications for McAfee Labs, which dissects cyber-threats for government agencies.

The same expertise required to build a virus or an attack program to knock down an opponent's firewall can be put to work building more-sophisticated virus detection systems and stronger firewalls. "Our defense is informed by our offense," Gourley said.

Because the United States has studied how attacks are waged, "we certainly would know how to cause these effects," said Sami Saydjari, the president and founder of the Cyber Defense Agency, a private security company, and a former Defense Department employee. "If the president gave an order, we'd have cadres of people who'd know how to do that."

The Man-Made Battlefield

Military officers describe cyberspace as the fifth domain of war, after land, sea, air, and space. But cyberspace is unique in one important respect -- it's the only battlefield created by humans.

"We have invented this, and it cuts across those other four," said retired Air Force Lt. Gen. Harry Raduege, who ran the Defense Information Systems Agency from 2000 to 2005. He was responsible for the defense and operation of the Pentagon's global information network. "Cyberspace has no boundaries," Raduege said. "It's just everywhere, and it permeates everything we do.... We continue to improve our capabilities, but so do the adversaries."

No nation dominates the cyber-battlefield today. "Military forces fight for the ownership of that domain," said Matt Stern, a retired lieutenant colonel who commanded the Army's 2nd Information Operations Battalion and who now works in the private sector as the director of cyber accounts for General Dynamics Advanced Information Systems. "But because of the ubiquitous nature of cyberspace -- and anyone's ability to access it -- military forces must not only contend with the threats within their operational environment, they must also fight against threats in cyberspace that are global in nature."

Cyberspace is also the domain that, as of now, the United States stands the greatest chance of ceding to another nation. In July, an independent study of the overall federal cyber-workforce described it as fragmented and understaffed. The study blamed a hiring process that takes too long to vet security clearances, low salaries, and the lack of a unified hiring strategy. "You can't win the cyberwar if you don't win the war for talent," said Max Stier, the president of the Partnership for Public Service, an advocacy group that helped write the study. The co-author was Booz Allen Hamilton, the government contracting firm where former intelligence Director McConnell now runs the cyber-security business.

The Defense Department graduates only about 80 students per year from schools devoted to teaching cyber-warfare. Defense Secretary Robert Gates has said that the military is "desperately short" of cyber-warriors and that the Pentagon wants four times as many graduates to move through its teaching programs over the next two years.

That will be difficult, considering that the military and intelligence agencies compete directly with industry for top talent. Beltway contractors have been on a hiring spree ever since the Bush administration began the comprehensive cyber-security plan. Raytheon, which has assisted Pentagon special-operations forces using advanced cyber-technology, posted an ad to its website earlier this year titled "Cyber Warriors Wanted." The company announced 250 open positions -- more than three times as many as the Defense Department is moving through its education programs.

Despite a relative shortage of skilled warriors, the military services have charged vigorously into cyberspace. The Army, Navy, Air Force, and Marines all have their own cyber-operations groups, which handle defense and offense, and they've competed with one another to control the military's overall strategy. It now appears that the individual service components will report to the new Cyber Command, which will be led by a four-star general. (NSA Director Alexander, the presumptive candidate, has three stars, and his promotion would require the Senate's approval.)

The military may be organizing for a cyberwar, but it's uncertain how aggressive a posture it will take. Some have argued for creating an overt attack capability, the digital equivalent of a fleet of bombers or a battalion of tanks, to deter adversaries. In a 2008 article in Armed Forces Journal, Col. Charles Williamson III, a legal adviser for the Air Force Intelligence, Surveillance, and Reconnaissance Agency, proposed building a military "botnet," an army of centrally controlled computers to launch coordinated attacks on other machines. Williamson echoed a widely held concern among military officials that other nations are building up their cyber-forces more quickly. "America has no credible deterrent, and our adversaries prove it every day by attacking everywhere," he wrote. Williamson titled his essay, "Carpet Bombing in Cyberspace." Responding to critics who say that by building up its own offensive power, the United States risks starting a new arms race, Williamson said, "We are in one, and we are losing."

A Fight For First

Other experts concur that the United States cannot claim to be the world's dominant cyber-force. Kevin Coleman, a senior fellow with the security firm Technolytics and the former chief strategist for the Web pioneer Netscape, said that China's and Russia's abilities to defend and attack are just as good as America's. "Basically, it's a three-way tie for first."

