The Dogs of Web War

Jan. 1, 2008

After years of claims and counterclaims concerning the severity of national security threats in cyberspace, the picture is at last starting to become clear. Recent jousting within cyberspace has provided clues about what to expect from combat in this new domain.

For example, China has been positively identified as a source of “campaign-style” cyber attacks on Department of Defense systems. Russia, moreover, is the prime suspect in last spring’s notorious cyber assault on Estonia.

Outside the military realm, too, cyber attacks are forming a persistent threat to aerospace enterprises and other parts of the US industrial base.

More than ever before, cyberspace is on the minds of America’s top leaders. Air Force Gen. Kevin P. Chilton, the new head of US Strategic Command, said during his confirmation hearing that “attacks impacting our freedom to operate in space and cyberspace pose serious strategic threats.”

Defending the nation from cyberspace attacks is STRATCOM’s mission—but one of the big challenges is assessing the strategic threat and demarcating lines of response.

It all begins with knowing the adversary. China is at the top of most lists of nations with advanced cyber capability—and the will to use it.

Capt. Jason Simmons (l) and SSgt. Clinton Tips update anti-virus software at Barksdale AFB, La. (USAF photo by TSgt. Cecilio Ricardo)

Because of the overall tenor of military competition with China, every report of Chinese activity raises hackles. In fact, there’s been a steady level of reported skirmishing in cyberspace this decade.

Tactic No. 1 is near-constant pressure on US government systems. The goal of these attacks is to breach systems and leave behind malicious code capable of redirecting network activity or enabling access to stored data—to change it or steal it. “Cyber is all about ‘protect it or steal it,'” Lt. Gen. Robert J. Elder Jr., commander of 8th Air Force and USAF’s point man on cyber issues, said last year.

Sometimes cyber attacks take place during more traditional crises. In April 2001, the Chinese were preparing a hacker onslaught during the tense period when a US Navy EP-3 crew was held after making an emergency landing following a midair brush with a Chinese fighter. The FBI cautioned network operators in government and commercial sectors to keep up their guard.

Sure enough, in May 2001, Chinese hackers took down the White House Web site for almost three hours with a denial-of-service strike. Since then, the attacks originating from servers in China have grown in sophistication and intensity.

In 2003, a barrage of attacks from China hit Pentagon systems. The incursions were notable enough to get their own temporary code name, Titan Rain.

In February 2007, officials at Naval Network Warfare Command acknowledged that Chinese attacks had reached the level of a campaign-style, force-on-force engagement, according to Federal Computer Week.

Then, last April 26, came the first full-blown cyber assault resembling an act of war. A controversy over moving a bronze statue of a Russian soldier from the center of Tallinn, capital of Estonia, ended with a massive, coordinated assault on Estonia’s cyber institutions. Many Web sites, both commercial and government, were shut down for days in the highly wired society.

Cyber Fingerprints

Unavailable, however, was firm attribution of who was responsible for the attack on the tiny NATO ally. Some of the cyber fingerprints suggested Russian involvement, but the nature of cyber attacks made the origin hard to verify. Russia officially denied involvement, noting that Russian computers could have easily been used by hackers worldwide.

“Estonia was kind of a wake-up call,” said Marine Corps Gen. James E. Cartwright, vice chairman of the Joint Chiefs of Staff and previous head of STRATCOM. “We’ve got to make sure we have situation awareness at a scale commensurate with our equities.”

All doubt about Chinese culpability in these sorts of attacks vanished shortly after Russia’s likely assault on Estonia. Pentagon sources acknowledged that a Chinese attack broke into an unclassified e-mail system used by the Office of the Secretary of Defense in June 2007. As reported by the Financial Times, the Pentagon attributed the attacks not only to Chinese server locations but to the People’s Liberation Army itself.

President Bush addressed the issue in some depth after the reports, saying, “A lot of our systems are vulnerable to cyber attack from a variety of places.” The first question planners should ask should be “what are you doing to defend America against cyber attack? … Are you then providing expertise and technology necessary to defend?”

Bush’s remarks seemed to indicate more than a passing interest in the topic. “We understand that we’re vulnerable in some systems—some, by the way, more valuable than others,” he concluded.

