The Spoked Wheel's Cyberwarfare Q&A

cyberwarfare, politics, technology

Questions by Artur Matos Alves, Researcher

Answers by Armando Marques Guedes, Professor, Faculdade de Direito, Universidade Nova de Lisboa (Lisbon) and author of several books on international relations, political science and defence (mainly in Portuguese; you can find a few of them here).

This Q&A aims to question the current state of cyberwarfare in international relations and its impact both in military doctrine and the way we perceive information and communication technologies – and the political implications of that. The challenge was graciously accepted by Prof. Armando Marques Guedes, coming to life in a series of questions and answers rather longer than the typical blog post. Of course, the discussion easily branches out to social networks, collaboration and surveillance, and some of the trends of contemporary politics. The text has been updated several times, enriched with new insights and intel.

What would be your over-arching definition of cyberwarfare?

I am not sure defining what in fact is a fast moving target would be too prudent. One may, however, easily circumscribe the notion of cyberwarfare, so that we all know what we are talking about, or at least what we are referring to. There seem to be two possible approaches to such a circumscription, one ‘tighter’ and another, a looser, more inclusive, one. Let me begin with the tighter approach, the one that isolates a more limitative cluster. That would go something like this: cyberwarfare alludes to those aspects of conduct in war in which digital media are both instruments and targets. This, of course, is a very restrictive circumscription, you will note, as it excludes, for instance, things such as ‘conventional’ (in the sense of non-digital) attacks on digital equipment or infrastructures, or the use of, say, computers, for attacks on ‘conventional’ targets. For the sake of clarity in object-definition, even if this means designing a rather reductionist straitjacket, I would normally prefer to reserve the term cyberwarfare to those actions and activities in which digital paraphernalia are present, simultaneously, as targets and as resources – even if and when the final aims of this type of warfare stand well outside such domains, as does perhaps happen in the large majority of cases. A looser, more inclusive circumscription, which I would tend to favor as a mere means of allusion, includes all strikes that involve digital media, either as subjects or as objects. This looser use tags a far more evanescent cluster of activities and actions, of course. All in all, I prefer the tighter, earlier usage, as it neatly allows us to know precisely what it is we are conversing about. However, since the boundaries between digitally produced ‘reality’ and analogical one are shifting quickly and unpredictably, I think it is sensible to also retain the mode of circumscription that I called the looser one – even if only as a general indicative term of allusion: it offers us useful semantic slack, which minimizes the risk that we may soon have to forego the term ‘cyberwarfare’ altogether as well as the risk of reifying it. ‘Cyberwarfare’ is far more than a mere instrumental thing, comparable to, say, ‘gun warfare’, or ‘tank warfare’; it is closer to things like ‘psychwarfare’, or even ‘armed combat’. But all in all I tend to prefer steering clear of definitions, for which I see fewer benefits than disadvantages.

Companies in all areas now rely heavily on ICT, not to mention states and other organizations. This has led to a deep perception of the dangers of pervasive networks. What countries and/or organizations do you see as being in the forefront of cyber security and cyberwarfare? Can we even point out the main threats at this time, given all the speculation about Russia, China, North Korea?

I would certainly place those three at the top of my list. But I would also include non-State entities here, both in what concerns cyber attacks and cyber security. Entities like al-Qaeda may try for that (they did try to go for bioterrorism) as might Hamas (a few of them died, not that long ago, when their bio weapon – the bubonic plague, it is believed – accidentally killed them). For cyber security, I would bet on the US, Germany, the UK, Japan, Brazil, Russia, China, and anonymous hacker geeks wikiing their way upwards on open source software development.

In your new book about the 2008 Russian invasion of Georgia – a work published by the Portuguese Ministry of Defense’s Institute for Higher Military Studies (IESM) – you mention that the action was «hybrid», not in the purely “combined arms” sense, which would now include cyberwarfare (would it not?) but mainly to point out the role of civilian participation. Can this be interpreted as an emerging doctrine or a contextual way to leverage cyber-anarchists or sympathizers? Maybe this can be formulated in another way: can civil society make itself an instrument of cyberpolitics? And do you see this as an inevitable outcome of the growing virtualization of life, social relations and “hollow states” (as John Robb puts it)?

