Alexander Klimburg’s book The Darkening Web offers a comprehensive overview of the attempts by nations to gain advantage and control on the unseen fields of cyber engagement. He starts with a technical review of the architecture of the internet, and then he proceeds to the legal conventions that apply to modern warfare. Next, he discusses the strategic problems attached to an imbalance of offensive approaches over defensive ones, and then he moves on to the great conflicts going on today.
The opening sentence of the book lets readers know, in five words, what they’re in for. Klimburg warns, “Everything is ambiguous in cyberspace.” The engagements are covert, and the reporting is fragmentary or deeply classified. The rules of engagement aren’t yet written, so it’s unclear how or whether the international conventions of warfare apply. There are no banned weapons, which means there are no limits on the research in cyber weapons.
Klimburg details the “powerful tensions in U.S. cyber: between the offensive and the defensive missions in cyberspace, on the one hand, and the logical (that is, code) and the psychological aspects of cyber conflicts, on the other.” Information warfare differs from cyberwarfare. The former might use misinformation to inflict psychological damage while the latter could plant or launch malware to shut down infrastructure or banking systems.
THE 36-YEAR WAR
Klimburg dates the first cyberattack to 1981-1982 with a Russian KGB program that came to be known as the “Farewell Dossier.” The Soviets were attempting to steal hardware-embedded software, an ICS (industrial control system) from a Canadian company. The CIA reprogrammed the software and allowed the KGB to steal the device. When the Soviets installed the ICS, they were unaware that it now had an embedded logic bomb and the timer was set. A report from a National Security Council member describes how the ICS was installed in a Soviet pipeline, and when it triggered, it reset pump pressures and caused “the most monumental non-nuclear explosion and fire ever seen from space.” The Air Force chief of intelligence reported a three-kiloton event.
Today, Klimburg estimates that the U.S. government likely spends more money on cybersecurity-related tasks, including espionage, than the rest of the world put together. Probably $26 billion-$30 billion a year. That compares, he says, to the entire defense budget of Germany. The result of the expenditures is that the United States is “without peer in its capacity to exert hard power in cyberspace.”
But the other costs of global network dominance are the vulnerabilities that follow when you “set the dial between offense and defensive all the way to offensive and leave it there.” Defenses suffer from neglect, including even companies like Lockheed Martin, which have had their systems repeatedly hacked, along with every large federal institution from the IRS to the White House. The U.S. just doesn’t do national security very well. Klimburg cites a McAfee-commissioned poll that puts the U.S. in the third tier of countries, ranking U.S. cybersecurity behind Israel and a number of European countries.
AN EVOLVING NATIONAL POLICY
The first national-level cybersecurity policy was in the Presidential Decision Directive 63 signed by President Clinton in 1998. It focused on the need to protect America’s critical infrastructures within the context of a public-private partnership. A major incentive for the policy might have been a military exercise the year before, called Eligible Receiver. The Pentagon Joint Chiefs decided to allow the National Security Agency and Department of Defense hackers free rein to “wage unrestricted cyber war against the U.S.” The results included the discovery that the U.S. power grid “had been frighteningly easy to take over and that the deployability of the U.S. Pacific forces had been seriously curtailed.” Twenty years later, the scale of information gathering, computing power, and the size of networks have reached major proportions, and even old-fashioned methods like man-in-the-middle attacks, viruses, worms, keystroke trackers, and logic bombs have proportionately increased in power. If you factor in the prospects for quantum computing and then add the advances in deep learning for machines of war, what once was daunting now seems almost apocalyptic.