Air Force Lt. Gen. Daniel P. Leaf, deputy commander at US Pacific Command, told the Washington Times in November 2007 that computer attacks were a growing problem. “We’re very concerned about that—for the information that may be contained on [the networks] or for the activities we conduct that are command and control and situation awareness related,” he said.

The attacks are of interest not for their fleeting effects—but for what they suggest about adversary intent, evolving capabilities, and the potential for debilitating breaches.

“China has put a lot of resources into this business,” said Elder. Communist China’s public doctrine calls for dominating the five domains of air, land, sea, space, and the electromagnetic spectrum. Although “they’re the only nation that’s been quite that blatant,” Elder said, “they’re not our only peer adversary.”

Chinese cyber attacks also have a second goal: industrial espionage, with attempts made to access corporate databases. That tactic has been around 20 years or more, since early users of the Advanced Research Projects Agency Network (ARPAnet) first noticed Soviet operatives logging into the network from overseas sites to trawl file directories of the university and think-tank nodes.

China’s attacks were not unlike the so-called Moonlight Maze incursions emanating from Russia. In the late 1990s, a band of Russian hackers was alleged to have stolen research and development secrets from commercial and government sites in the US and resold them.

Targeted e-mail attacks have become more and more alluring. In late 2006 and 2007, a common technique was to e-mail false news updates, such as one attack that offered news on a missile shootdown in Iraq.

On Aug. 21, 2007, e-mail attacks originating in China targeted 28 defense contractor sites in the United States. In this case, defense contractors were tempted with an attachment purporting to discuss engine modifications for the Pioneer unmanned aerial vehicle.

According to the FBI, the e-mail text contained an actual presentation that had embedded a malicious code known as “Poison Ivy.”

The FBI soon traced the attack to Internet Protocol address 218.106.252.77—which turned out to belong to CNC Group-BJ, CNC Group Beijing Province Network.

While the FBI reported that this intrusion was not successful, experts still shook their heads at the rapid morphing of these offshore probes.

Capt. Danny Stout, a USAF air liaison officer deployed with the Army’s 82nd Airborne Division, contacts F-16s flying overhead, above the mountains of Afghanistan. (USAF photo by SSgt. Russell Wicke)

All of this is creating a level of frustration. As Cartwright characterized it, “The probing of our networks, day in, day out, has gotten to a point where it’s so egregious it actually cries and demands that we take some kind of action.”

The first priority for the Pentagon is to protect the sophisticated suite of warfighting capabilities provided by the Air Force. Much of that depends directly on cyberspace.

“When we talk about cyber defense, we’re not just talking about trying to fit some kind of better virus protection on a computer,” said Elder. “We’re talking about protecting this ability to do these interdependent joint operations.”

By this definition, cyberspace is at the heart of expeditionary and global operations. “You have to realize we can go to any part of the world and we can start doing operations immediately because we can stand up the communications, the command and control systems, situation awareness systems, that we need to be able to do that,” he explained.

Elder predicted that American (and, specifically, Air Force) capabilities will step up, and in fact, they already have. An important distinction is that the cyber realm is not just the Internet—it is the use of the electromagnetic spectrum. In this realm, battles are waging constantly. “This is not something we will do next year or the year after that,” said Elder. “This is stuff we’re doing now.”

He noted last fall that ongoing cyber missions include defeating remotely triggered IEDs in Iraq, conducting electronic warfare operations, halting terrorist use of the Global Positioning System and satellite communications, and preventing jamming.

“We have peer competitors right now in terms of dealing with computer network attacks through computer network exploitation,” Elder said. He also let it be known that the US—and specifically, USAF—was committed to dominance in cyberspace. “I believe that we’re going to be able to ratchet up our capability,” he said, by harnessing the intellect and the technological might of the nation. “We’re going to go way ahead.”

The Air Force has recently taken bold action in this regard. In 2005, it elevated cyberspace to a level on par with air and space, when cyberspace was added to USAF’s mission statement.

Rules of Engagement

Elder himself oversaw the service’s cyberwar capabilities during the time when the mission was being reinforced by the creation of a new Cyber Command, the Air Force’s 10th major command.

