The bloody little conflict between Russia and Georgia in August 2008 lasted just nine days, but it marked a turning point in the history of warfare. For the first time ever, the shooting was accompanied by a cyberattack.
In the opening hours of battle, unidentified hackers shut down Georgian government, media and banking Web sites. Georgian President Mikhail Saakashvili insisted that Russia was responsible for the cyberattack, and U.S. officials subsequently said he was probably right.
The timing was propitious. Just as Russian ground troops were engaging Georgian forces in combat, the Georgian government was forced to deal with malfunctioning computer systems. U.S. intelligence analysts were convinced that the actions were carefully coordinated.
The disruption was relatively minor, but an important threshold had been crossed. In announcing a cybersecurity initiative nine months later, President Obama referred back to the August events in Georgia, saying they offered "a glimpse of the future face of war."
That is now a widely held view.
America's Tech Edge: A Strength ... And A Weakness
"The next time there is a big war, it will include a cyberattack," says Richard Clarke, a former White House cybersecurity adviser and the author of a new book, "Cyber War: The Next Threat to National Security and What to Do About It."
For the United States, the prospect is especially worrisome. The entire U.S. economy depends on operations in cyberspace. If computer networks shut down, so will the country.
Indeed, in a major cyberwar scenario, the United States would be uniquely vulnerable. No military is more dependent on data networking. Unmanned aircraft send video feeds back to Earth 24/7, while soldiers on the ground are guided by GPS signals and linked via computers to other units and command posts.
Of course, the U.S. military is planning its own cyberattacks. Pentagon cyberwarriors have detailed plans to take down power, telecommunication and transportation systems just about anywhere.
There is just one problem: What if the other side strikes first? In cyberwar scenarios, pre-emptive attacks are favored, and effective retaliation can be difficult.
"We have extremely good cyberoffensive capabilities and almost nothing in the way of cyberdefense," Clarke says.
U.S. Not Ready To Fend Off Massive Cyberattack
The United States' lack of preparation for a cyberattack was highlighted in a recent exercise co-sponsored by the Bipartisan Policy Center and CNN.
The participants, playing top government roles, went through a simulation of an aggressive cyberattack. The scenario featured a cascading series of technology failures, beginning with mobile telephone networks. Internet traffic soon slowed to a crawl, and communication between financial centers came almost to a standstill.
The mock exercise, dubbed "Cyber Shockwave," was set in the White House Situation Room, with top U.S. security officials struggling to keep up with the developments.
"What do we have to do now to contain this?" asked Stephen Friedman, an economic adviser to President George W. Bush, playing the role of Treasury secretary for the purposes of the exercise.
No one had an answer.
Other former officials, including John Negroponte, the first director of National Intelligence, and Michael Chertoff, the former secretary of Homeland Security, also played key roles in the simulation. None found that their government experience prepared them for the decisions and policy actions that the cybercrisis required.
Some experts later disputed the likelihood of an attack as overwhelming and fast-moving as the one in the simulation, but they agreed it could not be ruled out. In any case, the exercise showed that the U.S. government is not prepared to deal with a massive cyberattack on its civilian infrastructure.
How To Deter? How To Retaliate?
That's not to say that no one in government had thought about the prospect of a cyberwar. In his May 2009 speech on cybersecurity, President Obama described U.S. computer networks as a "strategic national asset" and promised to "deter, prevent, detect and defend against" cyberattacks.
Secretary of State Hillary Clinton followed up that pledge in a speech in February 2010. "States, terrorists, and those who would act as their proxies, must know that the United States will protect our networks," she said.
However, Clinton did not explain what the government would do to protect those networks. A cyberstrike would come at the speed of light. Such an attack could not be stopped in midair, the way an incoming ballistic missile might be. Experts say the key to an effective cyberdefense is to establish an effective deterrent, so that countries would be dissuaded from attacking in the first place.
During the Cold War, when the United States faced the threat of a nuclear attack, U.S. administrations made clear that any strike would prompt an all-out retaliation. As a result, no one dared to make the first move.
To deter a cyberattack, however, is far more difficult. One of the gravest challenges is what experts call the "attribution problem." U.S. defense and intelligence agencies would likely have a hard time determining precisely where an attack came from and to whom it could be attributed.
In the "Cyber Shockwave" simulation, the U.S. players first concluded that the attack originated from a server in Irkutsk, Russia. But John McLaughlin, a top CIA official playing the role of CIA director in the simulation, interrupted the White House meeting to announce that his "analysts" had told him they could not confirm that the cyberattack actually came from Irkutsk.
"In fact, the prevailing theory is that these servers in Irkutsk may be only a hopping point for an attack that could be coming from somewhere else," McLaughlin said during the simulation. "We just don't know at this point."
If anything, the attribution problem is growing more complicated. Cyberwarriors can now hijack computers in other countries, working remotely through them, hopping from server to server. Because it's so hard to trace the attack to a perpetrator, direct retaliation may be impossible.
A Losing Battle
Cyberwarfare is an entirely new phenomenon, and for all its efforts to develop an offensive cybercapability, the U.S. military has yet to resolve some basic questions, such as when it would be justifiable to strike first, and how to prepare for an attack without aggravating international tensions.
"We're probably doing things on lots of networks around the world to get ready for cyberwar," says Clarke, "and yet we do not have a military strategy that has been shared with the Congress or the public. And I suspect we don't really have a military strategy at all."
For a country whose economy operates largely in cyberspace and whose military pioneered Net-centric warfare, this is a serious failing.
Lewis likes to cite the German military leaders 70 years ago who took pride in their ability to encrypt radio communication through their Enigma machines. What they did not realize, Lewis says, was that U.S. allies had cracked the Enigma code and were intercepting all those "secret" German messages.
"Unfortunately, today we've reversed the roles," says Lewis of the Center for Strategic and International Studies. "We're the people sitting there fat, dumb and happy, thinking we're getting all this advantage from our network and not realizing that our opponents are sitting in it and reaping all the benefits."
He adds, "I see this as possibly one of the gravest intelligence battles the U.S. has ever fought, and it's a battle we're currently losing."
