Risk and Terminal Impacts
Cyber war is likely – states have the means and motive – escalates to accidental war
Brake, international affairs fellow at the Council on Foreign Relations, 15
(Benjamin, “Strategic Risks of Ambiguity in Cyberspace,” http://www.cfr.org/cybersecurity/strategic-risks-ambiguity-cyberspace/p36541)
As major powers increasingly rely on digital networks for critical services, the number of plausible network attacks, accidents, or failures that could trigger or exacerbate an international crisis will increase. The likelihood and severity of such a destabilizing event will also grow as long as norms of appropriate behavior in cyberspace are underdeveloped, timely and convincing attribution of attacks remains difficult, and the number of cyber-capable actors increases. Preparing for or responding to such a crisis is complicated by ambiguity in cyberspace, primarily regarding responsibility and intent. Ambiguity about who is responsible for a cyberattack exacerbates the risk that countries amid a geopolitical crisis will misattribute an attack, unduly retaliate or expand a crisis, or be unable to attribute an attack at all, thereby preventing or delaying a response and weakening their deterrence and credibility. Ambiguity of what is intended complicates a country’s ability to distinguish between espionage operations and activity conducted in preparation for a cyberattack. The United States has strategic interests in preventing and mitigating these risks, given its commitment to global security and overwhelming dependence on networked systems for national security missions, commerce, health care, and critical infrastructure. The longer it takes to implement preventive and mitigating steps, the greater the likelihood of unnecessary military conflict in and outside of the cyber domain. Cyberattacks are increasing in frequency, scale, sophistication, and severity of impact, including their capacity for physical destruction. China, Iran, North Korea, and Russia have demonstrated an ability to conduct destabilizing cyber activity. Such actions—whether for destructive purposes, intelligence collection, or economic espionage—are designed to evade network defenses and can involve various means of deception to thwart attribution. Recent incidents have shown that U.S. 
adversaries can no longer assume they will be able to conceal their identities in cyberspace, but cybersecurity experts still lack agreed-upon standards for attribution; evidence for a credible and convincing attribution can take a long time to compile; and malicious actors continue to develop new means of obscuring responsibility. Moreover, unlike many cyber operations designed to exfiltrate large amounts of data, destructive cyberattacks can be made to operate with limited communication between the malware and controller, offering fewer forensic details to establish responsibility. Even when an attacker can be identified, public attribution will remain as much a political challenge as a technical one, given that competing allegations of responsibility will likely follow any public accusation. Without corroborating signals or human intelligence—which, if it exists, officials may be reluctant or slow to disclose—computer forensic data may be incomplete or too ambiguous to convince a skeptical public. Should a major cyberattack occur over the next twelve to eighteen months, or even beyond that period if sufficient preventive and mitigating steps are not taken, public pressure to respond could outpace the time needed to credibly attribute responsibility and, if desired, build an effective coalition to support a response. Over the same time period, ambiguity regarding the intent of cyber operations will also remain a challenge, leaving policymakers uncertain about whether malware discovered on a sensitive system is designed for espionage or as a beachhead for a future attack. The United States could face several plausible crises over the next twelve to eighteen months that would be complicated by the risks of ambiguity in cyberspace. 
These include destructive insider threats, remote cyber operations that threaten trust in financial institutions, and cyberattacks by foreign nations or nonstate groups against critical infrastructure systems that cause widespread panic and loss of life, or similar attacks against a U.S. ally. National Security Agency (NSA) Director Admiral Michael Rogers warned in late 2014 that he expects U.S. critical infrastructure—assets essential to the function of a society and economy, such as water supply systems, electric grids, and transportation systems—to be attacked, noting that multiple foreign nations and groups already possess the ability to shut down a U.S. power grid and several others are investing in the capability. Attacks like the publicly unattributed January 2015 cyberattack that severely damaged a German steel mill suggest the ability to bring about physical destruction through cyber means may be proliferating quickly. Of particular concern would be the proliferation of these capabilities among terrorist groups, which currently possess limited technical skills but destructive intent. As the number of cyber-capable adversaries grows, so too does the number of critical targets, especially as industrial control systems move to web-based interfaces and more common operating systems and networking protocols. The implications of any crisis will depend on the current geopolitical context; the type of networks that fail; and the extent of economic damage, physical destruction, or human costs that result directly from network failure or its cascading effects on public health, communication and financial networks, and the economy. A successful cyberattack against one or more critical infrastructure systems could endanger thousands of lives, halt essential services, and cripple the U.S. economy for years. Two plausible factors that could exacerbate such a crisis are intentional and inadvertent ambiguity. 