China has proved its prowess largely by stealing information from U.S. officials and corporate executives. Last year, the head of counterintelligence for the government told National Journal that Chinese cyber-spies routinely pilfer strategy information from American businesspeople in advance of their meetings in China. And a computer security expert who consults for the government said that during a trip to Beijing in December 2007, U.S. intelligence officials discovered spyware programs designed to clandestinely remove information from personal computers and other electronic equipment on devices used by Commerce Secretary Carlos Gutierrez and possibly other members of a U.S. trade delegation. (See NJ, 5/31/08, p. 16.)

But it is the Russian government that has done the most to stoke fears of a massive cyberwar between nations. Most experts believe that Russian sources launched a major attack in April 2007 against government, financial, and media networks in Estonia. It came on the heels of a controversy between Estonian and Russian officials over whether to move a statue honoring Soviet-era war dead. Estonia, one of the most "wired" nations on Earth, is highly dependent upon access to the Internet to conduct daily business, and the cyberattack was crippling.

A year later, many security experts accused Moscow of launching a cyberattack on Georgia as conventional Russian military forces poured into the country. The assault was aimed at the Georgian centers of official command and public communication, including websites for the Georgian president and a major TV network.

The suspected Russian attacks startled military and civilian cyber-experts around the globe because of their scale and brazenness. "Estonia was so interesting because it was the first time anyone ever saw an entire country knocked out," said Ed Amoroso, the chief security officer for AT&T. "The whole place is like a little mini-version of what our federal government has aspired to" in terms of conducting so much business online. "It scared the heck out of people."

The attacks also underscored one of the most befuddling aspects of cyberwar. Not all of the computers that attacked Estonia were in Russia. The machines, in fact, were scattered throughout 75 countries and were probably hijacked by a central master without their owners' knowledge. Many of the soldier-machines in this global botnet were in the United States, an Estonian ally. To launch a counteroffensive, Estonia would have had to attack American computers as well as those in other friendly countries.

On May 5 of this year, lawmakers on the House Armed Services Subcommittee on Terrorism and Unconventional Threats and Capabilities asked the NSA's Alexander whether the attacks on Estonia and Georgia met the definition of cyberwar. "On those, you're starting to get closer to what would be [considered war]," he said. "The problem you have there is who -- the attribution." Although it was obvious to most experts that the culprits were Russian, it's easy for attackers to mask their true location. The anonymity of the Internet provides many alibis. Furthermore, it's hard to know whether the Russian government committed the attack, hired cyber-mercenaries to do it, or simply looked the other way as patriotic hackers turned their sights on rival countries.

Over the Fourth of July weekend this year, a series of attacks struck websites used by the White House, the Homeland Security Department, the Secret Service, the NSA, and the State and Defense departments, as well as sites for the New York Stock Exchange and NASDAQ. The attacks also hit sites in South Korea, and suspicion immediately turned to North Korea. But again, the inability to attribute the source with certainty impeded any response. The attacks appear to have emanated from about 50,000 computers still infected with an old computer virus, which means that their owners probably had no idea they were participating in a cyber-offensive. Some of those machines were inside the United States, said Tom Conway, the director of federal business development for McAfee. "So what are you going to do, shoot yourself?"

Holding Fire

The pitfalls of cyberwar are one reason that the United States has been reluctant to engage in it. The U.S. conducted its first focused experiments with cyberattacks during the 1999 bombing of Yugoslavia, when it intervened to stop the slaughter of ethnic Albanians in Kosovo. An information operations cell was set up as part of the bombing campaign. The cell's mission was to penetrate the Serbian national air defense system, published accounts and knowledgeable officials said, and to make fake signals representing aircraft show up on Serbian screens. The false signals would have confused the Serbian response to the invasion and perhaps destroyed commanders' confidence in their own defenses.

According to a high-level military briefing that Federal Computer Week obtained in 1999, the cyber-operation "could have halved the length of the [air] campaign." Although "all the tools were in place ... only a few were used." The briefing concluded that the cyber-cell had "great people," but they were from the "wrong communities" and "too junior" to have much effect on the overall campaign. The cyber-soldiers were young outsiders, fighting a new kind of warfare that, even the briefing acknowledged, was "not yet understood."

