Mutually assured destruction in cyberspace
By Victor Mallet
Published: August 20 2008
The Financial Times
The crisis in Georgia has not only stoked fears of a belligerent Russia. It has also served as a reminder that a new style of warfare – potentially as devastating as those that terrified previous generations – is almost upon us: cyberwar.
Before Russia invaded Georgia, co-ordinated attacks were launched against Georgian government websites, leaving internet servers overloaded and disabled.
This was not the first or the most damaging attack in cyberspace on a sovereign nation by agents suspected of working for another, although it is believed to be the first to coincide with an actual war. Russia was also blamed for a 2007 cyber-assault on Estonia, which asked Nato for help.
However, neither Russian computer interference with its neighbours nor Georgian retaliation should overshadow the greater danger to peace posed by a possible cyberwar pitting China against the west.
As early as 2003, China tested the vulnerability of US military computer networks in a sophisticated operation called "Titan Rain" by the US. In 2007, China hacked into a Pentagon network serving the office of Robert Gates, defence secretary.
China has also launched probing and/or espionage attacks on the UK, Germany, France and Taiwan. "America's vulnerability to cyber-attacks is a critical threat to national security," wrote John Tkacik, senior research fellow at the Asian Studies Center of the Heritage Foundation, in a report this year on the Chinese cyber-threat.
Even allowing for the conservative bent of the Heritage Foundation and possible exaggeration of the China menace, the list of security breaches in Mr Tkacik's paper makes worrying reading for US policymakers. This is particularly so because the US and China have the two biggest populations of internet users – China, with 220m, says it has overtaken the US – and because the US and China will be each other's biggest strategic rival in the future.
Aside from the inflammatory propaganda wars waged by millions of internet users in all international conflicts, the threat to peace from US-China rivalry in cyberspace is significant for two reasons.
First, the US expects to maintain overwhelming military dominance in the Pacific and around the world for at least a generation, but only because of its technological lead and its ability to "see" and control the battlefield electronically from space and from the air. China's recently proved ability to shoot down satellites in orbit and its fast-growing information technology skills erode the US advantage, giving Beijing the chance to wage "asymmetric" warfare using relatively cheap IT capabilities.
Second, planners assume that future wars will involve cyber-attacks to cripple the enemy's entire society by disabling electricity, communications and banking networks.
As luck would have it, Georgia is one of the world's least internet-dependent countries, and the result of this latest cyber-attack was inconvenience not power cuts or financial chaos. That would not necessarily be the case with either China or the US, although opinions are divided about the vulnerability of modern economies to cyberwar.
"I think that the US and China have an ability to shut down each other's societies on the internet today," the far from hawkish Bill Owens, a former vice-chairman of the US joint chiefs of staff who has sought to improve US-China military ties, told the Asia Society in Hong Kong in June. "Cyber-attack by a nation is very different from cyber-attack by a hacker."
The US is now scrambling to counter the cyberwar threat. Admiral Owens, now Asia chief executive of private equity group AEA, is co-chairing a US study into the technological, policymaking, legal and ethical implications of cyber-warfare.
Michael Chertoff, US homeland security secretary, has outlined plans for a "Manhattan project" for IT security involving the sharing of information between government and the private sector. A big and successful attack online, he said, "would have cascading effects across the country and across the world".
It is tempting to dismiss such words as scaremongering. One needs only to recall the false alarm over the supposedly chaos-inducing Y2K bug at the turn of the century, or to point to the immediate physical dangers of nuclear, biological and chemical warfare and the old-fashioned bombs dropped on Georgia.
But the dangers of cyberwar are real, and are made greater by the almost total absence of national policy guidelines or relevant international laws and treaties. There is no agreement, for example, on whether a cyber-attack counts as an act of war, and not even enough experience to know whether a massive attack by one country on another could backfire – for example, by crippling the attacking country itself or one of its allies in another part of the world.
So great are the risks that the nuclear doctrine of mutually assured destruction is already being mentioned as a template for an international understanding, prompting Admiral Owens to recommend an agreement on "no first use of cyber-attack". Such a deal would doubtless take many years of negotiations, but Georgia and Estonia – and doubtless other cyber-conflicts to come – will show it is worth doing.
Copyright The Financial Times Limited 2008