The Best Defense Against Cybersecurity Threats Is a Good Offense

Know thine enemy. It's a basic principle, but what if there's no way to identify your enemy? How do you strike a target you can't find? How do you wage a war with weapons you've never used on the battleground?

These are just a few of the questions facing the Army's Communications-Electronics Research, Development and Engineering Center (CERDEC).

Although there's much discussion about defending the nation's critical infrastructure from cyberattacks — especially in light of the May release of the "International Strategy for Cyberspace," in which the United States reserves the right to use military force in response to a cyberattack — CERDEC's Intelligence and Information Warfare Directorate (I2WD) is focused on an area that few know much about: offensive cyberwarfare.

In fact, when asked if the nation is a leader in the field, I2WD Offensive Information Operations Branch Chief Giorgio Bertoli pauses: "I'm not sure I even know the answer to that question. This is a very young domain. As an Army, we're still learning what can and can't be done."

I2WD's work is part of a broad U.S. mission to strengthen the military's offensive cyberwarfare capability. In 2009, Howard Schmidt stepped in as the White House's first cybersecurity coordinator.

In 2010, the Defense Department created the U.S. Cyber Command, headed by National Security Agency Director Gen. Keith B. Alexander, to serve as an umbrella for cyberoperations through the branches of the military. Soon after, DOD recognized cyberspace as a new domain of warfare, along with land, air, sea and space.

It's a mission shared around the world. There are 36 countries, ranging from Mexico to China, preparing for military cyberconflicts, according to a May report by the Center for Strategic and International Studies.

"They're all doing it," says James Andrew Lewis, director and senior fellow at CSIS and the project director for the Commission on Cybersecurity for the 44th Presidency. "It's like airplanes in 1914. They seemed pretty exotic, but 10 years later, any nation with a serious military needed to have planes."

There are few specifics Bertoli can provide about his work because so much of it is classified. But the primary goal of cyberwarfare, he explains, is to provide warfighters with a nonkinetic means of striking enemies without permanently destroying infrastructure. The second goal is to disrupt, deny and degrade enemy operations and prevent them from strategizing and communicating.

His team, which consists of 20 government engineers and support contractors, uses software-defined radio, electronic warfare, signals intelligence and other technologies to help build what the Army refers to as its future force.

"Just like a handgun versus a Howitzer," he says, "there's a whole spectrum of tools."

What Is Offensive Cyberwarfare?

There are two categories of offensive cyberwarfare. The first is tactical: disrupting your opponent's command and control to erode informational and technological advantage. It's the fog of war that creates uncertainty and confusion in military operations, Lewis explains.

For instance, you could hack into a Blue Force Tracker system and replace the blue dots (signifying allies) with red dots (indicating enemy troops). "It can have a crippling effect on your opponent," Lewis says.

He cites some real-world examples, including a 2007 air raid by Israel, which hacked into Syrian military systems to make it appear as though its airspace was clear, and Russia's 2008 distributed denial of service attack on Georgian government websites.

The second category of offensive cyberwarfare is strategic: striking targets on your opponent's homeland. The sole example of strategic offensive cyberwarfare, Lewis says, is Stuxnet, the 2009 worm that targeted Supervisory Control And Data Acquisition (SCADA) systems, including ones that monitor and operate Iranian nuclear facilities.

Both types of cyberwarfare are rare. "In the media, everything and its dog is called a cyberattack, so people freak out," Lewis says. "But really, the threshold is very high. There are a very limited number of incidents that could constitute an attack."

The high-profile commercial attacks on businesses such as Google, Sony and Lockheed Martin are criminal and damaging — they're a virulent new form of economic espionage — but they're not warfare, Lewis contends.

"We aren't going to launch a missile at China for hacking into Google," he adds. "If we could tone down the rhetoric a little bit, it would be a lot easier to get a handle on it."

There are economic disruptions and those that constitute cyberconflicts, defense analysts say, but to get to cyberwar, you have to be two political actors locked in a struggle.

An Elusive Target

A notebook computer and an Internet connection — that's all that's needed to launch a cyberattack. Your opponent can decompose your attack and even try to strike back, but you can switch to another computer on a different network.

