Inside Cyber Warfare - Jeffrey Carr [8]
Increasing Awareness
The potential impact of attacks delivered in cyberspace has not always been as appreciated as it is today. As early as February 18, 2003, in an interview with PBS’s Frontline: Cyberwar!, noted expert James Lewis, director of the Center for Strategic and International Studies, said:
Some people actually believe that this stuff here that they’re playing with is equal, if not a bigger threat, than a dirty bomb. ... Nobody argues—or at least no sane person argues—that a cyber attack could lead to mass casualties. It’s not in any way comparable to weapons of mass destruction. In fact, what a lot of people call them is “weapons of mass annoyance.” If your power goes out for a couple hours, if somebody draws a mustache on Attorney General Ashcroft’s face on his website, it’s annoying. It’s irritating. But it’s not a weapon of mass destruction. The same is true for this.
Now contrast that statement with the following excerpt from “Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency” (issued December 2008), for which Mr. Lewis was the project director:
The Commission’s three major findings are: (1) cybersecurity is now a major national security problem for the United States; (2) decisions and actions must respect privacy and civil liberties; and (3) only a comprehensive national security strategy that embraces both the national and international aspects of cybersecurity will make us more secure.
That shows a significant difference of opinion on the part of Mr. Lewis in a relatively short period of time. Part of the reason for various respected individuals such as James Lewis to downplay the potential impact of cyber war is that past examples have not demonstrated any significant harm. Website defacements and extended downtime of a small country’s Internet access, while burdensome, have not resulted in human injuries.
Even in 2009, when there is little doubt remaining about the critical need to address cyber vulnerabilities, there are still voices of dissent such as Jim Harper, director of information policy studies at the CATO Institute, who said in an interview with Russia Today on July 31, 2009 that “Both cyber terrorism and cyber warfare are concepts that are gross exaggerations of what’s possible through Internet attacks.”
Although acts of cyber espionage such as Titan Rain or incidents of cyber crime resulting in major data losses such as Heartland Payment Systems are gravely serious in their own right, stove-piped thinking that excludes cyber crime from cyber war means that the potential for a threat case doesn’t cross over in the mind of the military strategist.
Critical Infrastructure
There is a growing awareness of the vulnerability of a nation’s critical infrastructure to network attack. Transportation, banking, telecommunications, and energy are among the most vulnerable systems and may be subject to the following modes of attack:
Insider threats
Anonymous access to protected networks via the Internet and Supervisory Control and Data Acquisition (SCADA)
Counterfeit hardware
Employee abuse of security guidelines leading to malware propagation inside the firewall
The following future threat scenario is modeled after the ones created for the latest National Intelligence Council (NIC) report “Global Trends 2025.” While containing many scenarios on a variety of national security issues, the NIC did not include a large-scale cyber event. The authors did, however, have this to say:
Cyber and sabotage attacks on critical US economic, energy, and transportation infrastructures might be viewed by some adversaries as a way to circumvent US strengths on the battlefield and attack directly US interests at home.
What follows is my offering to stimulate discussion and raise awareness within the National Security community of what is possible in the cyber realm.
NOTE
The question of whether a nuclear catastrophe could be initiated by a hacker attack was explored through multiple scenarios in a paper commissioned