Getting Serious About Cyberwarfare

Frank J. Cilluffo & J. Richard Knop

he future of military conflict will certainly include a cyber component. Com- puter network operations, including exploits and attacks, will be integrated into Tmilitary planning, doctrine and operations. Cyber warfare will simultaneously be its own domain and will also impact other domains (land, sea, air, and space)— from intelligence preparation of the battlefield (IPB), to computer network attack (CNA).

Nations that can best marshal and mobilize their cyber power—defined as “the ability to use cyberspace to create advantages and influence events in all other opera- tional environments and across the instruments of power”—and integrate it into strat- egy and doctrine will ensure significant national security advantage into the future.1 The U.S. cybersecurity community is evolving and developing in response to the threat climate that prevails, but remains in a nascent stage of maturity. To date, the cybersecurity community has not reached anything approaching the level of acumen displayed by the U.S. counterterrorism community. Its current state is akin to where our anti-terrorism efforts found themselves shortly after the 9/11 attacks. While our defense and intelligence architectures and capabilities in the cyber field outmatch and out- compete those on the civilian side, the future of U.S. cyberdefense and cyber-response is not assured even in a military context. The threat and the technology that supports it have markedly outpaced U.S. prevention and response efforts as a whole.

Frank J. Cilluffo is an associate vice president at The George Washington University, where he directs the Cyber Center for National & Economic Security. He previously served as a Special Assistant to President George W. Bush for Homeland Security.

J. Richard Knop is the founder and co-manager of FedCap Partners, LLC. He also serves as a member of The George Washington University Board of Trustees, where he over- sees the University’s Cybersecurity Initiative. Frank J. Cilluffo & J. Richard Knop

Despite multiple incidents that America.”3 The Chairman of the Joint could have served as galvanizing events Chiefs of Staff likewise expressed con- to shore up U.S. resolve to formulate and cern in testimony to the Senate Armed implement the changes that are needed Services Committee earlier this year: “I (and not just within Government) we as a believe someone in China is hacking into country have yet to take the steps needed our systems and stealing technology to enhance our security, readiness and and intellectual property.”4 He declined resilience. As General Keith Alexander, to link this activity directly to the Peo- Commander of U.S. Cyber Command and ple’s Liberation Army (PLA). However, director of the National Security Agency, Chinese Army officers have publicly noted recently, “The country is a ‘three’ expressed significant interest in and on a scale of one to ten when it comes to support for non-traditional means to cyber preparedness.”2 yield military advantage.5 As a report issued by the U.S.- China Economic and Security Review While bits and bytes are unlikely Commission has outlined, “Computer to replace bullets and bombs, network operations have become funda- terrorist groups may increase mental to the PLA’s strategic campaign their cyber savvy as time wears goals for seizing information domi- nance early in a military operation.”6 on and may affect our threat and The report also notes that even during vulnerability calculus accordingly. peacetime, computer network exploita- tion has likely become central to PLA and civilian intelligence collection oper- Threat matrix ations to support national military and The cyber threat is multifaceted. At civilian strategic goals.7 the time of a breach, just who is behind As foreign intelligence services the clickety-clack of the keyboard is not engage in cyber espionage against us, readily apparent. It could be an ankle- they often combine technical and human biter, a hacker, hacktivists, criminal or intelligence in their exploits.8 These terrorist groups, nation-states or those activities permit others to leapfrog many that they sponsor. The Internet is a bounds beyond their rightful place in medium made for plausible deniability. the innovation cycle. As the Office of From a homeland security perspective, the NCIX observes in its 2011 Report however, our principal concerns are by to Congress, “Moscow’s highly capable and large foreign states—specifically intelligence services are using HUMINT those that pose an advanced and per- [human intelligence], cyber, and other sistent threat. Russia and China fall in operations to collect economic informa- this category although their tactics and tion and technology to support Russia’s techniques may—and likely have been— economic development and security.”9 exploited by others. After Russia’s war with Georgia The U.S. National Counterintelli- in 2008, the military appraised its cam- gence Executive (NCIX) pulls no punches paign and made note of its poor perfor- in its assessment: “The nations of China mance in the domain of Information and Russia, through their intelligence Warfare.10 This led to a call for “Informa- services and through their corporations, tion Troops” within the Russian armed are attacking our research and devel- forces; however, no such body has yet opment... This is a national, long-term, to appear. Professor Igor Panarin, of the strategic threat to the United States of Ministry of Foreign Affairs’ Diplomatic