Over the past two years, Iran and North Korea have appeared most willing to conduct destructive and disruptive cyberattacks against U.S. and foreign targets while attempting to conceal responsibility. Tactics have included data wipes, destruction of computer hardware, and denial-of-service attacks. Russia and China have exhibited some of the most advanced capabilities, and actors in both countries have been linked to disruptive attacks during regional tensions. Actors in South Asia and the Middle East have also conducted operations in regional conflicts that could quickly entangle U.S. interests. During a crisis involving the United States or an ally, any one of these countries could conduct cyber operations that risk further destabilization. As the rate of operations grows, so too could the challenge of attribution, with each incident exposing tools and techniques that can be repurposed. Cyber activities that could not be promptly attributed have already appeared in several conflicts. Though most have rarely elevated beyond nuisance, others have caused significant damage or threatened escalation. In 2008, Russia-based actors launched a wave of attacks against Georgian targets, and similar malware appeared in operations against Ukraine in 2014. Japanese networks are frequently targeted, including during heightened Sino-Japanese territorial tensions and sensitive anniversaries, with origins reportedly traced to China. North Korean cyber actors are suspected of having conducted destructive operations that compromised South Korea’s national identification system—damage that may cost more than $1 billion and over a decade to repair. In 2014, U.S. officials blamed North Korea for destructive attacks against Sony Pictures Entertainment, an American subsidiary of the Japanese company Sony. 
North Korean officials deny the country’s role in these attacks and will likely seek to similarly obscure their hand in attacks during future crises to deter or delay a potential American or South Korean response. U.S. officials suspect Iran’s involvement in a 2012 cyberattack against two energy firms, one in Saudi Arabia and another in Qatar, that destroyed data and crippled thirty thousand computers, possibly in retaliation for alleged U.S. cyber operations, and to demonstrate an ability to conduct similar attacks against U.S. targets. U.S. financial firms subsequently suffered tens of millions of dollars in losses resulting from Iranian denial-of-service attacks launched in retaliation for economic sanctions. In 2014, Iran became the first country to carry out a destructive cyberattack on U.S. soil when it damaged the network of Las Vegas Sands after its chairman advocated a nuclear strike against the country. Due to the difficulty of determining whether certain activity is intended for espionage or preparation for an attack, cyber operations run the risk of triggering unintended escalation. Espionage malware that could be reprogrammed to gain control of networks, such as BlackEnergy, which has been discovered on critical infrastructure networks, may be viewed by victims as one update away from becoming an attack tool capable of crippling energy supplies, water-distribution and -filtration systems, or financial transactions. Security scans of networks intensified amid heightened geopolitical tensions could reveal such malware and prompt fears of an imminent attack, even if the malware was implanted for espionage purposes long before the crisis began. The difficulty of predicting a cyber operation’s effects and the interdependency of networked systems increase the risks that an operation will inadvertently spill over onto sensitive systems or cause unintended effects. 
One example of ambiguity and the risk of misperception is the 2010 discovery on Nasdaq servers of malware similar to a cyber tool reportedly developed by Russia’s Federal Security Service. Initial assessments maintained that the malware was capable of wiping out the entire stock exchange. Only later was it shown to be less destructive, according to media accounts. Such ambiguities during periods of heightened geopolitical tensions pose significant escalatory risks. Information security experts have raised similar concerns about other Russia-linked activity and questioned whether aspects of the activity are intended to insert offensive capabilities into critical infrastructure systems for future use. Ambiguity also arises in the case of “worms”—self-replicating malware that seeks out other computers to infect. Worms can spread so pervasively that their origin and intent can be difficult to infer from known victims. One worm, Conficker, spread to millions of computers and disrupted military communications in several European countries. Its creator and purpose remain unknown. Warning Indicators Indicators of activity with the potential to create or exacerbate an international political crisis include leadership statements of an intent to conduct or permit computer network operations against foreign networks; evidence of that intent, including research and development, budgetary allocations, or organizational changes, such as the creation of offensive cyber forces; the express or tacit acceptance of parastatal hackers; and a demonstrated capability to conduct computer network operations, including cyber-espionage and cyber operations against domestic targets. Tactical warning indicators resemble traditional conflicts, such as changes in the alert status of military units and an increase in crisis-related rhetoric. 
