The art of cyberwar

Web War I hit Estonia in 2007. Now cybersecurity experts are forecasting a very frightening sequel...

The first sign of trouble is likely to be a sudden inexplicable slowdown in the internet as a country’s online network grinds to a halt under a wave of so-called denial of service attacks. Key commercial sites shut down in the first hours and with them the networks that keep banks running, financial markets open, supermarket shelves stocked. Next would be targeted logic bombs pre-planted in the computer software of vital infrastructure plants — power stations, water treatment plants, pipelines, pumping stations and sewerage. These would simply cease to function, or suddenly and inexplicably overheat and explode. The ability of the Government, security services and hospitals to respond would be severely limited.

Transport networks could also be affected as petrol pumps cease to function, trains are derailed by malfunctioning points systems and traffic lights are scrambled. In the most extreme scenarios, air traffic control networks might be penetrated, causing disaster as circling planes, unable to land, run out of fuel and fall out of the sky. Infrastructure would be paralysed and the population left powerless as law and order break down.

Set out in a book by a former White House official called Richard Clarke, could this nightmare vision await us as the world begins to take seriously the emerging “fifth domain” of conflict — cyberwarfare? “We are some years away,” says Dr Bob Brammer, vice-president for advanced technology at the US defence giant Northrop Grumman, “but in principle, yes, it could happen.” Senior figures in Britain’s military and intelligence services warn that as Britain becomes an ever more networked society, the threat is growing. In November the head of the British Armed Forces, General Sir David Richards, said that a cyber attack could paralyse a city, with the same effect as “carpet bombing” it with conventional bombs. He added: “The UK’s trade is now so dominated by financial services that the internet is as vital to us today as shipping routes were a century ago.” Iain Lobban, the head of Britain’s electronic intelligence-gathering agency, GCHQ, has warned: “Cyberspace is contested every day, every hour, every minute, every second. I can vouch for that from the displays in our own operations centre of minute-by-minute cyber-attempts to penetrate systems around the world.”

In October, the Government announced that £650 million would be spent on countering cyberwarfare in the next four years, making it one of the few growth areas in an otherwise hollowed-out defence budget. But to date the threat of cyberwar has remained distant and, for many, somewhat unreal. Mike Maddison, an analyst at Deloitte with expertise in cyberwarfare, warns against hysteria. “There is very emotive language,” he says. “Carpet bombing is terrifying — if my Windows Outlook stops working, I’m just irritated.” For all the dramatic talk of logic bombs and cyber-offensives, is it right to call this “war” at all?

A brief history of cyberwarfare to date gives some idea of the reasons for government concern. “Web War 1” was launched against Estonia in 2007. The country’s parliament, banks, ministries and media outlets were targeted after Estonia angered Russia by removing a bronze statue commemorating Soviet war dead from central Tallinn. The result was economic damage and public panic. But while the nation from which this “clickskrieg” stemmed is easily imagined, it has never been definitely proved and the Russian Government has always denied its involvement. The ease with which the perpetrators of attacks on the internet are able to conceal their identity through proxy internet addresses and “ghost computers” is one of the defining features of cyber warfare — and it is a deeply complicating one. How do you deter an attacker with the threat of retaliation when you don’t know who or where they are? The answer is that you can’t. In its recently published Cybersecurity Strategy, the Government noted: “The low cost and largely anonymous nature of cyberspace makes it an attractive domain for use by those who seek to use cyberspace for malicious purposes. These include criminals, terrorists and states, whether for reasons of espionage, influence or even warfare.”

