In the wake of the network intrusion that embarrassed Sony and put corporations across the nation on alert, it’s clearer than ever that the U.S. is embroiled, willingly or not, in cyberwar.
But aside from having imposed economic sanctions on North Korea, Washington has not declared any further official response to the Sony Pictures hack.
While President Barack Obama in his State of the Union address this month proposed an update to cybersecurity laws to strengthen protections, the U.S. Department of Defense (DOD) has been building and training one of the most formidable state-sanctioned hacking groups in the world: its Cyber Command. Since 2009 the Pentagon has been role-playing what cyberattacks against U.S. systems could look like and how to respond.
“We train units using realistic scenarios, including force-on-force exercises against a simulated adversary on a closed, virtual exercise network,” said DOD spokeswoman Lt. Col. Valerie Henderson.
She said Cyber Command is “working to improve the quality and capacity of individual and unit training as we build out the 133 teams [with more than 6,000 people] of the Cyber Mission Force over the next two years.” The commander is Michael S. Rogers, who is also the director of the National Security Agency.
Located in Fort Meade, Maryland, Cyber Command is the hub for military cyberwar, synchronizing operations and resources with other agencies. According to Henderson, the command is “complementary to the authorities and capabilities of the Department of Homeland Security, Department of Justice and the Intelligence Community.”
But the president and the DOD face questions from lawmakers who want to know how the U.S. will launch cyberoffensives and what actions by hackers or other nations would provoke those offensives.
Although traditional acts of war use physical, or kinetic, violence to disrupt an enemy, attacks pursued from a computer keyboard can be just as effective as ballistics.
“[A] targeted cyberstrike on an electric or nuclear power plant could cause just as much damage as a kinetic attack,” said former CIA security researcher John Pirc. He added that such an attack could skirt the risk of hitting the wrong targets and minimize collateral damage.
The American public had little if any exposure to bona fide cyberattacks by its military on other nations’ industrial control system infrastructures until the summer of 2010, when the Stuxnet virus, which destroyed about one-fifth of Iran’s uranium enrichment centrifuges, was discovered.
Although no U.S. official ever claimed responsibility for the debilitating hack, security experts and the media implicated Israel and the U.S. as prime suspects. James “Hoss” Cartwright, a former vice chairman of the joint chiefs of staff, was the chief strategic architect of Stuxnet, which George W. Bush’s administration code-named Olympic Games.
Edward Snowden, the former National Security Agency contractor, explained in a recent video for PBS that “the NSA and its sister agencies are attacking the critical infrastructure of the Internet to try to take ownership of it. They hack the routers that connect nations to the Internet itself.” David Sanger of The New York Times reported earlier this month that the NSA found its way into North Korean servers by 2010.
Last year the Department of Justice ramped up its agenda to criminalize hackers employed by foreign countries’ militaries. In May 2014 the FBI filed charges of cyberespionage against five Chinese military hackers, all of whom the U.S. can’t fully prosecute because of the lack of an extradition treaty with China.
A cyberattack’s power often lies in its unknown origin, and claiming responsibility for an attack can thwart its usefulness while providing enemies and other hackers a justification to retaliate. As a result, U.S. cyberwar is shrouded in mystery and often carried out via proxy. Rather than engage directly with adversaries, the U.S. often turns a blind eye to hacks carried out by third parties.
Two weeks ago, vigilante hackers of the group Anonymous digitally targeted Al-Qaeda and ISIL in response to the groups’ support for the shooting at the French satirical publication Charlie Hebdo. Ultimately, Anonymous launched denial-of-service attacks, shutting down websites it attributed to Islamic militant groups while campaigning to censor jihadists’ social media accounts.
On Jan. 13, the White House proposed improvements to the intelligence community’s sharing programs that would boost collaboration between the government and the private sector. Intelligence officials insist that these programs, which rely heavily on hiring private contractors, are necessary to intercept and prevent attacks.
However, former FBI cyberinformant Hector “Sabu” Monsegur said the public sector’s reliance on contractors is destabilizing, as security companies must bribe hackers in order to obtain knowledge about the unprotected parts of their information infrastructure.
“You could list any major country, and they’re all involved in this kind of research,” he said. “Snowden proved [the U.S.] is in the middle of it. You may find out that a famous hacker gets arrested and his encrypted laptop full of a thousand vulnerabilities gets confiscated and all of his hacks are still sitting there.” Where those vulnerabilities end up, he said, makes all the difference in securing networks around the world.
Preparing for digital combat
Never before has a U.S. commander-in-chief delivered the traditional State of the Union address before Congress in the wake of cyberattacks attributed so directly to the government of another nation.
“I urge Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft and protect our children’s information,” Obama said in his address. “If we don’t act, we’ll leave our nation and our economy vulnerable.”
While Obama won’t publicly choreograph digital offensives, Pirc expects presidents to give “the order of cyberstrikes in the future.”
In mid-January the House Foreign Affairs Committee held a hearing to assess North Korea’s cyber and nuclear threat levels. Rep. Ted Yoho, R-Fla., asked, “What constitutes a cyberattack, and at what point do we deem it an act of war? How many people need to maybe die from it, or how much damage needs to happen to a country? Right now I see just a big gray area. Nobody’s willing to commit.”
The DOD is still developing a “training environment that the U.S. Cyber Command and the Cyber Mission Force needs to achieve and sustain military readiness in cyberspace,” Henderson said.
“The Internet is both an operational domain for the military and populated with billions of people conducting their lives and business,” said a U.S. military expert in cyberwarfare who requested anonymity because of the sensitivity of the issue. “A massive attack could bring many unintended consequences and is not something to be undertaken lightly.”
“Leaders will likely consider the risks and benefits of using a nonkinetic tool like cyberoperations versus a kinetic strike, like an airstrike,” he said. “Depending on context, they could choose to do either or both.”
Obama implored lawmakers to codify a plan that could be used to counter digital threats that could “shut down our networks, steal our trade secrets or invade the privacy of American families.”
As the U.S. ponders whether to launch attacks, pre-emptive or otherwise, other nations’ cybermilitias and hacker groups continue to plot against critical U.S. infrastructure. The Pentagon estimated in 2013 that its systems face about 10 million intrusion attempts daily.
Setting the stage for U.S. foreign policy in 2015, Obama and Congress seem to agree that the threat of a “cyber Pearl Harbor,” cited by former Defense Secretary Leon Panetta, grows more imminent by the day.