Chapter 8: Into Cyberspace
 
    …Cyberwarfare has thus far apparently been limited to simple hacking. When China and Taiwan have a spat, there is often a fair amount of defacing of web sites (replacing what should be on the web page with something less flattering) and denial-of-service attacks (the floods of messages that overwhelm servers and knock sites offline). In 2007 the problems of tiny Estonia seemed to be a possible case of low-level cyberwar. The Estonians had had the temerity to move a giant statue put up during the Cold War by the Soviet Red Army to honor itself. Known in Tallinn as “the only Russian soldier who did not rape in 1945,” it was seen by Estonians, not as a symbol of their 1945 liberation, but as a testament to their 1945–1990 oppression and occupation. When it was moved, Estonia’s networks and web sites were assaulted with defacements and denial-of-service attacks that went on for weeks. The attacks were easily traceable to Russia, where the government said it must be private citizens doing it and added that it was incapable of doing anything to stop them. (Oh, so limited are the enforcement capabilities of the KGB’s successors under Putin.)
   

    Cyberwarfare, however, may be grander stuff than what we saw going on in Estonia and Taiwan. A possible window into the potential of cyberwarfare may have been opened when Israel flew F-16s and F-15s into Syria in 2007. News reports indicate that Syria’s expensive Russian radar and apparently never saw the attack. Aviation Week magazine suggested that a cyberwarfare capability similar to a U.S. program known as Suter could have allowed the attackers to take over the defense’s radar screens and eliminate any indications of the attacking aircraft. It could be similar to the scene in the movie Ocean’s 11 where the hacker replaces a video feed of a vault looking nice and safe while the vault is actually in the hands of the gang. Around the same time as the Israeli attack on Syria, USA Today and CNN reported that U.S. government researchers had experimented with a way of damaging electric power generators by hacking from the internet into the internal network running the Supervisory Control and Data Acquisition (SCADA) software that controls the generator. Spin a big electric power generator at the wrong speed, and it can go crashing off its moorings and break apart.39 Theoretically, one could also try the Ocean’s 11 technique on a section of a power grid. If you could get into the grid’s SCADA system, you could perhaps send instructions to transformers and switches that would trigger a blackout, while all the while the control room’s dials would show that things were normal. But how could you get into such a network? I am tempted to say let me count the ways, but I will merely note that some power grids actually send SCADA commands via radio. Almost no utility companies use encryption or authentication on their networks, so that if you can get in, you can issue instructions. Guides to the software used on SCADA systems are not hard to get. A handful of SCADA software systems are used around the world.
   

    In January 2008 we saw the first hints that this threat had gone from theory to reality. A CIA spokesman told an audience at a summit on SCADA security that a series of attacks had occurred against foreign utilities involving intrusions through the internet, followed by extortion demands. The CIA spokesperson said that “in at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the internet.”
   

    ….Although the extent of the problem of reliance upon insecure computer systems is beginning to be understood broadly, government has yet to act decisively to address it. The National Strategy to Secure Cyberspace, signed by the President in 2003, sat gathering dust, unimplemented for four years. The public-private partnership that created the strategy withered, largely because the private sector lost faith in its partner because of the government’s inaction.
   

    Then as 2007 wore on, stories leaked that an intrusion into the network in Secretary of Defense Robert Gates’s own office had been traced back to China. German Chancellor Angela Merkel’s office reported her system had also been hacked by a Chinese entity. British authorities were also tracking Chinese hacking, prompting MI5 (the British Security Service) to send an advisory to the top three hundred British corporations telling them that in all probability their networks were already penetrated by China. The warning did not suggest that it was Chinese individuals, but rather the Chinese government, saying it was an “electronic attack sponsored by Chinese state organizations . . . designed to defeat best-practice IT security systems.”
   

    Private-sector IT security experts were finding evidence of Chinese hacks everywhere, including an ingenious Trojan-horse program embedded in digital picture frames sold at electronics stores across America, such as BestBuy. When you connected the digital picture frame to your computer to download your photos, the picture frame uploaded a program into your computer that disabled antivirus programs, found all of your passwords, and sent them to China. The picture frame was, of course, made in China. The results of the investigation of the hacking into the Pentagon reportedly led Admiral Mike McConnell, the second person in the job of Director of National Intelligence, to hit the alarm bell. Rumors spread that China was well inside sensitive and classified U.S. networks, casting doubt on the Pentagon’s current and future plans based on “net centric warfare.” According to one U.S. Air Force officer, the new “Byzantine series (of attacks) tracks back to China.”
 
 