Cyberspace is your space. We all share a part of it. When one area is affected, like a bad apple, it can spread to affect many others. So far, most have been lucky to only read the stories and see the news about outside activity affecting government and corporations. The devastation of cyber war hasn’t penetrated, but neither has the idea that it can.
Leading cyber security expert warns that the Web could one day darken due to international conflict, turning a boon to mankind into a tool for political and ideological control and domination. Stephen Budiansky reviews ‘The Darkening Web’ by Alexander Klimburg.
Alexander Klimburg thinks we are not nearly as worried as we should be about internet-borne mayhem in our increasingly interconnected world. His timing couldn’t be better. “The Internet, a fabulous artifice of human civilization largely perceived today as a domain for advancing freedoms and prosperity,” he writes in the introduction to “The Darkening Web,” “could become instead a dark web of subjugation.” He foresees a not too distant future in which cyberspace is primarily “a domain of conflict . . . threatening the overall stability and security not only of the Internet but also of our very societies.”
The cyber attacks in May and June that shut down hospitals in Britain and the United States, ATMs in Ukraine, railways in Germany, and tens of thousands of other targets around the globe were vivid illustrations of a concern that Mr. Klimburg, a cybersecurity researcher and senior fellow at the Atlantic Council, emphasizes throughout: that the United States government, in focusing single-mindedly on developing its own offensive cyber capability, has set off an “international arms race in cyber.” The recent attacks in fact used malicious computer code originally developed by the U.S. National Security Agency; the malware fell into the hands of rogue hackers when it was stolen and openly published last year under circumstances that are still unclear.
Like the Stuxnet virus that the NSA, CIA and Israel reportedly employed to sabotage centrifuges in Iran’s nuclear enrichment facility, the weapons used in recent attacks were crafted to penetrate the Windows operating system and exploit security flaws unknown to Microsoft at the time they were developed. Once inside a system, they can be commanded to steal data, monitor communications or engage in more disruptive attacks by disabling key functions.
In a world where these kinds of destructive attacks become the norm, Mr. Klimburg argues, it is the U.S. that has the most to lose. Or, as he more sweepingly asserts, the U.S. effort “to achieve total dominance” in offensive cyber capability “can be safely said to have totally backfired.”
Mr. Klimburg is particularly dismayed by the two-handed game that the NSA has been playing: outwardly working with technology companies to improve security for all, while secretly withholding knowledge of key weaknesses in the internet and computer software that the agency wants to exploit for its own intelligence or cyber operations. And he warns that the West’s responses to growing cyber threats run the risk of playing right into the “ambitions of authoritarian states,” which have long sought to control the flow of information through propaganda and censorship. Another recent front-page story offers a case in point: the discovery that hacking tools sold to the Mexican government by an Israeli security firm—and supposedly restricted to use against terrorists and criminals—had been used by the government instead to harass and spy on domestic critics.
Part of the difficulty that Western governments face in responding to these challenges is that a number of very different kinds of threats are lumped together under the catchall terms “cyber attack” or “cyber war.” Broadly speaking, Mr. Klimburg explains, there are at least three types of cyber attacks, each quite distinct.
The attacks that most resemble true warfare are those that aim to achieve the results that were once the sole business of bombers or commando teams armed with “kinetic” weapons: taking out an air-defense system or destroying a strategic target such as a power station, dam or command post.
A second type of attack is the natural outgrowth of the NSA’s longstanding efforts to penetrate global communications. What in the old days was done by monitoring radio transmissions and codebreaking is today a game of penetrating computers and swiping information at the source—a skill at which the Chinese and Russians have proved as adept as the NSA.
And then there is the nebulous but burgeoning field of propaganda and information warfare, alarmingly on display during the 2016 election. An army of Russia-based human and automated attackers (“robo-trolls”) deluged the United States with pro-Trump disinformation, while Russian-government controlled or sponsored groups hacked the Democratic National Committee and other U.S. targets in search of potentially embarrassing or damaging information to influence the outcome.
The more disappointing deficiency in “The Darkening Web” is the failure to engage the inescapable trade-offs that all of these challenges pose. Mr. Klimburg asserts that “to keep the Internet free, we need to keep Internet governance free” and insists that any move toward government regulation falls into a “trap” that Russia and China will eagerly exploit to clamp down further on their own citizens’ free use of the internet. Yet as the security expert Bruce Schneier has argued, only by setting regulatory standards for software security is there now a prayer of keeping up with the threat. Large companies like Apple and Microsoft have done a creditable job deploying quick patches as new threats emerge: Microsoft issued a patch as soon as the NSA hacking tools were published, and the computers affected in recent attacks were ones whose users hadn’t bothered to install the update.
But the explosion of the “Internet of Things”—everything from camcorders to cars to thermostats—has led to a deluge of shoddy and vulnerable code from companies too small to afford investing in security updates, or even to care. According to one recent estimate Mr. Klimburg cites, there are already 25 billion devices connected to the internet, more than three for every human being on the planet. This ever-expanding vulnerability, Mr. Schneier has argued, can only be addressed through a regulatory body that deals with security across the entire internet.
While insisting that the U.S. ought to devote far more resources to cyber defense and deemphasize what he sees as its no-win pursuit of an offensive dominance that has accelerated the “militarization” of cyberspace, Mr. Klimburg acknowledges a fundamental asymmetry at work. The U.S. is especially vulnerable to hackers given its ubiquitous embrace of technology. And the nature of the game virtually ensures that offense will always dominate: it is simply much easier and cheaper to create malicious code than to develop effective counters to it. He quotes Chris Inglis, the former NSA deputy director, who wryly observed that if cyber war were soccer, the score would be 462 to 456 after the first 20 minutes. He also quotes two “truisms” of cyber security: “that the majority of attacks could be avoided by taking basic defense measures,” notably by updating software immediately, but “that a dedicated attacker will always get in, no matter what.”
In places, Mr. Klimburg concedes the moral ambiguities of the situation, noting for example that the best hackers make the best security professionals. But he never comes to grips with the fundamental question of whether there is any practical alternative to the U.S. maintaining an overwhelming offensive cyber capability—at least when it comes to deterring state actors from carrying out the most threatening attacks, those aiming to wreak physical havoc on factories, pipelines, electric grids and other vital infrastructure. If “a dedicated attacker will always get in,” the situation is very analogous to nuclear warfare: Only the threat of massive retaliation can deter an attack in the first place. Of course, that assumes that one knows who the attacker is, and the author is skeptical of recent NSA hints that it has solved the problem of “attribution,” tracing an attack to its source.
tightrope of competing goals more astutely recognize that everything is a matter of degree. Michael Hayden, the former NSA director, has suggested that American policy must balance defense and offense on a case-by-case basis and has hinted that the NSA is keeping to itself knowledge of only the small number of software vulnerabilities that it is confident are beyond the means of anyone but the United States government to exploit. In that, the situation is no different from the challenge that NSA cryptologists faced throughout the Cold War, when they struggled to fine-tune the balance between codemaking and codebreaking in the hope that America’s allies would be equipped with codes secure enough to keep everyone in the world from cracking them—except for the NSA.
Mr. Klimburg effectively outlines the dangers we face but, when it comes to solutions, offers little more than abstractions about international governance mechanisms. And he does not even mention what Mr. Schneier posits as, ultimately, the only real way out: If we truly wish to keep our devices safe from attackers out to take over what is becoming a single world-wide robot, we need to start unplugging things from the far-too-ubiquitous web.
Mr. Budiansky’s latest book is “Code Warriors: NSA’s Codebreakers and the Secret Intelligence War Against the Soviet Union.”