Russia used cyberattacks as a precursor to its conventional invasion of Georgia in 2008 — Georgian media outlets were flooded with traffic or hacked, with information altered. These attacks used a relatively simple form of internet attack weapon, the distributed denial of service, or DDoS. This involves internet hackers creating armies of “zombie computers” — known collectively as “botnets” and sometimes millions strong — by infecting them with virus software through email traffic, often spam messages. Household PCs are an easy target. Once infected, the computers still function, though they usually appear to operate slowly. Their memory can then be hijacked and used to direct thousands of email requests for information to a particular network. With thousands or millions of computers targeting one website it is swamped with traffic and ceases to function. The potential of this type of attack is evident from the recent attack by the politically motivated hacker group Anonymous, which in December sought revenge against credit card companies that refused to allow donations to the Wikileaks organisation. The attacks shut down the Mastercard and Visa websites for a period.

More complex are logic bombs. One of the earliest examples of a logic bomb pre-dates the modern internet. In June 1982, an explosion ripped through a Soviet gas pipeline in Siberia. According to an account written by a US military officer, Thomas Reed, it was “the most monumental non-nuclear explosion and fire ever seen from space”. The cause was a malfunction in a computer control system that had been stolen from a Canadian firm by Soviet agents. What the Soviet spies didn’t know was that the CIA had implanted software in the stolen system that meant that after a period of time it was programmed to suddenly and spectacularly malfunction.

Another logic bomb has thrust cyberwar to the forefront of military thinking. The Stuxnet virus became public in 2010 after it was reverse-engineered and analysed by Western internet security companies. The virus’s origin is uncertain, though its sophistication has led analysts to conclude that it must have been built by a state — the US and Israel are the prime suspects. Its target appears to have been the Iranian nuclear programme facilities at Natanz and Bushehr. It is believed that memory sticks were used to import the virus into the buildings, which are “air gapped” and not attached to the internet. Once inside, Stuxnet searched for and subverted the particular Siemens-designed Scada (supervisory control and data acquisition) software that was running the centrifuge spinning systems for enriching uranium. But the virus did not do so openly. It concealed its activity so that while centrifuges began to malfunction, instrument panels showed normal readings. The Iranian nuclear programme may have been delayed by as much as two years.

However, there remains much supposition about the whole episode. “Stuxnet is an early example of what will become more common — pieces of malware (malicious software) designed to destroy critical equipment,” says Brammer. “They can cause significant damage and put lives at risk.” Stuxnet is a signpost to the future. One analyst wrote: “This is what nation states build if their only other option is to go to war.” But Stuxnet also highlights a flaw in such weapons, which take a large number of people many months to design. Stuxnet exploited at least three so-called “zero-day” (ie, previously unrecognised) flaws in the Microsoft Windows system. Once the flaws had been revealed they were “patched” by Microsoft. “It is a one-shot weapon,” says Dr Heinz Winter, principal engineer at Northrop Grumman’s cyberwarfare “range”, near Portsmouth. “The vulnerability would be patched, but there are so many more out there.”

Far less sophisticated than the Stuxnet virus are the sort of e-mail attacks that are directed at institutions and government bodies every day. Experts stress that cyberattack is often something of a misnomer. “It is not the right term for what we are seeing,” says Graham Wright CBE, a former deputy director of cybersecurity at the Cabinet Office. “Day-to-day it is cyber-espionage, commercial and government sponsored.” Since 2003, the United States and other countries, including Britain, have been subject to a campaign of cyber-intrusion on a massive scale, codenamed “Titan Rain” by the US Government. Apparently originating in China, thousands of attempts have been made to hack government institutions and commercial bodies. Among the companies hacked was Lockheed Martin, which has denied that plans for its new stealth jet, the F-35 Joint Strike Fighter, were stolen.

“I think the Chinese Government has been behind many, many attacks — penetrations,” said Richard Clarke, a longtime US government adviser. “Attacks sounds like they’re destroying things. They’re unauthorised penetrations. And what they’re trying to do is espionage. They engaged in massive espionage, not only in the US Government, in the US private sector as well, but also around the world.” Western analysts believe that the Chinese hackers, called “GhostNet”, form an important new facet of China’s approach to warfare, as set out in a book published in 1999 called Unrestricted Warfare. The book, written by two colonels of the People’s Liberation Army, followed China’s realisation after the Gulf War that it could not compete with the US in a straight fight. The authors noted: “The new principles of war are no longer ‘using armed force to compel the enemy to submit to one’s will’, but rather are ‘using all means, including armed force or non-armed force, military and non-military and lethal and non-lethal means to compel the enemy to accept one’s interests’.”

