Why cyber warfare is so
attractive to small nations
by Peter Suciu
DECEMBER 21, 2014, 11:27 AM EST
Enabled by Internet
connectivity, cyber war provides more bang for the buck than investment in
conventional weapons.
Last week news broke
that North Korea, which is believed to be responsible for a massive cyber
attack against Sony ( SNE 0.97%) , may have as many as
1,800 cyber warriors. That may seem like a large figure for the nation of 24.9
million people, especially considering that Pyongyang isn’t exactly known for
its centers of higher learning. Yet many small nation-states—even those that
are in regions that lack universities with notable computer science
programs—are finding that cyber war provides more bang for the buck than
investment in conventional weapons.
“Cyber warfare is a great alternative to
conventional weapons,” says Amy Chang, a research associate in the technology
and national security program at the Center for a New American Security. “It is
cheaper for and far more accessible to these small nation-states. It allows
these countries to pull off attacks without as much risk of getting caught and
without the repercussions when they are [caught].”
There are many reasons
why a nation-state or non-nation entity would pursue a cyber war program, and
today many countries large and small invest in cyber warfare. According to
recent intelligence studies more than 140 countries have some level of cyber
weapon development programs. In 2012 the U.S. Defense Advanced Research
Projects Agency, the research arm of the Pentagon, invested $110 million
in Plan X, a “foundational
cyber warfare program” that aims to harness computing power to wage war more
effectively. The program was only one part of DARPA’s reported $1.54 billion
cyber budget for 2013 to 2017.
Many small nations don’t have those
kinds of resources to allocate toward such projects, but experts say large
amounts of funding isn’t really necessary.
“You don’t need that much money to
invest in cyber warfare,” warns Martin Libicki, senior management scientist
with the Rand Corporation, the nonprofit global policy think tank. “It is
really a people thing, not a money thing. North Korea has a small GDP and may
only have a thousand or so specialists dedicated to cyber warfare. But it can
still accomplish big things with what it has.”
It may have taken as
long as a year for Sony’s attackers to accomplish the task, according to the
latest reports about the recent breach. For a criminal enterprise seeking
money, the effort would not have enjoyed a good return on investment. But if
the hackers were in fact from North Korea, money was likely not the objective.
“The hacking of Sony would have been a
bad investment for a criminal,” Libicki says. “For a government, it wasn’t that
bad of an effort—and it accomplished the mission, as Sony pulled the film from
theaters.”
In addition to an alternative to
conventional weapons, cyber war programs also serve as a means for small
nations to acquire another state’s advanced technology, whether for commercial
or military application.
“North Korea lacks infrastructure to
support a massive computer industry or even a computer science education
program,” Chang says. “But there is a relative value in investing in
information technology over weapons systems. It is far more economical to
invest in technology that could be used to pilfer other technology from
developed nations. Why develop advanced weapons technology when you can steal
it?”
Recent cyber attacks suggest that fewer
resources are required to wage an attack than to defend against one—which means
small nations may have more of a stomach for going on the cyber offensive than
for stopping a similar attack. In 2012 Iran’s nuclear program was reportedly
the target of a massive cyber attack believed to have been perpetrated by the
United States and Israel. Iran is believed to have responded by unleashing its
own attack against Saudi Aramco, the state-owned oil and gas company, during
which hackers destroyed data on 30,000 Aramco computers. As with the recent
Sony attack, Aramco is considered a “soft target” attack because the victim is
less likely to have the same level of computer security investment—to the tune
of hundreds of millions of dollars—as systems for a government or financial
entity.
“For good or bad, cyber attacks aren’t
[usually] directed at ‘hard’ targets,” Libicki says. “This is an extension of
terrorist attacks, which typically don’t go after a military base but go after
an embassy or other interests. It sends a message and is easier to perpetrate.”
In an Internet-connected world, the
ancient notion of barbarians at the gate—used to describe the Sack of Rome in
410 by the Visigoths after they entered the city through its Salarian Gate—has
been replaced with a far more complex concept. Online, there is a seemingly
endless number of entrances to someone’s secure infrastructure, a gate for
every authorized user and device.
“Sony is a great
example of how this sort of thing happens even though they had been warned
about it before,” says Lt. General Clarence E. McKnight Jr. (Retired), former
head of the Signal Corps and author of From Pigeons to Tweets. “There is
too much information going around the cyber world and so many ways to access
it. As the whole world gets connected, it just provides the details that make
these attacks possible.”
What’s more, an Internet-connected world
has given smaller players a communication network on a global scale with which
to coordinate such attacks. “We need to think about how these groups such as
ISIS use Twitter and other social media to communicate,” Chang says, using the
acronym for the Islamic State of Iraq and Syria. “The level of instant
communication has increased because of this technology.”
So far, such attacks do not appear to
have taken out any “hard” targets. Even the highly publicized Sony hack, which
has left the company reeling, is not significant enough to roil world markets
with catastrophic side effects. Neither was the brief shutdown of the Warsaw
stock exchange in October. Yet such nuisance attacks demonstrate that a small
player like North Korea or ISIS (which is believed to have been behind the
Warsaw attack) could have an outsized impact online relative to their resources.
“This is really
physiological warfare, and in Sony’s case people won’t go to the movies,”
McKnight says. “At this point cyber warfare is over-hyped on what it can
accomplish. But it is the only game in town for a lot of countries.”
No comments:
Post a Comment