6. Cyber Warfare and Militarization Paper

Cyber Warfare and Militarization

CYSE 495

Professor Karahan

December 10, 2021

     War has typically been fought through physical means, such as guns, fists, swords, tanks or jets, and even bombs. Over the last fifteen to twenty years, however, the military has been developing ways to militarize the use of technology. With advancement in the technological field comes the touchy subject of how militarized the cyber space can become. The cyber space offers many different ways to attack corporations, communications, military weaponry and vehicles, etc. A cyber attack is classified as “an attack on a system through the internet to obtain information, bring harm or loss to whomever being attacked, whether that loss be in profits, and someone or an organization’s reputation” (Gomez p. 54). There is a variety of cyber attacks, but some of the most common types are man-in-the-middle attacks, denial-of-service attacks, brute force, phishing attacks, social engineering, and malware attacks (Barnard-Wills and Ashenden, 2012). Malware was the first noted cyber attack that was militarized in the past twenty years (Gomez p. 54).

     The increasing frequency of offensive cyberspace operations (OCOs) directed toward states/countries, particularly the disclosure of Stuxnet in 2010 that appears to have been aimed at disrupting Iran’s nuclear development program, has prompted a reassessment of state behavior in cyberspace. In the years since, states have gradually militarized cyberspace through the establishment of various programs that have framed this as “a new domain of warfare” (Gomez p. 54). The Stuxnet attack is monumental since it showed that physical damage could be done through the cyber atmosphere. Consequently, the nature of these events assigns responsibility for responding to a state’s civil defense and military apparatus (Cavelty 2012, Barnard-Wills and Ashenden, 2012). Furthermore, the increasing number of suspected state or state-sponsored OCOs is believed to have accelerated the militarization of cyberspace with the adoption of military doctrines specific to this domain, the emergence of national cyber strategies, and the establishment of military units responsible for conducting warfare in cyberspace (Cavelty 2013; Luiijf and Besseling 2013; Ottis 2009; Nye 2014; Young 2009; Barnard-Wills and Ashenden 2012). Cyber space is not just at risk of being militarized; it is already in the process of being militarized. With that being stated, we know throughout history that advancement within any field, especially technology, has had no limits. In a 2009 dissertation titled Technogeopolitics of Militarization and Security in Cyberspace, Dorothy Denning stated that “there was a breakdown on different cyber attacks that could be coordinated, and they are placed under a category labeled tools and tactics” (Rutgers the State University of New Jersey and Yannakogeorgos p. 150).
The tools and tactics that Dorothy Denning discusses are eavesdropping and packet sniffing, tampering or data diddling, snooping and downloading, spoofing, jamming or flooding, injecting malicious code, exploiting flaws in design, implementation or operation, and cracking passwords, codes, and keys (Rutgers the State University of New Jersey and Yannakogeorgos p. 150). Eavesdropping and packet sniffing is typically used to obtain user IDs and passwords, and this is done by a hacker intercepting data packets en route to their destination without altering any information throughout the process (Rutgers the State University of New Jersey and Yannakogeorgos p. 150). Tampering or data diddling is defined, according to Denning, as the “unauthorized modifications to software stored on a system, including file deletions” (Rutgers the State University of New Jersey and Yannakogeorgos p. 150). Snooping and downloading is not the normal type of attack that captures or takes information; it obtains access to files and folders on a computer and can browse through any information on the system without detection or restriction (Rutgers the State University of New Jersey and Yannakogeorgos p. 150). Files or any other information of interest may then be downloaded to a flash drive. For this attack to occur, it would need to be done through physical contact with the device. A spoofing attack is an attack where the identity of the attacker is falsified through the OSI layers; the falsified identity can be a user, device, or website (Rutgers the State University of New Jersey and Yannakogeorgos p. 150). An example of spoofing would be someone who makes an attack on a system but falsifies where the attack came from. Jamming or flooding is an attack method used to disable or tie up a system’s resources. Injecting malicious code can range from small annoyances to complicated problems.
