Read the book Bitskrieg - John Arquilla - Page 10

1 “Cool War” Rising


The German philosopher of war, Carl von Clausewitz, described armed conflict as “a true chameleon” whose three base elements are “primordial violence . . . the play of chance,” and, ultimately, its “subordination as an instrument of policy.”1 He had no way of knowing, some two centuries ago, how prescient his notion of the chameleon-like character of warfare would prove to be in its Information-Age incarnation. Echoing Clausewitz, strategist Martin Libicki has described cyber conflict as a “mosaic of forms” ranging across the various modes of military operations, and having significant psychological, social, political, and economic aspects as well. As to Clausewitz’s element of primordial violence, Libicki has contended that cyberwarfare slips the bonds of traditional thinking about armed conflict. Of its many manifestations, he has argued, “None of this requires mass, just guile.”2 This poses very serious challenges to those who would defend against cyber attacks, given that the absence of any requirement for mass means that small nations, networks of hackers, even super-empowered smart individuals unmoored from any Clausewitzian notion of a guiding policy, can wage a variety of forms of warfare – operating from virtually anywhere, striking at virtually any targets.

Cyber attackers, whoever and wherever they are, can opt to disrupt the information systems upon which armed forces’ operations increasingly depend – on land, at sea, in the air, even in orbit – or take aim at the control systems that run power, water, and other infrastructures in countries around the world. This mode of attack can also foster crime, enabling the theft of valuable data – including cutting-edge intellectual property – from commercial enterprises, the locking-up of information systems whose restoration can then be held for ransom, or simply the exploitation or sale of stolen identities. The democratic discourse can easily be targeted as well, allowing a whole new incarnation of political warfare to emerge in place of classical propaganda – as demonstrated in the 2016 presidential election in the United States,3 but which can be employed to disrupt free societies anywhere in the world. And for those attackers of a more purely nihilistic bent, controlled or stolen identities can be conscripted into huge “zombie” armies deployed to mount distributed denial-of-service (DDoS) attacks aimed at overwhelming the basic ability to operate of the targeted systems – institutional, commercial, or individual. When billions of household appliances, smartphones, and embedded systems (including implanted locator chips in pets) that constitute the Internet of Things (IoT) are added as potential “recruits” for cyber attackers’ robot networks (“botnets”), the offensive potential of cyberwarfare seems close to limitless.

And all this takes, as Libicki has sagely observed, is guile. Thus, it seems that, aside from providing a strong affirmation of Clausewitz’s general point about conflict having chameleon-like properties, the many faces of cyberwar undermine his three base elements. There is no need to commit acts of overarching violence, or even for a connection to higher-level policy, when, for example, millions of “smart refrigerators,” designed to send their owners an email when they need milk, can be hacked, controlled, and ordered to overwhelm their targets with millions of emails. As to chance, the vast range of targets available to cyber attackers – who often remain hidden behind a veil of anonymity, a “virtual sanctuary” – suggests that luck plays a much smaller role. This undermining of Clausewitz’s base elements leads to a serious challenge to his firmly held belief that “defense is a stronger form of fighting than attack.”4 This was certainly the case in his time, when defense-in-depth defeated Napoleon in Russia, and later saw the Duke of Wellington’s “thin red line” decimate the Grande Armée at Waterloo. A century later, the costly failed offensives on the Western Front in World War I affirmed the wisdom of Clausewitz. And even the brief period of Blitzkrieg’s success in World War II gave way, from El Alamein to Stalingrad to the Battle of the Bulge, before stout defenses. But, two centuries since Clausewitz, the rise of cyberwar is now upending his unwavering belief in defense dominance. Instead, offense rules.

To date, the best-known manifestations of cyberwar have emerged in the personal and commercial realms. Hundreds of millions of people around the world have had their privacy compromised, either by direct hacks or by having their information stolen from insurance, financial, retail, social media, and government databases. With regard to ostensibly “secure” government databases, even these have proved porous. The most notorious incident was acknowledged by the US Office of Personnel Management in June 2015. Of this intrusion, in which hackers accessed sensitive personal information, the President of the American Federation of Government Employees, James Cox, asserted “all 2.1 million current federal employees and an additional 2 million federal retirees and former employees” were affected.5 (My own classified personnel file was among those hacked.) As the matter was investigated further, the estimated number of persons affected quintupled, to more than 20 million, according to Congressional testimony of the then-Director of the Federal Bureau of Investigation, James Comey, given just a month later.6 But even this staggering breach paled in comparison with the revelation in May 2019 that nearly 900 million sensitive financial records had been hacked from the database of the First American Title Company.7

