Lights flicker and then go down across the city. Frightened, people reach for the phone but find there is no dial tone. Miles away in a military base, radar screens blink off as generals try in vain to radio troops in the field.
And as confusion grows, tanks begin to move across the desert and missiles screech across the sky toward Baghdad.
The United States government is reportedly developing a cyber-warfare plan — one that establish rules for when and how the U.S. would penetrate and disrupt foreign computer systems. Taking the fight to cyberspace adds a weapon in the military’s arsenal. Some call it a new battlefield. Others say it’s a new way of fighting a very old battle.
”Cyber-warfare is another weapon in the inventory,” says Dan Woolley, a former communications and computer specialist with the U.S. Air Force and currently a vice president at SilentRunner, a network security company based in Reston, Va. ”We’re looking to reduce the level or risk that we face on the battlefield. Overload computers that handle supplies. Shut down the electric grid. Clog up military computers. Overwhelm computers at military headquarters.”
Most military and technology analysts agree that cyber-warfare, at this point in time, won’t be the only battlefield. It’s more of an add-on. Shutting down power grids or disrupting communications would give U.S. and allied soldiers an edge on the traditional battlefield.
”We’d be looking at jamming a radar site to protect missiles coming in or aircraft flying over,” says Jeff Stutzman, a former U.S. Navy Intelligence Officer, who worked on information warfare in computer network operations. ”It may not be the ends. It may be the means to the ends. We’re going to use computers to do things that are a part of the puzzle.”
And shutting down a power plant with a cyber attack could be a ‘less messy’ alternative to launching a missile at it, which could kill nearby civilians and leave people without power for years.
”Computer hacking is a softer way of doing things,” says Stutzman, who left the military a year and a half ago after 15 years in. ”I’d much rather log into somebody’s power plant and log it off than put a missile on it. It seems like a smart way to do business.”
It has been widely reported that President Bush signed a directive last summer, ordering the government to develop a cyber-warfare guidance plan. The strategic doctrine would detail when the U.S. would use cyber attacks, who would authorize it, what constitutes legitimate targets, and what kinds of attacks — Denial of Service, hacking, worms — could be used. Bush signed the order, the National Security Presidential Directive 16, last July.
”We have capabilities. We have organizations,” said Richard Clarke, Bush’s former cyber security czar, in a recent interview. ”We do not yet have an elaborated strategy, doctrine, procedures.” Clarke stepped down from the government’s top cyber security post last month.
Analysts generally agree that the U.S. is gearing up to add cyber attacks to its arsenal of weapons for a potential war with Iraq. Unlike when the military moved into Afghanistan to unseat the Taliban and weed out the core of the Al Qaeda terrorist network, the military would have many more cyber targets in Iraq. Communications. Radar. Electricity. Supply chains… they all could be targets.
The trick, say analysts, is focusing in on the specific target.
Cyber attacks have wide ramifications. If the military shuts down a country’s electrical grid, how would that affect food storage and hospitals?
”We need to be careful not to think that cyber-warfare is bloodless,” says Bob Hillery, an instructor for the SANS Institute and a former commander with the U.S. Navy. ”Thinking that way sometimes changes the way people look at it and makes them think it’s a sci-fi TV show. It’s not pretty. We shouldn’t think that any kind of war could be bloodless. That almost always backfires.”
Military strategists also need to think about how a cyber attack could spread from the intended target across the globe.
A computer network in Baghdad could easily be connected to networks in London, Madrid or New York. Cyberspace isn’t geographically exact. Unlike dropping a bomb on a battlefield that would kill the soldiers in that spot, a cyber attack could ricochet around the world if it wasn’t handled properly.
”It’s like trying to find a specific target in a crowded room without collateral damage,” says Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, which has a Congressional mandate to test the network security at 24 different government agencies and departments. ”If you start unleashing the dogs of war in cyberspace, you have to understand how that could travel. If you unleash a virus or worm like the Slammer, they have a knack of spreading faster than the person who unleashed them envisioned.”
Rhodes and military pundits agree that it’s not likely that the military would unleash worms and viruses. It would be too easy for them to flood right back to U.S. shores and damage networks here, as well as around the world.
”I would think it would be a specific attack against a specific network,” Rhodes adds. ”Malicious code wouldn’t be the way I’d go first off. There are a lot of holes in a lot of systems that you cam use to take control of that system without unleashing a slash-and-burn approach of viruses and worms and Trojan horses.”
Some industry watchers worry, though, that engaging in cyber-warfare is a risky step to take for a country so heavily dependent on computer networks. An offensive attack could make the U.S. — and its maze of public and private networks — vulnerable to a backwash from the original attack or from a counterattack.
Still others say whether the U.S. fires the first cyber bomb or not, the U.S. needs to brace itself for attacks on its own systems. The kinds of attacks the U.S. military would consider making are most likely the kinds of attacks being planned against networks here.
”The biggest problem you have to worry about is that we’re more vulnerable as a country than they are,” says SilentRunner’s Woolley. ”They can launch an attack from just about anyplace. It’s a tool that allows weaker nations to offset America’s military might.”