42 The Journal of International Security Affairs Getting Serious About Cyberwarfare

Academy, notes that “the objective is… aged to shut down Twitter, block web- certainly, to create centres which would sites and execute complex cyberattacks envisage so-called hacker attacks on within Iran.15 Also, it is useful to keep in enemy territory.”11 The present absence mind that many of the capabilities that of defined “Information Troops” within Iran does not yet have may be purchased. the armed forces does not preclude a pre- A veritable arms bazaar of cyber weap- occupation with their “lack of capacity to ons exists, and the bar to entry continues prosecute or defend against CNO within to get lower while the cyber weapons con- the military” and will continue to incite tinue to become more user-friendly (i.e., calls to action.12 point-and-click).16 Our adversaries just At worst, such exploits hold the need the cash and the intent. potential to bring the United States and its means of national defense and national Our cyber-offense and defense security to a halt—thereby undermining the trust and confidence of the Ameri- both require work. The two can people in their government. This is go hand-in-hand, with the one a dark scenario. Yet one wonders what bolstering and reinforcing the purpose the mapping of critical U.S. other. Imbalance between them infrastructure (by our adversaries) might serve other than intelligence preparation may give rise to significant of the battlefield. In 2009, theWall Street potential peril. Journal reported that cyberspies from Russia and China had penetrated the Unfortunately there is no lack of U.S. electrical grid, leaving behind soft- evidence of intent. By way of example, ware programs. These intruders didn’t U.S. officials are investigating “reports cause any damage to U.S. infrastructure, that Iranian and Venezuelan diplomats but sought to navigate the systems and in Mexico were involved in planned their controls.13 Indeed, the line between cyberattacks against U.S. targets, includ- this type of reconnaissance and an act of ing nuclear power plants.” Press reports aggression is thin, turning only on the based on a Univision (Spanish TV) matter of intent. documentary that contained “secretly Countries such as Iran and North recorded footage of Iranian and Ven- Korea are not yet on a par with Russia ezuelan diplomats being briefed on the and China insofar as capabilities are con- planned attacks and promising to pass cerned; but what Iran and North Korea information to their governments,” allege lack in indigenous capability they make that “the hackers discussed possible tar- up for in terms of intent. Here motivation gets, including the FBI, the CIA and the supersedes sophistication. From a U.S. Pentagon, and nuclear facilities, both mil- perspective, the challenge is asymmetric itary and civilian. The hackers said they in character and of course complicated were seeking passwords to protected by the nuclear backdrop. systems and sought support and funding Iran is increasingly investing in from the diplomats.”17 bolstering its own cyberwar capabilities. Iran itself is not a monolith when According to press reports, the govern- it comes to its cyber (or terrorist) activi- ment there is investing the equivalent of ties. Indeed, Iran’s Islamic Revolutionary one billion dollars to build out its offense Guard Corps (IRGC) operates as a semi- and defense.14 Iran has organized an “Ira- independent entity, and it is unclear just nian Cyber Army,” and has also employed how much they coordinate with Iranian pro-government hackers who have man- intelligence (the Ministry of Intelligence

The Journal of International Security Affairs 43 Frank J. Cilluffo & J. Richard Knop