As to the theft of intellectual property and other types of exploitative or disruptive cyber attacks aimed at commercial enterprises, these cause more than 1 trillion dollars ($US) in damages each year. University research centers are also targeted as, according to one tactful report, they “haven’t historically been as attentive to security as they should be.”8 While the ransoming of locked-up information currently accounts for less than 1% of annual losses, this mode of attack is growing at a steep rate.9 Often, such theft and extortion aim at serving causes beyond just enrichment of the malefactors. In the case of North Korea’s cyber crimes, the United Nations has reported that the roughly $2 billion gained as of mid-2019, by attacks on banks and crypto-currency (e.g., Bitcoin, Ethereum, Ripple) exchanges, has been used to support its nuclear weapons program.10 This illicit form of fundraising lies somewhere between theft and statecraft. Call it “strategic crime.” Much as, in the sixteenth century, Queen Elizabeth I tacitly encouraged her piratical “sea dogs” to prey upon maritime commerce to help fill Britain’s coffers, strategic crime has long played a role in statecraft via this form of naval irregular warfare.11

Clearly, when it comes to the abovementioned modes of cyber attack, offense is currently quite dominant. And, as George Quester’s seminal study of stability and instability of the international system notes, when the apparent risks and costs of taking the offensive are low, conflicts of all sorts are more likely to proliferate.12 Individually, they may be small-scale, but their cumulative effects are large – and growing – in contrast to the more purely military realm, where the patterns of development and diffusion are less apparent. So much so that, to some analysts, the emergence of militarized cyberwar seems highly unlikely.13

Cyber attacks in armed conflicts have had a lower profile, but there are some troubling examples – most provided by Russia. In 2008, when Russian troops and Ossetian irregulars invaded Georgia, the defenders’ information systems and links to higher commands were compromised by cyber attacks on their communications. Panic-inducing mass messaging aimed at people’s phones and computers in areas where the Russians were advancing put large, disruptive refugee flows onto the roads, clogging them when Georgian military units were trying to move into blocking positions. All this helped Russia to win a lop-sided victory in five days.14

More recently, two other aspects of cyberwar have come to the fore in the conflict in Ukraine between government forces and separatists in Donetsk, with the latter supported not only by Russian irregulars – “little green men,” so named for the lack of identifying patches on their uniforms – but also by bits and bytes at the tactical and strategic levels. In the field, Ukrainian artillery units were for some time victimized by hacks into their soldiers’ cellphone apps that were being used to speed up the process of calling in supporting fire. Russian-friendly hackers helped to geo-locate artillery batteries by this means, and brought down counter-battery fire upon them. The result: diminution of Ukrainian artillery effectiveness, although the precise extent of losses incurred remains a matter of some debate.15

At a more strategic level, the Russo-Ukrainian conflict has also featured a number of troubling attacks. The first came on Ukraine’s electrical power grid infrastructure in December 2015, when 30 substations in the Ivano-Frankivsk oblast were shut down as hackers took over their highly automated supervisory control and data acquisition (SCADA) equipment. Nearly a quarter of a million Ukrainians were affected by this hack, which has been attributed to “Sandworm,” a Russian army cyber-warrior unit. These same hackers are believed to have masterminded the extensive cyber attacks on Ukrainian finance, government, and (once again) power companies in June 2017.

Ostensibly, this latter operation aimed at freezing data, whose unlocking was then held for ransom. But the attacks, which did some collateral damage in other countries, were more likely intended simply to impose costly disruptions – and perhaps to serve as launching pads for covert insertions of malicious software designed to act as virtual “sleeper cells,” waiting for their activation at some later date. Overall, the costs inflicted by these 2017 attacks exceeded $10 billion, according to the estimate of Tom Bossert, then a senior Trump Administration cybersecurity official.16 These uses of cyberwar as a means of “strategic attack” are highly concerning, especially the demonstration that SCADA systems – in wide and increasing use throughout the world – are vulnerable to being taken over.

Russian cyber operations in Georgia and Ukraine should be seen as among the first “capability tests” that have provided glimpses of what future cyberwars may look like. Just as the Spanish Civil War (1936–9) foreshadowed the kinds of actions – from tank maneuvers in the field to the aerial bombardment of cities – that were to characterize much of the fighting in World War II under the rubric of Blitzkrieg,17 so too have recent Russian uses of the various modes of cyberwar in Georgia and Ukraine provided a glimpse of the next “face of battle”: Bitskrieg.