A larger policy problem rests with calibrating cyberspace operations to a scale of legitimate action. Over the last decade, rules of engagement for kinetic military operations—like targeting a terrorist safehouse in Iraq—have become highly refined.

Theater-level rules of engagement, collateral damage estimation, and positive identification all must be observed before any strike takes place. Rules such as these keep responses proportionate to the political-military goals of an operation. It’s a framework familiar to the hundreds of thousands of US troops operating around the world today.

With cyberspace operations, that framework is not so prominent. German Chancellor Angela Merkel said recently that China “must respect a set of game rules.”

But what are those rules, and what constitutes a breach? Connecting cyberspace activities to the geographical norms of international politics is no easy task.

For centuries, most international law has depended on the concept of sovereign borders and sovereign rights of states to gauge legitimacy. Everything from the Geneva Convention to the law of armed conflict is predicated on most offenses taking place between—or within—sovereign states. Rules of war also take for granted that events occur at a physical location tracing back to a nation-state.

It is easy to tell when a state is using tanks or artillery against its neighbors or its own populace. With cyber attacks, it’s unclear when and whether the state is involved.

A NATO E-3 Airborne Warning and Control System aircraft accompanies three F-16s during a recent Link 16 airborne interoperability test mission. (USAF photo by Tom Reynolds)

Tracing attacks back to the originating Internet service provider does yield a physical location. (Cyberspace is projected from a physical infrastructure of servers, routers, and computers that have definite and sovereign physical locations.) However, cyberspace exists in a domain deemed independent of the nation-state.

What’s harder to establish is whether people conducting the attacks are hackers working on their own or at a government’s behest. If a computer remotely “occupied” by hackers traces a physical location to China, that is not necessarily evidence that China is behind the scheme. The ambiguity works both ways, however. If China is behind an attack, it has built-in deniability.

A Fundemental Question

“In this environment it’s just very difficult to tell the point of origin,” said Cartwright. “The source of the activity can be widely separated. Al Qaeda can live on a US ISP and execute from someplace else. How do we handle that?”

It boils down to a fundamental question: When does an attack in cyberspace become a de jure attack? Even in the case of Estonia, protected by NATO’s collective defense principle, the proper response to last spring’s attack was open to debate.

“If a bank or an airport is hit by a missile, it is easy to say that is an act of war,” said Madis Mikko, a spokesman for the Estonian defense ministry. “But if the same result is caused by a cyber attack, what do you call that?”

The problem applies not only to state vs. state cyber conflict but to the persistent intrusions into business networks. Cartwright noted that “most law is generated in property, and [cyberspace] doesn’t tend to respect property in the same way.”

Estonian police use tear gas and truncheons to disperse a crowd protesting the removal of a bronze statue of a Russian soldier from the center of the capital city. The clash resulted in a massive cyber attack on government and private Web sites. (AP photo)

Still undefined is the proper role for the US military. Inside the United States, legal precedent and direction limits what the military can do. According to Cartwright, “If it’s inside the US, if we’re to do anything about it, it’s got to be on dot.mil” for the military to act. Most classified military networks are self-contained and rarely subject to the same barrage of attacks carried via the Internet.

“If it’s outside that and they want the military to do anything about it, then its military support to civil authorities just like we would do with a hurricane or anything else,” he explained.

In fact, it’s the Department of Homeland Security that houses the key response teams for responding to Internet attack.

Already, however, Cartwright hinted at a greater freedom of action in the cyberspace commons. “Once you leave our shores, then the military authorities start to be present, and what we do is layer the defenses out as best we can to get the most warning, situation awareness that we can to protect our interests,” he said.

Given the constant probing, investing in survivability is a big priority. The cyber balance of power is “the most dynamic world we’ve ever seen,” said a senior STRATCOM official. Software security fixes may just last for hours.

Expect to see an impact on Air Force budgets as service leaders fund the new mission. “What we’re trying to do in ’08 and ’09 is to accelerate the programs that are tied to survivability of the Air Force portion of the global information grid,” Elder said.

