By Zak Doffman
The most serious cyber warfare threats facing the West come from China and Russia, that much is undebatable, with Iran and North Korea a step or two behind. Those CRINK nation states occupy most of the strategic mindshare within the defense and intelligence agencies charged with keeping us safe. But now Lt.-Gen Vincent Stewart, former deputy chief of U.S. Cyber Command and director of the Pentagon’s Defense Intelligence Agency, has warned that we need to urgently broaden our thinking.
Much of the cyber threat focused on military, critical infrastructure and commercial targets in the West is developed by so-called Advanced Persistent Threat (APT) groups allied with and funded by nation state agencies, but not embedded within them. We have seen these often arms-length entities double-hat their activities, conducting likely state-mandated operations while freelancing for personal gain as well.
With this in mind, Stewart has warned that if al-Qaeda or ISIS were able to purchase cyberattack capabilities or even services from such a group then swathes of critical infrastructure could be at risk. Russia and China have such capabilities, but play the balance between impact and implications—causing damage but stopping short of prompting devastating repercussions. Terror groups have no such constraints and often operate at the margins of their capabilities.
While in Israel for a counter-terror conference, Stewart talked with the Jerusalem Post, warning that Israel and the West are vulnerable to the cyber equivalent of a “dirty bomb.” In Stewart’s view, the West continues to underestimate the potential that such an attack might take place and its impact. There is so much focus on Russia, China, Iran and North Korea that we are missing the obvious.
Stewart singled out power grids as a particular danger, and one can only imagine the war-gaming and theorizing around such an attack within Cyber Command during his tenure. “Losing power for an extended period of time,” he warned, “is not just about inconvenience,” with hospitals and cold supply chains at particular risk. We have seen attacks on power companies and assets from both East and West. It has become something of a frontline.
Stewart did acknowledge that Russia remains the most likely perpetrator of a broad scale attack, “viewing itself as a global power” and “Putin believing he is almost the czar.” As such, the limited deployment of cyber weapons by the U.S. was a cause for concern—an overly conservative attitude of the past. “Russia will not back off unless we stand up and show we are willing to fight back,” which presents that retaliation dilemma. “So which is it? Push back and risk ultimate escalation or deescalate?”
As I’ve written before, there has been a sea-change in cyber conflict this year, driven by a combination of escalating tensions with Iran in the Gulf, an increasingly expeditionary Russia and the technology Cold War emerging with China. And this extends to state-sponsored attacks on civilian targets. Iran, for example, understands that retaliation against the U.S. military in the cyber domain might be akin to throwing rocks at a tank, but it can hit the vast and under-protected U.S. corporate sector at will. Two weeks after U.S. Cyber Command hit Iran’s command and control structure came its warning that an Iranian-led hack was targeting the millions of unpatched Microsoft Outlook systems.
“When people ask me what keeps you up at night,” Lt. Gen. Robert Ashley, the current director of the Defense Intelligence Agency, told a cyber conference in Aspen earlier this year, “that is kind of the thing that keeps me up at night.”
We now have both hybrid warfare, where cyber is a furtive, ever-present layer of activity, and a level of integration between cyber and physical conflict we have not seen before. An attack in one sphere, retaliation in the other. “We are no longer going to clean up on aisle five,” Stewart explained, referring to the persistent engagement that has become the new hallmark of cyber warfare. “We are going to give you things to think about. We have to respond. It doesn’t need to be high end. Just enough to say that we are on the playing field.”
And while the former Cyber Command deputy chief’s warning about cyber terrorism might take the headlines, his message is actually more directed at everyday, here-and-now adversaries—especially Russia. These state actors “cannot operate anymore with impunity—there is a cost.” This has become the new reality, and it grows ever more complex, as recent announcements around information and media warfare, added to more traditional systems warfare, clearly illustrate.
In the past, Stewart told the Post, fear of consequence resulted in hesitation to act. Again, the fear of what might have been unleashed kept cyber weapons in check. We have moved past that now. Stewart credited the integration of traditional defense and cyber operations with changing the Pentagon’s thinking. It is pretty much a reverse of the thinking of old, with military strategists concluding that not acting might be worse.
“This past September,” reported the New Yorker, “DOD issued a strategic plan that not only confirmed the existence of cyber weapons but declared its commitment to using them ‘to advance U.S. interests’ and ‘defend forward’. The cyberattack on Iran in June was a manifestation of this new, more aggressive approach.”
We are in new and dangerous territory. These latest comments show, above all else, that we don’t yet fully understand the implications of this new environment but we had better learn fast.