Fraser Forum | 9.1.08
By Alan W. Dowd
In the unseen reaches of cyberspace, our enemies are quietly taking the postmodern form of warfare we witnessed on September 11 to a new level: they are no longer just transnational—they are non-national, hiding and attacking in a world where there are no borders. They are no longer just stateless—they are place-less. And they are no longer virtually invisible—they are, well, virtual.
This is one reason why some argue that a war waged in cyberspace, with streams of code rather than bullets and bombs, can’t hurt us. They’re wrong. Just ask our friends in Estonia.
Estonia’s recent brush with cyber-warfare started not in cyberspace but in the real world, after the Estonian government decided to relocate a Soviet-era war memorial. The decision incensed Russia. What followed has been called “Cyberwar I,” “Web War I,” “a digital invasion,” and “a cyber-riot.”
In layman’s terms, cyber-savvy Russian nationalists unleashed a withering volley of “distributed denial of service” attacks that crashed Estonian websites with countless computer-generated “zombie” hits, flooded servers in Estonia with junk data, and, as the International Herald Tribune explained, overwhelmed “the routers and switches … that direct traffic on the network” (Landler and Markoff, 2007, May 28).
The cyber-salvos hit NATO ally Estonia especially hard because the tiny Baltic country is one of the most web-dependent places on Earth. In fact, the Estonian parliament considers Internet access a “fundamental human right” (Lesk, 2007). Wired magazine notes that 90% of bank transactions in what some call “e-Stonia” are carried out via the Internet (Davis, 2007, Aug. 21).
The attacks, which lasted for about three weeks in the spring of 2007, crippled Estonia’s communications infrastructure. They targeted newspapers, the mobile-phone network, the country’s 911 equivalent, and the country’s largest bank, costing the country millions of euros (Bright, 2007, May 17). In addition, key government web sites were attacked, including those of the president, prime minister, parliament, foreign ministry, and Federal Electoral Committee.
“It turned out to be a national security situation,” Estonian defense minister Jaak Aaviksoo concluded afterwards. Although he conceded that Estonia was “not able to prove direct state links,” he was quick to note that some of the attacks were traced to Russian government offices (Landler and Markoff, 2007, May 28).
“Cyber-attacks are a form of offensive action that can paralyze, weaken, harm a nation-state,” Estonian President Toomas Hendrik Ilves said. “This might be a test run for something bigger and larger,” he ominously added, “just like the Germans tested out Stuka bombers in 1936 in Spain” (Radio Free Europe/Radio Liberty).
If the Russian government was involved in the attacks, it would seem to qualify as an act of war. In fact, high-level Russian military officials have argued that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there [are] casualties or not” (Hildreth, 2001).
If, as Moscow still claims, it was renegade cyber-nationalists, then this amounts to terrorism or piracy, and Russia is obligated to punish those responsible. Either way, Moscow must police its corner of cyberspace. After all, whether or not Russia was behind this cyber-war, Estonia thought so, and this opened the door to far graver consequences: an Estonian request that NATO invoke Article V of the North Atlantic Treaty, which could have led to an old-fashioned war.
Estonia isn’t the only country to come under cyber-assault.
NATO reports that all of its member states have weathered cyber attacks of some kind in recent years (Blakely and Richards). In the late 1990s, for instance, Chinese cyber-attacks defaced web sites of several American agencies, and Washington uncovered hundreds of attempts by China to penetrate computer networks at American nuclear laboratories (CNN).
In 2005, Canada’s Communications Security Establishment, which provides signals intelligence and protects information infrastructure, was hit by what it called “sophisticated intrusions” into government computer systems (CTV).
Around the same time as Estonia’s cyber-siege, several German government ministries, including the chancellery and foreign ministry, were breached. German officials blame China for the massive attacks. Hans Elmar Remberg of Germany’s Office for the Protection of the Constitution pointedly used the phrase “Chinese cyberwar” in describing the attacks (Deutsche Welle, 2007, Oct. 23).
Whereas the attacks on Estonia were presumably intended to test Western defenses and intimidate the tiny Baltic nation, the Chinese attacks were aimed at stealing Western technology. “Across the world,” according to Remberg, “the People’s Republic of China is intensively gathering political, military, corporate-strategic and scientific information in order to bridge their technological gaps as quickly as possible” (Deutsche Welle, 2007, Oct. 23).
