Five dudes are seated at a high stakes virtual poker table. Four of them desperately need to win. One of them cannot afford to lose. But they’re not all playing against each other. Four are playing together, because none of them can win alone. But none of them trust each other.
In 2015, I posted a blog entitled Cyber War’s Pearl Harbor. It was a hypothetical exercise about the possibility of a cyber-attack launched simultaneously by Russia, China and Iran. But let’s add North Korea to the table.
This year, I read a novel entitled 2034, written by retired Admiral James Stavridis and Elliot Ackerman, which posed a similar scenario that went beyond mere cyberwar. I don’t want to dwell too much on the plot and crimp their sales, but it gave credence to my 2015 post, at least in terms of anticipating that a cyber-attack might be the prelude for something much bigger; something that could easily get out of hand. It also echoed the plot of an alliance of China, Russia and Iran, in which China was the dominant cyber player.
We are now at a point that I could not have imagined in 2015, and circumstances make the potential that I hypothesized that much more possible. Recent events also should give us a taste of what a cyber war might inflict on us on a grander scale. But first, some background to the hypothesis.
The US is obviously one of the players, and unquestionably the one with the most to lose. Hence, it cannot afford to lose. The four other players are each in a tight spot, thanks in part to their own internal mismanagement, made yet worse by sanctions that the US has imposed on them as the economic arm of its war on whatever. The sanctions have not yet brought them to their knees, but they have crimped their style. In addition, their internal dilemmas motivate the need for solutions to be found beyond their borders.
Iran is a quasi-client of Russia, but a bit of a wild card. North Korea is a client of China, but also a wild card. China and Russia have been dating lately, enjoying military games together. Although, if I were the Russian bear, I’d be a bit wary of the Chinese dragon. China has plenty of population in need of work, and not enough resources. Russia has plenty of resources to exploit, and not enough workers. Siberia is calling. But I digress. That’s for the future. We’re in the here-and-now.
The foursome are in tight economic boxes with populations that may not be willing to bear much more hardship, though all are well practiced in that skill. Still, patience has its limits. Other countries have revolted for less justification. So, something needs to happen to change the equation. The question is when, and how.
All four countries are known to have substantial cyber warfare chops, and to have used them steadily and progressively.
The U.S. has some pretty significant tools also. We know this because some of them have been laid bare by our adversaries. Apparently, our offensive capabilities are more impressive than our defensive capabilities. The security breaches by Edward Snowden and Chelsea Manning are further evidence of a laxity of organizational security discipline that invites actors to test the limits. What is not known, by us and possibly by our adversaries, is what other tools the US may have that have not yet been displayed, or compromised.
So, here we are, back at the virtual poker table, with the world around it steadily fracturing along internal and international fissures, creating opportunities for the bold and the desperate. While the Four Amigos may not completely trust each other, they have a common bond in the need to change the power equation for their respective purposes. And a shared capacity to do so.
* * *
One of the aspects of the novel 2034 that intrigued me was the subplot of the Chinese developing the capability to neutralize our internet, telecommunication and defense networks, particularly those integrating our military assets. This is all too credible, not only in my view, but in recent events.
- The Colonial Pipeline attack was an example of how hitting one strategic utility or infrastructure system can leverage chaos across a region.
- Attacks on hospitals are cyber-terrorism that can kill, but also spread a more generalized sense of vulnerability.
- Attacks on Yahoo and Facebook demonstrate the capacity to leverage one point-of-entry vulnerability into strategic widespread disruption.
- The Kaseya VSA ransomware attack similarly shows the power of leveraging a specific vulnerability for widespread disruption across multiple high-level client organizations. While this was a ransomware attack for fun and profit, imagine it instead as a cruise missile, the damage from which cannot be reversed quickly with a ransom payment.
- Taiwan has recently expressed concern regarding China’s near-term capability to electronically neutralize its defenses as an element of an invasion, echoing the plot of the novel 2034, but with a much shorter time horizon in mind.
Now, imagine the above bullet points, not as isolated incidents, but as elements of a coordinated, sustained effort by the Four Amigos to change the geo-political equation to their advantage. What would they have to gain, and what might they risk losing? But first, a brief meditation on our national psyche.
* * *
We in the U.S. are infatuated with technology more than informed about it. We can see its potential, but are not particularly motivated to consider the risks. This is not unique to technology. It is found in broader elements of our national character. We tend toward optimism. We believe there is no challenge we can’t conquer, including self-inflicted wounds. Technology will bail us out of everything. Everything is disposable and replaceable. When something new and shiny comes along, discard the old, even if it still serves a useful purpose. Don’t refurbish our old cities; build new ones. And so it goes. Our attitude about technology is very much grounded in this national mentality.
We built information technology with basically the same mentality. Get to market first. First mover. Gain market share, particularly in software, selling vaporware, if necessary. Work out the bugs later. The Y2K Dilemma, as I have previously written, was known back in 1975 (at least to my knowledge, and likely sooner) but not addressed until it was on the eve of the crisis. The logic then was that all the old stuff would be replaced by new stuff (like microcomputer technology and new operating systems) except it wasn’t, and the new stuff was built with the same myopia to a known risk.
The internet, as we know, was funded by DARPA and created to provide a communication network among distributed academics, contractors and government officials in the military-industrial complex. It was also intended to be a resilient network in the event of war, being decentralized and capable of sustaining an attack on any of its component nodes without bringing down the system. Academia saw its broader potential and expanded its use in a positive way. Contractors saw its potential and expanded it in a commercial way.
The commercialization of the web has obviously provided many benefits to humankind around the world, but it now also poses some significant risks, not least to national security. While it was intended to expand connectivity and the transmission of knowledge, it has become a powerful tool for disinformation and cyber-tribalization.
Of particular concern, a network that was designed to be highly decentralized and resilient has become highly concentrated and a cyber-highway to massive attack and failure. It is this last aspect, as illustrated by recent trial runs of cyber disruption, that should put our leadership on high alert. They have been alert since 2010 with the creation of the Cyber Command, but not obviously effective in preventing or thwarting escalating attacks.
Nor can government do this alone. Government and the greater society depend on the private sector to do its share in protecting an economy that is increasingly dependent on and vulnerable to this technology. The private sector, obsessed with the bottom line, too often would rather gamble on avoiding the risks and costs of cyber-attack than invest in prevention through adequate security investment, training and staffing.
* * *
What we have been exposed to over the past twenty years are concerted acts of espionage by state actors gathering critical intelligence from government and commercial targets, and a series of more visible acts of pillage by cyber-privateers, believed to be in the employ of state sponsors, but not officially linked. The cyber-privateers play an important role in strategy development. Targeting critical but non-strategic entities, they give state sponsors a laboratory for observing how defender states respond to attacks in different scenarios.
State-sponsored activity appears to be low-visibility/low-impact, stealing vital information but not overtly using it as a destructive tool. Cyber-privateers elevate the visibility through their high-visibility cyber-muggings, which also serve as an element of cyber terrorism, making the public aware of its vulnerability, and thus more compliant to their demands in the absence of any apparent institutional defense from government or private sectors.
But what would a full-blown cyberattack look like? Imagine for a moment that our Four Amigos got together for a group bit-bang.
First, the players individually may have already laid the foundation for such an endeavor over recent years. The same backdoors that allowed them to gain entry and extract data may have also allowed them to plant little cyber-bots of program code; sleeper cells, if you will, waiting for their command to wake and unleash their mayhem. Sleepy security teams, lax in their defensive protocols, may have failed to detect these little intruders among the morass of code and jerry-rigged programming infrastructure that populates many complex corporate and government systems.
No doubt, the players will periodically test their backdoors to determine that they’re still available and haven’t been closed by the latest software patch. But, if that happens, they’re not too worried. Being more patient and diligent than we tend to be, they’ve built options and alternatives so that one failure doesn’t bring down the show. And besides, time’s on their side.
The important thing is that in a massive cyber-attack, they don’t have to bring down everything. They just have to poke enough holes in the right systems to cripple the society. We have previously witnessed dress rehearsals in eastern Europe. The COVID-19 response and the resultant supply chain disruption could serve as a proxy, but it could be much worse in a true cyber-attack.
The above scenario assumes that the Four Amigos have already laid some significant foundation in their individual activities, but it is unlikely that any of them would act alone except in extreme desperation. So what might prompt them to join forces?
I would suggest that serious desperation, coupled with a perception of a vulnerable, weakened U.S., might be a trigger for a unified effort. Imagine an attack during a particularly brutal winter, following an acrimonious election. A broad-based attack, launched with sufficient stealth to shield its source, would delay an immediate response, which would already be too late. The U.S., preoccupied, if not crippled, by the response to multiple domestic crises for which it is unprepared, would hesitate to launch a massive military response that it could not support logistically. It would be effectively contained on its continental island, and the Four Amigos could go about their respective business plans in their respective neighborhoods, mostly without firing a shot. Russia could send its demands to Europe; China likewise to Taiwan, Japan, and the rest of Southeast Asia, and throw in South Korea as a tip to North Korea for its assistance. Iran can proceed to brutalize its neighbors into submission in the name of Allah at its considered pace.
Sound crazy? Well, so did the lightning collapse of Afghanistan, until it wasn’t. But this game has much higher stakes.
So, what might prevent this from happening? Two possibilities:
- As I noted in the beginning, the Four Amigos don’t really trust each other, and for good reason. So how does any one of them know that when it comes to pulling the trigger, they’re all in, and nobody’s holding back to let the other guy be the fall guy? The novel 2034 illustrates this dilemma toward the end.
- A strategic cyber-attack only makes sense if it correctly assumes that a strategic nuclear attack won’t be the response. That assumes a rational assessment of risk and benefit by the U.S.
Anyone want to take bets on that?
The suspicion that we may be half-crazy isn’t a preferred or sure-fire defense, but at present it may be all that saves us.
© Copyright 2021 All rights reserved.