Opinion

WAR.COM

It’s a scenario so far-fetched, it sounds like something out of “South Park”: Somewhere in the heart of North Korea, an elite unit of computer geeks hacks into the Pentagon’s computer network, stealing the US military’s most prized secrets.

Attacks against government and commercial Web sites that started over the Fourth of July weekend have revived fears that rogue states, like North Korea, could be beating the United States in a cyber warfare arms race. So serious is the threat that the White House recently announced the creation of a “cyber security czar” position that will help coordinate policy, and Defense Secretary Robert Gates last month ordered the establishment of a new military command, called US Cyber Command, placing the issue on a par with conventional warfare.

What this means for actual cyber capabilities is still unclear and no one is sure precisely what the military’s role in cyber warfare should be. In a memo ordering the creation of the new command, Secretary Gates gave planners until September to submit a blueprint. It’s a daunting task: The Air Force in 2006 stood up its own Cyber Command, only to suspend work two years later amid criticism.

Without any sort of doctrine, it’s unclear what precisely the new command will do. Undoubtedly, it will look for ways to protect computer systems against cyber attacks, and probe for possible weaknesses. But will it also develop and employ its own arsenal of offensive cyber weapons, employing hacker warriors who develop malicious worms and viruses? Mark Lewis, who served as the Air Force chief scientist when the Air Force Cyber Command was set up, said that these were the sorts of questions he encountered. How and when would cyber weapons be used? What would be the rules of engagement? “I also wonder about the responsibility that the military would be assuming with cyber weapons,” he said. “Defending civilian infrastructure against conventional attack is clearly a military mission; but is defending civilian networks also a military mission?”

One task for Cyber Command might be finding ways to trace cyber attacks to their point of origin. Major Steve Sin, a US Army officer, warned that North Korea appears to have developed an elite cyber attack unit dedicated to looking for US vulnerabilities. “Located in the heart of Northeast Asia, the proving ground for cyber-warfare (CW), computer networks of the United States Forces Korea are ripe targets for the region’s CW organizations,” he wrote.

But some experts who study cyber warfare are not sure North Korea, a country that can’t feed its own population, is such a threat. “My only issue with this report is that his sources are third and fourth parties, and conjectures in the press,” says Jeffrey Carr, a cyber intelligence expert and the principal investigator for Project Grey Goose, an investigation into the 2008 Russian cyber attacks on Georgia. “I’m not sure anybody knows whether North Korea has a strong capability or not.”

Most reports linking the attacks to North Korea cite South Korea’s intelligence service, which has its own motivations for pointing the finger at its neighbor. Unless South Korea has digital forensic evidence that it’s willing to share, it’s hard to believe there’s firm proof that North Korea was behind the recent attacks, says Christopher Bronk, a fellow at Rice University’s James A. Baker III Institute for Public Policy. “How do you tell a North Korean attack from a billion other PCs?” Bronk asks. “Thanks to strong export controls, there are not a lot of PCs that get into the North, nor is there a strong Internet connection.”

Even if North Korea was not behind the more recent attacks, it’s clear that other countries — particularly China and Russia — do have sophisticated hacker communities that pose a real threat. Even when the computers can be traced back to these countries — as they often are — cyber sleuths have no way of knowing who gave the orders. That “whodunit” could someday be incredibly important to Cyber Command, because if the United States did want to retaliate against a cyber aggressor, it would need to know whom to target.

“What’s the rule of evidence when it comes to Cyber attack?” Project Grey Goose’s Carr asks. “It cannot be what we normally apply in American courts because you’re not going to find a public post in a Russian hacker forum written by the president of Russia: ‘Go forth and attack American or Georgian Web sites.’ It’s never going to happen.”

Of course, the basic function of the Cyber Command will remain protecting military computers. While many associate cyber security threats with young men living in their mothers’ basements, there is a multitude of ways — some quite speculative — that computer systems can be hacked, compromised, or destroyed, including:

Denial of Service

Often regarded by security experts as the lowest level of attack, a denial of service usually involves saturating a network with multiple requests, overloading Web sites and blocking access to them for everyone else. Such attacks are sometimes regarded as mostly an annoyance, often carried out for propaganda purposes. In 2007, attacks on a number of government and business Web sites in Estonia were traced to Russia. Similar attacks were launched against Georgia in 2008. While the Estonia attacks were heralded by many as the world’s first country-on-country cyber war (as opposed to attacks by lone hackers), controversy still rages over the scope and importance of the attacks, and whether they were officially sanctioned by Russian authorities.

Infiltration (Trojan Horses, Viruses, and Worms)

A more pernicious threat than denial of service, many attacks involve inserting a malicious program into a computer network. The most infamous example, the 2004 Mydoom computer virus, infected computers worldwide. Such programs, often self-replicating, can take over computers, creating “zombie computers” controlled by hackers. While often associated with commercial fraud, such as spamming, there is increasing concern that such attacks could be used against military networks, compromising sensitive data.

