Why the Pentagon's cyberwar on Assad will be limited too.
By Shane Harris
Shane Harris is a senior staff writer at Foreign Policy, covering intelligence and cyber security. He is the author of The Watchers: The Rise of America's Surveillance State, which chronicles the creation of a vast national security apparatus and the rise of surveillance in America. The Watchers won the New York Public Library’s Helen Bernstein Book Award for Excellence in Journalism, and the Economist named it one of the best books of 2010. Shane is the winner of the Gerald R. Ford Prize for Distinguished Reporting on National Defense. He has four times been named a finalist for the Livingston Awards for Young Journalists, which honor the best journalists in America under the age of 35. Prior to joining Foreign Policy, he was the senior writer for The Washingtonian and a staff correspondent at National Journal.
The pending U.S. military strike on Syria seems the ideal opportunity to launch a sophisticated cyberattack. President Barack Obama’s administration wants to shoot from a distance, keep American casualties near zero, and degrade the Assad regime’s command-and-control systems to the point that the regime cannot launch any more chemical attacks against rebel forces and civilians. The United States could do that with a digital strike on Syria’s telecommunications systems, its electrical grid, or other critical infrastructures the regime needs to stay alive.
But don’t bet on it. The United States and its allies will almost certainly use some form of electronic warfare to jam Syria’s military radar or confuse its air-traffic control systems. They’ll continue to snoop on the communications of Syrian President Bashar al-Assad’s regime. But tempted though the U.S. military may be to flex its cybermuscle, there are a number of reasons that a major cyberstrike would do more harm than good, experts say.
For starters, the big, obvious target is essentially off-limits. The Syrian regime relies heavily on Syria’s public telecommunications system for its command and control. Government leaders and military commanders are communicating with each other and their supporters via cell phones and Facebook, says Rafal Rohozinski, the CEO of SecDev Group, which monitors communications activity in Syria.
The problem is, the rebels are using the same systems. There are half a million more Internet and cell-phone subscribers in Syria today than there were in 2011, says Rohozinski, whose group helps supply communications technology to anti-Assad forces. The Android phone comprises 40 percent of the market today compared with 10 percent two years ago. SecDev Group has also tracked a significant increase in the use of data encryption and secure communications technology by rebels.
There is no easy way to target only government users of the telecommunications system and keep the civilians online. Everyone is using it at the same time.
And keeping access open to the rebels is precisely what the Obama administration wants to do. The State Department and other government agencies have funded several technology companies and nonprofit organizations that design technology meant to circumvent government surveillance. They’ve made encryption technologies available for download to Syrian rebel groups. In 2012, the State Department also funded a conference that brought together rebels with the makers of that circumvention technology.
The rebels depend on ubiquitous, easy-to-use, and relatively cheap technology. Why would the United States cut them off from that technology by taking out the Syrian Internet or turning off the electricity? That would only make it harder for the rebels to organize and plan attacks. And presumably, that’s what the United States wants them to do after the U.S. military weakens Syrian forces with missile attacks.
Syrians are also using cell phones and social media to organize clinics for treating the wounded and responding to government attacks. "They’re the ones who would be most affected by an outage in the system," Rohozinski says. Civilians use the Internet every day to figure out when it’s safe to leave their homes. "Is the taking down of the telecom system going to have a greater or lesser impact on the civilian side?" Rohozinski asks. That’s a calculation U.S. national security officials have to make before any cyberattack.
The United States could craft a more targeted cyberweapon aimed at disrupting government-only systems, such as military networks or non-public communications channels. And those may prove to be soft targets. In an interview with the Washington Post, a hacktivist who supports the rebels’ cause and goes by the name "Oliver Tucket" said the Syrian government’s systems are poorly defended and easily manipulated. "They’re not taking [security] seriously," Tucket told the Post, adding that the regime has "no idea what is going on in their network." Officials are using unencrypted email and even sent a message with the administrative password for a server domain that is associated with the government.
But electronic exploits are hard to come by, and the U.S. military may not want to use them in what will almost certainly be a narrow, low-stakes operation.
"There’s a limited number of shots in that [cyber]-gun," says a former Obama administration official. "And once you tip your hand about what you can do, the Syrians can patch their systems or disconnect them," the former official says. The U.S. military and intelligence community spend considerable time and effort hunting for hidden holes in other countries’ central systems. "You don’t want to waste capabilities."
There’s also a question of intelligence priorities. Any cyberattack would presumably be coordinated or led by U.S. Cyber Command. But that organization is effectively run by the National Security Agency, the government’s eavesdropping arm. And right now, U.S. intelligence appears much more interested in keeping Syrian communications networks up and running, because they’re providing useful information about chemical weapons attacks.
And then there’s the risk of blowback. Any attack on Syria — digital or otherwise — is bound to draw retaliation from pro-regime hackers like the Syrian Electronic Army. The question is how big and how sophisticated that retaliation will be. The Syrian Electronic Army has been linked to operations against U.S. websites, including media sites such as the New York Times and the Huffington Post, and against Twitter. So far, the attacks have only disrupted and defaced the sites themselves.
But pro-regime hackers are not all cyberpunks limiting their shenanigans to vandalism. They’ve shown remarkable dexterity and a penchant for aggressive tactics.
Other pro-regime hacker groups have reportedly been using much more aggressive tactics, including distributing malware and surveillance tools through Skype and YouTube. In 2012, after the Syrian government shut down Internet service in the country, some of the few IP addresses to remain up and running were designed to trick activists into installing surveillance software on their computers.
In the past week, security experts have been buzzing about whether Syrian hacker groups are upping their game and going after American targets. After the trading halt on the Nasdaq last week, some experts began speculating that it resulted from a malicious cyberattack by Syrian groups or their allies in Iran. There’s no evidence of that. But it’s a measure of increasing anxiety about the capabilities of those groups and their willingness to launch more aggressive, higher-profile strikes against U.S. interests. Hackers in Iran are believed already to have caused massive denial-of-service attacks against American banks in late 2012.
"Cyber is a unique domain, and we have vulnerabilities there," says Paul Rosenzweig, a former Homeland Security Department official who worked on cybersecurity policy in George W. Bush’s administration. "We are about to poke in the eye a tiger who has some cyber-claws. How ferocious are they? We don’t know for sure. But if I were contemplating an offensive cyberactivity, other than taking out their radar, I’d ask, ‘Do I have the capabilities to disable any groups that might retaliate?’"
Of course, a website defacement or temporary shutdown may be a small price to pay for a strategic cyberstrike that gets the administration’s job done. And presumably, Syrian hackers or their proxies will retaliate for cruise missile strikes, anyway.
"Cyberattacks in Syria will be used in ways that haven’t been used in previous wars," predicts Micah Zenko, a national security expert and fellow at the Council on Foreign Relations. "And they might be used in ways that aren’t immediately apparent."
The U.S. intelligence community has had a long time to study up on the Syrian government and the vulnerabilities in its systems. The intelligence community may have developed a more discrete kind of offensive tactic that has never been seen before.
"I suspect that it will be in ways that we don’t quite know about," Zenko says. "To not utilize [cybercapabilities] would be really foolish." To go in with just kinetic efforts — missiles and bombs — "would be like fighting with one hand behind our back."