The Changing Face of Cyber Conflict
Much of what the U.S. military is doing to prepare for conflict in cyberspace is misguided. We are, in effect, preparing to fight the last war against the last enemy. We conceive of the conflict as involving a contest between peer nation-states—the U.S. and China, for example. What we are systematically missing is something we can characterize as the democratization of conflict in cyberspace. We are seeing a sea-change in the capability of non-state actors, ad hoc groups and even individuals, allowing them to compete on an almost level playing field with nation-states, and to do significant damage to our national security interests. If we do not re-conceptualize how we think about cyber security, policy, and conflict, we are in danger of missing the boat.
Snowden, and after
Consider the following question: what or who has been the most significant cause of damage, through cyber means, to U.S. national security in recent years? By any absolute measure, the most likely answer is Edward Snowden, a single individual who, through his own activities, or perhaps with a small cadre of fellow travelers, caused immense damage to American national security interests. Think of what has happened since 2013 by virtue of Snowden's activities. We have suffered major diplomatic difficulties. There is a significant amount of anger at the United States among our allies and friends in Europe at what they perceive to be American spying against their own national security interests. They knew that we did it, but now that it is out in the open, they can no longer deny it, and they are annoyed.
Even worse, the disclosures have given China and Russia the opportunity to create a perception of false equivalence between the nature of what they are doing, which is widespread and rampant economic espionage, and what the United States has been engaged in, which by and large has been more traditional national security intelligence activity. Edward Snowden's actions have also disclosed intelligence sources and methods, to the detriment of the United States. As a result, we have already seen terrorist groups and other governments change their communication practices, so that we are no longer as readily able to intercept their communications and understand their plans. China, for example, was alerted to a particularly significant penetration of one of its networks as a result of the Snowden leaks, a penetration that, presumably, has since been terminated. That amounts to major damage to the national security interests of the United States.
And then, of course, there is the domestic political uproar. In July 2013, an amendment to defund portions of the NSA's intelligence collection programs failed by only 12 votes in the House of Representatives, just before the August recess; the vote was 217 to 205. Just a few weeks ago, Congress passed, and the President signed into law, the USA Freedom Act, significantly curtailing the intelligence collection activities of the NSA. When, in the course of American history, has a vote to essentially close down a portion of our national security apparatus come that close to success, much less succeeded?
The foregoing highlights the scope of the damage that Snowden has done, and done as essentially an independent actor. Indeed, in a rather unguarded moment, Snowden admitted that he actually took the job at Booz Allen Hamilton for the purpose of collecting classified information with an eye toward eventually disclosing it.(1) That demonstrates the damage to national security interests that a single individual, or a small group of actors, can do. They are not affiliated with any nation-state, except perhaps after the fact. They have no sovereign interest that we can address or talk to. They are, in essence, a combination of political activism, ideology, criminality, and an adherence to some form of an anarcho-libertarianism—combined with what appears to be a great deal of narcissism.
Thus, when we look at cyber conflict and threats to national security, we should not focus exclusively on other national opponents. Rather, our cyber strategy needs to account for the “democratization” of conflict, because the tools and weapons of attack are now widely available throughout the globe and the use of force (since information is a tool of force) is no longer the exclusive province of nation-states.
In this light, I would argue that we are in the midst of what Thomas Kuhn would call a paradigm shift.(2) It is a shift that is empowering individuals to act with force in ways that were beyond our conception a few short years ago. To see one example of that paradigm shift in practice, it is useful to reflect on what we might call the “WikiLeaks War” from 2010.
With the disclosure of classified information from American sources like Chelsea Manning, information clearinghouse WikiLeaks appeared to be launching an assault on state authority (and more particularly, on that of the United States, although other governments were also identified). Confronted with WikiLeaks’ anti-sovereign slant, the institutions of traditional commerce soon responded. There is no evidence to suggest that any of the governments affected ordered any actions, but the combination of governmental displeasure and clear public disdain for Wikileaks founder Julian Assange soon led a number of major Western corporations (MasterCard, PayPal, and Amazon, to name three) to withhold their services from the organization. Amazon reclaimed rented server space that WikiLeaks had used and the two financial institutions stopped processing donations made to the group.