And, just as fascist forces in Spain – including tens of thousands of German and Italian volunteers – demonstrated the synergy of armored and aerial operations brought into close coordination by radio, today Russian “volunteers” in Donetsk are proving that integrated cyber and physical operations have profound effects. Another goal of the Blitzkrieg doctrine as practiced by the Germans early in World War II was “to disrupt [the enemy’s] lines of communication.”18 The importance of gaining an information edge by disabling the opponent’s command systems was a central thesis of Heinz Guderian, a pioneer of Blitzkrieg. No surprise that he began his career as a signals officer, nor that he played a major role in the swift victory over France in 1940, which, as Karl-Heinz Frieser has observed, “caused outdated doctrines to collapse; the nature of war was revolutionized.”19 Bitskrieg, too, will likely one day cause the collapse of outdated doctrines.

Bitskrieg is also similar to its World War II-era predecessor in terms of its emphasis on, and capability for, waging political warfare. For another element of Blitzkrieg doctrine was the employment of propaganda and subversion to prepare for invasion by field forces. This practice, too, had origins in Spain’s Civil War, as fascist General Emilio Mola, whose troops were closing in on Madrid from four directions, said that his advance was aided by a covert, subversive “fifth column.”

The early German annexations of Austria and Czechoslovakia benefited tremendously from such fifth-columnist actions, as was also the case in the 1940 invasion of Norway – a daring operation whose success, in part, was due to the activities of Vidkun Quisling and other Nazi collaborators. Their effects were so substantial that, as William L. Shirer noted, the capital Oslo “fell to little more than a phantom German force dropped from the air at the local, undefended airport.” And at strategically important Narvik, the initial defending force “surrendered to the Germans without firing a shot.”20 An Anglo-French force landed at Narvik later – too late, despite much hard fighting, to overturn the final result of this campaign.

In our time, we have the example of a “virtual fifth column” employed to great effect by the Russians, disrupting the Ukrainian ability to resist aggression in, and annexation of, the Crimea. At the same time, a parallel fifth column was used to spread propaganda justifying this invasion to the wider world. This approach, which included a “people’s plebiscite” – a tactic employed by the Nazis – helped to ensure that the Russian take-over would be bloodless, allowed to consolidate with neither effective internal resistance by the Ukrainian government nor international military counter-intervention. In this instance, the Russian fait accompli froze the principal Western guarantors of Ukrainian territorial integrity – per the terms of the 1994 Budapest Memorandum on Security Assurances: Britain, the United States, and France – into almost complete inaction.

But cyber-based political warfare can do far more than just provide support for invasions; it can also be used, as the Russians have done, to foment unrest and chaos in the United States and other open societies that are inherently vulnerable to the dissemination of lies cloaked as truth. Yet political warfare is not only suited to undermining democracies; it can also attack authoritarian and totalitarian rulers. In the 1980s, for example, prior to when the Internet began its rapid growth, President Ronald Reagan pursued an information strategy via radio and direct-broadcast satellite that put pressure on the Soviet Union and its control of Eastern Europe. Indeed, the argument has been advanced that his initiative played a significant role in the peaceful end of the Cold War and dissolution of the Soviet Union.21 Today, cyberspace-based connectivity provides even greater opportunities for striking at dictators. Social media links billions of people, a significant slice of whom live under controlling regimes. Authoritarians are aware of this, and mount efforts to monitor – sometimes to close down – access to such media. They may succeed – for a while. But advancing technology continues a major trend toward broader, easier connectivity, making it ever harder to control access. If past is prologue, even the harshest control efforts will ultimately fail. During the Second World War, John Steinbeck’s The Moon is Down, a novel of resistance, made its way in bootleg translations to virtually every occupied country, inspiring opposition to Nazi rule.22 Information diffusion today is much easier; its effects are likely to be at least as powerful and widespread. Probably much more so, for the classic theme of active resistance resonates in and from the virtual realm in ways that mobilize “the real world” – evinced in recent decades by the “color revolutions” and the Arab Spring.

Back in World War II, physical resistance featured widely varied acts of sabotage against the Nazis’ transport, communications, and arms manufacturing infrastructures – despite often quite terrible reprisals being inflicted upon innocent civilians. Perhaps the most important of the sabotage campaigns was that mounted by Norwegian resistance fighters who prevented shipping of heavy-water supplies – essential to the Nazi nuclear program – from Norway to Germany. One of the key leaders of the Nazi effort to build an atomic bomb, the physicist Kurt Diebner, confirmed that “It was the elimination of German heavy-water production in Norway that was the main factor in our failure to achieve a self-sustaining atomic reactor before the war ended.”23 Inspiring messages, conjuring visions like the one crafted in Steinbeck’s The Moon Is Down, provided informational support that helped to catalyze and sustain such heroic acts of resistance. This was despite the strict controls the Nazis imposed on communications.

