SPECIAL SERIES: Cybersecurity: The Next Great Battlefield
In this series of articles running through July, RealClearPolitics and RealClearDefense take an in-depth look at the intersection of cybersecurity, technology, and warfare in the 21st century. Below is Part 4.
The first great cyberattack of the century was a deliberate, targeted and slow-moving affair. It was a sophisticated operation tailored toward a specific tactical outcome to serve American and Israeli strategic purposes. When the malware that came to be known as Stuxnet was introduced into the centrifuges at Iran’s Natanz uranium enrichment plant, its handlers knew exactly what they wanted to accomplish. This was a worm with a marksman’s mentality, designed to move harmlessly through digital systems until it met its target and struck. When its code was exposed, new versions were deployed, like a team of digital 007s set to activate after the identity of their predecessor is compromised. The last series of attacks reportedly took the spin out of one-fifth of Iran’s nuclear centrifuges.
The nature of the Stuxnet operation -- the goal it set out to achieve as much as the methods employed -- reflected the dynamics between the actors who carried it out. It was a digital extension of a pattern of behavior in an adversarial world.
“When we did Stuxnet, it was designed to achieve a very specific purpose,” explains Michael Connell, a research scientist for the Center for Naval Analyses. “We designed it to be non-lethal and restricted, to affect only the centrifuges associated with Iran’s nuclear program. Its effects were designed to be tactical in nature.
“When, on the other hand, Russians are attacking Ukrainian power stations, it was designed for a different purpose,” Connell added. “It was designed to say to the Ukrainian public, ‘Hey, your government can’t take care of you.’ And that is the way Iranians think too.”
Cyberspace today can be compared to the outset of the nuclear age, a time and space where capabilities are in constant evolution and norms to govern behavior do not exist. One bracing difference is the sheer number of players involved. Although deployed against Japan, “the bomb” was invented in the United States by a nation worried that Nazi Germany would unleash its terrible power first. After World War II, the arms race initially featured two superpowers: the U.S. and the Soviet Union. The tools of cyberwarfare are more egalitarian. Another way to say this is that although Washington is currently consumed with trying to determine the extent of Russian meddling in the 2016 election, Russia is not the only adversary. This arms race -- the one in cyberspace -- is a multi-headed monster.
In cybersecurity, one key to defending U.S. national interests is understanding the nature and ultimate aims of the adversary: What are Iran’s regional foreign-policy goals? What does North Korea need to do to maintain its regime’s stability? What are China’s plans for reaching strategic parity with the United States, and does it even want to achieve dominance? Whether you are an individual, a private company, or the U.S. government, self-defense begins with strategic knowledge of the game.
Islamic Republic of Mabna
Don’t bother looking for an Iranian cyber doctrine; the Islamic Republic benefits from strategic ambiguity online in much the same way as it does on the land-based battlefield, operating through proxies and dissimulating responsibilities across its various domestic power poles, most notably the Islamic Revolutionary Guard Corps.
One of the biggest operations tied to Iran that hit the West was carried out in the fall of 2012 and was the work of a group calling itself the Izz ad-Din al-Qassam Cyber Fighters. Known as “Operation Ababil,” the attack targeted U.S. banking infrastructure. As outlined in a report by the Carnegie Endowment for International Peace, the attackers “deluged their targets with high volumes of malicious traffic.” In the process, the Iranians locked hundreds of thousands of customers out of their accounts, vandalism that cost tens of millions of dollars to fix.
In 2013, Iranians are believed to have accessed the Navy Marine Corps Intranet, which stores unclassified information and communications. This act of cyber-espionage convinced U.S. experts that Iranian capabilities were becoming more sophisticated. “The wake-up call for the U.S. with Iran was that break-in of the Navy’s networks. That was espionage, but the fact they were able to do that showed that the Iranians do have some capabilities,” Connell said. “It surprised everybody.”
Iran has a highly educated population, and groups such as the Basij militia recruit talented hackers to serve the national cause. Such recruitment serves a dual purpose: offering relatively high-paying jobs to tech-savvy young Iranians ameliorates the brain drain that worries national leaders while also bolstering Iran’s cyber capabilities.
What does Iran intend to do with those capabilities? Tehran’s concerns are regime stability and regional influence. For that reason, most -- but not all -- of the country’s malicious cyber activity is directed at internal dissidents as well as diplomats and employees of various non-governmental organizations. The most significant outside attacks are aimed at regional rivals Saudi Arabia and Israel. In the most successful effort, known as the Shamoon attack, proxies tied to Iran overwrote the hard drives of Saudi Aramco computers, causing damage in the tens or hundreds of millions of dollars. Iranians viewed the attack as retaliatory; it was meant to send the message that Iran may not be able to stop cyberattacks on its own infrastructure, but the regime can and will respond in kind.
Sometimes the Iranians show that they are willing, and able, to reach out beyond their nation’s own sphere of influence. This was brought home to Americans a month ago when the Justice Department charged nine Iranians and sanctioned an Iranian company for allegedly stealing some 31 terabytes of intellectual property from 144 U.S. universities and another 176 universities in 21 other countries. Deputy Attorney General Rod Rosenstein described the effort as state-sponsored, and said it was one of the largest digital theft operations ever uncovered.
U.S. authorities said that the hackers worked at the Mabna Institute under the auspices of Iran’s Islamic Revolutionary Guard Corps, the highly trained military cadres assigned to protect the clerics who run the world’s largest theocracy.
