Cyberwar Is Harder Than It Looks

Internet vulnerability to attacks exaggerated, says new report.


Modern life is made possible by sets of tightly interconnected systems, supplying us with electricity, water, natural gas, automobile fuels, sewage treatment, food, telecommunications, finance, and emergency response. In wartime, combatants have traditionally sought to disrupt their enemies' supply systems, generally by blowing them up. Nowadays, many of these systems are increasingly directed and monitored through the Internet. Would it be possible for our enemies to disrupt these vital systems by "blowing up" the Internet?

The Obama administration is evidently worried about this possibility. In May 2009, the administration issued its Cyberspace Policy Review [PDF] which declared, "Threats to cyberspace pose one of the most serious economic and national security challenges of the 21st Century for the United States and our allies." A year later the U.S. Cyber Command was launched with the aim of protecting U.S. information technology systems and establishing U.S. military dominance in cyberspace. A new market research report identifies the cyberwar sector as "single greatest growth market in the defense and security sector," forecasting that global spending on cyberwarfare will reach $12.5 billion this year.

A new report, Reducing Systemic Cybersecurity Risk, [PDF] by British researchers Ian Brown and Peter Sommer for the Organization for Economic Cooperation and Development (OECD) evaluates threats to the security of the Internet and other aspects of cyberspace, including hacking, viruses, trojans, denial-of-service, distributed denial of service using botnets, root-kits, and disruptive social engineering techniques. Such weapons have become ubiquitous and already used in government and industrial espionage, identity theft, web-defacements, extortion, system hijacking, and service blockading.

The recent denial of service attacks on Estonia and Georgia give us some sense of the effectiveness of cyber attacks. As James Lewis at the Center for Strategic and International Studies noted, [PDF] "These countries came under limited cyber attack as part of larger conflicts with Russia, but in neither case were there casualties, loss of territory, destruction, or serious disruption of critical services."

Brown and Sommer conclude, "It is unlikely that there will ever be a true cyberwar." By cyberwar, they mean one fought solely over and with information technologies. Why? Because it takes a lot of effort to figure out new vulnerabilities in already protected critical systems and the effects of an attack are difficult to predict, including blowback on the perpetrators. More importantly, they note, "There is no strategic reason why an aggressor would limit themselves to only one class of weaponry." In a real war, cyberattacks would be an adjunct to conventional efforts to blow up critical infrastructure.

Because attacks can be launched from any set of computers, attackers can remain hidden. Consequently, a strategy of deterrence will not work in cyberwarfare because the target for retaliation is unknown. This means that resilience is the main defense against cyberweapons, a combination of preventive measures and contingency plans for a quick post-attack recovery. If cyberwarfare against infrastructure was easy, terrorists like Al Qaeda would have already tried the tactic against us and our NATO allies. 

Brown and Sommer observe that the Internet and the physical telecommunications infrastructure were designed to be robust and self-healing, so that failures in one part are routed around. "You have to be cautious when hearing from people engaging in fear-mongering about huge blackouts and collapses of critical infrastructures via the Internet," says University of Toronto cyberwarfare expert Ronald Deibert in the January/February 2011 issue of the Bulletin of the Atomic Scientists. "There is a lot of redundancy in the networks; it's not a simple thing to turn off the power grid." In addition, our experience with current forms of malware is somewhat reassuring. Responses to new malware have generally been found and made available within days and few denial of service attacks have lasted more than a day. In addition, many critical networks such as those carrying financial transactions are not connected to the Internet requiring insider information to make them vulnerable.

While not everyone uses up-to-date malware detection, most government agencies, major businesses, and many individuals do, which means that would-be attackers must take the time and effort to find new flaws and develop new techniques. For example, the success of the Stuxnet worm that attacked and disabled Iranian nuclear centrifuges required very extensive intelligence gathering and knowledge of specific software flaws as well as someone able to walk into the facilities with an infected USB drive.

Brown and Sommers urge governments to ratify the CyberCrime Convention. The chief treaty holdouts are Russia and China, countries from which many recent cyberattacks appear to have originated. "We should not forget that many of the countries that are havens for cybercrime have invested billions in domestic communications monitoring to supplement an already extensive set of police tools for political control," notes James Lewis. "The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept. A hacker who turned his sights from Tallinn to the Kremlin would have only hours before his service were cut off, his door was smashed down and his computer confiscated." 

Another fruitful way to address emerging cyber threats suggested by the authors is to strengthen connections between national Computer Emergency Response Teams (CERTs). CERT experts operate as a kind of early warning system who also devise software fixes to stop the spread of new malware. And they think that public policy, including procurement, can be used to encourage the development of properly tested hardware and software.

While blowing up the Internet probably won't happen, espionage, hacking, and malware will be with us always. Whatever we do to defend against them, will also defend against the threat of cyberwarfare. 

Ronald Bailey is Reason's science correspondent. His book Liberation Biology: The Scientific and Moral Case for the Biotech Revolution is now available from Prometheus Books.