Cyberwar Is Harder Than It Looks

The Internet's vulnerability to attacks has been exaggerated.


In wartime, combatants often attempt to disrupt their enemies' supply systems, generally by blowing them up. Modern life is made possible by a set of tightly interconnected systems supplying us with electricity, water, natural gas, automobile fuels, sewage treatment, food, finance, telecommunications, and emergency response. All of these systems are increasingly directed and monitored through the Internet. Would it be possible for our enemies to disrupt these vital systems by "blowing up" the Net?

The Obama administration is worried that they will. In May 2009, the administration issued its Cyberspace Policy Review, which described threats to the Internet as "one of the most serious economic and national security challenges of the 21st Century." A year later, the U.S. Cyber Command was launched with the aim of protecting American information technology systems and establishing U.S. military dominance in cyberspace. A January report by the U.K.-based market research firm Visiongain identifies cyberwar preparedness as the "single greatest growth market in the defense and security sector," forecasting that global spending will reach $12.5 billion this year.

A January report from the Organization for Economic Cooperation and Development—Reducing Systemic Cybersecurity Risk, by the British researchers Ian Brown and Peter Sommer—evaluates the most widely discussed threats to cyberspace security, from viruses to denial-of-service attacks. Such weapons already have become common in government and industrial espionage, identity theft, Web defacements, extortion, system hijacking, and service blockading. 

Two recent episodes should give us some sense of these weapons' effectiveness. In 2007, hackers launched cyberattacks against Estonian websites, apparently as a protest against relocating a Soviet-era statue. And a 2008 border dispute with Russia provoked a series of denial-of-service attacks against Georgia's Internet infrastructure. Good news: As James Lewis of the Center for Strategic and International Studies (CSIS) noted in a 2009 report, "in neither case were there casualties, loss of territory, destruction, or serious disruption of critical services." Brown and Sommer conclude that it's "unlikely that there will ever be a true cyberwar."

By cyberwar the writers mean a war fought solely over and with information technologies. It takes a lot of effort, they point out, to figure out new vulnerabilities in already protected critical systems. Furthermore, the effects of an attack are difficult to predict and could include blowback against the perpetrators. Most important, "There is no strategic reason why an aggressor would limit themselves to only one class of weaponry." In a real war, cyberattacks would be combined with conventional efforts to blow up critical infrastructure.

Because attacks can be launched from any set of computers, attackers can remain hidden. Consequently, a strategy of deterrence will not work in cyberwarfare, since the target for retaliation is unknown. This means the main defense against cyberweapons has to be resilience: a combination of preventive measures and contingency plans for a quick post-attack recovery.

As Brown and Sommer observe, the Internet and the physical telecommunications infrastructure were designed to be robust and self-healing, so that failures in one part are routed around. "You have to be cautious when hearing from people engaging in fear-mongering about huge blackouts and collapses of critical infrastructures via the Internet," University of Toronto cyberwarfare expert Ronald Deibert writes in the January/February 2011 Bulletin of the Atomic Scientists. "There is a lot of redundancy in the networks; it's not a simple thing to turn off the power grid." Our experience with current forms of malware, such as hacker-generated viruses and trojans, is also somewhat reassuring. Responses to new malware have generally been found and made available within days, and few denial-of-service attacks have lasted more than a day. In addition, many critical networks, such as those carrying financial transactions, are not connected to the Internet, meaning insider information is required to make them vulnerable. 

While not everyone uses up-to-date malware detection, most governments and major businesses do, which means would-be attackers must take the time and effort to find new flaws and develop new techniques. The success of the Stuxnet worm, which attacked and disabled Iranian nuclear centrifuges in the summer of 2010, required very extensive intelligence gathering and knowledge of specific software flaws as well as someone able to walk into the facilities with an infected USB drive. Developing Stuxnet likely took the kind of financial and research resources that are available only to a government.

