Cyber Triggers and The First Strike Dilemma

October 19, 2015

October is Cyber Security Month.

“I think at the moment that there’s not a significant price to pay [for cyber attacks] and so you see actors, nation states, individuals willing to do more.”[1] Admiral Michael Rogers, Director, National Security Agency, and Commander, U.S. Cyber Command

“Until we redefine warfare in the age of information, we will continue to be viciously and dangerously attacked with no consequences for those attackers.”[2] Lieutenant General (Retired) Michael Flynn, Former Director, Defense Intelligence Agency

NATO Secretary-General Jens Stoltenberg, during a March 2015 public statement, declared: “NATO has made clear that cyber attacks can potentially trigger an Article 5 [allied military] response.” The Secretary-General was reportedly reacting to recent Russian “hybrid” activities (cyber attacks perpetrated prior to and in conjunction with conventional military operations) in Crimea and Ukraine,[3] but the implications of his statement are much broader. Is it possible that an adversarial cyber event could trigger the onset of a larger cyber and/or kinetic conflict? If so, what would it look like? Can such an event be identified in time for an effective response? If not, is it possible that a “missed” cyber trigger, in the form of a surprise cyber first strike, could ultimately influence the fate of nations?

The potential for devastating cyber attacks against the United States has been the number one global threat listed within the 2013,[4] 2014,[5] and 2015[6] Worldwide Threat Assessments provided annually to Congress by the Director of National Intelligence (DNI).  The DNI’s 2013 assessment followed a year of warnings, provided at unclassified venues by cabinet-level officials.

Former U.S. Secretary of Defense (SECDEF) Leon Panetta, during an interview with ABC News in May of 2012, identified examples of cyber attacks that could trigger a war. “There’s no question,” he stated, “that if a cyber attack . . . crippled our power grid in this country, took down our financial systems, took down our government systems, that that would constitute an act of war.”[7] In a speech delivered to the Business Executives for National Security in October of the same year, Secretary Panetta acknowledged: “We know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout the country. We know of specific instances where intruders have successfully gained access to these control systems.”[8]

Former Secretary of Homeland Security Janet Napolitano, in a January 2013 speech at the Wilson Center (Washington DC), warned of a “cyber 9/11” against critical infrastructure for which we should be preparing.  “There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage,” she said while noting the potential for a large-scale loss of electricity.[9]  A few days later, during a PBS interview, she admitted that “cyber threats [have] moved to a new level,” identifying Iran, Russia and China as the biggest perpetrators of cyber attacks. She specifically mentioned her concerns associated with “the nation’s core critical infrastructure” – energy, telecommunications, and banking.[10]

It is thus evident that a cyber trigger or first strike, from an adversarial perspective, is expected to be an attack on critical infrastructure. The question, however, remains: how big and how effective must such an attack be to trigger a response?

The Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), in its end-of-year (2012) statistical review, stated that 41% of the incidents reported to it that year involved the energy sector. Indications derived from the study pointed to a change in adversarial focus toward the more vulnerable aspects of infrastructure, those whose disruption for long periods would be most devastating to the public. The attackers “zeroed in on computer systems run by power grid operators and natural gas pipeline companies.” Adding to the picture of malicious intent, the 2012 statistics included “a successful attack against a key supplier of energy control systems.”[11] Furthermore, in an announcement lacking in specifics, DHS disclosed “that an American power station . . . was crippled for weeks by cyberattacks.”[12]

Apparently while the ICS-CERT end-of-year report was being prepared, “a secret legal review” of America’s use of “cyberweapons” was under way. According to a February 2013 New York Times article, the legal assessment concluded that the authority to “order a pre-emptive strike” exists within the Office of the President, provided there is “credible evidence of a [pending] major digital attack”[13] against U.S. equities. Executive Order 13636, Improving Critical Infrastructure Cybersecurity,[14] and Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience,[15] were released on the heels of further press coverage of the “secret review.” Both were signed on February 12, 2013, the day of President Obama’s State of the Union Address, which also contained warnings of enemy attacks against the financial sector and the power grid.[16]

Executive Order 13636 was not without detractors. In response to its release, Brookings published Bound to Fail: Why Cyber Security Risk Cannot Simply be ‘Managed’ Away. The authors criticized the Executive Order as insufficient because of its reliance on risk management and voluntary participation. “Business logic ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation’s most critical installations.”[17] The same could be said of government. Mitigation against catastrophic critical infrastructure collapse, a “worst case” scenario that is nonetheless entirely achievable and, from an adversary’s perspective, desirable,[18] must not depend on risk management alone. History tells us that the worst case does happen; and in the context of conflict, the worst case is usually intentional.