Indicators unique to cyber operations include increased efforts to probe foreign networks and an uptick of activity in online hacker forums discussing foreign targets and tools, techniques, and procedures appropriate for operations against them. Implications for U.S. Interests First, cyberattacks will eventually be part of every nation’s military strategy. The United States depends on information communications technologies for critical military and civilian services far more than its strategic rivals or potential adversaries. U.S. officials have noted an increase in computer network operations targeting state, local, and privately operated critical infrastructure, some of which have the potential to cause considerable harm to operations, assets, and personnel. Second, ambiguity in cyberspace elevates the risk that a significant cyber event amid a geopolitical crisis will be misattributed or misperceived, prompting a disproportionate response or unnecessary expansion of the conflict. Such an escalation would impair the United States’ prominent role and interest in global security and its commitment to international law. Third, U.S. officials’ ability to respond swiftly and effectively to cyberattacks is complicated by the difficulty of timely public attribution and ambiguity over what type of cyberattack would trigger a right to self-defense or security commitments to strategic partners. A failure to confidently attribute an attack or determine whether such activity constituted an attack could limit U.S. response options. Such confusion, uncertainty, and delay could weaken deterrence and the credibility of U.S. assurances, trigger a misperception of U.S. commitment, and undermine a U.S.-led coalition.
Cyber attacks cause nuclear war – accidents
Gady 15 (Franz Stefan, Associate Editor of The Diplomat, Senior Fellow with the EastWest Institute. Article quotes: James Cartwright, retired US Marine Corps General and eighth Vice Chairman of the Joint Chiefs of Staff, Greg Austin of the EastWest Institute in New York, and Pavel Sharikov of the Russian Academy of Sciences, “Could Cyber Attacks Lead to Nuclear War?”, http://thediplomat.com/2015/05/could-cyber-attacks-lead-to-nuclear-war/)
Short fuses on U.S. and Russian strategic forces have particularly increased the risk of accidental nuclear war, according to Cartwright, while “the sophistication of the cyberthreat [to nuclear weapons] has increased exponentially.” “One-half of their [U.S. and Russian] strategic arsenals are continuously maintained on high alert. Hundreds of missiles carrying nearly 1,800 warheads are ready to fly at a moment’s notice,” a policy report compiled by a study group chaired by the retired U.S. general summarized. “At the brink of conflict, nuclear command and warning networks around the world may be besieged by electronic intruders whose onslaught degrades the coherence and rationality of nuclear decision-making,” the report further points out. The War Games-like scenario could unfold in one of the following three ways: First, sophisticated attackers from cyberspace could spoof U.S. or Russian early warning networks into reporting that nuclear missiles have been launched, which would demand immediate retaliatory strikes according to both nations’ nuclear warfare doctrines. Second, online hackers could manipulate communication systems into issuing unauthorized launch orders to missile crews. Third and last, attackers could directly hack into missile command and control systems launching the weapon or dismantling it on site (a highly unlikely scenario). To reduce the likelihood of such a scenario ever occurring, Cartwright proposes that Moscow and Washington should adjust their nuclear war contingency plan timetables from calling for missiles to be launched within 3 to 5 minutes to 24 to 72 hours. Reducing the lead time to prepare nuclear missiles for launch would not diminish the deterrent value of the weapons, Cartwright, who headed Strategic Command from 2004 to 2007 and was vice chairman of the Joint Chiefs of Staff before retiring in 2011, emphasized.
However, the Obama White House has so far rejected the idea, particularly due to the recent deterioration of U.S.-Russia relations. Also, Robert Scher, Assistant Secretary of Defense for Strategy, Plans, and Capabilities, testified in Congress this month arguing “it did not make any great sense to de-alert forces” because nuclear missiles “needed to be ready and effective and able to prosecute the mission at any point in time.” Cartwright’s credibility may have also suffered among Washington policy circles ever since he has been under investigation for leaking information about the top secret Stuxnet virus – a sophisticated cyber weapon allegedly jointly developed by Israel and the United States – to the New York Times. Nevertheless, a co-authored paper, seen in draft by The Diplomat, argues that “cyber weapons and strategies have brought us to a situation of aggravated nuclear instability that needs to be more explicitly and more openly addressed in the diplomacy of leading powers, both in private and in public.” The authors, Greg Austin of the EastWest Institute in New York (and a regular contributor to The Diplomat) and Pavel Sharikov of the Russian Academy of Sciences, have concluded that “Russia now sees U.S. plans to disrupt the command and control of its nuclear weapons as the only actual (current) threat at the strategic level of warfare.” Laura Saalman of the Asia Pacific Research Centre in Hawaii has also warned of the need to look at the impact of U.S. strategies and nuclear force posture on China in a 2014 paper titled “Prompt Global Strike: China and the Spear”.