China, which is producing 25,000 top-flight computer programmers every year, expects to be able to win “informationised wars by the mid-21st century”. The Chinese are not alone. The US, Britain, Iran, Israel and North Korea are among other nations also exploring the potential of cyberwar for defence and attack. While cybercrime and cyber-espionage would appear to be much more prevalent on the internet than actual cyberwar, there is much overlap between them. Any cyberwar attack on a nation would involve exactly the same stealthy hacking of systems for intelligence gathering and the implanting of malicious software as cybercrime and espionage. Bob Brammer says that the first requirement is to “prepare the battlefield”, a process that would take months or years, to hack the vital infrastructure of an enemy state and implant malware. “Cybercrime is the laboratory where the malicious payloads and exploits used in cyberwarfare are developed, tested and refined,” wrote Jeffrey Carr, in Inside Cyber Warfare.

Symantec, a leading internet security company, told The Times that 53 per cent of critical infrastructure providers it surveyed across 15 countries reported that their networks had suffered what they perceived to be “politically motivated cyberattacks” in the past five years, with an average of ten such attacks at a cost of $850,000 to their business. The growth of social networking has allowed hackers to harvest information from sites such as Facebook. These “spear phishing” attacks send e-mails with apparently personally relevant information. If opened, a virus is implanted that gives the hacker access to the network where he can implant what is known as “backdoor software” to make that access permanent.

James Wootton, a former GCHQ employee who now runs the cybersecurity company Electric Cat, warns of other hacking methods. The “man in the middle” attack is one often carried out in hotels, by hackers who use laptops to pose as the official in-house wi-fi system. Those who log on might then be subject to a “Trojan horse” virus that allows the hacker “a privileged escalation” and access to stored files. If he is able to install a rootkit program, he can return at will. Another gambit is to sprinkle infected memory sticks in car parks at government or commercial institutions in the hope that curious employees will insert them into office computers. At the lower end of the market, hacker toolkits are commercially available online. At the Northrop Grumman cyber-range, Heinz Winter is a trained “ethical hacker”. The range simulates the computer systems and internet traffic of large companies and government institutions, allowing men like Winter to test their defences. He notes, a little wistfully, that anyone can now acquire relatively sophisticated hacking tools without extensive programming knowledge, selecting a “delivery system” and “payload” from online menus.

“It takes weeks of preparation but every antivirus can be overcome,” he explains. “You find which antivirus they are using, install it yourself and run your virus through the firewall, tweaking the code till you get through.” The whole process has been aided by the development of cloud computing, which allows users to rent huge computing power from hundreds or thousands of other machines. “Password cracking will take no time when you are using 1,000 computers for an hour rather than one computer for a thousand hours,” Winter says. Should one be wary of the assessments of companies that might see cyberspace defence as a potentially lucrative market in lean times? Possibly, but many analysts argue that the vulnerability of computer systems is underestimated because companies and governments do not want to admit how vulnerable they are.

The telecoms company Verizon conducted an online survey of its clients in 2008. It reported the loss of 285 million personal data records, including credit card and bank account details. Verizon claims that 96 per cent of successful hacks could be averted through good procedure and updating computer defences. In May last year there was speculation that a mysterious 30-minute collapse in prices, the “Flash Crash”, on the Chicago Mercantile Exchange was the result of a cyber-attack. An investigation concluded that automated selling machines had caused the crash, though some are unconvinced.