Brown and Sommer want more governments to ratify the CyberCrime Convention, which promotes international law enforcement cooperation against computer crimes. The chief holdouts are Russia and China, and many recent cyberattacks appear to have originated from those territories. "We should not forget that many of the countries that are havens for cybercrime have invested billions in domestic communications monitoring to supplement an already extensive set of police tools for political control," notes Lewis of the CSIS. "The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept. A hacker who turned his sights from Tallinn to the Kremlin would have only hours before his service were [sic] cut off, his door was smashed down and his computer confiscated."

Electronic privacy activists are less enthusiastic about the treaty. When the U.S. ratified the Cybercrime Convention in 2006, the Electronic Privacy Information Center and other watchdogs worried that the treaty could require American law enforcement agencies to turn people over to foreign police for engaging in activities that are legal here but treated as crimes in other countries.

More constructively, Brown and Sommer suggest strengthening connections between national computer emergency response teams. These largely private groups, mostly associated with universities, operate as a kind of early warning system and devise software fixes to stop the spread of new malware. The government also can encourage the development of properly tested hardware and software through its procurement policies. While full-fledged cyberwar probably won't happen, espionage, hacking, and malware will be with us always. Americans' decentralized, distributed efforts to defend against them will also defend against the threat of cyberwarfare.

Advocates of an open Internet were shocked at how easily the Egyptian government, in an effort to disrupt communications among protesters, shut down the Net inside Egypt in January. Disturbingly, Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), and Tom Carper (D-Del.) have introduced legislation authorizing the president to shut down the Internet here during an emergency. If you're worried that someone might limit your access to information or disrupt vital systems that rely on the Internet, Washington may turn out to be more of a menace than a savior. 

Ronald Bailey is reason's science correspondent.


  1. Something that might become viable (and my libertarian leanings point me this way) is a kind of alternate internet.

    You look at explosion of wi-fi and some of the tricks coming down the pike for updated 802.x updates (draft y with hand-offs, ultralong range out to a kilometer etc.).

    I’ve always wondered…if I sent a packet to my wi-fi router, and it sent that packet to another router it saw, and then it sent it to another, etc…how far could that packet go without ever actually hitting the real ‘internet?’ A guy in New York I bet could beam his packet anywhere in the city without ever hitting a telco asset doing that.

    Figuring out a way to get an ‘alternate’ local internet that local nerd-boy can set up for his buddies, which then joins onto his other buddies’ network setup a mile away and talking through coffee-can antenna line…before long you’ve got a bizarre, ad-hoc, WPA-encrypted ‘internet.’

    It’s a thought. Could be a start-up in there somewheres…

    1. It’ll never work, for technical reasons.

    2. Interesting idea, except that you would have to actively coordinate the encryption on the routers, and then their subnet masks would become a problem as well. I think you could do it (I am not a network admin and do not want to be, ever), but it would take coordination and would probably be pretty fragile.

      1. Yeah, that’s where the ‘new’ hardware would have to come in. You’d need two tables, two DNS’s, everything.

        And it would be so delicate…and how do you keep the routing just on your weird net? Someone in the daisy chain would have the wrong checkbox checked somewhere and you’d be leaking packet-shit all over the Man’s internet and not even know it.

        But it would be funny when NSA shmuck did a traceroute and the MAC they crosscheck against from one of their illegal databases shows, say, California but the packet ‘disappears’ into a device somewhere around Yuma. It’d be good for a laugh anyways.

        Plus the latency would be absolutely terrible. Chat, torrents and pr0n, but no games.

        1. Current tech would suck for it, but I wouldn’t be surprised to see someone write a firmware upgrade (or an add-on to dd-wrt) that would have software that facilitated this. For instance, regular wireless connections would work as normal, but “black net” connections could hop through the router with the right shared key or something like that and try and hit another nearby router. Any that had been set up to allow the “black net” would facilitate it.

          That’s just spitballing, but it could be kind of cool.

          1. I was thinking same thing on the key. You’d need ‘master oscillator’ type deal and then RSA-type hash+pass and that’d be your ‘key’ for a blacknet node.

            And you’re right about the Linux-on WRT tweaks for firmware. WRT54G is Model T of wi-fi.