Hackers in China have targeted the Pentagon’s systems a number of times, even stealing design secrets for the new stealth fighter. As in other cases, linking such attacks to a government cyber warfare effort is difficult, but experts say that Chinese “hacker unions” have links to the People’s Liberation Army. “When the Chinese break into something and have a clear motive, and they said they have legions of people being trained up to do that, and exercising, trying, pushing and prodding, there’s no reason to think there’s any other explanation needed,” says Bill Woodcock, research director of the non-profit institute Packet Clearing House.

E-Bomb

While not exactly at the top of most security experts’ watch list, a weapon designed to release an electromagnetic pulse has the potential to be more devastating for cyber security than any hacker. This electronics-frying energy pulse is usually associated with nuclear weapons, but it can also be produced by weapons specifically designed to create such an effect. During the Cold War, the Defense Department hardened much of its military electronics against electromagnetic pulse, but civilian infrastructure was often left vulnerable.

This potential for a digital Pearl Harbor has long been a bogeyman for the Pentagon, as well as a favorite of Hollywood: In “GoldenEye,” Agent 007 must thwart a potential space-based electromagnetic pulse weapon; and in Steven Spielberg’s 2005 remake of “War of the Worlds,” the crafty aliens crippled Earth with an electromagnetic pulse, leaving meager Earthlings in the dark and more vulnerable to attack.

In recent years, policymakers have warned that countries like North Korea or China could develop weapons specifically designed to create an electromagnetic pulse, which would destroy electronic equipment, including computers. These concerns even prompted Congress to establish a commission to look into this potential doomsday threat.

Hack the Grid

Could an attack on the electricity grid leave entire cities in the dark? It’s not inconceivable, say experts, who point to an Australian man convicted in 2001 of hacking into a municipal computer system and releasing raw sewage into local waterways. That case sparked renewed concerns that the US electricity grid, which relies on antiquated software, is particularly vulnerable to hacking.

Theoretically, an attack could disrupt the power supply or, more troubling, hackers could take control of the grid, leaving entire cities in the dark. Not only is such an attack feasible; there are also warnings that some hackers have already made attempts to probe weaknesses in the grid. A well-executed cyber attack could be worse than the massive blackouts of 2003, warned Joseph McClelland, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. And not just civilian infrastructure could be at risk; military bases in the United States that rely on steady power could also be affected. “Damage from cyber attacks could be enormous,” he told the Senate in testimony earlier this year. “All of the electric system is potentially subject to cyber attack, including power plants, substations, transmission lines, and local distribution lines.”

Airborne Electronic Attack

Cyber attacks are usually associated with people sitting on the ground at computer terminals, but there are reports that the US Air Force, and possibly others, has explored ways of taking down an enemy’s computer system from the air. The United States reportedly used cruise missiles in the first Gulf War to spread carbon filaments to short-circuit power lines in Iraq. But even more exotic weapons may be under development. The Air Force has reportedly developed a program that could be used to take over an adversary’s computer network. The program, called Suter, involves using surveillance aircraft to monitor and then hack into a network. It could be used, for example, to shoot a data stream and take control of another country’s air defense system. “You want to be able to go in and see what the enemy’s sensors see,” says Aviation Week & Space Technology reporter David A. Fulghum, who has written about the Air Force’s secretive work in this area.

Since much of this work is classified, it’s hard to say when and where it’s been used, or if the capabilities are really that sophisticated. Conflicting reports, for example, suggested that Israel may have used such technology to hack into Syria’s air defense system as part of its 2007 attack. But at least in theory, such an airborne attack on an enemy’s military network offers an enormous advantage. “If you want to turn all the radar antenna and point them in opposite directions, you can slip your aircraft through the hole in coverage,” Fulghum says. “Maybe they don’t even notice they’ve lost control of it.”

Attack the Nerve Center

Who needs exotic bombs when Stone Age tools could do the job? One easy way to attack computer networks is to physically destroy them, or cut off key connections. There’s no need for death beams, or even a desktop computer, when a sledgehammer might do. A Congressional Research Service report warns of such physical attacks. It cites 9/11 as one example, noting the attacks “destroyed many important computer databases and disrupted civilian and military financial and communications systems that were linked globally.”

Short of a 9/11 scenario, this may not be the most serious form of attack, since physical infrastructure can be repaired and replaced, but it is nonetheless a threat, and perhaps a more realistic one than a massive E-bomb. “I don’t see too much concern over those doomsday weapons,” says cyber security expert Carr, who points to a recent case in California, when someone took an axe to a fiber optic cable. “You know, more likely is a low-tech attack,” he says. “That’s much more likely to occur.”

Sharon Weinberger writes about national security and technology for Wired’s Danger Room blog.