The effects can be as small as resetting a user’s clock or as large as completely erasing all the data on their drive. Attacks that exploit flaws in design, implementation or operation happen due to the poor protection programs that are in place to protect against potential attacks. Hackers will look to exploit any weakness in a system’s software to gain access to information such as files or accounts, or to sabotage the system or its files (Rutgers the State University of New Jersey and Yannakogeorgos p. 150). Cracking passwords can be a guessing game for an amateur, or it can be done by a pro who uses software to decrypt a password. These types of attacks are baseline attacks that can be militarized by anyone to obtain information from individuals, companies, and other military operations from foreign countries or even our own. “In early 2008, the CIA disclosed that hackers had successfully launched cyberattacks against foreign utilities. These attacks are the outgrowth of a trend that has been building over the past decade in which hackers install computer systems that allow them to remotely control critical infrastructures, such as power, water and transportation, through the Internet. Recent years have seen the advent of wireless networks” (Hansen and Nissenbaum p. 54). This article discusses the baseline cyber-attacks that occur, but it goes on to say that since the dawn of cyber space, hackers have improved and will continue to improve on ways to obtain information, shut down systems, and achieve whatever goal they set out to obtain (Hansen and Nissenbaum p. 54). In his book, Conquest in Cyberspace, Martin Libicki offers a U.S. view that closely matches the Russian and Chinese perception. He differentiates between conquest in cyberspace and conquest of cyberspace. An example of conquest in cyberspace is an attack against a power generator. Conquest of cyberspace, in Libicki’s view, would mean taking out cyberspace as a whole.
He defends this distinction by arguing “while something akin to conquest can be defined for cyberspace, cyberspace itself cannot be conquered in any conventional sense” (Hansen and Nissenbaum p. 54). Instead, he argues that there are two types of conquest that can occur: hostile and friendly. The focus of these types of conquest is on how information and information systems are used to destroy or confuse decision-makers through the manipulation of bits. “Thus, for Libicki, conquest in cyberspace is seen more as an attack against the decision-making cycle relying on computer systems in times of war but occurs in peacetime as well” (Hansen and Nissenbaum p. 54). Cyber attacks are inevitable and can come from many different angles due to the multiple variations of each type of attack. Whether the cyber space is at risk of being militarized can be answered by the fact that there are groups and laws set in place to regulate the cyber world. “More recently, the 2007 large-scale digital attacks on Estonian public and private institutions in response to the government’s removal of a World War Two memorial were labeled the first war in cyberspace and NATO replied by declaring the protection of information systems a crucial component of its force transformation” (Hansen and Nissenbaum p. 54). NATO stepped in and declared that anything that raises the level of concern about what is to come with the cyber world is something that needs to be dealt with. There are other organizations in place to ensure the safety of critical infrastructures, or at the very least to stay in control of them (Barnard-Wills and Ashenden, 2012). “Supervisory Control and Data Acquisition (SCADA) is a ubiquitous information system used worldwide to remotely control industrial and critical infrastructure. SCADA is comprised of distributed remote access points that allow users to remotely connect to an infrastructure linked to a particular SCADA network. The system’s direct or indirect connections to the Internet allow for the remote monitoring of industrial and critical infrastructure. Since nations and industries rely on these computer networks to efficiently maintain crucial machinery, SCADA itself is a critical system that enables countries and companies to function. Thus, attacks on such networks pose significant threats to human and national security” (Barnard-Wills and Ashenden, 2012). The reason the cyber space is considered to be a risk, or at risk, is that understanding the cyber world and all the ways that it can be utilized for harm is complex. There is a great deal of uncertainty and risk associated with how to handle cyber security and the potential for its militarization. “This includes current cyber security policy developments in both the United Kingdom and United States and the explicit tensions in this area. It then proposes the use of governmentality theory and discourse analysis to better understand the construction of the