Is preemptive cyberwarfare good national security policy?

Summary: This article by our own David Gewirtz, one of America's leading cyberwarfare experts, begins by quoting Dwight Eisenhower and ends by quoting Kanye West. If that doesn't say "must read," nothing does.

TOPICS: Security, Government

On August 11, 1954, then-President and former five-star Army general Dwight D. Eisenhower spoke of war. He said:

A preventive war, to my mind, is an impossibility today. How could you have one if one of its features would be several cities lying in ruins, several cities where many, many thousands of people would be dead and injured and mangled, the transportation systems destroyed, sanitation implements and systems all gone? That isn't preventive war; that is war.

When considering cyberwar, Eisenhower’s statement can prove quite instructive. When exploring the question of where cyberattacks and cyberespionage fit into the pantheon of battle scenarios, there has always been the general feeling that cyberwar is to “real” war as fantasy football is to football.

In other words, cyberwar doesn’t do physical harm, so it’s not quite as real as war. Or is it?

As Ike pointed out, if an attack – no matter what it’s called – destroys our systems of civilization, it’s war. In that context, whether the weapons are flung by solid fuel rockets or Core i7 processors, where there is destruction, there is war.

In October 2012, a malware infection introduced via USB drive (reminiscent of the Stuxnet attacks) was reported by ICS-CERT as having delayed the restart of an unnamed U.S. power plant by three weeks. According to Homeland Security, 40 percent of cyberattacks have targeted the energy sector. Back in May, ICS-CERT reported ongoing attacks against America’s natural gas pipeline companies.

When there are constant, advanced, persistent attacks targeting America’s energy grid, and when some of them make it through to the point of keeping at least one power plant offline for weeks, that’s no longer just cyberwar, that’s war.

This past week saw an almost breathtaking array of cyberattacks, initiated by a widely varied set of actors, with a widely multifarious set of agendas:

  • China is almost undoubtedly the source of persistent penetration attempts against both The New York Times and The Washington Post. These were espionage operations designed to uncover names of Chinese dissidents and, presumably, then either incarcerate them – or worse.
  • Twitter was hacked, and 250,000 accounts were compromised. According to the company, this was a very professional attack.
  • Our own ZDNet site (along with other major media Web sites) saw red when a malware alert was shown to visitors attempting to read our articles. As it turns out, one of our advertising partners, NetSeer, was hacked, and their site was infected by malware. When Google detected it, any site linking to or serving NetSeer content was blocked by a warning.
  • Hacker collective Anonymous took aim at the banking sector, and reportedly posted 4,000 login credentials for senior banking officials. Anonymous also hacked into (repeatedly, it turns out) and defaced two government Web sites.
  • The Department of Homeland Security advised that all users – all users – stop using Java because exploits actually in the wild could lead to computers being remotely controlled by attackers and criminals.
  • A few days later, DHS advised users (again, all users) to disable UPnP (Universal Plug and Play) technology – a key technology that makes it easier to connect devices like printers to internal networks. Over 80 million devices were identified in an Internet-wide scan as being vulnerable to accepting and executing malevolent code payloads.

And this has only been in the last week. Not only are we seeing more and more cyberattacks, the rate of increase is itself increasing.

When United States Secretary of Homeland Security Janet Napolitano says there’s a growing potential for an imminent cyber 9/11, I’m sorry to say I have to concur.

Two years ago, shortly after I’d begun what would become extensive research into Stuxnet, I asked, “Is using preemptive cyberwarfare good national security policy?”

At the time, I was still thinking of war and espionage and crime as separate things, threats that could be sorted into separate buckets. But as I’ve come to know more and more about how cyberwar is evolving, it’s become clear that these things are becoming conflated.

Some nation states use cybercrime to fund their internal operations; other nation states use cyberespionage to track down and detain dissidents. Activist hackers attack our government resources and financial institutions. And, of course, there are those attacks against our power grid.

Into this reality comes a report that the President can order “preemptive” cyberstrikes if the United States faces attack. Like the original Stuxnet report from The New York Times, this one is attributed to unnamed but apparently credible sources. Because neither of these reports can be verified, they can’t be considered fact. That said, whether verifiably true or not, these claims certainly fit with the evolving nature of cyberwar and America’s role in this new battlespace.

In 2010, I asked, “(1) is a preemptive attack of any form necessary for national security, and (2) can that attack be more effective or save more lives using virtual weapons?”

As President Eisenhower said, “a preventive war” is “an impossibility.” Likewise, it has become clear that – given the millions of cyberattacks happening on any given day – there is no longer any such thing as a “preemptive” cyberattack. We're unlikely to get them before they (at the very least) try to get us.

That doesn’t mean the United States (and other Western nations) shouldn’t field armies of cyberwarriors. We are clearly under attack. We must, absolutely must, fight back and defend ourselves.

