SPECIAL SERIES: Cybersecurity: The Next Great Battlefield
In this series of articles running through July, RealClearPolitics and RealClearDefense take an in-depth look at the intersection of cybersecurity, technology, and warfare in the 21st century.
Nearly four decades ago, Ronald Reagan ran for president vowing to upgrade U.S. armed forces on land, sea, and in the air. Thirty-five years ago this month, even as he made good on his campaign promises to the military, President Reagan proposed his Strategic Defense Initiative, which introduced the idea of extending American war-making ability to a fourth domain: outer space.
Although critics of the proposed missile shield immediately dubbed it “Star Wars” after the blockbuster movie, which filled theaters before SDI had even been envisioned, the advanced weapons systems the United States already possessed were run by what was then considered space-age technology -- computers. But as Reagan would soon learn to his surprise (after watching another Hollywood movie, “WarGames”), the only computer network that is truly secure is the one that no one can use.
What this suggested, even then, was that cyberspace is much more than a means of enhancing the weaponry of the four domains of war. It also constituted its own potential field of battle. Now that America’s erstwhile adversaries in Moscow have once again placed themselves in opposition to Western-style democracy in general, and the U.S. in particular, Russia has given form to this new dimension: cyberattack, warfare’s fifth domain.
How to confront that threat – and to protect the nation from other cyberattacks originating from many sources against innumerable American targets, public and private – has become one of the defining foreign policy challenges of Donald J. Trump’s presidency.
Who Fired First?
“At the Abyss,” the 2004 memoir by former Reagan administration National Security Council official Thomas C. Reed, painted a picture of futuristic war. Except that in Reed’s telling, the event happened in the past – in 1982. Using what was referred to as a “logic bomb,” the CIA seemingly launched the first incursion -- what we’d now call a cyberattack -- against the Soviet Union.
This attack took the form of a CIA digital incursion into the Soviet computer network controlling a Siberian gas line. The result was said to be a catastrophic explosion resembling a nuclear mushroom cloud when seen via satellite. There are reasons to doubt this ever happened. For one thing, at a time of thawing in Russian-American relations, the former KGB official in charge of the region denied it. In addition, it seems doubtful that Soviet pipelines in that region were run digitally at the time. But there are two aspects to the story that are instructive. First, it showed how early in the Digital Age intelligence services were envisioning computer networks as a technology that could be sabotaged and even used as offensive weapons against their hosts.
Whether such a cyberattack occurred or not, infiltrating Soviet systems seems to have been part of a concerted interagency effort within the U.S. government. An initiative that included the CIA, the FBI, and the Department of Defense was described in a document known in defense circles as The Farewell Dossier. Here is an excerpt from that document:
"contrived computer chips [would make] their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disrupted the output of chemical plants and a tractor factory. The Pentagon introduced misleading information pertinent to stealth aircraft, space defense, and tactical aircraft. The Soviet Space Shuttle was a rejected NASA design. When [CIA chief William] Casey told President Reagan of the undertaking, the latter was enthusiastic. In time, the project proved to be a model of interagency cooperation, with the FBI handling domestic requirements and CIA responsible for overseas operations. The program had great success, and it was never detected."
Whether this took place or was merely wishful thinking, the legend of the “logic bomb” demonstrated an organized and concerted theory of how cyberwarfare might be waged. Nonetheless, it was not until 2011 that the Pentagon would declare the Internet a “Domain of Warfare,” following the first-ever plan for cyberspace and after the establishment of U.S. Cyber Command (CYBERCOM) in 2010, nearly 30 years after the alleged 1982 incursion.
Also lost in the intervening years between The Farewell Dossier and the acknowledgment of cyber as a domain of warfare is the level of cooperation it envisioned at U.S. federal agencies, which drifted apart and no longer coordinated efforts in ways that would help address the exploding cyberthreats of today. Instead, the CIA reverted to identifying and mitigating large threats, DoD focused on purely operational security, and the FBI for the most part resumed its traditional law enforcement role.
In response to evolving cyber crime, the bureau established the FBI Computer Investigations and Infrastructure Threat Assessment Center (CITAC) in 1996. During testimony before Congress, Michael Vatis, deputy assistant director and chief of the FBI's National Infrastructure Protection Center (NIPC), stated that CITAC:
“should not merely provide warnings of imminent or ongoing attacks, but should also provide the focal point for coordinating the government's operational efforts to deter, contain, investigate, and respond to attacks on the nation's critical infrastructures. Such an entity should also provide a principal mechanism for sharing threat and vulnerability information between the government and the private sector.”
