In late May 2009, President Barack Obama announced the creation of a new post in his administration, one focused on cyber security and the protection of America's digital assets. The "cyber czar" position, as it is now known, is expected to have a broad mandate, with a number of national security agencies reporting to the czar and ensuring that the United States is kept safe from cyber attacks, cyber terrorism, and cyber war. Indeed, the development of the position is just one of several steps that the United States and governments around the world are taking to protect themselves from digital threats.
Such threats are numerous, and include individual hackers simply interested in exploring corporate security apparatuses, to entire government divisions trying to find useful information about enemies and unfriendly governments. While the threat of cyber war is certainly real, the question on everyone's minds is whether it is as big a threat as described by the media, military, and some scientists. Furthermore, the question of how best to deal with such a threat is still an open one.
Like the definition of "war" itself, the term "cyber war" is complex, convoluted, and comes with numerous different connotations. The most basic definition is that cyber war simply entails waging war through digital, technological means. As with war itself, this includes disabling infrastructure, collecting intelligence, as well as distributing propaganda.
While the seriousness of the threat is debatable, there is no doubt that cyber war is real and has already been experienced in the past. The United States has publicly confirmed a number of cases of attempted or successful cyber espionage, where hackers have accessed sensitive information on government computers. In 1999, the FBI released information on an inquiry called "Moonlight Maze", where Russian hackers were suspected of infiltrating numerous Department of Defense computers for over a year. Another attack, this time blamed on Chinese hackers, occurred in late 2003 and 2004, and was code named "Titan Rain".
Two concerning elements are in common in both of these cases. First, both groups of hackers were able to obtain sensitive information from US government computers. Secondly, neither group was ever actually tracked down, prosecuted, or even confirmed to be either Russian or Chinese. Therein lies one of the biggest challenges of cyber war: actually knowing your enemy. Using complex routing systems and compromised computers in remote parts of the world, hackers can often hide their tracks or pretend to be someone else. With software products like Pretty Good Privacy (PGP) or TOR, even average home users are able to anonymize their browsing patterns and make it extremely difficult for law enforcement agencies to track them down. Even Google is beginning to offer privacy-enhanced services to its users.
Such anonymity can lead to a great deal of confusion. During the war in Kosovo, when the Chinese Embassy in Belgrade was accidentally bombed by NATO warplanes, a slew of hackers began to target American websites. While they were initially labelled as Chinese hackers, it was later discovered that most of the attacks originated from the United States itself and were simply routed through Chinese computers.
Cases of cyber espionage, infiltration, and intelligence collection abound, and one of the biggest projects was uncovered in March 2009 by researchers at the University of Toronto. Nicknamed "GhostNet", the project infected high value political computers in 103 countries. Targets included computers in embassies and other government offices, and hackers were able to send forged communications, as well as intercept e-mails, calendar entries, and other private data. Indeed, the hackers would be able to control the computers remotely, thus allowing them to infect new computers and also use them as proxies for other attacks, if they were so willing. As in earlier cases, evidence points to Chinese hackers as the source of these attacks, but a direct connection with the Chinese government has not been found.
It is possible that many of the attacks listed above were organized by non-governmental groups, since the collection and resale of intelligence and sensitive information (e.g. stolen credit card numbers or top secret government information) is a lucrative business. What is most concerning is how easy it is to learn how to break into computers and website accounts. For example, submitting "stealing cookies" or "SQL injection attack" to a search engine will provide a web user with information on how to steal login information from websites or deface them using web forms.
Such tutorials are viable entry points into hacking for cyber protesters, propagandists, and those with more nefarious purposes. Indeed, SQL injection attacks were used by Turkish hackers to deface the United Nations website in protest against the Israeli government, and there is evidence that similar attacks have been used to infiltrate and deface government and military websites in the US.
Cases of cyber esponiage and intelligence collection abound, but the real question is whether a diligent group of hackers can actually bring down physical infrastructure, such as the electrical grid, traffic, or hospital systems. Fortunately, outside of Hollywood movies, cyber attacks on physical infrastructure have been absent from the arsenals of cyber warriors, though such attacks are possible. In 2007, researchers at IBM's Internet Security Systems were able to demonstrate - within a week-long period - how they could break through the security of a nuclear power plant and gain control of the reactor software. While it may still be impossible to cause a nuclear meltdown, simply shutting such reactors off could cause a great deal of distress.
The closest that real-world attacks have gotten to such a Hollywood-style scenario of disabled electrical grids and non-functioning hospital systems was by disabling electronic banking services and bringing down governmental and news media websites in Estonia, in 2007. The attacks, also blamed on Russian hackers, were attributed to the relocation of the Bronze Soldier of Talinn, a Soviet-era statue. Similar attacks also took place against Georgian websites during the South Ossetia War in 2008, and were blamed on Russian nationalists.
While bringing down or vandalizing websites is inconvenient, it is unlikely to lead to government instability or civilian casualties. Many "worst case" scenarios have been explored, as was the case with IBM's exploration of nuclear reactor security, but there is little evidence to show that hackers could gain control of nuclear reactors or shut off entire electric grids.
The biggest challenge with cyber war, however, is that it is often a race against time. Software contains numerous bugs and security holes, and hackers often depend on these to infiltrate computer systems. Rather than waging war against political targets, however, stealing financial information or using computers to send unsolicited e-mails is often the action of choice among such groups.
That being said, one cannot ignore the threat of cyber war, and it is important that governments be clear and transparent with the decisions they make to secure their digital infrastructure. One of the biggest criticisms with current responses to cyber threats is that government agencies are often unsure of their jurisdictions, the legality of potential responses, or even what tools they can use to protect themselves. This exacerbates even seemingly straight forward problems: there is evidence that electronic voting machines are extremely insecure; numerous governmental websites are infected with viruses using relatively simple hacking techniques; and cases of lost personal data on hard drives, laptops, and USB keys abound. These risks leave individual citizens open to abuse as well, be it from a foreign military power, or an opportunistic programmer.
What is different about a shift from conventional wars to that of cyber wars is the power that non-state, nongovernmental actors gain by virtue of their technical expertise. Today, a technically savvy individual in any part of the world can decide to commit crimes against a foreign government's website or citizens. As an illustrative example, take the case of Gary McKinnon. McKinnon is a UK citizen fighting extradition to the US after hacking into the servers of NASA, the Department of Defense, the US Air Force, and other institutions. His motivation for the attacks was his interest in finding information on UFOs, antigravity, and related technologies.
Just as the Internet has made it easier for individuals to share information and promote their causes, so it has also increased the risk of abuse by hackers, governments, and military organizations. It is important, however, to be realistic - yes, many evil things can be done with such a technology, but one should not lose sight of all the good. With proper government policy and collaboration, the latter will be much more likely.
Wojciech Gryc is a Canadian peace activist studying in Britain as a Rhodes scholar.