Passive and patchy cyber defense is no longer enough to thwart major cyber attacks.[19] “We won’t succeed in preventing a cyber attack through improved defenses alone.”[20] Relying on cyber security professionals to locate, identify, and keep up with cyber threats is an increasingly expensive and “unsustainable” option.[21] Additionally, cyber defense models cannot catch everything. The scale of the threat to the energy sector alone can be seen in the level of support provided by ICS-CERT, which, according to its Year in Review for 2014, was more than double that of the previous year. The same report noted with “great concern” the ICS-CERT response to “multiple newly discovered cyber campaigns that had been ongoing for several years.”[22]

Detection of an imminent threat cannot depend on the chance discovery of ongoing “cyber campaigns.” As former SECDEF Panetta said, “If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President.”[23] If the “secret legal review” did indeed examine and acknowledge that the President has such authority, is the United States now well protected in the cyber realm?

Some might say yes. In January 2015, President Obama imposed new sanctions on North Korea as a result of the “hack” on Sony Pictures,[24] after vowing: “We will respond proportionately and in a space, time and manner that we choose.”[25] In April 2015 he signed Executive Order 13694, authorizing sanctions on those “responsible for or complicit in malicious cyber-enabled activities” that pose a “significant threat to the national security, foreign policy, economic health, or financial stability of the United States.”[26]

Others might disagree. In addition to the 2014 discoveries of long-term malware insertions,[27] cumulative attacks and delayed attribution continue to be a problem. The DNI’s testimony for the 2015 Worldwide Threat Assessment [28] included this admonition:

“The muted response by most victims to cyber attacks has created a permissive environment in which low-level attacks can be used as a coercive tool short of war, with relatively low risk of retaliation. Additionally, even when a cyber attack can be attributed to a specific actor, the forensic attribution often requires a significant amount of time to complete. Long delays between the cyber attack and determination of attribution likewise reinforce a permissive environment.”

Lieutenant General Flynn’s comment (at the beginning of this article) about hackers being encouraged because there are “no consequences”[29] reveals similar frustration.

Although increases in cyber intrusions have been noted in open-source for years, little (to the public’s knowledge) has been done offensively in the cyber or physical realms by the West (with the possible exception of Stuxnet[30]). Even with the most recent revelations of data theft,[31] the public remains unaware of the extent to which any counterattack has been attempted.

From hacker groups like “Anonymous” to actors (officially recognized or not) of nation-states, cyber attackers have been waging unofficial cyberwar at rising levels across the world’s networks. There has, however, been no definitive “line in the sand,” a point at which a response is assured.

It is understood that, regardless of attacker intent, adverse activities can have unintended consequences, especially when attacks are sequential and cumulative. Unpredictability in adversarial attack modes and capabilities must always be considered. Similarly, any response carries the possibility of introducing, or reacting to, an event that triggers a larger and less controlled cyber conflict, one that could lead to a full-scale kinetic war. This is no doubt a possibility that the White House is trying to avoid.

Yet the process of verifying a Presidential pre-emptive authority against impending cyber attacks would also indicate an understanding that a “worst case” cyber scenario has been considered, if not yet fully developed, by potential adversaries. As indicated by SECDEF Panetta, an attack against the electric grid,[32] if well-coordinated and sufficiently resourced, could have catastrophic effects on the population. Long-term regional or national power outages might mean large numbers lost to malnutrition, disease, and chaos. A year without power could result in the death of over two-thirds of the population within the affected area.[33] Such an attack is worthy of being labeled a trigger event in what would probably be a “cyber first strike.”

Counterattack under this type of scenario would be difficult and probably too late to be relevant. As in the 2008 Russian invasion of Georgia, where cyber attacks preceded and accompanied the kinetic campaign with only partial success,[34] a cyber first strike is intended to leave the victim vulnerable to a kinetic follow-on attack. Theoretically, a successful cyber first strike would leave a nation without hope of allied assistance and, ultimately, unable to maintain its sovereignty.

The leaders of NATO have reason to be concerned. The U.S. is already seeing adversaries in its critical infrastructure. These infiltrators have been given the opportunity to test their capabilities, knowing only that sanctions may eventually be applied.

Cyber triggers have already been “missed.” What’s next? Will sanctions be applied? Will pre-emptive action be taken? Or will an enemy’s cyber first strike (or cyber “take down”) spell the demise of U.S. national sovereignty in an inevitable, albeit short, cyber war?

Ms. Ayers was a speaker at The Mackenzie Institute’s recent conference on “Resilient Critical Infrastructure & Cyber Security”. This article was originally published in the first edition of The Mackenzie Institute magazine “Security Matters”.