In a commentary piece for InformationWeek, Mathew J. Schwartz examines just what cyber warfare means. He writes that military agencies worldwide are right in the middle of figuring out the tactics and capabilities that will be critical in any future cyber war. So far, any conflicts are playing out behind the scenes, with only the rare accusation or public request for technology giving a glimpse into what offensive attacks between countries might look like.
Even what counts as “cyber warfare” remains an open question. Many cite as the first-known example of such operations the distributed denial-of-service (DDoS) takedowns and hijacking of government and business websites in the country of Georgia in 2008, at the same time as Russian military operations on the ground.
But there’s scant proof that the Russian government launched or sponsored online attacks against Georgia, according to many security experts, including Robert David Graham, CEO of Errata Security. “There’s no evidence the cyber attacks were by the Russian government, or that they were anything more than normal ‘citizen hacktivism,’” he said in a blog post. It’s notable that this supposed first-ever cyber war served no clear military purpose. Attackers compromised informational government websites, not critical infrastructure systems or military networks.
To be fair, even the would-be practitioners of cyber warfare—namely, the U.S. military—are themselves soliciting input on what offensive computer system attacks might look like, either on their own or in conjunction with physical operations and kinetic attacks.
Last year, for example, the Defense Advanced Research Projects Agency issued a call to tech vendors for “cyberspace warfare operations” capabilities, as part of what Darpa dubs Plan X. Darpa seeks a broad range of capabilities, from a scripted counterresponse to a cyber attack to IT infrastructure that could be hardened to withstand attacks.
Similarly, the Air Force Life Cycle Management Center last year called on contractors to submit concept papers for “cyberspace warfare operations” capabilities, including “cyberspace warfare attack” and “cyberspace warfare support.”
Capabilities on the Air Force wish list include “employing unique characteristics resulting in the adversary entering conflicts in a degraded state.” In other words, why blow up an enemy’s tank if you can instead somehow infect and kill the tank’s electrical system?
Who else is bolstering their cyber war capabilities? Iran is a strong candidate, and in April 2012, the VP of the American Foreign Policy Council, Ilan Berman, told a U.S. House committee that Iran has been boosting its cyber warfare resources in the wake of online attacks against the country. The attacks include Stuxnet, malware blamed in 2010 for trying to attack power plant infrastructure. U.S. officials have accused the Iranian government of sponsoring DDoS attacks against U.S. banks. China has reportedly mobilized its own cyber army, and Russia last year launched a recruitment drive to find the country’s best hacking minds, seeking people versed in “methods and means of bypassing antivirus software, firewalls, as well as in security tools of operating systems,” the newspaper Pravda reported.
But while governments don’t face the same legal problems that companies do when considering offensive attacks, they do face the same major intelligence challenge: accurately tracing an attack’s true origin, a process known as attribution. While small-time cybercriminals may leave tracks, government-backed professionals will go to great lengths to hide what they’re doing—or perhaps, pin blame on another enemy.