The de­struc­tive threat of cy­ber­war­fare

Cecil Whig - - OPINION - Ge­orge Will

— There is a con­sen­sus that ag­gres­sion by one na­tion against an­other is a se­ri­ous mat­ter, but there is no com­pa­ra­ble con­sen­sus about what con­sti­tutes ag­gres­sion. Wag­ing ag­gres­sive war was one charge against Nazi lead­ers at the 1946 Nurem­berg war crimes tri­als, but 70 years later it is un­clear that ag­gres­sion, prop­erly un­der­stood, must in­volve war, as com­monly un­der­stood. Or that war, in to­day’s con­text of novel de­struc­tive ca­pa­bil­i­ties, must in­volve “the use of armed force,” which the Rome Statute of the In­ter­na­tional Crim­i­nal Court says is con­sti­tu­tive of an “act of ag­gres­sion.”

Cy­ber­skills can serve es-

WASH­ING­TON

pi­o­nage — the sur­rep­ti­tious ac­qui­si­tion of in­for­ma­tion — which is older than na­tions and not an act of war. Rel­a­tively el­e­men­tary cy­ber­at­tacks against an en­emy’s com­mand-and-con­trol ca­pa­bil­i­ties dur­ing war was a facet of U.S. ef­forts in Op­er­a­tion Desert Storm in 1991, in the Balkans in 1999 and against in­sur­gents — hack­ing their emails — dur­ing the “surge” in Iraq. In 2007, Is­rael’s cy­ber­war­fare unit dis­rupted Syr­ian radar as Is­raeli jets de­stroyed an un­fin­ished nu­clear re­ac­tor in Syria. But how should we cat­e­go­rize cy­ber­skills em­ployed not to ac­quire in­for­ma­tion, and not to sup­ple­ment mil­i­tary force, but to dam­age an­other na­tion’s phys­i­cal in­fras­truc­ture?

In World War II, the United States and its al­lies sent fleets of bombers over Ger­many to de­stroy im­por­tant el­e­ments of its phys­i­cal in­fras­truc­ture — steel mills, ball bear­ing plants, etc. Bombers were, how­ever, un­nec­es­sary when the United States and Is­rael wanted to de­stroy some cen­trifuges cru­cial to Iran’s nu­clear weapons pro­gram. They used the Stuxnet com­puter “worm” to ac­cel­er­ate or slow pro­cesses at Iran’s Natanz ura­nium-en­rich­ment fa­cil­ity, dam­ag­ing or even frag­ment­ing cen­trifuges nec­es­sary for pro­duc­ing weapons-grade ma­te­rial. Ac­cord­ing to Slate mag­a­zine colum­nist Fred Ka­plan, by early 2010, ap­prox­i­mately 2,000 of 8,700 “were dam­aged be­yond re­pair,” and even af­ter the Ira­ni­ans later learned what was hap­pen­ing, an­other 1,000 of the then­re­main­ing 5,000 “were taken out of com­mis­sion.”

For fas­ci­nat­ing de­tails on the episodes men­tioned above, and to un­der­stand how deeply we have drifted into legally and po­lit­i­cally un­charted wa­ters, read Ka­plan’s new book, “Dark Ter­ri­tory: The Se­cret His­tory of Cy­ber War.” Three of its lessons are that cy­ber­war re­sem­bles war, much of it is very se­cret and every­thing es­sen­tial to the func­tion­ing of mod­ern so­ci­ety is vul­ner­a­ble.

The things con­trolled by or through com­put­ers in­clude not just mil­i­tary as­sets (com­mand-and-con­trol sys­tems, the guid­ance mech­a­nisms of smart mu­ni­tions, etc.) but also hos­pi­tals, elec­tric power grids, wa­ter works, the valves of dams and the fi­nan­cial trans­ac­tions of banks. And, Ka­plan notes, un­like nu­clear weapons or the bal­lis­tic mis­siles to de­liver them, cy­ber­weapons do not re­quire large-scale in­dus­trial projects or con­cen­tra­tions of sci­en­tists with scarce skills. All that is needed to par­a­lyze a com­plex so­ci­ety and panic its pop­u­la­tion is “a room­ful of com­put­ers and a small corps of peo­ple trained to use them.”

Clearly the United States needs a cy­berde­ter­rent ca­pac­ity — the abil­ity to do unto ad­ver­saries any­thing they might try to do unto us. One prob­lem, how­ever, is that it can be dif­fi­cult to prove the source of a cy­ber­at­tack, such as that which Vladimir Putin did not ac­knowl­edge launch­ing, but al­most cer­tainly did launch, in 2007 to pun­ish Es­to­nia for an­noy­ing Rus­sia.

To ap­pre­ci­ate how com­puter key­strokes can do dam­age com­pa­ra­ble to a sus­tained air cam­paign us­ing high ex­plo­sives, con­sider what hap­pened in 1995 in the pri­vate sec­tor. Bar­ings, founded in 1762, was Bri­tain’s old­est mer­chant bank, hav­ing weath­ered the Napoleonic wars and two world wars, and its clients in­cluded Queen El­iz­a­beth. One of its young traders, Nick Lee­son, in the bank’s Sin­ga­pore of­fice, was so skill­ful at nav­i­gat­ing the de­riv­a­tives mar­kets that at one point he pro­duced 10 per­cent of the bank’s prof­its. In­ad­e­quately su­per­vised, he cre­ated a se­cret Bar­ings ac- count from which he made risky bets, in­clud­ing a huge one on Ja­pan’s stock mar­ket ris­ing. He did not, how­ever, an­tic­i­pate the Kobe earth­quake. Ja­pan’s stock mar­ket plunged, caus­ing enor­mous losses in Lee­son’s ac­count that Bar­ings could not cover. The bank quickly col­lapsed and was bought by a Dutch com­pany for one Bri­tish pound.

If one rogue trader’s recklessness, mo­ti­vated by mere avarice, can qui­etly and quickly annihilate a ven­er­a­ble in­sti­tu­tion, imag­ine what havoc can be wrought by bat­tal­ions of mil­i­ta­rized cy­ber­war­riors im­pla­ca­bly im­ple­ment­ing a na­tion’s de­struc­tive agenda. It is long past time for ur­gent pub­lic dis­cus­sion of the many new mean­ings that can be given to Shake­speare’s “Cry ‘Havoc!’ and let slip the dogs of war.”

Ge­orge Will is a syn­di­cated colum­nist. Con­tact him at georgewill@wash­post.com.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.