The new Cyber Command will focus dedicated attention to the problem. Elder and others are working to lay the foundation for a cyberspace career path in the Air Force on a par with those for weapons systems and specialties. “We’re looking to set up a professional cadre of cyber operators, and this would be enlisted and officer,” Elder said.

Investing now in survivability should help keep down the costs of buying new technology. A prime system is the Combat Information Transport System Block 30. “This is a system that is reducing our exposure to the commercial Internet,” said Elder. “It’s providing us much greater situational awareness in terms of being able to track the traffic on our networks.”

Serious money is going to the effort. “Some things we’re trying to do with the CITS Block 30, for example, are in the range of half a billion dollars,” Elder said.

Investment will fund software tools to track vulnerabilities “before the hackers find them,” said Elder, and insulate them with database wrappers that create portals to block incursions. The Air Force is also investing in extensive database encryption—a proven technique. “It’s just much more difficult for someone to fool with your system when the data’s encrypted,” Elder said.

Yet it may take an increased sense of strategic threat to force clarification of the cyberspace mission.

Currently, there are classic divides. The intelligence community uses cyberspace in its tradecraft. Yet there is growing demand for operators to be able to exploit the same turf.

Also yet to be determined is how much traction the Air Force is getting with its commitment to cyberspace.

Creating Effects

Many acknowledge the current US cyberspace strategy is “dysfunctional”—to use Cartwright’s term from when he headed STRATCOM. But there’s been only tepid enthusiasm for the Air Force’s willingness to step up to the growing mission. Ultimately, the Air Force may be recognized as the chief force provider for cyber capabilities. Signs suggest it won’t come without a period of debate.

That debate will center first on the logic of cyberspace as a domain. To Air Force planners, the domain aspects have become self-evident. Cyberspace operations include activity to maintain the freedom to attack and freedom from attack in that domain. In fact, counterdomain operations are being defined, too.

As Elder put it, “The better your cyber is, the [more] quickly you can do decision-making, [to] create effects.” Degrading and slowing operations—especially to the point where “you can’t operate anymore”—creates what Elder termed a “counterdomain effect.”

Marine Corps Gen. James Cartwright (l) meets with USAF Lt. Gen. Robert Elder for a status brief on issues including the stand-up of Cyberspace Command. (USAF photo by SrA. Sonya Padilla)

Not all accept cyberspace as a clear-cut domain like air, space, or the sea, however. Cartwright, for one, pointed out that it all turns in part on whether cyberspace is to be treated as a truly separate and co-equal area of warfare. “That’s the huge debate,” he said. “Should this be a domain or not be a domain?”

Even as the pace of activity escalates, there’s a sense of proceeding carefully. Part of the concern rests with a reluctance to lock in poor solutions.

Cartwright urged senior leaders to recognize how much there is to learn from the younger generation. “The Joint Staff is an old staff, demographically,” he said. “So here we are, in charge of thinking our way through cyber without the 20-somethings.”

He warned against putting in place a rigid doctrine for cyberspace that might end up squashing the creative thinking that has always been a hallmark of the domain.

“If we try to use our industrial-age Napoleonic decision structures, are we disadvantaging ourselves?” asked Cartwright. He saw “a lot of cultural issues that far outreach the technical issues and the organizational constructs. What I’m most concerned about is protecting the decision space and the opportunity space of the 20-somethings.”

Then there is the issue of service roles and missions. Cartwright will watch to see how the services invested in cyberspace and follow the dollars as a way of monitoring their commitment. He said he would take particular notice if a service stopped investing somewhere to increase cash for cyberspace. “If service X says I’m giving up this class of toys, for cyber, it will be very telling about their risk equation,” he said.

But he stopped well short of handing over the cyber mantle to the Air Force. “Where we are right now, each of the services has found value,” Cartwright said. The Air Force is making investments and letting its money “speak about their risk equations. We’ve got enough time to let that play out.”

Rebecca Grant is a contributing editor of Air Force Magazine. She is president of IRIS Independent Research in Washington, D.C., and has worked for RAND, the Secretary of the Air Force, and the Chief of Staff of the Air Force. Grant is a fellow of the Eaker Institute for Aerospace Concepts, the public policy and research arm of the Air Force Association. Her most recent article, “There When it Counts,” appeared in the December 2007 issue.