President Barack Obama ran on “change we can believe in”–and he and the media will take the opportunity in this week’s State of the Union address to assess his response to the global economic crisis and rebuilding America’s health insurance system. But there’s a quiet change happening in his role as Commander-in-Chief, too–one you won’t likely hear much about in Tuesday evening’s address. Slowly, with very few observers noting it, Obama has become our first cyber-war president.
As popularly described in media and politics, “cyber war” includes discreet information gathering, prolonged economic sabotage, and pinpoint attacks against the infrastructure of rival states–through the Internet and allied technologies such as USB stick-sharing. It would be more accurate to call it the widespread-eavesdropping-surveillance-and-infrastructure-disruption-conducted-through-radically-time-and-money-saving-tools war. So … “cyber war” it is.
Although limited incidents of cyber war took place during the George W. Bush and even the Bill Clinton years, the past five years have seen an exponential growth in cyber warfare. Since at least 2009, American businesses and the government, to a degree, have been dealing with sustained electronic threats and deploying Internet weaponry against enemies abroad.
U.S. Cyber Command (CYBERCOM), the military command responsible for the bulk of America’s defensive and offensive cyberwar efforts, is receiving a 500% manpower increase. Between 2014 and 2016, the Pentagon expects to add thousands of new billets–the exact number is still unknown–to the 900 service members currently assigned to CYBERCOM. CYBERCOM is tasked with a staggering array of tasks designed to secure America’s online infrastructure; this ranges in real life from detecting and patching security holes in critical infrastructure such as banking and utilities to creating new network defenses for the military’s sprawling computer systems. Troops at CYBERCOM also engage in offensive warfare and reportedly work on both worms and cyber attacks that can be combined with traditional airstrikes or special operations missions.
The hiring increase at CYBERCOM indicates military concern over infrastructure weaknesses, outside observers say. Siobhan MacDermott, Chief Policy Officer at Czech security firm AVG, tells Fast Company that the reconfiguring was primarily defense-oriented. “We are probably talking about beefing up CYBERCOM’s defensive capability rather than offensive capability. The latter has long been the emphasis of DoD cyberwarfare planning. I’m not sure that this signals a shift in doctrine, but it may suggest an appropriately urgent awareness of vulnerability,” MacDermott says.
But neither government nor the president will win the cyber war without help from beyond its borders or the private sector. Government as an institution is often too slow, too risk-averse (and thus not innovative enough), and too responsible to its public to match tactics of attackers who often swear no official national allegiance and don’t play by any rules of engagement.
Foreign intelligence agencies and militaries also allegedly have less nervousness recruiting foreign cyber criminals to their side than the United States. Both Russia and China outsource cyber attacks to their own criminal undergrounds. In addition, Russia and China (along with Israel and Iran) have been willing to recruit former black hat hackers to their own intelligence and military services. By comparison, the United States has been far less willing to bring criminal hackers into the fold. The military is aware their cyber-war recruitment efforts have been hampered by mandatory background checks, but institutional culture at the military is unlikely to change. During the Obama administration, the United States constructed a robust information assurance recruitment scheme that funnels talented information assurance wizzes straight to the NSA after university. The NSA has even created YouTube promotional videos to steer security whizzes to Fort Meade instead of higher-paying and less bureaucratic private sector jobs.
Still, Howard Schmidt, President Obama’s former Cyber-Security Coordinator, told an audience of information security professionals and journalists at a Kaspersky Labs New York conference in January that the line between cyber war and cyber crime is blurred (as the National Intelligence Estimate seems to indicate), making U.S. government response tricky. Schmidt also claimed that unnamed foreign governments take kickbacks from the earnings of local cybercriminals targeting American corporations in a sort of quid-pro-pro for letting them operate. While Schmidt dislikes the use of the term cyber warfare–in a panel conversation with CEO Eugene Kaspersky he claimed the term is misleading–he also warned that malware is easy to militarize. Kaspersky, meanwhile, was accused of ties to the Russian government by Wired‘s Noah Schachtman in 2012. The accusations were denied, however, in a long blog post by Kaspersky.
In an October speech, outgoing Defense Secretary Leon Panetta warned of a “cyber-Pearl Harbor.” Panetta claims America’s electronic infrastructure is poorly protected and includes gaping security holes throughout the electric grid, the transportation system, financial networks, and in the federal government’s own computer networks. Although rarely publicized, cyberattacks against critical American assets–especially those in the banking sector–are commonplace. The newly released 2013 National Intelligence Estimate claims that China in particular is engaged in mass-scale cyberattacks against American interests for economic purposes, but that Russia, Israel, and France engage in hacking attacks against American corporations in much smaller amounts.
