With the disclosure of classified information, WikiLeaks appeared to be
launching an assault on state authority (and more particularly, that of the United States,
though other governments were also identified). Confronted with WikiLeaks’s
anti-sovereignty slant, the institutions of traditional commerce soon
responded. None of the affected governments ordered any actions, but the
combination of governmental displeasure and clear public disdain for Assange
soon led a number of major Western corporations to withhold services from
WikiLeaks. Amazon.com reclaimed rented
server space that WikiLeaks had used, and PayPal and MasterCard stopped
processing donations made to WikiLeaks.[3]
What soon followed might well be described as the first cyber battle
between non-state actors. Supporters of WikiLeaks, loosely organized in a group
under the name “Anonymous” (naturally), began a series of distributed
denial-of-service (DDoS) attacks on the Web sites of major corporations that
had taken an anti-WikiLeaks stand.[4] (A DDoS attack uses many computers to flood an opponent’s server with incoming
communications, preventing legitimate efforts to connect to the server by
sucking up bandwidth.) The Web site of the Swedish prosecuting authority (who
is seeking Assange’s extradition to Sweden to face criminal charges)
was also hacked. Some of the coordination for the DDoS attacks was done through
Facebook and Twitter.[5] Meanwhile, other supporters created hundreds of mirror sites, replicating
WikiLeaks content, so that it could not be effectively shut down.[6] The hackers even adopted a military-style nomenclature, dubbing their efforts
“Operation Payback.”
When “Anonymous” attacked, the targets fought back. The major sites used
defensive cyber protocols to oppose Anonymous. Most attacks were relatively
unsuccessful-the announced attack on Amazon.com, for example, was abandoned
shortly after it began because the assault did not succeed in preventing
customers from accessing the Web site. Perhaps even more tellingly, someone (no
group has, to this author’s knowledge, publicly claimed credit) began an
offensive cyber operation against Anonymous itself. Anonymous ran its
operations through the Web site AnonOps.net, which was subject to DDoS
counterattacks that took it offline for a number of hours.[7] In short, a conflict readily recognizable as a battle between opposing forces was
waged in cyberspace almost exclusively between non-state actors.[8]
The failure of Anonymous to effectively target corporate Web sites, and
its relative vulnerability to counter-attack are likely only temporary
circumstances. Both sides will learn from this battle and approach the next one
with a greater degree of skill and a better perspective on how to achieve their
ends. Indeed, Anonymous has made quite clear that it intends to continue to
prosecute the cyberwar against, among others, the United States.
“It’s a guerrilla cyberwar-that’s what I call
it,” says Barrett Brown, 29, a self-described “propagandist” for Anonymous.[9] “It’s sort of an unconventional asymmetrical act of warfare
that we’re involved in, and we didn’t necessarily start it. I mean, this fire
has been burning.” Or, consider the manifesto posted by Anonymous, declaring
cyberspace independence from world
governments: “I
declare the global social space we are building together to be naturally
independent of the tyrannies and injustices you seek to impose on us. You have
no moral right to rule us nor do you possess any real methods of enforcement we have true reason to fear.”[10]
In advancing this agenda, the members of
Anonymous look somewhat like the anarchists of the late 19th and early 20th
centuries-albeit anarchists with a vastly greater network and far more ability
to advance their agenda through individual action.[11] But even more, they look
like the non-state insurgents the U.S.
has faced in Iraq and Afghanistan-small
groups of non-state actors using asymmetric means of warfare to destabilize and
disrupt existing political authority.
Implications for Cyberspace Conflict
The question is: How will governments respond? Are U.S.
policymaking systems nimble enough to come to grips with the asymmetric
empowerment of the Net? More profoundly, has the growth of cyberspace begun a
challenge to the hegemony of nation-states that has been the foundation for
international relations since the Peace of Westphalia? Policymakers ought to
learn at least three lessons about the state of conflict in cyberspace:
- Asymmetric warfare is here to stay. The Anonymous
challenge to large corporations and to governments worldwide is, in the end,
inherent in the structure of the Internet. That structure allows individuals and
small groups to wield power in cyberspace that is disproportionate to their
numbers. Similarly, states can use electrons to do their fighting for them
rather than sending armies into battle. States can also use non-state actors as
proxies or mimic the activities of cyber insurgents to hide a government hand
behind malicious activities. (It is suspected that China
and Russia
do precisely that.)
This description of the correlation of forces in cyberspace is, in many
ways, congruent with similar analyses of the physical world. Terrorists enabled
by asymmetric power (IEDs and box cutters) have likewise challenged traditional
state authorities. And just as Americans must learn to deal with these kinetic
insurgent challenges, so too must they respond to cyber insurgency.
