The Evolution of Cyber Warfare - Council on Foreign Relations http://www.cfr.org/publication/15577/evolution_of_cyber_warfare.

html

Home > By Publication Type > Backgrounders > The Evolution Of Cyber Warfare

Backgrounder

The Evolution of Cyber Warfare

Author: Greg Bruno, Staff Writer

February 27, 2008

1. Introduction
2. Cyber Warfare: The New Frontier
3. U.S. Cyber Warfare on the Offensive
4. Cyber-Warfare Tactics
5. Patching the Holes
6. Measuring the Threat

Introduction
In the spring of 2007, when Estonian authorities moved a monument to the Red Army from the center of its capital city,
Tallinn, to the outskirts of town, a diplomatic row erupted with neighboring Russia. Estonian nationalists regard the
army as occupiers and oppressors, a sentiment that dates to the long period of Soviet rule following the Second World
War, when the Soviet Union absorbed all three Baltic states. Ethnic Russians, who make up about a quarter of Estonia’s
1.3 million people, were nonetheless incensed by the statue’s treatment and took to the streets in protest. Estonia later
blamed Moscow for orchestrating the unrest; order was restored only after U.S. and European diplomatic interventions.
But the story of the “Bronze Statue” did not end there. Days after the riots the computerized infrastructure of Estonia’s
high-tech government began to fray, victimized by what experts in cybersecurity termed a coordinated “denial of
service” attack. A flood of bogus requests for information from computers around the world conspired to cripple
(Wired) the websites of Estonian banks, media outlets, and ministries for days. Estonia denounced the attacks as an
unprovoked act of aggression from a regional foe (though experts still disagree on who perpetrated it—Moscow has
denied any knowledge). Experts in cybersecurity went one step further: They called it the future of warfare.

Cyber Warfare: The New Frontier

The attack on Estonia’s “paperless government” (BBC) was one of the most publicized hacks in recent computing
history. But it wasn’t the first case of cyber espionage, nor the most egregious. It’s the “tip of the iceberg of the quantity
and quality of attacks that are going on,” says O. Sami Saydjari, president of the Cyber Defense Agency, a security
consultant, and a former Pentagon computer security expert. Israel, India, Pakistan, and the United States have all been
accused of launching similar attacks on adversaries.

China, however, may be the most active. Washington has accused the Chinese of hacking into government computer
networks at the U.S. Departments of State, Commerce, and Defense—in some instances making off with data. But
accusations of Chinese cyber-meddling reached a crescendo in June 2007, when, according to the Financial Times,
hackers broke into a Pentagon network that serves the Office of the Secretary of Defense, briefly shutting it down.
Chinese electronic espionage has also been suspected against British companies (Rolls Royce is one example), as well as

1 of 4 5/24/2010 12:33 PM
The Evolution of Cyber Warfare - Council on Foreign Relations http://www.cfr.org/publication/15577/evolution_of_cyber_warfare.html

government agencies in France, Germany, South Korea, and Taiwan. “Chinese capabilities in this area have evolved
from defending networks from attack to offensive operations against adversary networks,” Deputy Undersecretary for
Defense Richard P. Lawless told (PDF) a House committee in June 2007. China, like Russia, denies the accusations.
Both countries argue any attacks originating from IP addresses inside their countries have been directed by rogue
citizens, not their governments. Western targets, however, continue to accuse the Chinese of ratcheting up their cyber
attack capabilities.

U.S. Cyber Warfare on the Offensive

The United States, of course, is no innocent bystander. William M. Arkin, a defense analyst who writes the Early
Warning blog for the Washington Post, says “our ability to penetrate into enemy computer networks, our ability to
exploit communication networks, to manipulate digital information, is real,” but little is known about the precise nature
of Washington’s offensive capabilities. Some details, however, have leaked. For instance, in March 2004 the Pentagon
announced the formation of an Information Operations team—the Network Attack Support Staff—to streamline the
military’s cyber attack capabilities (PDF). The aim, senior military officials said at the time, was to create an “interface
between the combatant commanders and the intelligence community.”

