StratCom the Cyber Warrior
A new Pentagon strategy released July 13 assigns the primary duty of cyber operations to U.S. Strategic Command, with secondary missions assumed by U.S. Cyber Command, based at the National Security Agency headquarters in Fort Meade, Maryland. This “Cyberspace Operations Strategy” is more ominous than might otherwise be suspected with Defense Secretary Leon Panetta’s revelation at a news conference in mid-July that the Pentagon now considers the commercial Internet to be “another operational theater of war”—and that StratCom and Cyber Command must be ready to take on more offensive roles in combating cyber assaults.
Scare tactics were in abundance at the July announcement with the Department of Defense disclosing that a foreign agency had collected more than 20,000 documents in a cyber-assault on a U.S. military contractor this past spring. This March 2011 attack was in fact of an altogether different degree than the previously-known assaults on Lockheed Martin and RSA Security Inc. Though Panetta revealed no details, most bloggers agreed the foreign agency in question was most likely China, and that the targeted contractor had been Northrop Grumman.
The Defense Department announcements came in the aftermath of two months’ worth of assaults on government databases that morphed into online war with anonymous groups of hackers—the two best-known going by the names of “LulzSec” and, aptly enough, “Anonymous.” LulzSec, in particular, had moved from humorous assaults on PBS news sites (where it had inserted fake stories about the rap musician Tupac Shakur) to an all-out attack on CIA databases.
The impact of these individual hacker attempts to disrupt the operations of government was the subject of a workshop on cyberwarfare at the “Global Network Against Weapons and Nuclear Power in Space” annual conference in North Andover, Massachusetts this past June. Regardless of the motives inspiring these intrusions (mischief, economic gain, espionage by foreign governments, or an anarchist assault against ‘Big Brother’), these hacker attacks invariably wind up serving the interest of entities like Cyber Command and the NSA. Each new attack makes the case for even greater government encroachment on our civil liberties. Every new intrusion builds the case for government waging offensive forms of cyber-warfare to pre-emptively defend our national security. And StratCom now serves as the command center for conducting this 21st-century brand of war.
The implications of this new cyber strategy for StratCom’s already multi-faceted role and mission are huge. In locations as diverse as Pakistan and Libya, the Pentagon is touting the turn to “means short of war” to strike adversaries of the U.S. These include drone strikes, cyber attacks and deadly ‘black ops’ (covert operations) by assault teams such as “SEAL Team 6”—the group that assassinated Osama bin Laden in Abbottabad. While these ‘near war’ methods are promoted as being less deadly than soldier-led ground assaults, they can lead to collateral damage that is just as extensive as aerial bombing and other means of stand-off war. Eventually, they can escalate to global means of assault with conventional weapons (the “Prompt Global Strike” mission also under StratCom’s wing). In fact, almost every method of ‘near-war’ assault—including the outbreak of cyberwarfare that captured headlines this past month—is managed from Omaha at StratCom headquarters.
The Stuxnet Worm
Sometimes, the damage caused by cyberwar is not evident until months after the online events. Earlier this year, a small news item suggested that Iran could face the danger of a meltdown at its Bushehr nuclear power plant. Such an accident would not be the result of poor construction or an ill-trained work crew. Instead, it was a perverse ‘fringe benefit’ of a program launched by Israel with the help of U.S. cyber-forces to cripple Iran’s nuclear capabilities with a computer worm—a rogue program similar to a virus. The “Stuxnet” worm was designed to interrupt the operation of centrifuges at the Natanz uranium enrichment plant, but now has been confirmed to have spread to other Iranian nuclear facilities, including Bushehr.
Given that a major nuclear accident carries the potential to kill dozens, if not hundreds, of Iranians, it is odd that some people think of Stuxnet as a preferable alternative to an Israeli military air assault on Iranian nuclear sites. But that’s the funny thing about military capabilities that are considered ‘defensive’ by U.S. forces. Time and again—with chemical weapons, with missile defense, and now with cyber-warfare—capabilities that are considered defensive and somewhat benign are used in very offensive ways. And the long-term end result may not be that much different than a full-frontal military assault.
