Richard A. Clarke and Robert K. Knake’s “Cyber War: The Next Threat to National Security and What to Do About It” (Harper Collins, 2010)

This article was featured in GSSR Vol. 1 Issue 1.
 
By David Vanca

The United States is at war and America’s critical infrastructure faces the danger of destruction of Pearl Harbor proportions. This is the sentiment that U.S. Defense Secretary Leon Panetta shared with business leaders in his speech to the Business Executives for National Security on October 12, 2012. Secretary Panetta warned that a cyber-attack against utility, transport systems, and financial services could be as damaging as the September 11 attacks. At the same time, he assured that the U.S. government is serious about strengthening the nation’s defensive and offensive cyber capabilities, and urged the private sector to support future national legislation for operations in cyberspace. Panetta’s warning strongly echoes themes discussed in Richard A. Clarke and Robert Knake’s 2010 book “Cyber War: The Next Threat to National Security and What to Do About It.” Clarke, a former cybersecurity tsar who served three presidents as an advisor on national security issues, and Robert Knake, an international affairs fellow at the Council on Foreign Relations, provided a picture of a Pearl Harbor-level cyber-attack two years before Secretary Panetta’s October 2012 speech. Given the discovery of sophisticated new cyber weapons such as Stuxnet and Flame, the current state of debate over cybersecurity legislation, and the new rules of engagement in cyberspace, the book is even more relevant today than it was in 2010.

Main Points

The book focuses on cyber threats from nation states rather than from cyber criminals, cyber terrorists, or “hacktivists.” Clarke and Knake define cyber war as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.” In the authors’ point of view, cyber war is real, global, and capable of occurring at the speed of light. Most importantly, the authors believe that cyber war has already begun, and that nations are preparing the cyber battlefield. Although the existence of cyber weapons like Stuxnet was not known to the authors when the book was published, Clarke and Knake predicted that the U.S. and several other countries possess cyber-attack capabilities that could devastate a modern state. The authors explain that many of the systems that private citizens and governments rely upon (banking systems, electric grids, air and rail transportation, Internet networks, etc.) could be successfully targeted and quickly destroyed or rendered inoperable. The authors argue that cyber war represents a greater threat to the security of the United States than to any other nation, because of the U.S.’s disproportionate and overwhelming dependency upon cyberspace. They warn that the U.S. is not adequately prepared for a potential cyber-attack from a nation state that possesses advanced capabilities for a cyber-attack, such as China, Russia, and even North Korea. They conclude that most future wars will include concerted wielding of both kinetic and cyber weapons.

Beyond these warnings, Clarke and Knake provide practical and theoretical prescriptions for improved national and international cybersecurity. They reason that the U.S. does not need to dominate the cyberspace domain since the U.S. already possesses the best offensive cyberspace capabilities. In contrast, they stress that the U.S. needs to create a cyberspace strategy that creates better defensive capabilities for America’s critical infrastructure. In short, the authors believe that the U.S.’s offensive prowess cannot make up for the weakness of its defensive position and conclude that the U.S. could suffer from self-deterrence unless it reduces its vulnerabilities to cyber-attack. Furthermore, according to the authors, defending the U.S. from cyber-attacks should be the first goal of cyber war strategy. They argue that the lack of a credible cyber defense strategy could cause escalation of a cyber-conflict into a kinetic conventional war.

Critical Assessment

Cyber War is a highly readable book that is increasingly relevant to today’s national security environment. The authors emphasize that the book is neither a technical, nor a military document, and accordingly, they simplify many technical details for the sake of streamlining and increasing the accessibility of their narrative. They make credible assessments about the inherent insecurity of the SCADA (Supervisory Control and Data Acquisition) systems that are part of the U.S. strategic infrastructure and of the Internet as a whole. The authors paint a picture of deficiency in the cyber-security of America’s critical infrastructure, which includes but is not limited to power grids and train, air-control, and financial system networks.

Clarke and Knake provide a number of hypothetical scenarios of major cyber-attacks on the U.S., including descriptions of how orchestrated triggering of dormant logic bombs and malware attacks could cause massive damage. They warn of collapsed air-traffic control, railroad disruptions and derailments, hacked and disrupted financial systems, exploded pipelines, and major blackouts across a large portion of the country. What the authors call “cyber Pearl Harbor” is an almost apocalyptic scenario: cities are cold, dark, and running out of food, ATMs and banks are not functional. Plane and train accidents and pipeline explosions in suburban areas cause scores of human casualties. They conclude that such a major cyber-attack is not only possible, but may not be punishable since the U.S. might not be able to correctly attribute the attack to any country or government.

The book’s greatest shortcoming is that it lacks footnotes, endnotes, and an index. Consequently, the credibility of some of the facts and statements is difficult to confirm. Though the authors may be correct in their assertions, the lack of sources does not establish the credibility of the authors’ claims and statements. Indeed, while the authors are engaging and skilled story tellers, at times, their warnings about the dangers of cyber-war border on fear mongering, such as their argument that the vulnerabilities of the internet may even turn copy machines, printers, and shredders into cyber-weapons that could be used by hackers and other cyber-attackers.

