Leadership: America Legalizes Cyber War


December 18, 2011: The U.S. Congress approved a new law on December 14th that allows the Department of Defense to conduct offensive Cyber War operations in response to Cyber War attacks on the United States. That is, the U.S. military is now authorized to make war via the Internet. The new law stipulates that all the rules that apply to conventional war also apply to Cyber War. This includes the international law of armed conflict (meant to prevent war crimes and horrid behavior in general) and the U.S. War Powers Resolution (which requires a U.S. president to get permission from Congress within 90 days of entering into a war).

The U.S. Department of Defense has long advocated going on the offensive against criminal gangs and foreign governments that seek (and often succeed) to penetrate U.S. government and military Internet security, steal information, or sabotage operations. Over the past year, and without much fanfare, the Department of Defense has been making preparations to do just that.

Since the military cannot afford to pay enough to recruit qualified software and Internet engineers for this sort of work, it has turned to commercial firms. There are already some out there: companies that are technically network security operations but will also carry out offensive missions (often of questionable legality, but that has always been an aspect of the corporate security business).

Some of these firms have quietly withdrawn from the Internet security business, gone dark, and apparently turned their efforts to the more lucrative task of creating Cyber War weapons for the Pentagon. It may have been one of these firms that created, or helped create, the Stuxnet worm.

An Internet worm is a computer program that constantly tries to copy itself to other computers. Stuxnet was a worm designed, very skillfully, as a weapons-grade cyber weapon, the first "real one," as Internet security experts came to call it. While released in late 2009, Stuxnet was not discovered until a year later, and engineers are still dissecting it and continue to be amazed at what a powerful Cyber War weapon it is. Stuxnet is the first live example of a first-class Cyber War weapon, which means more are on the way (or sitting on someone's hard drive waiting to be deployed).

The success of Stuxnet, and similar worms believed to be out there, may be responsible for more Internet security companies moving over to the Cyber War weapons business. The most dangerous Cyber War weapons are those that, like Stuxnet, take advantage of largely unknown Internet vulnerabilities. These allow the attacker access to many business, government, and military computers. This sort of thing is called "using high value exploits" (flaws in code that are not yet widely known). Finding these exploits is expensive, and using them requires even more skill. For a long time, a major source of exploits was hackers for hire. These are skilled hackers who know they are working on the wrong side of the law, and know how to do the job, take the money, and run. This situation has developed because organized crime has discovered the Internet and the relatively easy money to be made via Internet extortion and theft.

But now commercial firms are hiring hackers and paying them good money to find and "weaponize" these exploits. It is believed that those nations that have Cyber War organizations maintain arsenals of exploits. But exploits have a short shelf-life. Nearly all exploits eventually come to the attention of the publisher that created the exploitable software and get fixed. 

However, not every user applies the "patches", so there will always be some computers out there that are still vulnerable. But that makes "zero day exploits" (discovered and used for the first time) very valuable. That's because you can use these exploits on any computer with the flawed software on it. While your average zero day exploit costs up to $100,000, or more, to discover, it is not useful for very long. Thus it is expensive to maintain an exploits arsenal, as you must keep finding new exploits to replace those which are patched into ineffectiveness.

Most of the Internet combat so far has been done under peacetime conditions. In wartime it's possible (especially for the United States) to cut off enemy countries from the Internet. Thus potential American foes want to maintain an official peacetime status, so the United States cannot use its ability to cut nations off (or nearly off) from the Internet, and remove easy access to American (and Western) targets. Thus the need to make attacks discreetly, so as to make it more difficult for an enemy to target stronger attacks against you, or threaten nuclear or conventional war.