The low cost of cyberweapons and offensive advantage opens the door to rogue nations or even nonstate actors that wouldn't normally have the opportunity to attack a world power. Having offensive tools at the ready can serve as a deterrent to these potential attackers.

Unlike kinetic warfare, in which one weapon potentially can thwart multiple enemies — "a bullet is a bullet," Bertoli notes — cyber­­warfare typically requires a family of tools. For instance, what works on one particular waveform or network may not work on another.

"So now you have this huge toolbox. How do you manage that? How do you train somebody to be proficient in them?" ­Bertoli asks. It would be akin to teaching soldiers to use a different gun for each enemy. His team at CERDEC is working to create a common look and feel for cybertools so they're easy to learn, and to develop a common framework so developers don't have to start from scratch with each weapon.

Another challenge comes from the nature of technology. "The turnover rate is very high," Bertoli says, "so keeping pace with the cybertechnology landscape is very challenging."

Some hurdles his team faces aren't technical. There are several policy questions. The International Strategy for Cyberspace provides an overview for the United States and its allies — a vision for norms and expectations on the Internet.

"But there's still a lot of detail that's missing in terms of what you can and can't do," Bertoli says. The branches of the military are each working on adding specificity to the strategy based on their expertise.

One of the biggest challenges in cyberwarfare is attribution.

"If someone's shooting at you, you want to shoot back," he says. "But that's difficult to do in the cyberworld." Just because you can identify the IP address of your attacker doesn't mean you know who it is or where he's located. There are teams throughout the government working on tools to better identify attackers, Bertoli says.

Outside the Lab

Another major obstacle is the fact that cybertools are difficult to test in a real-world environment. As any developer knows, what works in theory doesn't always work in practice.

"It is very difficult to replicate the modern cyberspace environment in a realistic fashion," Bertoli says.

Like other cyberteams in the government, CERDEC relies heavily on its laboratories, which simulate physical and virtual battlefields. "A lot of the work is building these environments," he says.

At the end of the day, though, "We don't know how much we can do, because we haven't done it," says Martin Libicki, author of the 2007 book Conquest in Cyberspace: National Security and Information Warfare.

Bertoli agrees. Yet he and his team continue to build cybertools in case the day arrives when the United States must use them.

"You can't be complacent in this domain," he says. Unlike nuclear weapons, which can sit unused for years, cyberweapons must be continuously updated. "It's a constant race to keep pace."

Is a Cyberwar Imminent?

The nations that have the capabilities to launch serious cyberattacks, including China, Russia or the United States, have little incentive to do so.

China undoubtedly engages in "good old-fashioned espionage," says Martin Libicki, author of the 2007 book Conquest in Cyberspace: National Security and Information Warfare. But it has too much at stake in the U.S. economy to launch an attack.

"How much of their prosperity depends on Americans buying their goods?" Libicki poses. "They're not a country that would turn out our lights anytime soon."

Because cyberwarfare is inexpensive, however, the barrier to entry is low, and many worry about nations such as North Korea building their capacity. "That's a place where the great leader can wake up in a bad mood and decide to do something like this," says James Andrew Lewis, director and senior fellow at the Center for Strategic and International Studies.

Cyberwarfare, for that matter, isn't limited to governments. Nonstate actors will likely emerge, says Gregory J. Rattray, partner at the Delta Risk cybersecurity consulting group and former director of cybersecurity on the National Security Council staff. A fundamentalist group could wage a guer­rilla war by disrupting financial services, transportation or other economic and social activities.

Although the United States has strong cybercapabilities, it is also more vulnerable to attack, Rattray says. It relies heavily on its cyberinfrastructure, whereas many of the U.S. enemies' militaries aren't nearly as reliant on cyberspace.

Espionage plays a big role in offensive cyberwarfare because the ability to carry out an attack depends on knowing more about your targets than they know. Otherwise, they'd fix their vulnerabilities, Libicki explains.

That's why so many of the United States' offensive operations are classified. They rely on the element of surprise, Lewis says. "A lot of these exploits only work once."