By Jason Healey
There have been at least seven major “wake-up calls” in cyber conflict, attacks or other events that shocked and surprised defenders and decisionmakers, then were promptly forgotten until a similar shock “awakened” a new cohort of cyber leaders.
This pattern will repeat itself until policymakers and practitioners pay attention to history.
A study of the past 25 years reveals three main lessons.
The first and most important: There is, in fact, history to be learned. Contrary to received wisdom, cyber conflict, as distinct from the fast-changing technologies through which it is fought, has changed only gradually.
A second lesson is that the probability and consequences of disruptive cyber conflict have been overhyped for decades, while the impacts of intrusions have been underappreciated. How often have you heard about a “cyber Pearl Harbor,” as opposed to the data theft that is actually occurring?
Lastly, the more strategically significant a cyber conflict is, the more similar it is to conflicts on the land, in the air and on the sea. For example, when cyber warriors talk about attacks “at the speed of light,” that is only true at the tactical and technical level — tactical engagements often happen quickly in any domain of warfare. The broader cyber conflicts of which they are part unfold over weeks, months and years.
As in any domain, it is the job of senior decisionmakers to abstract these smaller tactical truths into a larger strategic whole.
Ultimately, the major difference between online and physical war is the one U.S. cyber warriors least want to recognize: Few, if any, strategic cyber conflicts have been decisively resolved by governments. Instead, it is the non-state actors (such as telecommunications providers, cybersecurity companies, and non-government cyber-sharing organizations) that have played the most central role. If there has been any “partnership,” the government has been a very junior and quite needy one.
Cyber conflicts are disruptions caused by malicious actors with implications far beyond mere technical or criminal problems. They occur in the overlap between national security and cyber security, where nations and non-state groups use offensive and defensive cyber capabilities to attack, defend and spy on each other, typically for political or other national security purposes.
From the U.S. perspective, there have been eight critical cyber conflicts, seven of which were “wake-up calls” that led quickly to new doctrines and organizations.
The Cuckoo’s Egg. In 1986, cyber intruders broke into dozens of computers at military commands and research institutions, looking for information to sell to the KGB. The case was exposed by Cliff Stoll, an astronomer-turned-system administrator, who stumbled on the hack while hunting down a $0.75 billing discrepancy.
With a handful of collaborators, Stoll tracked down the hackers in Hanover, West Germany. They were arrested and sent to prison. It wasn’t a “wake-up call,” however, because few outside of the U.S. Department of Justice paid attention.
The Morris Worm. In 1988, this attack rapidly spread over trusted network connections, unintentionally taking down a considerable portion of the fledgling Internet. It became the first of the wake-up calls that led to immediate institutional changes: DoD sent funding to Carnegie Mellon University, which created the Computer Emergency Response Team, the first emergency responders for cyberspace.
The Morris Worm taught two lessons: Widespread, persistent attacks are difficult to maintain in the face of determined defenses, and the private sector, not the government, has the agility and subject-matter expertise to solve the problem.
A decade later, two events further focused the attention of senior decisionmakers.
In 1997, NSA hackers launched ELIGIBLE RECEIVER, a “no-notice interoperability exercise” in which red teams intruded into DoD networks with alarming ease. Their success accelerated plans to create a new cyber-response organizational structure and to implement DoD-wide mechanisms to defend against sustained cyber assaults.
The following year, such assaults moved from theoretical to real. A set of actual widespread attacks on unclassified DoD systems, dubbed Solar Sunrise, told Pentagon leaders that they lacked an adequate command structure for response.
The attacks also highlighted the problem of attribution. After Deputy Defense Secretary John Hamre told President Clinton that the attacks “might be the first shots of a genuine cyber war, perhaps by Iraq,” forensics determined them to be the work of California teenagers aided by an Israeli mentor.
Within a year, the first joint cyber war-fighting organization was established, a 24-person Joint Task Force for Computer Network Defense (JTF-CND) that became the first unit empowered to issue orders to computer defenders elsewhere in DoD, rather than merely asking for cooperation or providing suggestions. It was also the first joint cyber warfighting command anywhere in the world, and the predecessor of today’s U.S. Cyber Command.
The JTF-CND and other new U.S. government organizations soon coordinated on the first major cyber espionage case, the still largely classified Moonlight Maze. More than a scare, these intrusions, which appear to have started around March 1998, were deeply worrying acts of espionage. Traced to the Russian Academy of Sciences, the intruders apparently penetrated “hundreds of computers at NASA, the Pentagon, and other government agencies, as well as private universities and research laboratories.”