Stuxnet was one of the first worms in history designed to attack embedded computers used in factories, instead of desktop and laptop computers used by consumers. In fact, its malicious payload was specific enough that it only caused harm when it encountered computers built by Siemens for industrial process control. Even when Siemens computers are present, Stuxnet only disrupts operations of certain kinds of pumps and motors that might be used in a uranium-enrichment plant. One analyst called this a “highly-targeted sniper type of computer attack.” So we shouldn’t expect much collateral damage, right?
It is all too common for military planners working on secret deniable assaults to minimize or ignore the danger of unintended consequences. In the case of Stuxnet’s authors (who are believed to be computer experts in Israel’s “Unit 8200” signals-intelligence agency), the focus on the design of the Iranian enrichment plant was so single-minded that programmers failed to consider how the worm might spread to other facilities with dangerous results.
While the primary impetus for the attack appears to have come from Israel, cables from “WikiLeaks” and internal Air Force sources suggest an important support role was played by the new Cyber Command. Since StratCom in Nebraska exercises indirect authority over Cyber Command as one of its ‘component commands,’ the development of this worm is unlikely to have taken place without the awareness—if not direction—of commanders in Omaha. A series of reports in the New York Times and Wired suggests that the Department of Energy’s Idaho National Laboratory (formerly known as INEL) also helped the team in identifying the architecture of the Siemens components used in the Iranian lab.
Waging war by computer has been an important part of U.S. doctrine since at least the early 1990s, when the disparate strategies waged in secret by the U.S. National Security Agency (NSA) were given a more public home at the Colorado organization then known as “U.S. Space Command.” For the 40 years prior to that time, NSA had been involved in highly secret efforts to disrupt the computers of foreign nations—the flip side of the public efforts to protect the computer networks of the U.S. Even after U.S. Strategic Command took over the role of cyber-warfare management from Space Command in 2002, NSA remained responsible for defining computer security for both the government’s own computers, and the larger computer networks used by private industry.
The efforts conducted in the 1990s by both Space Command and the NSA to secretly control the computer networks run by both allies and adversaries remain one of the most classified elements of U.S. cyber plans. Over the past two decades, rumors have circulated about everything from desktop computers to weapon systems being shipped to foreign nations embedded with computer chips containing rogue ‘Trojan Horse’ programs that would either make systems malfunction, report the operations of the system back to U.S. government officials, or otherwise implement secret actions that would work to the benefit of U.S. agencies. Often, however, computer ‘black operations’ were only called cyber-warfare if the computers adversely affected the operations of the military systems of adversary governments. For example, the U.S. reportedly disrupted the operations of Iraqi air-defense networks during the opening days of the “Shock and Awe” aerial assault on Iraq in March 2003—actions that clearly fit the definition of cyber-warfare.
StratCom gained control of computer attack-and-defense activities when U.S. Space Command was folded into StratCom at the end of 2002. Nevertheless, the NSA remained the agency of expertise in this relationship. The command authority exercised by StratCom (which had also acquired the mission of “Intelligence, Surveillance and Reconnaissance” in 2003) was useful to the U.S. government because it established a layer of deniability for the NSA—an agency so secretive during its 60 years of existence that its three-letter designation was said to stand for “Never Say Anything” or “No Such Agency.”
When the Secretary of Defense asked StratCom in 2009 to create a dedicated sub-command for computer warfare, it was no surprise that the resulting Cyber Command would be based at NSA headquarters, or that Cyber Command’s new chief would be Gen. Keith Alexander, director of the NSA. There are two reasons why StratCom’s relationship with NSA represents a unique opportunity for the Pentagon. First, the NSA is the intelligence agency with the closest ties to the military, going back to the NSA’s founding in 1952. Most of the agency’s secret electronic listening posts worldwide are staffed by uniformed military personnel, not civilians. Second, the NSA has been involved in various types of ‘dirty tricks’ throughout its history, ranging from ‘black bag jobs’ to steal codes at foreign embassies, to participation in the overthrow of governments in Australia in 1975 and Turkey in 1980. The StratCom-NSA link, realized through Cyber Command, thus becomes StratCom’s closest involvement to ‘plausibly deniable’ secret activities in the intelligence community (and most computer warfare falls under the label of deniable activity).
In theory, any computer attacks within U.S. borders that target consumers or commercial enterprises must be handled by the White House’s civilian cyber advisor. But the NSA and Cyber Command would like to change that. In a speech in Colorado Springs to the “Armed Forces Communications and Electronics Association” on February 9, Alexander said that, “I do not have the authority to stop an attack against Wall Street or industry, and that’s a gap I need to fix.” He said the NSA should be able to work on computer attack-and-defense strategies within U.S. borders involving consumers and industry.