Vatis’ warnings soon rang true in the form of the “Solar Sunrise” attack in 1998. Exploiting a vulnerability in the DoD’s “Solaris (UNIX-based) computer system,” hackers ran malicious code to examine and extract data from DoD sites around the world. So successful was the attack that it led the DoD to refer to it as “the most organized and systematic attack to date.” The perpetrators, however, were high school students from California, with an 18-year-old mentor from Israel.
The most widely recognized known example of cyberwarfare was Stuxnet, the American-Israeli project to dismantle Iran’s nuclear program, which propelled cyberwarfare into public consciousness. Possibly the most sophisticated cyber weapon ever deployed, Stuxnet apparently delayed the Iranian nuclear project for years, and also led to Iranian claims that the deaths of several scientists resulted from cyber-related explosions.
Whether that happened or not, what is known is that Iranians did not passively accept this sabotage. Nor did the Russians.
It was a senior researcher for Russia’s Kaspersky Lab, Roel Schouwenberg, whose work led to the discovery of Stuxnet. He reverse-engineered the worm to learn that this was a complex attack that must have taken a team of at least 10 people two to three years to perfect, if not longer.
The significance of Schouwenberg’s work was revealed last year when the U.S. government’s leading cybersecurity agency, the National Security Agency, fell victim to apparent Russian hackers. The NSA’s top hacking team, Tailored Access Operations (TAO), became the subject of “one of the worst security debacles ever to befall American intelligence.” The apparent carelessness of an NSA employee, who took classified material home, allowed Kaspersky Lab and the so-called “Shadow Brokers” to skillfully utilize privileged information in launching attacks into the CIA and NSA; that carelessness is also believed to have led to the WannaCry ransomware worm as well as the NotPetya malware.
Enter the 2016 presidential campaign and the resulting chaos following Donald Trump’s unlikely path to the White House. While much of the current drama centers on the narrative that Russia facilitated Trump’s precarious election, it appears that Russia’s objective, at least initially, was not aiding Trump but simply facilitating turmoil. It’s a form of Information Age warfare in the fifth domain with deep roots in age-old Soviet doctrine.
The big question now is what the Trump administration does about it.
This is the dilemma facing the administration and tasked to the Department of Homeland Security. The Information Sharing Act of 2015 and the Cybersecurity National Action Plan (CNAP) and the National Cyber Incident Response Plan (NCIRP) are all meant to address the gamut of critical cyber vulnerabilities. But have these initiatives led to greater security and response capabilities?
A report by the start-up SecurityScorecard in 2016 revealed that “U.S. federal, state and local government agencies rank in last place in cyber security when compared against 17 major private industries, including transportation, retail and healthcare.”
The Government Accountability Office stated in 2017 that cyber-based “intrusions and attacks on federal systems and systems supporting our nation's critical infrastructure, such as communications and financial services, are evolving and becoming more sophisticated.” GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include the protection of cyber-critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.
As threats increase, the U.S. government falls further behind. Reporting in 2016, the GAO said that the number of reported cyber incidents across the federal government increased by an astounding 1,300 percent from fiscal year 2006 to fiscal year 2015.
In response, the Trump administration has upped spending from that of the Obama administration to a proposed $3.3 billion in the fiscal 2019 budget. However, the GAO again points out in another 2017 report that the U.S. government has largely failed to address increased threats “due to ineffective implementation of information security policies and practices.”
Will Trump’s efforts work? That remains to be seen, and the crux of the matter is that information security is considered a secondary or tertiary mission, often overridden by current operations. As Michael Vatis suggested in 1996, the success of the nation’s efforts will hinge on the government’s ability to coordinate civilian and private-sector cooperation in the name of national security.
The popular public discourse of the moment revolves around the security of the 2018 midterm elections. During a February Senate Armed Services Committee hearing, Sen. Claire McCaskill asked Adm. Michael Rogers, director of the NSA and the U.S. Cyber Command, if the U.S. could keep the Russians from interfering. Rogers said yes, but he also said that the U.S. wasn’t doing enough and that he had “never been given any specific direction to take additional steps outside my [normal] authority. I have taken steps with my authority.”
The Trump administration, however, claims that efforts to deter Russian meddling in U.S. elections are undercut by confusion over military authority to combat adversaries in cyberspace.
To convey a toughened stance on Russia and solidarity with European allies outraged by the poisoning of a former spy, the White House has given 60 Russian diplomats one week to leave the United States, the largest expulsion move to date. Although unrelated to Russia’s cyber aggression, this could be a sign that the administration is ready to do more than just spend money on cyber defenses.