What followed might well be described as the first cyber battle between non-state actors. Supporters of WikiLeaks, loosely organized in a group under the name "Anonymous" (naturally), began a series of distributed denial-of-service (DDoS) attacks on the websites of those major corporations they thought had taken an anti-WikiLeaks stand, flooding them with traffic in order to prevent legitimate access. The website of the Swedish prosecuting authority (which was seeking Mr. Assange's extradition to Sweden to face criminal charges) was also knocked offline. Some of the coordination for the DDoS attacks was done through social media, such as Facebook or Twitter, with participants running a freely distributed flooding tool, the Low Orbit Ion Cannon (LOIC), against the chosen targets. Meanwhile, other supporters created hundreds of mirror sites, replicating WikiLeaks content, so that it effectively could not be shut down. The hackers even adopted a military-style nomenclature, dubbing their efforts "Operation Payback."
When Anonymous attacked, the other side fought back. The major sites used standard DDoS mitigation to absorb or filter the attack traffic, and most of the attacks were relatively unsuccessful. The announced attack on Amazon, for example, was abandoned shortly after it began because the assault was ineffective. Perhaps even more tellingly, someone (no group has, to my knowledge, publicly claimed credit) began an offensive cyber operation against Anonymous itself. Anonymous ran its operations through a website, AnonOps.net, and that website was subjected to DDoS counterattacks that took it offline for a number of hours. In short, a conflict readily recognizable as a battle between competing forces took place in cyberspace, waged almost exclusively between non-state actors.
The failure of Anonymous to effectively target corporate websites and its relative vulnerability to counterattack are, likely, only temporary circumstances. Anonymous (and its opponents) will learn from this battle and approach the next one with a greater degree of skill and a better perspective on how to achieve their ends. Indeed, many of their more recent attacks—such as the effort to shut down the Vatican website—show a great deal of additional sophistication and effectiveness.
Moreover, Anonymous has demonstrated that, even with its limited capacity, it can do significant damage to individuals and companies. When Aaron Barr, the head of the security firm HBGary Federal, announced that his firm was investigating the identity of Anonymous participants, the group retaliated. Its members compromised the HBGary network (itself a significantly embarrassing development for a cybersecurity company, all the more so because the intrusion relied on a SQL injection flaw in the company's own website, weakly hashed and reused passwords, and social engineering rather than on any exotic technique) and took possession of internal emails that, in turn, suggested that HBGary was engaged in some questionable business practices. As a result, Barr was forced to resign his post, exactly the type of individual consequence that is sure to deter an effective counterinsurgent response.
More to the point, Anonymous has made quite clear that it intends to continue to prosecute the cyberwar against, among others, the United States. “It’s a guerrilla cyberwar—that’s what I call it,” according to Barrett Brown, a self-described senior strategist and “propagandist” for Anonymous. “It’s sort of an unconventional asymmetrical act of warfare that we’re involved in, and we didn’t necessarily start it. I mean, this fire has been burning.”(3) Or, consider the manifesto posted by Anonymous, declaring cyberspace independence from world governments: “I declare the global social space we are building together to be naturally independent of the tyrannies and injustices you seek to impose on us. You have no moral right to rule us nor do you possess any real methods of enforcement we have true reason to fear.”(4) In February 2012, Anonymous went still further, formally declaring “war” against the United States and calling on its citizens to rise and revolt.
Indeed, in many ways, Anonymous conducts itself in the same manner that an opposing military organization might. Also in February 2012, for example, it was disclosed that Anonymous had obtained and published a recording of a conference call between the FBI and Scotland Yard, the subject of which was the development of a legal case against the group. That sort of tactic, intercepting the enemy's communications, is exactly the type of tactic an insurgency might use. And by disclosing the capability, Anonymous has successfully sown uncertainty about how much else it might be intercepting.
