<p>On a Monday morning earlier this month, top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyber attack aimed at paralysing the nation’s power grids, its communications systems or its financial networks. <br /><br />The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond - especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.<br /><br />What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked, the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland. <br /><br />After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued with Chinese assertions that critics were trying to ‘denigrate China’ and that the US was pursuing ‘hegemonic domination’ in cyberspace. <br /><br />Comprehensive effort<br /><br />So far, despite millions of dollars spent on studies, that quest has failed. Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyber attacks would not be ignored, drawing on the language of nuclear deterrence. <br /><br />Inside the National Security Agency, which secretly scours overseas computer networks, officials have debated whether evidence of an imminent cyber attack on the US would justify a pre-emptive American cyberattack — something the president would have to authorise. In an extreme case — evidence that an adversary was about to launch an attack intended to shut down power stations across America -- some officials argue that the right response might be a military strike. <br /><br />When the Pentagon summoned its top regional commanders from around the globe for meetings and a dinner with President Obama on Jan 11, the war game prepared for them had nothing to do with Afghanistan, Iraq or Yemen. Instead, it was the simulated cyberattack - a battle unlike any they had engaged in.<br /><br />Participants in the Pentagon war game emerged with a worrisome realisation. Because the internet has blurred the line between military and civilian targets, an adversary can cripple a country — say, freeze its credit markets — without ever taking aim at a government installation or a military network, meaning that the Defence Department’s advanced capabilities may not be brought to bear short of a presidential order.<br /><br />The Pentagon simulation and the nearly simultaneous real-world attacks on Google and more than 30 other companies show that those firewalls are falling fast. But if it is obvious that the government cannot afford to do nothing about such breaches, it is also clear that the old principles of retaliation — you bomb Los Angeles, we’ll destroy Moscow — just do not translate. <br /><br />“We are looking beyond just the pure military might as the solution to every deterrence problem,” said Gen Kevin P Chilton, in charge of the military’s strategic command, which defends military computer networks. “There are other elements of national power that can be brought to bear. You could deter a country with some economic moves, for example.”<br /><br />But first you would have to figure out who was behind the attack. Even Google’s engineers could not track, with absolute certainty, the attackers who appeared to be trying to steal their source code and, perhaps, insert a ‘Trojan horse’ — a backdoor entryway to attack — in Google’s search engines. Chinese officials have denied their government was involved, and said nothing about American demands that it investigate. <br />China’s denials, American officials say, are one reason that President Barack Obama has said nothing in public about the attacks - a notable silence, given that he has made cybersecurity a central part of national security strategy. <br /><br />American targets<br /><br />Left unsaid is whether the Obama administration has decided whether it would ever threaten retaliatory cyberattacks or military attacks after a major cyberattack on American targets. The senior administration official provided by the White House, asked about Obama’s thinking on the issue, said: “Like most operational things like this, the less said, the better.” Others are less convinced. “The US is widely recognised to have pre-eminent offensive cybercapabilities, but it obtains little or no deterrent effect from this,” said James A Lewis, director of the Centre for Strategic and International Studies programme. In nuclear deterrence, both the Americans and the Soviets knew it was all or nothing: the Cuban missile crisis was resolved out of fear of catastrophic escalation.<br /><br />But in cyberattacks, the damage can range from the minor to the catastrophic, from slowing computer searches to bringing down a country’s cell phone networks, neutralising its spy satellites, or crashing its electrical grid or its air traffic control systems. It is difficult to know if small attacks could escalate into bigger ones.<br /><br />So part of the problem is to calibrate a response to the severity of the attack. Many in the military, led by Gen Chilton of the strategic command and Gen James E Cartwright, the vice chairman of the Joint Chiefs of Staff, have been urging the US to think more broadly about ways to deter attacks by threatening a country’s economic well-being or its reputation. <br /><br />That is what makes the Google-China standoff so fascinating. Google broke the silence that usually surrounds cyberattacks; most American banks or companies do not want to admit their computer systems were pierced. Google has said it will stop censoring searches conducted by Chinese, even if that means being thrown out of China. The threat alone is an attempt at deterrence: Google’s executives are essentially betting that Beijing will back down, lift censorship of searches and crack down on the torrent of cyberattacks that pour out of China every day. If not, millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government. <br /><br /></p>
