Cyber War: The Next Threat to National Security and What to Do About It (30 page)

Hanssen now spends twenty-three hours a day in solitary confinement in his cell at the supermax prison in Colorado Springs. He is allowed no letters, no visitors, no phone calls, and when addressed by prison guards, is referred to only as “the prisoner” in the third person (“the prisoner will exit his cell”). At least Hanssen escaped with his life. The spies he betrayed were not so lucky. At least three Russians in the employ of the American intelligence community were betrayed by Hanssen and killed by the Russians. A fourth was sent to prison. Spying used to be a dangerous business for the spies. Today it is done remotely.

The spies who stole the information on the F-35 didn’t need to wait for a recruit to be promoted to gain access, they didn’t have to find someone motivated to betray his country, and no one had to risk getting caught and going to a supermax, or worse. Yet with the information stolen, they may be able to find a weakness in the design or in the systems of the F-35. Perhaps they will be able to see a vulnerability to a new kind of cyber weapon they will use in a future war to eliminate our dominance in the air by dominating cyberspace. That may not even be the worst-case scenario. What if, while the hackers
were in our systems, exfiltrating information, they also uploaded a software package? Maybe it was designed to provide a trapdoor for access to the network later, once their original way in was patched. Maybe it was a logic bomb set to take down the Pentagon’s network in a future crisis. Moving from espionage to sabotage is just a few clicks of the mouse. Whoever “they” are, they may be in our systems now just to collect information, but that access could allow them to damage or destroy our networks. So, knowing that nations have been in our systems “just to spy” may give the Pentagon and the President a moment of pause in the next crisis.

Banning cyber espionage effectively would present huge challenges. Detecting whether a nation is engaging in cyber espionage may be close to impossible. The ways in which the U.S. and Russia now engage in cyber espionage are usually undetectable. Even if we had means of noticing the most sophisticated forms of network penetration, it could be exceedingly difficult to prove who was on the keyboard at the other end of the fiber, or for whom he was working. If we agreed to a treaty that stopped cyber espionage, U.S. agencies would presumably cease such activity, but it is extremely doubtful that some other nations would.

The ways in which we collect information, including by cyber espionage, may offend some people’s sensibilities and may sometimes violate international or national laws, but, with some notable exceptions, U.S. espionage activities are generally necessary and beneficial to U.S. interests. Moreover, the perception that espionage is vital is widespread among U.S. national security experts and legislators. One question I always asked my teams when I was engaged in arms control was, “When it comes time to testify in favor of the ratification of this agreement, how will you explain to the U.S. Senate how you came to agree to this provision, or, since it will likely be me testifying, how the hell do I explain why we agreed to this?” With an agreement to limit espionage, I would not even know where to begin.
And so, when looking at a Russian proposal to ban cyber espionage, one is left wondering why they proposed it and what it says about the overall intent and purpose of their advocacy of a cyber war treaty. The Russian proposal to ban cyber espionage comes from a country with a high degree of skill in such activity, a nation that has regularly orchestrated cyber warfare against other states, has one of the worst records when it comes to international cooperation against cyber crime, and has not signed the one serious international agreement on disruptive cyber activity (the Council of Europe Cyber Crime Convention).

In rejecting the Russian proposal for an international agreement prohibiting cyber espionage, I recognize that cyber espionage does have the potential to be damaging to diplomacy, to be provocative, and possibly even destabilizing. As former NSA Director Ken Minihan said to me, “We are conducting warfare activities without thinking that it is war.” That is dangerous, but there may be other ways to address those concerns. Over the course of the Cold War, the CIA and its Soviet counterpart, the KGB, met secretly and developed tacit rules of the road. Neither side went around assassinating the other’s agents. Certain things were generally out of bounds. There may be a parallel in cyber espionage. What I recommend is consideration of quiet understandings. Countries need to recognize that cyber espionage can easily be mistaken for preparation of the battlefield and that such actions may be seen to be provocative. Nations should not do things in cyberspace that they would not do in the real world. If you would not put a group of agents in somewhere to extract the information you are hoping to steal on the Net, you probably should not take it electronically. Because there is so little difference between extraction and sabotage, countries should be careful about where they prowl and what they take in cyberspace.

