War Stories

We’ve Entered a New Age of Cyberwar

A new Times report suggests the U.S. and Russia are in a hair-trigger cyber standoff.

Main building of the Beloyarsk Nuclear Power Station.
The main building of the Beloyarsk Nuclear Power Station, as seen from the Beloyarskoye Reservoir near Zarechny, Sverdlovsk Oblast, Russia.

So the United States is hacking Russia’s power grid, just as Russia is hacking ours, in ways that are more aggressive than in the past, according to a front-page story in Sunday’s New York Times. But what does it all mean? Is this hacking really much different from what’s gone on for many years? Does it boost the chances of a cyber arms race or a cyberwar?

One thing is clear: Cyberspace is now seen by officers and officials as just another “domain” of warfare—along with air, land, sea, and space. But there’s something different and more dangerous about this domain: It takes place out of sight, its operations are so highly classified that only a few people know what’s going on there, and it creates an inherently hair-trigger situation, which could unleash war in lightning speed with no warning.

All the major cyber powers—the United States, Russia, China, Israel, France, Britain, and perhaps to some extent, Iran, Syria, and a few others—have been able to hack into one another’s “critical infrastructure” (power grids, financial systems, transportation lines, water works, etc.), which have been hooked up to computer networks for the past 25 years. From time to time, these countries have actually hacked into these things.

In one sense, these intrusions are no different from any other form of intelligence gathering. In another sense, though, they’re very different. With cyber operations, once you’ve hacked into a network, you can disrupt or disable it. Exploring a network and destroying it involve the same technology, personnel, and know-how; it takes just one step—and next to no time—to go from exploring to destroying.

It’s this instantaneity that creates a danger. If a lot of countries are inside one another’s networks, if they’re all able to shift from just-looking-around to unleashing-an-attack in no time, and if these countries are capable of launching an attack and are susceptible to receiving an attack, then this creates a hair trigger. In a crisis, one or more of these countries might launch a cyberattack, if just to preempt one of the other countries from doing it first. The very existence of the implants makes a preemptive attack more likely.

According to the Times, the U.S. and Russia have those implants—those computer codes—in place; they’re ready to turn on.

There’s another disturbing development in cyberwar: The whole enterprise has slipped out of the oversight and control of our political leaders. Last summer, President Donald Trump signed a classified directive giving U.S. Cyber Command leeway to mount cyberoffensive operations at its own initiative. Before then, such operations—even tactical operations on the battlefield—had to be personally approved by the president.

The premise of the old policy—during the Bush II and Obama administrations—was that cyberweapons were something new: Their effects were somewhat unpredictable and could spiral out of control. Now, with the new directive, these concerns seem to have vanished—though it’s not clear why.

One consequence is that Cyber Command now feels less constrained about going on the offensive. And indeed, the Times reports—and my own sources confirm—the command has stepped up cyberoffensive operations, in frequency and scale.

The Times reports that Donald Trump wasn’t even fully briefed on the hacking of Russia’s power grid, in part because officials feared that he might “countermand” the order—suggesting the hack was in place before they told Trump anything about it—and that he might tell foreign officials about it, carelessly or otherwise. Whatever the reason, Trump wasn’t fully briefed because he didn’t have to be.

The Times story was co-written by David Sanger, who in 2012 landed the scoop about Stuxnet, the joint U.S.-Israeli program that hacked into Iran’s nuclear program and destroyed thousands of centrifuges, setting back the program by at least three years. The Times published that article after Stuxnet had already been blown. This new story describes a hack that is still going on.

In response to the disclosure, Trump tweeted that the Times had committed “a virtual act of Treason.” However, at one point in his story, Sanger writes, “Officials at the National Security Council declined to comment but said they had no national security concerns about the details” of his reporting. By contrast, Sanger’s Stuxnet story sparked a vast FBI investigation, which led to the indictment and prosecution of a four-star general and vice chairman of the Joint Chiefs of Staff, who was later pardoned by Obama.

A fair inference is that senior U.S officials wanted this new story to be published—wanted the Russians and other adversaries to know what we’re doing and to calculate the damage we could inflict on their power grids and other systems if we wanted. The hope, presumably, is that the disclosure serves as a deterrent—if the Russians launch a cyberattack on our critical infrastructure, we can launch an attack on theirs.

Richard Clarke, the former cybersecurity chief in President Bill Clinton’s White House and co-author of a forthcoming book on cyberwar called The Fifth Domain, said in an email, “The Trump administration may be trying to create a situation of Mutually Assured Destruction, similar to the 1960s strategic nuclear doctrine.”

However, Clarke added, “Cyber is different in many ways.” First is the issue of what strategists call “crisis instability”—the hair-trigger situation, in which one side might launch an attack, in order to preempt the other side launching an attack. There is also the uncertainty of “attribution”—the country attacked might not know for certain who planted the malicious code and might mistakenly strike back at an innocent party, thus triggering an inadvertent war.

U.S. Cyber Command was founded in 2009. It has since grown enormously, in size, scope, mission, and—since last summer’s directive—autonomy. Cyberoffensive technology has been around for much longer still. (The NSA invented this technology, and, by charter, the same four-star general or admiral who serves as director of the NSA—currently Gen. Paul Nakasone—is also the commander of CyberCom.)

However, the strategy of cyberwarfare—offensive or defensive—is still in a primitive stage. The personnel in CyberCom are well trained in computer code but not so much in strategy or history. Just months after the dropping of the first atomic bomb, in Hiroshima, strategically minded civilians started thinking through the implications of the new weapon—whether it altered the nature of warfare and, if it did, how to deter an adversary from dropping atom bombs in future wars and whether “winning” such wars was possible. Until very recently, the details of cyberwarfare were too highly classified for civilians to spark a dialogue, and so such questions remain unanswered—and, for the most part, unasked.

Cyberwar technology has evolved far more quickly than the thinking about how to use the technology in wartime. And, with last summer’s directive taking its use out of the control and supervision of our political leaders, the decisions to use it will be made entirely by the military officers who developed the technology—and whose budgets depend, in part, on its growing prominence.

Those now making the decisions are more prone to ask, “Can we do this?” than “Should we?” And that’s a risky new world.