Defense Is Offense
In his confirmation hearings for Cyber Command before Congress, Alexander said that the purpose of Cyber Command was not “about militarizing cyberspace, but about safeguarding military assets.” Reassuring as that sounds, many of the so-called ‘defensive’ structures created by StratCom’s component commands—allegedly to avoid all-out warfare—end up being just as aggressive in practice as a first-strike military assault. A book on this very subject has just been published. Inventing Collateral Damage: Civilian Casualties, War and Empire by Stephen Rockel and Rick Halperin argues that most ‘near-war’ methods are as hazardous as the means they replace.
This is nothing new for the U.S. military. For decades, its research efforts in chemical and biological warfare were deemed to be entirely defensive in nature, until critics pointed out that the very talents required to create an effective defense against a WMD attack would be the talents that could be used to fine-tune first-strike chemical and biological weapons. The same could be said for StratCom’s oversight of the new WMD center, of its ballistic missile defense, of its drone warfare program, or of cyber war. What is claimed as a tool to defend the nation is used in practice to wage war.
In commenting on the recent cyber incursions, former StratCom Commander and current Vice Chair of the Joint Chiefs of Staff General James Cartwright bluntly stated that the U.S., in terms of its cyber-readiness, is “on a path that is too predictable—it’s purely defensive, there’s no penalty for attacking right now.” He said the Pentagon must focus on offense, including the possibility of responding to a cyber attack with military action.
Northrop Grumman’s top vice president for missile defense, Russell Anarde, a former director of plans at Air Force Space Command, echoed this all-too-common Pentagon thinking in a January 2011 media interview, when he said that “offense and defense sometimes go together.” That is certainly true in the area of Anarde’s expertise, missile defense. The weapon systems under StratCom’s oversight are touted to be missiles that are only used to defend against other missiles. Yet the sea-based missile-defense systems used by both the Bush/Cheney and Obama Administrations are carried on Aegis cruisers that sail directly into the territorial waters of nations such as North Korea and China. They are routinely used in ways to provoke international incidents, even while StratCom calls such weapons defensive.
The U.S.’s expanded drone operations in Afghanistan, Pakistan and Yemen have taken this ‘defense is offense’ strategy to an insidious new level. Armed drones, under the nominal control of StratCom alongside the CIA, allow the U.S. to minimize the use of troops and Air Force bombing operations that rely on human pilots. Some analysts assert that heavy use of drones leads to fewer civilian deaths than might be encountered with widespread, indiscriminate use of aerial bombing (though drone attacks still account for hundreds of civilian deaths per year). Yet when drones are used to target specific individuals (as they are routinely now), their alleged pinpoint accuracy raises a host of legal and ethical problems.
In a recent lawsuit, the ACLU charges that using drones to target individuals essentially performs the same functions that the outlawed CIA efforts to assassinate foreign leaders did in decades past. Drones certainly offer a sterilized way to take out small groups of troublemakers, often without risking any U.S. lives. The advantage they offer in warfare, however—flying undetected two miles above the ground, able to ‘kill without warning’—makes them susceptible to over-use and abuse. For instance, the Obama Administration has vastly expanded its drone warfare, to the point that targets who cannot even be identified by name are attacked based on what the Pentagon euphemistically calls ‘pattern of life’ behavior that looks suspicious.
Virtual Warfare; Realtime Casualties
The nominal success seen in the Stuxnet assault on Iran is likely to place cyber warfare in the same category. If the U.S. can bring down a communications network, an electrical grid, or a specific vertical industry in a foreign nation by using computer warfare, isn’t this better than a broad military assault? Yes and no. As with drone warfare, the apparently painless success of using computer attacks can make it easy to abuse such a technological advantage—producing unintended consequences. As the expansion of Stuxnet from Natanz to Bushehr shows, we should never assume a computer assault to be free of victims. During the period of the late 1990s and early 2000s, when the Clinton and Bush/Cheney Administrations were using widespread sanctions against Saddam Hussein’s government, critics of the sanctions pointed to the deaths of the very young, very elderly and infirm. Clinton’s Secretary of State Madeleine Albright notoriously called such deaths the price one needed to pay for waging a sanctions effort short of warfare.
