Cyberwarfare: Policy Challenges for 21st Century Threats
December 06, 2016
By Gavin Alcott
In June 2010, computer security analysts in Belarus discovered a set of apparently pedestrian malicious files while diagnosing an Iranian client's computers. On closer examination, what had looked like a common virus turned out to be a highly sophisticated piece of malware that exploited several previously unknown (zero-day) Windows vulnerabilities in order to reach the Siemens industrial control software driving Iran's uranium enrichment centrifuges. Once the analysts posted their findings online, the malware, dubbed Stuxnet, quickly grabbed the attention of the cyber security community because of its unprecedented complexity. Only after years of analysis, and an eventual confidential confirmation by US officials, was the significance of Stuxnet revealed. Jointly developed by US and Israeli intelligence services to target the Iranian nuclear program, Stuxnet was the world's first digital weapon, reportedly destroying an estimated 1,000 centrifuges at Natanz (roughly a fifth of those then operating), and the first round fired in the latest form of warfare: cyberwar.
The State of Cyberwarfare
Since Stuxnet there has been a rapid acceleration in the development of both offensive and defensive cyber capabilities across the world, in both the public and the private sector. The US has consolidated its position as a global cyber superpower through increased organization and spending. In 2009 the US united its cyberwar capabilities under US Cyber Command (USCYBERCOM), headed by the director of the NSA. Since then, spending on cyber capabilities has exploded, with the 2017 Department of Defense budget calling for a 15% increase in spending on cyber operations, bringing the total budget of the program to $6.7 billion. Though most experts concede that American cyber capabilities are superior worldwide, parallel development by rival nations means that US preeminence faces challenges. Notably, other cyber powerhouses include Russia, China, and Iran, all of which have been suspected in attacks targeting the US and its interests. Russia, for instance, has been implicated in a host of attacks, including the recent breach at the DNC. In 2009, China was suspected of stealing information on the development of the F-35, the US military's costly new fighter jet, and using the information to develop a suspiciously similar plane. Finally, Iran has also targeted US interests in cyberspace, including a 2013 campaign of denial-of-service attacks on major US banks and even an intrusion into the control system of a New York state dam. Clearly, despite US supremacy in cyberspace, vulnerabilities still exist. In fact, the US Director of National Intelligence identifies cyber attacks as the single greatest threat to national security. He is not alone in this analysis: Pew Research found in May of this year that Americans rank cyber attacks as the second greatest global threat to national security, behind only ISIS. But what are these vulnerabilities? What gaps in policy remain regarding the use of, and responses to, cyber warfare attacks?
Significant US Cyber Vulnerabilities
Private Sector Vulnerabilities
Broadly speaking, the most significant US cyber vulnerabilities lie not in the public but in the private sector. As US Army General Martin E. Dempsey, then Chairman of the Joint Chiefs of Staff, explains, civilian businesses and infrastructure are attractive targets because of their significantly weaker security (compared to government targets) and their potential to disrupt national security. Exposure in the private sector is significant, with Justin Harvey of Fidelis Cybersecurity estimating that 90% of US companies are not equipped to defend against current cyber threats. The most common attacks targeting US firms are cyber espionage and service disruption through distributed denial of service (DDoS) attacks, which in total cost US companies an estimated $300 billion per year. The vast majority of these threats come from China, from which 70% of corporate intellectual property hacks originate.
The greatest dangers to national security in terms of magnitude of impact come from the potential for a devastating attack targeted at key infrastructure. Today computers control everything from hospitals to transportation systems to the electrical grid, and an attack on any of these systems could prove devastating. The threat to these systems is very real, as demonstrated by the Department of Homeland Security's 2007 "Aurora" test at Idaho National Laboratory, which proved that vulnerabilities in the power grid could be exploited using computer-based attacks on control systems to halt operations and physically destroy vital equipment (in that test, a diesel generator). While the likelihood of such an attack is remote compared to cyber espionage and cyber theft, the potential destruction from just one such attack warrants significant concern.
Public Sector Vulnerabilities
Despite the best efforts of cyber defense experts, the US government remains susceptible to cyber attacks. Since 2006 the number of cyber incidents reported by federal agencies has exploded by 1,300%, to more than 70,000 last year. Even more alarmingly, 11 of the 18 agencies with 'high-impact systems' (systems that hold information which, if lost, could cause "catastrophic harm" to individuals, the government, or the nation) reported attacks affecting those systems. This included the breach of the Office of Personnel Management, which resulted in the theft of background investigation records, including Social Security numbers, on some 21.5 million people, along with the fingerprints of 5.6 million of them.
Policy Gaps Related to Cyber-warfare
While the US must clearly take specific steps to close gaps in its cyber defenses, many policy questions related to cyber warfare remain unanswered. The DOD has published specific strategic goals for the development of defensive and offensive cyber options and has acknowledged that these options will be integral to future conflict, yet many gaps still exist in the policy framework surrounding the use and misuse of cyber capabilities. At the moment, the decision-making calculus with regard to cyberwar is extremely inconsistent, which creates potentially dangerous situations. While cyber attacks are certainly dangerous and harmful, it is unclear how responses should manifest or how they fit into the framework of conventional war. Consider Stuxnet from Iran's perspective: had Iranian centrifuges been destroyed by more conventional means (perhaps an air strike), Iran could rightfully have interpreted the attack as an act of war. With cyberwar the waters are much murkier. It is generally difficult to attribute a cyber attack to its source with a high level of certainty, so retaliation is difficult to justify, and policy ambiguity reflects this reality. Additionally, even when formal accusations are made, a nation can easily point to a group of rogue 'cyber terrorists' within its borders and blame the attacks on a group outside of its control. Because of these characteristics, cyber attacks are well suited to deniable, 'black' operations. At the same time, the same uncertainty creates significant danger of miscalculation and of incorrect or disproportionate retaliation. To address these issues, significant steps must be taken to develop cyber 'rules of engagement' that better outline the appropriate role of cyber warfare, both offensively and defensively.
Despite world-class cyber capabilities, US policymakers and government agencies have a long way to go in developing both public and private sector best practices for this new technological age. Although arguably a global leader in both offensive and defensive cyber operations, the US still has significant and potentially catastrophic security gaps in key areas of its cyberspace. Additionally, more coherent and specific rules of engagement must be developed to reduce the risk of miscalculation and to better define the appropriate use of cyber war capabilities in the decades to come.
Student Blog Disclaimer
The views expressed on the Student Blog are the author’s opinions and don’t necessarily represent the Penn Wharton Public Policy Initiative’s strategies, recommendations, or opinions.