Why New Zealand must be wary about cyber warfare

Cyberspace is considered the fifth domain of high-tech warfare – joining land, sea, air and space-based operations in the theatre of conflict. Victoria University’s Joe Burton analyses where the threats lie and why New Zealand must be wary.

When President Barack Obama met President Xi Jinping in Washington last September, cyber security was at the top of the agenda. What emerged from the meeting was an agreement by the United States and China not to commit “cyber theft” against each other for commercial gain and to co-operate in reining in criminal organisations using cyberspace for malicious intent.

But a much more serious issue was swept under the carpet. Both the US and China are preparing to fight wars in cyberspace and their respective national security establishments are fully invested in developing offensive cyber-attack capabilities.

Although any US-China co-operation on cyber security is welcome, the prospect of new tools of cyber warfare emerging is a looming and unresolved menace in global politics and one that the New Zealand Government is also concerned about. The New Zealand Security Intelligence Service (SIS) recently ranked cyber attacks second in a list of six of the most serious threats to our country, and advanced cyber attacks against New Zealand’s digital networks are increasing in volume and severity.

The reality is that the extension of traditional information warfare operations to cyberspace, the growing militarisation of cyber security and the way cyber attacks are being used to support conventional military operations all present real dangers that seem to have been shunted to the sidelines of international relations.

So what is cyber warfare? It involves states using cyber attacks to disrupt, delay or destroy another state’s information communications systems and/or using malicious computer code to disrupt an adversary’s ability to communicate on the battlefield.

No one has died as a result of someone sending a malicious computer virus, and small arms and improvised explosive devices (IEDs) have cost far more lives than computer code likely ever will. Yet increasingly the US and China, and many others, are seeking to apply old principles of information warfare to the cyber domain. Contemporary cyber warfare operations are, essentially, information warfare operations.

Ever since the advent of submarine and subterranean telegraph cables and wireless telegraphy, countries have tried to degrade their adversaries’ ability to communicate by attacking their strategic communications systems. In World War I, both Germany and Britain were involved in systematic destruction of the other side’s communications networks. In World War II, Alan Turing – widely considered the father of modern computing – led the work on breaking the German Enigma codes that was crucial to Allied success.

In the modern era, control of the information environment is crucial in conflict, particularly in the areas of intelligence operations and situational awareness – awareness of what’s happening in the strategic environment.

Cyber attacks can be used to degrade an enemy’s ability to communicate, meaning sophisticated encryption and authentication measures must be used to protect militaries’ communications, and their command-and-control systems. Such cyber operations are enabled by modern military strategy (network-centric warfare) and a highly technological battlefield.

The internet and advanced information and communications technology have given states new mechanisms for defence as well as new points of attack. As a senior US commander in Afghanistan recently revealed, referring to the war against the Taliban, “I was able to use my cyber operations against my adversary with great impact. I was able to get inside his nets, infect his command-and-control and, in fact, defend myself against his almost-constant incursions to get inside my wire, to affect my operations.”

Even in Afghanistan, one of the most underdeveloped countries in the world, information warfare through cyberspace has been important. More recently, in Ukraine, Russia mounted hybrid warfare operations that revolved heavily around information warfare concepts.

As one commentator noted in The Military Balance, “It is pretty clear that Russian involvement showed the integrated use of capabilities including rapid deployment, electronic warfare, information operations, special-forces capabilities and cyberspace communications, targeted at both domestic and foreign audiences.”

The internet is clearly being used to manipulate the information environment, and this includes Islamic State in Iraq and Syria, which is using it for political, strategic and military gain. The IS “cyber caliphate” recently released hacked information about 1400 US personnel, including members of the Marine Corps, Nasa, the State Department, Air Force and FBI, and encouraged its supporters to conduct attacks against them (the hit list included Australians and one Kiwi). The US struck back, killing a prominent IS hacker in an airstrike in Syria in August. Intercepted electronic communications point to a terrorist bomb almost certainly bringing down the Russian airliner over the Sinai Peninsula in Egypt on October 31. Although the Sinai affiliate of IS in Syria has claimed responsibility, agencies are still analysing IS “chatter” online as part of the process of identifying the perpetrators.

Fifth domain of warfare

Such interceptions are part of the high-tech warfare that is increasingly influential in the contemporary security environment. Cyberspace has become the fifth domain of warfare – it joins land, sea, air and space-based operations in the theatre of conflict.

When states talk about being able to conduct “full spectrum” operations, they are referring to cyber warfare operations influencing, interacting with and enhancing land, sea, air and space operations.

Imagine a scenario in which US hackers on instruction from the US Government hack into Chinese computer systems and implant malicious software that under a specified electronic command would render Chinese internet and telecommunications networks inoperable. What if China retaliates by doing the same? This might sound fanciful but it is clearly possible.

These kinds of fears have been driving policy in some countries. When the US and Australian governments blocked Chinese telecoms company Huawei from supplying broadband infrastructure in their respective jurisdictions, that was the sort of thing they were concerned about. New Zealand intelligence agencies didn’t appear so worried – they gave a tentative green light to Huawei’s contract to provide broadband infrastructure.

Concerns that US hardware and software sold and installed in foreign countries might enable the US to strike pre-emptively at its adversaries’ communication systems have been voiced numerous times in commentary on cyber security, including by National Security Agency (NSA) whistleblower Edward Snowden. According to recent disclosures, the Obama administration has growing ranks of “cyber warriors” conducting digital penetration of foreign networks.

Such pre-emptive acts of cyber subversion against foreign networks could well be perceived and interpreted as acts of cyber warfare. Former US Deputy Defence Secretary William Lynn has acknowledged this, saying cyber operations are “just as critical to military operations as land, sea, air and space”.

Senior military officers are buying into this idea. The 2014-15 military strategies of the EU, US, Russia and China reveal that the integration of cyber tools with more conventional military instruments and platforms is regarded as a priority. The US Department of Defence cyber strategy, for example, says the US military “will enable combatant commands to plan and synchronise cyber operations with kinetic operations across all domains of military operations”. In other words, cyber offence and defence will be used alongside conventional military operations wherever they are taking place.

In October 2011, the New York Times reported that in advance of the air campaign against Colonel Muammar Gaddafi’s Libya, the US Department of Defence actively considered a barrage of cyber attacks against Libya’s surface-to-air missile capabilities and sites that would have protected allied aircraft. (This wasn’t implemented because of concerns over congressional approval and, importantly, fears that the US would be setting a dangerous cyber warfare precedent.)

High-tech cyber aircraft

Perhaps the most-cited example of cyber operations being used alongside conventional military methods is the Russia-Georgia war in 2008. In that case, the Russian land and air campaign was preceded by cyber attacks against the digital networks of Georgian Government ministries and military units, sowing confusion and affecting their ability to communicate. Arguably, this gave the advancing Russian offensive a significant military advantage. The same scenario played out against Ukrainian authorities during the illegal annexation of Crimea.

These are clear examples of how cyber attacks can amplify or multiply the effects of military operations. The cyber attacks themselves weren’t violent, but they considerably increased the capacity and ability of advancing Russian forces to undertake violent military offensives.

Recent developments in advanced military capabilities show this fifth domain of warfare emerging prominently.

A “cyber-pod” is being attached to the new US F-35 – which is already likely the most advanced and capable fighter aircraft in the world. This would protect the fighter from cyber attacks and electronic jamming, but also enable it to conduct cyber attacks against hostile targets by sending electronic signals and fooling hostile radar. Popular Science magazine has referred to this capability as “the world’s deadliest podcast”.

Another example is in the area of drone warfare, where there have been various attempts, some successful, to hack into drones.

The Iranian regime claimed to have used a cyber attack to bring down a US high-altitude reconnaissance drone through a technique called “spoofing” in which it sent the drone the wrong coordinates and tricked the machine into thinking it was landing at its base in Afghanistan when it was really landing in Iran.

The US Navy has also recently announced a tactical shift to what it calls “distributed lethality”. The strategy is partly designed to bypass Chinese cyber attacks against naval battle groups in the Pacific. Chinese A2/AD (anti-access, area denial) strategies are also well known for relying on cyber capabilities to do just that – deny access. Many US maritime platforms are carrying electronic jammers that could be used in surface-to-air combat and anti-submarine warfare against Russian and Chinese naval forces.

The real cyber space

Can cyber attacks influence space-based communications? There have been reports that the Chinese military is putting significant effort into developing the capability to conduct offensive cyber attacks against the US global positioning satellite (GPS) system.

The US has an advantage over China in that it has its own GPS system and, in the event of a conflict with the latter, could block China’s GPS access co-ordinates out of that system, making it difficult for the Chinese armed forces to conduct operations.

However, China is developing a rival satellite system to keep up with this potential domain of warfare. It recently launched two satellites into low orbit, which is where they will be able to do most damage if they are ever used for military purposes.

An article in Foreign Affairs claimed Chinese hackers recently gained access to the US National Oceanic and Atmospheric Administration (NOAA) network to disrupt data related to disaster planning and aviation that was being relayed from US satellites.

When we think about the wide range of systems that rely on satellites, including military operations but also telecommunications, the internet, the banking system and the monitoring of land, air, and maritime traffic, this is cause for concern.

A third conception of cyber warfare relates to militarisation – generally understood to be the process in which a state prepares for war. So, is the internet being used in preparation for wars and what are national militaries doing in this realm?

At a rhetorical level, cyber attacks are often framed in strategic-military terms. Leon Panetta, former CIA director and US Defence Secretary, has referred to the possibility of a “cyber Pearl Harbour”, and terms such as “weapons of mass disruption” are often heard. Simply referring to them in this way gives momentum to the process of militarisation.

In reality, some world-leading powers are investing heavily in developing not just defensive but offensive cyber security capabilities.

The Stuxnet virus, which is fairly widely acknowledged to have been developed by the US and Israel as part of an operation code-named “Olympic games”, and which was deployed against Iranian nuclear centrifuges, is a prominent example.

The consequences of the deployment of this kind of capability shouldn’t be underestimated. It has led Iran to accelerate its own cyber security capabilities and there are fears that these types of computer viruses can be reverse-engineered. In this respect, the militarisation of cyberspace may lead to cyber arms races, the pursuit of increasingly sophisticated cyber weapons and cyber security dilemmas. Stuxnet, for instance, was discovered after it had infected computers in more than 60 countries.

In testimony to the US Congress, General Keith Alexander, director of the NSA and commander of US Cyber Command, further acknowledged the reality of the US cyber strategy, suggesting that, “Cyber offence requires a deep, persistent and pervasive presence on adversary networks in order to precisely deliver effects” and claiming that, “When authorised to deliver offensive cyber effects, our technological and operational superiority delivers unparalleled effects against our adversaries’ systems.”

The aforementioned cyber strategy of the US Department of Defence also argues that the US military “should be able to use cyber operations to disrupt an adversary’s command and control networks, military related critical infrastructure and weapons capabilities”.

It’s worth remembering that the development of the internet itself was heavily influenced by the US military. The Advanced Research Projects Agency Network was an early data-packet switching system, known as Arpanet. Arpa later became Darpa, which is an agency of the US Department of Defence.

The other US agency that is much better known and which has taken a prominent and controversial role in cyberspace is the NSA – housed within Defence. Intelligence agencies and national security establishments have a massive stake in the internet’s operation, and these powerful organisations have taken a much more intrusive role, particularly in the post-9/11 environment.

Offensive strategies

More generally, we are seeing militaries in many countries taking an active role in cyber defence and offence. The Wall Street Journal cites at least 29 countries as having formal military or intelligence units dedicated to offensive hacking efforts. It says 50 states have bought off-the-shelf hacking software that can be used to subvert and spy on foreign networks.

The US Army has officially acknowledged cyber warfare as an element of strategic doctrine and has a dedicated cyber command (USCybercomm), which co-ordinates defensive and offensive cyber security operations for the US military – the navy, air force, army and marines.

The Chinese military also appears to be involved in developing offensive cyber capabilities. Close links between the People’s Liberation Army (PLA) and cyber attacks have been identified and the US Justice Department recently indicted five members of the PLA on charges of cyber espionage. The Chinese have a dedicated military unit responsible for cyber operations, the Chinese equivalent of the USCybercomm, known as PLA Unit 61398.

Myriam Dunn Cavelty, a prominent cyber security scholar, highlights that “Chinese authorities have stated repeatedly that they consider cyber space to be a strategic domain and by mastering it they may be able to equalise the existing military imbalance between China and the US more quickly.”

The militarisation of cyberspace is not just about how states are planning to fight wars. It may also affect what they do in peacetime, including how they plan to deter cyber attacks and how they might retaliate after a cyber attack.

Attack on sovereignty

Could cyber attacks ever cause a war? Are we likely to have an attack that could cause as much destruction as Pearl Harbour and propel one of the world’s great powers into a full-scale military conflict?

Two prominent cyber attacks demonstrate what’s possible. The first was conducted in 2007 by Russia-based hackers against Estonia and took down the networks of Estonian Government ministries, banks and media outlets. There was significant concern at the time that the intrusions could escalate into a much more serious crisis between Estonia, Nato (of which Estonia had been a member since 2004) and Russia. Estonian politicians said the intrusion was an attack on Estonian sovereignty. Estonian Prime Minister Andrus Ansip, for example, asked, “What’s the difference between a blockade of harbours or airports of sovereign states and the blockade of government institutions and newspaper websites?”

As a result of the cyber attacks against Estonia, Nato introduced its first policy on cyber defence early in 2008, which has regularly been updated. In September 2014, its policy was endorsed by allies to establish “that cyber defence is part of the alliance’s core task of collective defence … and that international law applies in cyberspace”.

More recent was the cyber attack on Sony Pictures in the US, allegedly by North Korean hackers, in response to the release of The Interview, a film with a fictitious plot to assassinate North Korean leader Kim Jong-un.

That attack showed how quickly malicious cyber activity can escalate into a serious diplomatic and economic crisis. Cinemagoers were threatened and the film’s release was cancelled, leading to a debate about free speech in the US. President Obama personally intervened and the US imposed sanctions on North Korea. It is also possible there was a cyber-retaliation by the US against North Korean digital networks that rendered them inoperable for a time.

Such examples show cyber attacks can cause or threaten to escalate conflict and that measures are needed to stop this happening.

Not an island

What implications are there for New Zealand if we accept that cyber warfare is an increasingly salient feature of the international environment? First, it’s clear our Government takes cyber security seriously. Extra resources have been made available and legal frameworks put in place, including controversial powers to detect and intercept cyber intrusions into New Zealand’s digital networks under the GCSB Bill, 2013. Rebecca Kitteridge, the director of the SIS, has said she is “grateful” for the extra $20 million in Government funding over four years. SIS and GCSB Minister Chris Finlayson said the money would be partly used for strengthening cyber security services for the Government and critical infrastructure organisations. Sustained investment in education and training for Government cyber security personnel will also be essential in this changing international environment.

Given the way cyber threats are evolving, guarding against economic and corporate cyber espionage – which appears to be the main focus so far in New Zealand – may not be enough. The country must also take the issue seriously from a military perspective. Having sent another deployment of Kiwi armed forces to Iraq, it’s clear information security is a vital part of that operation. Our troops must be able to communicate safely and securely.

As a small state with limited resources, it would be foolish to follow the lead of other countries in developing offensive cyber security capabilities. A defensive cyber security strategy would seem the correct approach. Nevertheless, the Defence White Paper 2015 and the new National Cyber Security Strategy, both due for release by the end of the year, will probably pay heed to the growing challenge of cyber warfare. It is not an option to brush the issue under the carpet.