To date though, has anyone in the State Department or StratCom actually tried to calculate the collateral damage that would result from bringing down a utility network in a targeted nation by an offensive computer attack? If a Cyber Command assault were to bring down a grid and black out hospitals, schools, law enforcement and transportation services, how many people would suffer? And who would we hold accountable for such a devastating computer attack? Some nameless spooks at the NSA? StratCom’s insulated command structure?
A small scandal erupted this past February when the Associated Press reported that CIA officers who chose the wrong targets for extraordinary rendition were not fired, but instead were promoted inside the agency. This lack of accountability for deniable activities in the intelligence community is precisely what is worrisome about Cyber Command. If the Stuxnet worm spreads to any Iranian factory or energy plant with a Siemens computer, will programmers in Israel and the U.S. be penalized or promoted? Obviously, the efforts by Iran to gain nuclear power capabilities may well be hiding a real nuclear weapons effort. A Stuxnet success does indeed keep hostilities at a lower level than an Israeli Air Force assault on Natanz would.
But StratCom’s management of military efforts ‘short of war’—Missile Defense, drone attacks, and cyber war—should never be seen as victimless. The consequences of relying on such slow-motion covert war alternatives can end up being just as deadly, particularly if the quiet successes they experience permit military leaders to rely on these silent (and faceless) warfare methods too often.
The anonymity… The lack of accountability… These are also the very traits that—by definition—make cyber-hackers of all stripes so problematic. Operating in the shadows as they do, it’s almost impossible to know who or what you’re dealing with. One government’s ‘terrorist’ hacker could be another government’s ‘freedom fighter.’ Certainly, activists who participated in the ‘distributed denial of service’ computer attacks against the Iranian government to protest the crackdown on dissent might be seen as merely going one step farther than those who provided Twitter or Facebook help to anti-government protesters. The same can be said for U.S.-based activists who helped protesters in Egypt, Syria, Bahrain and other nations defeat efforts by their governments to initiate ‘kill switches’ on Internet services.
But in early June, front-page reports in the New York Times revealed that Cyber Command was financing efforts in other nations to defeat governments’ kill-switch technologies and keep pirate Internet services open, even as the U.S. government was working on its own kill-switch technology for use within the U.S.—a perfect example of ‘the Cyber Command giveth, and the Cyber Command taketh away.’ All of which raises the question of whether U.S. citizens involved in helping protesters in developing nations create Internet ‘route-arounds’ are unwittingly doing the bidding of Cyber Command?
The ethical issues become even more profound when private citizens engage in outright computer assault. Many alleged assaults on U.S. and NATO computers from the Jemin computer center in China have been shown to come from private hackers in China who are very nationalist and want China to adopt a much more aggressive policy against the U.S. Similarly, many of the hacker wars of early summer involved groups of different persuasions who claimed they were ‘helping’ U.S. interests or attacking unfair U.S. practices. Imagine how black ops within Cyber Command could exploit these battles in the mists of cyberspace. In fact, Cyber Command may have played a significant role in the online battles between LulzSec and Anonymous.
With the advent of space- and cyber-warfare, the face of warfighting has altered forever. The Pentagon and the State Department project force nowadays in ways far beyond deploying ground troops in Afghanistan, menacing the world with nuclear weapons of mass destruction and deploying a Missile Offense system in Europe and Asia. Even as you read this, StratCom’s spy satellites are tracking potential targets for assassination and simulating (and maybe conducting) cyber attacks on prospective enemies—all in the name of “Providing Global Security for America” and preserving our status as the world’s military superpower.
A whole host of strategic, legal and ethical questions about what StratCom is now doing urgently need to be addressed:
- Constitutional questions over executive branch authority in launching an offensive cyber attack...
- Legal questions over the cyber encroachment on our civil liberties and privacy rights...
- Questions of international law over preemptive cyber attacks or ‘killing without warning’—be it a drone strike on an unsuspecting target or a hospitalized child on a respirator when a cyber assault takes down the grid… and
- Strategic questions over the unintended consequences resulting from the methods of ‘near-war’…
All of which have yet to be discussed in public.
A dangerous new era in the history of warfare is now unfolding all around us. And it’s got an Omaha, Nebraska electronic signature.