Cyber Warfare: A Prominent Threat to the World’s Infrastructure

Mark Stanislav mark.stanislav@gmail.com Abstract
The landscape of information security is changing rapidly. The old age of cyber-threat was generally a consolidated fear of those in general industry and the random government agency. In these modern times however, information security is now running in-parallel for the resources of governments around the world. The thought-model of what “hackers” are is shifting from that of a general nuisance into large components of a country’s intelligence, counter-intelligence, and in a sense, infantry. Where the focus of international, government-backed attacks may have been previously done for information gathering or to make a statement, there is increasing focus on where and when the first “real” attack will be committed. An attack that will stand alone, instilling fear into the minds of all civilians that their reliance on technology could be their largest downfall. A consideration is to be made then: what does the impact of cyber warfare really mean to a country that is under attack?

There is a new soldier. The battlefield is binary. In a world where a nuclear weapon can do less damage to a country than a flip of a single bit, technology has certainly created a challenge that was never intended by the founders of the Internet. When ARPANET was funded by The Advanced Research Projects Agency (ARPA), much of the intention was to help the military find a better footing within the quickly evolving computer-age. Roughly 40 years later, a U.S. government funded project has spanned the world, and even space. At a time when there are ‘Tweets’ coming from the space shuttle Atlantis, it doesn’t take much technical intuition to understand that we are all connected -- perhaps too much. Looking back at history, national security was often created through strategic geographical separations. The bodies of water that surround the United States have been a pinnacle of our security since the beginning. In the past 40 years, the thought of nuclear attacks with Intercontinental Ballistic Missiles (ICBM) have kept many a diplomat in talks to try and find peace rather than ending millions of lives in a single flash. Today a reality of not only our dependence on technology, but also its threat, concerns those knowledgeable about the subject. Information security is rarely associated with the potential of mass casualties, failed economies, or millions of displaced civilians. The information of a country, government, or people, is not just what they shopped for online and what their credit card number is. The real information is where is the greatest flaw in the water purification system? What piece of code needs to be changed to shutdown the entire power grid of a nation? How can an economy collapse with a rogue command through a NYSE switch? Information security is not an aside: it has the highest potential, to do the most damage, with the least threat of casualty to the attacking entity.

Cyber warriors stand to be the new Patton. A generation where the person who knows the intricacies of a 30-year-old telecommunications system may just be a national hero and international villain. The description of hacker is quickly transforming from the geeky kid in your high school to highly-trained, closely guarded students of information security. According to “The Journal of International Security Affairs”, the Chinese People’s Liberation Army (PLA) had already organized their first Cyber Warfare units as early as 2003. A terrifying aspect to this already worrisome notion is that due to how the Chinese government demands transparency from many major vendors (such as our own Microsoft) they may have knowledge of software that our government does not. A vulnerability may be discovered by cyber units of the PLA long before any American is even able to contemplate the potential for an issue. For a foreign government to know intricacies of software used by hundreds of millions of computers internationally, a single flaw discovered by one government could be responsible for launching the world’s largest attack of critical infrastructure in a single day. The consideration of a Microsoft Office exploit, for example, could provide a quiet breach from the office of a CEO of a major electrical computer into poorly protected internal infrastructure. Network intrusions such as the operation ‘Titan Rain’ by the Chinese from 2003 to 2005 on U.S. and European allies of the U.S. help to exemplify the real desires by other governments to learn our secrets and find vulnerability in our infrastructure. Cyber warfare has begun in places other than China though. Estonia was notably attacked in 2007 with banks, ministries, and their parliament as targets. From those attacks, the United States will permanently have a computer crime expert based in Estonia to help with their efforts to prevent and defend against such attacks in the future. Battle lines are being drawn, allies are

being assembled. In these regards, Cyber warfare is no different from other wars,. In fact, one major area where cyber warfare is generally separated from the threat of “real war” is the idea that no deaths will result from a person sitting at a computer, typing a few commands. The horrific truth of the matter is that the Internet may be of the the world’s greatest technological contributions, but much as was the development of nuclear technology, may one day up-end our very security and safety. In 1998, during the conflict in Kosovo, the United States successfully hacked Serbian air traffic control systems. The attacks were so successful that the United States actually had to restrain from essentially endangering the lives of all civilians across the area. Technology has certainly come a long way in 10 years and we are also more interconnected than ever before. In a “60 Minutes” piece this year, retired Admiral Mike McConnell proposed the question to his interviewer, “Can you imagine your life without electric power?”. The blackouts of 2003 in the United States showed how quickly infrastructure can affect the daily lives of citizens. If that incident could be controlled and executed in tandem with a physical attack on the United States, chaos would ensue and we would be in a nearly helpless position. Admiral McConnell also brought to light that in 2007 he considered that the United States had, what he called, a “digital Pearl Harbor”. Terabytes of information was allegedly downloaded by an unknown entity from all of our major governmental agencies. While traditional warfare has a quickly identifiable attacker and obvious result, cyber warfare can be harder to judge. We may be getting attacked right now and might not know until all of our infrastructure is compromised and the kill-switch has been put into place. A signal sent to a dam that misrepresents water or pressure levels could be all it takes to kill thousands of Americans.