In advancing their agenda, the members of Anonymous look somewhat like the anarchists who led movements in the late 19th and early 20th centuries, albeit anarchists with a vastly greater network and far more ability to advance their nihilistic agenda through individual action. And, like the anarchists of old, they have their own internal disputes. In 2011 another group called “Black Hat” effectively declared war on Anonymous because it disagreed with the Anonymous agenda. But even more, Anonymous and its imitators look like the non-state insurgencies we have faced in Iraq and Afghanistan—small groups of non-state actors using asymmetric means of warfare to destabilize and disrupt existing political authority.
The Sony hack
The late 2014 attack on Sony Pictures Entertainment provides an instructive case for testing the limits of our understanding of the new nature of cyber conflict, and for demonstrating that military means are not the only ones of addressing cyber intrusions.(5) Recall that the hack, conducted by a group identified as the “Guardians of Peace,” exfiltrated terabytes of data from Sony. Some of that data involved unreleased films; other data included embarrassing internal emails and proprietary information. Beyond the damage resulting from the release of confidential information, the hackers also demanded that Sony withhold from release The Interview, a movie depicting the assassination of North Korean leader Kim Jong-Un. After delaying the release for several days, Sony eventually made the movie available through several alternate outlets. The FBI (relying in part on information provided by the NSA) attributed the intrusion to North Korean government agents. Estimates of damage to Sony’s financial interests range upward of $100 million (though, of course, Sony isn’t saying).(6)
Here we have a group probably affiliated with a minor state actor, North Korea, using cyber means to degrade the economic interests of the citizens of another nation, the U.S. (Some experts, incidentally, doubt the attribution to North Korea, but for now let us provisionally accept it.) How shall we characterize this action? It had no kinetic effects, nor did it significantly affect the American economy. No matter how we view it, Sony is not really considered part of the “critical infrastructure” of the United States (although, oddly enough, in law it is characterized as such). And, so, this was not an “armed attack” triggering the laws of armed conflict. Nor was it even an act of espionage. But calling this a state-sponsored criminal act seems to trivialize its geopolitical context.
In the end, the Sony intrusion seems to reflect a new category of conflict—a quasi-instrumental action by a nation-state (or its non-state actor surrogates) that has significant non-kinetic effects on a target nation. Responses will not follow traditional military patterns. The United States, for example, has publicly announced financial sanctions against North Korea, and may very well have taken other, quiet actions in response.
What are the implications of this paradigm shift for cyber military strategy? They are profound. From Russia and China, we can expect some form of rationality in action. We can understand their motivations. For example, we know why the Chinese are stealing intellectual property: to jump-start their economy. We likewise can make some judgments about what would annoy them and what would not.
In the end they are rational actors, just as the Russians were during the decades of the Cold War. But in the cyber domain, the motivations of the actors are as diverse as the number of people who are there. There are indeed many actors, with many different motivations. Broadly, we can characterize them as irrational, chaotic actors, unified by a disrespect for authority, hierarchy, and structure, a dislike of it and an effort to work outside of it. In this respect, they look much more like insurgents than a national military.
That means we need a new strategy for cyber counterinsurgency.(7) Three factors should guide our cyber strategy, elements that should form the basic assumptions of a new COIN program in cyberspace. The first is that asymmetric conflict is here to stay. Non-state actors with near equal power to governmental actors are going to be the rule, not the exception, going forward. They can serve as proxies for nation-states, but they are not nation-states themselves.
Second, current non-state actor capabilities are limited. They cannot take down the electric grid in the United States currently. But that will not remain the case for very long. We have five years, ten years at the outside, before the capabilities of non-state actors become almost equivalent to those of nation-states. We have a window of opportunity to get our strategy right now, and we need to take it.
Third, attribution is the hardest part of the game. Knowing who the other side is and what their motivations are represents the most difficult challenge. Identifying actors and their motivations is not something we can fix technologically—although we can improve our “situational awareness.”
Instead of technical fixes, we need to develop cyber counterinsurgency law and policy that uses all of the techniques in our arsenal to fight this new kind of opponent. It will require not big, disruptive military activity, but methods such as integrating military and civilian activities, collecting intelligence, building host nation security, and so on. It is an effort in which all the elements of national power will come into play.