But there is widespread consensus that a successful hack of a major financial institution or bank is now likely. “Two things I would watch out for within the next five years are a brigade-size military unit in a regional conflict effectively losing its command and control networks to a cyberattack and the possibility of a successful attack on a major bank or credit card provider, which destroys confidence and has a huge ripple effect,” said John Bassett, an expert on cyberwarfare at the Royal United Services Institute in London. Bob Brammer believes that major breaches have occurred already, but that the need to maintain public confidence makes institutions unwilling to admit to them. Where does this leave the future of the internet? Some analysts predict that it risks becoming “Balkanised” into smaller autonomous networks — fundamentally altering its freedoms. Others argue that a legal framework for cyberwarfare needs to be established, a treaty similar to the Geneva or Hague Conventions, which would place legal limits on cyberwarfare.

In a report published in November, the influential think-tank Chatham House predicted: “Cyberwarfare and cyber-espionage are likely to become increasingly intertwined, slowly subsuming, though never completely replacing, conventional warfare.” But it is also worth remembering the potential value of cyberwarfare, a form of interstate coercion that could save lives by allowing a form of conflict in which infrastructure rather than lives are forfeited. How might history have been different if the US-led invasion of Iraq had not seen the wholesale destruction of Iraq’s infrastructure before the troops went in, but only its disablement through cyberattack? Billions of dollars and years of chaos might have been saved.

A bark worse than their bite: non-lethal weapons

New technologies that are designed not to kill

Acoustic hailing

Operated from ships, armoured vehicles or trucks, this device emits highly irritating tones that are supposed to deter or modify an individual’s behaviour. For example, the crew of USS Vella Gulf, a US Navy guided-missile cruiser, used an acoustic hailer to project sound beams at pirates in two skiffs in the Gulf of Aden, off Somalia, last year, when the warship was the flagship of the counter-piracy task force in the region. The sound wave, which is supposed to be within the hearing limits set down by the US Occupational Safety and Health Act, has a range of up to 3,000 metres.

Optical distracter

A directed energy system that fires a non-blinding laser. This device has also been developed to deter pirates from launching raids on shipping in the Gulf of Aden. BAE Systems has designed a prototype weapon which sends a laser beam over a distance of nearly two miles. A BAE official said: “The effect is similar to when a fighter pilot attacks from the direction of the sun. The glare from the laser is intense enough to make it impossible to aim weapons like AK-47s or rocket-propelled grenades, but [it] doesn’t have a permanent effect.”

The Skunk

To break up hostile crowds, the Israeli army uses an armoured truck that fires an intolerably smelly liquid. It has proved highly effective.

High-powered microwave

Vehicle-mounted, this weapon can send millimetre-wave electromagnetic energy over a range of 700 yards. The wave, which causes a burning sensation on the skin, is intended to force back hostile crowds and deter gunmen who may be using human shields while firing a weapon.

Sticky foam

In 1995, the US Navy fired sticky foam during a UN peacekeeping operation in Somalia. A gum-like adhesive substance, the foam stuck to people who were regarded as threatening. Although it had the desired effect, it proved to be painful to remove.

Electro-muscular incapacitation projectile

An upgraded version of the Taser stun gun, this 40mm munition can disable someone for up to 30 seconds. Fired from a grenade-launcher over a range of up to 200ft, it gives the human target an electric shock.

Airburst non-lethal munition

A low-velocity round that delivers a combined light and sound effect with a bright flash dazzle, a loud bang and pressure blast and heating sensations. This multisensory weapon can be fired from a grenade launcher.

Electric vehicle-stopper

A high-powered radio frequency that disrupts the functioning of a vehicle’s engine is placed at checkpoints and road blocks in order to stop suspicious vehicles, without troops having to fire on the occupants.

Windshield obscuration device

Aims a laser at the windscreen of an approaching car or truck, forcing the driver to slow or stop their vehicle and giving troops time and distance to determine whether it presents a threat.

Michael Evans