While espionage targeting government systems may have gotten out of hand, America’s real crown jewels are not our government se
crets, but our intellectual property. U.S. stockholders and taxpayers spend billions of dollars funding research. China steals the results for pennies on the billions and then takes the results to market. The only real economic edge that the U.S. enjoyed, our technological research prowess, is disappearing as a result of cyber espionage. Calling it “industrial espionage” doesn’t alter the fact that it is crime. By hacking commercial organizations around the world to steal non-defense data to increase China’s profits, the government in Beijing has become a cleptocracy on a global scale. Even if a major cyber war involving the U.S. never happens, Chinese cyber espionage and intellectual property war may swing the balance of power in the world away from America. We need to make protecting this information a much higher priority, and we need to confront China about its activities.

If consequences can be created for certain kinds of destabilizing cyber espionage, countries may more tightly control who does it, why it is done, and where it is done. Most bureaucrats want to avoid scenes in which they have to explain to an outraged Secretary of State, or similar senior official, how the intelligence value of an exposed covert operation was supposed to outweigh the damage done by its discovery. Thus, while I recognize that some cyber espionage may have the potential to be less valuable than the corresponding amount of damage it may cause, I think that risk is best handled by discussions among intelligence organizations and governments bilaterally, privately. An arms control agreement limiting cyber espionage is not clearly in our interest, might be violated regularly by other nations, and would pose significant compliance-enforcement problems.

BANNING CYBER WAR?

Would it be a good idea, then, to agree to an outright ban on cyber war as defined here (that is, excluding cyber espionage)? An outright ban could, theoretically, prohibit the development or possession of cyber war weapons, but there would be no way to enforce or verify such a ban. A ban could also be articulated as a prohibition on the use of cyber weapons against certain targets or on their deployment prior to the outbreak of hostilities, rather than their mere possession or their use in espionage. To judge whether a ban on conducting cyber war would be in our interest, assuming it could be verified, let’s look at some hypothetical cases.

Imagine a scenario similar to the Israeli raid on the Syrian nuclear facility with which this book began. Change the scenario slightly so that it is the United States that wants to prevent some rogue state from developing a nuclear weapon and it is the United States that decides it has to bomb the covert site where the nuclear weapon is going to be made. The U.S. might well have the same kind of capability to turn off an adversary’s air defense system by employing a cyber weapon. If we had agreed to a ban on the use of cyber weapons, we would face a choice between, on the one hand, violating the agreement, and, on the other hand, sending in U.S. pilots without having done all that we could in advance to protect them. Few civilian or military leaders in this country would want to have to explain that U.S. aircraft were shot down, U.S. pilots taken prisoner or killed, because even though we could have shut off the adversary’s air defense system we did not because of an international agreement.

Or imagine a scenario in which the U.S. was already in a limited shooting war with some nation, as we have been in recent history with such nations as Serbia, Iraq, Panama, Haiti, Somalia, and Libya. The U.S. forces might be in a situation where they could substitute a cy
ber weapon for conventional explosive, kinetic weapons. The cyber weapon might result in lower lethality and do less physical damage, have less long-lasting effects. An outright ban on the use of cyber weapons would force the U.S. to choose, once again, between violating the agreement and doing some unnecessary damage to the adversary.

A simpler scenario would not involve a shooting war or a U.S. preemptive attack, but rather something as routine as a U.S. ship sailing peacefully in international waters. In this scenario, a U.S. destroyer sailing parallel to the North Korean coast would be attacked by a North Korean patrol boat, which fires missiles at the destroyer. The U.S. ship might have a cyber weapon that could be beamed into the guidance system of the incoming missiles, causing them to veer away. If there were an outright ban on the use of cyber weapons, the U.S. might even be prohibited from using them to defend its forces from an unprovoked attack.

