How Not To Secure the Internet

Joshua Pollack

Abraham Kaplan wasn’t addressing national security, but what he wrote in 1964 is broadly applicable and still fresh today:

I call it the law of the instrument, and it may be formulated as follows: Give a small boy a hammer, and he will find that everything he encounters needs pounding.

Transposed to adulthood, that principle might go some distance toward explaining certain mysteries in the story reported by John Markoff, David E. Sanger and Thom Shanker in Tuesday’s New York Times, titled, “In Digital Combat, U.S. Finds No Easy Deterrent.”

The story describes a recent exercise involving “top Pentagon leaders” that simulated their response to “a sophisticated cyberattack aimed at paralyzing the nation’s power grids, its communications systems or its financial networks” — with “dispiriting” results:

The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.

Thus, we are told, the pursuit of cyber-deterrence has yet to bear fruit.

But Why Deterrence?

A number of points are left unexplained, but let’s consider just two. First, are intrusions into computer systems really capable of shutting down a wide variety of critical physical systems? And second, if this is so, why is a deterrence strategy the preferred response?

If hackers could bring the nation to its knees at any time, one wonders why it hasn’t happened. It’s not as if America wants for unscrupulous, highly motivated, and fairly computer-savvy enemies. We shouldn’t dismiss the idea, since there has long been concern about the potential vulnerabilities of SCADA systems, although this seems more like an “insider” than a “hacker” problem. Regardless, let’s assume for the sake of argument that this is a serious ongoing problem.

So why would the threat of retaliation be the preferred form of protection for the national infrastructure? Even if an attack on the electrical grid could be attributed with high confidence — and the chances of that sound pretty dim — what if the hacker turned out to be a terrorist, a criminal for hire, or perhaps an amateur bent on mischief on a grand scale? Do we respond by turning out the lights in the perpetrator’s country of residence? I’m guessing not, especially if it’s Canada — or America, for that matter.

But even more basically, if you were a government official, and your best experts told you that a serious national vulnerability existed, wouldn’t your first thought be, “How do we fix that?” If a serious threat exists to computerized control systems linked to critical infrastructure, then some equally serious effort ought to go into securing them, even if that means isolating them from the Internet, just to be safe. Even if that means seeking a new grant of regulatory power. This is a national security matter, right?

Don’t get me wrong; I’m not averse to the idea of deterrence! But hammers are for driving nails, and this problem looks like a bunch of bolts, nuts, and washers.

For further reading: why the “cyber threat” mostly involves espionage — and poisoning relations between major powers.

Comments

  1. Major Lemon (History)

    Ironic considering that the internet was originally conceived as a method of emergency communication during a real war.

  2. R. Austin (History)

    For a really good look at the idea of “cyberdeterrence” — see “Cyberdeterrence and Cyberwar” by Martin C. Libicki, available for download at the RAND site.
    Short preview — there may be no such thing for several really good reasons.

  3. Cheryl Rofer (History)

    I see that Libicki’s report is already cited.

    I had the same problem with that report that Josh is having with the NYT article: why deterrence for cyberwarfare? And, if some of these things are such dangers, why haven’t they been tried already? Or have they been tried and failed?

    Seems like in this case, the best offense is a good defense, to turn the saying around.

    The concept of deterrence really worked for the two-player MAD game. But once you get outside that, it makes less and less sense.

  4. Tom (History)

    This reminds me of the problems some of the electronic voting machines were having with viruses a few years ago. What were they doing hooked up to the internet in the first place?

    I think that part of the problem is that many of the decision makers who deal with cyber-warfare have only a vague knowledge of how networks and the Internet actually work. The result is that everyone ends up using analogies (“digital Pearl Harbor,” etc.) to understand the issue, but these don’t reflect the details of the underlying reality.

    Movies and TV probably don’t help here either, since according to them (e.g. the last Die Hard movie) computers are magical boxes that can control everything in the entire world.

  5. 3.1415 (History)

    Before the joint chiefs and generals jump to their guns, they should know that the United States already has the ultimate deterrence in cyberwarfare. All they need to do is to order ICANN to pull the plug on domain names such as .cn or .tw, if they are sure where the attack originates. There is really no need to make virtual wars real.

  6. Scott Monje (History)

    “If hackers could bring the nation to its knees at any time, one wonders why it hasn’t happened.”

    An interesting question. During the 5-day war of August 2008, Russia (apparently) shut down some Georgian government Web sites with “denial of service” attacks. Do you or your readers know whether there were any more serious attacks of the kind discussed here? It was certainly an opportunity to test that sort of thing.

  7. Andrew Tubbiolo (History)

    If they were really worried about critical infrastructure they’d remove the hardware from the internet and set aside some dark fiber for an isolated dedicated network. It would be cheaper and less intrusive on civil liberties. And probably more secure. Which makes me think that ‘securing’ critical infrastructure is not the real reason for this new foray into a police state.

