-
Best Defense
Robots: Killing Our Warrior Spirit?
-
The Cable
Whistleblower: I'm Being Bullied By State Dept.
-
Passport
Syria: Is It the Sunnis' or Shiites' Fault?
Posted By David Rothkopf
Thursday, March 17, 2011 - 2:03 PM
Share
The Japanese nuclear crisis, though still unfolding, may, in a way, already be yesterday's news. For a peek at tomorrow's, review the testimony of General Keith Alexander, head of U.S. Cyber Command. Testifying before Congress this week and seeking support to pump up his agency budget, the general argued that all future conflicts would involve cyber warfare tactics and that the U.S. was ill-equipped to defend itself against them.
Alexander said, "We are finding that we do not have the capacity to do everything we need to accomplish. To put it bluntly, we are very thin, and a crisis would quickly stress our cyber forces. ... This is not a hypothetical danger."
The way to look at this story is to link in your mind the Stuxnet revelations about the reportedly U.S. and Israeli-led cyber attacks on the Iranian nuclear enrichment facility at Natanz and the calamities at the Fukushima power facilities over the past week. While seemingly unconnected, the stories together speak to the before and after of what cyber conflict may look like. Enemies will be able to target one another's critical infrastructure as was done by the U.S. and Israeli team (likely working with British and German assistance) targeting the Iranian program and burrowing into their operating systems, they will seek to produce malfunctions that bring economies to their knees, put societies in the dark, or undercut national defenses.
Those infrastructures might well be nuclear power systems and the results could be akin to what we are seeing in Japan. (Although one power company executive yesterday joked to me that many plants in the U.S. would be safe because the technology they use is so old that software hardly plays any role in it at all. This hints at a bit of a blessing and a curse in the fractured U.S. power system: it's decentralized which makes it hard to target overall but security is left to many power companies that lack the sophistication or resources to anticipate, prepare for or manage the growing threats.)
Importantly, not only does the apparent success of the Stuxnet worm demonstrate that such approaches are now in play but it may just be the tip of the iceberg. I remember over a decade ago speaking to one of the top U.S. cyber defenders who noted that even during the late 90s banks were losing millions and millions every year to cyber theft -- only they didn't want to report it because they felt it would spook customers. (Yes.) Recently, we have seen significant market glitches worldwide that could easily have been caused by interventions rather than just malfunctions. A couple years back I participated in a scenario at Davos in which just such a manipulation of market data was simulated and the conclusion was it wouldn't take much to undermine confidence in the markets and perhaps even force traders to move to paper trading or other venues until it was restored. It wouldn't even have to be a real cyber intrusion -- just the perception that one might have happened.
What makes the nuclear threat so unsettling to many is that it is invisible. It shares this with the cyber threat. But the cyber attacks have other dimensions that suggest that General Alexander is not just trying to beef up his agency's bank accounts with his description of how future warfare will always involve a cyber component. Not only are they invisible but it is hard to detect who has launched them, so hard, in fact, that one can imagine future tense international relationships in which opposing sides were constantly, quietly, engaging in an undeclared but damaging "non-war," something cooler than a Cold War because it is stripped of rhetoric and cloaked in deniability, but which might be much more damaging. While there is still ongoing debate about the exact definition of cyber warfare there is a growing consensus that the threats posed by both state-sponsored and non-state actors to power grids, telecom systems, water supplies, transport systems and computer networks are reaching critical levels.
This is the deeply unsettling situation effectively framed by General Alexander in his testimony and rather than having been obscured by this week's news it should only have been amplified by it.
JIJI PRESS/AFP/Getty Images
EXPLORE:EAST ASIA, NORTH AMERICA, ENERGY, FINANCE, GLOBALIZATION, INTERNET, JAPAN, MILITARY, SCIENCE & TECHNOLOGY 
Well done for pointing out the real threat to Western countries regarding nuclear power. Apart from sheer incompetence and complacency on the part of commercial operators, the greatest danger to nuclear installations is the potential for these highly devastating attacks.
What's amazing to me is that the US developed Stuxnet and saw how effective it was in practice, and yet has no plans to develop defences against this cyberwar strategy from outside powers.
Yesterday the chief of US cyber defences warned of how vulnerable they are:
"We are very thin, and a crisis would quickly stress our cyber forces," Gen Keith Alexander told Congress.
http://www.bbc.co.uk/news/world-us-canada-12768617
And yet the same kind of industry shills who said in Japan that nuclear plants were safe against all eventualities are doing their work:
Mr [Bruce] Schneier, who is chief security officer for BT, is due to address the RSA security conference in San Francisco this week
"Stuxnet and the Google infiltration are not cyber war - who died?" asked Mr Schneier.
http://www.bbc.co.uk/news/technology-12473809
An action that disables a nuclear centrifuge plant in another country clearly is war. And the deaths could result from the next such attack using the next generation of stuxnet-like worms.
