* * * * *
Consider this possibility: What if Russia's information operation targeting the 2016 presidential election was just a sideshow, a distraction that has drawn our attention away from more significant cyber operations? It is one thing to get people yelling at each other online, and to instigate marches and demonstrations in the streets. It is another thing altogether to derail trains loaded with lethal chemicals, contaminate the water supply in major cities, or shut down the power grid across large parts of the country.
Last Thursday, the Department of Homeland Security published a Technical Alert authored by DHS and the FBI entitled "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors." It was a notification that Russian government "cyber actors" have compromised energy, nuclear, water, aviation, and critical manufacturing facilities in the United States. The story made the front page of the New York Times – below the fold, overshadowed by the latest happenings in the Mueller investigation – and got a few quips from late night comics, and then quickly receded from the news.
In all of our yelling back and forth about what Russia did or didn't do around the 2016 presidential election – and whether it constituted an act of war or just some kind of geopolitical mischief – we may have deluded ourselves into believing that this is what is meant by cyber warfare.
Of course, we know that it isn't the extent of it. We hear Ted Koppel's warnings of the cyber apocalypse to come. We worry about the attacks on credit reporting companies, and hackers stealing our identities and selling them on the dark web. And we know that all sorts of actors, from Russia, China and Iran, to 400-pound guys sitting on their beds in New Jersey, are in on the game. Yet, somehow, as much as we understand the threats are out there, we show little concern over the extent of the risks that cyber warfare could pose to us, as evidenced by how little heed was paid to the DHS alert.
According to DHS, Russian cyber efforts accelerated in 2015 – around the same time as its information operation with respect to the election began – and they have advanced their capabilities to wreak havoc in the United States from being a theoretical risk to literally having their finger on the trigger.
"We now have evidence," observed Eric Chien, a security technology director at the digital security firm Symantec, "they're sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or effect sabotage... All that's missing is some political motivation."
If this sounds like something out of an action movie, it should. Ten years ago, the plot of the 2007 film Live Free or Die Hard centered around Thomas Gabriel – played by Timothy Olyphant – a disgruntled Department of Defense software engineer who went rogue after the Joint Chiefs of Staff ignored his warnings about the vulnerability of the country's cyber infrastructure. Gabriel decides to prove his point through a cyber attack blowing up a gas pipeline network and utility plant. Of course, the eternal Die Hard hero, Bruce Willis, playing NYPD cop John McClane, thwarts Gabriel's plans and saves the day, aided – notably – by Frederick Kaludis, aka Warlock, a seriously overweight computer hacker living in his mother's basement, probably in New Jersey.
As it turns out, movies have played a significant role in our understanding of cyber warfare. In the opening pages of Dark Territory: The Secret History of Cyber War, author Fred Kaplan tells the story of when President Ronald Reagan watched the movie War Games in June of 1983. War Games stars Matthew Broderick as David Lightman, a high school teenager who unwittingly hacks into a Pentagon mainframe computer and sets the world on a course for thermonuclear war. Broderick and his girlfriend, played by Ally Sheedy, spend the balance of the film trying to undo the havoc he has wrought.
The next day, President Reagan asked his national security staff whether what happened in the movie was plausible: Could someone hack into our defense computers and launch a nuclear war? According to Kaplan, Reagan's question took Pentagon and National Security Agency officials by surprise. The whole cyber world was in its infancy, and, apparently, it had not occurred to the best and the brightest of the military and intelligence communities that while they were developing new forms of cyber warfare to unleash upon America's enemies, our enemies might be preparing the same capabilities to unleash against us. Yes, they concluded, to their chagrin, it was plausible. The episode changed the course of America's cyber warfare efforts.