In 2004, the United States government, through the Pentagon, announced the formation of an Information Operations team called “Network Attack Support Staff” which is geared towards streamlining the military cyber attack capabilities, according to the “Council of Foreign Relations”. In 2006, the United States Air Force called cyberspace, “a warfighting domain bounded by the electromagnetic spectrum”. While the phrasing is superficially technical, the message is clear: the Internet and other telecommunications networks are a proving ground for the warriors of this century. The reliance that America possesses on the Internet makes our threat greater than most countries. China’s resources are already heavily filtered as far as what is “allowed” by citizens, helping to create at least an enhanced security about their infrastructure. Mitigating risk may be the only chance we have but with our economy so heavily tied to our telecommunications infrastructure, it seems unlikely that this will occur. The U.S. government is slated to spend $9.6B on information security contracts by 2013. With funding like that, there seems to be hope that our country is taking these issues seriously. However, since so much of our infrastructure is privately owned, but government regulated, it may take longer to institute heavy-handed security policies amongst that infrastructure. For smaller, less democratic nations, telling an electrical entity to follow guidelines, “or else”, is a very real possibility. Within the United States, our freedoms and capitalism that we so passionately defend in every war is again at stake. The motivation of our government to defend its infrastructure is an obvious one, but the ability for us to do so is more complicated than would be ideal. Regulation can often be slow to be enacted. Budgeting, even with large industry, is often tight. While the full extent of our cyber offensive capabilities is not known to most, the day-to-day security that we can control is a necessary must for all involved in the IT fields.

Lt. Gen. Robert J. Elder Jr., who heads the Air Force's cyberoperations command explained in a 2008 article with MSNBC that one problem with the realm of cyber warfare is determining what constitutes an ‘act of war’. When a nation attacks our men and women on our own soil, the United States has always been quick to act. What will it then take for us to take similar action with cyber attacks? If our information is already being compromised and stolen in droves, how do we define what is ‘excessive’? An example of cyber warfare deeming military action may be as simple as disabling the power of 100,000 civilians. A direct attack on the critical infrastructure of the United States would be a undeniable sign that action must be taken. What if though, the 2003 power outage was that attack? Perhaps the government was just unaware to whom it owed retaliation to? Cyber war won’t always be as straight-forward like traditional war has been throughout the history of the world. One area of ubiquitous technology often overlooked by your average ‘computer geek’ is that of Industrial Control Systems (ICS). The ICS infrastructure of the United States represent the nuts & bolts, as it were, of everything from elevators, to amusement park rides, to our power grid. Idaho National Laboratory, a leader in ICS security, conducted ICS-related war game exercises in a controlled environment this past April. In those exercises, they showed how a successful attack could be carried-out on a chemical processing system. While the fluids leaked out in their war games was harmless, a real-world chemical biohazard could endanger thousands and inconvenience tens-of-thousands of Americans in a few short hours of work by a skilled attacker. Scale these types of attacks throughout the United States and you have a 9/11 of critical infrastructure with only a simple computer program doing damage that not even hijacked commercial planes could.

Not everyone is as convinced of these threats, though. Evgeny Morozov from the “Boston Review” wrote in mid-2009 that he felt the concerns over these threats were highly over sensationalized. His perspective, it seems, is mostly due to the fact nothing overtly scary has happened yet. That rationale works well until something does happen; then what? While the impending doom of the entire world may not rest on a single computer system, the financial loss to clean-up a cyber attack, or thousands of lives affected for long periods of time are not much different from a normal attack from any upset nation. Battles of all sizes comprise a war and the impact of each one should not be overlooked just because their scope isn’t all consuming like a nuclear attack. The real threat of cyber warfare is that we can be attacked across the U.S. from people no where near our shores, in milliseconds, rather than days or weeks. Cyber warfare may not be “the act” that pushes a country into a full conflict, but it will certainly be continually used to poke and prod at defenses that otherwise would be considered safe. Our thoughts of attacking “them” on “their” land, is no more. Even if we bring the war to another country’s borders, they can still hit us back without getting out of their chair. More so, their chair could be 10,000 miles away. You won’t find a computer hacker taking down our power grid in a spider hole, ready for surrender -- they don’t need to be anywhere near the ‘real’ conflict. President Obama stated in May, 2009 that “We've failed to invest in the security of our digital infrastructure. From now on . . . the networks and computers we depend on every day will be treated as they should be: as a strategic national asset.” With a committed statement like that, it stands to reason that the U.S. will not be letting its guard drop past what we have already achieved in our apathy to secure the very infrastructure to which we introduced to the world.

