Cyberspace and National Security: Selected Articles II
Edited by Gabi Siboni
Contents
Foreword | 5
A Blueprint for Cyber Deterrence: Building Stability through Strength | 7
Frank J. Cilluffo, Sharon L. Cardash, and George C. Salmoiraghi
Duqu's Dilemma: The Ambiguity Assertion and the
Futility of Sanitized Cyberwar | 29
Matthew Crosston
The Strategic Uses of Ambiguity in Cyberspace | 43
Martin C. Libicki
An Interdisciplinary Look at Security Challenges in the
Information Age | 51
Isaac Ben-Israel and Lior Tabansky
Cyber Warfare and Deterrence:
Trends and Challenges in Research | 69
Amir Lupovici
In Defense of Stuxnet | 83
James A. Lewis
Unraveling the Stuxnet Effect: Of Much Persistence and
Little Change in the Cyber Threats Debate | 95
Myriam Dunn Cavelty
The Threat of Terrorist Organizations in Cyberspace | 105
Gabi Siboni, Daniel Cohen, and Aviv Rotbart
The INSS Cyber Program | 133
Foreword
Israel's rapid development as a leading player in the cyber realm is one of
several factors that have spurred research in Israel in general, and at the
Institute for National Security Studies (INSS) in particular, on cyber-related
issues. In order to broaden the scope of the research underway at INSS,
the INSS Cyber Program has long promoted international cooperation
in the field, reflected, for example, in the INSS conference on defensive
operations and intelligence in cyberspace, held with the Cyber Security
Forum Initiative (CSFI), a large and important organization in the United
States cyber community. This year's conference is also held in collaboration
with various entities in Israel, including the Ministry of Intelligence, the
National Cyber Staff, the IDF Computer Service Directorate, and the chief
scientist in the Ministry of the Economy.
The conference's focus on defensive operations and intelligence allows
INSS to highlight its work in this field, which complements a variety of
related professional activities underway in Israel and around the world.
This year's conference has several important objectives, among them: to
deepen cooperation among government agencies and organizations in
the cyber field in Israel and the United States; to enhance exposure of the
Israeli cyber market among American technology companies that seek to
develop business in Israel or to lend exposure to Israeli capabilities and
technologies abroad; and to expand international cooperation in the cyber
field with other countries.
As with previous conferences, we have compiled several articles written
by researchers at INSS and institutions elsewhere around the world. These
articles were prepared within the framework of the Institute's Cyber Program,
and were first published in the INSS journal Military and Strategic Affairs.
Gabi Siboni
Director, Cyber Program, INSS
dissuade, deter, and compel both state and non-state hostile actors. Placing
potential threats into conceptual relief this way helps clarify the sources
of danger and serves as a starting point for determining and attaching
responsibility for hostile action(s) against a country or its allies. This then
allows the relevant players who have been targeted by hostile actors to
proceed with necessary discussions and action as both a precursor to,
and actual execution of, appropriate and effective response measures. The
rubric thus yields a further corollary benefit by aiding to identify areas that
would benefit from or even require cooperation among affected/targeted
entities. In short, this framework provides a starting point to explore ways
to deter hostile actors, and as such offers a conceptual lens that can be of
value to the US and its allies alike. Neither the range of actors nor their
potential activities detailed below is meant to be exhaustive. It is instead a
snapshot, and a rough one at that, intended to help convey a sense of who,
what, how, why, and so on, as a prelude to a more in-depth discussion of
strategy and policy in the area of cyber deterrence.
State Actors
Foreign militaries may engage in computer network attack/computer
network exploitation (CNA/CNE) to limit, degrade, or destroy another
country's abilities, in furtherance of a political agenda. Foreign militaries are
increasingly integrating CNA and CNE capabilities into their war fighting and
military planning and doctrine.2 Such efforts have conventional battlefield
applications (i.e., enhancing one's own weapon systems and platforms,
and/or stymieing those of others); and unconventional applications, as
cyberspace extends the battlefield to incorporate broader civilian and societal
elements. Cyber domain activity may cover intelligence preparation of the
battlefield, to include the mapping of critical infrastructures of perceived
adversaries.3
Foreign intelligence and security services: Exploits may include political,
military, economic, and industrial espionage; theft of information from or
about another government; or theft of intellectual property, technology, trade
secrets, and so on in the hands of private corporations and universities.
Many foreign intelligence services are engaged in industrial espionage in
support of private companies.4 Ultimate aims of activities by this actor
category include the desire to influence decisions, and affect the balance of
power (regionally, internationally, and so on). Convergence of human and
Non-State Actors
Non-state terrorist organizations may conduct CNA/CNE in furtherance of a
specific political agenda. They place high value on the internet (to recruit,
train, fundraise, plan operations, and so on).6 US and allied counterterrorism
efforts yielding success in the physical world may lead al-Qaeda and their
ilk to enter the cyber domain ever more deeply. The latter might try to learn
lessons from (or even surf in the wake of) the actions of Anonymous
and other hacktivists who use the cyber domain to bring attention to the
cause they espouse.
Non-state criminal enterprises, whose activities include theft of intellectual
property, identity theft, and fraud, are generally motivated by profit.
Cyber-specific tools and techniques can yield major monetary rewards. The
global cybercrime market was valued at $12.5 billion-plus in 2011,7 though
estimates vary (validity of calculation methodologies and impartiality of
certain sources is debated and empirical evidence is difficult to obtain).
Hybrid aspects: Alliances of convenience are possible among non-state
actors (terrorist and criminal groups, and even individuals) to fill capability
gaps, generate force multiplier effects, and so on. Similar arrangements
of mutual convenience are also possible between state and non-state
(terrorist, criminal, lone hacker) entities; a non-state actor serves to expand
a states skills and capabilities, or acts as a states proxy for other purposes.
Such arrangements further compound the attribution challenge (who is
responsible) and provide for additional plausible deniability.
Compared with deterrence in the nuclear realm,8 the cyber counterpart bears
both similarities and differences.9 The cyber domain in particular demands
a focus on actors, rather than weapons/capabilities alone; hence prioritizing
these actors according to the scope, scale, and nature of the threat that they
pose is critical. Only after racking and stacking them can we focus on the
actors that matter most, and do so in a way that confronts and neutralizes
their specific intentions and capabilities.
Defense and offense are both crucial components of a multilayered
and robust US posture and strategy designed to ensure national safety.
Deterrence can provide an additional layer of protection by preventing
those with interests inimical to the United States from leaving the starting
blocks. To preserve as well as further national/homeland security, it is
therefore important to think through, develop, and sustain over time in
a quickly evolving (technological and security/defense) ecosystem the
requisite US capabilities and capacities to support the country, credibly
and effectively, in standing ready and being able to dissuade, deter, and
compel its adversaries. While concerted efforts directed toward these ends
should be pursued in parallel with committed efforts to defend systems,
such an approach and stance must not be taken as a substitute for building
and maintaining strong additional means of reconstitution that give rise
to strong resilience. Indeed, resilience itself may be a powerful deterrent.
Reflecting the wisdom of Sun Tzu, the capacity to bounce back after an
incident plus the demonstrated will and ability to respond to a cyber attack
should serve to strengthen US deterrence efforts and thereby avoid battle
and bloodshed: "For to win one hundred victories in one hundred battles
is not the acme of skill. To subdue the enemy without fighting is the acme
of skill."10
concerns of the major powers, for the impact of certain scenarios raised
above could significantly undermine, if not shatter, trust and confidence
in the system (be it American or another).
Nor is the threat unique to the United States. Asymmetric warfare is
of course one of the defining features of the Israeli experience on both
the kinetic and virtual battlefields.38 Consider also other (arguably) lesser
known casualties of the cyber struggle. As outlined by the Office of the
National Counterintelligence Executive in its 2011 Report to Congress:
Germany's Federal Office for the Protection of the Constitution (BfV) estimates that German companies lose $28 billion-$71 billion and 30,000-70,000 jobs per year from foreign
economic espionage. Approximately 70 percent of all cases
involve insiders.
South Korea says that the costs from foreign economic
espionage in 2008 were $82 billion, up from $26 billion in
2004. The South Koreans report that 60 percent of victims
are small- and medium-sized businesses and that half of all
economic espionage comes from China.
Japan's Ministry of Economy, Trade, and Industry conducted a survey of 625 manufacturing firms in late 2007 and
found that more than 35 percent of those responding reported some form of technology loss. More than 60 percent
of those leaks involved China.39
Observations by French Senator Jean-Marie Bockel, recorded in an
information report of France's Senate Committee on Foreign Affairs,
Defence and Armed Forces, are equally striking:
In France, administrative authorities, companies and vital
service operators (energy, transport, health, etc.) are victims
daily of several million cyber attacks. These cyber attacks
may be carried out by computer hackers, activist groups,
criminal organisations, as well as by competitor companies,
or even by other States. The finger of suspicion often points
towards China or Russia, even if it is very difficult to identify the authors of these attacks precisely.40
So too the assessment of Jonathan Evans, Director General of the United
Kingdom's Security Service:
Britain's National Security Strategy makes it clear that cyber security ranks alongside terrorism as one of the four
and appreciate that the United States can and will impose a proportionate
penalty if attacked in a cyber manner and medium, though US response
may ultimately be cyber or kinetic, with all options on the table. Regarding
cyber response, offensive capability must be demonstrated in such a way as
to leave no doubt as to the consequences of breaching a US red line. Such
demonstration, however, must be undertaken with full recognition of the fact
that any tool, technique, tactic, or procedure employed could subsequently
be taken up, tweaked, and used in turn in retaliation, including against
allies. Response in this context is predicated on the ability to attribute an
attack to one or more specific actors (foreign powers).
On the intelligence side, since their inception states have been engaged
in stealing secrets. Though espionage has gone digital, taking and adapting
the world's second oldest profession to the twenty-first century, foreign
governments are using cyber means for the original purpose: to obtain
information that can be used to shape and sharpen decision making. Put
another way, states are using cyber means (think of Russian and Chinese
hackers working in service of their governments, for example) to augment
their ability to collect information of interest to their respective policymakers.
The question then becomes, what information are these actors interested
in obtaining, and why? To the extent that practitioners of cyber deterrence
can inject insights and articulate a detailed answer to this double-barreled
query, the targeted government (be it US or allied) will be able to defend
systems better and tailor deterrence activities correspondingly.
Industrial espionage is a subset of this type of state sponsored activity.
The intent is to increase the economic prosperity or viability of business
concerns in a given state. Although the espionage activity is state directed,
the ultimate beneficiaries may be private or semi-private entities. On the flip
side, from the target's perspective, the consequences that follow from the
theft of trade secrets may be profound and extend beyond economic loss,
to diminished national stature in the eyes of the world. In the assessment
of US National Counterintelligence Executive Robert "Bear" Bryant, cyberespionage is "a quiet menace to our economy with notably big results.
Trade secrets developed over thousands of working hours by our brightest
minds are stolen in a split second and transferred to our competitors."45
US productivity and innovation may also suffer as a result, with further
potential knock-on effects for future growth and development. If military
relevant information is exposed and extracted, there may also be national
facts reach all key defenders of national assets and resources, including
those owned and operated by the private sector (critical infrastructure).
Partner for success. No single component of government or even the
government as a whole can go it alone in the cyber domain. Genuine
intra- and cross-sector partnerships are essential. Within government, for
example, the careful synchronization and harmonization of military and
intelligence functions (Titles 10 and 50) for cyber deterrence purposes could
prove valuable, as it has in the counterterrorism context. The importance
of inoculating ahead of time extends beyond the public sector to critical
networks and systems that lie in private hands. Accordingly, the private
sector must commit to undertake the steps necessary to reinforce homeland/
national security. To ensure that bar is met, federal authorities should
reach out to the private sector, taking a carrot and stick approach that
combines both positive and negative incentives designed to produce the
desired outcome.
Think and act internationally. Transnational challenges require transnational
solutions, and cyberspace is by definition borderless. Trusted partners on
the international level can and should bring much to the table in this context.
Admittedly, national interests may impede the ability to share the most
sensitive of data and information. Nevertheless, it would be self-defeating
to refrain from leveraging key bilateral relationships and alliances, from
the Five Eyes intelligence partnership (Australia, Canada, New Zealand,
the United States, and the United Kingdom) to NATO to the EU plus other
strategic partners such as in the Mediterranean region and Asia, to include
Israel, Singapore, India, and Japan.
With inspired leadership (the cyber warfare equivalents of Billy Mitchell,
Bill Donovan, or George Patton, who truly understood the tactical and
strategic uses of new technologies and weapons), the United States can
forge and execute a powerful cyber deterrence strategy that looks through
its adversaries' eyes in order to be adequately prepared for cyber events,
ideally with just bits and bytes rather than bullets, bombs, and bloodshed.
Notes
1 Eric Sterner, Deterrence in Cyberspace: Yes, No, Maybe, in Returning
to Fundamentals: Deterrence and U.S. National Security in the 21st Century
(Washington, D.C.: George C. Marshall Institute, 2011), p. 27.
2 Bryan Krekel, Patton Adams, and George Bakos, Occupying the Information
High Ground: Chinese Capabilities for Computer Network Operations and
Duqu's Dilemma:
The Ambiguity Assertion and the
Futility of Sanitized Cyberwar
Matthew Crosston
Dr. Matthew Crosston is the Miller Endowed Chair for Industrial and International
Security and Founder and Director of the International Security and Intelligence
Studies (ISIS) program at Bellevue University.
