CSIS has developed a new online tool for tracking major cyberattacks around the world. The website is as helpful as it is sobering.
Starting with the December 2015 cyberattack on Ukraine’s utility sector and working its way backwards, the interactive site catalogues hundreds of cyberattacks, data breaches and other malicious cyber-events dating to April 2000.
When observed in one long stream of images and data, the breadth, depth and accelerating growth of this uniquely 21st-century threat all come into focus. Large-scale cyberattacks targeting U.S. citizens, interests, and infrastructure are happening so frequently that it’s nearly impossible to keep track of the onslaught. The most recent of these came last summer, when China penetrated the Office of Personnel Management (OPM) and compromised the personal, financial and employment history of 21.5 million Americans. U.S. officials describe it as perhaps “the most devastating cyberattack in our nation’s history.”
To date, cyberattacks targeting the U.S. have not been crippling, but they have been costly:
- Cyberattacks cost the average American company $15.4 million annually. A CSIS study estimates the annual global cost of malicious cyber-activity at between $375 billion and $575 billion. “That’s our future disappearing in front of us,” says Gen. Keith Alexander, former head of U.S. Cyber Command (CYBERCOM).
- In 2013, the U.S. government notified more than 3,000 companies—many of them defense contractors—that their networks had been compromised.
- Some 431 million people around the world are victimized by cyberattacks annually, including one in four American adults.
Much of the cyber-onslaught emanates from China. Alexander calls China’s cyber-siege of the United States “the largest transfer of wealth in history.” According to a study conducted for the U.S.-China Economic and Security Review Commission (USCC), China’s use of “computer network exploitation activities to support espionage has opened rich veins of previously inaccessible information that can be mined both in support of national-security concerns and, more significantly, for national economic development.” For example:
- Beijing used cyberattacks to infiltrate subcontracting firms and systems related to the F-35 Joint Strike Fighter program and C-17 transport plane program.
- Beijing exploited cyberspace to gain “full functional control over networks at the Jet Propulsion Laboratory,” according to the USCC.
- China launched “spearphishing” attacks against Westinghouse, Alcoa, Allegheny Technologies, U.S. Steel, the United Steelworkers Union, and SolarWorld.
- In 2013, information-security firm Mandiant pointed to a shadowy unit of the People’s Liberation Army (PLA) called “Unit 61398” as the source of many Chinese cyberattacks. Unit 61398 has attacked government ministries in the U.S., Europe, Japan, and other countries; penetrated computer systems at U.S. defense firms, the Pentagon, and NASA; planted computer components in the United States with Trojan horse codes; and stolen massive amounts of information. “We witnessed them stealing hundreds of terabytes of data from 141 companies,” Mandiant reported, adding, “A unit of the PLA has in fact been chartered to compromise the U.S. infrastructure and steal our intellectual property.”
There is more—and worse—to come. Alexander worries about the “transition from disruptive to destructive attacks.”
For some of America’s allies, destructive attacks have already come. In 2007, in what has been called “Web War I,” Russian cyberattacks cut off Estonia from the world—hacking the websites of the president, prime minister, parliament, and foreign ministry; crippling Estonia’s communications infrastructure; and disabling the mobile-phone network, the 911 equivalent, and the country’s largest bank. After Web War I, Ene Ergma, head of the Estonian parliament, wearily explained, “Cyberwar doesn’t make you bleed. But it can destroy everything.”
In 2012, Iran’s Shamoon computer virus destroyed 30,000 computers linked to the Saudi oil industry.
In 2013, North Korea’s “DarkSeoul” attacks wiped the master boot records of 32,000 computers at South Korea’s largest banks and broadcasting companies. “The true intention of the DarkSeoul adversaries,” according to McAfee, was “to spy on and disrupt South Korea’s military and government activities.”
In December 2015, Ukraine experienced what has been called “the first blackout caused by a cyberattack,” when eight Ukrainian utilities were hit by a malware attack emanating from Russia. The attack left 80,000 people without power—in the dead of winter. Related attacks crippled the IT network at Kiev’s main airport.
Alexander likens freedom of action in cyberspace to “freedom of the seas…in the 19th century and access to air and space in the 20th century”—and rightly so. The physical infrastructure America depends on—the electrical grid, water-treatment facilities, air-traffic control system, banking and financial systems, transportation arteries—depends on cyberspace. If America’s swath of cyberspace is at risk, those systems are at risk—and someone could throw America’s high-tech society back to pre-industrial days.