To my mind, it is both of the above. Cyberwarfare makes use of spontaneous civil society compagnons de route, while it still has a way to go to become a fully-fledged doctrine in any meaningful sense. It is probably nevertheless safe to stress that a doctrine is indeed crystallizing around a pattern of force-mobilization that we would be hard put to not recognize as growing very fast indeed, and this the world over. The “hybridity” I wrote about will most certainly be there for as long as open access connectedness remains, empowering non-State actors all the way down to individuals – and perhaps beyond, to fashions, moods and states of mind. It is not quite difficult to see how and why this is so. Technology, for a long time, tended to favour the consolidation of political hierarchies. Modern technology, instead, largely because of its low cost and very low cost-steepness, appears to favor political decentralization by virtually universalizing empowerment. However, States and other ‘nodal’ hierarchical systems, on the other hand, no matter how much they are being “hollowed”, to use John Robb’s expression, do not seem to me to be about to disappear; although threatened they will surely be capable of putting up a long effective fight for survival. In this very strong sense – and if new technological developments do not ‘des-invent’ such grass-roots force-gathering propensities, and of course they will not – hybridity of the sort that one witnesses today in cyberwarfare (or even in plain participation in non-military political movements) is here to stay. ‘Digital citizenship’, as it has been called, is bound to intensify its expression in war, thus blurring even further the already less-than-neat traditional distinction between peaceful political mobilization and its many more agonistic variants – and it does so by rendering them all into manifestations of a more basic form of what I would be tempted to call ‘asymmetrical resistance’ to effective hierarchical power. Is this all inevitable? I would say no, as I do not see how we may convincingly defend any form of technological determinism; but I surely am of the opinion we are into grassroots empowerment for the long haul. Let me go back a second, here. I guess that what I am saying underlines the fact that I am unsure about the contrast between ‘combined arms’ hybridity and civilian-military hybridity. These are really two sides of one and the same coin, nowadays. Many of the coordinates of our classical political landscapes – of the very topography of politics, really – are undergoing non-trivial changes. Such profound changes are often sensed by all of us, albeit often inchoately. This is a deep reconfiguration that we must learn to understand. For the moment, we do not, not fully.
Perhaps most interesting is the fact that the tactical entrance into scene of digital media blatantly rapidly acquires important strategic dimensions in a contemporary world embedded in an as far-reaching Information Revolution as the one we are living in.

Give us an idea of how contemporary cyberwarfare attacks take place, what is involved in them, what the reaction is and what the effects are to such digital forms of aggression.

In the case of the so-called “Five-Day War”, the Russian invasion (quickly followed by a dismemberment) of Georgia, there were successive waves of attacks launched – and waved around before, during and after the August 2008 invasion – on servers in Georgia. I shall go here for further details – now set within the general framework of Moscow’s novel form of affirmation in its internal space and in what it deems to be its crucial ‘near abroad’. In fairly general terms, here is how things went. As the official report on the topic by the Georgian Government, Russian Invasion of Georgia – Russian Cyberwar on Georgia explains it, “[t]he Russian invasion of Georgia was preceded by a cyber attack on Georgia’s Internet facilities. A large number of Georgia’s Internet servers were seized and placed under external control from late Thursday, 7 August, whereas Russia’s invasion of Georgia officially commenced on Friday, 8 August. Also, much of Georgia’s traffic and access was taken under unauthorized external control at the same time that this first large scale attack occurred”. There were various targeted sites, all very well chosen – as if the objective was to hinder the communicational and internal and external coordination capacities of the Georgian State and its allies: “36 important web sites were identified as targets for hackers, including the US and UK Embassies in Tbilisi, Georgian Parliament, Georgian Supreme Court, Ministry of Foreign Affairs, various news agencies and other media resources, the Central Election Commission, and many others”. Well, then, and who launched these attacks? Interestingly, strikes came from various different sources and flowed in a sort of curious decentred pattern.
Allow me to quote Nick Farell here, again at some length, from his article in ITExamminer.com (October 2008): “[the hackers carried out a] kind of attack, known as a distributed denial of service attack, is aimed at making a Web site unreachable. It was first used on a large scale in 2001 to attack Microsoft [which neutralised, among countless others, such giants as Yahoo, eBay and CNN] and has been refined in terms of power and sophistication since then. The attacks are usually performed by hundreds or thousands of commandeered personal computers, making a positive determination of who is behind a particular attack either difficult or impossible”. As far as we know, in the case of Georgia, the stratagem used was not, however, merely that of a ‘denial of service’: “[i]nitially, security experts assumed that the sites were felled via "distributed denial of service" (DDoS) attacks, a well-known method of assault that uses hundreds or thousands of compromised personal computers to flood a targeted site with so much junk traffic that it can no longer accommodate legitimate visitors. But investigators soon learned that attackers were instructed in the ways of a far more simple but equally effective attack strategy capable of throttling a targeted Web site using a single computer. Security researcher and Grey Goose [a consortium formed at the bequest of the US Government for the purpose of looking into the cyberattacks on Georgian targets] investigator Billy Rios said attackers disabled the sites using a built-in feature of MySQL, a software suite widely used by Web sites to manage back-end databases. The ‘benchmark’ feature in MySQL allows site administrators to test the efficiency of database queries, but last year hackers posted online instructions for exploiting the benchmark feature to inject millions of junk queries into a targeted database, such that the Web servers behind the site become so tied up with bogus instructions that they effectively cease to function”. An innovation.

And a serious one, as innovations go...

Well, the problems in the case of the computer assaults against Georgian targets were not as serious as they could have been since, on one hand, many of the Georgian servers were immediately disconnected and their contents ‘migrated’ to servers overseas, and, on the other, given that many of Tbilisi’s computer systems are ‘primitive’, and consequently not online, they were not neutralised. There is much debate as to whether the attacks were coordinated by the Kremlin or whether they were spontaneous and carried out by opportunistic Russian hackers; the relatively low virulence of the attacks suggests the last of these hypotheses. What is more, many of the IPs the attacks originated from belonged to North American, French, Spanish, Latin American etc. addresses. Anyhow, it should be stressed that it was the first case in which such a sustained type of malicious swarm attack occurred simultaneously with massive conventional military attacks. So, what then – in terms of its ‘political composition’, or ‘texture’, so to speak – was the detailed attack pattern followed in the Georgian case? Was there only one well-coordinated military assault? Or was there a civil-military strike beforehand? Fascinatingly, what seems to have taken place was the progressive unfolding of a strongly hybrid action. A very clear hybridity: although the participation of ‘independent’ hackers (congregated informally in what I will term a ‘virtual civil society’) seems indisputable in the case of the cyberwar against Georgia, so too was – everything appears to so suggest – the active complicity of the Kremlin authorities. As Brian Krebs mentioned, Jeff Carr, the chief investigator of the Project Grey Goose consortium to which I have alluded, indicated that the site in which the addresses and recipes for attack were placed was suggestively named StopGeorgia.ru. The attack that was launched came up against Georgian defences but it succeeded in defeating them; and the idea that there had been a heavy degree of premeditation seems irrefutable. Let us listen to the very words of analyst Brian Krebs, in the Security Fix Weblog: “’StopGeorgia administrators also equipped recruits with directions on evading those digital roadblocks, by routing their attacks through Internet addresses in other Eastern European nations. The level of advance preparation and reconnaissance strongly suggests that Russian hackers were primed for the assault by officials within the Russian government and or military, Carr said.
The fact that the StopGeorgia.ru site was up and running within hours of the ground assault -- with full target lists already vetted and with a large member population -- was evidence that this effort did not just spring up out of nowhere’, said Carr, speaking at a forum in Tysons Corner, Va., sponsored by Palantir Technologies, an In-Q-Tel funded company in Palo Alto, Calif., whose data analysis software helped Grey Goose investigators track the origins and foot soldiers involved in the cyber attack. ‘If they were planning ahead of the invasion, how did they know the invasion was going to occur? The only way they could have known that is if they were told’”. So what we witnessed was a Russian State intervention, followed by a swarm of ‘private’ involvements, in a rather self-organized manner. What we saw was the formation of a digital political movement of sorts, in this case parasitical on State involvement.

