Cyber War: The Next Threat to National Security and What to Do About It (27 page)

In nuclear war strategy there were two central issues regarding who could do what, and they came under the general heading of “positive control.” The first was, simply: Could some U.S. military officer who had a nuclear weapon use that weapon even if he was not authorized to do so? To prevent that from happening, as well as to prevent someone from stealing and then setting off a bomb, elaborate electronics were embedded in the bomb’s design. The electronics physically blocked the bomb from detonating unless the lock had received an alphanumeric unlocking code. On many weapons, two officers had to each confirm the code and simultaneously turn physical keys to accomplish their part of the unlocking sequence. This was called the “two key” control. Part of that code was kept away from the weapon and would be sent down by higher authority to those who would unlock it. These “permissive action links,” or PALs, grew more sophisticated over the years. The U.S. shared parts of its PAL technology with some other nuclear-weapon states.

The second issue regarding positive control was: Who should be the higher authority capable of sending down the unlocking codes for nuclear weapons? The theory was that under normal circum
stances that authority would rest with the President. A military officer attached to the U.S. President carries at all times a locked case in which reside the “go codes” for various nuclear attack options. I learned during the attempted military coup in Moscow in 1990 that the Soviets had a similar system. President Gorbachev, who was taken hostage at one point in the crisis, had the nuclear “go codes” with him at his vacation villa. The Gorbachev incident highlights the need for having the decision-making authority devolve if the President is unable to act. The U.S. government refuses to acknowledge who below the President has the authority to unlock and use nuclear weapons and under what circumstances that power devolves. All personnel who have physical access to nuclear weapons must undergo special security review and testing as part of a personnel reliability system designed to weed out persons with psychological or emotional issues.

Cyber weapons would have a far lesser impact than nuclear weapons, but their employment under certain circumstances could be highly damaging and could also trigger broader war. So, who gets to decide to use them, and how do we make sure they are not used without authorization? Who should decide what networks we should be penetrating as part of the preparation of the battlefield?

Until we gain more experience with cyber weapons, I would argue that the President should at least annually approve broad guidelines about what kinds of networks in what countries we should be penetrating for both intelligence collection and for the embedding of logic bombs. Some will criticize that as overly restrictive, noting that we have been penetrating networks for intelligence collection for years without presidential review. That may be true, but in many cases there are only a few keystrokes’ difference between penetrating a network to collect intelligence and hacking your way in to cause destruction and disruption. Because there is the risk, however low, that logic bombs and other penetrations may be discovered and
misunderstood as hostile intentions, the President should decide on how much risk he wants to take, and with whom.

The decision to use a cyber weapon for disruptive or destructive purposes should also rest with the President, or, in rare cases where quick action is necessary, with the Secretary of Defense. There may be circumstances in which regional commanders should have some predelegated authority to respond defensively to an ongoing or imminent attack. However, Cyber Command and its subordinate units should employ some form of software control analogous to the two-key control on nuclear weapons to ensure that an overzealous or massively bored young lieutenant cannot initiate an attack.

Even with proper command controls in effect, there is the potential for accidental war. In the Cold War, early radar systems could sometimes not distinguish between huge flocks of Canada geese and formations of Russian bombers. Thus, there were times when the U.S. launched the portion of its bombers that were kept on strip alert and sent them heading toward their destinations until air defense authorities could clarify the situation and determine for sure if we were under attack.

In cyber war, it is possible to imagine accidental attacks developing if somehow the wrong application were used and instead of inserting code that copied data, we mistakenly used code that deleted data. Alternatively, you could imagine the possibility that a logic bomb might be accidentally triggered by the network operator or by some other hacker who found it. The chances of that happening are very low, but Cyber Command and others engaged in hacking into other nations’ networks must have strict procedures to ensure that no such mistake occurs. The greatest potential for accidental cyber war is likely to come in the form of retaliating against the wrong nation because we were misled as to who attacked us.

8. ATTRIBUTION

In Exercise South China Sea, neither side doubted the identity of who was attacking them. There was a political context, rising tensions over the offshore oil fields. But what if, instead of China having done the attack, it was Vietnam? In the exercise scenario, Vietnam and the U.S. are allied against China. So why would our ally attack us? Perhaps Vietnam wants to drag the U.S. deeper into the conflict, to get Washington to stand up against China. What better way than letting Washington think that China was engaged in cyber war against us? And when China denied that it was them, we would probably just write that off as Beijing engaging in plausible deniability. (If you want to contemplate a similar scenario, and if you will forgive a bit of shameless self-promotion, read my novel
Breakpoint
, which deals with cyber war attribution, among other things.)

The cyber experts at Black Hat were asked at the 2009 meeting whether they thought the problem of attribution was as important as some suggest, that is, is it really that hard to figure out who is attacking you, and does knowing who attacked you really matter? To a person, they answered that attribution was not a major issue to them. It was not that they thought it was easy to identify the attacker; rather, they just did not care who it was. These were mainly corporate people whose networks had been attacked and when it had happened, their chief concern was getting the system back to normal and preventing that kind of attack from happening again. Their experiences dealing with the FBI had convinced most of them that it was hardly worth it even to report to law enforcement when they had been attacked.

