IN THE MEDIA
The Cyber-War Era
Sep 26, 2016 | AIJAC staff
The potential for Israel-Australia cooperation on a new kind of threat
Last month’s Melbourne International Film Festival featured Alex Gibney’s documentary Zero Days, taking viewers deep into the world of cyber warfare through the story of Stuxnet – the infamous cyber weapon that was unleashed on the centrifuges at Iran’s secret nuclear facility in late 2008. Reportedly designed by the US and Israel, Stuxnet appears to constitute the world’s first cyber attack to inflict actual physical damage on an industrial system – the inadvertent unveiling of a “new tool in warfare” – though, as the film highlights, it is unlikely to be the last.
This new era of cyberspace has serious implications for Israel, particularly as it becomes clear that cyber attacks are proving to be Iran’s “weapon of choice”.
Meanwhile, the Australian Government has been paying increasing attention to cyber-security, with an official Australian Cyber Security Strategy released in April, and an ABC-TV “Four Corners” program on Aug. 29 highlighting a series of breaches of government computer networks by cyber attacks.
With Israel also making defence against cyber-attacks both a major priority and a growth industry, this is an obvious area for Australia-Israel cooperation.
Implications of Stuxnet
The computer worm Stuxnet – codenamed “Olympic Games” by its developers – has achieved notoriety for being the “first incident of a cyber weapon created and deployed with the intent of degrading, disrupting, and destroying a specific information system.” Traversing the barrier between the cyber world and real life, the code – seemingly introduced by an infected USB – instructed the centrifuges at Iran’s Natanz facility to spin out of control and self-destruct, all the while ensuring its computer screens displayed no sign of abnormal activity. This worked: indeed, confusion about the centrifuge problem resulted in the dismissal of several Iranian nuclear engineers believed to be incompetent. The Stuxnet operation would have remained clandestine if not for a programming error which spread the virus globally on the Internet, leading to its detection by cyber security experts in mid-2010.
The Obama Administration estimates that Stuxnet destroyed one-fifth of Iran’s centrifuges, causing a delay of 18 months to two years. Thus, while it did not succeed in derailing Iran’s nuclear program, Stuxnet demonstrated the way in which cyber weapons can be used to achieve a military goal without needing concrete information about the target nor physical access.
In the 21st century, cyberspace has emerged as a “domain of strategic importance”. This is due to the fact that, in modern societies like ours, technology serves to govern every aspect of daily life – from communication to automation to critical infrastructure to military command-and-control, resulting in a pervasive reliance on networks that makes us highly vulnerable to a range of cyber threats. These threats can present themselves in the form of cyber crimes, cyber espionage, modest disruptions such as distributed denial-of-service (DDoS) attacks and large-scale cyber assaults that result in the physical destruction of structures, systems or human life.
Whilst no universal definition of “cyber-attack” exists, the term can broadly be taken to refer to the execution of malware that “uses and targets computers, networks or other technologies for malevolent, destructive or disruptive purposes.” Cyber-attacks can be either political or criminal, however this article focuses solely on those that have a distinctly political motivation – those enacted against states to gain a strategic, diplomatic or military advantage. The term “cyber-weapon” has also yet to be defined, though this can generally be understood to refer to any offensive cyber capability or technique that carries out warfare through cyber means. Like the terminology used to describe it, cyberspace is a murky and ambiguous realm that lacks established laws and norms to govern behaviour. For instance, despite the fact that NATO recently declared cyber to be a military domain (adding it to the traditional domains of land, sea and air), there has been no resolution as to how cyber-attacks should be handled at a policy level. Andrew Davies of the Australian Strategic Policy Institute (ASPI) suggests that “cyber warfare hasn’t yet been fully integrated into strategic thinking.” Indeed, the constant confusion surrounding cyber-operations makes it difficult for nations to both deter cyber-attacks and to respond effectively.
Defending and deterring against cyber attack is difficult for a number of reasons. Firstly, there is the attribution problem. Cyberspace, by its very nature, favours anonymity, and is uniquely characterised by the ability to wage attacks without clear attribution of responsibility, heavily advantaging the offence. Deterrence strategy relies upon an aggressor being convinced that it will be identified and punished accordingly; it is impossible to retaliate against an adversary that is unknown. In turn, this makes it challenging to create a credible deterrent threat.
French expert Guy-Philippe Goldstein notes:
“Potential aggressors can claim ‘plausible deniability’ [for attacks] and neutralise the international audience, reducing the margins of manoeuvre for the defender.”
