Jared Cohen - The New Digital Age

Declaring virtual statehood would become an act of treason, not just in restive regions but almost everywhere. It’s simply too risky an avenue to leave open. The concept of virtual institutions alone could breathe new life into secessionist groups that have tried and failed to produce concrete outcomes through violent means, like the Basque separatists in Spain, the Abkhaz nationalists in Georgia or the Moro Islamic Liberation Front in the Philippines. One failed or unsuitable effort could also break the experiment altogether. If, for example, the lingering supporters of the Texas secession movement rallied together to launch a virtual Republic of Texas, and they were met with derision, the concept of virtual statehood might be sullied for some time. How successful these virtual statehood claims would be (what would constitute success, in the end?) remains to be seen, but the fact that this will be feasible says something significant about the diffusion of state power in the digital age.

Digital Provocation and

Cyber War

No discussion on the future of connected states would be complete without a look at the worst things they’ll do to each other: namely, launch cyber wars. Cyber warfare is not a new concept, nor are its parameters well established. Computer security experts continue to debate how great the threat is, what it looks like and what actually constitutes an act of cyber war. For our purposes, we’ll use the definition of cyber warfare offered by the former U.S. counterterrorism chief Richard Clarke: actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption. 4

Cyber attacks—including digital espionage, sabotage, infiltration and other mischief—are, as we established earlier, very difficult to trace and have the potential to inflict serious damage. Both terrorist groups and states will make use of cyber-war tactics, though governments will focus more on information-gathering than outright destruction. For states, cyber war will primarily meet intelligence objectives, even if the methods employed are similar to those used by independent actors looking to cause trouble. Stealing trade secrets, accessing classified information, infiltrating government systems, disseminating misinformation—all traditional activities of intelligence agencies—will make up the bulk of cyber attacks between states in the future. Others fundamentally disagree with us on this point, predicting instead that states will seek to destroy their enemies by heavy-handed methods like cutting off power grids remotely or crashing stock markets. In October 2012, the U.S. secretary of defense, Leon Panetta, warned, “An aggressor nation … could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains, or even more dangerous, derail passenger trains loaded with chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” We tend to take the optimist’s perspective (at least when it comes to states) and say that such escalations, while possible, are highly unlikely, if only because the government that first starts this trend would itself become a target as well as set a precedent that even the most erratic regimes would be cautious to approach.

It’s fair to say that we’re already living in an age of state-led cyber war, even if most of us aren’t aware of it. Right now, the government of a foreign country could be hacking into your government’s databases, crashing its servers or monitoring its conversations. To outside observers, our current stage of cyber war might seem benign (indeed, some might contend that it’s not really “war” anyway, as per the classical Clausewitzian framework of “war as a continuation of policy by other means”). Government-backed engineers might be trying to infiltrate or shut down the information systems of companies and institutions in other countries, but no one is getting killed or wounded. We’ve seen so little spillage of these cyber wars into the physical world that for civilians, a cyber attack seems more an inconvenience than a threat, like an attack of the common cold.

But those who underestimate the threat of cyber war do so at their peril. While not all the hype surrounding cyber war is justified, the risks are real. Cyber attacks are occurring with greater frequency and more precision with each passing year. The increasing entwining of our lives with digital-information systems leaves us more vulnerable with each click. And as many more countries come online in the near future, those vulnerabilities will only expand and become more complicated.

A cyber attack might be the state’s perfect weapon: powerful, customizable and anonymous. Tactics like hacking, deploying computer worms or Trojan horses and other forms of virtual espionage present states with more reach and more cover than they would have with traditional weapons or intelligence operations. The evidence trails they leave are cold, providing perpetrators with effective camouflage and severely limiting the response capability of the victims. Even if an attack could be traced back to a particular region or town, identifying the responsible parties is nearly impossible. How can a country determine an appropriate response if it can’t prove culpability? According to Craig Mundie, Microsoft’s chief research and strategy officer and a leading thinker in Internet security, the lack of attribution—one of our familiar themes—makes this a war conducted in the dark, because “it’s just much harder to know who took the shot at you.” Mundie calls cyber-espionage tactics “weapons of mass disruption.” “Their proliferation will be much faster, making this a much stealthier kind of conflict than has classically been determined as warfare,” he said.

States will do things to each other online that would be too provocative to do off-line, allowing conflicts to play out in the virtual battleground while all else remains calm. The promise of near-airtight anonymity will make cyber attacks an attractive option for countries that don’t want to appear overtly aggressive but remain committed to undermining their enemies. Until the world’s technical experts get better at determining the origin of cyber attacks and the law is able to hold perpetrators to account, many more states will join in on the activities we see today. Blocks of states that are already gaining connectivity and technical capacity, in Latin America, Southeast Asia and the Middle East, will begin launching their own cyber attacks soon, if only to test the waters. Even those who lack indigenous technical skills (e.g., local engineers and hackers) will find ways to get the tools they need.

Let’s consider a few recent examples to better illustrate the universe of cyber warfare. Perhaps the most famous is the Stuxnet worm, which was discovered in 2010 and was considered the most sophisticated piece of malware ever revealed, until a virus known as Flame, discovered in 2012, claimed that title. Designed to affect a particular type of industrial control system that ran on the Windows operating system, Stuxnet was discovered to have infiltrated the monitoring systems of Iran’s Natanz nuclear-enrichment facility, causing the centrifuges to abruptly speed up or slow down to the point of self-destruction while simultaneously disabling the alarm systems. Because the Iranian systems were not linked to the Internet, the worm must have been uploaded directly, perhaps unwittingly introduced by a Natanz employee on a USB flash drive. The vulnerabilities in the Windows systems were subsequently patched up, but not after causing some damage to the Iranian nuclear effort, as the Iranian president, Mahmoud Ahmadinejad, admitted.

Initial efforts to locate the creators of the worm were inconclusive, though most believed that its target and level of sophistication pointed to a state-backed effort. Among other reasons, security analysts unpacking the worm (their efforts made possible because Stuxnet had escaped “into the wild”—that is, beyond the Natanz plant) noticed specific references to dates and biblical stories in the code that would be highly symbolic to Israelis. (Others argued that the indicators were far too obvious, and thus false flags.) The resources involved also suggested government production: Experts thought the worm was written by as many as thirty people over several months. And it used an unprecedented number of “zero-day” exploits, malicious computer attacks exposing vulnerabilities (security holes) in computer programs that were unknown to the program’s creator (in this case, the Windows operating system) before the day of the attack, thus leaving zero days to prepare for it. The discovery of one zero-day exploit is considered a rare event—and exploited information can be sold for hundreds of thousands of dollars on the black market—so security analysts were stunned to discover that an early variant of Stuxnet took advantage of five .