Sunday, October 21, 2012

Rockets to Rootkits: The Future of Warfare and the Internet

August 10, 2011, Bellevue College

Sometime in the near future, it’s another day at the office for Joseph Smith, an up-and-coming businessman at a technology firm based in downtown San Francisco. After driving in to the office and after several cups of coffee, Joseph is ready to tackle his work. What the coffee doesn’t prepare him for is the virus ticking down in the city’s power-grid controls like a time bomb. At 6:23pm, the lights go out. Before he can find a flashlight, Joseph hears the explosion of breaking glass and crunching metal below his window, and looks out to see a car wreck in the nearby intersection beneath now-dark traffic lights. Toxic fumes from a nearby treatment plant waft towards the city center, only slightly faster than the nuclear fallout from the power plant 15 miles away.

What on earth has just happened?  This may sound like a fantasy only seen in movies like Die Hard, but it is exactly the implied picture of a cyber-attack by China as portrayed by former US counter-terrorism advisor and first Head of Cyber-Security Richard Clarke, who believes that despite our exceptional offensive capabilities, our country’s defenses against cyber espionage and sabotage are dangerously lacking.

Such attacks are capable of powerful blows to vital city infrastructure systems that are made vulnerable by direct or indirect connection to the internet. When confronted with the figures of American military expenditures, which top the next six highest military spending nations combined (SIPRI), most Americans make the seemingly logical and mathematical assumption that no country on earth could challenge us in direct warfare. While we do have more jets and tanks than any other country, we are falling far behind in a new form of warfare that is every bit as powerful as land or sea combat, but one in which we are much less prepared defensively. We cannot fight with jets and tanks against malicious code attacks on infrastructure, cyber-espionage, and botnets. Over the next few years, we can expect warfare to move from trenches and rockets to Trojans and rootkits for three different reasons: cyber-warfare is anonymous, it’s cheap, and it’s super effective.

The phenomenon of waging war online has already introduced new complications to the way that countries must approach national defense in several different ways. Back in the 1950’s and 1960’s, the United States had the military might to defend itself purely by intimidation because back then, when one country attacked another, it was transparent; globally, everyone knew with relative certainty who was attacking which country and how. Mutually-assured-destruction awaited anyone who dared to blatantly attack a super-power or their allies. This is no longer the case, however, because cyber-attacks are by nature nameless. Many people in the United States still believe that because we have thousands of missiles that can strike any target on the planet, we can immediately retaliate to a cyber-attack with superior force, with the same sort of mutually-assured-destruction mindset for discouraging would-be hackers. Mutually-assured-destruction is an excellent method of deterrence against conventional attacks coming from an identifiable source, but it is hard to strike back at an opponent you can’t see. The internet can provide an intelligent terrorist organization, crime network, or hostile foreign country with the ability to fight in what is essentially a global house of mirrors—when a country gets hit, the blow can appear to have come from anywhere, or even multiple locations. The victim cannot say who hit them and from where with absolute certainty like they once could, and unlike Enter the Dragon, we cannot simply take Bruce Lee’s approach and shatter all of the mirrors. One recent example of this kind of attack-origin ambiguity was the discovery of the Stuxnet virus, a worm which specifically targeted Siemens computers that controlled a centrifuge in the Natanz fuel enrichment plant in Iran (Langner). The virus was designed to slowly crack the centrifuge over several months, and eventually cause it to explode by overriding the electronic fail-safes with false data and preventing the system from noticing any problem. Discovered in June of 2010, and later decoded in July by the German scientist Ralph Langner, the origin of the virus is still unknown. Many believe that it is of Israeli or American origin, but an intelligently hidden cyber-warhead can prove extremely difficult if not impossible to track back to its maker, and neither country has taken responsibility for the virus. This characteristic allows international organizations and governments to utilize the internet to spy on, steal from, and even overtly attack other nations like privateers on the high seas, armed with the shield of plausible deniability to protect themselves from a war with planes and missiles.