and Security, or MOIS). This complicates goals and objectives include training and U.S. efforts in terms of both threat assess- mobilizing pro-regime (Government of ment and response. Moreover, despite Iran) activists in cyberspace. In part this the imposition of sanctions on Iran, it is involves raising awareness of and school- quite clear that the IRGC is not running ing others in the tactics of cyberwarfare. out of money; the Corps has a substan- Hezbollah is deftly exploiting social tial economic enterprise internal and media tools such as Facebook to gain external to Iran including telecommuni- intelligence and information. Even worse, cations.18 This coupled with the foreign each such exploit generates additional terrorist organizations (FTOs) Iran sup- opportunities to gather yet more data as ports and sponsors, notably Hezbollah, new potential targets are identified, and makes Iran a key threat.19 Note further tailored methods and means of approach- that Iran’s ability to conduct electronic ing them are discovered and developed.21 warfare, including the jamming and Looking beyond the horizon, the spoofing of radar and communications outlook is likewise concerning. While systems, has been enhanced by acquisi- bits and bytes are unlikely to replace tion of advanced jamming equipment. In bullets and bombs, terrorist groups may the event of a conflict in the Persian Gulf, increase their cyber savvy as time wears Iran could combine electronic and com- on and may affect our threat and vul- puter network attack methods to degrade nerability calculus accordingly. As Gen. U.S. and allied radar systems, thereby Alexander observed recently, al-Qaeda frustrating or at least complicating both and others who wish to do harm to the offensive and defensive operations.20 United States “could very quickly get to” a state in which they possess “destruc- tive” cyber capability that could be From the standpoint of defense, directed against us.22 Bear in mind that the nation would be well served cyberterrorism (and terrorism in general) by a cyber-deterrence strategy is a small numbers business. Big num- that is clearly and powerfully bers are not needed to generate serious consequences. Indeed, nineteen hijackers articulated. Having singled out were able to take nearly three thousand certain adversaries in open-source lives and cause substantial economic government documents, logic damage in the 9/11 terrorist attacks. dictates that we should specify How prepared are we? (without divulging sensitive or With national and economic secu- compromising details) the broad rity at stake, the imperative of prepared- outlines of what we are doing ness is clear. Yet we have a way to go on about these activities directed this front before it could be reasonably concluded that the United States is giving against us. enough focus to cyberdefense and cyber- response in the military realm. (Of course, If past is prelude, Iran has leaned the cyber threat spectrum impacts more on proxies in the past to do its bidding, than the defense community alone. The and this factors into the cyber domain broader public sector, the private sector, as well. Hezbollah has also entered the the interface and intersections between fray, establishing the Cyber Hezbollah them, as well as individual citizens, are organization in June 2011. Law enforce- also at risk. This article, however, relates ment officials note that the organization’s simply to the military domain.)

44 The Journal of International Security Affairs Getting Serious About Cyberwarfare

Prevention and response requires, the broad outlines of what we are doing among other things, capabilities and about these activities directed against capacities that can be executed and us.23 It may be that the equivalent of an implemented in real time against sophis- above-ground nuclear test is needed in ticated and determined adversaries. order to demonstrate U.S. wherewithal Underlying those abilities and the exer- to actual and prospective adversaries, cise of that power, in turn, must be fun- who might thereby be dissuaded from damental operating principles carefully a course of action or, alternatively, com- derived, defined and debated in the clear pelled toward specific steps. What that light of day, that represent the product of equivalent test may be is not altogether a national conversation on the subject. clear nor is the feasibility or possible con- Policy and strategy in this area sequences of conducting it, but these are have suffered to date because concepts the sorts of questions that merit national and categories which constitute the evo- reflection at this time. Force protection lution and end-product of our thinking as is another, as second-strike capabilities a nation have lagged behind both tech- may be needed to ensure it. nology and practice (particularly that of our adversaries). These various elements may still be brought into better align- Before going on the offensive, ment, but doing so will require concerted prudence dictates that we first effort and commitment on the part of our inoculate ourselves against military and civilian leaders. Remember that we have risen in the past to similar the very measures that will be challenge successfully, forging strategy visited upon others. Blowback and policy in another new domain devoid is always a risk in military of borders, namely outer space. engagement and all the more Our cyber-offense and defense both require work. The two go hand-in-hand, so in the cyber context, where with the one bolstering and reinforcing unintended consequences may the other. Imbalance between them may materialize once a cyber-weapon give rise to significant potential peril. Fortunately discussions are under way is released into the wild. at the Pentagon and elsewhere regarding the rules of engagement that should, do, An “active defense” capability, and will inform and guide U.S. actions meaning the ability to immediately in cyberspace. Contingency planning attribute and counter attacks, is needed that incorporates attacks on U.S. infra- to address future threats in real-time. structure is needed, as is red-teaming Active defense is a complex undertak- and additional threat assessments which ing, however, as it requires meeting the should include modalities of attack and adversary closer to its territory, which potential consequences. in turn demands the merger of our for- From the standpoint of defense, the eign intelligence capabilities with U.S. nation would be well served by a cyber- defensive and offensive cyber capabilities deterrence strategy that is clearly and (and potentially may require updating powerfully articulated. Having singled relevant authorities). A significant break- out certain adversaries in open-source through in the counterterrorism realm government documents, logic dictates post-9/11 was the synchronization of that we should specify (without divulg- Title 10 and Title 50 of the United States ing sensitive or compromising details) Code—a development that harmonized