A few years later, Beijing began giving the impression that it was trying to steal its way into the first rank of world powers. In 2005, the press began reporting on Titan Rain, a set of Chinese espionage intrusions that appeared to have begun several years earlier against DoD, defense contractors, and the departments of Homeland Security, State, and Energy.
Additional reports emerged about other Chinese-linked intrusions: GhostNet (involving espionage into the offices of the Dalai Lama); Shadows in the Cloud (hacking into embassies and other targets of interest to China, such as national Olympic committees); Night Dragon (targeting global energy companies); and thefts of information on the F-35 Joint Strike Fighter program from Lockheed Martin, BAE Systems, and other companies.
Russia is more widely known for ignoring, encouraging or coordinating its patriotic hackers to conduct cyber operations against Estonia in 2007 and Georgia a year later.
The first campaign followed Tallinn’s decision to move a statue of a Soviet soldier used as a local rallying point by Russian nationalists. From late April to mid-May of 2007, denial-of-service attacks disrupted government websites, online financial transactions and national connectivity. As with attacks before and since, neither the Estonian nor allied governments had many direct levers to reduce their impact, and so the private companies that owned the networks did the heaviest lifting.
Though the Estonian attacks have been portrayed as a cyber disaster, they were actually a tactical and strategic defeat for the ethnic Russian attackers. The Estonian government was not coerced, the statue was still moved and the attacks caused no long-term economic damage. Instead, the attacks stained Russia’s international reputation while leading Estonia, NATO and others to improve their vigilance.
The Georgian cyber conflict coincided with Russia’s August 2008 invasion over the breakaway region of South Ossetia. The cyber assault, which began before the physical invasion, was met with complacency by the Georgian president until it grew into intrusions, defacements and large-scale botnet DDoS attacks against government, news media and other sites. At its height, Georgian leaders were essentially unable to use the Internet to communicate internally or send word to the international community about what was happening.
(Several of the Georgian government sites were transferred to the United States, apparently without the knowledge of the U.S. government, arguably violating U.S. neutrality and making those ISPs legitimate targets during a time of war.)
The ferocity of the cyber assault, its targeting and its apparent coordination with Russian military forces led some analysts to conclude that Russia was not just ignoring or encouraging its patriotic hackers (as it did in the conflict with Estonia), but was actively coordinating or directing their actions.
Yet another wake-up call was issued in 2008, via a widely read article in the journal Foreign Affairs by William Lynn, then U.S. deputy defense secretary. Lynn described an intrusion, dubbed Buckshot Yankee, into unclassified and classified networks of U.S. Central Command. Malicious software placed on a thumb drive “by a foreign intelligence agency” spread through command networks and sent information back to its controllers.
As with Moonlight Maze, reports emerged that Russia’s intelligence services were behind the intrusion. But unlike previous espionage attempts, the intruders were able to access not just unclassified military networks but also the SIPRNet network (used for passing operational commands) and the JWICS network (for the highest-classification intelligence information).
However, it was the mid-2010 revelations around the Stuxnet virus that most alarmed cybersecurity professionals. Extremely sophisticated, Stuxnet was the first malware to target industrial control (SCADA) systems. In fact, as security researcher Ralph Langner discovered, Stuxnet was a “guided missile” designed to destroy industrial systems of the specific make and configuration found in the Iranian nuclear program.
White House sources quoted in the New York Times soon confirmed that Stuxnet was part of a U.S.-Israeli covert operation, codenamed OLYMPIC GAMES, meant to disrupt Iranian nuclear ambitions.
Lessons and Findings
There are clear lessons and findings from this history, each with policy implications.
Lesson 1: Cyber conflict has changed only gradually over time; thus, historical lessons derived from past cases are still relevant.
In other areas of national security, military personnel, diplomats and policymakers study the history of their fields to avoid old mistakes. But even though the U.S. military teaches young cadets and officers the implications of Gettysburg, Inchon, Trafalgar and MiG Alley, it ignores the lessons of cyber conflicts.
(Cyber history has even been intentionally falsified. The Army Cyber Command’s “Command Update” briefing from last year, for example, teaches that the main online threat prior to 2007 was “Cyber ‘Noise’ on Networks.”)
