
SHADOW BOXING
Cyber Warfare and Strategic Economic Attack
By Soren Olson

Underground petroleum and water resources near Denver City, Texas, make distinctive land-use patterns (NASA-JSC)

First attack the enemy’s strategy, then his alliance, next his army, and last his cities.
—Sun Tzu, The Art of War

U.S. critical infrastructure and resources are open to assault by “clever and persistent” cyber attacks. Such attacks could dramatically affect the supply chain of our most strategic resource, petroleum. Two decades of warnings concerning cyber vulnerabilities inherent in U.S. infrastructure have effectively gone unheeded. Bureaucratic constructions such as U.S. Cyber Command (USCYBERCOM) create the illusion of security but do not address the true problem. As we focus on creating effects in the enemy, we largely ignore the effects the enemy can create in us. Our culture of strategic fads (for example, hybrid , fourth-generation warfare, irregular war, , and counterterrorism) and our force-centric threat assessment indicate that changes in the character of war and corresponding implications may be missed. The character of war now undeniably involves attacks against economic and domestic infrastructure and cyber methods will be the of choice.

Lacking the flashy nature of weapons systems, protection of domestic infrastructure and economic systems does not command a sufficiently high priority in strategic planning. While the Department of Defense (DOD), Department of Homeland Security, and other parts of the U.S. strategic community have begun to respond to the threat posed by cyber warfare, more needs to be done. Action must be taken despite domestic infrastructure and economic systems being run by civilians and outside traditional DOD jurisdiction.

Further complicating the issue of jurisdiction is the Stuxnet program. Stuxnet demonstrated conclusively that nationally developed cyber weapons are being directed at civilian targets in order to achieve strategic effects. Moreover, with two of the three major exploits in the Siemens software that Stuxnet attacked remaining unpatched several years later, the willingness of private companies to protect critical infrastructure systems is called into question.1 These two observations combine to suggest that cyber warfare will not respect traditional institutional responsibilities. Indeed, one must wonder if it might be unwise to leave defense against strategic-type attacks—by foreign nations and others—to private companies and the domestic security apparatus.

Many authors use pre- and post-9/11 to characterize a shift in how terrorism was viewed. Prior to September 2001, terrorism was largely seen as a criminal behavior.2 After the impact of terrorism was demonstrated, it became a matter of national defense. Similarly, cyber security must be thought of in terms of before and after Stuxnet; the tendency to view the use of cyber weapons as criminal must be replaced with a view that sees their use against any U.S. interest as a hostile act.

Second Lieutenant Soren Olson, USAF, is a graduate of the Department of Military and Strategic Studies at the Air Force Academy. He is currently undergoing pilot training at Columbus Air Force Base.

ndupress.ndu.edu, issue 66, 3rd quarter 2012 / JFQ (Forum | Shadow Boxing)

Commander, U.S. Strategic Command, General C. Robert Kehler (DOD/Cherie Cullen)

Evolution of a

Of the challenges facing U.S. strategists, the tendency to dismiss vulnerabilities inherent in domestic infrastructure is likely the most insidious. The hubris with which cyber vulnerabilities are viewed is well illustrated by the following:

Cyber attacks have a potentially important role to play against unprepared and unlucky adversaries that have enough sophistication to acquire and grow dependent upon information systems but not enough to defend them against a clever and persistent attack.3

U.S. domestic infrastructure is dependent on cyber technologies,4 and dismissing or limiting the cyber threat to existing concepts of warfare will ensure we are unprepared and unlucky.

Many assert that advances in technology fundamentally change our world. Similarly, when new technologies, weapons, and tactics are observed, many strategists call them revolutions in military affairs (RMA). These RMAs are asserted to change how warfare is conducted.5 Regardless of RMA’s utility as a concept, some developments in warfare such as technology, weapons, or methods have altered the character of war. Cyber warfare is one of these.

Change in the character of war is always noticeable after the fact, but the development of the technologies and methods that are the basis of the change is not. The roots of shifts in warfare are often present and undergoing development for years prior to their first decisive employment. Use of railroads, telegraphic communications, and headlong assaults into fortified positions during the Civil War foreshadowed operations in I.6 The Germans tested coordination of ground and air elements in the Spanish Civil War, years before it was employed on a large scale against the Polish and French in World War II.7 Similarly, the Yom Kippur War in 1973 used airpower to pin and hammer ground formations—a technique that would be used nearly 20 years later in Operation Desert Storm.8 In each example, the years between initial development and large-scale implementation served only to increase the lethality of the final product. Cyber warfare has been developed and tested in a similar manner to these examples, and reports have consistently warned of the danger such warfare poses.