And lashout
Tilford 12 Robert, Graduate US Army Airborne School, Ft. Benning, Georgia, "Cyber attackers could shut down the electric grid for the entire east coast" 2012, http://www.examiner.com/article/cyber-attackers-could-easily-shut-down-the-electric-grid-for-the-entire-east-coa
To make matters worse, a cyber attack that can take out a civilian power grid, for example, could also cripple the U.S. military. The senator notes that the same power grids that supply cities and towns, stores and gas stations, cell towers and heart monitors also power "every military base in our country." "Although bases would be prepared to weather a short power outage with backup diesel generators, within hours, not days, fuel supplies would run out", he said. Which means military command and control centers could go dark. Radar systems that detect air threats to our country would shut down completely. "Communication between commanders and their troops would also go silent. And many weapons systems would be left without either fuel or electric power", said Senator Grassley. "So in a few short hours or days, the mightiest military in the world would be left scrambling to maintain base functions", he said. We contacted the Pentagon and officials confirmed the threat of a cyber attack is something very real. Top national security officials—including the Chairman of the Joint Chiefs, the Director of the National Security Agency, the Secretary of Defense, and the CIA Director—have said, "preventing a cyber attack and improving the nation’s electric grids is among the most urgent priorities of our country" (source: Congressional Record). So how serious is the Pentagon taking all this? Enough to start, or end a war over it, for sure (see video: Pentagon declares war on cyber attacks http://www.youtube.com/watch?v=_kVQrp_D0kY%26feature=relmfu ). A cyber attack today against the US could very well be seen as an "Act of War" and could be met with a "full scale" US military response. That could include the use of "nuclear weapons", if authorized by the President.
Extinction
Guterl, executive editor – Scientific American, 11/28/’12
(Fred, “Armageddon 2.0,” Bulletin of the Atomic Scientists)
The world lived for half a century with the constant specter of nuclear war and its potentially devastating consequences. The end of the Cold War took the potency out of this Armageddon scenario, yet the existential dangers have only multiplied. Today the technologies that pose some of the biggest problems are not so much military as commercial. They come from biology, energy production, and the information sciences -- and are the very technologies that have fueled our prodigious growth as a species. They are far more seductive than nuclear weapons, and more difficult to extricate ourselves from. The technologies we worry about today form the basis of our global civilization and are essential to our survival. The mistake many of us make about the darker aspects of our high-tech civilization is in thinking that we have plenty of time to address them. We may, if we're lucky. But it's more likely that we have less time than we think. There may be a limited window of opportunity for preventing catastrophes such as pandemics, runaway climate change, and cyber attacks on national power grids. Emerging diseases. The influenza pandemic of 2009 is a case in point. Because of rising prosperity and travel, the world has grown more conducive to a destructive flu virus in recent years, many public health officials believe. Most people probably remember 2009 as a time when health officials overreacted. But in truth, the 2009 virus came from nowhere, and by the time it reached the radar screens of health officials, it was already well on its way to spreading far and wide. "H1N1 caught us all with our pants down," says flu expert Robert G. Webster of St. Jude Children's Research Hospital in Memphis, Tennessee. Before it became apparent that the virus was a mild one, health officials must have felt as if they were staring into the abyss. 
If the virus had been as deadly as, say, the 1918 flu virus or some more recent strains of bird flu, the result would have rivaled what the planners of the 1950s expected from a nuclear war. It would have been a "total disaster," Webster says. "You wouldn't get the gasoline for your car, you wouldn't get the electricity for your power, you wouldn't get the medicines you need. Society as we know it would fall apart." Climate change. Climate is another potentially urgent risk. It's easy to think about greenhouse gases as a long-term problem, but the current rate of change in the Arctic has alarmed more and more scientists in recent years. Tim Lenton, a climate scientist at the University of Exeter in England, has looked at climate from the standpoint of tipping points -- sudden changes that are not reflected in current climate models. We may already have reached a tipping point -- a transition to a new state in which the Arctic is ice-free during the summer months. Perhaps the most alarming of Lenton's tipping points is the Indian summer monsoon. Smoke from household fires, and soot from automobiles and buses in crowded cities, rises into the atmosphere and drifts out over the Indian Ocean, changing the atmospheric dynamics upon which the monsoon depends -- keeping much of the sun's energy from reaching the surface, and lessening the power of storms. At the same time, the buildup of greenhouse gases -- emitted mainly from developed countries in the northern hemisphere -- has a very different effect on the Indian summer monsoon: It makes it stronger. These two opposite influences make the fate of the monsoon difficult to predict and subject to instability. A small influence -- a bit more carbon dioxide in the atmosphere, and a bit more brown haze -- could have an outsize effect. The Indian monsoon, Lenton believes, could be teetering on a knife's edge, ready to change abruptly in ways that are hard to predict. What happens then? 