If you could get together some fighter pilots from 1918 and a similar group of F-22 or F-15 pilots, they would within minutes be telling breathless tales of dogfights, and how they had zipped through complex aerial maneuvers to shake an adversary or line up a kill shot. They can share this experience because the dynamics of dogfighting (such as the advantages of relative height, speed and maneuverability) have remained stable over time, even though a hundred years of technology has made dogfights faster, more lethal and at altitudes and ranges unimaginable to the pioneers.
So it is with cyber conflicts. Even though today’s conflicts are far more dangerous, the underlying dynamics echo what has come before. Perhaps nothing better illustrates the parallels between cyber problems then and now than comparing a few quotes about cyber security:
• “I liken it to the very first aero squadron, when they started with biplanes. We’re at the threshold of a new era. … We are not exactly sure how combat in this new dimension of cyberspace will unfold. We only know that we are the beginning.” (Lt. Col. “Dusty” Rhoads, 1996) vs. “I almost feel like it’s the early days of flight with the Wright Brothers. First of all, you need to kind of figure out that domain, and how are we going to operate and maintain within that domain.” (Maj. Gen. Webber, 2009)
• “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.” (Lt. Col. Roger Schell, 1979) vs. “[Our red teams] do get into most of the networks we target.” (NSA Red Teamer, 2008)
• “Espionage over networks can be cost-efficient, offer nearly immediate results, and target specific locations … [while the perpetrators are] insulated from risks of internationally embarrassing incidents.” (Cliff Stoll in 1988) vs. “Foreign collectors of sensitive economic information are able to operate in cyberspace with relatively little risk of detection by their private-sector targets.” (NCIX Counterintelligence Report to Congress, 2010)
Despite being on average more than two decades old, the first quotes in each pair are nearly indistinguishable from the more recent quotes. Far from reminiscing about the trite concerns of days past, today’s practitioners make clear how yesterday’s problems are still with us.
Lesson 2: The probability and consequences of disruptive cyber conflicts have often been hyped, while the real effects of cyber intrusions have been consistently underappreciated.
History tells us that the most important cyber conflicts have not involved war or terror, but espionage. Cyber spying against the United States, which began no later than the mid-1980s, has grown to staggering proportions. For at least a decade, China has been stealing trade secrets, negotiating strategies and other intellectual property of companies from the United States and many other countries.
As recently splashed across the media, the United States is extremely active in its own, quieter cyber espionage for political and military (but not commercial) secrets. Yet cyber espionage has, until very recently, been nearly ignored in national debates.
Instead, the attention has focused on large-scale catastrophic disruptions. Despite two decades of warnings about a “cyber Pearl Harbor,” no one is known to have died from a cyber attack, and there is little evidence that disruptions have caused even blips in national GDP statistics.
Actual cyber incidents have so far tended to have effects that are either widespread but fleeting (such as the Morris Worm which took down an estimated 10 percent of the early Internet) or persistent but narrowly focused (like the 2007 attacks on Estonia). No attacks, thus far, have been both widespread and persistent.
Cyber attacks, as it turns out, can easily take down web pages; teenaged hackers have made plenty of headlines for defacing or blocking access to various sites. But keeping a large number of targets down over time in the face of determined defenses has thus far been beyond the capabilities of all but the most capable cyber powers.
Lesson 3: The more strategically significant a cyber conflict is, the more similar it is to conflicts on the land, in the air and on the sea – with one critical exception.
This broad lesson has the most significant implications for modern militaries and policymakers, as it flies in the face of common perceptions about cyber warfare, especially the role of the private sector as well as speed and duration, warning, attribution, and deterrence. Each of these will be discussed separately below.
• Private Sector Decisiveness: The biggest difference between cyber conflicts and their traditional equivalents is the one most often overlooked: The decisive role is played by non-state actors, not governments. In most of the conflicts, including the responses to the Morris Worm, Stuxnet and Estonia, governments are on the side while individuals, companies and cooperative volunteer groups have repeatedly used their agility and subject-matter knowledge to mitigate and prevail. Rarely do governments muster the superior resources of their unwieldy bureaucracies to make a decisive difference.