This article was first published in Military and Strategic Affairs 5, no. 1 (2013): 119-31.
Whether one believes LOAC can or cannot apply to the cyber domain,
whether one pushes for an international cyber treaty or thinks such treaties
will be meaningless, one aspect is constant: the desire for rules governing
cyberwar behavior. The problem is in attempting to create a code of cyber
conduct that demands a distinct separation between civilian and military
sectors. The cyber domain is not amenable to this separation since the
aforementioned fusion, where participants, facilities, and targets are
hopelessly entangled between civilian and military institutions, has basically
been a missing explanation as to why the global effort to enhance and
clarify norms has remained uneven and inadequate.
initiate and enact a cyber attack depend upon and work within countless
numbers of civilian networks. In addition, many of the actors that are
part of the planning, initiation, and deployment of cyber attacks are not
necessarily formal military but rather civilian employees of government
agencies. In other words, the world of cyber conflict and cyberwar is not a
world that can achieve such explicit classification. In fact, future trends only
show this fusion growing deeper and tighter in time. As such, any attempt
to introduce norms and rules that are predicated upon knowledgeable
differentiation will likely end up confused and ineffective.
This ambiguity assertion, for lack of a better term, has so far been
relatively ignored in the various cyber debates. The latter tend to revolve
around how loose or rigid, how informal or formal, how international or
local such codes of constraint should be. Many of these proposed codes
aim to constrain cyber behavior so as to protect banking, power, and
other critical infrastructure networks except when nations are engaged
in war.4 Without addressing the ambiguity problem, however, states
find themselves in a quandary: where are the lines of distinction between
civilian and military drawn? Perhaps the biggest dilemma, therefore, is
not the problem of figuring out attribution (who was the trigger man), but
rather this futile attempt to clear up the inherent and purposeful ambiguity
that characterizes the critical infrastructure used to house, develop, and
utilize a state's cyber capabilities.
Many of the current cyber discussions are flawed by the manner in
which they implicitly want to analogize conventional conflict with cyber
conflict, to make cyber attacks equivalent to armed attacks. To do this,
however, the conversation must turn to legal definitions and parameters:
when does cyber conflict constitute the use of armed force or a formal act
of war? What actions would constitute a war crime? How much damage
does it take to trigger a necessary retaliatory response?5 These questions are
much more difficult to answer in the cyber realm because of the logistical
nightmare provoked by the ambiguity assertion. This fact has not been
emphasized appropriately to date, nor is it strategically addressed at all.
Up to now, questions have focused instead more on comparable lethality,
damage estimates, and the aforementioned attribution problem. To an
extent, however, all of these problems are enveloped by the civilian/military
ambiguity issue. The inability to establish that separation means that lethality
could be more extreme by being more than just military casualties, damage
could be more devastating by being more than just military facilities, and
attribution might not even be relevant: defining the WHO of an attack does
not solve the problem if the HOW behind the WHO is inextricably fused
among government, military, and civilian properties and people. In other
words, many assume that figuring out WHO in cyberwar will solve most
problems. The ambiguity assertion reminds everyone to be careful what
they wish for: in cyber war, the WHO will never be conveniently distinct
because of the HOW.
International law clearly does not alleviate the problem of civilian/
military ambiguity in cyber conflict. Whether the discussion extends to
codes of conduct, treaties, or international laws writ large, none of these
potential documents attempts to address the inherent structural problem
of modern societies and how they currently organize, conduct, and develop
their cyber capabilities. Further confirming this is the equal amount of
time, effort, and frustration expended in the sister projects of establishing
terms and defining parameters. Examining that frustration will illustrate
how impactful the ambiguity assertion is when contemplating how the
world should deal with the rules for cyberwar.
and finance, and so on. The ambiguity assertion, however, articulates the
difficulty in obtaining such explicitness: most if not all of a states cyber
capability utilizes and depends upon critical civilian infrastructure that also
provides many important civilian functions. No state to date has created
a cyber operations capability that is wholly distinct and separate from
civilian networks and civilian infrastructure. In other words, go after the
military targets and you will also de facto be going after civilian targets.
The literature to date seems to ignore this fact. Consequently, much of the
literature engages in a false riddle, trying to impose a theoretically precise
answer on an empirically ambiguous reality.
This is further confirmed by the number of respected scholars, diplomats,
and policymakers who miss the relevance of the ambiguity assertion by
demanding that the laws of cyberwar should actually forbid the targeting
of purely civilian infrastructure, indicating that cyber actors should try to
respect the Geneva Conventions as much as conventional actors do.7 The
problem, of course, is that in cyberwar, purely civilian infrastructure is a
category of diminishing returns. Indeed, given the obvious trend that sees
only intensification and deepening of the civilian/military fusion, purely
civilian infrastructure will end up more myth than reality.
The failure to address this structural riddle has been matched by an
over-emphasis on agency. This manifests itself mainly in the focus on
limiting and controlling potential cyber actions from adversarial states.
James Lewis of CSIS emphasizes how a state can reduce risks for everyone
by imposing common standards, like moving from the Wild West to the
rule of law.8 Eugene Spafford concurred, citing how cyber security is a
process, not a patch, requiring continual investment for the long term
as well as the quick fix, without which states will always be applying
solutions to problems too late.9 These are some of the brightest and most
respected names in the cyber discipline. Their warnings are not irrelevant,
but the emphasis on state actor agency, while failing to recognize the
impact and importance of inherent cyber structure, leaves a vulnerable
gap in cyber strategic thinking. Indeed, the contemporary failure to create
explicit norm coordination should be seen as a demand to consider new
strategy that can accept this structural incompatibility as inherent and not
something to overcome. For structural ambiguity is not only intrinsic:
states are purposely deepening the ambiguity for the strategic advantage
and economic efficiency it offers. States, therefore, should not focus on how to
assets and mitigate action already undertaken. This might help explain
why formal strategic documents concerning cyberspace end up being
nothing but simple platitudes about how the United States intends to
protect itself. Take for example the Department of Defense's (DoD) Strategy
for Operating in Cyberspace, released in mid-2011 and consisting of five
strategic initiatives:
Strategic Initiative 1: Treat cyberspace as an operational domain to organize, train, and equip so that the DoD can take full advantage of cyberspace's potential.
Strategic Initiative 2: Employ new defense operating concepts to protect domestic networks and systems.
Strategic Initiative 3: Partner with other US government departments and agencies and the private sector to enable a whole-of-government cyber security strategy.
Strategic Initiative 4: Build robust relationships with US allies and international partners to strengthen collective cyber security.
Strategic Initiative 5: Leverage the nation's ingenuity through an exceptional cyber workforce and rapid technological innovation.
Take full advantage; employ new concepts; partner with others;
build robust relationships; leverage ingenuity. All of these phrases are
wonderful slogans, but they are not accompanied by any explicit new
strategic thinking that could hope to actually institute said initiatives.
Trying to adapt conventional strategy slightly and then force the cyber
domain into it is likely to remain a project bearing little fruit. Examining
that conventional strategy and proposing new strategy that engages the
structural dilemma is the final section of this paper.
and civilian targets does not seem to bother Dunlap in its impact on the
applicability of LOAC:
LOAC tolerates incidental losses of civilians and civilian objects so long as they are not excessive in relation to
the concrete and direct military advantage anticipated. In
determining the incidental losses, cyber strategists are required to consider those that may be reasonably foreseeable
to be directly caused by the attack. Assessing second- and
third-order reverberating effects may be a wise policy
consideration, but it does not appear LOAC currently requires such further analysis.21
Dunlap's distinction is actually quite important given the current
intellectual climate: he has introduced some much-needed realism into
the debates by reminding people that LOAC has never been a flawless
strategy that provides perfect protection for civilians and civilian objects.
The problem highlighted here, however, is that his concerns over military/
civilian differentiation are misplaced.
These pro-LOAC arguments are effectively built around the fact that
cyberwar does not have to have a perfect record in delineating and then
protecting civilians because LOAC does not, either. But these arguments
assume that such delineation is generally possible. The future of cyberwar
is unlikely to be able to create such possibility because it has long been
established how many of the militarys critical functions, assets, service
providers, and supply chains all rely heavily on civilian traffic and networks.22
As such, new strategy needs to be positioned so as to prevent the use of
cyber weapons in general, because once they are used, the likelihood of
incurring civilian risk, damage, and casualties will be de facto. Sanitizing
the impact of cyber weapons once they are used by trying to constrain
targeting choices will not work.
The anti-LOAC camp makes the same mistake when discussing why
the law of armed conflict does not bring clarity to cyberwar:
The laws of war are in place to ensure that parties to a conflict target combatants rather than civilians, and, if civilians
are targeted, to ensure that such individuals have forfeited
their protected status. To determine whether cyber-attacks
properly distinguish between civilian and military targets,
one must understand [the] distinction.23
The opposition camp fails in the belief that such a distinction can in
fact be created in the cyber realm. This camp does not see the strategic
influence of the ambiguity assertion, focusing rather on the deficiencies
within LOAC and other contemporary norms and treaties: in short, make
better laws and the cyber world will come to heel. As such, this camp is
even further from cyber reality, ignoring a problem that is only going to
deepen and intensify over time. The opposition camp, in essence, is a more
liberal approach to conflict because the end goal is to create an atmosphere
of trust that can minimize higher levels of violence and treachery.24 This
flies even more in the face of the current and future structure of cyberwar.
Both of these camps believe in being able to monitor and regulate and
circumscribe cyberwar after it has begun, as happens successfully with
conventional war. This is a false hope. The ability to monitor, regulate,
and circumscribe cyber action is best done through strategy that can
inculcate preemptive fear and thereby induce caution and hesitation.
Current conventional strategies that aim for trust, target distinction, and
minimizing noncombatant impact inexplicably ignore how cyberwar is
organized, structured, and operationalized.
Liberal thinking also dominates the legal community, which is heavily
leaned upon for law projects and the strategic thinking that purportedly
infuses said projects for the cyber domain:
[An effective solution to the global challenge of cyber attacks] cannot be achieved by individual states acting alone.
It will require global cooperation. We therefore outlined the
key elements of the cyber treaty namely, codifying clear
definitions of cyber warfare and cyber-attack and providing
guidelines for international cooperation on evidence collection and criminal prosecution that would provide a more
comprehensive and long-term solution to the emerging
threat of cyber-attacks.25
The only thing left to add here is to note yet another camp focusing
on mitigating risk and limiting damage in the cyber domain ex post facto.
Regardless of philosophical standing, political agendas, or theoretical
acumen, every camp that examines the problem of parameters and definitions
in the cyber domain seems to exclude considerations of preemptive strategies
built upon fear and inducing reluctance to action. General Alexander of
US Cyber Command cited the need to establish the lanes of the road for
what governments can and cannot pursue and asserted that establishing
those lanes was the necessary first step to addressing the challenge of
cyber attacks.26 What all of the camps examined here have in common is
a tendency to give lip-service to strategy, but then really focus exclusively
on ex post facto operations to establish progress. If the focus continues
to be on agency action rather than on structural deficiency, then progress
will not simply remain slow: it will become non-existent.
who can be a victim during cyberwar, even the philosophical and ethical
questions meant to be asked about cyberwar itself. Duqu's Dilemma is an
entreaty to move away from unattainable goals and idealistic dreams in a
futile hope to create sanitized cyberwar. Cyberwar will never be sanitized.
Consequently, contemporary strategic thinking about the cyber domain
must start treating the ambiguity assertion with the same gravity that the
more famous attribution problem receives.
Notes
1 Tom Leithauser, "Rules of War Should Apply to Cyber Conflict," Cybersecurity
Policy Report, February 14, 2011.
2 Tom Gjelten, "Shadow Wars: Debating Cyber Disarmament," World Affairs
173, no. 4 (2010): 33-42.
3 Ibid.
4 Aliya Sternstein, "Experts Recommend an International Code of Conduct for
Cyberwar," National Journal, June 10, 2011.
5 Andrew Liaropoulos, "War and Ethics in Cyberspace: Cyber-conflict and
Just War Theory," European Conference on Information Warfare and Security
177-XI (July 2010).
6 Vida Anatolin-Jenkins, "Defining the Parameters of Cyberwar Operations:
Looking for Law in All the Wrong Places?" Naval Law Review 51, no. 132
(2005): 1-34.
7 Don Tennant, "The Fog of (CYBER) War," Computerworld 43, April 27, 2009,
pp. 28, 30-32.
8 James Fallows, "Cyber Warriors," Atlantic Monthly 305 (March 2010): 58-60,
62-63.
9 Ibid.
10 John Curran, "Updated Rules for Cyber Conflict Coming Soon, Defense
Officials Say," Cybersecurity Policy Report, March 26, 2012.
11 Lolita Baldor, "Cyber Warriors," Army Times, August 6, 2012, p. 23.
12 Siobhan Gorman and Julian Barnes, "Rules for Laws of War: US Decides
Cyber Strike Can Trigger Attack," The Australian, June 1, 2011.
13 Anonymous, "Military Ponders Cyberwar Rules," Los Angeles Times, April 7,
2008.
14 Ellen Nakashima, "Pentagon Seeks to Expand Rules of Engagement in Cyber
War," Washington Post, August 10, 2012.
15 Ibid.
16 Ellen Nakashima, "Cyber Offense Part of Strategy," Washington Post,
November 16, 2011.