New Zealand also has an opportunity as a non-permanent member of the United Nations Security Council and through our Asia-Pacific security partnerships, to push for international prohibitions on cyber warfare. We may not see a big UN-level agreement on cyber security, but we can have a role in the emergence of norms of behaviour in cyberspace through sustained engagement on the issues. Cyber warfare is already a reality, but there may be just as many opportunities for co-operation as there are for conflict.

Dr Joe Burton is a lecturer in international relations and international security at Victoria University of Wellington.

Easy as USB

The potential for cyber attackers to cause major damage and disruption to New Zealand is real.

by Peter Griffin

Hackers exploit security weaknesses in the web browsers and operating systems we use daily, allowing them to gather data without our knowledge. Botnet attacks take control of insecure, virus-infected computers to flood websites with requests for information, overloading servers and internet connections.

The distributed nature of the internet means attacks can come from anywhere, routed through proxy servers to mask the attackers’ identities. Ones and zeros are rearranged for the purposes of intelligence gathering, espionage and, in the most extreme cases, damaging critical infrastructure such as electricity networks and military installations.

Often the techniques employed are remarkably simple. The Stuxnet attack came to light in 2010 and involved hackers infiltrating Iran’s nuclear facilities, manipulating its internet-connected control systems to damage the centrifuges Iran was using to enrich uranium.

How did they get in? US security expert Ralph Langner is a world expert on Stuxnet and has examined the computer code crafted by the attackers. He found that they bypassed Iranian defences by targeting trusted engineering contractors who visited the nuclear facilities. The attackers infected the contractors’ computers with malicious and self-replicating code, and this was then unwittingly spread when the contractors plugged USB sticks into computers at the nuclear facilities. It’s an old trick for hackers, but it still works.

The Stuxnet attack, however, had the fingerprints of a sophisticated military operation. The techniques used would only have worked when coupled with the sort of knowledge a state intelligence agency could assemble. That’s where the tools of cyber warfare become extremely powerful – when the motivations and resources of world powers are factored in.

“The future is burdened by an irony,” writes Langner in his detailed report on the cyber attack on Iran’s nuclear programme. “Stuxnet started as nuclear counter-proliferation and ended up opening the door to proliferation that is much more difficult to control – the proliferation of cyber-weapon technology.”

We haven’t heard about another Stuxnet – not yet, anyway. In the cyber-security world, they talk about an “advanced persistent threat” – attackers gaining access to a network and remaining undetected, gathering data or waiting for the right moment to do serious damage. They are no doubt out there, somewhere, waiting to send the activation codes.

We saw such disruption as early as 2007 when a war of words between Russia and Estonia over the Bronze Soldier of Tallinn, a controversial Soviet-era war memorial, ended with what has come to be known as Web War I – the first major cyber attack targeting an entire country. (See main story.)

The denial-of-service offensive on Estonian Government websites, major banks and media outlets in April 2007 temporarily took the tiny country off the internet. Direct involvement in the attack by the Russian Government was suspected but never confirmed. It’s the same story when it comes to the “Titan Rain” attacks on US Federal agencies such as Nasa and the FBI by hackers allegedly working for the People’s Liberation Army of China.

The problem with this new form of warfare is that many of the tools of attack are also used by criminals trying to steal your identity, hacktivists mounting protests and government cyber warriors looking to harvest their enemies’ secrets.

As our critical infrastructure becomes more interconnected, with smart grids more efficiently managing our power networks and the centralisation of our transport systems, the potential to cause major damage and disruption on a national level is increasing.

The tools of cyber warfare will evolve as we increasingly adapt to cloud computing and the internet of things (IoT, the network of connected sensors and other devices).

But at their core those tools will continue to exploit the most basic flaws and weaknesses in computer systems – and in the humans who use them.