A necessary step of any deterrence strategy also requires conveying a clear “red line” to adversaries as to what is considered unacceptable behaviour: that is, determining a threshold for punishment. When it comes to the physical invasion of another’s territory, the line is unambiguous, but this becomes hazy when one considers the broad spectrum of malicious acts that can be taken in cyberspace (noted above). As Goldstein points out, cyber-attacks “do not easily offer simple, recognisable and conspicuous characterisation in terms of thresholds.”
Complications thus arise in attempting to determine the proportional response to lower-scale cyber incidents such as hacking and cyber espionage – acts which, despite not causing direct physical destruction or loss of life (that can be conclusively determined) – can still be greatly harmful to national power. Must retaliation only occur in the cyber realm? When is it appropriate to launch a physical response or impose economic penalties?
This is an issue that faces the US Government right now, as the FBI begins its investigation to determine the perpetrator of the cyber-theft and release of documents from the Democratic National Committee, leaked in July 2016. Highly suspected to be the work of the Russian Government, if confirmed it would constitute a blatant attempt to influence the American election result. David Sanger of the New York Times writes that an American response to Russian cyber-interference “could be public or private, and it could involve sanctions, diplomatic warnings or even a counterattack.”
Australia has had its own highly public struggles with cyber security over the last few years: most recently, with the census website reportedly being the victim of cyber attacks on the night of Aug. 9. David Kalisch of the Australian Bureau of Statistics confirmed that the website was shut down in an attempt to protect the integrity of the census data in the face of four denial-of-service attacks coming from abroad. In late 2015, Peter Jennings of the ASPI suggested that China might have been behind a cyber breach of an Australian Bureau of Meteorology supercomputer, though the Chinese Foreign Ministry denies such involvement.
Meanwhile, other apparent cyber-espionage incidents in Australian in recent years include the theft of the classified blueprints of the new ASIO headquarters in Canberra in 2013, while the Prime Minister’s cyber-security adviser, Alastair MacGibbon, told the ABC that the Australian Government was subject to cyber-attacks “on a daily basis”.
Iran’s Growing Cyber Toolkit
Iran is fast becoming proficient in the cyber realm. Particularly since the discovery of the Stuxnet virus in 2010, the Iranian Government has placed a growing importance on the advancement of its cyber capabilities. Operating in cyberspace is attractive to Iran for the exact same reasons that make attacks within the domain difficult to defend against: its ambiguous and indirect nature, the plausible deniability it affords, and the lack of norms that exist to moderate behaviour.
As Michael Eisenstadt of the Washington Institute for Near East Policy explains:
“[Iran’s interest in cyber] fits well with elements of its strategic culture: a preference for ambiguity, standoff, and indirection when conducting potentially high-risk activities-enabling it to better manage this risk. Second, international cyber norms remain inchoate, providing Iran with margin for manoeuvre in this domain. Third, Iran hopes to shape these emerging cyber norms, so that its cyberspying and offensive cyber operations become a tolerated form of behaviour, much as its use of terrorism is tolerated by many members of the international community.”
Cyber also provides a means of intimidation for states that are reluctant or incapable of projecting power in the physical domain. In this way, cyber tools can be viewed as “strategic asymmetric weapons, great equalisers with the potential of levelling the battlefield between powerful nations and those less capable.” Indeed, as Elias Groll of Foreign Policy noted in August, for Iran, “malware has become a tool of statecraft”.
Iran’s development of cyber techniques began primarily as a means to suppress internal dissent and disrupt the activities of opposition groups after the 2009 Green Revolution. The reaction of the Iranian Government included attacking websites of the reform movement, deepening its cyber surveillance and imposing heavy internet censorship. Its fear of networks only intensified after the Arab Spring of 2011, during which social media was utilised as an organising tool to topple governments across the Middle East. In July 2011, Iran was suspected of hacking into the Netherlands-owned company DigiNotar, granting it access to the email messages of approximately 300,000 Iranian dissidents.
In early 2012, Iran’s Supreme Leader Ayatollah Ali Khamenei ordered the creation of a “Supreme Council of Cyberspace” charged with coordinating the nation’s cyber activities; a clear signal of the new importance afforded to cyberspace by the regime. Since then, Iran’s “Cyber Army” – supposedly consisting of 120,000 volunteer hackers – has been attributed responsibility for a number of cyber strikes against Gulf states, the US and Israel. The most destructive among these include the erasing of data on the computers of Saudi energy company Aramco and Qatari company RasGas in August 2012 (believed to constitute Iran’s response to Stuxnet), the three waves of DDoS attacks against American banks and the New York Stock Exchange in late 2012, and the cyber attack that crippled the computer operations of Sheldon Adelson’s Sands Corporation in February 2014. Presumably, the DDoS attacks were a response to new sanctions imposed upon Iran by the US Congress whereas the assault against the Sands Casino appears to be retaliation to Adelson’s comment that the US should threaten a nuclear strike against Iran during P5+1 negotiations. Iran is also suspected of waging unsuccessful cyber strikes against Israeli and Saudi power grids.
Iranian cyber attacks against Israeli infrastructure targets have increased during times of conflict such as the Israel-Gaza war of 2014, albeit to no avail thus far. However, the regime has sought to transfer its cyber knowledge to both Hezbollah and Hamas, priming the former to be its “cyberspace proxy” just like it often acts as its irregular warfare proxy. As Michael Eisenstadt notes, Iran’s cyber toolkit “has evolved from a low-tech means of lashing out at its enemies to a pillar of its national security concept.”
Israel: Cyber Risks and Opportunities
Israeli Prime Minister Binyamin Netanyahu has listed cyber-attack as comprising “one of the four main threats to Israel.” It is no surprise, therefore, that the Israeli military places a high priority on developing its cyber capabilities to ensure it remains one step ahead of its adversaries.
The cyber realm thus presents both risks and opportunities for Israel. On the one hand, it must defend against countless cyber threats: Israel is one of the primary targets of global cyber-attacks with an estimated 1,000 occurring each minute of 2012 and over one million per day throughout the Israel-Gaza war of 2014. On the other, Israel has become a world leader in cyber research and development: its policies on cyber defence are “trend setting” while – as Stuxnet clearly indicates – its offensive capabilities are highly advanced.
As a nation highly dependent on modern technology, cyber-readiness is central to Israeli defence planning, from both an offensive and defensive standpoint. The Israeli Defence Force (IDF) considers cyberspace a potential battleground, as cyber warfare rapidly becomes a legitimate tool of statecraft. The Stuxnet operation signifies that Israel “sometimes views the cyber realm as an alternative to conventional warfare as a means to achieving its goals” and it reportedly has used its cyber capabilities to support its military operations – as per the 2007 airstrike on a Syrian nuclear facility. Supposedly, Israel was able to fly over Syrian airspace and bomb the facility without being picked up by Syria’s radar system as it had tricked the system to believe that everything was operating as usual (a similar tactic used by Stuxnet). Rather than shutting down Syria’s air defences, which would have alerted Syria to the attack, Israel used its cyber tools to temporarily reprogram them.
Yet despite its technological head-start, the IDF remains concerned that other states – such as Iran – will soon catch up in terms of capabilities, thereby eroding Israel’s cyber advantage, or, in the very least, become able to infiltrate its defences.
Matthew Cohen, Charles Freilich and Gabi Siboni explain:
“The IDF is concerned that enemies will be able to penetrate, disrupt, take control of and even use military communications networks against Israel, especially during hostilities. Moreover, every major IDF weapon – including submarines, missiles, aircraft and radar – has electronic components that are vulnerable to attack.”
In response to these challenges, in mid-2015 the IDF announced its plans to create a unified Cyber Command within two years. The Cyber Command will integrate the military’s defensive and offensive cyber capabilities and enhance the IDF’s operational effectiveness in the cyber domain.
As James Lewis noted back in 2014, cyberspace in the Middle East was set to “become an arena for covert struggle”.
Meanwhile, Australia-Israel technological cooperation in this field is growing. Indeed, the Australia-Israel Chamber of Commerce hosted its first Annual Cyber Summit in Brisbane on Aug. 15. This follows the first Israel-Australia Cyber Dialogue in late July (hosted by the Israel Trade Commission and the Australian Cyber Security Growth Centre) which brought together leaders from Australian and Israeli cyber industries, and the visit to Israel by an Australian cyber security trade delegation back in May. The benefits of cooperation are evident: in 2015, Israel exported an estimated US$3.5 billion worth of cyber products and services – capturing 5% of the world’s cyber market.
The Future of Cyberwar
Zero Days describes the Stuxnet operation as constituting “a revolution in the threat landscape”. Indeed, it stands today as the first known cyber weapon to cross the barrier between cyberspace and the physical world. The film reveals, however, that Stuxnet was only one aspect of the US cyber plan – anonymous NSA and CIA sources describe the development of Nitro Zeus, a large-scale cyber weapon with the capacity to disable much of Iran’s infrastructure in the event of a full-blown war.
The release of Stuxnet may have taken cyber warfare to a whole new level, but Zero Days leaves us with the distinct feeling that it is only the beginning.