June 12, 2012

TSG IntelBrief: Coming War in Cyberspace?

As of mid-June 2012, reports abound in the media of cyberattacks on U.S. Government websites, including the recent breach of the federal employees' Thrift Savings Plan and probes of sensitive government networks. While some observers have described these activities as the advent of cyberwar, others maintain that the threat of a cyber equivalent of Pearl Harbor or 9/11 has been deliberately inflated, either to generate more business for security companies or to pass legislation and impose restrictions that favor certain special interest groups.

On one side of the argument is the contention that cyberattacks to date have amounted to little more than a costly nuisance, and that their effects have been essentially mitigated wherever proper cybersecurity systems and procedures were in place. Additionally, no cyberattack has yet produced a scenario that could accurately be described as life-threatening. On the opposite side of the debate, policymakers and subject matter experts in the cyber realm point to the fundamental principle that war is less about violence than about imposing political will upon an adversary. Given this paradigm, they argue, rapid advances in technology have transformed the way war will increasingly be fought.


Defining Cyberwar

In common parlance, the term "cyberwar" is routinely used as an umbrella category that encompasses a range of activities, including cybercrime, cyber espionage, and cyber sabotage. Even cybersecurity is frequently confused with cyberwar when, in fact, the former might be likened to security guards on a domestic military installation while the latter would be represented by soldiers on a battlefield. Similarly, references to the so-called "Twitter Revolution" may further confound the issue since, as graphically demonstrated during the Arab Spring uprisings of the past year, cyber-related tools and technologies (the Internet, Twitter, Facebook, text messaging, even cameras on cellular telephones) can serve as force multipliers for civilians and militaries alike.

Part of the problem in constructing a relevant cyber taxonomy lies in the uncertainty inherent in any effort to quickly and accurately attribute a cyberattack. In contrast to a conventional war, where battle lines are clearly and tangibly drawn, both the identity of the attacker and the damage inflicted in cyberspace may remain undetected for long periods after the event. Without being able to determine the identity of the actors behind a cyberattack, it can also be difficult to determine the actual intent, or even the target, of an attack. Uncertainty in both these areas could lead to serious miscalculations in formulating the proper response.

U.S. Department of Defense doctrine now recognizes cyberspace as a warfighting domain alongside land, sea, air, and space. Along with other major powers, the U.S. has also taken definitive action to develop plans and capabilities for conducting military operations in this newly accessible dimension. While many have speculated, even protested, that this represents the militarization of cyberspace itself, what is commonly overlooked is that a substantial portion of this new "battlefield" is owned and operated by the private sector. Perhaps in light of this, the military is attempting to harness the offensive and defensive capabilities resident in the private sector, which, in a curious reversal of convention, represents the front lines.

In an effort to grasp the potential evolution of the new battlefield, the Defense Advanced Research Projects Agency (DARPA) has just unveiled its Plan X research program, which, among other tasks, will fund projects to map the Internet and to provide an attack-ready operating system. (Note: Google, a commercial enterprise, recently announced that it will alert users when they have become targets of state-sponsored cyber intrusion. This, of course, is predicated on the assumption that Google has the capability to attribute attacks to nation states or their proxies with sufficient confidence.)


Major Cyber Attack?

A term often used in conjunction with "cyberwar" is APT, or Advanced Persistent Threat. Cyber operations of this nature involve extensive intelligence gathering and require the careful planning, broad reach, and technical capability that were heretofore thought to be possessed only by a nation state. As wide-ranging as the scope of such an operation may be, its attack signatures may be difficult to identify; as a result, an APT may remain undetected for years. While denial-of-service attacks and website defacements are rampant, few of the cyberattacks reported by the media fall into the category of what the government would consider an APT.

One such APT is "Operation Aurora," a data breach of Google and several other companies, including defense contractors, that resulted in the loss of valuable intellectual property. Not all of these cyber operations, however, were carried out for the purpose of economic gain. Non-profit organizations and human rights activists were also targeted, leading many to speculate that the attacks were coordinated by a nation state with a strategic interest in learning more about the activities, resources, and plans of those groups. "Shady RAT" is another case in which governments and private sector organizations had vast amounts of data lifted through covertly installed backdoors on their computers.

A very recent example of an APT may be seen in the discovery of new malware called Flame, which is related to the Stuxnet worm and whose infections appear to be concentrated in the Middle East. Flame's complexity and code bear similarities to Stuxnet, yet it appears to be a tool of espionage rather than a destructive weapon. Although espionage is a crime, nations generally do not go to war over the discovery of a foreign spy ring in their midst.

Recent reports quoting "unnamed officials" indicate that the U.S. and Israel jointly engineered and launched the Stuxnet worm, as was alleged at the time of its discovery in June 2010. Stuxnet is considered by some to be the first true "cyber weapon" capable of producing kinetic effects, as the malware's intended target, Iran, confirmed that centrifuges used in its nuclear program had been damaged enough to cause delays. While some consider this an act of war, others compare it to preemptive air strikes on chemical and nuclear weapons plants, which have neither resulted in mass casualties on either side nor amounted to formal declarations of war. (American defense officials have nonetheless publicly declared that, in the event of a "major cyber attack," the U.S. reserves the right to respond with military force.)

What precisely constitutes a "major cyber attack" has still not been clearly defined, however, and a formal determination may not be made until after the fact. The concept is likely to remain fairly nebulous until a cyber attack occurs that causes sufficient destruction, and probably loss of life, for leaders in Moscow, Beijing, London, Berlin, or Washington to claim they have been the target of a major cyber attack. Until then, uncertainty lingers about how any of those governments might react (or retaliate) if an APT such as the Stuxnet worm targeted their public or private sector information systems.




Also available: TSG Specialized Reports: The Soufan Group's world-class network of intelligence analysts produces specialized geopolitical and risk assessment products tailored to the unique needs of our clients in the public and private sectors. We welcome the opportunity to discuss your requirements and explore how our intelligence services can assist you in achieving your strategic objectives. For more information, please contact us at:
