The cyber jungle

The information superhighway is getting crowded, and there are bandits around.

For a revealing look at the immense river of digital data that the world has generated in recent years, see the April 1 issue of Science magazine. Two researchers have attempted to estimate the global capacity to store, communicate and compute information. They found that, between 1986 and 2007, general-purpose computing capacity grew at an annual rate of 58 percent, telecommunications at 28 percent, and stored information at 23 percent. There’s also a pie chart showing that 80 percent of communications in 1986 were fixed analog — those wonderful old land-line phones!—while in 2007 global communications were 97 percent digital. The research article is complex, but chock-full of other measurements about the data onslaught.

Great benefits and some new hazards have come from this digital revolution. The upside is the immense upswing in communication, creativity, discovery and productivity. We take more photographs, read more news, search for more info, listen to more music and watch more videos with less effort than ever before in human history. Scientists can probe genomes and distant planets with tools never before available to mankind.

The hazard is that, on some days, the information superhighway looks like the road from Benghazi to Tripoli. The Stuxnet worm showed just now nasty things can become. In its annual internet security threat report,  Symantec says that Stuxnet and another attack mechanism, Hydraq, were last year’s standout malware. Hydraq was attempting to steal intellectual property from major corporations; Stuxnet was apparently designed to disrupt Iran’s nuclear enrichment process. According to Symantec, both will, unfortunately, be useful in teaching programmers how to do it again. Overall, Symantec says it recorded over 3 billion malware attacks last year.

Nations are starting to wake up to this new battlefield, too. There’s an interesting series of essays in the Spring edition of Strategic Studies Quarterly, which is published out of the Air University at Maxwell Air Force Base, on the implications of cyber conflict. In one piece [pdf], Christopher Bronk imagines the use of cyberwar by China in the year 2020. This is a clever and fascinating exercise in futurology. In another article [pdf], Chris C. Demchak and Peter Dombrowski argue that the global cyber battlefields are already being fortified. While we like to think of the internet as a borderless space, they report otherwise:

Today we are seeing the beginnings of the border-making process across the world’s nations. From the Chinese intent to create their own controlled internal Internet, to increasingly controlled access to the Internet in less-democratic states, to the rise of Internet filters and rules in Western democracies, states are establishing the bounds of their sovereign control in the virtual world in the name of security and economic sustainability…

The consensus among states changed after Stuxnet. If such malicious software can take down whole energy systems at once, states have no choice but to respond if they are to protect their own governmental and military operations and uphold their responsibility to protect citizens and corporations. The Stuxnet method and its success thus changed the notion of vulnerability across increasingly internetted societies and critical infrastructures. The days of cyber spying through software backdoors or betrayals by trusted insiders, vandalism, or even theft had suddenly evolved into the demonstrated ability to deliver a potentially killing blow without being anywhere near the target. Forcing nuclear centrifuges to oscillate out of control from an unknown and remote location suggests that future innovations might be able to destroy or disrupt other critical infrastructures upon which modern societies depend.

In earlier decades, nuclear, chemical and biological weapons, as well as conventional arms, have been subject to arms control treaties that attempted to limit the creation of the weapons and their use. The treaties weren’t perfect: some were violated, some were weak and lacked enforcement. A good question that needs to be debated today is whether it is possible or desirable to create arms control agreements to limit cyber conflict. As I pointed out in a recent article in FP, cyber conflict exists in a shadowy, unaccountable world, not easily limited by treaties.

Elisabeth Fischer, writing for army-technology.com, has asked a series of experts on whether the time has come for rules of cyber warfare like those that govern conventional warfare. She found a lot of conflicting views. 

In January, Karl Frederick Rauscher and Andrey Korotkov led a Russian-American study by the East-West Institute on whether the Geneva and Hague Conventions could be adapted to cyber space.  The study pointed out that so-called critical infrastructure — things that are necessary for the basic welfare of civilian populations — are often quite difficult to separate from other facilities when it comes to cyberspace. An attack on a power grid or computer network could take down both hospitals as well as military targets. Can these be separated in a cyber conflict? Questions like that are still unanswered.

Another plunge into the legal issues around cyberwar is offered in Strategic Studies Quarterly by Prof. Charles J. Dunlap Jr., of Duke University. He argues [pdf] that the tenets of the law of armed conflict are “sufficient” to address most of the important issues of cyber war. The problem is not so much law, he says, as the inherent uncertainty of war and targeting.

The fog of war exists in cyberspace too.