Hollywood scriptwriters and political leaders paint vivid pictures showing the dangers of cyber-war, with degraded communications networks, equipment sabotage, and malfunctioning infrastructure. But the latest nation-state attacks appear to be aiming for the intangibles—with economic, political, and social impact. So long as the default assumption focuses on things exploding, we remain unprepared to deal with the fallout from information warfare.
The latest revelations—and indictments—about Russian involvement in the 2016 United States presidential election highlight how digital attacks can be used against intangible targets, such as faith in social and traditional media, and confidence in the integrity of elections.
Disinformation is the latest weapon in the arsenal. The Soviets were really good at information warfare during the Cold War and the Russians today are proving to be quite adept at using the Internet to speed up the spread of false information without being obvious about their activities.
Former Defense Secretary Leon E. Panetta raised the spectre of a “cyber-Pearl Harbor,” an audacious digital attack with far-ranging consequences in the physical world, in a 2012 speech at New York’s Intrepid Sea, Air and Space Museum. “They could, for example, derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country,” Panetta said at the time.
Cyber-attacks can have physical impact, but many of them tend to be more disruptive than destructive. Malware can take production plants offline, shut down the electric grid and cause power outages, and disrupt operations by compromising safety controllers in industrial control systems. The list of recent nation-state attacks—which includes the Russians going after Yahoo and the Chinese in the breach of the Office of Personnel Management—shows that actors are targeting commercial networks and public infrastructure using a variety of different methods.
Or perhaps not. Organizations may still be thinking about physical damage or impact, but attackers appear to have moved on to less overt activities that can still sow confusion and cause chaos. The combination of traditional methods and digital attacks lets the attackers still maintain a degree of deniability.
“Thus far, however, cyber weapons seem to be oversold, more useful for signaling or sowing confusion than for physical destruction,” Joseph Nye, former assistant secretary of defense and current professor at Harvard University, recently wrote in a column on Project Syndicate. “More a support weapon than a means to clinch victory.”
New Attack Tactics
Nye wrote that hybrid warfare blends conventional weapons, economic coercion, information operations, and cyber attacks. That sounds a lot like what is currently happening, with different tools being used in a variety of ways to spread false information. Focusing on physical damage and overt military exercises means attacks get missed. There is no sophisticated malware or breach to detect.
“[Cyberattacks] can be used to undermine more than banks, databases, and electrical grids—they can be used to fray the civic threads that hold together democracy itself,” New York Times reporter David Sanger wrote in The Perfect Weapon.
Even the attacks against the electric grid in the Ukraine, which led to hours-long blackouts, appear to be part of a larger Russian operation to make the Ukrainian government look weak and ineffective. The operation, widely believed to be the digital aspect of Russia’s (unofficial) war with Ukraine, includes flooding Ukrainian media outlets with Russian disinformation.
There are several steps to make the U.S. tougher and more resilient against disinformation—encouraging campaigns and parties to improve basic cyber hygiene such as encryption and two-factor authentication, and working with companies to shut down social media bots—but they depend on organizations changing their views on what an attack would look like. Just as in basic information security, organizations need to make the attacker’s work more costly than the benefits the attacker would get.
“Above all, the US must demonstrate that cyber attacks and manipulation of social media will incur costs and thus not remain the perfect weapon for warfare below the level of armed conflict,” Nye said.