17 Wesley Andrues, "What US Cyber Command Must Do," Joint Forces
Quarterly JFQ 59 (Fourth Quarter 2010): 115-20.
18 Ibid.
19 Ibid., p. 120.
20 Charles Dunlap, "Perspectives for Cyber Strategists on Law for Cyberwar,"
Strategic Studies Quarterly (Spring 2011): 81-99.
21 Ibid., p. 90.
22 Erik Mudrinich, "Cyber 3.0: The Department of Defense Strategy for
Operating in Cyberspace and the Attribution Problem," Air Force Law Review
68 (2012): 167-206.
23 Michael Gervais, "Cyber Attacks and the Laws of War," Journal of Law and
Cyber Warfare 30, no. 2 (2012): 525-79.
24 Ibid., p. 561.
25 Oona Hathaway et al., "The Law of Cyber-Attack," California Law Review, Inc
(2012): 817-85.
26 Ibid., p. 884.
27 Hannah Lobel, "Cyberwar Inc: The Law of War Implications of the Private
Sector's Role in Cyber Conflict," Texas International Law Journal 47, no. 3
(2012): 617-40.
people (e.g., false radar images) or their equipment (see Stuxnet). In the
latter cases, obviousness is self-defeating; once it is clear that you have
successfully deceived a system, the system's administrators are unlikely
to allow the system to operate as it has.
Is Stuxnet an Exception?
One would imagine that a cyber attack that actually broke something might
have passed the point where everyone could try to hide its existence. The
Stuxnet worm was discovered in June 2010, and its target was identified as
an Iranian nuclear facility in September. The earliest suspicions tagged the
Bushehr reactor as its target,2 and the Iranians denied that any such reactor
was affected. Within a few weeks, the Natanz centrifuge plant was identified
(more plausibly) as its target. Initial Iranian denials were contradicted in late
November 2010, the day that assassins killed two Iranian nuclear scientists,
when Ahmadinejad admitted that there was a worm that had caused a
great deal of trouble, which was then taken care of.3 How badly did Stuxnet,
in fact, hurt Iran's nuclear development? Statistics from the IAEA would
indicate that it may have led to the premature retirement of 10 percent of
Iran's centrifuges and thus, at most, it bought the worm's creators several
months' reprieve from the date at which Iran would have enough nuclear
material to build its first bomb.4 Other reports quote officials predicting that
the earliest that Iran can (as of early 2011) assemble such material would
be 2015, a delay of several years.
There is a lot more (apart from what it accomplished) that is currently
unclear about Stuxnet.5 One question is how it got into Natanz in the first
place; suspicions that the worm's designers received witting or unwitting
help from Russian contractors appear to have soured Iran's working
relationship with them.6 More important is exactly who wrote and released
the worm. Was it an individual (its sophistication says otherwise)? Was
it Israelis, as suggested by several clues internal to the code (but who
knows whether these clues were not planted to mislead suspicion)? Was it
Americans? Was it both, working together?7 Or was it the Chinese?8 With
all the ambiguity, it is no wonder that Iran has yet to retaliate (at least in
any noticeable way). That noted, Syria did not respond to the strike on
its suspected nuclear facility, and Iraq did nothing but complain when its
Osiraq reactor was bombed, and there was no ambiguity about who did it in
either case. Conversely, Iran's strong ties to Hamas and Hizbollah suggest that
it may have had ways of expressing its displeasure that were unavailable
to Syria (in 2007) or Iraq (in 1981). Furthermore, Iran has yet to make much
of a big deal about the incident; likening it to an act of war after months of
silence and denials would be quite a volte-face.
The advantages of using Stuxnet rather than airpower to degrade Iran's
nuclear capability are fairly clear (assuming the worm, in fact, did as its
designers hoped): comparable effect, and induced distrust among its
victims as to which of its suppliers or supplies may still be contaminated,
but with less condemnation (indeed, perhaps a sneaking admiration) and
fewer strategic risks.
the more jihadist of Libya's rebels who greet the intervention of US forces
by switching sides). Or, hints could be offered (e.g., if this capability fails
tomorrow, you will know why). Conversely, if the government won, it may
suspect that its information systems were tampered with by Western forces,
but it may not be able to prove as much. It may complain, but if Libya were
expected to blame its shortfalls on the West, then such complaints, in the
absence of evidence, would have little force. More to the point, it may not
want to claim as much if it wants to pretend afterwards that it has no reason
to make enemies of the West all over again. If the civil war drags on, the
West can pretend that it had given no prior help and thus had made no
commitment to escalate its assistance (even if hints were dropped to the
rebels, they would have an even harder time proving to others that Western
hackers were offering assistance, since, unlike the government, they would
likely have no access to the tampered computers). The greatest problem in
offering such assistance is the possibility of getting caught, but if the target
of the attacks is on the outs with the rest of the world, it is unlikely that it
will get much help tracing the attacks. So attractive is such assistance (at
least from the helper's perspective) that it may be a routine feature on
both sides of any conflict where the outcome is uncertain and networks
matter to war fighting capabilities. And again, admitting that one's systems
have been hacked is always at least a little embarrassing.
Four, cyber attacks do not need to be directed towards adversaries,
although the risks of making new enemies if the source of the cyber attacks
is discovered are obvious. Consider a situation in which two neutral states
are inching towards war that one might prefer not to take place. Suppose that
a third state is capable of introducing faults into both sides' surveillance
and/or command-and-control systems that raise doubts whether they have
pierced the fog and overcome the friction enough to undertake military
operations. If systems go haywire, either target state is initially more likely
to blame the other for its woes (if they understand that such woes were
obvious and induced rather than non-obvious or accidental) rather than a
third party; chances are that the initial presumption is likely to color their
forensic activities and conclusions. Furthermore, there is a good chance
that such blame will be kept private given the embarrassment involved. Yet
risks exist in such maneuvers; such machinations may drive states towards
war if one side or both comes to convince itself, for instance, that the cyber
Conclusion
Cyberwar's many tactical ambiguities lend force to a strategy built on
strategic ambiguities. There may be many cases in which an aggressor
state does not want what it has done to be obvious. Even the target state
in some cases may conclude that pretending as much (even if it must turn
a blind eye to the evidence) has advantages over trying to clarify matters
or even claiming clarity in the absence of the real thing.
But the downside to strategic ambiguity should be noted. States may
arrogate the right to carry out all sorts of mischief in cyberspace on the
belief that they will never be called into account. The lack of accountability,
however, is inherently dangerous. Sometimes it is unwarranted (the state
Notes
1 By contrast, legislation had to be passed in 2006 to permit the United States
to share civilian technology with India, which like Israel is a non-signatory
to the Non-Proliferation Treaty, but unlike Israel, a declared nuclear power.
See Peter Baker, "Signs India Nuclear Law: Critics Say Deal to Share Civilian
Technology Could Spark Arms Race," Washington Post, December 19, 2006,
www.washingtonpost.com/wp-dyn/content/article/2006/12/18/
AR2006121800233.html.
2 Robert McMillan, "Was Stuxnet Built to Attack Iran's Nuclear Program?"
IDG News, taken from PCWorld, September 21, 2010.
3 William Yong, Alan Cowell, "Bomb Kills Iranian Nuclear Scientist," New York
Times, November 30, 2010.
4 Joby Warrick, "Iran's Natanz Nuclear Facility Recovered Quickly from Stuxnet
Cyberattack," Washington Post, February 16, 2011. See also the report by the
Institute for Science and International Security, http://media.washingtonpost.
com/wp-srv/world/documents/stuxnet_update_15Feb2011.pdf.
5 What is most clear about Stuxnet is how it worked because the worm was
captured alive, so to speak, in the wild before it could self-destruct (which
it should have done if it was unable to find a specific programmable logic
device that met certain preset parameters associated with a particular type
of centrifuge).
6 "The Stuxnet Worm: A Cyber-Missile Aimed at Iran?" Economist, September
24, 2010, www.economist.com/blogs/babbage/2010/09/stuxnet_worm.
7 William Broad, John Markoff, David Sanger, "Israel Tests on Worm Called
Crucial in Iran Nuclear Delay," New York Times, January 15, 2011.
8 Jeffrey Carr, "Stuxnet's Finnish-Chinese Connection," December 14, 2010,
blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/.
9 Many observers take issue with the characterization of Hizbollah as a
puppet of Iran. Yet there is a difference between Hizbollah acting only on
Iran's orders, and Iran having enough influence on Hizbollah to discourage
it from unwise actions.
10 An influential article reviewing the possibilities of Western intervention
in Libya mentioned electronic warfare in the form of communications
jamming, but nothing about cyber warfare. See Thom Shanker, "U.S.
Weighs Options, on Air and Sea," New York Times, March 6, 2011, http://
www.nytimes.com/2011/03/07/world/middleeast/07military.html.
11 If the fact that China's stealth fighter surprised Hu Jintao when meeting with
Secretary of Defense Gates is any indication, its military is not absolutely
beholden to its political leadership and thus the country's effective
leadership may also be somewhat of a coalition.
Introduction
Developments in electronics and computers since World War II have
affected a broad range of fields and created the information age. This
article focuses on interrelationships among information technology, the
information age, and security. More specifically, it aims to contribute to a
discussion of the national security issues stemming from the development
of information technology.
Much of the driving force behind computer development has been derived
from military applications. Following new possibilities, thinking about
the effect of technological change on defense issues has also progressed.
In addition, the information age, which continues to develop rapidly,
along with advances in computer communications and the penetration
of computers into every area of life, has given rise to cyberspace. These
developments challenge existing perceptions and force reconsideration of
basic concepts. The need for an informed public debate and the design of
a firm policy has likewise grown, given the fact that the cyberspace risk is
already concrete as dramatized by events in Estonia in the spring of 2007,
as well as the Stuxnet affair.1 In Estonia, daily life was disrupted following
a technically simple but massive attack on internet-based services. With
Stuxnet, it appears that a technically complex cyber weapon was used,
designed to cause precise damage to the system controlling the industrial
process at a protected nuclear fuel enrichment facility in Iran. The weapon's
design and method of operation included camouflage of its activity for
Prof. Isaac Ben-Israel is head of the Yuval Ne'eman Workshop for Science, Technology
and Security at Tel Aviv University. Lior Tabansky is a Neubauer research associate
working on the Cyber Warfare Program at INSS, which is supported by the
Philadelphia-based Joseph and Jeanette Neubauer Foundation.
This article was first published in Military and Strategic Affairs 3, no. 3 (2011): 21-37.
Theoretical Background
Technological change occupies many thinkers who struggle to assess its
social effects. Although the scope of this article does not permit a full review
of the field, three thinkers relevant to an understanding of the dynamic
reality must be mentioned.
The term "Third Wave," taken from the theories of the bestselling authors
Alvin and Heidi Toffler, refers to a time period (table 1). According to the
Tofflers, we are in the midst of a transition to the Third Wave, in which the
economy is based on knowledge and control of information,2 instead of on
industrial mass production. Similarly, the form of warfare is changing as
well. The name of the game has become obtaining information about the
enemy and denying it information about yourself. The side that controls
information technologies will win the war, even if it faces many weapons
rolling off Second Wave assembly lines.
Table 1

                      | The First Wave                   | The Second Wave (from the mid-17th century until the end of the 20th century)        | The Third Wave (from the end of the 20th century onwards)
Principal Resource    | Organized agriculture; landowner |                                                                                      |
Weapons               | Sickle, sword                    |                                                                                      | Computer, cyber warfare
Method of Waging War  | Face-to-face battle at point blank range; land conquest | Machines used at medium range, poor accuracy, attempt to damage production capacity | Attempt to damage information through the use of computers. Remote damage to functional capacity, without physically reaching the target

(Cells left blank were not recovered from the source.)

Table 2 (Popper's three worlds)

                      | World 1              | World 2                        | World 3
Status                | Material, objective  | Mental, subjective experiences | Knowledge, objective
Examples              | Tables, airplanes    | Pain, happiness                | Mathematics, physics
Example in Cyberspace | Hardware             | Displays (the user experience) | Software
Unlike material, knowledge can be used again and again and shared with
many consumers without being diminished. Knowledge or information is
a non-rival, partially excludable good. Paul Romer, a pioneer researcher in
the new theory of economic growth, discusses the economic consequences
of knowledge, and lays the foundations for a different knowledge-based
economy.4 He argues that growth in the economy, the basis of power and
prosperity, is not solely a result of changes in capital and manpower. The
development of knowledge is a new, potent source of endogenous growth.
The character of this knowledge-based growth differs from what is familiar
in the traditional economy.
If we combine Popper's metaphysical basis with the Tofflers' sociology and
Romer's economic theory, we can suggest that the wars of the First and
Second Wave were conducted mainly in World 1 (material). In these wars,
the side with the largest and strongest army that was best able to mobilize
troops and develop the mental factors (World 2) among its troops (e.g. the
spirit of battle, motivation, and courage) would be victorious. According to
this theory, future wars will also spread to World 3, the world of information.
Without derogating the value of these elements in the future, while past
wars relied on physical force (the First Wave) and present wars rely on the
power of machinery (the Second Wave), future wars will rely more and
more on brainpower.
Cyberspace
The ongoing growth of computers and communications networks generated a
new situation at the beginning of the 21st century: an additional computerized
layer above the existing older systems that effectively controls their function.
