WASHINGTON — Looking ahead to the next major global conflict, the more appropriate question might be to ask whether the United States will be able to defend against a major cyberattack, rather than if one will occur.
Students of information warfare point out that physical attacks rarely, if ever, transpire any longer without a cyber component, and that assaults on digital systems such as the electrical grid or telecommunications networks are quickly becoming the face of modern combat.
“This revolution is so profound that the whole history of warfare is now going to look very different,” said Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit group that works closely with the government to evaluate the effects of potential cyberattacks. (“It’s our job to figure out how to destroy America and its allies,” Borg says of his organization.)
“The big thing here is to get military to understand that conflict is not between men at arms anymore,” Borg said in a presentation on cyber warfare here at the USENIX security conference.”Nobody should be talking about a weapons system anymore without talking about its cybervulnerabilities.”
He added that senior government officials and Pentagon leaders need to awaken to the magnitude of damage that a targeted and well-coordinated cyber attack could inflict on the United States.
Borg, who also serves as chief economist of the Cyber Consequences Unit, has developed economic models that gauge the short and long-term effects of a major cyberattack on various elements of the nation’s digital infrastructure.
If an attacker were able to take disable a large regional electrical grid for an extended period of time, for instance, Borg estimates that the ripple effect would undermine 72 percent of economic productivity as measured by gross domestic product (GDP).
“Cyberattacks on critical infrastructures are horrendously destructive. This is like the advent of nuclear weapons. This is just a gigantic thing,” he said. “If you can do this kind of damage under a cyberattack, why would you bother with an invasion?”
Of course, Borg is not alone in his concern about the looming threat from a digital assault on critical U.S. infrastructure, though he does speak in dire terms. Military officials readily concede that their systems are under more or less constant attack from entities that run the gamut from lone-wolf hackers to terrorist organizations and outfits working in concert with foreign governments.
An effort to overhaul the U.S. policy and regulatory framework for dealing with cyberthreats is underway in Congress, with multiple competing bills expected to merge into a final piece of legislation in the Senate that could come up for a floor debate later this year.
President Obama has undertaken a top-to-bottom review of federal cybersecurity activities across the agencies and departments, and named Howard Schmidt, a longtime veteran of both government and private industry, to serve as the White House cyber coordinator.
On the military side, the Pentagon established the U.S. Cyber Command last year, an agency tasked with coordinating the military’s offensive and defensive cyber activities, organized alongside the National Security Agency.
Those steps, though preliminary, come as signs of a collective recognition across the government that cyberthreats are all too real, and indeed are only growing more severe.
“All of these things sound obvious if you’ve been working in the field, but they are utterly transforming the way we need to think about warfare,” Borg said. “This is chronic. This is ongoing. Any conflict anywhere in the world of any consequence is likely to have a cyber component.”
Borg detailed a long history of notable cyber squabbles between nations or political groups dating back to 1998, when Zapatista rebels and their sympathizers attacked websites of the Mexican government in an assault that saw ripple effects disrupt the Frankfurt stock exchange and parts of the Department of Defense. More recent and better known incidents have seen politically connected Russian organizations target the digital infrastructure in the former Soviet nations Estonia and Georgia.
Thanks to the borderless nature of the Internet and the increasing global interconnectedness of the economy, such attacks are unlikely to occur in a vacuum. Borg brims with scenarios for how an attack in one region of the world could torpedo various U.S. economic interests.
Pakistan and India have a distinguished history of sparring with cyberattacks, for instance. Borg noted that India has become a haven for outsourced business processes that now go well beyond call centers and the production of software code. Now, outsourcing firms in India are handling increasingly complex aspects of U.S. financial activity, including risk management, IT design, credit analysis and asset valuation. A major cyberattack that disrupted these activities could, Borg warned, spark a “financial panic” in the United States.
Similarly, any successful attack on systems involved with the production or supply of oil or gas would play havoc with the global market.
Borg, though adept at conceiving dark scenarios that could emerge in the wake of a cyberattack, admits that the real consequences are very likely “unforeseeable.”
As a result, he describes the state of play in global security in a way that recalls the Cold War mantra of mutually assured destruction. Only instead of nuclear weapons, the major geopolitical players are plugged into the other’s information systems to such a degree that they could plunge one another into darkness on cue.
“I think we need to assume that if our military has been doing their job and the Russian military has been doing their job and the Chinese military have been doing their job, then all three of those countries have inserted malware into each of the other’s critical infrastructure systems,” he said. “I think we need to assume that the Chinese can turn off our lights and blow our pipelines and blow up our refineries and so on, and I think we need to assume that the Russians can do the same, and I think we have to assume that we can do that to each of them.”