Did U.S. avoid cyberattack on Libya to avoid showing how unprepared it is for cyberwar?

White House, Pentagon debated cyberattacks on Libya, Pakistan, decides against both

Other than the picture showing what rebels swear is what's left of Muammar Qaddafi but looks more like an extra on Walking Dead, the real surprise about the war in Libya was about an attack that didn't happen.

Specifically, according to the New York Times, when Pentagon and White House talked in March about whether and how to give a little outside help to Libyan rebels, they talked about whether the first step should be a bombing campaign designed to take out Libya's anti-aircraft systems and leave control of the skies to the rebels.

Or, in keeping with the need to expose as little of the overstretched U.S. military as possible and avoid political problems at home by spending even more on wars that weren't paid for in the budget – one that the Obama administration would have started – if it would be better to give the mission to an elite group of chairborne warriors who could infiltrate the country's defense networks, hack them to the ground and get home in time for supper.

Launching a cyberattack against Libya would certainly play into the increasing emphasis the Pentagon has been putting on digital defenses and attack for the past couple of years (with little success so far, according to the GAO).

How do you say 'no' to hacking but 'yes' to bombs?

It would risk no American lives, make a point about the ability of Americans to conduct digital warfare in something other than a video game or from the wrong side of the law. And it might be effective.

Maybe not against the Libyans; some in the Pentagon worried there was not enough time to prepare a effective set of attacks.

It might have been effective against the Chinese, who allegedly continue to hack into secure U.S. networks almost at will, and against critics who complain that the Pentagon has few solid capabilities to show for the 20 years it has been responsible for the cybersecurity of the United States.

Ultimately the White House chose to send missiles and planes, rather than bits and bytes, because the risk was too great that the hack would create a precedent that would make large-scale cyberattacks against foreign nations more acceptable.

“We don’t want to be the ones who break the glass on this new kind of warfare,” said James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies to the Times.

Reuters reports today that the cyberwar debate did take place, but that it never reached the White House.

Whether the White House was ever involved, the issue came up among Pentagon planners, who made the same decision on Libya they later did when planning whether a narrowly focused attack on the network of Pakistani radar stations would be acceptable as a way to minimize the chance a phalanx of helicopters carrying Navy SEALS would be spotted on their way in-country for the raid in which they killed al Queda leader Osama Bin Laden.

That very prudent decision – made twice – shows appropriate caution about militarizing the Internet – though the old neighborhood is already so heavily web trackerized and hackerated that there is little privacy and no real security left on it.

It also ignores 10 years of almost constant attacks on U.S.-based government, military and corporate from groups of trained, formula-following, hackers working for the Chinese military, as McAfee described, without naming China, in a report code-naming five years worth of attacks on 14 countries as Operation Shady Rat.

Caution over starting cyberwar, amnesia about the one we're already in

Shady Rat, Night Dragon and other covert-sounding code words are just nicknames given to the daily routine of military hackers who routinely attack servers in foreign countries to help defend China against those it considers – dangerous thugs like the Dalai Lama and radical religious groups such as the Falun Gong, which, if not prevented by espionage and violence, would gather in public places to meditate and exercise slowly in large groups.

Secretary of State Hilary Clinton drew complaints from China after she said, in a speech about freedom on the Internet in Washington in January of 2010, that the United States was ready and able to defend its networks against all comers and carry the fight to the enemy where necessary.

She was wrong, of course.

The GAO report a couple of months ago showed pretty conclusively that the Pentagon has no large-scale or highly developed cyberwar capabilities or consistent strategy, let alone having units of experienced hackers already in the field, as the Chinese and Russians do.

U.S. offensive cyberwar capabilities are centered in the CIA and NSA, and are too focused and small in scale to meet the needs of a mass-market outfit like the Pentagon, which wouldn't hack into Sony to steal a few user names. It would hack into an entire country and take all the data (then probably print it out on paper, put it in boxes, take it out back by the Potomac and blow it up).

It's not like the U.S. military is incapable; the Israelis are reputed to have tested Stuxnet and possibly released it, but credit for building it generally is pointed back at the United States and one of the occasional pod of high-achieving covert digital spies or crackers who work in specialty units within the military or in joint operations with the CIA or NSA.

Stuxnet, if you can remember back to late 2010 when it was active and discovered to have attacked Iran's nuclear industrial complex, scared the crap out of everyone involved in digital warfare, not least because it was so targeted, so effective and (if it did come from the U.S. ) seemed as if it sprang fully formed from an otherwise low-key U.S. cyberwar force.

Cyberattacks aren't polite, but if you're dropping bombs anyway…

Deciding not to launch a network attack against a country that has been our enemy for 20 years just so as not to appear to be the first to do it seems like a flimsy excuse.

There are always covert parts of any big military operation; why wasn't the attack carried out secretly, if only to give the Pentagon's cyber-grunts some real-world practice?

It's not as if anyone would have minded that U.S. forces were trying to guess the passwords on a bunch of foreign servers. Anyone who would get angry about hacks against Libyan servers would probably be distracted by the bombs that were also being dropped on them.

The real reason for not including a cyber component to the Libyan attacks will probably come out 10 or 15 years after Obama leaves office – or maybe immediately after if there's a big scandal and a couple of staffers get good book deals.

I may be way off base because the Pentagon hasn't briefed me on its secret, highly sophisticated cyberware development projects lately. I'm willing to bet the main reason the White House said 'No' wasn't out of fear of setting a precedent.

It was out of concern that the Pentagon was willing to do the job, but wasn't ready to make a decent showing.

It would be a little embarrassing to have the world's most powerful military square it's shoulders, hitch up its belt, flex its mighty arms and fling a handful of wet noodles at the relatively primitive Libyan air-defense network.

An overt cyberattack – especially one that's particularly weak or ineffective – wouldn't give the Chinese the wrong idea about how eager we are to start a round global cyberwar.

A weak attack would give the Chinese exactly the right idea—that the U.S. military wasn't remotely prepared to fight a war in cyberspace, despite being able to blow anything, anywhere to rubble and keep the rubble bouncing for days.

China's not about to launch a military strike against the United States, just as the U.S. isn't thinking about real war with China.

Both are thinking about what the next stage of this little online contretemps is going to be, though. And our side, at least, doesn’t want to show just how bad the hand it's playing right now really is.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies