Editor’s note: The following essay was sent to the board of trustees of the global geopolitical think tank, The Center for Strategic and International Studies (CSIS), and by permission of the CEO, John Hamre, we are making this important commentary available to readers of Directorship.com.
Back when I was the Deputy Secretary of Defense, we conducted the first significant cyberwar game. The ground rules were remarkably simple. The organizers picked a small number of relatively skilled computer experts, but limited them to buying computers from commercial stores. They were not given any special software, but were allowed to use software they could download from the internet.
The war game involved this small band breaking into computers used by the Defense Department to communicate with its forces. The “attackers” broke into DoD computers relatively easily, monitored our plans, and created false and misleading information. The exercise was called Eligible Receiver, and was the first alarming evidence that we were vulnerable to cyberattack.
That was nearly 15 years ago. But I have to say that this summer we crossed a dangerous threshold for cyberwar. Eligible Receiver demonstrated that the Defense Department was vulnerable to cyberattack, but that was because DoD had enthusiastically embraced the new computer technology of network computing without putting in place adequate security procedures.
As the war game proceeded, we were shocked to find the “enemy” was inside our own computer system. It was a wake-up call about our vulnerability in a world that had seemed so promising and full of hope. Since that time, I have largely felt that cyberwar was remote. Instead, the two threats I saw were cyberespionage and cybercrime. Both have exploded.
We are living with aggressive cyberespionage every day. Massive amounts of intellectual property and military technology are being pilfered every day by cyberhackers breaking into commercial and government computers. And cybercrime has exploded. It has gotten so bad that we know there are criminals who “auction off” to the highest bidder hundreds of thousands of stolen credit card numbers in cyberspace auctions.
Cybercrime has become routine. This summer things took a darker turn. I know of three very large corporations that experienced damaging cyberattacks. My government friends are being careful, but they have judged that at least two of the attacks came from Iran and are in retribution for the cyberattacks we undertook to disrupt their nuclear-industrial activities.
This reflects a troubling reality about cyberwar. We may attack a government operation in another country, but they can retaliate by disrupting commercial enterprises here and in partner countries. I personally think the cyberdisruption of Iran’s covert nuclear program was a good thing. It is far better to disrupt computers than it is to attack facilities and cause collateral damage. But it has opened an entirely new dimension of nation-state conflict.
Three large and very sophisticated companies had very damaging attacks this summer – attacks not designed to extort concession payments or to embarrass corporate reputations, but designed to damage operations. There is no absolutely conclusive evidence that they came from Iran, but all indications point in that direction.
We are now in a very different world. It is a widely held principle in the law of war that innocent civilians are not a legitimate target of military attack. But there are no ground rules for cyberwar. We are now in the middle of a new kind of war where the rules are not yet clear. We are at a stage where we need to construct international norms and strengthen national defenses. It was once theoretical. It is now real.
John J. Hamre is CEO of the Center for Strategic and International Studies, and was the 26th U.S. deputy secretary of defense.