True, software is highly susceptible to hacking because software and network errors are not always quickly or easily discovered. And yes, there has been a steady increase of cyber-attacks on U.S. industrial and security networks in recent years, but the lack of proven use of cyber-weapons or logic bombs in the United States does not support the authors’ assertions that logic bombs were found “all over our electric grid.” The authors do not provide reliable substantiation to support this statement. To provide backing for their cautions, the authors quote an outdated Time magazine article from 1994 that warned about the dormant logic bomb that could attack the computer system that runs the U.S.’s national air defense system or central bank. Unfortunately, they fail to deliver any evidence that logic bombs have ever been used to attack U.S. critical infrastructure. Of course, the discovery of Stuxnet in June 2010 provides a prime example of the existence of a sophisticated logic bomb that managed to destroy hundreds of centrifuges in the uranium-enrichment facility in Natanz, Iran. The existence of Stuxnet puts Clarke and Knake’s assertions about dangers of logic bombs into a new perspective.

Ultimately, Clarke and Knake are at their strongest when they explain the challenges of creating a comprehensive strategy for national cybersecurity. Clarke’s government experience provides valuable insight and a unique perspective that helps the reader to understand the challenges that the federal government faces in creating such a strategy. The authors strongly criticize the government’s long-term inability and unwillingness to prescribe national strategy and standards for cybersecurity to the private sector. It is illuminating to discover that there is virtually no difference between different presidential administrations in terms of their willingness to regulate standards for network security in the private sector. The authors argue that a lack of government leadership on this front undermines any serious improvement of U.S. cyber defenses. Furthermore, they point out that Chinese and Russian cyber defenses have become stronger in recent years due to their governments’ oversight and regulations of their national Internet Service Providers (ISPs). The Obama Administration’s efforts to formulate national cybersecurity strategy have accelerated in the last two years but still fall short of some of Clarke and Knake’s recommendations.

The authors’ prescriptions for how to improve the security of the U.S. cyberspace against foreign cyber-attack may be the most valuable portion of the book. Even though neither of the prescriptions provides a “silver bullet” for significant improvement of national cybersecurity, the prescriptions are a welcome balance to the cyber-doomsday scenario that the authors provide throughout the book. At the least, their technical and political proposals may serve as a good starting point for debates regarding cyber war and cybersecurity.

First, Clarke and Knake propose a Defensive Triad strategy that would use federal regulation as a tool to create cybersecurity requirements, which would include a regulated backbone of the Internet (a computer network infrastructure) and secure power grid, and an overhaul of cyber defense itself. The authors’ ideas of how to deal with the policy problem of policing Internet traffic without giving the government the power to spy on citizens could be implemented in reality. They propose that monitoring should be out of the jurisdiction of the government, and recommend that the ISPs should place deep-packet inspection systems, a computer network filtering system that examines data before it passes into the network, to monitor the backbone. ISPs should also be required to inform customers when evidence arises that their computers have been part of a botnet, a collection of internet-connected computers whose security defenses have been breached by malware and control ceded to a malicious party. ISPs should also have the authority to deny access to customers who do not respond after being notified of their computer’s vulnerability. The authors present a convincing argument that ISPs should be required to do more to keep the cyber “ecosystem” clean, and that the government should remain sufficiently removed from the process to protect privacy and encourage competition. There may, however, be many ethical and legal issues that could arise from such an arrangement, and it is unclear how such a policy would work in practice.

The authors’ arguments about the necessity of securing the national power grid are compelling and less controversial. It is generally accepted that power grids could be vulnerable to cyber-attack – especially if the nation implements digitalization and creation of a smart grid (a class of technology used to modernize utility electricity delivery systems) – and that federal regulations might be necessary to secure the national power grid. Private energy companies are notoriously unconcerned about the security of their networks, unless the security of the networks seriously threatens service availability and convenience for their customers and diminishes the value of their product. The authors do not provide any proposal that tackles the relatively steep price of improved security, nor do they specify what level of security would be sufficient. The price-to-security ratio will be an inevitable point of contention during private sector/government negotiations of new security standards for the U.S. critical network. Finally, I agree that federal regulations should require the electric companies to create improved security measures that would deny unauthorized access in cyberspace.

Additionally, Clarke and Knake argue that there needs to be an improvement in the security of sites that hold classified information from the government and government contractors. Security breaches from the Pentagon, Department of Defense (DOD), Lockheed Martin, Booz Allen Hamilton, and other sites could prove costly in the time of cyber war. The authors propose that the government should invest in secure defense IT systems instead of relying on open systems based on Microsoft software. They do not mention, however, what the cost of these new IT systems would be and how much more security they would provide relative to Microsoft systems. Moreover, I am hesitant to agree with the authors that more secure network systems would by themselves be enough to effectively deter nations like China or Russia from attempting cyber-attacks against the U.S.

