By Toomas Hendrik Ilves (Berlin Policy Journal)
The digital era, with all of its benefits, has profoundly changed the security environment of liberal democracies. We face the potential destruction of national infrastructures and militaries in ways unimaginable a quarter century ago. Even the electoral process in a number of democracies has come under severe threat, with attempts to alter the outcomes of several elections in the past two years. The response should be a new “Cyber NATO,” a coalition of liberal democracies that better meets the ubiquity of threats. This will be difficult to achieve, yet the alternatives are worse.
Threats can affect anyone. A single Russian cyber operation, APT28 or “Fancy Bear,” has attacked servers of ministries, political parties, and candidates in the US, Germany, the Netherlands, Sweden, Ukraine, Italy, and France, and even the servers of the International Association of Athletics Federations, which is responsible for anti-doping monitoring in its sport. Military communications have also been targeted. Yet APT28 is but one of numerous groups from Russia alone. Nor is Russia the only authoritarian government seeking to increase its advantage through cyber operations. It is also clear that Iran has carried out its own offensive cyber operations. Chinese groups, primarily those affiliated with the People’s Liberation Army, have targeted militaries as well as the intellectual property of companies the world over.
In other words, the digital age has also ushered in an era of new security threats, perhaps imaginable but not seen until the past decade. Governments have been slow to respond; multilateral organizations such as NATO and the EU have been slower. International organizations such as the UN, meanwhile, have failed even to broker a treaty arrangement to prevent the use of digital weapons.
From Blocking to Hacking
Virtually every history of what is now known as “cyber war” or “cyber warfare” begins with an account of an attack on Estonia ten years ago. In 2007, the country’s governmental, banking, and news media servers were paralyzed by distributed denial-of-service (DDoS) attacks. People’s access to virtually all major online and digitally based services was blocked.
Cyber attacks have a far longer history, of course, but until then they were generally carried out for espionage, not to damage adversaries or make a political point. This case was different: it was overt and public. It was digital warfare in the sense described by the theoretician of war Carl von Clausewitz, “the continuation of policy by other means,” meant as punishment for the Estonian government’s decision to move a Soviet-era statue from the center of the capital.
Since 2007, overt cyber warfare, the continuation of policy by other means, has proliferated in ever more virulent form: DDoS attacks blanking out regions ahead of bombing in conflict zones (Georgia, 2008); crashing electrical grids (Ukraine, December 2015 and December 2016); attacks on private companies (Sony, 2014); hacking into parliaments (the Bundestag, 2015 and 2016); political think tanks and parties before major elections (the Democratic and Republican National Committees, 2015-16); presidential campaigns (Hillary Clinton, 2016; Emmanuel Macron, 2017); and government ministries (Dutch ministries and Italy’s Foreign Office, 2016-17; the US Departments of State and Defense).
In one especially egregious case, the records of more than 21 million current and former US federal employees, contractors, and applicants were stolen in what is known as the “Office of Personnel Management hack.” Recent testimony and leaks in the US report attempts by a foreign power to delete or alter voter data in 21 (or possibly 39) states before the US presidential election. These represent merely the attacks admitted to by the victims, not those that go unreported.
Shutting Down A Country
A decade ago, the idea of a major cyber attack was strictly hypothetical. Indeed, NATO was originally skeptical about the attack on Estonia in 2007. Since the recognition of politically motivated DDoS attacks and their paralyzing impact, the focus of cyber security has shifted to more elaborate possibilities: the use of malware to shut down or blow up critical infrastructure, including electricity and communication networks, water supplies, and even traffic light systems in major cities. This goes beyond DDoS and requires “hacking” as we know the term: breaking into servers or a computer system, not merely blocking access to them as in a DDoS attack. The vulnerability of critical infrastructure has accordingly become a primary concern of governments and the private sector.
These kinds of cyber attacks could mean shutting down a country, or its military, rendering it unable to oppose a conventional attack. In 2010 the Stuxnet worm, which spun Iranian uranium-enriching centrifuges out of control, warned us of the power of cyber operations to do serious damage to physical systems. Leon Panetta, US Secretary of Defense from 2011 to 2013, warned in 2012 of the potential for a “cyber Pearl Harbor.” Subsequent events, such as the shutting down of parts of Ukraine’s power grid by cyber operations in December 2015 and again in December 2016, showed that such concerns were hardly unwarranted.
At the same time, it is worth noting that one can do considerable damage to national security and the private sector without disabling infrastructure. The hack of Sony, and the breach of the Office of Personnel Management in which the records of more than 21 million past and present federal employees and others were stolen, are good examples of extremely dangerous breaches that endanger a country’s national security or its commerce.
From these examples, we can see that “cyber attacks” is a catch-all term, spanning a range of activities from attacks that can destroy a nation’s critical infrastructure at one extreme to subtler operations: hacking politicians, leaking compromising information, and jeopardizing election integrity.