Military Review English Edition May-June 2014 | Page 25

FAILED CYBERDEFENSE The former U.S. Secretary of Defense Leon Panetta delivered a clear assessment of the risk for these attacks in a speech on 12 October 2012: These attacks mark a significant escalation of the cyberthreat, and they have renewed concerns about still more destructive scenarios that could unfold. For example, we know that foreign cyberactors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country. We know of specific instances where intruders have successfully gained access to these control systems. We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life.2 Even if the nation’s leadership has identified the risk, expressed concern, and started to allocate resources to improve national cyberdefense, others consider the likelihood of a cyberwar as marginal. One of the leading arguments against the possibility of future cyberwar has been the premise that such an attack would cause no long-term damage.3 This argument is based on a marginalization of cyberattacks as intermittent disruptions of client computers by crude and unsophisticated malign software that creates temporary havoc.4 The perception is that damage is limited to the attacked computer networks—not the external environment that relies on these networks. However, the concerns aired by Panetta, originating from the assessment made by the president, convey a wider, more holistic perception of potential damage beyond computer networks. In this article we present a tangible argument that cyberwar can inflict continuing damage on a targeted society beyond the actual destruction of a defending computer network. The long-term environmental consequences of a lost cyberwar and failed national cyberdefense are not well recognized. The last decade’s intense study of cybersecurity, with its focus on networks and network security, has left the risk to physical environments that rely upon cybercontrolled networks unaddressed.5 MILITARY REVIEW May-June 2014 The Concept of Cyberwar In cyberwar conflicts, state actors are seeking to force a policy change in the other party. Therefore, cyberwar should be regarded first from a strategic viewpoint and second from lower levels of abstraction. A central part in all conflict is the fear of consequences—the actual repercussions of opposition to a will that seeks to subdue. Nuclear weapons are feared because of their validated and graphically devastating effects. Cyberweapons will need to show they are catastrophic; otherwise, the threat or deterrence of those weapons evaporates. In earlier studies of cyberwar, the focus was on disruptions in technical or military capacity and the resilience to operate in a degraded environment. The potential to destroy opposing systems through digital lethality has recently been introduced.6 In these scenarios, the factual long-term damage is limited. For an adversary seeking to affect U.S. policy, current vulnerabilities in our industrial control systems are an inviting opportunity. Their targeting could have significant societal impacts—fear, uncertainty, and public pressure on political leadership if environmental damage occurs. Attacking industrial control systems to damage the environment is a grave act of war. However, as long as attribution is unknown and there is no punitive mechanism in place, the prohibitions against such acts in international law are at the attacker’s discretion to recognize. Today, there are limited options, if any, to enforce accountability for cyberattacks through international law. Environmental Effects of Cyberwar If an adversary could cause major irreversible environmental damage to the United States through cyberattacks on industrial control systems, or merely establish control over numerous systems, it could limit U.S. policy options. The threat and risk of a cyberattack would have to be considered, and it would give a minor power a force-multiplying effect in a direct conflict with the United States. The barrage of cyberattacks on the nation’s infrastructure in the last decade is a major concern for the federal government.7 These attacks have been extended to include supervisory control and data acquisition (SCADA) systems, which are a subset of industrial control systems. SCADA systems control 23