There could be a day when the United States decides to retaliate in cyberspace for a computer-based attack on its networks or infrastructure.
Normally, two nations at war would garner 24-hour news coverage, boldface headlines and Pentagon briefings. But this would be a conflict waged with “ones” and “zeros” across computer networks. The damage may be unseen, and even “fixed” within a few short hours. The public may not even realize that it’s occurring.
It’s fashionable to use the same lexicons and to make comparisons, but cyberwar is nothing like real “kinetic” war, said Martin C. Libicki, a researcher and author of a new Rand Corp. book, Cyberdeterrence and Cyberwar, which takes an in-depth look at what would have to occur for two state actors to engage in such a conflict.
“Cyberwar is not simply kinetic war in another dimension. It’s got a different set of rules, a different set of parameters, a different set of questions, a different set of answers,” he said at a Capitol Hill briefing Feb. 22.
That’s one reason why a cyberwar could play out unseen by most people. The shutting down of electrical grids would be noticed, but the manipulation of data on other systems may not immediately come to light. It took one full year for Iranian scientists to realize that the software had been compromised by the Stuxnet virus, Libicki noted.
There have only been four known acts of cyberwar, Libicki said: the denial-of-service attacks on Estonia in 2007 and on Georgia during its war with Russia in 2008, an Israeli attack on Syrian air defense radars in 2007, and the Stuxnet virus that was aimed at damaging Iranian centrifuges associated with Iran’s nuclear energy program.
Cyberattacks cannot be confused with cyberespionage, he noted. Nations do not go to war over spying, he said. The book examines large-scale, tit-for-tat cyber-assaults between two nations. It does not ponder the implications of an attack by terrorists because there are few opportunities for retaliation. If al-Qaida were to shut down a U.S. electrical grid, the United States could not respond in kind because the group has no infrastructure, he said.
Libicki also does not address tactical actions, or what he calls an “operational cyberwar” during a real-world conflict where an adversary may try to take down network-enabled systems to gain an advantage on the battlefield. “In the context of a physical war, that makes a certain amount of sense,” he said.
Attribution is one of the keys to retaliating against a cyberattack, he noted. It is also one of the hardest aspects. It is difficult to know who is attacking a network. Once the identity of the attackers is verified, and if they are indeed a nation-state, then the United States must decide if retaliation is necessary.
In the event of a cyberwar, there is unlikely to be long-term damage. An attack or counter-attack can only occur if there is a vulnerability in a computer system. Vulnerabilities can be patched up quickly, or traffic can be rerouted away from the system — in most cases within hours and days. In regular warfare, the ability to hit the same target several times, known as “serial reapplication,” is a part of warfare and can be a deterrent. But once a counter-attack occurs, it tips the adversary off and subsequent attacks may not be as effective, he said.
Battle damage assessment is hard to determine. The decision to launch a counter-attack may hinge on knowing how much harm to the opponent’s system could be inflicted. That is difficult to assess, he added.
“Are the effects obvious to the public?” is a question that needs to be asked. “If the effects are not obvious to the public, you don’t lose public face by not retaliating,” he said. However, the United States could launch a counter-attack in ways that are not obvious to the opponent’s public. There needs to be a message conveyed to the leadership “about the lack of wisdom in attacking the United States in cyberspace.”
Another reason why the public may not be informed of a cyberwar is the risk that a third party could insert itself into the conflict. If the United States and China were engaged in such a war, for example, a hacker — someone sitting on a couch in a basement somewhere — or a third nation interested in seeing a prolonged conflict, could surreptitiously launch computer assaults and escalate the war.
“An exchange of cyber-attacks between states may also excite the general interest of superpatriot hackers or those who like to dogpile — particularly if the victim of the attack or the victim of retaliation, or both, are unpopular in certain circles,” Libicki wrote in the book, which was commissioned by the Air Force. The two adversaries may blame each other for the attacks, and not be aware that they are being manipulated.
A cyberwar that flies under the radar of the general public is possible, but unlikely, simply because these incidents tend to bubble to the surface despite the best efforts of the government, he said.
“There is a tendency in some communities to believe that everything they do is covert, and no one is ever going to hear about it, and then mistakes get made,” he said.
Deterrence worked well in the nuclear age. The Soviet Union and the United States never engaged in a nuclear conflict. “The best defense is a good offense,” is one of the axioms U.S. leadership has said about thwarting a large-scale cyber-attack.
So how good is the United States? Its cyber-offense capabilities have been largely kept out of the public eye. Libicki didn’t want to reveal much in a nonclassified setting, saying only that, “We’re really good. ... In fact, I think we’re better than anybody else. We’re also very professional about this. The state of our tradecraft is very good.”
A cyberwar is not something that keeps Libicki up at night. Like nuclear war, it is a low-probability, high-consequence scenario. The number of potential adversaries that have the ability to carry out such an attack, as well as the desire to pull the trigger and risk the ire of the United States, is small, he noted.
“This is one of these cases where you have to look at defense and offense and somehow come up with a happy medium,” he said. Shoring up defenses in the nation’s electrical grids would be a good place to start, he noted. But to not have a good offense would result in “a hollow deterrence policy,” he noted.