The most difficult scenario in which to show restraint would be if cyber weapons were already being used against us. If an adversary tried to shut down a U.S. military network or weapon system by using cyber techiques, it would be tempting to ignore the international agreement and respond in kind.

The two sides of the case for and against a complete ban on the use of cyber war weapons are clear. If we really believe that a ban on cyber weapons is in the U.S. interest, we should be willing to pay some price to maintain the international standard of not using such weapons. We have been in situations in the past where we might have enjoyed some immediate military advantage by using a nuclear weapon or a chemical or biological weapon, but we have always decided that the larger U.S. interest is in maintaining a global consensus against employing such weapons. Nonetheless, because cyber weapons can be less lethal, banning their use in conjunction with kinetic combat may be hard to justify. If shots are already being fired, using cyber weapons might not be destabilizing or escalatory
if (and this is a very big if) their use did not expand the scope of the war. The U.S. military will make the case (strongly) that cyber war weapons are a U.S. advantage and that we have to use our technological advantage to compensate for how thinly our forces are spread around the world and how sophisticated the conventional weapons have become that are in the hands of possible opponents.

Balancing our desire for military flexibility with the need to address the fact that cyber war could damage the U.S. significantly, it may be possible to craft international constraints short of a complete ban. An international agreement that banned, under any circumstances, the use of cyber weapons is the most extreme form of a ban. In the previous chapter, we looked briefly at the proposal of a no-first-use agreement, which is a lesser option. A no-first-use agreement could simply be a series of mutual declarations, or it could be a detailed international agreement. The focus could be on keeping cyber attacks from starting wars, not on limiting their use once a conflict has started. We could apply the pledge to all nations, or only to those nations that made a similar declaration or signed an agreement.

Saying we won’t be the first ones to use cyber weapons may in fact have more than just diplomatic appeal in the international arena. The existence of the pledge might make it less likely that another nation would initiate cyber weapons use because to do so would violate an international norm that employing cyber weapons crosses a line, is escalatory, and potentially destabilizing. The nation that goes first and violates an agreement has added a degree of international opprobrium to its actions and created in the global community a presumption of misconduct. International support for that nation’s underlying position in the conflict might thus be undermined and the potential for international sanctions increased.

A no-first-use declaration could result in reduced flexibility in many of the kinds of cyber scenarios I discussed above. Waiting to respond in kind once we detected that the cyber weapons had been
used in a conflict, or used specifically against us, may also create a disadvantage in the cyber war phase of a conflict.

BANNING ATTACKS ON CIVILIANS?

There are less restrictive approaches than banning the use of cyber weapons, or even forswearing first use. One possibility would be to issue a unilateral declaration or to agree to an international protocol placing civilian targets off limits to nation-states’ use of cyber weapons. There is ample precedent in the international laws of war for a limited ban on certain weapons or activities, as well as to treaties that call for the protection of civilians caught up in wars.

In World War I, aircraft were used in combat for the first time. They were mainly employed for reconnaissance, machine-gun strafing of troops, and attacking each other in the air, but some aircraft were used to drop explosives on the enemy. This first, small use of aerial bombing opened the possibility of creating larger aircraft in the future to carry more, and bigger, bombs. Within a decade bomber aircraft were being manufactured. One of the earliest science fiction authors, H. G. Wells, vividly portrayed what such bombing aircraft could do to a city in his 1933 novel
The Shape of Things to Come
. By 1936 he and the filmmaker Alexander Korda had adapted the book into a movie,
Things to Come
, which horrified audiences. In 1938 in Amsterdam, an international conference agreed to limits on “New Engines of War.” That agreement led, later that year, to a “Convention for the Protection of Civilian Populations against Bombing from the Air.”