At an October 2012 presentation organized by security trade publication SC Magazine, former NSA Deputy Training Director Col. Cedric Leighton told the assembled crowd that businesses needed to treat cyber attacks as a serious threat, and to be aware of developments in cyber warfare against government, military, and intelligence entities. “Awareness about what is going on around you in the IT world is critical,” Leighton said.
So if big government can’t win the win the cyber war, who can? Private companies, some of whom are funded by government capital.
America’s information assurance industry is booming, with jobs available domestically at nearly every major corporation, many smaller companies dealing with sensitive industries, and at a host of contractors and consulting services. While American companies are mum talking about it, cyber espionage, Internet-enabled theft, and snooping are a fact of life. As attacks such as the recent anti-bank Thor malware become more commonplace, the cost of cyberattacks will be passed on to customers just like Walmart and Target already factor in the cost of shoplifting.
In the looming cyber war, the definition of contractors could take on a completely different connotation from the one left with the public by private security forces Academi, Xe, and Blackwater in Mideast conflicts. The new digital security forces are on the front lines of the cyber war, both through their protection of critical private American infrastructure and through their ties to government agencies. Security outfit Mandiant recently made news for helping the New York Times repel systematic attacks by Chinese hackers, and mysterious new outfit Cylance, which launched last year, recently hired four well-known experts in power plant and energy infrastructure security. Other new firms, such as TaaSera, specialize in protecting the financial sector. In short, the need for information assurance and robust anti-hacker defenses is a growth industry spurring a ton of startups. It’s also a growth industry which is protecting America’s critical infrastructure from a staggering array of digital attacks.
Although on-the-record statements of the extent of economic hacking are hard to come by, there are indications of how various government agencies view economically motivated cyber warfare. The CIA maintains a venture capital arm, In-Q-Tel, which invests in startup companies that serve the short-term needs of the U.S. intelligence community. Alongside the usual suspects–big data firms like Cloudera and predictive analytics firms like Recorded Future–are several cybersecurity outfits. RedSeal Networks develops security assessment software for government and large corporations, Another In-Q-Tel-backed company, Tenable, handles vulnerability management projects for large and small clients while even collaboration platform Huddle receives funding to make secure communication tools for government agencies. In-Q-Tel’s Dan Geer wrote in 2010 that the CIA-linked venture capital firm’s goal in cybersecurity investments is to pursue “the absence of unmitigatable surprise.” Once again, that defensive posture shows up.
Government–and our first cyber war president–will still have active roles here. Unlike conventional military operations, acts of cyber war are frighteningly cheap. Coding malicious worms costs little more than employing a team of programmers and engineers; systematically testing the defenses of critical infrastructure in strategic countries requires only the cost of a top-notch information assurance team. Worms, malware attacks, and DdoS attacks are favored by state entities and malicious foreign hackers alike because they’re so inexpensive–which makes them commonplace. In fact, a failed cybersecurity bill in 2012 would have even had large American corporations share in the cost of cyber-war defenses. There has even been talk of a “cyberdraft” which would push security professionals into government service during wartime.
While cyber-war efforts are ongoing, they are also multipolar. Cybersecurity firms, who routinely consult with governments and corporations of all sizes, come from global backgrounds. As previously mentioned, Kaspersky is Russian. F-Secure is Finnish. Radware is Israeli. Trend Micro is Japanese. AVG is Czech. Cybersecurity firms, much like startups, require plenty of brain but limited capital to get off the ground. This makes them an especially appealing growth sector in smaller markets. For many American companies facing foreign hackers out to gather intellectual property–in other words, the companies that unintentionally serve as the trenches of cyber-war trenches–they rely on these firms to protect their systems from malware and intrusions. In one high-profile recent case, the New York Times publicly chastised Symantec when Chinese hackers infiltrated their Symantec-protected system.
For the United States, government-run, offensive cyberwarfare remains a sketchy area but one likely to come into sharper focus along with the threat. The New York Times‘ David Sanger revealed that Stuxnet was a joint American-Israeli project in mid-2012, and that the NSA saw cyberwarfare as a useful and discreet tool to prevent Iran from acquiring nuclear weapons. A second piece of malware found in Iran, Flame, was also reportedly made in Washington. Sen. John McCain has been a vociferous booster of U.S. Cyber Command getting enhanced offensive capabilities, and the Pentagon (through the military-affiliated DARPA think tank) confirmed in late 2012 that the military is researching revolutionary cyber warfare capabilities. Although media sources and cyber security companies routinely paint cyber war as a series of unrestricted attacks on American banks, the truth is that the Defense Department is deeply interested in both electronic surveillance of foreign countries and infrastructure-crippling digital attacks for use in future armed conflicts.
[Photo Mash: Joel Arbaje]
Clarification: Kaspersky formally denied Wired’s accusations last year.