          2. Hmmmm…about encryption too is you can run two layers with your firmware. One for gateway-client for all the peeps on a node, but connected nodes would run their own keys between themselves and after client-send gateway would amend the original encrypt with the gateway encrypt. Cell towers do that already. You’d just have a homebrew version of that.

            You’d throw another millisecond on the packets but you trade speed at the beginning so who cares.

            1. I bet you someone is working on a version of this right now.

              1. Take a look at netsukuku. The core of their concept is the implementation of an anarchic distributed DNS. They don’t seem to have had much activity as of late, but I have seen some comparatively recent interviews in Italian publications.

                1. I checked that link out, it’s cool for sure. Epi is right people are working on it.

                  But reading it is like Holy Engrish Batman.

                  1. Hey, this guy’s ripping off fuzzy ideas I had two hours ago but two years ago and in horrible detail:


                    That Engrish-spewing bastard. I should sue him, somehow.

        2. Bluetooth has the ability to transfer data through several devices creating an ad-hoc network. It is not commonly used though.


    3. Why even bother coordinating the network. If I make my super router available for anyone to use for routing purposes, you could just broadcast your content (encrypted or not, you decide) and it would be re-broadcast to all other routers in the area. With sufficient coverage, the information could be available to anyone who is in range of any broadcast and if they have the encryption key, they can access the info. If the info is not encrypted, then your broadcast is essentially the same as a public website. I guess broadcast is the wrong term because the information would be going in both directions.

      With the tech you described, this might work well in and around large cities, but once you get into the hills, you will lose your connection, like the early days of cellular.

      If there were a technology that could broadcast over very long range without interference, say thousands of miles, without interference from other signals or the Earth itself, you could create a network that would be almost impossible to disrupt, especially if the routers are all mobile. I am sure we will find some way to manipulate some particle or wave or whatever to allow for a robust transmitter like this. Just keep firing up the old particle accelerator till we find what we need.

  2. off-topic, but why is Nick Gillespie so positive about Ron Paul now? When news of Ron Paul’s racist, homophobic newsletters came out, Gillespie was disappointed in the old fart. What happened to change his mind?

    1. Hey Edward, does your head naturally cram itself up your ass, or do you have to work at it? A lot of stretching is involved, I assume.

      1. Nah, he has no spine. It’s easy for him.

  3. The Internet’s vulnerability to attacks has been exaggerated.

    Hit Ctrl-F3, then Insert-Enter.

    Go ahead, I dare you.

  4. Stuxnet was a thing of beauty.

    Siemens had to be in on that as the mfg of the centrifuge.

    (not “semen” Episiarch – no cock jocks please)

    1. Siemens didn’t make the centrifuge. They made the IDC that ran voltage to the thing, and ultimately Stuxnet exploited a Windows vulnerability, like every script-kiddie running your computer as a spam-bot is doing right now Shrike.

    2. Oh shriek, once again, you expose your unbelievable stupidity, impenetrable denseness, and inability to read.

      shriek, apropos of the picture included with this article, I’m going to give you some advice: your only winning move, shriek, is not to post.

  5. If by threat of cyberwar, you mean the threat of some misanthropic fuck messing with my ability to frag some kids on Black Ops on the PS3, then this dystopia hath already arrived.

    1. That and likely some 75 Million credit cards… First Sony distributes root kits and now this. Weapons of mass annoyance they are. The concept of turning off the internet is like cutting off all TV because someone hijacked Fox for a few hours.

      1. Plus Norio Ohga died this week…and along with Akio Morita those two were kind of the ‘two Steves’ of Sony. Passing of an era there, and no one noticed.

        That plus the earthquake and all, tough times for Sony. I’m a long-time fan of that (evil, capitalist) company and I hope they get their shit together.

        1. Whereas I hate them and everything they stand for and hope against hope that this is the final blow that kills them.

          1. Gotta ask, aside from their present antics…why you a Sony-hater?

            1. The rootkit thing is a big part of it — basically, they engaged in criminal behavior and violated other people’s physical property rights to protect their intellectual property rights.