“ Our information infrastructure Arkin, who has reported on cybersecurity issues for over two decades, says the U.S.
…increasingly is being targeted military also has technologies capable of penetrating and jamming enemy networks,
for exploitation and potentially
including the classified “Suter” system of airborne technology. According to Aviation
for disruption or destruction by a
growing array of state and Week, Suter has been integrated into unmanned aircraft and “allows users to invade
non-state adversaries.” communications networks, see what enemy sensors see, and even take over as systems
–Director of National administrator so sensors can be manipulated into positions so that approaching
Intelligence Michael McConnell
aircraft can’t be seen.” Some speculate the Israeli military used the capability during
its air raid on a Syrian construction site in September 2007. The United States made use of nascent capabilities in the
1999 Kosovo War (MSNBC.com), and built on those lessons in Iraq (Wired).

Cyber-Warfare Tactics
Other cyber tactics are less sophisticated. The attack that temporarily brought down Estonian networks began with a
flood of bogus messages targeting government servers, called a “denial of service” attack. The approach harnesses
“botnets”—massive networks of interconnected computers—to bombard targeted networks with information requests
while masking the location of the primary attacker. James Lewis, a security expert with the Center for Strategic and
International Studies (CSIS), says hackers in the Estonia example likely took control of tens of thousands of computers
around the world without the knowledge of their owners and directed them at the government’s servers. The result, he
says, was a relatively minor attack that was nearly impossible to trace (PDF).

Another technique is the use of “malware,” “spyware,” and other malicious programs imbedded into computer systems
to steal information without user knowledge. The software is designed to hide undetected and siphon information from
its host—everything from secrets stored on personal computers to Pentagon military mainframes. A December 2007
analysis of U.S. Air Force cyber vulnerabilities (PDF) notes much of the Pentagon’s operating systems are off-the-shelf
components manufactured overseas, due to cheaper costs. But pinching pennies has potentially opened U.S. military
networks to intrusion. “Foreign countries could place hidden components inside the computers, making the computers
vulnerable for attack and/or spying,” the analysis concludes.

Less common but far more worrisome are cyber attacks aimed at critical “Our ability to penetrate into
enemy computer networks, our
infrastructure—like nuclear-power-plant control systems, banks, or subways. In
ability to exploit communication
March 2007 the Department of Energy’s Idaho Lab conducted an experiment to
networks, to manipulate digital
determine whether a power plant could be compromised by hacking alone. The information, is real.”
result—a smoking, self-combusting diesel generator incapacitated by nothing more –Defense Analyst William M.
than keystrokes—sent shivers (CNN) through the private sector. The worries were Arkin

2 of 4 5/24/2010 12:33 PM
The Evolution of Cyber Warfare - Council on Foreign Relations http://www.cfr.org/publication/15577/evolution_of_cyber_warfare.html

apparently well-founded. In January 2008 a CIA analyst told U.S. utilities that hackers had succeeded in infiltrating
electric companies in undisclosed locations outside the United States and, it at least one instance, shut off power to
multiple cities. The hackers then demanded money (AP). “The [U.S.] government is scrambling to try and protect its
own systems, to try and check the Chinese from reading government email,” says economist Scott Borg, director of the
U.S. Cyber Consequences Unit, a nonprofit research institute that studies cyber threats. “But the focus probably needs to
be critical infrastructure. That’s what we need to defend.”

Patching the Holes

On paper the U.S. government appears to agree. For over a decade government-sanctioned studies have delved into the
subject; the Pentagon published a report on “Information Warfare-Defense” (PDF) in 1996, when public use of the
Internet was still in its infancy. Saydjari says all of these studies reached the same conclusion: “The threat and
vulnerabilities to our national infrastructure is serious, it’s getting worse, and it’s getting worse at an increasingly fast
rate.” But only recently has the concern been a constant focus of attention for the security and intelligence communities.
Part of the attention deficit lies with the difficulty in defining the cyber threat. A 2006 Air Force task force termed
cyberspace “a warfighting domain bounded by the electromagnetic spectrum,” but air force officials acknowledge “a full
understanding of the domain is years away.”