  8. Josh (History)

    Those interested can find the Libicki study at the link. Now I’ll have to go read it…

  9. Azr@el (History)

    The information revolution is our instrument of expansion, to borrow Quigley’s terminology. It is the means by which western civilization has evaded decline after the collapse of industrial capitalism. And the internet without any control and outwith any system of regulation has inflicted significant wounds on Deng’s China and theocratic Iran.

    In reaction to this success, established institutions of the state, our mamelukes and janissaries, the military and national security organs have demanded control of the net to safeguard their share of government spending. These demands have taken the form of backdoors into gmail for the sake of US antiterrorism efforts, which have in turn been exploited by the PRC to compromise pro-democracy advocates that have fled mainly online. These demands have also taken the form of telecommunication monitoring technology built into the phone networks, which have in turn been exploited by the IRI’s security organs to monitor pro-democracy activists. Ironically it is the current vested interests of the state which are attempting to neuter the power of the net as a transformative agent, as an agent of the expansion of the US championed ideals of democracy and human rights.

    If we wish to defeat threats against the net then let it be free. Halt all attempts to institutionalize it, end all current restraints even if that means the government cedes its ‘right’ to backdoors, and recognize that when the net stops expanding due to a preponderance of external regulations then so do we. The internet will be able to defend itself without admirals, generals or undersecretaries of this or that.

  10. user_hostile (History)

    Some take a more skeptical view about cyber terrorism.

  11. Major Lemon (History)

    The risks of cyber terrorism are far less than the benefits of the internet. To get the latest intelligence on say Iran, all the CIA needs to do is a Google search. Previously, intelligence operatives on covert operations risked being eliminated if discovered. Now, sitting in front of their PCs at 4 am, all they risk is the wrath of their wives or mothers.

  12. Hairs (History)

    The threats to an electrical grid are quite real and probably worthy of more attention than they get. As to why nobody has yet hacked and attacked a grid (and I assume here that if it had happened we’d have heard about it) I can only guess that any hackers were interested in “sexier” targets.

    Tom asks why systems are hooked up to the internet in the first place? Well, for a start there is an awful lot of data that now has to flow between the plant and engineering / monitoring centres if the plant is to run well (e.g. fault investigations, trending, upgrades, etc). This tends to be done across a virtual private network, which has a degree of encryption, but I’d guess that if you know the right addresses then you could break into such a network. Some remote control is possible – even necessary: for example, I’ve started up a gas turbine power station remotely using a laptop and a cellphone because the station itself is unmanned and a hundred miles into the desert (where it connected to a convenient branch of the grid). If you DIDN’T have such remote operation then you wouldn’t be able to achieve rapid response to a sudden increase in demand, and the grid might collapse anyway.

    Up to a few years ago, even if you got onto the VPN it would have been comparatively difficult to cross from the VPN onto the bus that carries control signals around a power station. And even if you managed that you might have to contend with some uncommon control languages in order to do anything. More importantly, normal office PCs / software are necessarily different from the power station controls hardware and software. However, more and more stations are now moving to commoner software (such as MS Windows and Linux) in their control systems, and it’s only a matter of time before someone saves on capital costs and decides to use the Controller’s console to run office e-mail. Once this happens everything’s very open to viruses imported on USB sticks (which are the bane of my professional life in more than one country).

  13. Hairs (History)

    With regard to the grid, information and control signals are carried down the lines themselves (on PLCs = power line carriers) and also across microwave communications. “Hacking” into a PLC would probably require connecting to the power line, which is not easy unless you’re prepared to swallow a few kiloAmps at high voltage. But to a signals layman like me there’s no obvious reason why hacking the microwaves should be any more difficult than hacking into a cellphone network. Even easier would be to walk into the despatching centre with a gun (security is remarkably lax in some countries) and simply tell the guys what you want. Any well run grid has protection signals to prevent line overloads, so you’ve only got to issue those signals to a few key stations and they’ll trip – bringing the rest of the grid with them.

    Of course, bringing down a grid is spectacular – and in countries where facilities like hospitals have insufficient back-up a grid collapse is also likely to kill a few people – but within a few hours to a day or so the system will be back up (assuming the hacker doesn’t maintain control). But in a war situation I imagine the enemy would want something more permanent, in which case he’s likely to look for physical damage. Since stations would be well guarded he may not get in, but I guess even a hand grenade at the right location (e.g. a remote section of a fuel line) would create a lot of problems.

    The extreme case in a war would be a high-altitude nuclear explosion; the electromagnetic pulse would ruin a lot of high-voltage transformers, which would then have to be replaced. The problem is, there are only a few manufacturers in the world of such transformers, and only some dozens of the really big transformers (e.g. for large coal stations, nuclear stations, key sub-stations, etc) can be made. Consequently the grid would be down for months.

    In short, although stations and grids are vulnerable to hacking attacks – if only because their primary design objective is not security – I think there are easier and more permanent ways to do the damage.

  14. J House (History)

    …and what if the hack attack comes from an extra-planetary source?