But let’s not fool ourselves.

Certainly some sorts of digital attacks can cause damage without directly putting lives at risk, but the simple fact is: people are going to get hurt. There will be collateral damage.

Whether destruction is being perpetrated by a recognized nation or a despised organization, whether the fighters use conventional weapons or digital ones, in the immortal words of Kanye West, “It’s a war going on outside, we ain’t safe.”

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

  • Very dangerous territory

    We're surely in very dangerous territory. Non-state actors (hackers) do a tremendous amount of costly damage to U.S. economic interests already. Provoking a nation-state with comparatively huge talent and economic resources could prove very costly, indeed, to the U.S. economy. OTOH, we are already engaged in pre-emptive cyberwar as it is: Stuxnet being exhibit A. Tread with caution, is probably the best advice.
  • Perhaps...

    ...the Cold War doctrine of measured responses is in order; that is to say, if we're confronted with a hostile act, we reserve the right to respond in kind; but "the punishment should fit the crime" (we don't nuke the other side's capital because its naval vessel fired on one of ours).

    I figure if I was President in this circumstance, I'd be talking with my Secretary of State and CIA director (the CIA is still in charge of covert operations) about Chinese targets to hack, but I'd proceed with caution (in particular, making sure I don't end up killing people).
    John L. Ries
    • Tit-for-tat

      I've never quite understood "proportionate response." My thought is that if attacked, we hit back with an overwhelming response. Hitting first has firmly established itself as a bad idea.
      • Really?

        I'm guessing that the US and USSR would have blown each other up five times over if your advice had been followed.

        I'm all in favor of negotiating from a position of strength, but attacking a country because of a diplomatic slight (what Woodrow Wilson did at Veracruz) doesn't accomplish anything useful.
        John L. Ries
    • Perhaps .... As long as no one gets killed?

      Since we're quoting Dwight D. Eisenhower

      "A vital element in keeping the peace is our military establishment. Our arms must be mighty, ready for instant action, so that no potential aggressor may be tempted to risk his own destruction. . . . American makers of plowshares could, with time and as required, make swords as well. But now we can no longer risk emergency improvisation of national defense; we have been compelled to create a permanent armaments industry of vast proportions. . . . This conjunction of an immense military establishment and a large arms industry is new in the American experience. . . . Yet we must not fail to comprehend its grave implications. . . . In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist."

      The USA kills dozens a week with drone strikes, 75% of which are innocent women and children, and the elderly but that's OK?

      Furthermore, the USA says that it will have as many as 30,000 drones flying in US skies to monitor the population soon (all hackable).

      "The potential for the disastrous rise of misplaced power exists and will persist." to quote the author's own source. Words of wisdom no one bothered listening to. Seems to be pretty persistent. Congress isn't even consulted any longer, the prez just orders "hits" and can now order them on US citizens as well under NDAA.

      So which America are we speaking of, the old America of laws, liberty and justice for ALL or the new pseudo one of today?
      • Hacking of the sort the Chinese are accused of...

        ...isn't worth killing people over... particularly not the innocent bystanders whose lives would be endangered by something like sabotaging a nuclear power plant.

        But I think a list of Chinese spies stationed abroad would be of great interest to governments all over the world (even ones not friendly to the US).
        John L. Ries
  • Our Cyberwar efforts should be focused on defense

    Pre-emptive strike is always the wrong answer.

    The only people we should be targeting are terror groups that have declared war on us and the nuclear research of Iran and North Korea (ok, I know bottle rockets aren't very scary but still...).
  • Wrong focus

    Most of our vulnerabilities come from bad software, either in the form of lousy, buggy coding or inherently poor design. Remember those cylindrical locks that Kryptonite and others used for bike locks that ended up being quickly hackable with a Bic pen? Much of our software is like that -- once a clever hack is discovered, everyone who might be interested in something like that knows about it right away. Fixing the vulnerability usually takes a bit more time. Microsoft, Adobe, and Oracle in particular have been hopeless in securing their products and I think Government time and resources would be better spent on helping companies with widely used but vulnerable products that they themselves have been unable to fix.
  • In both Iraq wars, the coalition forces engaged in preemptive strikes.

    When one thinks about it, those armed forces led by the US in both Gulf Wars initiated military action against Iraq on the day and time of the coalition's choosing. In that regard, those strikes were preemptive.

    But here's the thing. Once those preemptive strikes took place, the use of massive military force did not let up until coalition strategic goals had been accomplished.

    One has the feeling that many persons feel a preemptive Cyber attack would be a "stand alone" attack - much like the Stuxnet virus attack was.

    That's NOT THE WAY a preemptive military strike should be conducted. Never engage in a stand alone attack if strategic goals are involved.