Before scoffing at this, consider that U.S. officials worry about Chinese telecommunications firm Huawei placing a “bug, beacon, or backdoor” into critical systems that could allow for “a catastrophic and devastating domino effect…throughout our networks,” as a senior member of Congress told Foreign Policy magazine.
Former Defense Secretary Leon Panetta describes this sort of cyberattack as “the next Pearl Harbor.” But that may be an understatement. Although Pearl Harbor decimated the Pacific Fleet, it left America’s industrial, financial, communications and utilities infrastructure untouched. An orchestrated cyberattack could sever our transportation arteries, cripple our energy and water utilities, freeze our financial system, blind our military, and scramble our communications networks.
To prevent such a nightmare scenario, several nations are calling on the UN “to create norms of accepted behavior in cyberspace.” But given that two of the governments urging the UN to keep the peace in cyberspace are Russia and China—each guilty of some of the most egregious cyber-assaults to date—any UN bid for cyber-peace in our time won’t deliver much.
A more likely path to peace and security in this new frontier is to develop the assets, doctrine and resolve to deter and, if necessary, conduct cyberattacks. President Ronald Reagan might have called it “cyber-peace through cyber-strength.”
Slowly but surely, Washington is coming to realize, as Gen. James Cartwright argued in 2007, that to protect U.S. interests and assets in cyberspace, policymakers must “apply the principles of warfare to the cyber domain, as we do to sea, air and land.”
That means cyberattacks must be deterred with the credible threat of punishing retaliation and answered in kind. Cartwright has even suggested that Washington “do something that’s illustrative” in order to communicate U.S. seriousness in cyberspace. “The defense of the nation is better served by capabilities enabling us to take the fight to our adversaries,” according to Cartwright.
Toward that end, President George W. Bush committed $30 billion to strengthening government networks. Bush also authorized the “Olympic Games” operation (which included the Stuxnet computer worm) targeting computer systems that run Iran’s nuclear program. Stuxnet became the first major cyberattack “used to effect physical destruction,” as Michael Hayden, Bush’s CIA director, explained. According to Ralph Langner, an expert in industrial computer systems, Stuxnet “was as effective as a military strike.” Langner compares Stuxnet to “the arrival of an F-35 into a World War I battlefield.”
The good news is that Stuxnet set back Iran’s nuclear program. The bad news, the critics warn, is that if a cyber-smart bomb like Stuxnet can be deployed against America’s enemies, it can be deployed against America’s highly networked military and civilian infrastructure. While this is a real possibility, it ignores two important realities. First, the enemy is already working on cyber-weapons and employing them against the U.S. Second, the United States develops weapons to defend itself. Sometimes this is achieved by the mere existence of a weapons system. But at other times, defending the nation depends on deploying those weapons.
Taking the baton—or mouse, as it were—from his predecessor, President Barack Obama stood up CYBERCOM. He also gave the Pentagon a green light to develop capabilities to “deceive, deny, disrupt, degrade, and destroy” enemy information systems.
In 2013, the Pentagon unveiled plans to expand CYBERCOM from 900 personnel to 5,000. The expansion is part of a wider effort at CYBERCOM to field three new forces for the Information Age: a “cyber national mission force” to protect computer systems and networks that serve critical infrastructure; a “cyber combat mission force” to assist regional combatant commands in conducting offensive operations; and a “cyber protection force” to defend Pentagon networks.
In addition, military planners are mapping cyberspace—all the billions of computers, switches, devices and networks that make up this ever-growing invisible domain. Dubbed “Plan X,” this DARPA program aims to ensure that the United States has “superior capabilities to rapidly plan, execute, and assess the full spectrum of military operations in cyberspace.”
To assist the warfighters, policymakers should let it be known that the U.S. would view a cyberattack on critical infrastructure in the same way as a traditional military attack, inviting a full military response. It’s worth noting that Russian military officials have argued that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not.”
These doctrinal changes are needed because of the growing likelihood that America’s enemies will use cyberspace to do far worse than simply steal from us or spam us. As Cartwright has warned, “We lack dominance in cyberspace and could grow increasingly vulnerable if we do not fundamentally change how we view this battlespace.”
Alan Dowd is a contributor to the Providence journal’s daily blog.
Photo Credit: In June 2015, twenty-eight Army, Air Force, Navy, and Marine Corps computer professionals conducted cybersecurity training at the Cyber Center of Excellence at Fort Gordon in Augusta, GA.