
Kinetic War vs. Cyber War: The Potential Battlefields Ahead

Author: Mitch Tanenbaum, partner & technical director, CyberCecurity

Kinetic warfare, a term that seems to have roots with former Secretary of Defense Donald Rumsfeld (see article), is the kind of war we are most familiar with – bombs, guns, bullets, poison gas. I don’t think it is going anywhere any time soon, but what is clear is that cyber warfare is likely to play a much more important role over the short and long term.

There are a number of reasons for this, in my opinion.

Let's look at traditional kinetic warfare first:

  • Massing an army takes time, is expensive and has bad PR value when citizens’ children die or come home with physical and psychological problems. It is also expensive long term as the country has to care for those veterans. If the country doesn’t do a good job of that, there is more bad PR (look at the mess our veterans health care system is in).
  • Building traditional weapons systems is very expensive. Look at our F-35 fighter as an example; we have spent tens of billions of dollars on it so far.
  • If you mass an army and build weapons, it costs a huge amount to keep that capability working – just look at our defense budget.
  • It is hard to do this secretly.

These comments are not meant to detract from what we are doing; it just points out that maintaining a kinetic warfare capability is neither cheap nor easy.

Cyber Warfare: A Closer Look

Now let's look at cyber warfare, the alternative to kinetic warfare.

  • Training cyber warriors is also hard, but hackers rarely die or come home from cyberwar with missing body parts. The long-term care costs are much lower because of these reasons.
  • The hacking tools are mostly free; the rest are really cheap compared to a fighter aircraft or even a bomb.
  • The operational cost is also low. Hackers can go home at night and sleep in their own beds.
  • It is much easier to hide. Hackers look like any other white collar worker in an office.

That said, the threat of your enemy’s airplanes dropping bombs on your country – either conventional or nuclear – is a pretty strong deterrent, which is why it isn’t going anywhere anytime soon.

But let's look at cyber warfare.

Cyber Warfare: Demonstrations and Examples

We saw the Russians knock out the power in Ukraine twice during 2015 and 2016. These attacks were mostly designed to get people’s attention as opposed to doing horrible damage, but turning off the power in the middle of the winter when the temperature is below zero will get your attention.

The U.S. Department of Energy’s Idaho National Laboratories demonstrated their ability to remotely cause a generator to blow itself up. Here's the video evidence:

Video link

To be fully honest, they did add some theatrics to get Congress's attention (which failed), but the failure of the generator is very real.

And cyber warfare isn’t new. Under then-President Ronald Reagan, the CIA got the Russians to use some American SCADA software (that runs the valves and controls for a gas pipeline in this case) which caused an explosion in Siberia that was so big that it could be seen from space (see article).

Recent Developments

Britain’s Defense Secretary Gavin Williamson, in a recent interview with the Telegraph, said that the Russians were researching the UK’s critical national infrastructure and how it connects to the continental power supplies with a view to creating panic and chaos.

To be fair, I am sure that this is EXACTLY what every other country’s intelligence agencies are doing.  If they are not, they are missing something.

There is a step between understanding how to execute a cyber attack and actually executing one, but if you are the head of a country’s military and you have to make a choice as to whether to deploy troops, drop bombs or blow up a pipeline or electric grid, you want to have all available options.

Of course Russia is denying this, but I wouldn’t expect anything else and the denial is meaningless.

Congress has been effectively sticking its collective head in the sand when it comes to cyber warfare – meaning not spending anywhere near enough money to prevent it. In part this is due to the fact that almost all gas and electric utilities in the U.S. are privately owned. Most water and sewer utilities are municipally owned, but owned by one of thousands of local utility districts. All but a few telephone and Internet utilities are privately owned. Just to be clear, when I say private, I mean non-government. Many of these are publicly traded companies, owned by investors.

Almost all of these utilities have to go to regulators to raise their prices and raising prices is considered consumer unfriendly. Spending money on non-revenue generating activities isn’t popular with investors either. UNTIL, of course, some utility gets taken out by hackers. Then all hell will break loose.

These utilities are doing small things to help protect themselves. After 9/11, we saw many utilities erect fences around their facilities. That is probably useful but unlikely to stop a determined attacker and a fence won’t stop a cyber attack.

The government is trying to play this threat down because they don’t want people to panic. Panic is not good for politicians’ careers.

Hopefully, however, people are beginning to realize that it may well be easier to turn off the lights, heat and water to a country and politically more palatable at home than a conventional war.

One thing that our Homeland Security folks are working on is trying to figure out how to respond. For example, in the U.S. there are tens of millions of transformers that help distribute power. Most of the largest ones are unique and not built in the U.S. It could take a year to get a replacement shipped from overseas. What Homeland Security is trying to figure out is if an attacker figures out how to damage or destroy a bunch of these, how can we keep the power working while new transformers are built. Similarly, if a gas pipeline is destroyed and the distribution network for gas is interrupted – as we have seen by non-attack-based failures – gas prices skyrocket, shortages appear, rationing is needed, etc. How can we deal with that?

There is no short term answer to these problems and it will take a lot of work, but we better get to work on it because the Russians are and likely so are the Chinese and others.

Just saying!

Information for this post came from the Telegraph.


Mitch Tanenbaum is partner and technical director at CyberCecurity, a full-service cyber risk consulting service provider.