              Also, their fucking memory sticks are incompatible with everything which locks you in. Not that I buy them (I do have a PS3 since it’s a cheap Blu Ray player, but that’s about it), but the business practice rankles me.

              1. Sony always has cracked me up that way with the proprietary thing. For instance, you’ve got PS3 because its Blue Ray player. Sony won on proprietary format war there. Memory Stick? Not so much.

                But what really is kind of sad is you look at an iPod Touch…it’s a tiny proprietary thing that works great and only works with other Apple shit. And it’s full of media formats and crap unique to Apple, and they totally the experience of using it. But it’s built well enough and such that lots of people still own and use them and like them. Sony missed the boat on that revolution so badly you know the original executive talent there has been gone a long time.

                1. I have a PS3. I bought it for games and haven’t played one in a couple years at least. I justified the expense and the shelf space (cause you can’t fucking put a cable box on top of a rounded surface and purging shit underneath it makes my original model so hot the fucking fan will launch it into orbit) by using the blu-ray player.

                  Now I own an Apple TV and my $400 blu-ray player that plays games I don’t have time to play because I am busy getting all my stars on Angry Birds serves as a sleek reminder why I no longer shop at Best Buy.

                2. Sony missed the boat on that [portable MP3] revolution so badly you know the original executive talent there has been gone a long time.

                  What’s more impressive is how they missed the boat: continuing to promote the fucking miniDisc. They could convince the gullible-as-all-get-out Japanese to buy into a domestic technology for a little bit, but even that support was limited.

          2. Yeah, srsly cynical? What gives? And dude, if you’re the one that hacked this bitch, can you at least access the mainframe again real quick and approve my account so I can stream some netflix bro.

            1. Maybe you shouldn’t have only a PlayStation providing your entertainment needs, yo. There are these things called “TiVos” and “DVRs” and even “internet enabled DVD and Blu-Ray players”, you know.

              You poor people disgust me. Where the fuck did I put my monocle?

              1. For the record, I have my DVR and the PS3 still functions as a 3d blu ray (yes, I have a gimmicky 3D Samsung TV, but its actually pretty fucking epic on the Hubble bluray).

                Really, I just wanna kill shit on black ops. And maybe tear up some kids on Madden with my Chiefs.

                1. Can’t you stream Netflix through your DVR? Oh, you don’t have a TiVo, just a regular DVR.

                  (sneers at Sudden like a Mac user at a PC user)

                  There are actually a lot of DVD and Blu-Ray players that have ethernet connections and can stream Netflix now. A number even have wireless (though you pay more, obviously).

            2. You can still use Netflix, you just have to keep trying until it gives up on PSN login. It’s a bitch, but it works.

              1. Thank you cynical. Proceed to fuck up PSN all you want then. Just lay off my CC

      2. …cutting off all TV because someone hijacked Fox for a few hours.

        Hmmm. Wonder how I can ‘hijack Fox for a few hours’?

  6. well i think nobody say its easy afterall.

  7. well i think nobody say its easy after all

  8. The Internet’s vulnerability to attacks has been exaggerated

    IIRC, the “I Love You” virus almost shut the whole thing down a few years back.

    Also, I’m sure the Iranian nuclear program doesn’t feel that the threat of “Cyberattack” is exaggerated.

    1. Also, I’m sure the Iranian nuclear program doesn’t feel that the threat of “Cyberattack” is exaggerated.

      Iranians are victims of retard-shoving-USB-dongles-in-ports-they-shouldn’t-be attack.

      99.9% of all computer ‘threats’ depend on human error or suckertude to work; so very few of them are truly automated and outside the victim’s input.

      1. If you toss a bunch of USB keys into a parking lot, you can expect about 30% of them to be inserted into a PC…

        1. True story from about six years ago: Some cops in New Mexico do meth-bust on a trailer-in-the-park. Find some USB dongles, and they do what cops do which snoop through them all.

          One of the busteds was janitor for cleaning company that had the Facilities contract for Los Alamos National Laboratory.

