Jared Cohen - The New Digital Age

Sure enough, it was revealed in June 2012 that not one but two governments were behind the deployment of the Stuxnet worm. Unnamed Obama administration officials confirmed to the New York Times journalist David E. Sanger that Stuxnet was a joint U.S. and Israeli project designed to stall and disrupt the suspected Iranian nuclear-weapons program. 5Initially green-lit under President George W. Bush, the initiative, code-named Olympic Games, was carried into the next administration and in fact accelerated by President Obama, who personally authorized successive deployments of this cyber weapon. After building the malware and testing it on functioning replicas of the Natanz plant built in the United States—and discovering that it could, in fact, cause the centrifuges to break apart—the U.S. government approved the worm for deployment. The significance of this step was not lost on American officials. 6As Michael V. Hayden, the former CIA director, told Sanger, “Previous cyberattacks had effects limited to other computers. This is the first attack of a major nature in which a cyberattack was used to effect physical destruction. Somebody crossed the Rubicon.”

When the Flame virus was discovered two years later, initial reports from security experts suggested that it was unconnected to Stuxnet; it was much larger, used a different programming language and operated differently, focusing on covert data-gathering instead of targeting centrifuges. It was also older—analysts found that Flame had been in existence for at least four years by the time they discovered it, which means it predated the Stuxnet worm. And Sanger reported that American officials denied that Flame was part of the Olympic Games project. Yet less than a month after the public revelations about these cyber weapons, security experts at Kaspersky Lab, a large Russian computer-security company with international credibility, concluded that the two teams that developed Stuxnet and Flame did, at an early stage, collaborate. They identified a particular module, known as Resource 207, in an early version of the Stuxnet worm that clearly shares code with Flame. “It looks like the Flame platform was a kick-starter of sorts to get the Stuxnet project going,” a senior Kaspersky researcher explained. “The operations went separate ways, maybe because Stuxnet code was mature enough to be deployed in the wild. Now we are 100 percent sure that the Stuxnet and Flame groups worked together.”

Though Stuxnet, Flame and other cyber weapons linked to the United States and Israel are the most advanced known examples of state-led cyber attacks, other methods of cyber warfare have already been used by governments around the world. These attacks needn’t be limited to highly consequential geopolitical issues; they can be deployed to harass a disliked fellow state with equal panache. Following a diplomatic fight in 2007 over the Estonian government’s decision to remove a Russian World War II memorial in its capital, Tallinn, a mass of prominent Estonian websites, including those of banks, newspapers and government institutions, were abruptly struck down by a distributed denial of service (DDoS) attack. Estonia is often called the most wired country on Earth, because almost every daily function of the state (and nearly all of its citizens) employs online services, including e-government, e-voting, e-banking and m-parking, which allows drivers to pay for their parking with a mobile device. Yet the country that gave the world Skype suddenly found itself paralyzed due to the efforts of a group of hackers. The systems came back online, and the Estonians immediately suspected their neighbor Russia—the Estonian foreign minister, Urmas Paet, accused the Kremlin directly—but proving culpability was not possible. NATO and European Commission experts were unable to find evidence of official Russian government involvement. (The Russians, for their part, denied the charges.)

Some questions that arise—Was it an act of cyber warfare? Would it be if the Kremlin hadn’t ordered it, but gave its blessing to the hackers who executed it?—remain unanswered. In the absence of attribution, victims of cyber attacks are left with little to go on, and perpetrators can remain safe from prosecution even if suspicion is heightened. (One year after the Estonian attacks, websites for the Georgian military and government were brought down by DDoS attacks, while the country was in a dispute with, you guessed it, Russia. The following year, Russian hackers targeted the Internet providers in Kyrgyzstan, shutting down 80 percent of the country’s bandwidth for days. Some believe the attacks were intended to curb the Kyrgyz opposition party, which has a relatively large Internet presence, while others contend that the impetus was a failed investment deal, in which Russia had tried to get Kyrgyzstan to shut down the U.S. military base it hosted.)

Then there is the example of Chinese cyber attacks on Google and other American companies over the past few years. Digital corporate espionage is a rowdy subcategory of cyber warfare, a relatively new phenomenon that in the future will have a severe impact on relations between states as well as national economies. Google finds its systems under attack from unknown digital assailants frequently, which is why it spends so much time and energy building the most secure network and protections possible for Google users. In late 2009, Google detected unusual traffic within its network and began to monitor the activity. (As in most cyber attacks, it was more valuable to our cyber-security experts to temporarily leave the compromised channels open so that we could watch them, rather than shut them down immediately.) What was discovered was a highly sophisticated industrial attack on Google’s intellectual property coming from China.

Over the course of Google’s investigation, it gathered sufficient evidence to know that the Chinese government or its agents were behind the attack. Beyond the technical clues, part of the attacks involved attempts to access and monitor the Gmail accounts of Chinese human-rights activists, as well as the accounts of advocates of human rights in China based in the United States and Europe. (These attacks were largely unsuccessful.) In the end, this attack—which targeted not only Google but dozens of other publicly listed companies—was among the driving factors in Google’s decision to alter its business position in China, resulting in the shutdown of its Google China operations, the end of self-censorship of Chinese Internet content, and the redirection of all incoming searches to Google in Hong Kong.

Today, only a small number of states have the capacity to launch large-scale cyber attacks—the lack of fast networks and technical talent holds others back—but in the future there will be dozens more participating, either offensively or defensively. Many people believe that a new arms race has already begun, with the United States, China, Russia, Israel and Iran, among others, investing heavily in stockpiling technological capabilities and maintaining a competitive edge. In 2009, around the same time that the Pentagon gave the directive to establish United States Cyber Command (USCYBERCOM), then secretary of defense Robert Gates declared cyberspace to be the “fifth domain” of military operations, alongside land, sea, air and space. Perhaps in the future the military might create the equivalent of the Army’s Delta Force for cyberspace, or we could see the establishment of a department of cyber war with a new cabinet secretary. If this sounds far-fetched, think back to the creation of the Department of Homeland Security as a response to 9/11. All it takes is one big national episode to spur tremendous action and resource allocation on the part of the government. Remember, it was the United Kingdom’s experience with Irish terrorism that led to the establishment of closed-circuit television (CCTV) cameras in every corner of London, a move that was welcomed by much of the populace. Of course, some raised concerns about their every move on the streets being filmed and stored, but in moments of national emergency, the hawks always prevail over the doves. Postcrisis security measures are extremely expensive, with states having to act quickly and go the extra mile to assuage the concerns of their population. Some cyber-security experts peg the cost of the new “cyber-industrial complex” somewhere between $80 billion and $150 billion annually.