The US Defense Science Board report of 2013 states that “in a perfect world, DOD operational systems would be able to tell a commander when and if they were compromised, whether the system is still usable in full or degraded mode, identify alternatives to aid the commander in completing the mission, and finally provide the ability to restore the system to a known, trusted state. Today’s technology does not allow that level of fidelity and understanding of systems.” The report brings out that, systems such as automated intrusion detection, automated patch management, status data from each network, and regular network audits are currently unavailable. A cyber-attack against critical national infrastructure could therefore have a cascading effect upon economy, society, and government in ways difficult to understand, model or predict.
In cyber warfare, it has been claimed that opponents can distract, disrupt, and demoralize a nation by skilful use of cyber tools, timing, surprise, and an adversary’s specific vulnerabilities. These vulnerabilities are not restricted to military targets; the ability to attack civilian targets such, as public utilities or financial sector can be far more dangerous and subsequently more effective, at discouraging and deterring potential adversaries because of its immediate social and political effects.Theoretically at least, an adversary may not need kinetic weapons to render a nation incapable of defending itself. On the other hand, it has not been feasible to assess the real cyber warfare capabilities of nations because these have never been used in large scale war-fighting resulting in serious damage or led to a full scale war between nations.
It is reasonable to presume that current tools of war would continue to be utilized for achieving military objectives simply because cyber-attack in its current form exists as a one time gambit, since cyber weapons are transient and last only until the breaches are plugged. There is no doubt that delay and denial can be achieved to a large extent but whether that would lead to a victory on ground is a fact yet to be seen.
It has been brought out, as per a Mandiant Consulting report, that the mean time an intruder remained in the victim’s system undetected was 205 days in 2014 and 146 days in 2015. This highlights the use of cyber warfare to remain undetected in a system to prepare for a strike by infiltration, location of weak spots and leave cyber weapons for a preemptive strike to destroy networks and information systems.
Pure military planning and countermeasures would not be able to play a critical role in cyber security because of the civilian nature of cyberspace and the predominantly non-military nature of the nebulous attacker. Much of the cyber expertise and resources required to defend information infrastructure are located outside of military establishments. Creating a credible cyber capability is less about technology than finding the right people and skill sets, which can be difficult for militaries.
Realm of Cyber Attacks
Some examples that highlight the distinct types of cyber attacks as relevant to national security are in order now. These are cited to highlight the extent of cyber reach from dedicated attacks on strategic assets to tactical military operations to criminal activities like ransom.
One is the well-known Stuxnet strike, which required tremendous amount of resources, brainpower, and planning time. It falls under the one time gambit with major nations already on guard against similar strikes on their critical strategic facilities.
In 2009, the Conficker worm infected civil and defence establishments of many nations, for example, the UK DOD reported large-scale infection of its major computer systems including ships, submarines, and establishments of Royal Navy. The French Naval computer network ‘Intramar’ was infected, the network had to be quarantined, and air operations suspended. The German Army also reported infection of over a hundred of its computers. Conficker sought out flaws in Windows OS software and propagated by forming a botnet, it was very difficult to weed it out because it used a combination of many advanced malware techniques. It became the largest known computer worm infection by afflicting millions of computers in over 190 countries.
There was a cyber-attack in December 2015 against energy distribution companies in Ukraine, which led to massive power outages and affected huge civilian population. This achieved high visibility while using an old Trojan BlackEnergy and other malware to shut down critical systems and wiping out data.
In February 2016, the Hollywood Presbyterian Medical Center in Los Angeles, California was the victim of a cyber attack that encrypted its electronic data rendering its systems unusable for over a week. The hospital was forced to operate with no access to its computer systems and even had to move some patients to other hospitals. Staff relied on fax machines and telephones to keep hospital operations moving. The hospital regained access to its data only after paying a fee of 40 bitcoin (approximately USD 17,000) to the attackers. In March 2016, Methodist Hospital in Henderson, Kentucky, experienced a similar attack and declared a “state of emergency” being unable to access patient files. Methodist Hospital was able to restore their system from data backups and did not pay the attackers. Since 2014, the CryptoLocker ransom ware alone has allowed cyber criminals to collect over $100 million.
While illustrating the wide ambit under which cyber-attacks take place and the enormous cyber space that requires protection, the above examples also highlight the inevitable ease of threat to civilian space. Cyber war, if unleashed in entirety, could encompass strategic, tactical, financial, social, and psychological space among others. It would thus be waged beyond a traditional military war on the borders.
An area of immediate concern for the military is Autonomous systems; for a system to be autonomous, it must have the capability to independently compose and select among different courses of action to accomplish goals based on its knowledge and understanding of the environment.
Autonomous decision-making resides in software replete with branching logic and tables of variables and parameters, which together, model the mission to be accomplished, the environment in which it must be executed, and the conditions that are relevant. The more complex the mission and the more diverse the environment, the more extensive and complex is the software. Autonomous systems also have organic sensors, a considerable amount of stored information, and optional communication for some supervisory functions, along with a capability to receive and implement over-the-air updates. These systems present an ideal target for the adversary. Thus, more the capabilities, more the software, and hence greater the vulnerability. To weed out the intruder in complex software and eradicate vulnerabilities which may or may not have been introduced by the attacker would require validation and verification, which may not be humanly possible in the time available.
It is evident that the amount of data and the speeds at which processing is required in case of cyber-defence is not feasible for human beings to carry it out. Conventional algorithms also cannot tackle dynamically changing data during a cyber-attack. As it appears today, effective cyber-defence would only be provided by real-time flexible Artificial Intelligence systems with learning capability. This in simple terms requires using Artificial Intelligence systems at practically every stage of military operations.
As of penning this article, a code of Mirai malware was released by a hacker, which has resulted in the largest ever DDos attack across countries. Mirai malware is used to create botnets that infect Internet of Things devices connected to the internet. It is said that about 1.0 to 1.5 million devices have been infected so far with numbers rising every second.
Nations have to think differently if cyber-attacks are to be defended against effectively. During an international conference on Electronic Warfare in Kuala Lumpur recently, delegates weresurprised to note that the Indian Government had been following a policy of segregating internet-connected computers from those that carried important information. Much of the software being developed for cyber-defence is being sent over the web from India albeit under IPR of different nations. Time is ripe for India to harness and synergies both cyber-attack and cyber-defence capabilities.