War planners fear unleashing a cyber-weapon that could quickly escape their control, a former military officer experienced in computer network operations said. These fears hark back to the first encounter with a rampant Internet virus, in 1988. A Cornell University student named Robert Morris manufactured a program that was intended to measure the size of the Internet but ended up replicating itself massively, infecting machines connected to the network.

The military took a lesson from the so-called Morris worm, the former officer said. Only four years after the war in Yugoslavia, planners again held off on releasing a potentially virulent weapon against Iraq. In the plan to disable the Iraqi banking network in advance of the U.S. invasion, the Pentagon determined that it might also bring down French banks and that the contagion could spread to the United States.

"It turns out that their computer systems extend well outside Iraq," a senior Air Force official told Aviation Week & Space Technology in March 2003. "We're also finding out that Iraq didn't do a good job of partitioning between the military and civilian networks. Their telephone and Internet operations are all intertwined. Planners thought it would be easy to get into the military through the telephone system, but it's all mixed in with the civilian [traffic]. It's a mess." This official said that to penetrate the military systems, the United States would risk what planners began calling "collateral computer network attack damage."

Because of the widespread damage that cyber-weapons can cause, military and intelligence leaders seek presidential authorization to use them. "They're treated like nuclear weapons, so of course it takes presidential approval," the former military officer said. McConnell, the ex-intelligence director, has compared the era of cyberwar to "the atomic age" and said that a coordinated attack on a power grid or transportation or banking systems "could create damage as potentially great as a nuclear weapon over time."

Unlike atomic bombs, however, cyber-weapons aren't destroyed in the attack. "Once you introduce them to the battlefield, it's trivially easy for the other side to capture your artillery, as it were, and then use it against you if you're not already inoculated against it, and then against other friendlies," said Ed Skoudis, a co-founder of the research and consulting firm InGuardians and an instructor with the SANS Institute, which trains government employees in cyber-security.

The risk of losing control of a weapon provides a powerful incentive not to use it. But until a new computer virus is spotted in the wilds of the Internet, no one can be certain how to repel it. That gives every aggressor the advantage of surprise. "Why would you expect an adversary to lay their cards on the table until it counts?" said Tom McDermott, a former deputy director of information security at the NSA. "Why would you expect to have seen the bad stuff yet?"

The Case For Restraint

During his subcommittee testimony in May, Gen. Alexander was asked whether the United States needed the cyber-equivalent of the Monroe Doctrine, a set of clearly defined interests and the steps the government would take to protect them. Without offering any specific proposals, Alexander responded simply, "I do."

The Obama administration's former White House chief of cyber-security, Melissa Hathaway, has called for international cyberspace agreements. In a number of speeches in 2008 while still with the Bush administration, Hathaway proposed a Law of the Sea Treaty for the Internet, which, she said, is the backbone of global commerce and communications, just as the oceans were centuries ago.

The odds for a broad international framework aren't good, however. The Russian government has proposed a treaty limiting the use of cyber-weapons, but the State Department has rejected the idea, preferring to focus on improving defenses and prosecuting cyberattacks as crimes. Officials are also wary of any strategy by the Russian government to constrain other nations' ability to attack. In September, a panel of national security law experts convened by the American Bar Association and the National Strategy Forum, a Chicago-based research institute, concluded that the prospects for any multinational agreement are bleak. "The advantages of having a cyber-warfare capacity are simply too great for many international actors to abjure its benefits," the panel stated.

Students of cyberwar find parallels between the present day and the early 1960s, when the advent of intercontinental missiles ushered in not only the space age but also an arms race. Like outer space then, cyberspace is amorphous and opaque to most, and inspires as much awe as dread. In this historical analogy, experts have embraced a Cold War deterrent to prevent the cyber-Armageddon that military and intelligence officials have been warning about -- mutually assured destruction.

Presumably, China has no interest in crippling Wall Street, because it owns much of it. Russia should be reluctant to launch a cyberattack on the United States because, unlike Estonia or Georgia, the U.S. could fashion a response involving massive conventional force. The United States has already learned that it makes no sense to knock out an enemy's infrastructure if it disables an ally's, and possibly America's own. If nations begin attacking one another's power grids and banks, they will quickly exchange bombs and bullets. Presumably, U.S. war planners know that. And it may be the most compelling reason to keep their cyber-weapons sharp but use them sparingly.