Above all, the authors’ idea of arms control in cyberspace is certainly intriguing. They explain that arms control in cyberspace cannot be fully implemented because its effectiveness cannot be truly verified and controlled. Instead, the authors present an interesting point regarding attribution. They argue that since attribution is nearly always uncertain, the President should create a doctrine of cyber equivalency, in which cyber-attacks would be judged by their effects, not by their means. While this doctrine would not mitigate the attribution problem, it would implore all nations to have national cyberspace accountability and foster an obligation to assist in efforts to stop suspected cyber-attacks, which would make every nation responsible for preventing hostile actions originating from servers in their country. Unfortunately, Clarke and Knake are not clear about how a responsibility of each nation to police their cyberspace could or would be enforced. Moreover, this proposition would have very complex legal implications that the authors fail to address. For example, would the U.S. have a responsibility to shut down websites of political dissidents that China or Russia consider objectionable?

Cyberspace is both a virtual and physical domain, with no clear boundaries. There is no international law or doctrine governing the global cyberspace. While there are laws and doctrines that govern the land, sea, and air, it is questionable whether traditional rules of engagement could be effectively used in cyberspace. The Obama Administration’s National Cybersecurity Strategy provides general guidelines for DoD to engage in cyberspace. The essentials of current discussion on rules of engagement in cyberspace are being echoed in the book. In one of the chapters, the authors provide an example of a U.S. war-game exercise in which China would not be deterred by the U.S. to project its power in the South China Sea. This interesting hypothetical scenario emphasizes the importance of cyber defensive and offensive capabilities, and the relative asymmetry of cyber warfare. The authors conclude that the U.S. should not opt for attacking first in the event of cyber war, even if their offensive capabilities are superior to their defensive capabilities. America’s poor cyber defenses are exactly why the U.S. should not engage in a cyber war. Since there has never been a real life instance of cyber war, these calculations remain only theoretical. For example, it is unrealistic to assume that a capable adversary would refrain from attacking weakly defended U.S. targets in cyberspace merely because the U.S. did not attack first. Cyber-deterrence does not work in the way nuclear deterrence does, due to the difficulty of accurate attribution of an attack’s source. Again, there needs to be a doctrine that establishes red lines for when and how the U.S. would respond to a cyber-attack with offensive power – either cyber or kinetic.

Conclusion

Despite the shortcomings discussed here, Cyber War touches on an interesting and important topic that deserves to be included in any discussion about national security. Even if not all the threats discussed in the book are feasible, Clarke and Knake underscore a key point: that some of the U.S. critical infrastructure lacks proper security against cyber-attack, and the government, private companies, and other stakeholders should show initiative in efforts to improve it. The authors undoubtedly have unique insight into the level of government involvement in cyber-defense preparedness for cyber-attack. They are right about certain vulnerabilities of America’s critical infrastructure and about the improving capabilities of certain nations, such as Russia, China, and North Korea, to launch successful cyber-attacks against the U.S. and other nations, but they frequently overstate the danger of ‘cyber Pearl Harbor.’ Yes, the development of sophisticated cyber-weapons such as Stuxnet and Flame raises concerns about the potential destructive capabilities of cyber weapons, if they were used against the United States. But so far, there has been no precedent for a truly destructive cyber-attack of Pearl Harbor proportions. It is important to remember that Stuxnet was designed to target specific networks or SCADA systems and avoid collateral damage. This, of course, does not mean that a concerted attack of Stuxnet-like cyber weapons could not be employed in the future, but this type of attack would require a clear commitment of a cyber-capable state actor to engage in war.

Finally, I argue that nation states may not engage in cyber war just because they have the capability to do so. There are many reasons why cyber-capable nations might not want to engage in cyber war. Cyber war is an uncharted territory with many unknown variables. A nation that is willing to engage in cyber war needs more than just the capability to launch a successful cyber-attack; it would also need a comprehensive national strategy which considers cyber war as an appropriate and viable option for advancement of national interests. Countries may, for example, use cyber-attack capabilities as part of a specific military operation advancing broader national strategy. For example, nations may use cyber weapons if they decide to engage in conventional armed conflict or covert operations, or to deter other states from launching kinetic military actions against them. Therefore, Clarke and Knake are correct in asserting that the U.S. is vulnerable to cyber-attacks and that there is a vital need for national discussion concerning the security of the nation’s strategic networks. While it has become clear that the United States needs to improve its cyber defenses and overhaul its national security strategy for engagement in cyberspace, it is not certain that even these necessary efforts will effectively diminish the danger of being drawn into cyber war in the future.

David Vanca is an M.A. candidate in Georgetown University’s Security Studies Program. His interests include international security, international politics, and trans-state actors in world politics.

 
