Large-scale cyberattacks are happening so often that it’s nearly impossible to keep track of the onslaught. The most recent of these came March 20, when computers, servers and networks in South Korea were disabled by a malware attack cleverly named “DarkSeoul.” The attacks targeted South Korea’s largest banks and its main television broadcasting companies—rendering 32,000 computers inoperable and freezing economic activity for tens of thousands. What Gen. Keith Alexander, commander of U.S. Cyber Command, worries about is the enemy’s “transition from disruptive to destructive attacks.”
Indeed, cyberattacks can do far worse than simply disrupt service, disable computers or steal data; they can destroy facilities, systems and infrastructure that people depend on for life. Former Defense Secretary Leon Panetta described this sort of cyberattack as “the next Pearl Harbor.” But that may be an understatement. Pearl Harbor decimated the Pacific fleet but left America’s vast industrial, communications and utilities infrastructure untouched. But an orchestrated cyberattack could sever our transportation arteries, cripple our energy and water utilities, freeze our financial system, blind our military, and scramble our communications networks – mixing the very worst of Pearl Harbor, 9/11, the 2003 Northeast Blackout and the 2008 economic crash. A Chinese general warns that military cyberattacks “may be as serious as a nuclear bomb.”
To get a sense of how important cyberspace is to the United States, think of this invisible domain as part of the global commons, just like the sea, sky and space. Indeed, Alexander likens “freedom of action in cyberspace in the 21st century” to “freedom of the seas…in the 19th century and access to air and space in the 20th century.”
More than 100 countries have “network exploitation” capabilities. For instance, the recent attacks against South Korea likely emanated from north of the 38th Parallel. Russia launched withering cyberattacks against Estonia in 2007 and Georgia in 2008. Iranian cyberattacks against the Saudi oil industry in 2012 destroyed 30,000 computers. The U.S. and Israel targeted Iran’s nuclear program with the Stuxnet virus—a cyber-smart bomb that sabotaged the computers controlling Iran’s uranium-enrichment program.
And then there’s China. Information-security firm Mandiant reported in February that the PLA’s cyber force—“Unit 61398”—is conducting “extensive” and “harmful” computer network operations from “four large networks in Shanghai.” Unit 61398 and related units have attacked government ministries in the U.S., Europe, Japan, India, Taiwan, South Korea, Australia and dozens of other countries; penetrated computer systems at U.S. defense firms, the Pentagon, NASA and other defense-related agencies; planted computer components in the United States with Trojan horse codes that could be activated to destroy or disable real-world facilities; and stolen massive amounts of information.
Alexander has called China’s cyber-espionage “the largest transfer of wealth in history.” The Pentagon reports China’s cyber-troops are “building a picture” of “military capabilities that could be exploited during a crisis.”
The good news amidst all this worrisome news is that Washington is finally allowing the Pentagon to treat cyberspace like any other theater of operations.
Toward that end, DoD will spend some $17.5 billion on cybersecurity over the next five years, and CYBERCOM will grow from 900 personnel to nearly 5,000 in the next three years.
The expansion is part of a wider effort at CYBERCOM to field three new forces for the Information Age: a “cyber national mission force” to protect computer systems and networks that serve critical infrastructure; a “cyber combat mission force” to assist regional combatant commands in conducting offensive operations; and a “cyber protection force” to defend the DoD’s networks.
“This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace,” Alexander bluntly explained during recent congressional testimony.
Relatedly, the Pentagon is putting the finishing touches on “a defined framework for how best to respond to the plethora of cyber-threats we face,” according to Lt. Col. Damien Pickart. In other words, the Pentagon is developing rules of engagement for cyberspace.
Finally, top military planners are mapping everything in cyberspace—all the billions of computers, devices and related networks that make up this ever-growing invisible domain. Ominously dubbed “Plan X,” this DARPA research effort will ensure that the United States has “superior capabilities to rapidly plan, execute, and assess the full spectrum of military operations in cyberspace.”
All of this—the new cyber-ROEs, the phalanx of cyberwarfare units, the growing ranks and reach of CYBERCOM, the enhanced focus on the digital domain, the mapping of cyberspace—is a function of the growing likelihood that America’s enemies will use cyberspace to do far worse than simply steal from us or spam us. And it’s long overdue. As retired Gen. James Cartwright warned when he was vice chairman of the Joint Chiefs of Staff, “We lack dominance in cyberspace and could grow increasingly vulnerable if we do not fundamentally change how we view this battlespace.”
Alexander’s efforts provide every indication that the Pentagon has embraced that change.
To deter a cyber-Pearl Harbor, the next step is for policymakers to let it be known that the U.S. will make no distinction between a cyberattack on critical infrastructure and a traditional kinetic attack. It’s worth noting that Russian military officials argue that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not.”
James Lewis of the Center for Strategic and International Studies warns there is a risk that North Korea and other cyber-rogues could “inadvertently trip over some threshold that will be seen as the use of force or an act of war,” thus accidentally triggering war in the non-cyber domain.
That explains why some military thinkers suggest that Washington should respond in kind to the next cyberattack. Updating a phrase from Cold War parlance, retired Air Force Lt. Gen. Harry Raduege notes that certain governments “only respond to somebody that’s going to be able to launch a mutually assured disruption of them.” Cartwright has even argued that Washington may have “to do something that’s illustrative” in order to communicate U.S. seriousness.
That may be exactly what Alexander’s cyber-warriors are preparing to do.