The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.
What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.
After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued on Monday, with Chinese assertions that critics were trying to “denigrate China” and that the United States was pursuing “hegemonic domination” in cyberspace.
These recent events demonstrate how quickly the nation’s escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the Cold-war era strategy of threatening nuclear retaliation.
So far, despite millions of dollars spent on studies, that quest has failed. Last week, Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.
But Clinton did not say how the US would respond, beyond suggesting that countries that knowingly permit cyberattacks to be launched from their territories would suffer damage to their reputations, and could be frozen out of the global economy.
There is, in fact, an intense debate inside and outside the government about what the US can credibly threaten. One alternative could be a diplomatic démarche, like the one the State Department said was forthcoming, but was still not delivered, in the Google case. Economic retaliation and criminal prosecution are also possibilities.
Inside the National Security Agency, which secretly scours overseas computer networks, officials have debated whether evidence of an imminent cyberattack on the United States would justify a pre-emptive American cyberattack — something the president would have to authorise. In an extreme case, like evidence that an adversary was about to launch an attack intended to shut down power stations across America, some officials argue that the right response might be a military strike.
“We are now in the phase that we found ourselves in during the early 1950s, after the Soviets got the bomb,” said Joseph Nye, a professor at the Kennedy School at Harvard. “It won’t have the same shape as nuclear deterrence, but what you heard Secretary Clinton doing was beginning to explain that we can create some high costs for attackers.”
Fighting Shadows
When the Pentagon summoned its top regional commanders for meetings with President Obama on January 11, the war game prepared showed a simulated cyberattack.
And the participants emerged with a worrisome realisation. Because the Internet has blurred the line between military and civilian targets, an adversary can cripple a country, say, freeze its credit markets, without ever taking aim at a government installation or a military network, meaning that the Defence Department’s advanced capabilities may not be brought to bear short of a presidential order.
“The fact of the matter,” said one senior intelligence official, “is that unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.”
William J Lynn III, the deputy Defence Secretary, who oversaw the simulation, said in an interview after the exercise that America’s concepts for protecting computer networks reminded him of one of defensive warfare’s great failures, the Maginot Line of pre-World War II France.
Lynn, one of the Pentagon’s top strategists for computer network operations, argues that the billions spent on defensive shields surrounding America’s banks, businesses and military installations provide a similarly illusory sense of security.
“A fortress mentality will not work in cyber,” he said. The Pentagon simulation and the nearly simultaneous real-world attacks on Google and more than 30 other companies show that those firewalls are falling fast. But if it is obvious that the government cannot afford to do nothing about such breaches, it is also clear that the old principles of retaliation — you bomb Los Angeles, we’ll destroy Moscow — just do not work.
“We are looking beyond just the pure military might as the solution to every deterrence problem,” said General Kevin P Chilton, in charge of the military’s Strategic Command, which defends military computer networks. “You could deter a country with some economic moves, for example.”
But first you would have to figure out who was behind the attack. “You have to be quite careful about attributions and accusations,” said a senior administration official deeply involved in dealing with the Chinese incident with Google.
Nonetheless, the White House said in a statement that “deterrence has been a fundamental part of the administration’s cybersecurity efforts from the start,” citing work in the past year to protect networks.
In nuclear deterrence, both the Americans and the Soviets knew it was all or nothing: the Cuban missile crisis was resolved out of fear of catastrophic escalation. But in cyberattacks, the damage can range from the minor to the catastrophic, from slowing computer searches to bringing down a country’s cellphone networks, neutralising its spy satellites, or crashing its electrical grid or its air traffic control systems. It is difficult to know if small attacks could escalate into bigger ones.
Clinton went down that road in her speech on Thursday, describing how a country that cracked down on Internet freedom or harboured groups that conduct cyberattacks could be ostracised. But though sanctions might work against a small country, few companies are likely to shun a market the size of China, or Russia, because they disapprove of how those governments control cyberspace or use cyberweapons.
That is what makes the Google-China standoff so fascinating. Google broke the silence that usually surrounds cyberattacks; most American banks or companies do not want to admit their systems were pierced. Google has said it will stop censoring searches conducted by Chinese, even if that means being thrown out of China. The threat alone is an attempt at deterrence: Google’s executives are betting that Beijing will back down, lift censorship of searches and crack down on the torrent of cyberattacks that pour out of China every day. If not, millions of young Chinese will be deprived of its search engine, and be left to the ones controlled by their government.
John Markoff, David E Sanger and Thom Shanker
The New York Times
Attacks
2003-2005
* A series of coordinated cyberattacks hit the US government. The attacks, known as “Titan Rain,” may have been organised by China, but there is no conclusive evidence that the government was involved.
March 29, 2009
* A vast Internet surveillance system aimed at South Asian countries is uncovered by Canadian researchers. The system, called “Ghostnet,” is largely based on Hainan Island off the coast of China, but there is no evidence that the Chinese government is involved in the espionage.
July 4, 2009
* A rash of cyberattacks hits US and South Korean targets. South Korea blames North Korea, but no evidence is forthcoming.
Counter measures
January 12, 2010
* Google announces it is prepared to withdraw from China, citing attacks from hackers based in China. The attacks were aimed at Google, along with 34 other companies or entitles, many of them located in Silicon Valley.
January 8, 2008
* President Bush approves a national security directive that formalises efforts to defend the federal government against cyberattacks.
March 2006
* The Department of Homeland Security sponsors a war game called Cyber Storm II. which simulates a large-scale cyberattack against the US, Britain, Canada, Australia and New Zealand. The study finds that such an attack could cause major damage to the global financial system.
February 9, 2000
* Melissa Hathaway, an analyst in the Office of the Director of National Intelligence, is asked to lead a study to develop a US cyber-deterrence strategy. The classified project has been completed, but has not yet been used by the Obama administration.
May 29, 2009
* The Obama administration announces the creation of the United States Cyber Command, a major new military force for the Department of Defence. The command was supposed to be operational fast October, but has been delayed by bureaucratic infighting.
December 22, 2009
* President Obama makes Howard A Schmidt the White House cyber-security coordinator.
In an address on January 21, Secretary of State Hillary Rodham Clinton called on to China to investigate the attack on Google.