A decade later, in 1992, the writers of War Games collaborated on the movie Sneakers. As Kaplan tells the story, that movie created a similar aha moment for the incoming director of the National Security Agency, Rear Admiral Mike McConnell. Sneakers revolves around efforts by the NSA to recover a mysterious cryptographic device that, it turns out, can hack into any computer system – the Federal Reserve Bank, air traffic control, missile defense, whatever. In a climactic moment, Cosmo, the teenage hacker-turned-criminal mastermind – played by Ben Kingsley – who created the device, describes the new cyber world to his erstwhile college hacker friend, Robert Redford: "The world isn't run by weapons anymore, or energy, or money. It is run by ones and zeros, little bits of data. It's all just electrons... There's a war out there, old friend, a world war. And it's not about who's got the most bullets. It's about who controls the information: what we see and hear, how we work, what we think. It's all about the information." Admiral McConnell had been struggling to define the mission and purpose of the NSA he had been appointed to lead. When he saw the movie, he realized that Ben Kingsley had defined it for him.
In 2013, Vladimir Putin's top general, Valery Gerasimov, emphasized the elevated role of cyber warfare in the Russian strategic arsenal: "The role of non-military means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness." The Pentagon, in turn, showed its heightened concern earlier this year in a Nuclear Posture Review that proposes to expand its policy on the appropriate first use of nuclear weapons to include responses to significant cyber attacks.
While the Pentagon's cyber warriors have offensive cyber capabilities equal to, if not greater than, Russia's, our cyber defenses are more problematic. As Mike McConnell has observed, while the lion's share of cybersecurity expertise rests with agencies of the federal government, more than 90% of the physical infrastructure of the Web is owned by private industry, making investments in adequate cyber defenses problematic. The DHS alert specifically focused on this vulnerability.
A balance of power in the cyber world is fundamentally different from a balance of power with respect to nuclear weapons. Unlike nuclear war, cyber warfare can be fought in many ways – as the 2016 election interference campaign suggests. Cyber attacks can be launched in unlimited gradations, from small air traffic control disruptions at a single airport to the destruction of the utility grid in a major city. These gradations, as well as the challenges of attribution inherent in cyber events, are particularly well-suited to Putin's purposes. The balance of power of the Soviet era was based around the doctrine of mutually-assured destruction, which meant that both sides had their finger on the button, but neither had an incentive to push it. In contrast, cyber warfare is already in active use, with myriad variations in its targets and scope. This suggests that it cannot be contained as the Pentagon imagines – other than, perhaps, with respect to catastrophic events – which begs the question: What are effective responses?
Attribution is a critical issue, as it is essential to effective deterrence. The essence of deterrence is the certainty of consequences for proscribed behavior, but it all rests on "ascribing agency to an agent." As we have seen in events from the little green men that led Russia's incursions into Crimea and Ukraine, to the poisoning of former Russian spies Sergei Skripal and Alexander Litvinenko, Putin likes to push and prod, to test limits and gauge reactions, as he pursues his objectives, even as he denies responsibility and minimizes consequences. So, too, with respect to the election hacking, where attribution of responsibility to the Russian state has been difficult to prove, much less the determination of an appropriate response. Given these considerations, one can imagine that Vladimir Putin will have significant incentives to expand his use of cyber, and the leverage that flows from it, to achieve his strategic goals.
The brilliance of the Russian strategy – if indeed it was a strategy – of pairing the attacks targeting our political institutions through social media with those that now threaten our critical public and economic infrastructure is that the degrading of our political infrastructure has undermined our capacity to respond to threats to our physical infrastructure. If we cannot manage civil discourse around the most mundane issues in our day-to-day politics, imagine what our discourse will become when we seek to ascribe blame because the lights have gone out and airports are shut down in the midst of a tit-for-tat cyber escalation.
Follow David Paul on Twitter @dpaul. He is working on a book, with a working title of "FedExit: Why Federalism is Not Just For Racists Anymore."
Artwork by Joe Dworetzky. Check out Joe's political cartooning at www.jayduret.com. Follow him on Twitter @jayduret or Instagram at @joefaces.