More than a billion people depend on the monsoon's rains. Other tipping points may be in play, says Lenton. The West African monsoon is potentially near a tipping point. So are Greenland's glaciers, which hold enough water to raise sea levels by more than 20 feet; and the West Antarctic Ice Sheet, which has enough ice to raise sea levels by at least 10 feet. Regional tipping points could hasten the ill effects of climate change more quickly than currently projected by the Intergovernmental Panel on Climate Change. Computer hacking. The computer industry has already made it possible for computers to handle a variety of tasks without human intervention. Autonomous computers, using techniques formerly known as artificial intelligence, have begun to exert control in virtually every sphere of our lives. Cars, for instance, can now take action to avoid collisions. To do this, a car has to make decisions: When does it take control? How much braking power should be applied, and to which wheels? And when should the car allow its reflex-challenged driver to regain control? Cars that drive themselves, currently being field tested, could hit dealer showrooms in a few years. Autonomous computers can make our lives easier and safer, but they can also make them more dangerous. A case in point is Stuxnet, the computer worm designed by the US and Israel to attack Iran's nuclear fuel program. It is a watershed in the brief history of malware -- the Jason Bourne of computer code, designed for maximum autonomy and effectiveness. Stuxnet's creators gave their program the best training possible: they stocked it with detailed technical knowledge that would come in handy for whatever situation Stuxnet could conceivably encounter. Although the software included rendezvous procedures and communication codes for reporting back to headquarters, Stuxnet was built to survive and carry out its mission even if it found itself cut off. 
The uranium centrifuges that Stuxnet attacked are very similar in principle to the generators that power the US electrical grid. Both are monitored and controlled by programmable-logic computer chips. Stuxnet cleverly caused the uranium centrifuges to throw themselves off-balance, inflicting enough damage to set the Iranian nuclear industry back by 18 months or more. A similar piece of malware installed on the computers that control the generators at the base of the Grand Coulee Dam would likewise cause them to shake, rattle, and roll -- and eventually explode. If Stuxnet-like malware were to insinuate itself into a few hundred power generators in the United States and attack them all at once, the damage would be enough to cause blackouts on the East and West Coasts. With such widespread destruction, it could take many months to restore power to the grid. It seems incredible that this should be so, but the worldwide capacity to manufacture generator parts is limited. Generators generally last 30 years, sometimes 50, so normally there's little need for replacements. The main demand for generators is in China, India, and other parts of rapidly developing Asia. That's where the manufacturers are -- not in the United States. Even if the United States, in crisis mode, put full diplomatic pressure on supplier nations -- or launched a military invasion to take over manufacturing facilities -- the capacity to ramp up production would be severely limited. Worldwide production currently amounts to only a few hundred generators per year. The consequences of going without power for months, across a large swath of the United States, would be devastating. Backup electrical generators in hospitals and other vulnerable facilities would have to rely on fuel that would be in high demand. Diabetics would go without their insulin; heart attack victims would not have their defibrillators; and sick people would have no place to go. 
Businesses would run out of inventory and extra capacity. Grocery stores would run out of food, and deliveries of all sorts would virtually cease (no gasoline for trucks and airplanes, trains would be down). As we saw with the blackouts caused by Hurricane Sandy, gas stations couldn't pump gas from their tanks, and fuel-carrying trucks wouldn't be able to fill up at refueling stations. Without power, the economy would virtually cease, and if power failed over a large enough portion of the country, simply trucking in supplies from elsewhere would not be adequate to cover the needs of hundreds of millions of people. People would start to die by the thousands, then by the tens of thousands, and eventually the millions. The loss of the power grid would put nuclear plants on backup, but how many of those systems would fail, causing meltdowns, as we saw at Fukushima? The loss in human life would quickly reach, and perhaps exceed, the worst of the Cold War nuclear-exchange scenarios. After eight to 10 days, about 72 percent of all economic activity, as measured by GDP, would shut down, according to an analysis by Scott Borg, a cybersecurity expert.