For national security officials, however, knowing who attacked you is much more important. The President may ask. You may want
to send the attacker a diplomatic note of protest, a demarche (what we called in the State Department a “démarche-mallow.”), as Secretary Clinton did after news of the attempted hacking on Google from Mainland China went public. You might even want to retaliate to get them to stop doing it. One way to find out who the attacker was is to use trace-back software, but eventually you will probably get to a server that does not cooperate. You could, at that point, file a diplomatic note requesting that the law enforcement authorities in the country get a warrant, go around to the server, and pull its records as part of international cooperation in investigating a crime. That could take days, and the records might be destroyed by then. Or the country in question may not want to help you. When trace-back stops working, you do have the option of “hack back,” breaking into the server and checking its records. Of course, that is illegal for U.S. citizens to do, unless they are U.S. intelligence officers.

Hacking into a server to trace the origin of an attack may not work, either, if the attacker worked hard at covering up his origins. You may have to be online, watching live when the attack packets actually move through the servers. It is unlikely that you will find that, say, even after bouncing through a dozen servers in as many countries to cover their tracks, the attacking packets had originated in some place called the “Russian Offensive Cyber War Agency.” Just to be safe, if it were the Russian government, they probably would have directed the attack from a server in another country and, if it were an intelligence-collection operation, the data they copied would probably have been sent to a data-storage unit in a third country.

So when it comes to figuring out who attacked you, unless you are sitting on the network the attacker uses and you see it coming (and sometimes not even then), you may not know right away. Computer forensics may be able to say that the original keyboard used in developing the attack code was designed for Arabic, or Cyrillic, or Korean, but that is hardly dispositive as to the identity of
the hacker. And if you do find that the attack came from Russia, based on what happened to Estonia and Georgia, the authorities there will likely blame citizen hacktivists and do nothing to them.

This attribution difficulty could mean that nations trying to identify their attackers may need to rely upon more traditional intelligence techniques, such as spies penetrating the other side’s organization, or police methods. Human intelligence, unlike cyber, does not move at velocities approaching the speed of light. Quick responses may not be available. In nuclear war strategy, attribution was not generally thought to be a major problem because we could tell where a missile or bomber had been launched. Cyber attack may be similar to a suitcase bomb going off in an American city. If we see the attack being launched because we are watching the cyber equivalent of their missile silos and bomber bases, we might be able to assign attack attribution with a high degree of certainty. But if the attack starts on servers in the U.S., it may take a while to tell the President that we really know who attacked us. How sure do you need to be before you respond? The answer will likely depend upon the real-world circumstances at the time.

9. CRISIS INSTABILITY

The late Bill Kaufmann once asked me to write a paper on something called “launch on warning.” The Strategic Air Command had the idea that as soon as we saw a Soviet nuclear attack coming we should launch as many bombers as we could and fire our land-based missiles. As the Soviets had improved the accuracy of their missiles, it had become possible for them to destroy our missiles even though we kept them in hardened, underground silos. As with everything in strategic nuclear doctrine, even this idea of “fire when you see them coming” got complicated. What if you were wrong, if your
sensors made a mistake? Perhaps they were attacking, but with a small force aimed at only a few things, should you still throw the kitchen sink at them? Therefore the Air Force had evolved a strategy called “launch under attack,” which essentially meant that you waited until you had a better picture, until some of their missiles’ warheads were already going off in your countryside.

The launch on warning strategy was generally thought to be risky because it added to crisis instability, the hair-trigger phenomenon in a period of rising tensions. If you don’t make the right decision quickly, you lose, but if you have to make the decision quickly, you may make a losing decision. What I was able to conclude for Kaufmann was that we had enough missiles at sea, and those missiles had grown sufficiently accurate, that we could ride out an attack and then make a rational decision about what had just happened before we sized our response.

There is a similar issue with cyber war. The U.S. expects to see an attack coming and move quickly to blunt the cyber assault and destroy the attacker’s ability to try it again. The assumption about being able to see an attack coming may be invalid. Nonetheless, we will assume that the U.S. strategy is to see the attack coming and act. To act, you have to go quickly and without a lot of assessment of who the enemy was or what they were going to strike. If you do not go quickly, however, you suffer two possible disadvantages:

• The attacking nation will probably pull up the drawbridge over the moat after its attackers charge out of the castle, by which we mean that as soon as they launch a big attack, a nation like China may disconnect from the rest of the Internet and “island” subnets;
  
• The attacking nation may be going after the Internet itself and the telephone infrastructure in the United States, which might make it harder for the U.S. to launch a cyber retaliation.
  

Thus, there could be a real case of
first mover advantage
, and that leads to crisis instability, a hair trigger, no time to think. Now, remember the earlier discussion about
ambiguity of intent
, what one side indicates by the types of targets it goes after in the preparation-of-the-battlefield period. If a nation believes that the other side has already laced its infrastructure (including cyber and electrical networks) with destructive software packages or logic bombs, that consideration, combined with the first mover advantage, could cause a decision maker in a time of rising tensions to have a very itchy keyboard finger.

10. DEFENSIVE ASYMMETRY

The team playing China won this exercise, forcing a withdrawal of U.S. forces and causing the United States to negotiate a face-saving way out. The chief reason they won was that they had been able to overcome U.S. defenses and to erect relatively effective defenses of their own. The U.S. was looking for an attack to originate overseas, and China used servers in the U.S., perhaps directed by Chinese “students” operating out of coffee shops. The U.S. was looking for the signatures of attacks that it already knew about and the Chinese used “zero day” exploits. Most important, the U.S. had no national defense mechanism for the civilian infrastructure, including the finance industry, the electric power grid, and rail systems.

China, on the other had, not only had a national command system that could dictate to its infrastructure, they had a defensive plan. When it was clear that cyber war was under way, China’s electric and rail systems shifted to a non-networked control system. When the Chinese lost satellite communications, they had a backup radio network up in an hour. In short, China had not thrown out their old systems, and had a plan to use them.