The militarization of cyberspace has been under way for more than a decade, but only in the last few years have the telltale signs appeared suggesting that the United States is erecting a new digital wing of its permanent national-security state. Three years ago, for example, came the birth of the 24th Air Force, at Lackland Air Force Base, Texas, and Robins Air Force Base, Georgia. The 24th claims to be “the newest numbered air force,” as well as “the first-ever unit designated for the sole purpose of cyberspace operations.” According to its fact sheet,
Over 5,400 men and women conduct or support 24-hour operations … including 3,339 military, 2,975 civilian, and 1,364 contractor personnel.
There is less public information about the work of these seven thousand digital warriors than about the supposedly top secret, yet hiding-in-plain-sight, lethal drone program, about which my colleague Amy Davidson recently wrote, in response to a revelatory Times story about President Obama’s personal engagement with “kill lists” of terrorist suspects.
And yet armed drones and cyber war are of a piece. They have evolved opaquely from syntheses of new technologies and military imaginations. The laws governing them are secret, as are the mechanisms of Presidential decision-making and field command.
Last week, the Times shed more light, by publishing an excerpt of David Sanger’s new book, “Confront and Conceal,” which describes a joint American-Israeli offensive cyber-attack operation in 2010 against Iran’s nuclear industry. The existence of the weapon used against Iran—a piece of malware called Stuxnet—was previously known, and there was rough knowledge of the authorship. Sanger, though, describes both—and President Obama’s hands-on role—more fully than any previous account. The attack was designed to disable Iranian centrifuges that enrich uranium. (The enriched uranium could ultimately be used to make nuclear bombs.) Cyber Command and the 24th Air Force presumably played at least a supporting role, along with the National Security Agency, although it remains unclear exactly who did what in the operation, which may be continuing.
The operation’s code name—“Olympic Games”—suggests some of the complacency and self-satisfaction among the President’s advisers. The malware was built, for example, to convince the Iranians that the sabotage of their centrifuges was a result of their own incompetence. “The intent was that the failures should make them feel they were stupid, which is what happened,” one participant boasted.
“Olympic Games” seems to be, so far as is known, the first formal offensive act of pure cyber sabotage by the United States against another country, if you do not count electronic penetrations that have preceded conventional military attacks, such as that of Iraq’s military computers before the invasion of 2003. The N.S.A. routinely penetrates foreign computer systems to collect intelligence, as do the intelligence agencies of China, Russia, and other countries. Generally, however, these operations have involved passive information collection, not sabotage. More provocatively, a cyber spy may leave behind a dormant piece of malware, to signal a warning to the targeted country or institution, or to create offensive options in the future.
The legal justifications for the covert attack on Iran’s nuclear centrifuges remains secret, but it is easy to imagine how both Presidents Bush and Obama approved the operation—it was probably sold as novel, exciting, non-lethal, covert, and effective in ways that nothing else could be. It might delay Iran’s nuclear-weapons capability by a significant number of months, to give diplomacy and sanctions more time. (Stuxnet may have achieved this goal.)
These attractions apparently were great enough to overcome the obvious downsides: “Olympic Games” will invite imitation and retaliation in kind, and it has established new and disturbing norms for state aggression on the Internet and in its side-channels. American and Israeli official action now stands available as a justification for others.
In national security as in much else, what goes around often comes around. Presidents Clinton and Bush reportedly both declined to use cyber attacks to manipulate data and drain bank accounts whose balances supported Al Qaeda and Saddam Hussein. Their reasoning was that the American economy depends to a great degree on the integrity of the international banking system; cyber sabotage would invite other states to try similar attacks; and the protective defenses of America’s own banks were weak.
The problem with “Olympic Games” is that all of these risks and vulnerabilities are still present for the United States—only here the field is nuclear and electric infrastructure.
In June, 1999, the failure of computer control systems caused a gasoline pipeline rupture in Bellingham, in Washington State; the leaking gasoline ignited into a fireball, killing three people. Why the computer control systems failed remains something of a mystery, but cyber-war specialists have cited the incident as an example of what an intruder into American industrial infrastructure might attempt.
Iran is one of two-dozen-plus countries believed to possess an explicit cyber-warfare capability, akin to America’s Cyber Command. Russia is highly effective; China is active and capable. Specialists do not rate the United States as especially dominant on offense, but the country looks strikingly weak on defense.
“Because of its greater dependence on cyber-controlled systems and its inability thus far to create national cyber defenses, the United States is currently far more vulnerable to cyber war than Russia or China,” write Richard A. Clarke and Robert K. Knake in their book, “Cyber War: The Next Threat to National Security and What to Do About It.”
America is also more at risk to attack than North Korea or Iran because those countries are, relatively speaking, off the grid. Clarke, who presciently warned about Al Qaeda while in the Clinton and Bush White Houses, therefore counsels caution about provocative offensive attacks and much greater concentration on improving American defenses.
Clarke and Sanger both compare the chaotic, poorly considered state of cyber warfare today to the wild early days of nuclear arms, when the U.S. made backpack-sized portable nuclear bombs and artillery shells and spread them out all over Western Europe, daring the Soviet Union to invade. The comparison is imperfect—but some of the differences between now and then are cause for even greater worry.
To this day, nuclear weaponry has proved to be so complicated and expensive that only states have been able to manufacture and manage bombs. In cyberspace, criminal organizations, activists such as Anonymous and other private groups, as well as the odd lone hacker, have already displayed disruptive power. Terrorist groups are surely not far behind.
The United States thought it would monopolize nuclear weaponry for a lot longer than it did; the Soviets tested their first atomic bomb just four years after Nagasaki. It already seems evident that in the future, both lethal drone technology and the ability to conduct cyber attacks will be very broadly distributed—not just among governments, but among individuals, corporations, and terrorists.
Nick Paumgarten recently wrote about the spread of drone technology, and how local law enforcement might deploy a drone for, say, a dispute about missing cattle. Some of my technology-minded colleagues at the New America Foundation recently built a small drone with a cell-phone-enabled camera in it; they buzz it around our office, peeking at people. They do not regard this as a noteworthy technical feat. When will the first private murder by a drone equipped with a swivelling automatic rifle be committed in the United States?
In the field of cyber sabotage, the barriers to entry are even lower, given the amount of mischief, phishing, theft, and vandalism that already takes place daily online.
Common sense argues for caution, especially by the President of the United States. It also argues for strong defenses, and the pursuit of global laws and norms to contain the military use of these technologies before they cause chaos and destruction.
During the nineteen-fifties, a shocking number of American generals believed that a nuclear war could be won. “Olympic Games” suggests a comparably self-aggrandizing strain among our new class of digital fighters. Here the comparison to the early nuclear era does seem apt. As a citizen, will it once again seem tempting to buy land, guns, gold, and bottled water?