• Unfold Over Time: Many of America’s cyber leaders stress that cyber operations occur at “nearly the speed of light” or at “network speed.” It is true that tactical cyber engagements can happen as quickly as our adversaries can click the Enter key, but so what? Any tactical engagement, whether in cyberspace or in the air, on land or at sea can take place at a lightning pace. Moreover, a single tactical cyber engagement is no more likely to win a war than a single dogfight. History has shown the more strategically significant the cyber conflict, the more likely it is a string of parallel and serial tactical engagements, with both adversaries contending against each other over time, just as in traditional warfare. The attacks on Estonia lasted for weeks. Stuxnet and MOONLIGHT MAZE seem to have been going on for years. The Chinese espionage effort has been running for a decade and counting.
• Long Warning Times: Relatedly, the most strategically meaningful cyber conflicts have been part of larger geopolitical conflicts, which typically offer ample warning time to defenders. Estonia, for example, had several weeks of warning after announcing plans to move the statue of the Red Army soldier. Not only was it clear that the Russian government and nationalist movements were gearing up for protests, but Estonian officials specifically watched Russian nationalist websites as they built support. Unfortunately, this forewarning was not transmitted to NATO or the European Union in a manner that could have led either to try to convince the Kremlin to rein in its nationalist allies.
• Obvious National Responsibility: As in Estonia, the more strategically significant the conflict, the more obvious it is which nation is most responsible. Of course, at the most tactical level, attacks can be difficult to attribute, but this technical truth need not have an outsized impact on national policymaking. For national security policymakers, “who is to blame?” is usually more important than simply “who did it?”
Even if the government of that nation isn’t conducting the activity itself, it can still be pressured into helping stop the attacks, or embarrassed in international opinion if it fails to cooperate. In Estonia, analysts determined the attacks traced back to 178 countries, including the United States. Such useless forensic facts served to muddy the obvious truth: The attacks were supported or encouraged by the Russian government, and to make the attacks stop, Western decisionmakers needed to pressure the Kremlin.
• Deterrence Works: Just as nuclear weapons provided an upper limit under which the superpowers fought all kinds of wars, regular and irregular, so there is a ceiling to cyber conflicts. Despite early fears that nations would strike at each other using surprise, strategic attacks, while relying on anonymity within the Internet, nations have proved just as unwilling to launch a strategic or surprise attack in cyberspace as they have been on the land, in the air or on the sea.
Certainly, the most cyber-capable nations, including the United States, China and Russia, have been more than willing to engage in irregular cyber conflicts against less-powerful nations or non-state groups (e.g., Stuxnet, Estonia, Georgia, and Chinese espionage and attacks on Falun Gong and the Dalai Lama). But they have steered clear of surprise attacks completely out of the blue and significant disruptive attacks against peers. By keeping themselves well under the threshold of conducting full-scale strategic cyber warfare, nations have thus created a de facto norm of restraint.
If the United States and its allies continue to ignore their history, they will likely continue to overspend on doctrine and capabilities pitched against “speed of light” attacks, while underinvesting for longer-term responses. Response plans will continue to focus on the incident of the day, with little thought given to surging and sustaining a countereffort over weeks or months. Equipment plans will give short shrift to long-term defenses, such as installing new networking capabilities and Internet Exchange Points. The U.S. military will train its new cyber cadres to focus on the immediate, not the strategic. Even if the United States can somehow win the first battle, it won’t have thought deeply about the next one or the longer war.
Already, this focus on “speed of light” attacks has led America’s military leaders to argue for looser rules of engagement, which would allow lower levels of military authority to “shoot back.” This relaxation of the rules is probably unnecessary, since any significant cyber attack is likely to be part of a larger geopolitical conflict. It is also potentially counterproductive, because it could allow tactically minded escalations that hurt long-term U.S. economic or military interests.
Since some form of deterrence (or at least restraint) seems to be clearly working, military thinkers should reform their questions from “is there deterrence?” to “how can we extend the deterrence already working?”
Above all, the U.S. government should shift its thinking on the role of non-state actors. In cyber conflict, non-state actors are the heart of the defense and always have been. They are the “supported command” which requires government resources to decisively defeat attacks rather than the “supporting command” which must help the government.
Policymakers are beginning to understand the importance of cybersecurity and the implications of conflict in cyberspace. This understanding benefits from the context provided by history — and the seven wake-up calls so far — which is rich with lessons for newer generations of cyber defenders and policymakers, especially since these lessons contradict the most popular views of cyber conflict. The sooner the United States and its allies begin teaching these lessons from the past, the sooner they can lay an effective new path.
Jason Healey is the director of the Cyber Statecraft Initiative at the Atlantic Council. This essay is taken from his recently published book, A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, the first-ever military history of cyberspace.