Media reports claim that the US is secretly claiming the right to launch pre-emptive cyberattacks in "credible threat" scenarios, in the wake of the attacks on US media outlets. But how credible are those threats?
The damage done by cyberattacks is not always immediately apparent, even after they have been carried out. Many were surprised when the New York Times, the Wall Street Journal and the Washington Post announced recently that they had been hit for over four months by cyberattacks, in part coming from China. Perhaps more alarmingly, the US Department of Homeland Security said that one power station had been knocked out for weeks by a cyberattack, though it declined to say which.
The US has of course launched a number of digital onslaughts of its own, most notably on Iran's nuclear enrichment facilities. And that attack was not risk-free, as the so-called Stuxnet virus injected into Iranian systems ended up being leaked onto the Internet and copied millions of times.
A number of security firms and analysts have warned that cyber warfare will escalate in 2013, with some warning that it could be only a matter of time before a cyberweapon takes lives like any other weapon would. "Nation-state attackers will target critical infrastructure networks such as power grids at unprecedented scale in 2013," predicted Chiranjeev Bordoloi, CEO of US security company Top Patch, speaking to CNN. "These types of attacks could grow more sophisticated, and the slippery slope could lead to the loss of human life."
"A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11," Defense Secretary Leon Panetta said last October. "Such a destructive cyber terrorist attack could paralyze the nation."
That view appeared to be confirmed by a report in the New York Times on Sunday (03.02.2013), which indicated that the arsenal of cyber weapons now at the disposal of the US and other nation-states is larger than most suspect. "There are levels of cyberwarfare that are far more aggressive than anything that has been used or recommended to be done," one official told the paper on condition of anonymity.
Defining rules of cyber engagement
That begs many questions - such as: who is able to order such attacks, and under what circumstances? According to the officials quoted in the New York Times, the answer to the first question is pretty clear - only the president. "There are very, very few instances in cyberoperations in which the decision will be made at a level below the president," the official said, and "automatic retaliation" for a cyberattack on the US has also been ruled out.
But the answer to the second question - the definition of when an attack may be carried out - remains deliberately vague. Panetta drew an ambiguous red line - once again invoking a "cyber 9/11" - but a secret legal review seen by the New York Times suggests that President Barack Obama has the power to order a pre-emptive strike, if the US has credible evidence of an imminent digital attack.
"It's not a surprise that the US wants to claim these powers," said Dave Clemente, research associate at the British Chatham House think tank. "However all the government sources cited so far have been anonymous, so it's difficult to know exactly why everyone's decided to speak of it at this moment. It's possible that it could be a well-timed leak to coincide with recent stories about hacking in the New York Times and the Washington Post and elsewhere, as an argument for more government action in this space."
It is all part of a decade-long effort to define the rules of engagement in a war where the weapons seem to be developing so rapidly that few even know what they can do. The Pentagon, along with many western defense ministries and departments, have created new cyber warfare divisions in recent years, and while defense cuts remain de rigueur, this is one military budget that is likely to expand.
But not every security analyst is convinced that cyberattacks present the apocalyptic dangers suggested by the US government. "I think it's been exaggerated," said Clemente. "We've not had very many examples to work from, in terms of what a very bad scenario might look like. It's all hypothetical. And the US government has chosen to release very, very little evidence to support these strong statements."
"There is more risk out there, but we don't understand it very well," he added. "These government announcements or anonymous leaks do follow a fairly well-established pattern of talking up various kinds of threats. And this isn't unique to cyberspace - we've seen this on and off over the course of the last 12 years. They don't mention the name of this power plant [that was supposedly attacked] or its location or anything more than 'this happened.' We're expected to take that at face value, and that's increasingly hard to do."
Nor is it at all clear that a successful cyberattack on the power grid, would have the devastating effect suggested by Panetta and others. As Clemente points out, there have been massive accidental power outages before, as in 2003, when almost 50 million people were without electricity for 48 hours. "And it wasn't a 9/11," he said. "There wasn't anarchy, there weren't riots or massive crime waves. People behaved quite sensibly. These are useful examples to look to when we talk about apocalyptic scenarios."
"A lot of things are possible - for example, switching off the power of a whole country - that is possible," Sandro Gaycken, computer science researcher at the Free University of Berlin and author of a 2012 book on Cyberwar, told DW. "But the question is whether someone would actually do it, because it's extremely time-consuming and costly and risky. So it's not really clear who would do that and with what motivation."
Not that there are no increasing threats. "Attacks on financial markets, manipulating them to earn money, which are hardly talked about much, are already taking on virulent features," said Gaycken. "Also chemical attacks, gas explosions - it depends a lot on the technologies. Causing airplane crashes would also be relatively easy. Airplanes nowadays are all quite dependent on networks through basis stations, and they have very different security standards, and constantly communicate their data. And once you're in there, and you know your way around, it's relatively easy to bring systems down."
Clemente points out that the precedent set by the Stuxnet virus against Iran, which was released onto the Internet, was potentially dangerous. "Of course it gives people ideas - they can dissect it and figure out how it worked and use similar things elsewhere," he said. "But also I think it shows this contradiction between US advocacy of Internet freedom and transparency, and this use of what can be called a cyberweapon. And it will look very hypocritical."