The spread of computers, their integration in various devices, and their
connectivity to communications networks have created a new space.
Cyberspace is composed of all the computerized networks in the world,
as well as of all computerized end points, including telecommunications
networks, special purpose networks, the internet, computer systems, and
computer-based systems. The concept also includes the information stored,
processed, and transmitted on the devices and between these networks.11
This picture enables us to understand what is happening in World 312 while
focusing on the encounter with national security issues.
Unlike land, sea, air, outer space, and the electromagnetic spectrum,
cyberspace is not a product of nature. Cyberspace is created by human
beings, and would not exist without the information technologies developed
in recent decades. Knowledge, which is perhaps the most important element
in cyberspace, is a product of cumulative human endeavor.13 The structure
and design of cyberspace as it is today has significant consequences for
national security (table 3).14
Table 3 (only the entry "Weak Point: Rapid change" was recovered)
Table 4 shows that the topics listed under information warfare are
actually classic topics existing throughout the history of war. In the
course of history, several classic methods of warfare have been developed
for information warfare, including intelligence gathering by human
sensors (as in Joshua's use of spies in the conquest of the Promised
Land) and the development of special gathering technologies (such as
airborne intelligence sensors, satellites, etc.). Classic methods have also
been developed in the prevention aspect of information warfare, such as
camouflage, dummies and masks, jamming and blocking, deception and
misdirection, propaganda, and so on.
Further analysis of table 4 indicates that the increasing dependence of
information systems on computing is practically the only innovation in this
field. In other words, while information warfare is not new, this is not true
of computer-based information systems. Cyberspace makes it possible
to define new targets, weapons, and methods of warfare. What is new
about Third Wave warfare or war in the information age is not information
warfare per se, but computer warfare. For this reason, it is best to limit the
discussion by focusing on computer warfare in cyberspace. The change in
cyberspace is so great that the basic concepts, such as "war," "weapon,"
"attack," and "defense," require a new explanation.
Computer warfare in cyberspace is unauthorized access to the adversary's
computer systems for the purpose of intelligence gathering, disruption,
deception, and prevention and delay of the use of information, while
preventing the enemy from doing the same to one's own computer systems.
A traditional attack (barrage, bombing, physical sabotage) on computer
systems will also certainly cause disruption, prevention, and delay in the
use of information. Such a physical attack, however, is not classified as
cyberwar.
The characteristics of cyberspace19 also define warfare in this sphere.
The characteristics of cyberspace make it difficult to distinguish between
a deliberate attack and malfunction, and complicate the effort to attribute
action to a specific party, thereby also making it difficult to respond to an
attack. The characteristics of cyberspace today empower marginal players,
and give the attacker an advantage over the defender.
In recent years, a discussion has developed about the vulnerability
created by the indispensability of cyberspace in all life processes in a
developed society.20 Computer warfare is not confined to military systems;
The US, the world's only superpower, is a pioneer and leader in the
discussion of its cyber vulnerability.28 A country's critical infrastructure
is an obvious target in any conflict. Nonetheless, why has such concern
been raised now, and in the strongest countries? The answer lies in the
transition from the wars of Tofflers Second Wave to the wars of the Third
Wave, the information wave. Discussion of critical infrastructure protection
has been renewed because of the emergence of a new threat that could
not have been carried out before. The development of cyberspace makes
it possible, for the first time in history, to attack critical infrastructure
systems in cyberspace, without physical access to the site and without
exposure during or after the attack.
Critical infrastructure protection is one of the key issues of cyber security.
The topic is outside the scope of this study, and deserves a specific discussion
of its own.29
Information warfare immediately invites examination of the concept
of war itself: is a cyber attack on computerized information involving no
use of firepower an act of war? What constitutes a legitimate target in
such a war? The extensive military use of civilian infrastructure (mainly
communications) complicates the distinction between military and civilian
targets. For example, the computer infrastructure of the US Department of
Defense consists of 15,000 networks and seven million facilities dispersed
all over the world. Most of the US Defense Department communications,
however, are channeled through commercial civilian networks.30 Civilians
(even women and children) can be as effective as soldiers in computer
warfare. Does this make them potential targets of a response? How should
we act in a case of widespread economic damage? Moreover, the meaning
of such an attack is unclear. Assume that one day the computer systems
of the Israeli banks crash. Assume also that we manage to determine with
certainty that the enormous damage was caused deliberately by a deliberate
penetration, and assume that we succeed in tracing the attacker to the
territory of a neighboring country. Now, is this an act of war? Ostensibly, the
damage caused is only economic; there are no (direct) human casualties.
Countries have frequently responded with restraint to traditional attacks that
caused economic damage but did not take human life.31 Economic damage,
however, is liable to paralyze an entire country. How do we estimate the
indirect damage caused by an attack? Assume that a cyber attack caused
prolonged disruption in the supply of electricity. Assume that one of its
61
results is putting road lights and traffic lights out of commission, and the
resulting darkness causes fatal traffic accidents. Should a victim of such
an accident be considered a cyber warfare casualty? Should we respond
with firepower and ground maneuver, or with a cyber counterattack?
The problem is more complicated than the scenarios described, because
a computer attack does not require a base in a country, and it can also be
conducted by organizations and even by individuals.
Computer warfare is also conducted between friendly countries
competing for diplomatic and economic intelligence. Is this warfare? Is
it acceptable or advisable to use computer warfare in peacetime for such
purposes?
A special problem in cyber warfare is detecting an attack; in contrast to
a traditional attack occurring in World 1, the material world, the location of
the strike and the attackers identity are not necessarily exposed following
the attack. There are no defined front lines in computer warfare, and
geographic distance has almost no meaning in electronic networks. Given
the characteristics of cyberspace, detecting an attack cannot be taken for
granted: an attack and a malfunction have similar effects. While the computer
world has become more sophisticated, as reflected in the multiplicity of
software and applications and the growing number of transistors in each
component, malfunctions are not less likely. The statistical probability of
a software bug or programming error is constant, and its nominal value
rises with increased complexity of software.32
The capability to detect that computers have been attacked and damaged,
rather than malfunctioning naturally, is inadequate. Without the ability
to distinguish in real time between an attack and malfunction, large scale
investment in constant cyber readiness is necessary. Defense against cyber
threats must encompass all aspects of attack and be updated with new
developments, and its cost is rising steadily. The argument on difficulty of
defense is similar to the argument against an active anti-missile defense and
the argument that defense against suicide terrorists is futile. Nevertheless,
it is possible to devise a response to the new threats,33 although the burden
is substantial, since the characteristics of today's cyberspace give a clear
advantage to attack over defense.34 The field of encryption is one of the few
areas in cyberspace in which the defender still enjoys an advantage over
the attacker.35 Given the difficulty of identifying the fact of an attack, its
geographic location, and the identity of the attacker, a state of uncertainty
Conclusion
Cyberspace is a fairly new product of the information age, and cyber
security is part of the transition to the information age. In order to cope
with this challenging change, a multidisciplinary perspective should be
adopted. Therefore some of the information age's important theoretical
origins were presented, including ideas of the Tofflers, Karl Popper, and
Paul Romer. Clearly there are other sources, and further multidisciplinary
research on the information age is welcome.
The problems in dealing with security challenges are a function of the
characteristics of cyberspace: rapid action, the rate of change, intricacy, and
complexity. Cyber attack and defense take place in World 3, the world of
knowledge. The significant consequences of the key issues of cyber warfare
described in the last section of this study should be investigated in depth.
The key development is not information warfare; it is computer warfare
in cyberspace. Discussion of solutions to computer matters tends to focus
on the technical realm, far away from public debate and public policy.
Clearly professional understanding of the field under discussion is essential,
and it presents enormous challenges requiring a solution at the national
public policy level. However, a review of the main issues of cyber security
paints a complicated picture, beyond the technical computer professions.
In order to provide national security in the dynamic environment of the
information age, it is therefore correct to utilize inputs from every relevant
field of knowledge, including the social sciences, psychology, biology,
medicine, and philosophy. This study aims to encourage interdisciplinary
research into the cyber security challenges, contribute to the development
of an informed national security policy, and thereby contribute to security
and prosperity in the information age.
Notes
1 "The Meaning of Stuxnet: A Sophisticated Cyber-Missile Highlights the
Potential and Limitations of Cyberwar," Economist (GBR) Economist 397,
no. 8702 (2010), September 30, 2010, from the printed edition.
2 Information or data is distinguishable from knowledge, which also
requires conceptualization and understanding of the raw information. This
distinction is unimportant for the purposes of this article.
3 Karl Popper, Objective Knowledge: An Evolutionary Approach (Oxford: Oxford
University Press, 1972), chapters 3-4.
4 Paul M. Romer, "Endogenous Technological Change," Journal of Political
Economy 86, no. 5, pt. 2 (1990): S71-S102.
5 E. Mollick, "Establishing Moore's Law," Annals of the History of Computing,
IEEE 28, no. 3 (2006): 62-75.
6 Ray Kurzweil, "The Law of Accelerating Returns" (2001).
7 Isaac Ben-Israel, "From Sword Blade to Computer Memory," Odyssey 9,
October 2010.
8 For information on RMA, see: Michael E. O'Hanlon, Technological Change
and the Future of Warfare (Washington, DC: Brookings Institute Press,
William Lynn III, "Defending a New Domain," Foreign Affairs 89, no. 5
(September-October 2010); Martin Coward, "Network-Centric Violence,
Critical Infrastructure and the Urbanization of Security," Security Dialogue
40, no. 4-5 (2009): 4-5; Walter Gary Sharp, "The Past, Present, and Future of
Cybersecurity," Journal of National Security Law and Policy 4, no. 1 (2010).
For a discussion of the technical issues, see Jeffrey Carr, Inside Cyber Warfare:
Mapping the Cyber Underworld (O'Reilly Media, 2009); and Rick Lehtinen,
Deborah Russell, and G. T. Gangemi, Computer Security Basics (Sebastopol,
CA: O'Reilly & Associates, 2006).
Faulty hardware implanted by the CIA in a system for transporting gas
purchased by the Soviet Union allegedly caused an enormous explosion in
Siberia in 1982. See W. K. Clark and P. L. Levin, "Securing the Information
Highway: How to Enhance the United States' Electronic Defenses," Foreign
Affairs 88, no. 6 (2009).
For the economic consequences, see the discussion by Paul Romer
mentioned above.
Following the September 11, 2001 terrorist attacks, the policy support
threshold was lowered: sometimes circumstantial evidence, such as
ideological support of an enemy or provision of logistic services to terrorists,
is sufficient.
A detailed discussion of these matters is beyond the scope of this study.
The Aurora Experiment, conducted in the national laboratories in Idaho,
US; see James Andrew Lewis, Thresholds for Cyberwar, Washington, DC:
Center for Strategic and International Studies, 2010.
"The Meaning of Stuxnet," note 1.
United States, President's Commission on Critical Infrastructure Protection,
Critical Foundations: Protecting America's Infrastructures: The Report
of the President's Commission on Critical Infrastructure Protection,
Washington, DC: US GPO, 1997.
See Lior Tabansky, "Critical Infrastructure Protection against Cyber
Threats," Military and Strategic Affairs 3, no. 2 (2011): 61-78; Myriam Dunn,
"Securing the Digital Age: The Challenges of Complexity for Critical
Infrastructure Protection and IR Theory," in Johan Eriksson and Giampiero
Giacomello, eds., International Relations and Security in the Digital Age
(Routledge, 2007).
Lynn, "Defending a New Domain."
Israeli governments behaved in this manner for years, when thousands of
rockets trickled into Israel from Gaza and hit open areas in the western
Negev.
One of the measures of software complexity is the number of source lines of
code (SLOC). Windows NT 3.1, the Microsoft operating system, which was
introduced in 1993, had 4.5 million SLOC. Windows XP, introduced in 2001,
had 45 million SLOC. Linux Fedora 9 has 204 million SLOC.
See Tabansky, "The Struggle against Terrorism in the Information Age."
shows that the strategy of deterrence may be expected to fail when applied
to threats created by cyber warfare.16
Capabilities
Cyber warfare allows weak players to move the confrontation into a sphere
in which they can maximize profits while risking little, which makes
deterrence harder to establish. In effect, an actor that is more technologically
developed is also more susceptible to cyber warfare.17 In fact, the possibility
of retaliation against a weaker player is reduced, and thus the ability to
establish a credible threat of deterrence is also lessened. For example, it
is very difficult to deter players, especially individuals, who do not own
information systems that can be threatened with damage.18 This challenge
also exists in the confrontation with nations with less developed information
systems infrastructures, where the possibility of creating an effective threat
by means of cyber warfare alone is limited.
Credibility
A second challenge to deterrence against cyber threats relates to the
defender's credibility. The defender's vulnerability may limit its willingness
to tap its capabilities out of concern that retaliation could lead to escalation.
The problem for the defender is that such escalation is liable to be much
more dangerous to itself than to the challenger, which in turn is likely to
strengthen the challenger's belief that the defender's willingness to act
is low.19 This challenge is further amplified by the fact that cyber warfare
entry costs are usually lower for the weaker side.20 In other words, the
cost to the challenger of engaging in cyber warfare is often limited, which
further increases the difficulties in presenting and executing the deterrent
threat required in order to prevent such action.
