On August 11, 1954, then-President and former five-star Army general Dwight D. Eisenhower spoke of war. He said:
A preventive war, to my mind, is an impossibility today. How could you have one if one of its features would be several cities lying in ruins, several cities where many, many thousands of people would be dead and injured and mangled, the transportation systems destroyed, sanitation implements and systems all gone? That isn't preventive war; that is war.
When considering cyberwar, Eisenhower’s statement can prove quite instructive. When exploring the question of where cyberattacks and cyberespionage fit into the pantheon of battle scenarios, there has always been the general feeling that cyberwar is to “real” war as fantasy football is to football.
In other words, cyberwar doesn’t do physical harm, so it’s not quite as real as war. Or is it?
As Ike pointed out, if an attack – no matter what it’s called – destroys our systems of civilization, it’s war. In that context, whether the weapons are flung by solid fuel rockets or Core i7 processors, where there is destruction, there is war.
In October 2012, a malware infection introduced via USB drive (reminiscent of the Stuxnet attacks) was reported by ICS-CERT as having delayed the restart of an unnamed U.S. power plant by three weeks. According to Homeland Security, 40 percent of cyberattacks have targeted the energy sector. Back in May, ICS-CERT reported ongoing attacks against America’s natural gas pipeline companies.
When there are constant, advanced, persistent attacks targeting America’s energy grid, and when some of them make it through to the point of keeping at least one power plant offline for weeks, that’s no longer just cyberwar, that’s war.
This past week saw an almost breathtaking array of cyberattacks, initiated by a widely varied set of actors, with a multifarious set of agendas:
- China is almost undoubtedly the source of persistent penetration attempts against both The New York Times and The Washington Post. These were espionage operations designed to uncover names of Chinese dissidents and, presumably, then either incarcerate them – or worse.
- Twitter was hacked, and 250,000 accounts were compromised. According to the company, this was a very professional attack.
- Our own ZDNet site (along with other major media Web sites) saw red when a malware alert was shown to visitors attempting to read our articles. As it turns out, one of our advertising partners, NetSeer, was hacked, and their site was infected by malware. When Google detected it, any site linking to or serving NetSeer content was blocked by a warning.
- Hacker collective Anonymous took aim at the banking sector, and reportedly posted 4,000 login credentials for senior banking officials. Anonymous also hacked into (repeatedly, it turns out) and defaced two government Web sites.
- The Department of Homeland Security advised that all users – all users – stop using Java because exploits actually in the wild could lead to computers being remotely controlled by attackers and criminals.
- A few days later, DHS advised users (again, all users) to disable UPnP (Universal Plug and Play) technology – a key technology that makes it easier to connect devices like printers to internal networks. Over 80 million devices were identified in an Internet-wide scan as being vulnerable to accepting and executing malevolent code payloads.
And this has only been in the last week. Not only are we seeing more and more cyberattacks, but the rate of increase is accelerating as well.
When United States Secretary of Homeland Security Janet Napolitano says there’s a growing potential for an imminent cyber 9/11, I’m sorry to say I have to concur.
Two years ago, shortly after I’d begun what would become extensive research into Stuxnet, I asked, “Is using preemptive cyberwarfare good national security policy?”
At the time, I was still thinking of war and espionage and crime as separate things, threats that could be sorted into separate buckets. But as I’ve come to know more and more about how cyberwar is evolving, it’s become clear that these things are becoming conflated.
Nation states use cybercrime to fund their internal operations; other nation states use cyberespionage to track down and detain dissidents. Activist hackers attack our government resources and financial institutions. And, of course, there are those attacks against our power grid.
Into this reality comes a report that the President can order “preemptive” cyberstrikes if the United States faces attack. Like the original Stuxnet report from The New York Times, this one is attributed to unnamed but apparently credible sources. Because neither of these reports can be verified, they can’t be considered fact. That said, whether verifiably true or not, these claims certainly fit with the evolving nature of cyberwar and America’s role in this new battlespace.
In 2010, I asked, “(1) is a preemptive attack of any form necessary for national security, and (2) can that attack be more effective or save more lives using virtual weapons?”
As President Eisenhower said, “a preventive war” is “an impossibility.” Likewise, it has become clear that – given the millions of cyberattacks happening on any given day – there is no longer any such thing as a “preemptive” cyberattack. We're unlikely to get them before they (at the very least) try to get us.
That doesn’t mean the United States (and other Western nations) shouldn’t field armies of cyberwarriors. We are clearly under attack. We must, absolutely must, fight back and defend ourselves.
But let’s not fool ourselves.
Certainly some sorts of digital attacks can cause damage without directly putting lives at risk, but the simple fact is: people are going to get hurt. There will be collateral damage.
Whether destruction is being perpetrated by a recognized nation or a despised organization, whether the fighters use conventional weapons or digital ones, in the immortal words of Kanye West, “It’s a war going on outside, we ain’t safe.”