- Current capabilities of non-state actors are weak but
improving. The current capabilities of organized non-state
actors in cyberspace are relatively modest. While DDoS attacks can be a
significant annoyance, they are not an existential threat. This state of
affairs is unlikely to hold for long. As the recent Stuxnet computer virus
demonstrates,[12] significant real-world effects can already be achieved by sophisticated cyber actors.
It is only a matter of time until less sophisticated non-state actors achieve
the same capability. - Attribution is always a challenge. Determining the origin of an attack can be
problematic. Sending a message from a digital device to a provider is akin to
mailing a letter. The service provider acts as an electronic carrier that sends
the message through routers and servers which deliver the message to the
targeted computer. The “attacking” computers may have been hijacked and be under
the control of a server in another country. An attacker may disguise its
locations by circuitous routing or masking the message’s source identification,
similar to fudging a letter’s return address and postmark. A cyber insurgent may
strike several countries, multiple Internet service providers, and various telecommunications
linkages, all subject to varying legal requirements and reporting standards, which
makes tracing the source extremely difficult.
Overcoming these difficulties by technical means alone is a vexing
problem-and an unnecessary one. The U.S.
government should use all techniques
in its arsenal to exploit the weaknesses of America’s enemies.
Counterinsurgency
v. Cyber Insurgency
The problem of dealing with non-state actors like Anonymous resembles, in
structure, the problem of dealing with a non-state insurgency on the ground in Iraq or Afghanistan,
or with a state-sponsored proxy like the Iranian-backed Shia groups in Iraq. There
are, of course, significant differences between the two domains. In the “kinetic”
world, the goal of an insurgency is often the overthrow of an existing
government. As the U.S. Army’s Counterinsurgency Field Manual puts it: “Joint
doctrine defines an insurgency as an organized movement aimed at the
overthrow of a constituted government through the use of subversion and armed
conflict. An insurgency is an organized, protracted politico-military struggle
designed to weaken the control and legitimacy of an established government,
occupying power, or other political authority while increasing insurgent
control.”[13] WikiLeaks-like insurgents seem to have a different aim-“independence” from
government. That independence is premised on weakening political authority over
the cyber domain. While the goals may be different, conceptually the challenges
pose many of the same problems-how to isolate fringe actors from the general
populace and deny them support and refuge and, most of all, the freedom to
attack at the time and place of their choosing.
In the past 10 years, the United
States has devoted significant resources to
the development of a counterinsurgency strategy for combating non-traditional
warfare opponents on the ground. COIN requires a complex mix of offensive,
defensive, and sustainment operations. In the context of a land-based
operation, U.S. doctrine has had to consider a range of issues, including
integrating military and civilian activity; collecting intelligence; building
up host nation security services; maintaining essential services in-country;
strengthening local governance; conducting offensive military operations; and fostering economic development. Each counterinsurgency campaign is
different and the building blocks will vary, but these and other aspects will
all play a critical role.
Elements of a
Cyber Insurgency Strategy
The U.S.
government has yet to develop an equivalent COIN strategy for cyberspace. The
American strategy must be much more expansive than treating cyber threats as
primarily a technical challenge. Concepts that might find their way into a
cyber insurgency approach to battling bad actors online include:
Collecting Intelligence. Dealing with cyber insurgents requires human intelligence (HUMINT) on
the operation of non-state actors in cyberspace. Rather than concentrating on
technical intelligence, “human intelligence” focuses on information collected
by human sources (such as through conversations and interrogations). HUMINT can
provide all kinds of information on the cyber insurgents, not only the
technical means of attack, but motivations, relationships, and
finances-identifying weaknesses and vulnerabilities in their network that might
not be available from merely deconstructing malicious software or looking
through the files of an Internet service provider. Indeed, HUMINT and related
intelligence tools may be the only means to positively attribute the source of
an attack-one of the most critical tasks in combating cyber insurgents. Current
U.S.
strategies give short shrift to the critical role of a more comprehensive
intelligence effort for cybersecurity. President Obama’s National Security
Strategy, for example, defines the mission of “securing cyberspace” exclusively
in terms of designing “more secure technology” and investing in “cutting-edge
research and development.”[14] The strategy includes no discussion of the role of intelligence in
cybersecurity.
