Cyberwar Is Harder Than It Looks

The Internet's vulnerability to attacks has been exaggerated.


In wartime, combatants often attempt to disrupt their enemies' supply systems, generally by blowing them up. Modern life is made possible by a set of tightly interconnected systems supplying us with electricity, water, natural gas, automobile fuels, sewage treatment, food, finance, telecommunications, and emergency response. All of these systems are increasingly directed and monitored through the Internet. Would it be possible for our enemies to disrupt these vital systems by "blowing up" the Net?

The Obama administration is worried that they will. In May 2009, the administration issued its Cyberspace Policy Review, which described threats to the Internet as "one of the most serious economic and national security challenges of the 21st Century." A year later, the U.S. Cyber Command was launched with the aim of protecting American information technology systems and establishing U.S. military dominance in cyberspace. A January report by the U.K.-based market research firm Visiongain identifies cyberwar preparedness as the "single greatest growth market in the defense and security sector," forecasting that global spending will reach $12.5 billion this year.

A January report from the Organization for Economic Cooperation and Development—Reducing Systemic Cybersecurity Risk, by the British researchers Ian Brown and Peter Sommer—evaluates the most widely discussed threats to cyberspace security, from viruses to denial-of-service attacks. Such weapons already have become common in government and industrial espionage, identity theft, Web defacements, extortion, system hijacking, and service blockading. 

Two recent episodes should give us some sense of these weapons' effectiveness. In 2007, hackers launched cyberattacks against Estonian websites, apparently as a protest against relocating a Soviet-era statue. And a 2008 border dispute with Russia provoked a series of denial-of-service attacks against Georgia's Internet infrastructure. Good news: As James Lewis of the Center for Strategic and International Studies (CSIS) noted in a 2009 report, "in neither case were there casualties, loss of territory, destruction, or serious disruption of critical services." Brown and Sommer conclude that it's "unlikely that there will ever be a true cyberwar."

By cyberwar the writers mean a war fought solely over and with information technologies. It takes a lot of effort, they point out, to figure out new vulnerabilities in already protected critical systems. Furthermore, the effects of an attack are difficult to predict and could include blowback against the perpetrators. Most important, "There is no strategic reason why an aggressor would limit themselves to only one class of weaponry." In a real war, cyberattacks would be combined with conventional efforts to blow up critical infrastructure.

Because attacks can be launched from any set of computers, attackers can remain hidden. Consequently, a strategy of deterrence will not work in cyberwarfare, since the target for retaliation is unknown. This means the main defense against cyberweapons has to be resilience: a combination of preventive measures and contingency plans for a quick post-attack recovery.

As Brown and Sommer observe, the Internet and the physical telecommunications infrastructure were designed to be robust and self-healing, so that failures in one part are routed around. "You have to be cautious when hearing from people engaging in fear-mongering about huge blackouts and collapses of critical infrastructures via the Internet," University of Toronto cyberwarfare expert Ronald Deibert writes in the January/February 2011 Bulletin of the Atomic Scientists. "There is a lot of redundancy in the networks; it's not a simple thing to turn off the power grid." Our experience with current forms of malware, such as hacker-generated viruses and trojans, is also somewhat reassuring. Responses to new malware have generally been found and made available within days, and few denial-of-service attacks have lasted more than a day. In addition, many critical networks, such as those carrying financial transactions, are not connected to the Internet, meaning insider information is required to make them vulnerable. 

While not everyone uses up-to-date malware detection, most governments and major businesses do, which means would-be attackers must take the time and effort to find new flaws and develop new techniques. The success of the Stuxnet worm, which attacked and disabled Iranian nuclear centrifuges in the summer of 2010, required very extensive intelligence gathering and knowledge of specific software flaws as well as someone able to walk into the facilities with an infected USB drive. Developing Stuxnet likely took the kind of financial and research resources that are available only to a government.

Brown and Sommer want more governments to ratify the CyberCrime Convention, which promotes international law enforcement cooperation against computer crimes. The chief holdouts are Russia and China, and many recent cyberattacks appear to have originated from those territories. "We should not forget that many of the countries that are havens for cybercrime have invested billions in domestic communications monitoring to supplement an already extensive set of police tools for political control," notes Lewis of the CSIS. "The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept. A hacker who turned his sights from Tallinn to the Kremlin would have only hours before his service were [sic] cut off, his door was smashed down and his computer confiscated."

Electronic privacy activists are less enthusiastic about the treaty. When the U.S. ratified the Cybercrime Convention in 2006, the Electronic Privacy Information Center and other watchdogs worried that the treaty could require American law enforcement agencies to turn people over to foreign police for engaging in activities that are legal here but treated as crimes in other countries.

More constructively, Brown and Sommer suggest strengthening connections between national computer emergency response teams. These largely private groups, mostly associated with universities, operate as a kind of early warning system and devise software fixes to stop the spread of new malware. The government also can encourage the development of properly tested hardware and software through its procurement policies. While full-fledged cyberwar probably won't happen, espionage, hacking, and malware will be with us always. Americans' decentralized, distributed efforts to defend against them will also defend against the threat of cyberwarfare.

Advocates of an open Internet were shocked at how easily the Egyptian government, in an effort to disrupt communications among protesters, shut down the Net inside Egypt in January. Disturbingly, Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), and Tom Carper (D-Del.) have introduced legislation authorizing the president to shut down the Internet here during an emergency. If you're worried that someone might limit your access to information or disrupt vital systems that rely on the Internet, Washington may turn out to be more of a menace than a savior. 

Ronald Bailey (rbailey@reason.com) is reason's science correspondent.