Internal as well as international public opinion may limit the credibility
of the threat of retaliation because of the nature of cyber warfare. In
situations in which it is difficult to establish the identity of the source
of the attack,21 the ability to employ a retaliatory measure likely to cause
damage is constrained.22 A potential challenger may view these constraints
as undermining deterrence credibility. In this way a potential aggressor,
assessing that the chances of the defender making good on its threats are
low because of the damage it is likely to incur as a result, will be more
willing to take risks and challenge the defender.
the problems of states that must now deal with a much more complex
setting than in the past.
Moreover, research on cyber warfare tends to deal with more classical
aspects of security, whereas the arena of threats is complex and varied.37
For example, states are worried about the growing strength of economic
players (such as Google) or ideological ones (e.g., individuals seeking to
promote government reforms) using cyberspace. Irrespective of whether
or not the existing definitions of cyber warfare include interactions with
these actors, a considerable contribution could be made by analyzing
these relations using theories of deterrence. The concept of the strategy of
deterrence might be used, for instance, to study the interactions between
Google and China with regard to the implied or direct threats presented
by these players to one another in the context of search engine censorship.
In this sense, dividing research on deterrence and cyber warfare according
to different types of threats (e.g., internet war, cyber terror, cybercrime,
cyberwar) and the actors operating them (states, individuals, economic
institutions) may be not only more accurate and productive but may also
identify the conditions for raising the chances of success of each actor's
strategy of deterrence against its enemy.
The second theme that should be expanded is analysis of the traditional
literature on the strategy of deterrence in critical and original ways. This
has already been done in some of the essays published on the topic.
However, it remains to analyze further concepts regarding deterrence
strategy already discussed in the literature, such as immediate deterrence,38
general deterrence, and extended deterrence,39 and to try to understand
the significance and relevance of applying these practices to cyberspace.
Similarly, the concept of ambiguity should be studied. This concept may
serve as a framework for practical thinking in confronting the dilemma
inherent in the need for revealing capabilities on the one hand,40 balanced
against the concern that the enemy will be able to exploit this exposure to
increase its own strength and immunity to attack. Using insights developed
in different contexts may provide an interesting foundation for developing
ideas on cyberspace ambiguity, not only with regard to intention and
willingness to make good on threats but generally with regard to the existence
of capabilities. In this respect, it is possible, for example, to analyze the
different efforts made by several nations in recent years in the field of
cyber warfare. Not only are the means developed by nations likely to
strengthen their strategy of deterrence against these threats, but the very
prominence of these efforts may also serve as a deterrent tool. The same
is true of the American establishment of a strategic command to manage
cyber warfare:41 it has a range of objectives and functions, but its very
reference and prominence allow not just improvements in capabilities but
also demonstrate US willingness to invest resources in reducing threats
and damage. It may be that stressing the desire to invest in measures of
this sort and revealing the scope of the budgets, resources, and manpower
dedicated to the subject, even absent a detailed breakdown of the measures
acquired and their capabilities, can help increase the credibility of the
deterrent message against threats in cyberspace, especially with regard
to threats involving high levels of violence on the part of other nations. In
other words, a partial revelation of capabilities while maintaining ambiguity
about their essence allows for a reduction of the harmful effects described
above but also transmits a forceful message. At the same time, one may
expect that the low entry threshold for operating in cyberspace, especially in
cases of asymmetrical confrontations, will continue to present a challenge
to establishment of a strategy of deterrence seeking to prevent threats in
this realm.
Conclusion
The research that deals with cyber warfare deterrence discusses primarily
the difficulties inherent in deterring enemies from using this strategy.
Although deterrence may work under certain circumstances, the problems
associated with the defender's capabilities, the defender's willingness to
use them, and the defender's ability to convey a message of deterrence to
its potential enemy greatly limit the possibility of successful deterrence.
Nonetheless, in light of the benefits inherent in the strategy of deterrence
in reducing the scope of violence of conflicts, it is important to try to further
the research dealing with the connections between deterrence and cyber
warfare. This essay has indicated some directions for further thought and
development of these ideas. However, as claimed by Morgan, these insights
should be applied carefully, because additional empirical knowledge about
the essence of cyber warfare is required, in terms of both the damage it
can generate and the way in which it may be used.
Notes
1 Amir Lupovici, "The Emerging Fourth Wave of Deterrence Theory: Toward
a New Research Agenda," International Studies Quarterly 54, no. 1 (2010): 705-32.
2 Cyber warfare refers here to a certain type of information warfare, though
at times the concept of information warfare serves as a synonym for
cyber warfare. This type of warfare is based on various attempts to prevent,
disrupt, or destroy the enemy's information systems, while protecting the
information systems of the defender against similar threats. See Richard
J. Harknett, "Information Warfare and Deterrence," Parameters 26, no. 3
(1996): 93-107; Gary F. Wheatley and Richard E. Hayes, Information Warfare
and Deterrence (Washington, DC: National Defense University Press, 1996),
pp. v-vi, 5-6; Roger C. Molander, Andrew S. Riddile, and Peter A. Wilson,
"Strategic Information Warfare: A New Face of War," Parameters 26, no. 3
(1996): 83, 86-90. For a review of central concepts in cyber warfare, see Lior
Tabansky, "Basic Concepts in Cyber Warfare," Military and Strategic Affairs 3,
no. 1 (2011): 75-92.
3 On the general tendency of research dealing with cyber warfare and
security to analyze policy oriented issues and to minimize the incorporation
of broader theoretical dimensions, see Johan Eriksson and Giampiero
Giacomello, "The Information Revolution, Security, and International
Relations: (IR)relevant Theory?" International Political Science Review 27, no. 3
(2006): 221-44.
4 This essay uses the common terms to describe the actors involved in
deterrence strategy: the defender, the actor seeking to use the strategy
of deterrence in order to prevent undesirable action against it, and the
challenger, the actor seeking to act against the defender. The occasional
usage of the alternative terms "the deterring actor" or "the deterred actor" is
problematic because it assumes the success of the strategy.
5 For an excellent survey of definitions of the concept of deterrence by
punishment, see Patrick M. Morgan, Deterrence Now (New York: Cambridge
University Press, 2003), pp. 1-2.
6 Alexander George and Richard Smoke, Deterrence in American Foreign Policy:
Theory and Practice (New York: Columbia University Press, 1974), p. 11.
7 Deterrence by denial also differs from the strategy of defense. While there
is an overlap, defense seeks to provide a solution to a situation in which the
strategy of deterrence has failed, while deterrence by denial seeks to prevent
the action by making the challenger understand that it lacks the capacity to
execute the action because of the defender's capabilities.
8 Glenn Snyder, Deterrence and Defense (Princeton: Princeton University
Press, 1961). Nevertheless, deterrence by punishment and deterrence by
denial may in theory support one another. If a potential challenger is made
to realize that not only are its chances for success low but it will also be
required to pay a steep price for aggression, there is a higher chance it will
refrain from action.
9 Thomas Schelling, Arms and Influence (New Haven: Yale University Press,
1966).
10 Albert Carnesale, Paul Doty, Stanley Hoffmann, Samuel P. Huntington,
Joseph S. Nye, Jr., and Scott D. Sagan, Living with Nuclear Weapons
(Cambridge: Harvard University Press, 1983).
11 For a discussion of conventional deterrence, see, e.g., John J. Mearsheimer,
Conventional Deterrence (Ithaca: Cornell University Press, 1983) and Jonathan
Shimshoni, Israel and Conventional Deterrence: Border Warfare from 1953 to
1970 (Ithaca: Cornell University Press, 1988).
12 For example, it has been claimed that the development of international
norms calling for the ban on nuclear weapons and international public
opinion in support of this call have weakened the strategy of deterrence
because they have raised the cost of using them. See T. V. Paul,
"Nuclear Taboo and War Initiation in Regional Conflicts," Journal of Conflict
Resolution 39, no. 4 (1995): 696-717.
13 Various researchers have debated the question of how to increase the
credibility of the threat and have even proposed measures to attain this
goal, e.g., by means of costly signals. See James Fearon, "Domestic Political
Audiences and the Escalation of International Disputes," American Political
Science Review 88, no. 3 (1994): 577-92. Still, some researchers have cast
doubt on the effectiveness of some of these measures. For a discussion of
the topic, see, for example, Paul Huth, "Reputations and Deterrence: A
Theoretical and Empirical Assessment," Security Studies 7, no. 1 (1997): 72-99.
14 Morgan, Deterrence Now, pp. 15-16.
15 For an excellent survey demonstrating the different types of Israeli
deterrence, see Uri Bar-Joseph, "Variations on a Theme: The
Conceptualization of Deterrence in Israeli Strategic Thinking," Security
Studies 7, no. 3 (1998): 12-29.
16 Harknett, "Information Warfare and Deterrence"; Bruce D. Berkowitz,
"Warfare in the Information Age," in John Arquilla and David F. Ronfeldt,
eds., In Athena's Camp: Preparing for Conflict in the Information Age (Santa
Monica: RAND, 1997), pp. 183-84; Emily O. Goldman, "Introduction:
Security in the Information Technology Age," in Emily O. Goldman, ed.,
National Security in the Information Age (London: Taylor & Francis, 2004), p.
3; John Arquilla, "Thinking about New Security Paradigms," in Emily O.
Goldman, ed., National Security in the Information Age (New York: Routledge,
2004), pp. 210-13. Morgan reaches similar conclusions, claiming that the
different elements affecting the practices of deterrence of the Cold War,
based both on this strategy and on supportive measures such as arms
control, are less relevant to deterrence in cyberspace, though he does
not entirely rule out the possibility of using different types of deterrent
strategies in confronting these threats. See Patrick M. Morgan, "Applicability
done using such warfare but also that some of the codes of the virus itself
were revealed and could conceivably serve various actors in their attempts
to damage sensitive infrastructures. See, e.g., "Experts Fear Hackers Can
Launch Stuxnet-Like Attacks on Power Plants, Prison Gates," The Globe and
Mail, October 24, 2011.
35 Morgan, "Applicability of Traditional Deterrence Concepts and Theory to
the Cyber Realm," p. 63.
36 For reference to this issue in the context of information warfare, see, e.g.,
Goldman, "Introduction: Security in the Information Technology Age," p. 3.
37 For a discussion of the range of these threats, see Tabansky, "Basic Concepts
in Cyber Warfare," especially pp. 80, 86-88.
38 A basic distinction existing in the study of deterrence deals with the
difference between general deterrence, based on the attempt to prevent the
enemy from thinking at all about the possibility of attacking (e.g., as with
nuclear deterrence), and immediate deterrence, touching on a situation in
which an actor would like to take an action (e.g., move troops) and by using
threats the defender dissuades the enemy from taking such action. An
important discussion in this context could deal with the meaning of each of
these types of deterrence in cyberspace.
39 Libicki, for example, has started to analyze extended deterrence in
cyberspace (see Libicki, Cyber Deterrence and Cyberwar, pp. 104-6), and it
is possible to develop the discussion of theoretical issues discussed in the
literature with regard to extended deterrence. For a discussion of the concept
of extended deterrence see, e.g., Paul Huth, Extended Deterrence and the
Prevention of War (New Haven: Yale University Press, 1988).
40 The literature about deterrence stresses that it is necessary to transmit
the threat message to the enemy, including the price it will have to pay.
Therefore messages about defensive capabilities or revealing capabilities
have been noted as important elements in this context.
41 "U.S. Cyber Command Fact Sheet," US Department of Defense, May 25,
2010, http://www.defense.gov/home/features/2010/0410_cybersec/docs/cyberfactsheet%20updated%20replaces%20may%2021%20fact%20sheet.pdf.
In Defense of Stuxnet
James A. Lewis
The use of cyber techniques as intelligence tools dates back to the 1980s;
cyber attack by militaries dates back to the 1990s.3 The development of
offensive cyber techniques has accelerated in this century, when high
speed global networks became widely available and the internet moved
from being an accessory to being the central infrastructure for economic
and governmental activity. Whether it is network-centric warfare or
"warfare in informatized conditions" (as China puts it), cyber attack is not
new to military planners.
the most to gain from disrupting Iran's nuclear effort, what nation would
gain the most from spending immense resources to track Tibetan human
rights activists? In the last fifteen years, many collection programs like
Flame have become public; presumably there are others that are better
hidden. For espionage, cyber techniques are in good measure an extension
of traditional signals intelligence capabilities, and for China, an extension
of the distributed approach using multiple civilian agents seen in Chinese
human collection programs.
Both China and Russia use cyber exploits in ways that differ from the
cyber activities of Western services in important and potentially destabilizing
ways. Both rely on proxies, private hackers acting at the direction of the
state for government purposes. Proxies provide an increasingly feeble
degree of deniability (does any serious observer believe that China and
Russia do not control what happens on their networks?) and an advance
line of attackers that can shield state actions and, if necessary, be sacrificed
to placate other nations. Russian proxies have focused on financial crimes,
Chinese proxies on industrial espionage. Both nations provide a degree of
training and support to their proxies and insist on one cardinal rule: no
hacking against domestic targets. If this rule is observed and if the proxies
cooperate in tasks assigned by the state, they are free to act against targets
in other nations. Russian proxies were responsible for the exploits against
Estonia and Georgia (the latter were precisely coordinated with Russian
military plans);4 Chinese proxies were responsible for the exfiltration of
data from many economic and military targets in the US and other nations.