And the cyber-attacks continue in 2008. In a repeat of the attacks on Estonia, the summer of 2008 saw cyber-soldiers—again, most likely Russians—launch waves of attacks against public and private infrastructure in the former Soviet republics of Lithuania and Georgia.
All of this invites an intriguing but worrisome question: are we witnessing the early phases of “WWWI”?
Responding to threats
Whatever its name, military officials across the West are taking the threat seriously.
NATO dispatched specialists to Estonia after last year’s one-sided web war, in order to carry out a battle-damage assessment. In mid-2008, NATO opened a Cooperative Cyber Defense Center in Tallinn, Estonia. According to General James Mattis, NATO’s Supreme Allied Commander for Transformation, the new center “will help NATO defy and successfully counter the threats in this area” (NATO, 2008).
Allocating assets to the defense of cyber-space comes not a moment too soon. Consider the Pentagon’s 2008 report on China’s military power, which notes that Beijing is positioning itself to use cyber-capabilities to wage “non-contact warfare” to target “communications and logistics nodes … financial infrastructure and information operations” (US DoD, 2008).
In 2007, the Pentagon quoted China’s own strategy papers to warn that Beijing’s goal is “to weaken the enemy side’s information superiority” and ultimately field a force capable of “winning informatized wars by the mid-21st century” (US DoD, 2007).
That same year, perhaps foreshadowing its future capabilities, the Chinese military hacked into the computer system that serves the US Office of Secretary of Defense, forcing the Pentagon to disable the system (Agence France Presse, 2007, Sep. 3).
If that’s the bad news, the worse news is that America’s cyber-capabilities are not nearly as strong as they need to be (Cartwright, 2007), which, in a world knitted together by the World Wide Web, inevitably impacts America’s closest allies. An Estonia-style attack on the United States would wreak havoc on not only America’s military, financial, communications, and utilities infrastructure, but also on Canadian and other allied infrastructure. It pays to recall that there are no borders in cyberspace.
We don’t have to imagine the impact a massive power-grid failure would have. As an example of where the cyber-world overlaps with the real world, consider the chaos that followed the East Coast blackout in 2003. As the British Broadcasting Corporation (2003, Aug. 15) reported at the time, New York, Detroit, Ottawa, and Toronto went dark; there was looting in Ottawa; nine nuclear reactors were knocked offline; six major airports were shut down; hospitals and prisons lost power; cellular towers failed—and none of this was the result of a malicious attack.
One can understand why United States General James Cartwright, vice chairman of the Joint Chiefs, calls cyberspace “the nervous system of our country”—and why Washington is moving on several fronts to protect it:
- The United States is setting up a Cyberspace Command.
- The US Air Force is teaming with industry to develop cyber-weapons that “disrupt, deny, degrade or deceive an adversary’s information system” (Brewin, 2007, Oct. 24).
- The United States Department of Homeland Security is fielding what the International Herald Tribune cleverly calls an “information highway patrol,” including some 2,000 personnel (2007).
- The United States government, in partnership with Canada and other allies, has implemented at least two massive cyber-defense/cyber-response exercises under the codename “Cyber Storm.” Held in March 2008, Cyber Storm II included 40 private-sector firms, 18 American government agencies, nine US states, and five international partners—the United States, Canada, Australia, New Zealand, and the United Kingdom (US Department of Homeland Security, 2008).
To protect their overlapping pieces of cyberspace, the US, Canada and their closest allies must deepen cooperation in the cyber realm through regular exercises like this and self-standing frameworks. Toward that end, Estonia recently invited Canada to join NATO’s Cyber Defense Center (Estonian Embassy).
It is an irony befitting a Greek tragedy that one of the things that makes the West so powerful—our mastery of new technologies and our capacity to incorporate them into our political systems, economies, and armed forces—also makes us more vulnerable to a crippling attack in cyberspace.
“Cyberwar doesn’t make you bleed,” as Ene Ergma, the speaker of the Estonian parliament, told Wired (Davis, 2007, Aug. 21). “But it can destroy everything.”
That helps explain why General Cartwright (2007) argues that it’s time to “apply the principles of warfare to the cyber domain.” That means cyber-attacks must be deterred and, if necessary, answered in kind.
“The defense of the nation,” Cartwright grimly concludes, “is better served by capabilities enabling us to take the fight to our adversaries, when necessary to deter actions detrimental to our interests.”