John Wohlstetter in The Wall Street Journal defines cyberspace as the software that controls the operation of networks linking computers in the governmental and private sphere. This is incomplete, though. Cyberspace includes that, but it also includes the software running on individual computers, whether they are linked into a (the) network or are operating in isolation. Even those isolated computers, after all, are susceptible to cyber attacks, with many of them (unless they are physically disconnected from any network at all) susceptible to being hijacked into cyber attacks against other computers/networks through such means as social engineering, a process whereby hackers, or hostile governments, or terrorists, or… convince, usually through subterfuge, the human operator of those computers to load malware onto them.
Wohlstetter then identifies the People’s Republic of China’s “military’s massive continuing cyberspying” as an example of one type of cyber attacks that may be simple spying, or that may be preparation for further adventuring. People’s Liberation Army spies, he notes, have stolen “volumes of documentation on the ultra-advanced F-35 Lightning, the only fifth-generation fighter still being produced by the US,” and they’ve penetrated “every major national-security database that they can within the Pentagon and US defense companies.” But this could be just ordinary pre-battle preparation. Every general is going to investigate his enemy so as to understand as clearly as possible that enemy’s force disposition and the strengths and vulnerabilities of that enemy’s systems so as to efficiently neutralize those systems at the battle’s start.
To support these efforts, the PLA “Third Department” (among others),
which handles telecommunications, can call on 12 operation bureaus to carry out cyberattacks, and three research institutes for technical support with some 13,000 staff upon request.
The PRC isn’t alone in this sort of effort. Russia and Iran are two others who maintain major efforts in offensive cyberspace.
A necessary, but not sole, prelude to defending against a first strike is understanding the nature and depth of what’s happening in a particular incident. Siobhan Gorman and Siobhan Hughes address this in part, citing Army General Keith Alexander, Commander, US Cyber Command
When does a nuisance become a real problem and when are you prepared to step in for that? That’s the work that I think the administration is going through right now and highlighting that.
But this is the question concerning a physical problem, too—when does any incursion stop being an error, or stop being minor, and start being an act of war? And what do we do about it, and when? Do we simply defend against the incident? To we take offensive measures to encourage the attacker to not do that anymore, do we take more extensive measures to defeat outright the attacker and compel his acquiescence? When? In accordance with what criteria?
And that’s part of where a first strike starts to come into play. A cyber attack as a first strike in all likelihood won’t occur. A first strike, though, will include a decisive cyber attack. We’ve seen rehearsals of the cyber component:
- the “PLO virus,” a logic bomb designed to infect and destroy files on computers [a very early virus, its “rehearsal” aspect is in the lessons learned in managing and delivering such malware]
- 2010’s stuxnet, which damaged or destroyed hardware—high-speed centrifuges, in one case, by causing them to run too fast and burn themselves out
- 2012’s cyberassaults on the websites of many US banks
- 2012’s more destructive attack on a Saudi oil company that destroyed 30,000 computers
- the implantation of malware on computing equipment prior to sale and delivery to the target nation. For instance, I bought a laptop from an otherwise reputable major computer company; it was delivered to me directly from the factory in Shanghai—with a Trojan carefully installed.
Given the penetration of American systems by the Chinese, it’s not beyond the pale that either a) this kind of malware has infected the computing systems managing any target nation’s infrastructure—water, electricity, communications, et al.—and the target nation’s defense systems, including, but not necessarily limited to, sensor suites and communications, or b) this kind of malware is ready to be emplaced in the weeks prior to the intended first strike.
How would a first strike work, then? With the malware in place, sufficient of it could be triggered to shut down a nation’s electrical grid, its water handling and delivery systems, and its financial infrastructure. With responders deployed to deal with this—and so widely dispersed—communications then could be crippled, isolating those responders, and isolating that nation’s population from each other and from their government. Far fetched?
Russia tested a limited cyber attack against Estonia in 2007. Moreover, as Gorman and Hughes note the temptation offered by our own continued vulnerability:
US intelligence officials told a Senate hearing that the nation is vulnerable to cyberespionage, cybercrime, and outright destruction of computer networks, both from sophisticated, government-sponsored assault as well as criminal hacker groups and cyberterrorists.
“It’s hard to overemphasize its significance,” Director of National Intelligence James Clapper said, addressing members of the Senate Intelligence Committee. “These capabilities put all sectors of our country at risk—from government and private networks to critical infrastructures.”
Then, with cyber’s civil battlefield preparation in place and domestic upset rising, additional malware could be triggered to attack defense sensory and communications systems (among others), greatly disrupting, if not crippling them. This phase of the cyber preparation could functionally blind physical military units and cut off their communications with adjacent units and higher command echelons. In this environment, many of those units might not even know they’re next coming under physical attack until they start being destroyed.
This isn’t even a new strategy; it just uses modern facilities. Karl Marx and Friedrich Engels wrote about this a century and a half ago, as noted by Sigmund Neumann and Mark von Hagen in Makers of Modern Strategy:
They were fully aware that military campaigns could be lost before the first shot, that they would in fact be decided beforehand on the preliminary battlefronts of economic and psychological warfare…. To [Marx and Engels] war was fought with different means in different fields.
Modern economies expand the opportunities to be gained from a first strike. Most modern economies don’t have an industrial capacity. Modern industry either assembles components that have been manufactured in other countries or it consists of component manufacture which are then shipped to those assembling economies.
A Cyber first strike would be no worse than a Pearl Harbor? On the contrary, a properly executed first strike, as a classical combined arms assault that would include cyber warfare, could prevent us utterly from responding in any way at all, whether in cyberspace or in meat space. There may not be any opportunity to work our way through our response decision criteria.
In a modern war (now exacerbated by those modern national economies), there will be no time to recover, to build up our forces, to bring our industrial capacity to a wartime footing and production rate. We’ll fight this war with the army we have and with nothing at all, including replacement equipment and soldiers, else.
We could be left prostrate, begging for mercy. If we could get our radios and telephones to work well enough to beg.
None of this is to suggest that a first strike is imminent. But responding after the fact will be no response at all. If we’re not better prepared, though, after the fact is what will be left to us.
Update: Here’s a realtime example of a cyber attack rehearsal.
Computer networks at major South Korean banks and top TV broadcasters crashed simultaneously Wednesday, paralyzing bank machines across the country and prompting speculation of a cyberattack by North Korea.
Screens went blank at 2 p.m., the state-run Korea Information Security Agency said, and more than six hours later some systems were still down.