<p>On a Monday morning earlier this month, top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyber attack aimed at paralysing the nation’s power grids, its communications systems or its financial networks. <br /><br />The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond - especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.<br /><br />What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked, the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland. <br /><br />After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued with Chinese assertions that critics were trying to ‘denigrate China’ and that the US was pursuing ‘hegemonic domination’ in cyberspace. <br /><br />Comprehensive effort<br /><br />So far, despite millions of dollars spent on studies, that quest has failed. Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyber attacks would not be ignored, drawing on the language of nuclear deterrence. <br /><br />Inside the National Security Agency, which secretly scours overseas computer networks, officials have debated whether evidence of an imminent cyber attack on the US would justify a pre-emptive American cyberattack — something the president would have to authorise. In an extreme case — evidence that an adversary was about to launch an attack intended to shut down power stations across America -- some officials argue that the right response might be a military strike. <br /><br />When the Pentagon summoned its top regional commanders from around the globe for meetings and a dinner with President Obama on Jan 11, the war game prepared for them had nothing to do with Afghanistan, Iraq or Yemen. Instead, it was the simulated cyberattack - a battle unlike any they had engaged in.<br /><br />Participants in the Pentagon war game emerged with a worrisome realisation. Because the internet has blurred the line between military and civilian targets, an adversary can cripple a country — say, freeze its credit markets — without ever taking aim at a government installation or a military network, meaning that the Defence Department’s advanced capabilities may not be brought to bear short of a presidential order.<br /><br />The Pentagon simulation and the nearly simultaneous real-world attacks on Google and more than 30 other companies show that those firewalls are falling fast. But if it is obvious that the government cannot afford to do nothing about such breaches, it is also clear that the old principles of retaliation — you bomb Los Angeles, we’ll destroy Moscow — just do not translate. <br /><br />“We are looking beyond just the pure military might as the solution to every deterrence problem,” said Gen Kevin P Chilton, in charge of the military’s strategic command, which defends military computer networks. “There are other elements of national power that can be brought to bear. You could deter a country with some economic moves, for example.”<br /><br />But first you would have to figure out who was behind the attack. Even Google’s engineers could not track, with absolute certainty, the attackers who appeared to be trying to steal their source code and, perhaps, insert a ‘Trojan horse’ — a backdoor entryway to attack — in Google’s search engines. Chinese officials have denied their government was involved, and said nothing about American demands that it investigate. <br />China’s denials, American officials say, are one reason that President Barack Obama has said nothing in public about the attacks - a notable silence, given that he has made cybersecurity a central part of national security strategy. <br /><br />American targets<br /><br />Left unsaid is whether the Obama administration has decided whether it would ever threaten retaliatory cyberattacks or military attacks after a major cyberattack on American targets. The senior administration official provided by the White House, asked about Obama’s thinking on the issue, said: “Like most operational things like this, the less said, the better.” Others are less convinced. “The US is widely recognised to have pre-eminent offensive cybercapabilities, but it obtains little or no deterrent effect from this,” said James A Lewis, director of the Centre for Strategic and International Studies programme. In nuclear deterrence, both the Americans and the Soviets knew it was all or nothing: the Cuban missile crisis was resolved out of fear of catastrophic escalation.<br /><br />But in cyberattacks, the damage can range from the minor to the catastrophic, from slowing computer searches to bringing down a country’s cell phone networks, neutralising its spy satellites, or crashing its electrical grid or its air traffic control systems. It is difficult to know if small attacks could escalate into bigger ones.<br /><br />So part of the problem is to calibrate a response to the severity of the attack. Many in the military, led by Gen Chilton of the strategic command and Gen James E Cartwright, the vice chairman of the Joint Chiefs of Staff, have been urging the US to think more broadly about ways to deter attacks by threatening a country’s economic well-being or its reputation. <br /><br />That is what makes the Google-China standoff so fascinating. Google broke the silence that usually surrounds cyberattacks; most American banks or companies do not want to admit their computer systems were pierced. Google has said it will stop censoring searches conducted by Chinese, even if that means being thrown out of China. The threat alone is an attempt at deterrence: Google’s executives are essentially betting that Beijing will back down, lift censorship of searches and crack down on the torrent of cyberattacks that pour out of China every day. If not, millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government. <br /><br /></p>