10 things you didn't know about cyberwarfare

By Carolyn Duffy Marsan, Network World

NEW YORK CITY -- Imagine a situation where a powerful country wants to annex its small neighbor, so it launches a week-long campaign of cyberattacks aimed at disrupting the financial, energy, telecom and media systems of its neighbor's biggest ally. A week later, the aggressor launches a full-scale cyberwar on its neighbor that includes air and naval defenses. With its ally's defenses weakened, the neighbor agrees to become a province of the aggressor in less than a week.

This scenario is not so far-fetched, according to several experts from the National Defense University who spoke at the Cyber Infrastructure Protection Conference held here last week.

The panel discussion on cyberwarfare is timely given the Obama administration's push to raise awareness and federal spending on cybersecurity initiatives. The president issued a cybersecurity plan earlier this month that includes naming a new high-level cybersecurity coordinator who reports to both the National Security Council and the National Economic Council.

President Obama has said it's clear that the cyberthreat is "one of the most serious economic and national security challenges we face as a nation. It's also clear that we're not as prepared as we should be, as a government, or as a country."  

Experts from the National Defense University, the premier academic institution providing professional education to U.S. military forces, say it is critical for the private sector to realize it will be a target of future cyberwarfare.

"Our adversaries are looking for our weaknesses," says Dan Kuehl, professor of information operations at the National Defense University. "We conduct military operations that are increasingly information dependent and becoming more so. We have a global society that is increasingly dependent on critical infrastructure, and those infrastructures are increasingly interconnected in a global economy."

Kuehl points out that it's inexpensive for terrorists or hacktivists to launch a cyberattack, but it's very expensive and difficult for a country such as the United States to defend its networks and systems against these threats.

"The weaker party may have a very important asymmetric advantage," Kuehl says. "And the first actor may have a very important advantage… Winning in the cyber realm may decide the course of the war."

One example of how weaker parties have an advantage in cyberwarfare is the recent terrorist attacks in Mumbai. Stuart Starr, distinguished research fellow at the National Defense University, said the attackers used Google Earth and GPS technology to locate themselves with respect to everybody else.

"They took advantage of hundreds of billions of dollars of investment by buying low-end equipment," Starr said. "These guys are getting a phenomenal benefit from taking advantage of commercial investments."

Based on the conventional wisdom of these military experts, here is a list of 10 things you probably didn't know about cyberwarfare:

1. You need to win the first battle.

In conventional warfare, the country that wins the first battle doesn't necessarily win the war. Think Pearl Harbor. But with cyberwarfare, you need to win the first battle because there may not be a second. The enemy may have so wiped out your critical infrastructure through coordinated cyberattacks that you can't mount an effective defense and are forced to surrender.

2. The first battle could be over in nanoseconds.

Unlike Pearl Harbor, cyberattacks are stealthy. The enemy has already penetrated your networks, attacked your systems and stolen or manipulated your data before you realize that anything is wrong. Once you discover the cyberattack, you have to figure out who did it and why. Today, this type of computer forensics can take days or weeks. By then, you may have lost the war.

3. Cyberwarfare may involve subtle, targeted attacks rather than brute force.

Most people equate cyberwarfare with the massive denial-of-service (DoS) attacks that Russian activists aimed at Estonia in 2007. But cyberwarfare doesn't need to be waged on such a large scale. Instead of taking out the entire electric grid, a hacker could take out a substation that supports a particular air defense system. Much as we have precision-guided missiles in conventional warfare, we may have precision-guided cyberattacks.

4. The enemy's goal may be to cause chaos rather than destruction.

We tend to think about an enemy blowing up buildings or transportation systems during war. But the political objective of cyberwarfare may be to generate chaos among citizens rather than to destroy infrastructure. For example, what if an enemy launched a cyberattack against a country's financial systems and it appeared that everyone's money was gone from their banks? That kind of attack wouldn't require bombing any bank buildings to create chaos.

5. Data manipulation -- rather than data theft or destruction -- is a serious threat.

During the Persian Gulf War, a group of Dutch hackers allegedly penetrated dozens of U.S. military computer systems and offered to provide their help to Saddam Hussein. When the breaches were discovered, the military had to stop some deployments and verify that the data in their databases were accurate and hadn't been manipulated by the hackers. This incident demonstrates how misinformation inside hacked computer systems could harm a country's ability to respond to a cyberattack.

6. Private networks will be targets.

Most of our country's critical infrastructure -- energy, transportation, telecommunications and financial -- is privately owned. The companies that operate these networks need to understand that they are certain to be targeted in cyberwarfare, and they need to spend money accordingly to secure their networks, systems and data. This is one reason military experts recommend that operators of critical infrastructure engage with government officials and set up procedures and protocols before they are attacked.

7. When private sector networks are hit, the Defense Department will assume control.

There's a misconception that the owners and operators of critical infrastructure are responsible for cybersecurity. That perspective won't hold up in the face of cyberwarfare, experts predict. Just as the military is responsible for securing the airspace and ground around an electricity plant, so it is going to assume responsibility for the cybersecurity of that plant if a cyberattack should occur, they warn.

8. Private networks might be used to launch a cyberattack.

If companies don't properly secure their networks, their systems may be taken over by a botnet and used in a cyberwarfare incident. For example, two-thirds of the computers used to launch DoS attacks against Estonia were inside the United States although they were controlled by Russian hacktivists, experts say. Typically, the machines used in a cyberattack are not owned by the attacker. Most companies don't realize they are vulnerable to having their network assets used for cyberwarfare.

9. Don't ignore the insider threat.

One of the biggest vulnerabilities in networks is from insiders with legitimate access to computers and data. The same threat exists in cyberwarfare. One way this threat might occur is for the enemy to kidnap a family member of a network operator and then force the network operator to install malware. That's one reason government agencies and private companies running critical infrastructure need adequate security controls over their employees.

10. Cyberwarfare is warfare.

Looking at cyberwarfare as separate from traditional warfare is a mistake; it has to be tied to physical warfare, experts say. For example, an enemy might blow up a building on the ground that disables a satellite, which in turn disables Internet access. In a cyberwar, network attacks will likely be combined with physical attacks. So protecting against cyberwarfare needs to be considered as part of a broader military strategy.
