With cyber warfare already a major component of countries’ and terrorist groups’ military efforts, it might seem surprising that the U.S. military refrained from unleashing its own cyber warfare arsenal when it had the chance.
But the Pentagon’s decision to hold back during past conflicts for fear of the potential collateral damage — revealed in a Saturday report in The New York Times — seems justified, security experts say.
In 2003, the Pentagon scrapped plans to attack Iraq’s banking system, the story said. But experts told InternetNews.com that such an attack could inflict global harm.
“Collateral damage from cyber war doesn’t mean that kids can’t get to Facebook. As an information-based society, the effects of a highly damaging cyber attack could take out the basic operational and safety-response mechanisms we all rely upon,” Rick Caccia, vice president of product marketing at ArcSight, an insider threat prevention specialist, said in an e-mail to InternetNews.com.
Part of the problem is that the attack could not be targeted like a laser-guided bomb.
“Modern networks are so complex that we just don’t understand how systems are interconnected or what the consequences can be,” Michael Gregg, president of security auditor Superior Solutions, said in an e-mail to InternetNews.com. “In many ways cyber warfare is like biological warfare. It is unknown who these agents will infect or what types of casualties your own side may take.”
Others agreed. “To prevent banks from transferring funds in and out of Iraq definitely would impact the global economy,” Randy Abrams, director of technical education at antivirus provider ESET, said in an e-mail to InternetNews.com. “I cannot envision such an attack that would be limited to government funds or would not affect most computers in Iraq.”
“Probably everything Internet in Iraq would have been disrupted and the financial fallout would have been pretty devastating to foreign companies doing business in Iraq,” he added. “I don’t think the concern was with the Iraqi civilian collateral damage, but rather with the collateral damage outside of Iraq.”
The article in The New York Times cited the fear of disabling a hospital, and experts said that worry was credible. ArcSight’s Caccia said there were other worst-case scenarios to fear as well.
“An attack on the largest banks and brokerages wipes out the databases and backups, and 50 percent of the citizenry is now ‘broke’ — they can’t buy food, they can’t buy gas, their debit cards fail and the ATMs won’t give them cash,” he said. “Remote navigation services such as GM OnStar can disable a car remotely; an attack on these systems could freeze tens of thousands of cars in motion. A wide-scale outage in the telephone systems due to cyberattack could mean no one can call the police, or the
fire department, or the ambulance.”
The good news?
The positive side of this story is that the government and the U.S. military understand the potential damage and unpredictability of cyber warfare. “It sounds like the military understands that in a cyber war, the general idea of collateral damage applies, but the military wasn’t comfortable that it understood the specific effects,” Caccia said.
The U.S. Department of Defense had not responded to an inquiry from InternetNews.com by press time.
Caccia added that President Obama understands the risks, having given cyber security a key role in his White House.
“I believe the idea presented in the President’s Cyber Policy Review in May sums it up well: The critical infrastructure of a country is not just its pipelines and roads, but also its financial systems, communications networks, etc.,” Caccia said. “That is, the private sector plus the public sector make up the critical infrastructure.”
Several commentators said that while the U.S. has refrained from engaging in cyber warfare, Russia has not, citing the incidents in Estonia and Georgia.
“I traveled to Tallinn, Estonia this past April on the second anniversary of the Russian cyber attacks against Estonia,” Richard Stiennon, chief research analyst and founder of research firm IT-Harvest, said in an e-mail
to InternetNews.com. “The attacks started on a Friday afternoon and effectively shut down the banks in Estonia and by that weekend had slowed or stopped Internet access to the rest of the world.”
Stiennon added that it’s possible that we haven’t seen the worst such attacks could do.
“One of the goals of an effective cyber war would be to induce civil panic by shutting down major services like power, gas, and water,” he said. “Emergency responders would not be able to get calls as their radio networks would be down. They could not coordinate a response to fires, accidents, or even looting.”