Weighing risks of civilian harm in cyberwarfare
New York Times
Posted online: Aug 06, 2009 at 2212 hrs
John Markoff & Thom Shanker
It would have been the most far-reaching case of computer sabotage in history. In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the US invaded Iraq. He would have no money for war supplies. No money to pay troops. “We knew we could pull it off—we had the tools,” said one senior official who worked at the Pentagon when the highly classified plan was developed.
But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the US.
Fears of such collateral damage are at the heart of the debate as the Obama administration and its Pentagon leadership struggle to develop rules and tactics for carrying out attacks in cyberspace.
While the Bush administration seriously studied computer-network attacks, the Obama administration is the first to elevate cybersecurity—both defending American computer networks and attacking those of adversaries—to the level of a White House director, whose appointment is expected in coming weeks.
But senior White House officials remain so concerned about the risks of unintended harm to civilians and damage to civilian infrastructure in an attack on computer networks that they decline any official comment on the topic. And senior Defence Department officials and military officers directly involved in planning for the Pentagon’s new “cyber command” acknowledge that the risk of collateral damage is one of their chief concerns.
“We are deeply concerned about the second- and third-order effects of certain types of computer network operations, as well as about laws of war that require attacks be proportional to the threat,” said one senior officer. This officer, who like others spoke on the condition of anonymity because of the classified nature of the work, also acknowledged that these concerns had restrained the military from carrying out a number of proposed missions. “In some ways, we are self-deterred today, because we really haven’t answered that yet in the world of cyber,” the officer said.
In interviews over recent weeks, a number of current and retired White House officials, Pentagon civilians and military officers disclosed details of classified missions—some only considered and some put into action—that illustrate why this issue is so difficult.
Although the digital attack on Iraq’s financial system was not carried out, the American military and its partners in the intelligence agencies did receive approval to degrade Iraq’s military and government communications systems in the early hours of the war in 2003. And that attack did produce collateral damage.
Besides blowing up cell-phone towers and communications grids, the offensive included electronic jamming and digital attacks against Iraq’s telephone networks. American officials also contacted international communications companies that provided satellite-phone and cell-phone coverage to Iraq to alert them to possible jamming and ask their assistance in turning off certain channels.
Officials now acknowledge that the communications offensive temporarily disrupted telephone service in countries around Iraq that shared its cell-phone and satellite-telephone systems. That limited damage was deemed acceptable by the Bush administration.
Another such event took place in the late 1990s, according to a former military researcher. The American military attacked a Serbian telecommunications network and accidentally affected the Intelsat satellite communications system, whose service was hampered for several days.
These missions, which remain highly classified, are being scrutinised today as the Obama administration and the Pentagon move into new arenas of cyberoperations. Few details have been reported previously; mention of the proposal for a digital offensive against Iraq’s financial and banking systems appeared with little notice on Newsmax.com, a news Web site, in 2003.
The government concerns evoke those at the dawn of the nuclear era, when questions of military effectiveness, legality and morality were raised about radiation spreading to civilians far beyond any zone of combat.
“If you don’t know the consequences of a counterstrike against innocent third parties, it makes it very difficult to authorise one,” said James Lewis, a cyberwarfare specialist at the Centre for Strategic and International Studies in Washington. But some military strategists argue that these uncertainties have led to excess caution on the part of Pentagon planners.
“Policymakers are tremendously sensitive to collateral damage by virtual weapons, but not nearly sensitive enough to damage by kinetic”—conventional—“weapons,” said John Arquilla, an expert in military strategy at the Naval Postgraduate School in Monterey, California. “The cyberwarriors are held back by extremely restrictive rules of engagement.”
Despite analogies that have been drawn between biological weapons and cyberweapons, Arquilla argues that “cyberweapons are disruptive and not destructive.”
That view is challenged by some legal and technical experts.
“It’s virtually certain that there will be unintended consequences,” said Herbert Lin, a senior scientist at the National Research Council and author of a recent report on offensive cyberwarfare. “If you don’t know what a computer you attack is doing, you could do something bad.”
It’s an interesting thing to ponder just how much havoc could be wreaked by attacking an infrastructure in a cyber war. Now, if you think about it, the “homeland” (yeah, I hate that term since it was appropriated by the previous administration) has most of its infrastructure in private companies’ hands AND is very interconnected. Attack one, and you may have collateral damage that will cause a more far-reaching effect.
Let’s look at it this way.. The US is very connected… Iraq in 2003 was not “that” connected to really have much collateral damage. Sure, Intelsat had issues, but it was no biggie. So, what would happen if our infrastructure were attacked en masse? I could foresee a lot of “fire sale” images à la Die Hard really, but the reality is somewhere less grim. We would be inconvenienced really, and that’s about it, unless the attack in the cyber world were in tandem with physical attacks.
Just as in the operations mentioned in the article, the real whammy is in the physical destruction of systems and infrastructure, not only from a cyber stance but real ruin. THIS is what the government really fears. Take out the eyes and ears as well as the C&C and we’re fucked. Just as 9/11 was all the more crazy because the towers held key comms infrastructure for the city, this type of attack would leave us unable to communicate, control, and give orders.
So, with all the talk of cyber war, just where are we really?
Well, I have said it before and I will say it again. Our security posture as a nation is “teh suck” for the most part. This is why the “Cyber Tsar” (another term I am hating for its misuse) is so important, as well as their function to get this country to perform the “due diligence” where our network and infrastructure security posture is concerned.
And you can see how well that’s going huh…
Here’s the bottom line:
1) Have supplies ready in case our infrastructure is taken down in spots or as a whole; Food, Water, etc.
2) Prepare for being without power. If I were an aggressor, the first thing I would hit other than COMMS would be power. So, get the gennies out or have solar.
3) Have your own COMMS systems like HAM or CB that can be SIMPLEX or, dare I say it, even have your own repeater.
4) Don’t Panic: If there is an attack of this nature, the only time I would really worry is if the bombs start falling or massive amounts of people start coming down with a raging hemorrhagic fever… Or Zombies start banging on the door…
5) If by chance this all is brought on by a nuclear detonation in the atmo… Well, unless you have shielded equipment, you’re pretty much back to stone knives and bear skins… So adapt… There’s nothing you can do.
Let’s just hope it doesn’t come to that….
So there you have it… Unless we get our collective shit together, it’s possible that we could have a real situation on our hands… Those in the know will be better off…. Of course we are all gonna be saved by smart meters and cloud computing! So no worries!