In 1991, the National Research Council stated, “Many disasters may result from intentional attacks on systems, which can be prevented, detected, or recovered from through better security.”9 The report called for a coherent strategy. Six years later, a Presidential committee noted that there was still no coordinating agency as had been previously recommended. Oddly, it asserted that contrary to the 1991 report, the nature of cyber threats was still poorly understood.10 In 2001, arguments about the relative strengths of defense and offense in this new domain11 were so indecisive that a congressional subcommittee recommended the cyber security of critical U.S. infrastructure and networks be left to the private sector.12

Advocates for relying on private industry to defend critical infrastructure should recall that businesses cannot always be relied on to serve national interests. Private companies are unquestionably patriotic and responsible, yet strategists must not forget the names of projects, companies, and people synonymous with short-term focus: the Ford Pinto, Enron, Fannie Mae/Freddie Mac, and Bernie Madoff. Nor can strategists discount the possibility of a private company intentionally leaving cyber vulnerabilities for its own
exploitation or at the direction of another national power. In light of these concerns, it would seem unwise to place the mandate of national defense on private industry, particularly when the stakes are high and the ability or willingness of companies to defend against cyber weapons, such as Siemens in the case of Stuxnet, is questionable.

Despite past errors, there is no question that U.S. cyber capabilities are increasing, particularly with the recent creation of USCYBERCOM. However, apologists for current cyber defense efforts should consider this recent assessment of U.S. cyber defense efforts by the Government Accountability Office:

U.S. Strategic Command has identified that DOD’s cyber workforce is undersized and unprepared to meet the current threat. . . . It remains unclear whether these gaps will be addressed since DOD has not conducted a more comprehensive department wide assessment of cyber-related capability gaps or established an implementation plan or funding strategy to resolve any gaps that may be identified.13

Twenty years of disaster, investigation, and policy change have repeatedly led to the same regrettable outcomes.

Refinement of cyber warfare continued even as this dark comedy of concern and inaction played out. By 1999, one defense official stated the Federal Bureau of Investigation (FBI) was investigating some 6,080 daily attacks that were recorded on DOD computer systems.14 In 2001, researchers at Dartmouth University predicted that cyber attacks would be the asymmetric weapon of choice for hostile groups and countries well into the future.15 In 2003, the Guardian commented that U.S. Federal organizations were experiencing such a staggering number of cyber attacks on critical networks that the attacks were code-named “.”16 At this point, the Federal Government began pondering whether commercial cyber networks should be considered critical infrastructure and thus protected, but it took little significant action. A 2005 Presidential committee found that the “computers that manage critical U.S. facilities, infrastructures, and essential services can be targeted to set off system-wide failures, and these computers frequently are accessible from virtually anywhere in the world via the Internet.”17

In March 2009, Forbes described a cyber espionage ring known as “GhostNet.” GhostNet is thought to have infiltrated the government networks of 117 nations.18 Such intrusions demonstrate the capability of foreign attackers to penetrate critical defended networks over long periods. Finally, the Stuxnet worm was discovered in July 2010 and is an example of cyber warfare coming of age. In a situation where traditional military attack was politically impractical, this complex series of 1s and 0s is asserted to have seriously damaged or even delayed the Iranian nuclear program.19

Despite its demonstrated capability to produce kinetic effects, the true significance of cyber warfare lies in its strategic application. Cyber warfare is ideally suited to Sun Tzu’s definitive order of attack when engaging an enemy: “First attack the enemy’s strategy, then his alliance, next his army, and last his cities.”20

An adversary looking to attack the strategy of the United States should first determine what it seeks to protect. Security of energy supplies is the driving priority of current U.S. foreign policy, and trillions of defense dollars have been spent on maintaining access to Middle East oil supplies.21 It is a cruel irony that in spite of this investment, persistent vulnerabilities in the oil supply chain demonstrate that the U.S. commitment to critical resource defense remains lacking.22

Crude Threat

As the world’s largest consumer of petroleum, the United States is unable to supply its demand from domestic sources. Accordingly, some 36 percent of imports come from concentrated overseas routes and another 27 percent is transported into the continental United States via overland pipelines.23 Even domestic petroleum depends on the domestic pipeline system. The ability to attack or defend this global and domestic petroleum supply network rests on computer systems.24 Commercial guardians of critical resources, such as petroleum infrastructure, have been unable to even keep abreast with revealed vulnerabilities of supervisory control and data acquisition systems (SCADA).25 They are not prepared for the onslaught that history dictates will be orders of magnitude greater than any cyber attack previously employed.

