As we check email, listen to music online, and log onto our favorite social networks, we never see nation-states exchanging blows or even the remnants of their combat. However, military officials and cybersecurity experts agree that the Internet is an active battleground. Some say it has the characteristics of a jungle, with militant hackers taking on the role of guerillas as they launch attacks from hiding. Others see the Internet as a more conventional terrain, open for strikes between superpowers in the form of viruses aimed at national infrastructure. In either case, cyberwarfare, the expanding form of warfare in which nation-states use computer code to attack enemy networks, has emerged from the pages of science fiction thrillers to make its mark in the public sphere.
In June, The New York Times revealed that the United States built and deployed Stuxnet, a virus targeting the computers that run centrifuges in Iranian nuclear facilities. Since then, three other prolific viruses with suspected state backing have been discovered. Officials from the United States, Iran, and China have become increasingly open about efforts to enhance their cyberwar chests. Given the nature of cyberwarfare, the wide gaps in cybersecurity legislation, and the numerous areas of vulnerability to malicious hackers, it remains clear that the American network is at great risk.
The Nature of Cyberwarfare
After World War II, the United States and the USSR rushed to recruit German aerospace engineers to help advance their rocket technologies. John Arquilla, Chair of the Department of Defense Analysis at the Naval Postgraduate School, sees that situation as analogous to the current high demand for skilled hackers. He told the HPR that several countries around the world are recruiting “master hackers” as part of their attempts to get ahead of the technological curve. Many have characterized the international scramble for hackers as a new arms race. While historically arms races involved stockpiling weapons such as naval warships or nuclear bombs, in the cyber realm, the military with the largest budget does not necessarily have a clear advantage. In fact, Arquilla describes America’s spending on cybersecurity as ineffectual: “Sadly, the more you spend, the less security you may get. [The United States is] not getting very much security for [its] dollar.” The intangible nature of cyberwarfare has disadvantaged the United States, which has traditionally thrived in military conflicts that are more directly dependent on economics.
Because technological superiority is necessary for success in a cyber conflict, non-state terrorist groups are also at a disadvantage. Without knowledge of or access to sophisticated attack functions, insurgents would likely be forced to recruit experts to mount a serious attack. Arquilla reasons that they would be reluctant to do so because “if the person they recruit is actually working for us, we could undermine the whole group.”
The organizations poised to benefit from the nature of cyberwarfare include countries like Iran, which would suffer severely in a total war with the United States, but could inflict serious damage through covert cyber attacks. Although Iran has not taken responsibility for any acts of cyberwarfare, experts widely believe that Tehran has at least provided funding and support for anti-American hacker groups. On August 15, Saudi Arabia’s largest oil company, Aramco, was the target of an unusually malicious attack in which three quarters of its corporate computers were wiped clean. On the blank PCs, the hackers left one image: a burning American flag. After analyzing the virus, cybersecurity experts noted similarities to a virus called Flame that was first used by the United States and Israel to spy on computers of the Iranian government, casting suspicion on a potential retaliatory attack.
The ability of hackers to remain anonymous leaves the United States in an awkward position. With little concrete evidence that Iran or other adversaries are responsible for attacks, American officials must choose between ignoring the attacks, escalating the cyberwar, or initiating a more conventional war. The nature of cyberwarfare undermines the advantages the United States has enjoyed in traditional conflicts.
The U.S. Government is Offline
The pervasiveness of the Internet makes it difficult not only to secure, but also to legislate. Current cybersecurity law is vague and lacking in technical details, while judicial precedents on the subject remain limited. Cybersecurity expert and Columbia Professor of Computer Science Salvatore Stolfo has grown frustrated with the government’s stagnation on issues of the Internet. He tells the HPR that while “time and technology and capability marches on, the government is ignoring it.” The United States is certainly at risk from a technical perspective, but he sees it “more as a political and legislative problem than a technical one.”
Besides the sheer complexity of the field, there are two primary factors preventing the government from taking effective steps towards cybersecurity. The first is that the Internet has become taboo in the halls of Congress following public outrage over the Stop Online Piracy Act that was introduced early this year. This bill, with the intention of preventing piracy, sought to give the government the power to regulate the World Wide Web. After Wikipedia, Reddit, and thousands of other sites led protests against SOPA, the House of Representatives announced it would postpone drafting the bill. Since this incident, both the Republican and Democratic Parties have officially supported net neutrality. Though the Internet has subsequently been left alone by Congress, Stolfo asserts that net neutrality and cybersecurity are two different issues, insisting that “now is the time, when we’re not under stress, to… design policies and laws that defend the network and defend our civil liberties. They can coexist with each other if thoughtful people actually took interest in … deliberating over it.”
The second obstacle to comprehensive cybersecurity legislation is jurisdiction. Because the Internet is a diffuse entity, there is no one government agency responsible for its security. The two major organizations with jurisdiction over the web are the Department of Homeland Security, which has established a National Cyber Security Division, and the Department of Defense, which has formed the United States Cyber Command. While the two have begun to collaborate, Stolfo says that legislators and bureaucrats remain “confused” in the realm of cybersecurity. He fears that only a major cyberattack on American infrastructure would be impetus enough for the government to make significant advances on cyber policy.
Holes in the Network
During this summer’s Aspen Security Forum, General Keith B. Alexander, Director of the National Security Agency and Commander of the United States Cyber Command, offered his assessment of the country’s cybersecurity. On a scale from one to ten, he gave it a three. Arquilla agrees with this analysis, describing the United States as “vulnerable at every level” in terms of cyber attacks. However, some experts, such as Executive Director of the Center on Law, Ethics and National Security and Duke Law Professor Maj. Gen. Charles J. Dunlap, Jr., are more optimistic about American cybersecurity. Dunlap told the HPR, “Fortunately, we have not suffered a cyber Pearl Harbor that everyone fears. I believe that if it was easy to do, it would’ve already happened because there are enough actors out there on the world scene with enough hatred for the U.S. to then try to harm us in any way. The fact that it hasn’t happened does say something.” With this in mind, Dunlap acknowledges that “the U.S. needs to be prepared to conduct both defensive and offensive cyber operations.” Arquilla identifies three different levels of vulnerability that the United States needs to address: infrastructure, commerce, and individuals. The DHS found that between October 2011 and February 2012, there were 86 reported attacks on computer systems that control critical U.S. infrastructure, compared with only eleven in the same period the year prior. Though none have been disastrous thus far, dams, energy grids, and others are on increasingly high alert. In the area of commerce, authorities are growing concerned not only about the exposure of the digital stock market, but also about the vulnerabilities of companies that rely on proprietary information. In the case where such information is stolen by hackers, Stolfo notes that “the law is completely confused and silent.”
The United States so far remains largely unscathed in the battleground of the Internet. However, as nation-states turn towards cyberwarfare, the vulnerabilities in the American network must be addressed. A cyber Pearl Harbor may never happen, but legislators must realize that a devastating cyber attack on American infrastructure, commerce, and even individuals is a very real possibility. Whether or not politicians support net neutrality, they must not remain neutral as the nation’s net comes under attack.