    If a preemptive Cyber war is unleashed against another country by the US then it should be made known beforehand to any potential aggressive nation's policy makers that this Cyber strike is just an opening salvo against that nation and will be followed up with any necessary military force options that will achieve a strategic goal. (Whether that be regime change or the destruction of that nation's military apparatus.)

    My point is: Cyber war should be considered as part of a serious Military response and not as some sort of state funded electronic spying or infrastructure sabotage.

    Never confuse hacking with cyber warfare.
    • In the gulf war...

      ...was Iraq that invaded Kuwait (and we stopped once the Iraqis were driven out, except to establish no-fly zones). The U.S. response was classic balance of power action and, in my opinion, absolutely necessary.

      I still suspect we invaded Iraq in 2003 because the second President Bush decided he needed a head on his wall (but I still wonder what he did to convince Tony Blair's government to go along).
      John L. Ries
      • In the Gulf war ...... absolutely necessary?

        This is a Veteran's website so of course it won't be credible to many viewpoints here.

        There are dozens more. Simply Google "Bush Kuwait Sadam" if you actually wish to know what happened. Research, research and research is necessary, not the TV set.

        Of course this is 20 year old News to many but for those playing catchup here it is for you to read in its entirety along with the 20 year old documents released by the government. It's out of their own mouths. What more does one need?
    • I don't suggest...

      ... an invasion of China unless it's absolutely necessary. We have enough to do in Afghanistan and on the Korean DMZ; and a shooting war with China would be very bad for all involved.
      John L. Ries
      • The US

        could not win an invasion of China. We simply don't have enough troops. An invasion of China would be a huge disaster for both countries. It would make the current wars look like child's play.
  • Cyber Attack!!

    Nuke that Chinese!!! a menace of this world.
  • Something I don't understand

    If I feel I MUST stick my arm out the window of a speeding car, eventually something is likely to rip that arm from my body. But, if I watch and ONLY stick my arm out the window when I can clearly see nothing ahead that could rip my arm off, then I have a many-magnitude increase in the likelihood of keeping my arm attached to my body.

    Likewise, if I were the gvt and KNEW there were dangers looking to hack me, WHY am I providing a path into my system 24/7/365??
    Opening a port or two at specific times for specific reasons and NEVER unattended, seems like it would do much the same for keeping my arm from being ripped off.
    And what about the (apparently no longer used) ownership of a piece of wire that goes from me to my supplier, say, and never connects to the internet? I have worked at a place that owned its own dedicated data wires between plants. They activated ONLY when there was data to send, and disconnected as soon as the data transmission completed. We had two wires going to Ontario, and 3 going to Texas. Those were the only ones I ever used and I have no idea what others there were, but they did exist.
    Wire might be a minute or three slower than RF, but it was safer and if anything anywhere along that line were tapped into or even magnetically monitored, it showed up in the line's testing, intermingled with the data, as latitudinal and longitudinal balance disturbances and modifications of the echo factors and even data amplitudes in some cases. Any such disturbance shut the comms down in milliseconds while further, more accurate testing would occur. Not perfect, but darned near perfect in those days. Oh, and data was also encrypted with rolling keys that changed randomly.

    Why are things like that not used in the gvt? Instead of encrypted data passing through 30 or more nodes, all access points for stealing data, in theory there were only two nodes: The sending and receiving nodes. Even simultaneous two-way data passage was possible but seldom needed.

    And why is ANYTHING sent without reliable encryption methods?

    Actually, I know why: our gvt critters and such simply and plainly do not know HOW to accomplish those things and they're kept busy working on how to tap wi-fi connections et al rather than causing any true security advances to occur.
    I'd like to think the gvt IT is top notch, but far too many occurrences prove that isn't so. That seems to be typical of way too many supposedly "good" security methods at most companies. Encryption alone would further the success of security a LOT without adding much complexity if those places thought about it for just a moment.

    As often happens, if/when the gvt really hits onto good things like that such things, meaning methods, also roll down to the general-usage populations.
  • Re: Something I don't understand

    Q: "Why are things like that not used in the gvt?"

    One answer is that dedicated site-to-site wiring can be disabled by a single attack anywhere along the cable's length. In contrast, a web of wires joining a pair of sites can be attacked at many different locations, and still function perfectly well, by routing the signal around the attacked locations.

    A second answer is that the military tends to run 24 hours a day, every day of the year, so even if you only turned on your dedicated (internet isolated) LAN only when you wanted to use it, it would still be on all the time.

    Finally, given the vast number of military resources that are spread across the planet, which all need to exchange information, a hardened, military LAN that's disconnected from the internet would cost more than using off-the-shelf, commercial internet hardware.

    I take your point about only sending data in encrypted form, but I think that is why banks (and, I assume, the military) use Virtual Private Networks or VPNs.