With the global economy in the state that it’s currently in, there’s a second reason that we can expect countries and organizations to utilize their computers for warfare more often in the coming decade: it’s immensely cheaper to fire off a virus than a missile. While the logistics of waging a conventional war today usually involve things like fuel for overseas flights and expensive protective equipment and weapons (not to mention the human body cost), the logistical concerns of waging a cyber-war would mainly be about having a solid network, maintaining good computers, and feeding your relatively small army of engineers and tech-support staff with enough sub sandwiches and milk-shakes to keep them happy. Smaller, perhaps less developed nations that wouldn’t necessarily have the pre-existing resources to sustain this kind of operation would not even have to worry about those needs; they can simply rent out a few foreign hackers and engineers and a botnet to conduct their operation. Botnets are usually only used by online criminal gangs, mainly for spam distribution, but could easily be used to attack another country with a Distributed Denial of Service (DDOS) attack, as used by the online group ‘Anonymous’ to attack Visa, Amazon, and Mastercard after the companies froze accounts associated with WikiLeaks figurehead Julian Assange. Alternately, they could be used to attempt to break into a secure system using ‘brute force’—trying hundreds of thousands of passwords (or more) a second in an organized fashion—which could result in access to national secrets or administrative privileges to infrastructural systems like power grids or banks. Either method could easily, if done intelligently, result in as much damage as blowing up a building with a cruise missile. To put the cost-ratio in perspective, a single cruise missile is generally estimated to cost between $750,000 and $900,000; the average price to rent a bot-net is a mere $9 an hour, or $67 a day (Danchev).

An important consequence of the low cost-base of digital warfare is the ease of access factor; because it’s so cheap, other countries are no longer the only real threat to the United States.  International organizations, including terrorist organizations, can easily utilize cyber-attack methods to carry out their own goals and missions. Some may even be ahead of what most think of as more powerful nations like the United States in technological proficiency and tip-toeing around the cyber-security systems in place. “We were laughing at Democratic activists” said Maajid Nawaz, a former Islamic extremist and founding director of the counter-extremism think-tank Quilliam. “We felt they were from the age of yesteryear. We felt that they were out of date. I learned how to use email from the extremist organization that I used. I learned how to effectively communicate across borders without being detected.”  Organizations like Nawaz’s could never hope to afford to buy their own cruise missile, singular, let alone plural. But if they are clever enough, they could inflict the same extent of havoc on a target nation at a minute fraction of the cost.  By economics alone, it is a safe assumption that most organized attacks against the United States in the coming decades won’t be with expensive bombs and guns, but with more cost-effective digital warheads.

Despite economic issues and worries over diplomatic privacy, the military’s first and foremost necessity is effectiveness; secrecy and cost-efficiency come secondarily. Given a choice between a cruise missile and a virus, it seems obvious that the cruise missile would be a far more effective military tool, if perhaps not the cheapest. There are a few things wrong with this line of thinking. First and foremost, while the United States has the money to buy expensive military toys, other countries may not, and would probably rely on digital methods of assault that no amount of anti-missile defense systems could ever really have a chance of defending against. There is more to it than that though: the problem with this perceived superiority of the cruise missile over a computer virus, even in an offensive scenario, is that it assumes that the best military target is something physical that you can locate and then proceed to blow up. Professional militaries often target communication hubs in order to isolate the enemy. While striking radar towers, radio centers, and phone companies has been extremely successful in the past, modern communication takes place online more often than not. While it is possible to attack a server with a missile, it might be impossible to do so without civilian collateral damage, and the server will probably have a back-up regardless. A cheaper, faster, more effective, and more discreet method of accomplishing the mission would be to use a virus that destroys the server, perhaps without even needing to geographically locate where the server is. A DDOS attack that overloads and slows down the server from electron-speed to molasses-speed would also be extremely effective at hampering communication.

Paramilitary groups and terrorist organizations usually have different aims: publicity and terror. While bombing a building or kidnapping and killing people does attract attention and inspire fear, it is often a third-person spotlight. People see and hear about it from the news, online, and from friends and neighbors, and it catches their attention for a while because it is interesting, but violent events don’t stay in your conscious mind as much because they hold little real-world relevance to an average individual.  A terrorist group that manages to electronically seek out and destroy bank records, or that shuts down or vandalizes a mega-website like Facebook or Google, would be generating exposure and sensation of the first-person variety, because what they have done has a real-world, everyday impact on everyone.  Thus, under the right circumstances, electronic attacks are not only as powerful as conventional attacks, but can sometimes actually be more effective than simply dropping a bomb on a building and calling it good.

Many skeptics object that although these are all legitimate claims, cyber warfare may never ‘catch on’. James Lewis from the Center for Strategic and International Studies argues that “there have been no cyber-wars and perhaps two or three cyberattacks since the internet first appeared” (Jackson). Along the same lines, Foreign Policy’s Zack Keck argues that the effectiveness of the Stuxnet worm is the result of the Iranian facility’s lack of common security precautions, and that we are unlikely to see any copycats in the future, as was predicted by other cyber-security experts and several companies. Cyber-warfare simply seems to lack the dependability of traditional military operations. Joseph Smith won’t really have to worry about his San Francisco home being attacked by hackers because those attacks don’t work when proper regulations are followed. If so, then let us examine a slightly less extreme scenario.