Today, it is very difficult to prevent information flows, in a sustained and leakproof way, from reaching mass publics. And the same technologies that allow for “information blockades” to be evaded offer up many opportunities for engaging in active resistance as well. Thus, sabotage using explosives – still quite an available option – can now be augmented by acts of virtual disruption in the form of what I call “cybotage.” Beyond the usual denial-of-service attacks, the worms, and varieties of malicious software designed to disrupt information flows and functions, or to corrupt databases, it is also increasingly possible to employ bits and bytes that cause physical damage to important equipment. The watershed example of this kind of cybotage was the Stuxnet worm that attacked the system running Iranian centrifuges, forcing them to spin themselves at such a high rate that it led to their self-destruction. As General Michael Hayden, the former head of the National Security Agency and the Central Intelligence Agency, put the matter, “Previous cyberattacks had effects limited to other computers . . . This is the first attack of a major nature in which a cyberattack was used to effect physical destruction.”24 In a way, the Stuxnet operation – widely assumed to have been conceived by the United States and Israel – was like the Norwegian commando attacks on German heavy-water facilities and supplies during World War II: both actions were aimed at slowing the progress of nascent nuclear programs.

Stuxnet destroyed those centrifuges in 2010 – though it was most likely implanted into the Iranian system years earlier, lying in wait, activated at a moment when it brought the blessing of time for negotiations in a burgeoning proliferation crisis. A preliminary arms control agreement was reached in 2013, and formalized as the “Joint Comprehensive Plan of Action” in 2015. It was adhered to until the United States withdrew from the agreement in 2018. The Iranians openly broke the terms of the agreement in 2019. But long before this break, in 2012, Tehran and/or Iranian-aligned hackers demonstrated a capacity for retaliatory cybotage, too. Shamoon, a virus that attacked the master boot records – key to mass storage and computer function – erased and irremediably overwrote key data on more than 30,000 PCs of the oil firm Saudi Aramco. A similar attack was launched soon after against the Qataris, further contributing to widespread concern about the vulnerability of a key aspect of the global oil industry to cybotage.25 Needless to say, the Iranians have denied any involvement in Shamoon – much as the United States and Israel have never acknowledged any role in Stuxnet. The covert and clandestine aspect of cyberwar relies on veils of anonymity and deniability, for real, “smoking gun” evidence of actual involvement or perpetration would likely lead to escalation – perhaps even to a shooting war.

As to Stuxnet itself, even though it was carefully inserted into an Iranian system and designed for a very specific target – the programmable logic controllers (PLCs) on particular Siemens equipment – its properties gave it a broader functionality across a range of SCADA systems. And when the worm leaked “into the wild,” perhaps spread by a technician who picked it up inadvertently (or not) on a flash drive, Stuxnet variants began to turn up. In 2011, Duqu emerged. Intended for intrusion and intelligence-gathering, it had Stuxnet-style attack properties as well. The following year, yet another variant debuted, Flame, which apparently attacked the Iranian oil industry. More recently, Triton appeared in 2017, and very quickly demonstrated a Stuxnet-like ability to disable safety systems, this time at a Saudi petrochemical plant. In the worst case, this attack could have caused an explosion leading to mass casualties and a major environmental hazard. Thankfully, it was detected before this happened; subsequent forensic investigation pointed to Triton having come from Russia. A wider search to detect this Stuxnet variant revealed that it is still spreading around the world.26 Other acts of cybotage using different malware have been alleged as well – as in Venezuelan government charges that the United States attacked its infrastructure as part of a “regime change” effort. While lacking credibility, such charges frame a growing fear of an emerging “cool war.”

What makes these exploits “cool”? There are two things, I believe. First, the actions taken must be clandestine (completely hidden), covert (if detected, deniable as to the real perpetrator), or at least able to be denied for a time and in a manner that forestalls retaliatory action. Second, cool war operations should be largely limited to disruption – even costly disruption – inflicting little, oftentimes no, destruction or loss of life. These two factors characterize actions taken in the fictional conflict Frederik Pohl depicted in his 1981 novel The Cool War. He was quite prescient, a decade before the Internet took off, including such actions by covert operators as causing stock market crashes and big drops in commodity values.27 Non-military forms of cyberwar considered thus far fit the category of “cool.” From strategic crime to spying, and on to cybotage, perpetrators are often able to protect their anonymity for long periods – some without ever being reliably identified or counterattacked. As Joseph Nye has observed, “retaliatory threats of punishment are less likely to be effective in cyberspace, where the identity of the attacker is uncertain; there are many unknown adversaries.”28 And the fact that, to be “cool,” attacks have to disrupt much but destroy little, means the likelihood of escalation to wider war is minimized. Even so, as Pohl foresaw in his novel, a lot of small-scale disruption can lead to a virtually unlivable world.