People’s Republic of China
If Iran’s activities are mainly defensive and opportunistic, China’s are methodical and aggressive. Both of these state actors are known for stealing trade secrets, but the scale of industrial theft by the Chinese is in a league of its own and includes non-digital techniques as well.
“One classic method is to have an agent or someone who works inside a company and they use that position to flat-out copy documents,” said Cecile Shea, a fellow at The Chicago Council on Global Affairs. “We’re not just talking about national secrets, but commercial secrets. There have been cases of people walking out with info they weren’t supposed to be walking out of the building with.”
Meanwhile, the scale of Chinese cyber-espionage has been staggering. Naval Postgraduate School scholar Dorothy Denning points to a 2013 report by the American cyberintelligence firm Mandiant (now part of FireEye), on a single Chinese espionage group it labeled Advanced Persistent Threat 1, finding that this lone entity had stolen hundreds of terabytes of data from at least 141 organizations since 2006. Despite an agreement between former President Obama and Chinese President Xi Jinping to restrict economic espionage, FireEye has identified 13 active groups based in China that are breaching the networks of global corporations, many of them U.S.-owned.
After a recent seven-month investigation, the Office of the United States Trade Representative found that Chinese theft of American intellectual property costs between $225 billion and $600 billion annually. The true costs are probably even greater, unbalancing the fairness of the free market in the United States itself.
“It’s a huge problem, and especially if you’re a smaller start-up in Silicon Valley,” Shea said. “You can’t afford to have a competitor suddenly spring up out of nowhere developing a very similar tech to the one you’re working on. And if you’re talking about a company working in the classified realm, and a lot of companies large and small have contracts with the Department of Defense … the government can’t use that product anymore.”
Beijing is willing to engage when things get too hot, as Xi did with Obama. China even went so far as to arrest hackers allegedly involved in the high-profile 2015 intrusions into the Office of Personnel Management’s database -- an intrusion that exposed the personal and financial data of about 22 million federal U.S. employees. It also has reasons of its own to cooperate in forging global norms, as China itself is a high-profile target. But the goal of technological dominance is too crucial for a rising power like China to play nice. The stakes are just too high. As Shea points out, the moment the Chinese can become primarily innovators, as opposed to sticky-fingered imitators, is the moment “they will be able to surpass the U.S. as the economic power in the world.”
Rocket Man Is Also Cyber Boy
Despite the often-comically overheated rhetoric emanating from Pyongyang, North Korea has no realistic aspirations toward global leadership, economic or otherwise. North Korea’s core mission is simply the survival of its regime, and from that mission springs much of its behavior in the international arena – ranging from its destabilizing nuclear program to its aggressive cyberattacks.
North Korea’s attitude toward cyberspace reflects that core priority. In a nation where most of the population has no internet access, the Korean People’s Army employs up to 6,000 cyberwarfare experts trained at institutions such as Pyongyang’s University of Automation.
Their goals are relatively simple: North Korea, poor and under sanctions, wants money. And it demands respect. The latter was the motivation behind the famous 2014 attack on Sony Pictures, when hackers, as FireEye’s Denning describes, wiped out more than 4,000 computers and servers and later posted unreleased movies and sensitive emails. The attackers were apparently motivated by the upcoming release of the film “The Interview.”
The former motivation helps explain other high-profile North Korean hacks, including the WannaCry ransomware attack that spread to 150 countries, with notoriously disruptive effects on Britain’s National Health Service, and an attack on the Bangladesh Central Bank that netted $81 million.
So Many Adversaries, So Little Time
“Inadequacy” is a word that gets thrown around a lot when experts, politicians and journalists discuss U.S. understanding of the cyberthreats posed by China, Iran and others. In addition to special counsel Robert Mueller’s indictment of Russian operatives and entities for meddling in the 2016 U.S. election, the Obama administration indicted members of China’s military after hackers hit American companies, while the U.S. had indicted seven Iranian hackers for attacks on a dam and on banks even before March’s indictments of the Mabna Institute network.
What seems to be missing, however, is a systemic U.S. government response. “We need greater government investment in the types of R&D that the private sector is not likely to advance,” insists Samantha Ravich, a senior adviser with the Foundation for the Defense of Democracies.
Cecile Shea suggests that something on the order of a new regulatory agency is needed.
“It’s the government’s job to protect American society and American consumers. If companies aren’t going to do a good job of that, Congress needs to create some sort of agency that provides advice and regulations,” Shea said. “Right now it’s a completely unregulated field. Who ends up being hurt are companies that pour a lot of money into cybersecurity and are not as profitable as they could be.” Considering our own leaders are clueless enough to use their own email servers and unsecured personal devices, such sweeping change may be hard to enact. And in a realm where not only governments but also organizations and individuals can carry out aggressive acts, and where technology evolves so fast, it isn’t clear that a regulatory agency would be enough, absent cyber literacy in the general population and proper investment by companies.
Government focus on cyberspace has, however, greatly increased in the last few years, and legislative initiatives have begun to come forward, including a cyber deterrence bill that “aims to establish a process for the federal government to identify, deter and respond to state-sponsored cyberattacks against the United States.”
At the root of the problem is that cybersecurity is not just a whole-of-government problem, but a whole-of-society challenge. Understanding how Iran, North Korea, China -- and, of course, Russia -- think about cyberspace is a start, but we’re talking about a reality where a single user’s carelessness can allow a Stuxnet worm to wiggle its way into a complex system. As George Friedman puts it: “A system whose security depends on an absence of carelessness is a system designed to fail.”