problems of virtual space and the implicit tensions subsumed in the dominant discourse of cyber security. This approach is applied to the dominant discourse, identifying the dominant construction of virtual space as ungovernable, unknowable, problematically visible, vulnerable, inevitably threatening, and inhabited by a range of hostile and threatening actors. The article concludes with the implications of these findings” (Rutgers the State University of New Jersey and Yannakogeorgos p. 150). The cyber world lacks an accurate feedback loop of quantifiable results and has limited measure of effectiveness and no chain of events that culminates at a decisive moment (Kallberg & Cook, 2021). The reason that the cyber space is so misunderstood is that hacking attempts have yielded few results, meaning not enough results to notice all the damage that has been done during an attack. The past twenty years are just the beginning of what is to come as technology and hackers progress. “A defender is in a stronger position to measure the effectiveness of the defenses because of the ability to implement frameworks to assess operational stability, level of degraded operations, and where and how internal defensive measures have been engaged.
The defending actor can see their own networks and get at least a crude understanding of the impact from the cyber engagement. The measurement of effectiveness problem is most challenging in offensive cyber operations or any aggressive cyber interchange where the outbound engagement will face the inability to properly assess impact and effectiveness” (Kallberg & Cook, 2012). We are in the digital age, and companies that set up software to protect themselves from potential cyber threats also have their own employees try to find the weaknesses within their security. The problem with militarizing it would lie with the individual or people that are trying to protect an asset, due to the unexpected possibilities of potential threats. “In reality, cyber-attacks would be over before leadership could identify and understand the strategic landscape. If the attacks were not premeditated, but relied on harvesting vulnerabilities in an ongoing conflict, the time frames in which larger, future engagements could occur limit (or in the worst case, nullify) the orchestration of a cyber defense” (Kallberg & Cook, 2012). “Rapidly executed cyber-attacks — especially those that are well prepared, organized, and premeditated — eliminate the ability to mount a cyber defense, because the short time available for decision making restricts decisions to the tactical level” (Kallberg & Cook, 2012). The militarization of the cyber space is going to take time to become a dominating risk, due to the complexity of seeing the results of the attacks and also not having the correct preparation for defense tactics. However, as the past twenty years have shown us, the potential for future cyber warfare is growing. “Engagements in a militarized domain are likely to utilize routing and attack vectors that support anonymity and hinder accurate accountability or delay determining the actual digital locale of the attacker.
There are several tools and techniques available [14] and the tools are expanding in ability and accessibility. The conventional way to preserve anonymity by proxy servers, utilizing delay tolerant networks [15], TOR packages, and Onion networks do not require any major investment. These techniques are available even for unsophisticated actors. An advanced offensive cyber attacker has in his reach numerous options to ensure that traceability is undermined and the highest level of a defender’s ability to determine who the attacker is becomes a plausible certainty” (Kallberg & Cook, 2012). If the cyber world is to become a more militarized risk, everything would need to be a coordinated attack.

Citations:

Barnard-Wills, David, and Debi Ashenden. “Space and Culture.” Securing Virtual Space: Cyber War, Cyber Terror, and Risk, 2012. Sage Journals, journals-sagepub-com.proxy.lib.odu.edu.

Gomez, Miguel. Global Security and Intelligence Studies. 1st ed., vol. 2, Policy Studies Organization, 2016, www.apus.edu/academic-community/journals/dl/gsis-01-02.pdf#page=43.

Hansen, Lene, and Helen Nissenbaum. Digital Disaster, Cyber Security, and the Copenhagen School. 4th ed., vol. 53, The International Studies Association, 2009.

Kallberg, J., & Cook, T. S. (n.d.). The Unfitness of Traditional Military Thinking in Cyber. IEEE Xplore. Retrieved December 5, 2021, from https://ieeexplore.ieee.org/abstract/document/7896576

Rutgers The State University of New Jersey, and Panayotis Yannakogeorgos. “Technogeopolitics of Militarization and Security in Cyberspace.” Technogeopolitics of Militarization and Security in Cyberspace, 2009, pp. 1–286. Proquest, www.proquest.com/docview/305064510?accountid=12967&pq-origsite=primo.