In contrast, neither the US nor its allies use proxies to engage in state
sponsored financial crime, and the US does not engage in industrial
espionage. US doctrine for the use of cyber techniques as an extension of
traditional tools of coercion is different, but certainly not unprecedented.
National Labs. Perhaps five nations have this capability (the US, the UK,
Israel, Russia, and China), and many other nations are trying to acquire
it. In this regard, the US may be primus inter pares, but it has peers (or near
peers) when it comes to cyber attack. Stuxnet may be the most advanced
such weapon (another hallmark of the US), but it is by no means a unique
capability.
Cyber attack is another option for military planners. With Stuxnet,
for example, planners could weigh the merits and disadvantages of cyber
attack, air strike, special operations teams, saboteurs, or missiles. Existing
military doctrines have been extended and adapted to the new mode of
attack. Nations have created cyber attack capabilities and have developed
doctrine and strategies for their use. These national doctrines are not the
same in all countries. We are in a period of experimentation as nations
evaluate this new military capability and explore how best to use their new
cyber capabilities. In addition to Russia's use of cyber attack in Estonia
and Georgia and alleged Israeli use in Syria, we have seen Russia and
China carry out reconnaissance for attacks on US critical infrastructure
(according to the head of the US National Security Agency),5 and probes
by Iran against Israel and Gulf states. The US used cyber attacks in the
1990s during the conflict with Serbia and against Iraqi air defenses between
Persian Gulf wars.
The US, Russia, China, and others include attacks on critical infrastructure
as part of their doctrine for the military use of cyber attack. Publicly available
doctrine suggests that each country makes decisions on the use of cyber
attack in a manner consistent with planning for the use of other long range
weapons, weighing factors such as the benefits of a strike, the risk of
escalation, and the potential for collateral effect. US doctrine shows some parallels to thinking
about strategic bombing and the use of aerial bombing to reduce the will and
capacity of an opponent to resist while avoiding a prolonged confrontation
with its military forces. Russian doctrine pays greater attention to disrupting
political stability and military command systems through cyber techniques,
and this resembles Soviet doctrine on crippling first strikes against NATO
by attacking critical infrastructure. China's doctrine is more opaque, but
public discussion has emphasized attacks on infrastructure to disrupt the
US ability to intervene in a regional crisis.6
Putting cyber attack in the context of military decision making (and
assuming that state and non-state actors overall have similar military
planning processes) has implications for use of cyber attacks. Nations are
no more likely to launch a cyber attack that causes physical damage against
the US or its allies after Stuxnet than they were before its discovery, nor
are they likely to stop using cyber techniques for espionage and political
coercion. We have not seen physically damaging attacks that could cause
damage, destruction, or casualties (as opposed to espionage and crime)
against the US and its allies from those countries with this capability
because they assess the risk of a violent response as too high. This is the
same reasoning that keeps them from launching aircraft or missiles against
the US. However, international practice and law do not justify the use
of force in response to espionage and crime, making the risk of a violent
response small and acceptable.
This reluctance to attack may change as other nations with a different
tolerance for risk, such as Iran, acquire advanced cyber attack capabilities,
or as actors who overestimate their ability to remain covert gain advanced
capabilities. What we do not know is how far non-state actors have
advanced in their ability to develop similarly destructive techniques. The
only indisputable evidence is that to date, we have not seen non-state
actors engage in such attacks. This may reflect an absence of motive or of
capability, and we cannot estimate how quickly such actors may gain the
ability to carry out Stuxnet-like attacks.
To the credit of the designers of Stuxnet, it was carefully written to
avoid collateral damage. Other attackers may not be so careful, but this
has nothing to do with access to the Stuxnet code. Potential opponents
still go through the same calculus of benefit and risk in deciding whether
to use force against the US, and they are deterred by the likely US military
response using all military assets at its disposal, not just cyber attack. They
may now cite Stuxnet as part of any public justification of attack, but this
will be an excuse, not part of their decision making. Nations are no more
likely to launch a cyber attack against the US or its allies after Stuxnet than
they were before its discovery.
How militaries will use the potential of cyber attack has important
implications that explain why Stuxnet and Flame did not greatly change
matters. Like any weapon, cyber attack has its own characteristics. Cyber
attacks can be fast, covert, and contain less political risk in some scenarios.
Their drawback is a less destructive payload. An attack planner will consider
these aspects, and assess the likelihood of a cyber attack achieving the
available Stuxnet code was part of a larger and more complex exploit that
involved a range of espionage techniques. The code was only part of the
exploit and by itself insufficient. Stuxnet, if relaunched, would not work.
The best evidence of this is that while many systems around the world
were infected, only one, in Iran, was damaged.
Iran may seek revenge for Stuxnet, but it was not news to the Iranians
that the US and other nations are engaged in covert campaigns aimed at
hampering their illicit nuclear weapons program, nor have the Iranians ever
been shy about using violence against the US or Israel. Iran is responsible
for the deaths of American personnel in Beirut, the Persian Gulf, and Iraq.
Stuxnet is another chapter in a covert, sporadic conflict between the US
and Iran that has been going on for more than thirty years.
Iran is also not bashful about uttering threats, and makes no secret of its
own desire to develop and use cyber attack techniques. Venomous rhetoric
against Israel by Iranian leaders may simply be rantings designed for a
domestic audience, but this does not excuse them. States bear responsibility
for the public remarks of their leaders. Given these threats, and in the
context of repeated violations of its international commitments regarding
nuclear weapons, to say that a covert action involving the use of software
against Iran's nuclear program (an action that produced no casualties or
collateral damage) is inappropriate is a strange conclusion.9
If we accept that the US was involved in Stuxnet, this is also not a
surprise. The US has a history of using covert action against aggressive,
non-democratic regimes. The capability was developed in World War II
(under the tutelage of the British) and was refined and expanded during
the Cold War. But the US has never used covert force against a democratic
nation or against a nation that posed no threat to international peace. We
can question the US ability to discern threats to peace (there have been
many errors), but Iran is not one of them. Covert action is preferable to
other military responses in many cases, as it reduces the risk of direct
confrontation or expanded conflict. Covert action is a middle ground
between acquiescence and open war, another tool for legitimate defense
for state use even if it is repugnant to some.
The US justified these interventions on the grounds that it is leading
a coalition of nations in defense of democracy, a role thrust upon it by
World War II and the Cold War. This role was generally accepted by the
community of democracies between 1941 and 1990. Even if we do not
accept the assertion that the US still leads a coalition of nations in defense
of democracy, we can make a strong case that Iran's behavior threatens US
security and international peace, justifying active measures in response.
The advantages of Stuxnet are many and the only regret we should feel
is that it was discovered prematurely. Launching Stuxnet posed much less
political risk than air strikes. There was no collateral damage, no televised
images of smoking buildings and weeping civilians, and no downed pilot
being marched through the streets of Tehran en route to being tortured.
The weaponized code cost much less than a single F-16.
Conclusion
Technologically advanced militaries have created cyber techniques and
will make use of them to advance their interests. There is conflict (even if
it is not warfare). If Stuxnet and Flame point to any risk, it is that a lack
of knowledge of the military and negotiating terrain for cyber security and
a quasi-superstitious understanding of cyber attack will impede efforts
to make cyberspace more stable and secure. Stuxnet and Flame were not
apocalyptic, not particularly new, and not the dawn of some new era of
warfare. Technology has reshaped warfare since the start of the industrial age.
We may not like this, but states and armed groups have rarely forsaken a new
capability. Nations may reject massively horrific weapons, but everything
else will be used. Cyber attack is no different. States will behave as they
Notes
1 Malicious cyber action can be defined as software sent over digital networks
to illicitly access target computers and execute instructions without the
owner's permission.
2 James A. Lewis and Katrina Timlin, Cybersecurity and Cyberwarfare, UNIDIR
Resources, 2001, www.unidir.org/pdf/ouvrages/pdf-1-92-9045-011-J-en.pdf.
3 Clifford Stoll's The Cuckoo's Egg: Tracking a Spy through the Maze of Computer
Espionage (New York: Doubleday, 1989) details Soviet cyber espionage in
the 1980s. While there is little public discussion of cyber attacks by the US
against Serbia in the 1990s, US officials have provided details in interviews.
4 US Cyber Consequences Unit, "Overview by the US CCU of the Cyber
Campaign against Georgia," August 2009, http://www.registan.net/wpcontent/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf.
5 "Militarisation of Cyberspace: How the Global Power Struggle Moved
Online," The Guardian, April 2012, http://www.guardian.co.uk/technology/2012/apr/16/militarisation-of-cyberspace-power-struggle.
6 See, for example, Steve DeWeese, Capability of the People's Republic of China
to Conduct Cyber Warfare and Computer Network Exploitation, Northrop
Grumman, October 2009.
7 Robert Oppenheimer, scientific head of the project to develop an atomic
bomb, quoted this statement from the Bhagavad Gita at the first successful
test.
8 Cyber-like-nuclear scenarios involve long chains of dubious assumptions
about the political effect of attack and the resilience of the target. For a
longer discussion, see James Lewis, "Assessing the Risks of Cyber Terrorism,
Cyber War and Other Cyber Threats," CSIS, December 2002, http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf.
9 See, for example, Robert Wright, "How Obama's Cyberweapons Could
Boomerang," The Atlantic, June 2012; Misha Glenny, "We Will Rue Stuxnet's
Cavalier Deployment," Financial Times, June 2012, http://www.ft.com/cms/s/0/6b674600-afc7-11e1-a025-00144feabdc0.html#axzz25KCLvt33; or
Jason Healy, "Stuxnets Are Not in the US National Interest: An Arsonist
Calling for Better Fire Codes," Atlantic Council, June 2012. Note that the
triggering event for these cries of anguish was not the actual attack, but a
news story about the attack, illustrating the media driven nature of much of
the discussion. Noise in the press is not a good measure of actual risk.
10 "ITU Teams Up with Kaspersky Lab for ITU Telecom World 2012,"
http://www.kaspersky.com/about/news/business/2012/ITU_Teams_Up_with_Kaspersky_Lab_for_ITU_Telecom_World_2012.
11 "Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat,"
http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat/.
12 Munk School of Global Affairs, "Iranian Anti-Censorship Software
Simurgh Circulated with Malicious Backdoor," May 2012, https://citizenlab.org/2012/05/iranian-anti-censorship-software-simurgh-circulatedwith-malicious-backdoor-2/.
Cyber threats have been on the security political agenda for a number of
years. Since RAND researchers John Arquilla and David Ronfeldt suggested
in 1993 that "cyberwar is coming!"1 cyberwar has become the most prominent
buzzword in the debate surrounding computers, national security, and
cyberspace. Being at the mercy of well-publicized events and occurrences,
interest in the topic used to flare up whenever anything involving the
aggressive use of computers hit the news, only to disappear again when
other issues took over the limelight.
This changed in 2010. In particular, it was Stuxnet, the sophisticated
computer worm written to sabotage systems that control and monitor
industrial processes, that stirred up the international community in major
ways and catapulted the cyber topic into the sphere of public fears and to
the top of everybody's threat list. As a result, more and more countries
consider cyber attacks to be one, if not the major future security threat.
But how justified is this assumption? And what has Stuxnet really
changed in the debate?
This article aims to provide a balanced picture of the phenomenon
of cyberwar. It will show how and why the meaning of cyberwar has
evolved from the narrow conception referring exclusively to military
interaction to its broad meaning, which has become detached from war
and encompasses almost every activity linked to the aggressive use of
computers. In particular, it will distinguish between different forms of
cyber conflict in order to lay the ground for a levelheaded threat assessment.
Dr. Myriam Dunn Cavelty is head of the New Risk Research Unit at the Center for
Security Studies in Zurich, Switzerland.
This article was first published in Military and Strategic Affairs 3, no. 3 (2011): 11-19.
It further shows that there is probably less change and more persistence
in the cyber threat debate at large than is currently acknowledged. The
threat image has been quite solid since the late 1990s, and Stuxnet has
not changed this to any substantial degree. The same can be said for the
countermeasures that are planned or envisaged.
against the US war machine might instead plan to bring the US to its knees
by striking against vital points at home, namely, critical infrastructures.3
The concept of critical infrastructure includes sectors such as information
and telecommunications, financial services, energy and utilities, and
transport and distribution. It also includes a list of additional elements
that vary across countries and over time.4 Most of these sectors rely on
a spectrum of software-based control systems for their smooth, reliable,
and continuous operation.
With the growth and spread of computer networks into more and more
aspects of everyday life, the object of protection moved from being perceived
to be limited proprietary (governmental, mainly military) networks to
encompass the whole of society, or rather its way of life, provided by the
uninterrupted sub-structure of technology.5 On this basis, a comprehensive
threat image with two interrelated sides evolved. First, an inward-looking
perspective sees the very connectedness of infrastructure systems as
posing dangers, because perturbations within them can cascade into
major disasters with immense speed and beyond our control. Advances
in information and communication technology have thus augmented the
potential for major disaster in critical infrastructures by vastly increasing
the possibility for local risks to mutate into systemic risks. Second, an
outward-looking perspective focuses on the increasing willingness of
malicious actors to exploit vulnerabilities without hesitation or restraint.
Because critical infrastructure systems combine symbolic and instrumental
values, attacking them becomes integral to a modern logic of destruction
that seeks maximum impact.