It’s late April and Josephina Smetana decides to go to the grocery store for some food. She walks up to the checkout counter with some vegetables and some beef, but after she swipes her card, she is politely informed that her card was denied. Angered and confused, she quickly walks (empty-handed) to the local ATM. It’s out of service, so she decides to check her account online. She types in the URL address for her bank, and gets an error message: the bank’s website is experiencing heavy traffic and is inaccessible at this time. There must be something wrong at the bank! She types in the URL for several of the local news stations to try to find out why the bank sites are down, only to find the same error message on the news sites. This is another cyber-attack, similar to the hypothetical one discussed previously in that it targets a nation—slightly different in its method of attack; it’s a DDOS attack instead of a worm. The important difference, however, is that this attack isn’t hypothetical.

On April 27th of 2007 the Estonian government removed a politically contentious Soviet memorial statue from WWII. The following day, the entire nation fell under attack. The Estonian Defense Minister, Jaak Aaviksoo, described the attack as targeting the online portion of Estonia’s digital infrastructure (Davis). “All major commercial banks, telcos, media outlets, and name servers — the phone books of the Internet — felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.” Note that Estonia is a modern, developed country, and was not in any noticeable way more vulnerable to cyber-attack than other countries its size, as was implied of Iran by Zack Keck. Estonia eventually broke the siege and got its systems running again only after temporarily severing all internet connections outside the country, effectively isolating itself from the rest of the world. The bot-net attacks finally stopped several weeks after they started. It is still debated who executed the attacks; most experts believe it was the result of either a ‘hacktivist’ Russian gang or a Russian official’s aide acting of his own free will. If such groups are capable of shutting down an entire country, if only briefly, what could a nation like China do with a coordinated effort? The effectiveness, cost-ratio, and anonymity of cyber-attacks make them as powerful a tool in the international court as any aircraft carrier or tank, and we can count on seeing far more of them in the future. The question we should be asking then isn’t: “is cyber-warfare a threat we need to take seriously?”, but rather: “Are we, as a nation, prepared to fight and win a full-out Cyber War?”

Works Cited
  1. Clarke, Richard. Interview. Cyber War. NPR. WNYC, New York. 21 Apr 2010. Web. 5 Aug. 2011.
  2. Danchev, Dancho. “Study Finds the Average Price for Renting a Botnet.” ZDNet. 26 May 2010. Web. 9 Aug. 2011.
  3. Davis, Joshua. “Hackers Take Down the most Wired Country in Europe.” Wired. 21 Aug 2007. Web. 9 Aug. 2011.
  4. Gross, Michael. “A Declaration of Cyber-War.” Vanity Fair. Apr 2011. Web.
  5. Hersh, Seymour. “The Online Threat: Should We Be Worried About a Cyber War?” The New Yorker Nov. 2010: 1-7. Web. 2 Aug. 2011.
  6. Hypponen, Mikko. “Fighting Viruses, Defending the Net.” TED. Mar 2011. Web. 2 Aug 2011.
  7. Jackson, William. “The False Cries and Fog of ‘Cyber War’.” Government Computer News. 15 July, 2011. Web. 9 Aug. 2011.
  8. Keck, Zachary. “Libicki: Stuxnet Isn’t All it’s Cracked Up to Be—But Then Again, Neither is Cyberwar Really.” Foreign Policy. 3 Mar 2011. Web. 9 Aug. 2011.
  9. Langner, Ralph. “Cracking Stuxnet, a 21st Century Cyber Weapon.” TED. Mar 2011. Web. 2 Aug 2011.
  10. Nawaz, Maajid. “A Global Culture to Fight Extremism.” TED. Mar 2011. Web. 3 Aug 2011.
  11. Neilson, Robert. Sun Tzu and Information Warfare. Washington DC: National Defense University Press, 1997. Print.
  12. “SIPRI Military Expenditure Database, The.” Stockholm International Peace Research Institute. 2011. Web. 3 Aug. 2011.
  13. Thompson, Loren. “Cyberwarfare May Be a Bust for Many Defense Contractors.” Forbes. 9 May 2011. Web. 9 Aug. 2011.
  14. Thornburgh, Nathan. “Inside the Chinese Hack Attack.” Time. 25 Aug 2005. Web. 9 Aug. 2011.