          Turns out the janitor – the fucking janitor – was downloading docs out of the LANL technical library onto the dongle. For why I do not know. But amongst the gems on that dongle was shit like neutron-transport code-constants for the radiation baffle on W88’s!

          Now LANL squirts glue in all the USB ports on the computers they buy and install out there. Bet you money the fifty-page technical doc on how-to-do-that (probably written by Stephen Chu) is explicit about USB ports.

          So I bet money there’s like probably several hundred PC’s out there at LANL with glued-in USB ports and naked SD slots right next to’em…lol. Ah, the gov.

          1. “So I bet money there’s like probably several hundred PC’s out there at LANL with glued-in USB ports and naked SD slots right next to’em…lol. Ah, the gov.”

            When you put it like that, I’m kind of surprised any of us is still alive right now.

      2. Hu hu ahhh hu hu . . . You said dongle.

  9. “Developing Stuxnet likely took the kind of financial and research resources that are available only to a government.”

    So… we only have to worry about getting into (cyber)wars with foreign governments, is what you’re saying? Whew, what a relief.

  10. Ninja w/ a crowbar. Now, that is some impressive clipart. Haven’t seen anything that awesome this side of the free stuff that comes with powerpoint.

    1. Ghetto ninja can’t afford a sword.

      1. That ninja’s got blue eyes…I say he’s Trailer-Park Ninja. His special move could even be a tornado.

        1. Done right, no can defense!

  11. Washington may turn out to be more of a menace than a savior

    Duh. Just copy this and include it in every article involving Warshington.

    Wash, rinse, repeat.

  12. Maybe we should worry more about the real threat to the Internet, little old ladies with shovels looking for copper wire.

    1. It’s more likely that the infrastructure is destroyed physically than by software.

      Maybe those three countries she took down will make extra lines for redundancy. You know, the way the internet was designed to be run.

  13. Cyberwar is the thing that I can’t touch.

  14. Just copy this and include it in every article involving Warshington.

  15. Developing Stuxnet likely took the kind of financial and research resources that are available only to a government.

  16. i thought the CIA and FBI and whatever has been hacked a million times. Yet they claim they can protect the entire internets?

  17. In my opinion it’s just one step short of the “one party democracies” many dictators and so-called communist countries employ.

  18. Hi Ronald,

    Good piece. I agree that the general conception of the threat of cyberwar is not entirely correct and the fear is essentially off-base. Two points, however, need to be factored into the view your article articulates to more clearly understand the topic:

    o All war is a combination of efforts.

    – Every soldier knows that the Best Laid Plans do not survive first contact with the enemy. Military planners, therefore, plan as many methods of degrading the enemy’s capabilities as possible in hope that enough of them will work. Efforts to degrade cyber capability have long been used in traditional warfare, the real question is not whether there will ever be a cyber-only war, but how cyber assets will be used as part of future conflicts.

    o While I myself have also often extolled folks to be less fervent about their fears of cyber attacks on the Internet as a whole, “critical infrastructure” as defined by cyber assets involved in industrial processes is an exception that must be addressed separately.

    – The specific differences between these systems – both in form and usage – and what most would see as “the Internet” are pivotal in the discussion of cyber warfare.

    – While Sony-level attacks on traditional Internet assets express their actuarial impact in terms of values that themselves are virtual (largely financial), similarly successful attacks as part of a military conflict targeted against industrial processes can additionally express themselves in values that are physical (the composition of chemicals, speeds of motors, sudden releases of kinetic energy…).

    – Cyber attacks are by nature almost ever only partially successful. Partial success in using cyber attacks against physical process control systems could be well worth the effort as part of a broader military plan.

    That being said, the average person is more likely to be impacted by a blue Subaru on the highway than to suffer the physical effects of a cyber attack.

    There is no reason to have undue fear about cyber warfare, but there is plenty of reason to have awareness.



  19. Cyberwar’s attacks has been exaggerated and I think most of these attacks are made by our Security agencies.

  20. Developing Stuxnet likely took the kind of financial and research resources that are available only to a government.