In addition, the cyber dimension reformulates space into something no
longer embedded in place or presence. The enemy becomes a faceless
and remote entity, a great unknown that is almost impossible to track. This
results in two significant characteristics of the threat representation. First,
the protective capacity of space is obliterated; there is no place that is safe
from an attack or from catastrophic breakdown in general. Second, the
threat becomes quasi universal because it is now everywhere.
A Cyber Phenomenology
It comes as little surprise, then, that cyber threats are feared the way they
are. Nonetheless, every observer cannot help but notice how unspecified
the threats actually are. By leaving its military confines, the concept became
Threat Assessment
That said, how endangered are we? Conflicts in cyberspace have been a
reality for over a decade: elements of any political, economic, and military
conflict take place in and around the internet. Furthermore, criminal and
espionage activities aided by information and communication technologies
take place every day. But in the entire history of computer networks, there
have been very few examples of severe attacks that had the potential to
disrupt or actually did disrupt the activities of a nation state in a major way.
There are even fewer examples of cyber attacks that resulted in physical
violence against persons or property. The huge majority of cyber attacks
are low level and cause inconvenience rather than serious or long term
disruptions. In fact, it has been convincingly shown that a pure (or strategic)
cyberwar is very unlikely to ever occur, with attacks on computer systems
more likely to be used in conjunction with other, physical forms of attack.11
Did this estimation change with Stuxnet? Classifying Stuxnet according
to the escalation ladder is a challenge. Stories and speculations about the
worm, its origins, and its intent exist by the thousands.12 Well written or less
so, they all contain bits and pieces of a puzzle that is inherently unsolvable.
The pieces of the puzzle all seem to suggest that only one or several nation
states (the usual cui bono logic pointing either to the US or Israel) would
have the capability and interest to produce and release Stuxnet in order
to sabotage the Iranian nuclear program. Though the world will probably
never know for certain who is behind this piece of code, the majority of
strategic planners out there are willing to believe that a digital first strike
has occurred and a virtual Pandora's Box has been opened.
However, even if the most extreme case is assumed, namely that the majority of
states in this world have developed effective and powerful cyber weapons
or will in the near future (which is very doubtful), the mere existence and
availability of such capabilities does not automatically mean that they will
be used. The cyber realm seems to lead people to assume that because they
have vulnerabilities they will be exploited. Still, in security and defense
matters, careful threat assessments need to be made. Such assessment
necessitates the careful deliberation of the following question: Who has
the interest and the capability to attack us, and why would they? For
many democratic states, the risk of war has moved far to the background.
The risk of a cyber attack of the severest proportions should be treated the
same if there is no natural enemy.
is not a new concept, of course, but its current rise indicates a significant
and crucial shift in thinking. While protective (and defensive) measures
aim to prevent disruptions from happening, resilience accepts that certain
disruptions are inevitable.
Such thinking is absolutely necessary and needs to become rooted deeply
in politicians' minds and subsequently in the minds of the population.
Information networks can never be secure in the national security sense.
In fact, the opposite is true: cyber incidents are fated to happen, because
they simply cannot be avoided. In other words, even the most perfect
defenses will not be able to guarantee that nothing severe will happen in
a networked world.
States have the tendency to react forcefully to such a challenge and try
to increase the level of security by all means. But cyberspace should not
be mistaken for just another realm in which military action can be taken
at will. To continue reaping the benefits of the cyber age, it is necessary to
learn how to live with insecurity in pragmatic ways. Apart from legal and
strategic restraints that will certainly be factored into any consideration of
whether to use cyber attacks as weapons or not, the biggest impediment
should be fears of uncontrollable blowback. First of all, repercussions could
emerge directly through the interdependencies between various critical
assets that characterize the environment. Second, blowback may be felt
through the more intangible effect of undermined trust in cyberspace, with
damaging repercussions for the global economy.15
By implicitly or explicitly moving an issue into the realm of national
security and military actions, one tends to subject it to the rules of an
antagonistic zero-sum game, in which one party's gain is another party's
loss. The logic of cyberspace, however, is a different one. Like the governance
of space and the oceans, its governance requires globally accepted norms.
The avenues currently available for arms control in this arena are primarily
information exchange and norm building, whereas attempts to prohibit
the means of cyberwar altogether or to restrict the availability of cyber
weapons are likely to fail. However, these difficulties should not prevent the
international community from pushing all countries to adopt responsible
limits and self-restraint in the use of cyber weapons and from thinking
about new and innovative ways to enhance protection of vital computer
networks without inhibiting the public's ability to live and work with
confidence on the internet.
Notes
1 John Arquilla and David F. Ronfeldt, "Cyberwar is Coming!" Comparative
Strategy 12, no. 2 (1993): 141-65.
2 Greg Rattray, Strategic Warfare in Cyberspace (Cambridge: MIT Press,
2001); Michael O'Hanlon, Technological Change and the Future of Warfare
(Washington: Brookings Institution, 1999).
3 Myriam Dunn Cavelty, Cyber-Security and Threat Politics: US Efforts to Secure
the Information Age (London: Routledge, 2008).
4 Elgin Brunner and Manuel Suter, International CIIP Handbook 2008/2009
(Zurich: Center for Security Studies, 2009).
5 Myriam Dunn Cavelty, "Cyber-Security," in Peter Burgess, ed., The Routledge
Handbook of New Security Studies (London: Routledge, 2010), pp. 154-62.
6 Chris Demchak, "Cybered Conflict as a New Frontier," Atlantic Council,
October 28, 2010, http://www.acus.org/new_atlanticist/cybered-conflict-new-frontier.
7 Bruce Schneier, "Cyberwar," Schneier on Security: A Blog Covering Security and
Security Technology, June 4, 2007, http://www.schneier.com/blog/archives/2007/06/cyberwar.html.
8 Cf. Clay Wilson, Computer Attack and Cyber-terrorism: Vulnerabilities and
Policy Issues for Congress, Congressional Research Report for Congress
(Washington: Congressional Research Service, 2003) and Dorothy Denning,
"Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for
Influencing Foreign Policy," in John Arquilla and David F. Ronfeldt, eds.,
Networks and Netwars: The Future of Terror, Crime, and Militancy (Santa
Monica: RAND, 2001), pp. 239-88.
9 Martin Libicki, Defending Cyberspace and Other Metaphors (Washington:
National Defense University, 1997), p. 38.
10 Schneier, "Cyberwar," http://www.schneier.com/blog/archives/2007/06/cyberwar.html.
11 Peter Sommer and Ian Sommer, "Reducing Systemic Cybersecurity Risk,"
OECD/IFP Project on Future Global Shocks, 2011, www.oecd.org/dataoecd/3/42/46894657.pdf.
12 Two prominent examples are: Mark Clayton, "Stuxnet Malware is Weapon
out to Destroy Iran's Bushehr Nuclear Plant," Christian Science Monitor,
September 21, 2010, www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant; and William J.
Broad, John Markoff, and David E. Sanger, "Israeli Test on Worm Called
Crucial in Iran Nuclear Delay," New York Times, January 15, 2011,
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html.
13 Myriam Dunn Cavelty and Manuel Suter, "Public-Private Partnerships are
no Silver Bullet: An Expanded Governance Model for Critical Infrastructure
Protection," International Journal of Critical Infrastructure Protection 2, no. 4
(2009): 179-87.
Introduction
The first motion picture ever screened before an audience was produced
by the Lumiere brothers in 1895. It showed a train entering a station,
seemingly moving toward the viewers in the hall. The spectators, who
were convinced that the train was approaching them, screamed in panic
and fled the building. During the first movie ever shown, it seemed to the
spectators that what they were seeing was reality.1
Cyber terrorism is a field in which reality and science fiction are sometimes
intertwined. If we examine one of the key concepts in cyberspace, namely
dealing with terrorist threats, we find that the rationale underlying the
concept (which emerged after the formative events at the beginning of
the twenty-first century, such as the Y2K bug and the September 11, 2001,
terrorist attacks) is that the world appears to be at the peak of a process
that belongs to the post-modern and post-technology era, an era with
no defensible borders, in which countries are vulnerable to invasion via
information, ideas, people, and materials; in short, an open world. In
this world the threat of terrorism takes a new form: a terrorist in a remote,
faraway basement has the potential ability to cause damage that completely
changes the balance of power by penetrating important security or economic
systems in each and every country in the world and accessing sensitive
information, or even by causing the destruction of vital systems.2
Can the reality of September 11, 2001, when a terrorist organization
that had planned an attack for two years, including by taking pilot training
Dr. Gabi Siboni is a senior research fellow and the head of the INSS Cyber Warfare
Program. Daniel Cohen is the coordinator of the Cyber Warfare Program at INSS.
Aviv Rotbart is a doctoral student in the Department of Computer Science at Tel
Aviv University.
This article was first published in Military and Strategic Affairs 5, no. 3 (2013): 3-29.
Gabi Siboni, Daniel Cohen, and Aviv Rotbart | Unraveling the Stuxnet Effect
[Figure: definition of cyber terrorism as a "non-state organization with political motives" carrying out a "deliberate or indiscriminate attack on civilians in cyberspace"]
Analysis of Capabilities
Cyberspace contributes to the enhancement of knowledge and acquisition
of capabilities. In addition, technology is useful in creating an anonymous
communications network.3 Similarly, cyberspace serves as a platform for
expanding the circle of partners for terrorist activity. In contrast to the
recruitment of terrorist operatives in the physical world, in cyberspace it is
possible to substantially enlarge the pool of participants in an activity, even
if they are often deceived into acting as partners by terrorist organizations
using the guise of an attack on the establishment. This phenomenon is
illustrated by the attacks by hackers against Israeli targets on April 7, 2013,4
when some of the attackers received guidance concerning the methods and
targets for the attack from camouflaged Internet sites. The exploitation
of young people's anti-establishment sentiments and general feelings
against the West or Israel makes it possible to expand the pool of operatives
substantially and creates a significant mass that facilitates cyber terror
operations. For example, it has been asserted that during Operation Pillar
of Defense over one hundred million cyber attacks against Israeli sites
were documented,5 and that during the campaign and the attacks there
were quite a few operatives who followed developments through guidance
apparently provided by Iran and its satellites.6
On the one hand, the array of capabilities and means at the disposal
of terrorist organizations in cyberspace is limited because of its strong
correlation with technological accessibility, which is usually within the
purview of countries with advanced technological capabilities and companies
with significant technological capabilities. On the other hand, access to
the free market facilitates trade in cybernetic weapons and information
of value for an attack. One helpful factor in assembling these capabilities
is countries that support terrorism and seek to use proxies in order to
conceal their identity as the initiator of an attack against a specific target.
In addition, the terrorist organization must train experts and accumulate
knowledge about ways of collecting information, attack methods, and
Technological Capabilities
The decentralized character of the Internet makes trade in cyber weaponry
easy. Indeed, many hackers and traders are exploiting these advantages and
offering cyber tools and cyberspace attack services to anyone who seeks
them. A varied and very sophisticated market in cyber products trading for
a variety of purposes has thus emerged, with a range of prices varying from
a few dollars for a simple one-time denial of service attack to thousands of
dollars for the use of unfamiliar vulnerabilities and the capabilities to enable
an attacker to maneuver his way into the most protected computer system.
Thanks to cyberspace, this market is growing by building on the infrastructure
of social networks and forums that allow anonymous communications
between traders and buyers.16 In an interesting phenomenon, seen only
recently, these traders are leaving the web underground and stepping out
into the light. They can be found on the most popular social network of
all: Facebook.17 A blog by information security company RSA18 describes
a new situation, in which the traders offer their wares not only as goods,
but also as a complete service, including the installation of command
and control servers, training in the use of the tools, and even discounts,
bargains, and the option of buying only certain modules of the attack tool
in order to reduce the price. The growth of this market raises the question
whether and how terrorist organizations can use all the knowledge and
tools that have accumulated in the cyber crime market.
In order to answer this question, it is necessary to assess the gap between
the abundance of tools and capabilities currently offered for sale openly on
the Internet and the requirements of terrorist organizations. Today's market
for attack tools is aimed at cyber criminal organizations, mainly for purposes
of fraud, stealing funds from unwitting bank account holders, and identity
theft by collecting particulars from credit cards, bank account numbers,
identity cards and addresses, entry passwords to financial websites, and
the like. These tools are not necessarily suitable for the needs of terrorist
organizations. At the same time, many terrorist organizations might engage
in the practices of cyber criminal organizations for the sake of fundraising
to finance their main terrorist activity. The principal objective of terrorist
organizations (causing substantial damage and instilling fear) can be
Intelligence-Guided Capability
One of the key elements in the process of planning a cyber attack is the
selection of a target or a group of targets, damage to which will create the
effect sought by the terrorist organization. Towards this end, a terrorist
entity must assemble a list of entities that constitute potential targets for
attack. Technology that provides tools facilitating the achievement of this
task is already available free of charge. For example, the Facebook and
LinkedIn social networks can be used to find employees in the computer
departments of infrastructure companies, food companies, and the like.
Taking the Israel Electric Corporation as an example, academic studies19
show that company divisions can be mapped, employees can be found in the
various departments, and those with access to the company's operational
systems can be selected, all with no great difficulty.20 If these employees
are aware of the importance of information security, and therefore cannot
be directly attacked, their families and friends can be traced through
Facebook, and the desired target can be attacked through them. Social
networks constitute an important source for espionage and collection of
business and personal information about companies and organizations,21
and terrorist organizations can easily use the information distributed
through them for their own benefit.