Likewise, when Deputy
Secretary of Defense William Lynn outlined the five pillars of the Department
of Defense’s cyber strategy, he emphasized the technical aspects of the threat
and neglected to address the role of intelligence. Intelligence, however, could
be crucial to identifying how to weaken the threat other than merely shutting
down its servers. Good “ground” intelligence could be the precursor to other
means at affecting the enemy (means that might range from a “naming and
shaming” campaign to an assault on his financial assets to a direct attack).
Integrating Government and Civilian
Action. As in the kinetic world, much of the U.S.
effort will require coordination between military and civilian government
assets. In cyberspace, the situation has the added layer of complexity posed by
the need to coordinate with private-sector actors. President Obama’s National
Security Strategy rightly emphasizes the importance of public-private partnerships:
“Neither government nor the private sector nor the individual citizen,” the
strategy notes, “can meet this challenge alone.[15]
When coordinated action is done well, it can have a demonstrative impact. In one
recent case, the FBI worked with companies that had been identified as being
infected with a “botnet” program called Coreflood, malicious software that
infects Microsoft Windows-based computers and is designed to steal usernames,
passwords, and financial information. According to a court affidavit filed in
the case:
In one example, the chief information security officer of a hospital healthcare
network reported that, after being notified of the Coreflood infection, a
preliminary investigation revealed that approximately 2,000 of the hospital’s 14,000
computers were infected by Coreflood. Because Coreflood had stopped running on
the infected computers, the hospital was able to focus on investigating and
repairing the damage, instead of undertaking emergency efforts to stop the loss
of data from the infected computers.[16]
The Coreflood case and cooperative public-private
activities, such as the U.S. Computer Emergency Readiness Team (US-CERT)
program, demonstrate that despite the myriad legal, cultural, and bureaucratic
obstacles, effective cooperation is possible.
For a cyber insurgency strategy to be
effective, it is critical that the U.S. develop mechanisms for
ensuring that “successes” and “best practices” are translated into a suitable
doctrine and become part of the professional development of private-sector and
public-sector leaders. Among other needs will be demands for education,
training, and experience that qualify public and private actors to be real
cyber leaders. A doctrine that addresses public-private cooperation must be a
centerpiece of that strategy. No adequate effort to address this shortfall is
currently underway.
Building
Host Nation Cybersecurity. Strengthening the capacity of friends and allies for
network security and resilience has to be an essential part of counter-cyberinsurgency.
The more that nations with common purpose and values work together, the more
that can be done to shrink the cyberspace available to cyber insurgents. In the
case of the recent Coreflood investigation, for example, in response to a
request by the U.S. for
assistance from Estonia under
the Mutual Legal Assistance Treaty between the two countries, law enforcement
authorities there advised the FBI of the seizure of several additional computer
servers believed to be “predecessors” to Coreflood command-and-control servers
in the United States.[17] Estonia has
undertaken some of the most innovative efforts to protect its nation’s
cyber-infrastructure and deal with cyber crimes and cyber attacks. Estonia
counts as a first-class cyber ally. The U.S. could use many more such
allies. Washington
needs to encourage other nations to take similar steps to enhance their
capabilities. This might be done through innovative assistance programs, such
as the proposed Security for Freedom Fund (intended to assist other countries with
their development of homeland security systems), or by cooperative agreements
that model the U.S. SAFETY Act (which provides liability protection to
companies that develop innovative new technologies).[18]
The foregoing is just a start-other questions of resilience and offensive
operations will also need to be addressed. These kinds of initiatives reflect
how all the nation’s resources should be employed in the cyber war. To win the
battle for cyberspace, cyber strategy must become much more multifaceted. The U.S. can, as it did in Iraq, wait until the need for such
a strategy is brought home by failures on the ground. Or, the U.S. can, more wisely, see the
WikiLeaks war as a wake-up call and begin the necessary doctrinal thinking now.
[1]Portions of this paper are based
on a presentation made at the Ohio
State University
Law School
symposium “Cybersecurity: Shared Risks, Shared Responsibilities” in April 2011.
Those portions will also appear as part of a longer paper: Paul Rosenzweig, “Making Good Cybersecurity Law and
Policy: How Can We Get Tasty Sausage?” I/S:
A Journal of Law and Policy for the Information Society (forthcoming 2012).
[2]Department of the Army, “Counterinsurgency,”
FM 3-24, December 2006, at http://www.fas.org/irp/doddir/army/fm3-24.pdf.
[3]Ashlee Vance,
“WikiLeaks Struggles to Stay Online After Attacks,” The New York Times,
December 3, 2010, at http://www.nytimes.com/2010/12/04/world/europe/04domain.html?_r=1&ref=world (May 18, 2011).
[4]John F.