Historically, nations that import energy from sources prone to invisible attacks do not fare well. In World War II, U.S. submarines intentionally targeted Japanese petroleum imports.26 After 2 years of invisible battering, less than 28 percent of oil shipped reached Japan.27 Furthermore, the “loss of raw materials and petroleum and inability to transport items to the front lines lay at the heart of Japan’s weakening ability to maintain effective military strength.”28 In the face of a sustained and coordinated attack, it is nearly impossible to completely defend an expansive network against an invisible enemy.

With cyber warfare, the true danger lies in the ability of an enemy to coordinate disparate actors and launch them against global interests while simultaneously attacking U.S. domestic petroleum infrastructure. In the late 1500s, England used privateers to attack the Spanish economy by raiding the gold-laden vessels sailing out of Central America. More recent examples are the American use of the Contras and mujahideen during the Cold War, as well as the Soviet support of Central American guerrillas. Among pawn employments, the Russian use of “patriotic” against the Georgian banking and communication systems in 2008 is most applicable.29 Each example points to the malleability of independent groups by a greater power.

The value of pawns in cyber warfare is that they further complicate attribution. A power can find and map vulnerabilities and then coordinate strikes using intermediaries. Past mapping of network and infrastructure vulnerabilities has not been treated as an act of war. Thus, while the source of information enabling the attacks may be known, so long as the originating hostile power uses pawns, there would be little direct action the United States could undertake.

Today, the spread of al Qaeda affiliates and other armed groups results in more pawns willing to attack American interests. This is the opportunity that a coordinating nation-state would offer such groups:

It should be clear that the energy infrastructure of the United States is its lifeblood, and as such, it is one of the most critical of all infrastructures. The assets of the oil and gas industry are thus clear targets for economic jihad.30

Somali pirates are already using information from within shipping companies to seize vessels off the Horn of Africa.31 These pirate groups have demonstrated a willingness to act on information received concerning the vulnerabilities of Western shipping companies. Modern pirates, armed with inside information, do token amounts of damage compared to the havoc an anonymous, malicious state actor could generate with a coordinated campaign. However, direct physical attacks augmented by information procured from cyber warfare are only one part of the threat: “The reliance on cyber technologies creates the opportunity for interrupted communications, false or misleading transactions, fraud, or breach of contracts, and can result in loss of service, loss of stakeholder confidence, or the failure of the business itself.”32

Similarly, the anonymity of cyber warfare33 allows coordinated “submarine”-like attacks against the physical and cyber aspects of the U.S. petroleum supply chain. The proliferation of armed groups along global shipping routes could allow an actor to coordinate an equivalent submarine campaign against the physical links of the global oil supply chain. This campaign of resource disruption would be aided by direct cyber attacks against the SCADA systems that run petroleum logistic hubs in the United States.

Logistics hubs serve as gateways for regional supply. They are characterized by interconnections among many pipelines and, often, other modes of transportation—such as tankers and barges, sometimes rail, and usually trucks, especially those used for local transport—that allow supply to move from system to system across counties, states, and regions in a hub-to-hub progression.34

When examining the layout of the U.S. petroleum infrastructure, concentration of pipelines run by SCADA systems at logistics hubs are clear domestic chokepoints. There are six primary hubs in the United States. These hubs are vulnerable to cyber sabotage directed either at the SCADA systems or the power grid supporting the hubs, as was demonstrated in 2007 when “an ice storm knocked out power to the hub in Cushing, Oklahoma, shutting down four crude oil pipelines [and] halting transport of roughly 770,000 barrels of oil per day.”35

Anacortes Oil Refinery at base of Mount Baker, Washington (U.S. Air Force/Lou Hernandez)

Though little known now, the 1982 U.S. cyber attack on the Trans-Siberian oil pipeline used a Trojan program that caused an explosion within the pipeline equivalent to a 3-kiloton weapon: “The U.S. managed to disrupt supplies of gas and consequential foreign currency earnings of the
for over a year.”36 Though this example shows that cyber warfare’s kinetic effects can be fearsome, such are not necessary to cause catastrophic economic damage.

Pull quote: active defense for infrastructure systems would take years of development before they could be trusted to match modern weapons

Fear of Fear?