The Journal of International Security Affairs 45 Frank J. Cilluffo & J. Richard Knop military and intelligence functions. Simi- Input and insights from the private larly, this synchronization can be lever- sector, including the owners and opera- aged to strengthen our active defenses tors of critical infrastructure, are also an in the cyber domain. We cannot simply important component for building robust firewall our way out of this problem. (national) situational awareness and a Before going on the offensive, how- shared knowledge of the battle-space. ever, prudence dictates that we first inoc- These owners and operators should be ulate ourselves against the very measures part of our Fusion Centers. Yet this is not that will be visited upon others. Blow- the case for more than half of the nation’s back is always a risk in military engage- Centers—despite the fact that a sizable ment and all the more so in the cyber majority of Fusion Centers are (according context, where unintended consequences to survey research conducted recently may materialize once a cyber-weapon is by The George Washington Universi- released into the wild. Identifying and ty’s Homeland Security Policy Institute) implementing the necessary precautions believed by their membership to have should therefore be an integral part of “relatively weak capabilities in regard to taking the offensive—and indeed a pre- the gathering, receiving, and analyzing cursor to it. of cyber threats.”24 Readiness is no simple matter in this context, certainly not across the board. The road ahead Government entities with the greatest History offers guidance on how to capabilities (such as NSA) do not have all move forward smartly. We must find the authorities, while departments whose the cyber equivalents of Billy Mitchell, capacities are less fully developed (such George Patton, Curtis LeMay and Bill as DHS) are endowed with relatively Donovan—leaders who understand greater authority. The result is a range both the tactical and strategic uses of of knock-on effects including challenges new technologies and weapons. Such for computer network defense (CND) and leadership, together with the elaboration computer network exploit and attack and articulation of doctrine to guide (CNE and CNA). Figuring out how best to and support the development and use of bridge the gap between authorities and U.S. cyber capabilities of all kinds, will capabilities is a vexing challenge, but one propel the nation much closer to where that would serve us well to think through it needs to be. carefully, taking into account all compet- At the end of the day, the ability to ing equities (security, privacy, civil liber- reconstitute, recover and get back on our ties, etc.). feet is perhaps the best deterrent. The All-source intelligence that under- storms that recently battered the National pins and enables prevention and response Capital Region, leaving close to a million is and will continue to be crucial for people without power during a week-long military and civilian efforts. As much heat wave, are instructive in terms of as technology matters in this area, there our shortcomings on resilience. Mother is simply no substitute for HUMINT. A Nature may be a formidable adversary, human source—whether a recruit in but just imagine the level of damage and place inside a foreign intelligence ser- destruction that a determined and cre- vice, a criminal enterprise, or a terrorist ative cyber-enemy could have wrought. organization—is the most valuable force multiplier, bar none. By helping to create a “rich picture” of the threat, HUMINT keeps our blind spots to a minimum.