Burns and Ravi Somaiya, “Hackers Attack Those Seen as WikiLeaks Enemies,” The
New York Times, December 8, 2010, at http://www.nytimes.com/2010/12/09/world/09wiki.html?ref=todayspaper (May 18, 2011), and Joby
Warrick and Rob Pegoraro, “WikiLeaks Avoids Shutdown as Supporters Worldwide Go
on the Offensive,” The Washington Post, December 8, 2010, at http://www.washingtonpost.com/wp-dyn/content/article/2010/12/08/AR2010120804038.html?hpid=moreheadlines (May 18, 2011).
[5]Ashlee
Vance and Miguel Helft, “Hackers Give Web Companies a Test of Free Speech,” The
New York Times, December 8, 2010, at http://www.nytimes.com/2010/12/09/technology/09net.html?_r=1&hp (May 18, 2011).
[6]Ravi
Somaiya, “Hundreds of WikiLeaks Mirror Sites Appear,” The New York Times, December 5, 2010, at http://www.nytimes.com/2010/12/06/world/europe/06wiki.html?_r=1&ref=world (May 18, 2011).
[7]Christopher
Walker, “A Brief History of Operation Payback,” Salon.com, December 9, 2010, at http://www.salon.com/news/feature/2010/12/09/0 (May 18, 2011).
[8]The sovereign states were not, of
course, mere bystanders. Dutch police, for instance, have arrested one
suspected member of Anonymous. Tim Hwang, “WikiLeaks and the Internet’s Long
War,” The Washington Post, December
12, 2010, at http://www.washingtonpost.com/wp-dyn/content/article/2010/12/10/AR2010121007133.html (May 18, 2011). And, nobody can be certain that the counterattacks on
AnonOps.net were not state-authorized or state-initiated.
[9]Michael Isikoff, “Hacker Group
Vows ‘Cyberwar’ on US Government, Business,” MSNBC, March 8, 2011, at http://www.msnbc.msn.com/id/41972190/ns/technology_and_science-security (May 18, 2011).
[10]The manifesto was posted as a
YouTube video: “Anonymous to the Governments of the World-Web Censorship” April
25, 2010, at http://www.youtube.com/watch?v=gbqC8BnvVH (May 18, 2011).
[11]See Abe Greenwald, “The Return of
Anarchism,” Commentary, March 2011.
One possible additional point of comparison is that the 19th-century anarchists
were well known for their internal disputes. Much the same may happen to
Anonymous, as recent reports of internal divisions suggest. See “Trouble in Paradise for Hacker Group Anonymous?” Identity Theft
Assistance Center
(ITAC) Blog, March 23, 2011, at http://itacidentityblog.com/trouble-in-paradise-for-hacker-group-anonymous (May 20, 2011).
[12]The Stuxnet worm attacked and
infected a number of industrial facilities, including several nuclear
production facilities in Iran.
John
Markoff, “A Silent Attack, but Not a Subtle One,” The New York Times,
September 26, 2010, at http://www.nytimes.com/2010/09/27/technology/27virus.html?_r=1&scp=2&sq=stuxnet&st=cse (May 18, 2011). Opinions
diverge on the worm’s effectiveness and speculation runs rampant about its
origin.
[13]“Counterinsurgency,” FM 3-24, pp.
1-2.
[14]The Office of the President, “National
Security Strategy,” May 2010, p. 27.
[15]Ibid., p. 28.
[16]United States of America v. John Doe 1, John Doe
2…and John Doe 13,
U.S. District Court of Connecticut, April 23, 2011, p. 7, at http://www.wired.com/images_blogs/threatlevel/2011/04/Coreflood-47_Dec-Briana-Neumiller.pdf (May 20, 2011).
[17]Ibid.
[18]For a description of the
“Security for Freedom Fund,” see James Jay Carafano and Hal Brands, “Building a
Global Freedom Coalition with a New ‘Security for Freedom Fund,'” Heritage
Foundation Backgrounder No. 2336, February 4, 2009, at http://www.heritage.org/research/reports/2009/02/building-a-global-freedom-coalition-with-a-new-security-for-freedom-fund.
For a description of a proposal to use the SAFETY Act for international
capacity building in cybersecurity, see James Jay Carafano, Jena McNeill, and Paul Rosenzweig, “Using the SAFETY Act to Build a
Stronger U.S.-Israeli Terrorism-Fighting Partnership,” Heritage Foundation WebMemo No. 3077, December 8, 2010, at http://www.heritage.org/Research/Reports/2010/12/Using-the-SAFETY-Act-to-Build-a-Stronger-US-Israeli-Terrorism-Fighting-Partnership.