What is understood is how potentially devastating the loss of cyberspace dominance could be to U.S. interests. In his
annual threat assessment to Congress delivered in February 2008, Director of National Intelligence Michael McConnell
discussed “cyber threats” before talking about the war in Afghanistan. “Our information infrastructure …increasingly is
being targeted for exploitation and potentially for disruption or destruction by a growing array of state and non-state
adversaries,” McConnell said. “We assess that nations, including Russia and China, have the technical capabilities to
target and disrupt” the United States’ information infrastructure.

“Chinese [cyber warfare]
capabilities have evolved from
defending networks from attack
to offensive operations against
adversary networks.”
–U.S. Deputy Under Secretary
for Defense Richard P. Lawless
The Pentagon, too, has acknowledged the threat to its infrastructure. The Defense
Department is considering banning nonofficial traffic (Federal Computer Week) from
its servers, and the U.S. Air Force is creating a Cyber Command to defend Pentagon
networks. “When we talk about the speed range and flexibility of air power, the thing
that enables this for us is the fact of our cyber-dominance,” Air Force Gen. Robert
Elder told United Press International.

The recent flurry of high-level pronouncements also comes amid a renewed funding commitment from Washington. In
November 2007 the Bush administration called on the National Security Agency to coordinate with the Department of
Homeland Security to protect government and civilian communication networks from hackers. The $144 million plan,
unveiled quietly in White House budget documents (PDF), aims to enhance “civilian agency cybersecurity and
strengthen defenses to combat terrorism.” In January 2008 President George W. Bush signed two presidential
directives calling for the creation of a comprehensive national cybersecurity initiative. According to an article by the
Wall Street Journal, the White House’s 2009 budget request takes the program exponentially further, with an estimated
$6 billion request to build a secretive system to protect U.S. communications networks. Details of the proposed program
remain classified, angering some civil libertarians who fear monitoring of civilian networks could infringe on privacy
rights. Rep. Bennie G. Thompson (D-MS), chairman of the House Homeland Security Committee, has called for the
program to be put on hold (PDF) until Congress can adequately review it.

Measuring the Threat

Cyber experts don’t dispute that electronic espionage is a vexing problem, or that the United States is a prime target. But
they do disagree on how pervasive such attacks are, who is behind them, and how disruptive they may prove to be.
According to a tally by the Heritage Foundation, a conservative Washington think tank, the hackers may already be
winning: In 2007 the Department of Homeland Security logged an estimated 37,000 attempted breaches of private and
government computer systems, and over 80,000 attacks on Pentagon systems. Some hacks “reduced the U.S. military’s

3 of 4 5/24/2010 12:33 PM
The Evolution of Cyber Warfare - Council on Foreign Relations http://www.cfr.org/publication/15577/evolution_of_cyber_warfare.html

operational capabilities,” the report says (PDF).

Economist Borg says the biggest threat from cyber attacks may be economic. He estimates a shutdown of electric power
to any sizable region for more than ten days would stop over 70 percent of all economic activity in that region. “If you
can do that with a pure cyber attack on only one critical infrastructure, why would you bother with any traditional
military attack?” CSIS’ Lewis takes a less alarmist view. “The U.S. is a very big set of targets, and some of our important
networks are very secure. So you could inflict damage on the U.S. but it wouldn’t be crippling or decisive,” he says. “I’ve
seen people who say a cyber attack could turn the United States into a third-world nation in a matter of minutes. That’s
silly. We have to be realistic about this.”

Weigh in on this issue by emailing CFR.org.

© Copyright 2010 by the Council on Foreign Relations. All Rights Reserved.

4 of 4 5/24/2010 12:33 PM