Operational Capability
After collecting intelligence and creating or acquiring the technological
tools for an attack, the next stage for planners of cybernetic terrorism is
operational: to carry out an actual attack by means of an attack vector.26
This concept refers to a chain of actions carried out by the attackers in
which each action constitutes one step on the way to the final objective,
and which usually includes complete or partial control of a computer
system or industrial control system. No stage in an attack vector can be
skipped, and in order to advance to a given step, it must be verified that
all the preceding stages have been successfully completed.
The first stage in an attack vector is usually to create access to the target.
A very common and successful method for doing this in cyberspace is called
spoofing, that is, forgery.27 There are various ways of using this method,
with their common denominator being the forging of the message sender's
identity, so that the recipient will trust the content and unhesitatingly open
a link within the message. For example, it is very easy to send an e-mail
message to an employee at the Israel Electric Corporation (mentioned above)
in which the sender forges the address of a work colleague, a relative, or
another familiar person. The attacker's objective in this case is to make
the receiver of the message trust the content of the message and open its
attachments or enter the internet addresses appearing in it.
The forging of e-mail is an attack method that has existed for many
years. Defensive measures have accordingly been developed against it,
but attackers have also accumulated experience. Incidents can now be
cited of completely innocent-looking e-mail messages that were tailored
to their recipients, containing information relating to them personally or
documents directly pertaining to their field of business. The addresses of
the senders in these cases were forged to appear as the address of a work
kill chain is the conducting of active operations from within the victim's
computer, such as erasure, spreading of the tool, taking over the physical
devices accessible from the computer, and the like. The term Cyber Kill
Chain was chosen in order to emphasize that in order for the attacker
to succeed in carrying out a cyber attack, he must successfully complete
every milestone without being detected and without his access to the
target being blocked.
A terrorist organization seeking to attack operational systems will have
to carry out all the stages in the chain. These are advanced and complex
operations, which terrorist organizations usually do not know how to
implement by themselves. If the target is protected at a very low level, no
great technological capability will be required of the attacker in order to
create damage or achieve defacement. In most cases, however, the terrorists
will have to acquire products or services from expert hackers. In other
words, they will have to use outsourcing.
Within the offensive cyber products market, terrorists will find accessible
capabilities for a non-isolated target. In the same market, they will also
find attack products, and presumably they will likewise find products for
conducting operations on the target network (similar to the management
interface of the SpyEye29 Trojan Horse). Despite this availability, internet-accessible tools have not yet been identified for facilitating an attack on
an organizations operational systems. Access to these tools is possible in
principle,30 but the task requires large-scale personnel resources (spies,
physicists, and engineers), monetary investment (for developing an attack
tool and testing it on real equipment under laboratory conditions), and a
great deal of time in order to detect vulnerabilities and construct a successful
attack vector.
Amateur Attack
This action is taken using tools that are (in most cases) known to information
security companies and are identifiable by standard protection software
programs. Defenses against these tools have been developed, and they are
therefore likely to prove effective only against unprotected targets. Such
tools are usually used only for research or gaming purposes because only
in rare cases can they be used to steal valuable information or to sabotage
protected computer networks. They have spy and sabotage capabilities,
but these are not very sophisticated.
Minor Attack
This is an attack in which not much effort has been invested. Most of
its activity consists of searching on the internet for readymade tools or
purchasing them from companies that specialize in them. Attacks of this
type do not usually succeed in causing damage to entities that are attentive
to information security (state, military, and advanced industrial entities),
but they can penetrate private computers, steal information, and sabotage
them. In most cases, these attacks are one-time events (theft of an important
file, erasing a disc drive), but they can also sometimes be part of an extensive
attack, such as the theft of a computer's domain name system (DNS), which
makes it possible to monitor its activity on the internet.
The tools used in a minor attack do not include the various software
modules; they have a single inexpensive code component that carries out
all the actions of the tool. This code component is written in a way that will
not allow its capabilities to be easily altered or expanded, and it is target
oriented. Through the internet anyone can obtain this type of limited-capability cyber weapon for a few thousand dollars at most.
This category also includes the use of botnet software agents for DDoS
attacks. Creating the network is a more complex operation, but once it is
created, it can be used for many DDoS operations. It can also be leased
to others for denial of service from various websites lacking high-level
protection against such an attack.
Medium-Level Attack
This is an attack capable of causing significant damage or carrying out
advanced spy operations at a lower cost than that of a major attack (see
below). Usually this operation does not use new, unique vulnerabilities
[Table: rating of the four attack categories (Major Attack, Medium-Level Attack, Minor Attack, Amateur Attack) on a scale of Very good / Good / Mediocre / Poor across the assessment criteria]
and implanted a bogus tweet saying that the White House had been
bombed and the US president had been injured in the attack. The immediate
consequence of this announcement was a sharp drop in the US financial
markets and the Dow Jones Industrial Average for several minutes.36 The
SEA is also suspected of an attempt to penetrate command and control
systems of water systems. For example, on May 8, 2013, an Iranian news
agency published a photograph of the irrigation system at Kibbutz Saar.37
During Operation Pillar of Defense in the Gaza Strip in 2012 and over
the ensuing months, the Israeli-Palestinian conflict inspired a group of
hackers calling itself OpIsrael to conduct attacks38 against Israeli websites
in cooperation with Anonymous. Among others, the websites of the Prime
Minister's Office, the Ministry of Defense, the Ministry of Education, the
Ministry of Environmental Protection, Israel Military Industries, the Israel
Central Bureau of Statistics, the Israel Cancer Association, the President
of Israel's Office (official site), and dozens of small Israeli websites were
affected. The group declared that Israel's violations of Palestinian human
rights and of international law were the reason for the attack.
In April 2013, a group of Palestinian hackers named the Izz ad-Din
al-Qassam Cyber Fighters, identified with the military section of Hamas,
claimed responsibility for an attack on the website of American Express. The
company's website suffered an intensive DDoS attack that continued for two
hours and disrupted the use of the company's services by its customers. In
contrast to typical DDoS attacks, such as those by Anonymous, which were
based on a network of computers that were penetrated and combined into
a botnet controlled by the attacker, the Izz ad-Din al-Qassam attack used
scripts operated on penetrated network servers, a capability that allows
more bandwidth to be used in carrying out the attack.39 This event is part of
an overall trend towards the strengthening of Hamas's cyber capabilities,
including through enhancing its system of intelligence collection against
the IDF and the threat of a hostile takeover of the cellular devices of military
personnel, with the devices being used to expose secrets.40
cyber attacks have been mainly against the target organization's gateway.
The main attack tools have been denial of service attacks and attacks on
a scale ranging from amateur to medium level, primarily because the
capabilities and means of terrorist organizations in cyberspace are limited.
To date they have lacked the independent scientific and technological
infrastructure necessary to develop cyber tools capable of causing significant
damage. Given that terrorist organizations lack the ability to collect high
quality intelligence for operations, the likelihood that they will carry out
a significant cyber attack appears low.
In order for a terrorist organization to operate independently and carry
out a significant attack in cyberspace, it will need a range of capabilities,
including collecting precise information about the target, its computer
networks, and its systems; purchasing or developing a suitable cyber tool;
finding a lead for penetrating an organization; camouflaging an attack tool
while taking over the system; and carrying out an attack in an unexpected
time and place and achieving significant results. It appears that independent
action by a terrorist organization without the support of a state is not self-evident. The same conclusion, however, cannot be drawn for organizations
supported and even operated by states possessing significant capabilities.
There is also the possibility of attacks by terrorist organizations through
outsourcing. A review of criminal organizations reveals that they have
made significant forward strides in recent years. The Kaspersky laboratory
recently exposed a new group of attackers, apparently commissioned by
criminal organizations or by a state for industrial espionage purposes.
This is a group of hackers named Icefog that concentrates on focused
attacks against an organization's supply chain (using a hit-and-run method),
mainly in military industries around the world.41 Another development
is the distribution of malicious codes using the crime laboratories of the
DarkNet network, which has increased access to existing codes for attack
purposes. Criminal organizations are already using the existing codes for
attacks on financial systems by duplicating them and turning them into
mutation codes.42
There is a realistic possibility that in the near future terrorist organizations
will buy attack services from mercenary hackers and use mutation codes
based on a variation of the existing codes for attacking targets. This possibility
cannot be ignored in assembling a threat reference in cyberspace for
attacks on the gateway of an organization or even against its information
against Israel and other Western countries in the cyber warfare sphere.
Developments in the criminal attack market, however, are liable to
produce significant attack capabilities. These developments, combined
with the support and guidance in intelligence and operations provided
by technological powers like Iran, could lead to dangerous activity in the
cyber field on the part of terrorist organizations. This threat, therefore,
should not be taken lightly. Even though no significant activity by terrorist
organizations in the cyber field has been observed yet, the development of
the threat in this sphere requires appropriate organization.
Notes
1 The authors would like to thank Noam K. from the National Cyber Staff and Doron Avraham and Keren Hatkevitz, interns in the Cyber Warfare Program at the INSS, for their assistance in preparing this article. Michal Aviad, Documentary Film (Tel Aviv: Heidekel, 2007), p. 5.
2 For example, see Haim Pass and Dan Meridor, eds., 21st Century Battle: Democracies Fight Terrorism, Study Forum (Jerusalem: Israel Democracy Institute, 2006), p. 25.
3 For example, see Tor, a software program that helps create anonymity on the web. Each layer is encrypted, and each relay on the route strips its own layer and forwards the message to the next relay. This principle is called onion routing, https://www.torproject.org.
4 Oded Yaron, "Hackers Plan Cyber Attack against Israeli Targets in April," Haaretz, March 14, 2013, http://www.haaretz.com/news/diplomacy-defense/hackers-plan-cyber-attack-against-israeli-targets-in-april.premium-1.509214.
5 "Steinitz: Military Threat against Israel has also Become a Cyber Terror Threat," Globes, July 9, 2013, http://www.globes.co.il/news/article.aspx?did=1000860690.
6 See the statement by Prime Minister Benjamin Netanyahu on this subject: "Netanyahu: Iran and Its Satellites Escalating Cyber Attacks on Israel," Globes, June 9, 2013, http://www.globes.co.il/news/article.aspx?did=1000851092.
7 This refers to any system for storing, transporting, or processing organizational information, whether or not it is connected to the internet, and whether or not it constitutes part of the organization's core business.
8 An organization's core operational system is the hardware on which the organization's core processes are managed and the software used for that purpose (whether it is a security organization or a civilian business). Disruption or destruction of such a system can halt all or part of the organization's activity and could cause physical damage in certain cases.
9 An industrial control system (ICS) is a tool that integrates software and hardware components and is designed to oversee a physical production
process. The system contains sensors that monitor the controlled process and controllers that act on it. The system is also likely to include a connection to the organization's other computer networks and sometimes also to the internet.
10 This type of attack is also carried out independently by activists and anarchists, or on behalf of and guided by a terrorist organization.
11 "Shamoon Virus Targets Energy Sector Infrastructure," BBC News Technology, August 17, 2012, http://www.bbc.co.uk/news/technology-19293797.
12 In this incident, malicious code was inserted into Aramco's computer system, and 30,000 computers were put out of action as a result.
13 Ralph Langner, lecture on the subject of securing industrial control systems, Annual Cyber Conference, Institute for National Security Studies, September 4, 2012, http://youtube/sBsMA6Epw78.
14 "The Disturbing World of the Deep Web, Where Contract Killers and Drug Dealers Ply their Trade on the Internet," Daily Mail, October 11, 2013, http://www.dailymail.co.uk/news/article-2454735/The-disturbing-world-DeepWeb-contract-killers-drug-dealers-ply-trade-internet.html.
15 Jesse Emspak, "Why We Won't Soon See another Stuxnet Attack," Tech News Daily, July 24, 2011, http://www.technewsdaily.com/7012-stuxnetanniversary-look-ahead.html.
16 Aditya K. Sood and Richard J. Enbody, "Crimeware-as-a-Service: A Survey of Commoditized Crimeware in the Underground Market," International Journal of Critical Infrastructure Protection 6, no. 1 (March 2013), http://www.sciencedirect.com/science/article/pii/S1874548213000036.
17 A Facebook page offering cyber weapons for sale can be found at https://www.facebook.com/groups/53807916899/.
18 Limor Kessem, "Zeus FaaS Comes to a Social Network near You," RSA Speaking of Security, April 2013, http://blogs.rsa.com/zeus-faas-comes-to-asocial-network-near-you/.
19 Michael Fire, Rami Puzis, and Yuval Elovici, "Organization Mining Using Online Social Networks," arXiv:1303.3741.
20 Aviad Elishar, Michael Fire, Dima Kagan, and Yuval Elovici, "Homing Socialbots: Intrusion on a Specific Organization's Employee Using Socialbots," International Workshop on Social Network Analysis in Applications (SNAA), August 2013.
21 Fernando M. Pinguelo, Bradford W. Muller, Norris McLaughlin, and P.A. Marcus, "Is Social Media a Corporate Spy's Best Friend? How Social Media Use May Expose Your Company to Cyber-Vulnerability," Bloomberg Law, http://about.bloomberglaw.com/practitioner-contributions/is-social-mediaa-corporate-spys-best-friend/.
22 Internet Census 2012, Carna Botnet, http://internetcensus2012.bitbucket.org/paper.html.
23 Map of SCADA systems in the world, http://goo.gl/maps/nqnan.