Organizing to face the new threat
Cyberspace is the most distributed, dynamic domain that we know of. There are more than two-and-a-half billion people and billions of devices connected to the network across the globe. It changes on an hourly or daily basis. The advanced persistent threats that are intruding on the Pentagon's .mil computers today did not exist six months or a year ago. They are newly built for that purpose. The last thing we need is a centralized, top-down hierarchy to face a diverse, multifaceted, morphing opponent in a battle space that changes every day.
Yet that is exactly what we are doing. The "big military" complex does a lot of things well, but one thing it does not do well is turn quickly. Thus we are in the process of building, at United States Cyber Command, a new "big cyber" to go with our "Big Army." It is currently a sub-unified command that reports to United States Strategic Command (STRATCOM), and there are already proposals to turn it into an independent unified command of its own. Doing so would lock us into the old Pentagon structure of a hierarchy with lots of rules, formal reporting, acquisition requirements, and staff judge advocates who will enforce rules across the length and breadth of the organization.
In this conflict space, however, a model based on “Big Army” is the wrong one. Instead, we need a cyber force that is far more akin to those used in special operations: something that is lean, quick to react, flexible, with a flat administrative structure and elite skills.
Just look at the cyber aspects of some of the current conflicts we face. The Obama administration is currently in the midst of rethinking its strategy against the Islamic State in Syria and Iraq. But what will ISIS’s cyber response be? What might be that of the Syrian regime? The Syrian Electronic Army has already put the United States on notice that it will counterattack if U.S. troops enter Syria, while ISIS has threatened to disrupt the American economy.
Can they do so? We simply do not know. Nor do we know their likely targets. We need to know both, and we need targeted tools that can locate ISIS or Syrian Electronic Army command-and-control servers and take them out without also taking down the Syrian and Iraqi electric grids. None of these tools and capabilities will come about as a result of a new unified command.
We are facing a brave new world. Anonymous and their ilk are a harbinger of things to come. Power and force are being democratized, and we are not ready for it. We are in the midst of a paradigm shift from a period when nation states have a monopoly on the use of significant force to one in which the destructive potential of cyberspace is being increasingly democratized. Unless we adapt and respond, we are setting ourselves up for catastrophic failure.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company, and a Senior Advisor to The Chertoff Group. He formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security.
1. Mollie Reilly, “Edward Snowden Says He Sought Booz Allen Hamilton Job To Gather NSA Surveillance Evidence,” Huffington Post, June 24, 2013, http://www.huffingtonpost.com/2013/06/24/edward-snowden-booz-allen-hamil....
3. Michael Isikoff, “Hacker Group Vows ‘CyberWar’ on U.S. Government, Business,” MSNBC.com, March 8, 2011, http://www.msnbc.msn.com/id/41972190/ns/technology_and_science-security.
4. The manifesto was posted as a YouTube video: “Anonymous to the Governments of the World,” April 25, 2010, http://www.youtube.com/watch?v=gbqC8BnvVHQ.
5. For a useful timeline of events related to the Sony hack, see Trend Micro, “The Hack of Sony Pictures: What We Know and What You Need to Know,” December 8, 2014, http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-....
6. Estimates vary on the actual losses, ranging from a low of $15 million to a high of over $100 million. Compare Cecilia Kang, "Sony Pictures Hack Cost the Movie Studio at Least $15 Million," Washington Post, Feb. 4, 2015, http://www.washingtonpost.com/news/business/wp/2015/02/04/sony-pictures-... with Lisa Richwine, "Sony's Hacking Scandal Could Cost the Company $100 Million," Reuters, Dec. 9, 2014, http://www.businessinsider.com/sonys-hacking-scandal-could-cost-the-comp....
7. I first wrote about this in Paul Rosenzweig, “Lessons of WikiLeaks: The U.S. Needs a Counterinsurgency Strategy for Cyberspace,” Heritage Foundation, Backgrounder no. 2560, May 31, 2011, http://www.heritage.org/research/reports/2011/05/lessons-of-wikileaks-th....