Deliberate attacks by a nation-state, using a combination of cyber weapons and traditional arms, have already been directed at economic targets. The addition of cyber means and economic targeting to the character of war was first demonstrated by the Russians:

When Russia invaded Georgia, a large portion of its military operations focused not on securing the areas inhabited by ethnic Russians but on Georgian ports and facilities for handling oil and gas. Unstable ground conditions, augmented by cyber attacks, soon made all of the Georgian pipelines seem unreliable. Meanwhile, 2 days after the invasion began, the Turkish section of the Baku-Tbilisi-Ceyhan pipeline was attacked by local militants, supposedly on their own initiative. One result of these developments was that BP Azerbaijan shifted its oil transport to the Russian Baku-Novorossiisk pipeline, even though the costs were double those of the Georgian pipelines.37

Cyber warfare was employed to leverage a target that was purely economic. BP shifted its oil contracts based on perception; physical compromise of the Georgian pipeline was not necessary. Due to the influence of perception, Georgia experienced serious economic damage with no physical destruction of infrastructure.

Given the ease with which economic damage can be inflicted on a single economic target, in this case a pipeline, one can see how the global system the United States relies on is at risk. Furthermore, proliferation of pawns would make it easy for a power to use them to coordinate attacks against the maritime routes and land-based logistic hubs used for transport of petroleum. Only a few of these attacks would need to succeed to undermine the foundation of the international energy system and reliable transport:

In 2007, total world oil production amounted to approximately 85 million barrels per day (bbl/d), and around half, or over 43 million bbl/d of oil, was moved by tankers on fixed maritime routes. The international energy market is dependent on reliable transport. The blockage of a chokepoint, even temporarily, can lead to substantial increases in total energy costs. In addition, chokepoints leave oil tankers vulnerable to theft from pirates, terrorist attacks, and political unrest in the form of or hostilities as well as shipping accidents.38

One commentator asserts that cyber attacks also look for “digital chokepoints,” such as the electrical grid. As he explains, “Cyberspace is complex terrain, but the same idea obtains: squeeze a vulnerable throat.”39 Cyber warfare, like submarine warfare, is ideally suited to closing chokepoints. This approach was successfully employed by the United States against the Japanese; planners must anticipate a similar attack against the U.S. oil supply chain if only because of the potential for catastrophic damage. An incident that closed the Strait of Malacca even temporarily would reroute 50 percent of the world’s shipping and cause further doubts about the reliability of energy transport. The potential economic damage from a coordinated cyber campaign executed on global oil chokepoints by a major power—or on domestic chokepoints—is inestimable.40

Shadow Puppets

Cyber weapons, potential proxies, and supply chain vulnerabilities all exist. What remains to be examined is what might motivate an actor to coordinate such a campaign. Sun Tzu and Carl von Clausewitz suggest what might cause such a campaign against U.S. petroleum supplies. First, consider Clausewitz’s assertion that “Strong fortifications force the enemy elsewhere.” Even in economic decline, the U.S. military has demonstrated its ability to fight in three conflicts on the opposite side of the world.41 This military strength forces potential opponents to find a more effective angle of attack, such as a vulnerable supply line that provides a vital strategic resource. Second, the use of cyber against strategic resources is in accordance with Sun Tzu’s maxim “to defeat the enemy without fighting and, when necessary, to win first, and then fight.” These two concepts support the idea of removing a strategic resource via asymmetric and anonymous means. The example of submarine warfare in World War II, interdicting strategic resources, though not anonymous, demonstrates the ability of economic targeting by an invisible opponent to bring a great power to its knees.

However, the cyber warfare foreshadowed by Stuxnet and envisioned here would require resources in numbers that are available only to state actors.42 Furthermore, such an indirect approach is distinctly contrary to typical Western strategy.43 Whose hand should the United States expect to wield cyber warfare against its interests? It stands to reason that the nation with the clearest motive and intent is the most likely to challenge the reigning superpower.

The idea of using cyber warfare to strike at an unanticipated target, such as strategic resources, is perfectly in line with the Chinese concept of warfare known as shashoujian:44 “Once strengths and weaknesses have been identified and assessed, the strengths can be avoided, and the weaknesses can be targeted for attack using shashoujian.”45

Since 2004, has conducted at least 14 major cyber attacks, including Titan Rain and GhostNet, on targets ranging from ExxonMobil and the German chancellor to Indian and DOD military networks.46 The signs of weapon development have been noted, and the call for economic weaponization by Chinese experts has gone out: “It is only necessary to break with our mental habit of treating the weapons’ generations, users, and combinations as being fixed to be able to turn something that is rotten into something miraculous.”47 The authors later give an example of what might be accomplished with such an approach:

On October 19, 1987, U.S. ships attacked an Iranian oil drilling platform in the Persian Gulf. News of this reached the New York Stock Exchange and immediately set off the worst stock market crash in the history of Wall Street. This event, which came to be known as Black Monday, caused the loss of $560 billion in book value to the American stock market.48

Though this is an inaccurate claim, the validity of the statement is irrelevant insofar as the Chinese believe it is true.