46 The Journal of International Security Affairs Getting Serious About Cyberwarfare

15. Tom Gjelten, “Could Iran Wage a Cyberwar on 1. Franklin Kramer, Stuart Starr and Larry Wentz, the U.S.?” NPR, April 26, 2012. http://www.npr. Cyberpower and National Security (Washing- org/2012/04/26/151400805/could-iran-wage-a- ton, DC: National Defense University, Center for cyberwar-on-the-u-s Technology and National Security Policy, 2009). 16. Frank J. Cilluffo, “Preparing for a More Aggres- 2. General Keith Alexander, “Protecting the Home- sive Iran,” Huffington Post, July 30, 2012, http:// land from Cyber Attacks,” The Aspen Institute, www.huffingtonpost.com/frank-j-cilluffo/pre- July 26, 2012, http://www.aspeninstitute.org/ paring-for-a-more-aggr_b_1718725.html. about/blog/general-keith-alexander-protecting- 17. Shaun Waterman, “U.S. Authorities Prob- homeland-cyber-attacks. ing Alleged Cyberattack Plot by Venezuela, 3. As cited in Siobhan Gorman, “China Singled Out Iran,” Washington Times, December 13, 2011, for Cyber Spying,” Wall Street Journal, Novem- http://www.washingtontimes.com/news/2011/ ber 4, 2011, http://online.wsj.com/article/SB10 dec/13/us-probing-alleged-cyberattack-plot-iran- 001424052970203716204577015540198801540. venezuela/?page=all. html#ixzz1ckLNwAJX. 18. Julian Borger and Robert Tait, “The Financial 4. General Martin Dempsey, testimony before the Power of the Revolutionary Guards,” Guardian Senate Committee on Armed Services, February (London), February 15, 2010, http://www.guard- 14, 2012, http://www.armed-services.senate.gov/ ian.co.uk/world/2010/feb/15/financial-power-rev- Transcripts/2012/02%20February/12-02%20 olutionary-guard. -%202-14-12.pdf. 19. Frank J. Cilluffo, Testimony before the U.S. 5. Qiao Liang and Wang Xiangsui, Unrestricted Senate Committee on Homeland Security and Warfare (Beijing: China’s People’s Liberation Governmental Affairs, July 11, 2012, http://www. Army, 1999). gwumc.edu/hspi/policy/publicationType_testi- 6. Patton Adams, George Bakos and Bryan Krekel, monies.cfm. “Occupying the Information High Ground: Chi- 20. Michael Puttre, “Iran Bolsters Naval, EW Power,” nese Capabilities for Computer Network Opera- Journal of Electronic Defense 25, no. 4, April tions and Cyber Espionage,” Report prepared for 2002, 24; Robert Karniol, “Ukraine Sells Kol- the U.S.-China Economic and Security Review chuga to Iran,” Jane’s Defense Weekly 43, no. 39, Commission by Northrop Grumman Corp, March September 27, 2006, 6; Stephen Trimble, “Avto- 3, 2012, http://www.uscc.gov/RFP/2012/USCC%20 baza: Iran’s Weapon in Alleged RQ-170 Affair?” Report_Chinese_CapabilitiesforComputer_Net- The DEW Line, December 5, 2011, http://www. workOperationsandCyberEspionage.pdf. flightglobal.com/blogs/the-dewline/2011/12/ 7. Ibid. avtobaza-irans-weapon-in-rq-17.html. 8. Frank J. Cilluffo and Sharon L. Cardash, “Com- 21. Cilluffo, Testimony before the U.S. Senate Com- mentary: Defense Strategy Avoids Tackling the mittee on Homeland Security and Governmental Most Critical Issues,” Nextgov, July 28, 2011, Affairs. http://www.nextgov.com/cybersecurity/2011/07/ 22. Robert Burns, “Cybersecurity Chief Urges commentary-defense-cyber-strategy-avoids- Action by Congress,” Seattle Times, July tackling-the-most-critical-issues/49494/. 9, 2012, http://seattletimes.nwsource.com/ 9. National Counterintelligence Executive of the html/politics/2018645510_apuscybersecurity. United States, “Foreign Spies Stealing U.S. html?syndication=rss. Secrets in Cyberspace,” Report to Congress on 23. See Krekel et al., “Occupying the Information Foreign Economic Collection, 2009-2011, 5, High Ground”; Office of the NCIX, Report to http://www.ncix.gov/publications/reports/fecie_ Congress on Foreign Economic Collection, all/Foreign_Economic_Collection_2011.pdf. 2009-2011. 10. Keir Giles, “Information Troops—A Russian 24. Frank J. Cilluffo, Joseph R. Clark, Michael P. Cyber Command?” Conflict Studies Research Downing and Keith D. Squires, “Counterterror- Centre, Oxford, UK, 2011. ism Intelligence: Fusion Center Perspectives,” 11. “Russia is Underestimating Information HSPI Counterterrorism Intelligence Survey Resources and Losing Out to the West,” Novyy Research (CTISR), June 2012, http://www. Region (via BBC World Monitoring), October 29, gwumc.edu/hspi/policy/HSPI%20Counterter- 2008. rorism%20Intelligence%20-%20Fusion%20 12. Ibid. Center%20Perspectives%206-26-12.pdf. 13. Siobhan Gorman, “Electricity Grid in U.S. Penetrated by Spies,” Wall Street Journal, April 8, 2009, http://online.wsj.com/article/ SB123914805204099085.html. 14. Yaakov Katz, “Iran Embarks on $1b. Cyber- Warfare Program,” Jerusalem Post, December 18, 2011, http://www.jpost.com/Defense/Article. aspx?id=249864.

The Journal of International Security Affairs 47