This FP article is definitely one to put in the file for use later when the worst occurs.
It is not cyber warfare as much as cyber chaos
While the damage that can be done is quite reasonably discussed, I believe the author predisposes us to think in the wrong terms when he uses the term cyber war. Yes, states can develop and use cyber tools to supplement traditional physical and propaganda weapons, but the weapons of destruction in the cyber realm are not exclusive to states - and the correlation of physical actor to cyber assault remains an Achilles heel. For commercial and personal users it is as if the world has regressed to an era in which payments to local warlords were used to make one's farmlands less attractive to roaming marauders. Security vendors play the role of these warlords in todays environment, but even their collaboration to improve tactics will not calm the chaos; what is needed is a methodology that will allow rapid tracing so that attacks can be attributed, and elimination of jurisdictional barriers to prosecution. Otherwise there will always be the lingering fear that the marauders will return.
I've read your comment four times now and I still don't understand it. What does "correlation of physical actor to cyberassault remains an Achilles heel" mean? Does it possibly mean that it's difficult to find people who launch cyberattacks, or something else altogether?
...the correlation of physical actor to cyber assault remains an Achilles heel...
Not just to identify the person, but to do so in a country that has laws that are amenable to prosecuting or extraditing the individual for a cyber crime.
I agree that we shouldn't only be worried about state-sponsored cyber attacks. However, I would argue that state-sponsored cyber attacks will remain the most difficult problem to address, especially if cyber warfare increases as a means of sabotage. Furthermore, I question the effectiveness of the necessary improvements you suggest.
Improved tracing techniques, a body of international law and removal of barriers to prosecution may indeed be helpful in arresting and prosecuting the odd, individual actor looking to create some trouble. But, the problem of holding states and leaders accountable for sponsoring cyber warfare would remain unchanged. For instance, the International Criminal Court already has great difficulty getting their hands on and prosecuting despots who commit human rights atrocities. To what extent do leaders who supplied arms to these despots also be accountable? Accusing states who use or support cyber warfare will not be any easier given it's such a grey area in terms of accountability. Even if the conditions were clear cut, the international system still lacks a solid means of punishing states (and individuals) effectively, both sanctions and threatening war are problematic on their own.
Unfortunately, I think that, in the area of cyber warfare, the burden will still remain on each state's (and organization's) ability to protect its own resources from these "roaming marauders" than to expect an effective and deterrent international judicial solution any time soon.
There is a pretty big fail safe in place, which is that nuclear plants along with most vital systems operate in a closed network. They aren't connected to the internet, so cyber warfare is not as easy as you may think.
This is the biggest problem I had with what Lieberman proposed with the giving the president more abilities to combat cyber warfare. He gave dams as an example, and they operate in a closed system.
It is always about money and how to get more of it. Used to be that generals had bragging rights by how many enemy soldiers their troops killed. Now it is all about having a big budget.
As Granderoho wrote it is not power plants and the like that need worry, it is the banks, with their internet linked tentacles covering the globe, that should worry. Oh, wait...... I forgot, the government can bail them out again.
Formal Verification is the answer
Formal verification of OS kernels has already been demonstrated. This is a recent (last 12 months) development. When a software or hardware system is formally verified against a set of security criteria, it is mathematically impossible to defeat those security criteria. Please look up formal verification OS kernel to leran more.
David Rothkopf is the CEO and Editor-at-Large of Foreign Policy. His new book, "Power, Inc.: The Epic Rivalry Between Big Business and Government and the Reckoning that Lies Ahead" is due out from Farrar, Straus & Giroux on March 1.
Read More
May/June 2013
-
Profile
-
FP Power Map
-
Think Again
Follow us on Twitter | Visit us on Facebook | Follow us on RSS | Subscribe to Foreign Policy
About FP | Meet the Staff | Foreign Editions | Reprint Permissions | Advertising | Writers’ Guidelines | Press Room | Work at FP
Services:Subscription Services | Academic Program | FP Archive | Reprint Permissions | FP Reports and Merchandise | Special Reports | Buy Back Issues
Privacy Policy | Disclaimer | Contact Us
11 DUPONT CIRCLE NW, SUITE 600 | WASHINGTON, DC 20036 | Phone: 202-728-7300 | Fax: 202-728-7342
FOREIGN POLICY is published by the FP Group, a division of The Washington Post Company
All contents ©2013 The Foreign Policy Group, LLC. All rights reserved.
(8)
HIDE COMMENTS LOGIN OR REGISTER REPORT ABUSE