Admittedly an attack by the Chinese against the international links of the U.S. petroleum supply chain would injure their own economy.49 For this reason it seems unlikely they would attack international links except as a prelude to full-scale war with the United States.50 However, the theory of economic interdependence should not be used as a shield to dismiss the possibility of economic cyber attack. Prior to , the theory circulated that nations would not go to war as the economic devastation would be too great, yet it proved wrong.

Shadows’ War

The destructive potential of cyber warfare in the economic, social, and physical realms demands that it be accorded the afford nuclear weapons. Defending against

this inability to immediately fix a problem should not deter strategists from considering the uncomfortable implications of an infrastructure that is indefensible against modern cyber weapons and might not be reliable in case of limited or full-spectrum conflict.

We must recognize that while there are significant vulnerabilities among the links in the U.S. oil supply chain, they are but symptoms of a larger problem. Warnings about cyber warfare have been present for years, but reminiscent of another prominent defense failure prior to 9/11, actions taken remain insufficient. In light of these facts, we face the uncomfortable truth that China, as well as other nations, possesses a weapon, and our its shadow. JFQ

Notes

1 Paul Roberts, “Many Stuxnet Vulnerabilities Still Unpatched,” Threatpost.com, Kaspersky Lab
9 National Research Council, Computers at Risk: Safe Computing in the Information Age (Washington, DC: National Academies Press, 1991), 2–3.
10 President’s Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s Infrastructures (Washington, DC: The White House, October 1997), 78.
11 Professionals for Cyber Defense, letter to President George W. Bush, February 27, 2002.
12 General Accounting Office, Critical Infrastructure Protection: Significant Challenges for Developing National Capabilities, report to the Subcommittee on Technology, Terrorism, and Government Information, Committee on the Judiciary, U.S. Senate, April 2001.
13 Government Accountability Office, Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities, report to Congressional Requesters, July 2011.
14 “Guarding Cyber Pentagon,” CNN.com, available at


Policy and How It Changed the World (New York: Routledge, 2002), 110.
“How Dependent Are We on Foreign Oil?” Energy in Brief (Washington, DC: Department of Energy, June 24, 2011).
cessing Review (London: Touch Briefings, 2005).
26 Navy Department, Section III: Japanese Anti-Submarine Warfare and Weapons, War Damage Report, no. 58 (Washington, DC: U.S. WDR58/WDR58-3.html>.
27 W.J. Holmes, Undersea Victory: The Influence of Submarine Operations on the War in the Pacific (Garden City, NY: Doubleday, 1966), 425.
28 Michel T. Poirier, “Results of the American
29 David Hollis, “Cyberwar Case Study: Georgia 2008,” Small Wars Journal, January 6, blog/journal/docs-temp/639-hollis.pdf>.
30 James J.F. Forest, Homeland Security: Protecting America’s Targets, Vol. III: Critical Infrastructure (Westport, CT: Greenwood Publishing Group, 2006), 136.
31 Giles Tremlett, “This Is London—The Capital of Somali Pirates’ Secret Intelligence Operation,” The Guardian, May 11, 2009.
32 National Petroleum Council, Securing Energy, June 2001).
33 U.S. Naval Institute and CACI International, Inc., “Cyber Threats to National Security:
Journal 236, no. 2 (February 2009).
37 U.S. Cyber Consequences Unit (US-CCU), special report, Overview by the US-CCU of the 2008.
38 Energy Information Agency, World Oil
39 Austin Bay, “Grab the Planet By the Throat,” RealClearPolitics (April 22, 2009), 8.
40 Energy Information Agency, 4.
41 Referring to Iraq, Afghanistan, and Libya.
42 Holger Stark, “Mossad’s Miracle Weapon: Stuxnet Virus Opens New Era of Cyber War,” Der Spiegel Online, August 8, 2011.
Strategy Is to Make War While Avoiding a Battle,” Armed Forces Journal 143 (November 2005).
44 Most commonly translated as “Assassin’s Mace,” it refers to the Chinese search for weapons that are undetectable prior to use and cause such damage as to make retaliation by the victim impossible.
45 Jason E. Bruzdzinski, “Demystifying Shashoujian,” in Civil-Military Change in China: Elites, Institutes, and Ideas after the 16th Party (Carlisle, PA: U.S. Army War College, Strategic Studies Institute, 2004).
46 Richard Stiennon, “A Brief History of Chinese Cyberspying,” Forbes.com, February 2, 2011, available at