The Department of Homeland Security reports the number of cyber attacks on government and private networks increased from 4,095 in 2005 to 72,065 in 2008. This number will surely rise exponentially for years to come, continually dwarfing the previous year’s numbers. Where cyber attacks can go unreported forever, traditional attacks are often known immediately. While the U.S. may have not had an attack on its soil by a terrorist since 9/11, we most certainly have through the Internet.
As the challenges for our nation to secure its digital borders continue, legislation is being

thought of to give the President larger power of the Internet, a move which is both bold and controversial. In the “Cybersecurity Act of 2009”, the potential for the President to essentially deem a situation where the Internet would be essentially “disconnected” due to a serious threat has been proposed. While policy like this will surely change over the coming months, the wheels are in motion for the digital landscape of our country to change forever. The U.S. has been a leader since the beginning of the Internet in online communications and we may soon start setting the bar as to how to deal with that power and responsibility.
As with any threat, the challenge of our government and its people is to find a reasonable

balance between ensuring our continued safety and the freedoms that we all have come to expect. We all have a responsibility to protect our national infrastructure, be vigilant, and use our intellect and strategy to secure our nation. The ocean is no longer our ally, but a conduit that other nations run through via a trans-Atlantic cabling system. Our technology is not just our convenience, but an open-door to our breaker boxes and faucets. The wars are changing and so must our defenses. The coming decade will stand to define how our telecommunications may evolve for the next 50 years. Will we as a nation be ready or will we be dealt the first major blow? No matter what the case -- cyber warfare is coming and the threats are real.

References 60 Minutes. (2009, Nov 09).
Cyber War: Sabotaging the System. Retrieved November 14, 2009, from http:// www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml Bruno, G. (2008, Feb 27).
The Evolution of Cyber Warfare. Retrieved November 14, 2009, from http://www.cfr.org/ publication/15577/evolution_of_cyber_warfare.html CNN. (2009, May 13).
NASA astronaut first to 'tweet' from space. Retrieved November 14, 2009, from http:// www.cnn.com/2009/TECH/space/05/13/twitter.space/index.html Cyberwarfare. (2009, Nov 22).
In Wikipedia, the free encyclopedia. Retrieved November 14, 2009, from http:// en.wikipedia.org/wiki/Plagiarism Foxnews.com. (2009, Aug 28).
Senate Bill Would Give President Emergency Control of Internet. Retrieved November 14, 2009, from http://www.foxnews.com/politics/2009/08/28/senate-president-emergencycontrol-internet/ Germain, J. (2008, Sep 16).
The Winds of Cyber War. Retrieved November 14, 2009, from http:// www.technewsworld.com/rsstory/64494.html?wlc=1258213682&wlc=1258301146 Gromov, G. (n.d.).
Roads and Crossroads of Internet History. Chapter 1, Retrieved November 14, 2009, from http://www.netvalley.com/cgi-bin/intval/net_history.pl?chapter=1 Harris, S. (2009, Nov 14).
The Cyberwar Plan. Retrieved November 14, 2009, from http:// www.nationaljournal.com/njmagazine/cs_20091114_3145.php INPUT. (2008, September 17). Information Security Spending By The U.S. Federal Government
Will Reach $9.6 Billion By 2013. Retrieved June 2nd, 2009, from http://www.input.com/ corp/press/detail.cfm?news=1395 Jesdanun, A. (2008, Apr 07).
U.S. cyberwarfare takes the offensive. Retrieved November 14, 2009, from http:// www.msnbc.msn.com/id/23994596/ Mazanec, B. (2009).
The Art of (Cyber) War. The International Journal of Security Affairs, Volume 16. Retrieved November 14, 2009, from http://www.securityaffairs.org/issues/2009/16/mazanec.php

Morozov, E. (2009, Jul).
Cyber-Scare. Retrieved November 14, 2009, from http://bostonreview.net/BR34.4/ morozov.php Ong, J. (2009, Oct 28).
China strengthens cyber war arsenal against United States. Retrieved November 14, 2009, from http://www.ibtimes.com.au/articles/20091028/china-strengthens-cyber-war-arsenalagainst-united-states.htm Prentice, S. (n.d.).
International conference plays cyber war games. Retrieved November 14, 2009, from https://inlportal.inl.gov/portal/server.pt? open=514&objID=1269&mode=2&featurestory=DA_327137