What does all this mean, in the sense of what does it spell from a political angle, from the perspective of the development of new forms of politics?

It spells the emergence of new emergent political-military coordinates, no doubt. New coalitions appear to be emerging rather spontaneously. This is something for which we must prepare ourselves. And something on which Russia stands at the front line of innovation. If such is the case – and there is much to indicate that it indeed is – the consequences of this kind of more or less spontaneous coalition should not be disregarded. The result of such innovative forms of ‘bellicose’ intervention raises questions that are related to the old responsibility-freedom binomial, once again on stage again but in new contexts. And its presence in wars seems to be inevitable from now on. What is the significance and ultimate political reach of these interventions by a sort of ‘metastasis’ of a ‘virtual civil society’ of variable geometry, which continually forms and un-forms itself according to the specific causes that appear? Although an answer to that clearly exceeds my scope here, this is obviously a matter worth pondering rather carefully. So allow me to return to something I said earlier. Are we witnessing the rise and rise of coalitions of the spontaneously willing? In any case, new types of ‘action’ and ‘political participation’ seem to be emerging, with the format of unusual, or atypical, ‘political movements’ – clearly, not all ‘virtual communities’ are “herbivorous”...

With the aim of widening our scope, here, let me jump ahead a little, and talk about a political aspect of these sorts of innovations: the one which follows from the well-known and often discussed contemporary increase in surveillance politics – in this case in connection to the growing efficacy of such ‘private’ and ‘wired’ political actors. Since the technology (malware, virus, trojans, DDoS, etc.) is so widespread and ‘public’, is not there the danger that surveillance cannot keep pace with these smaller and more dynamic actors?

Of course there is the possibility that surveillance and ‘negative freedom’, as Isaiah Berlin called it, fall out of step with each other; in fact, even if many of us are blissfully unaware of it, that incapacity for keeping pace is already happening. There are a couple of good reasons, at least, why that is not patent to all. One is connected to the fact that the general surveillance to which we are increasingly subjected is by no means as publicized, and recognized by us, as it undoubtedly should be. Another reason for the relative invisibility of this out-of-stepness is linked to the very fast increase in surveillance which followed 9/11 – the conjunctural surge in surveillance it spelled sort of hid its structural decrease in efficacy which took place largely as a result of our use of novel digital modalities of networked resistance. But one can easily see the incapacity of surveillance to keep pace with the decentralizing political empowerment effects of digital technologies fully at work through the refraction of the frantic and largely unsuccessful rear-guard attempts to safeguard the intellectual property laws of old. Small, modular, agile groupings slip through the fingers, as it were, of slow-moving heavy hierarchical systems. An analogy can and should be established between the frantic efforts of ‘copyright crusaders’ and the overall setting in of general surveillance.
It is simply a question of not keeping pace with what you called “more dynamic actors”. It is lagging behind them and were it not for the reinforcement of surveillance following 9/11 we would all immediately see that is increasingly the case. Still, we must be aware that insidious and, in a sense, counter-intuitive modes of surveillance seem to be creeping in hand to hand with bottom-up empowerment. One clear example of this is what Anders Albrechtslund called “participatory surveillance”, in an article published in late 2008: the one provided by online social networking practices. Online social networking, as Albrechtslund stressed, offers us a splendid opportunity to “rethink” the very concept of surveillance – by somehow adding to it (or at least to its more usual interpretations, as in Michel Foucault’s original notion this sort of dimension was most surely included, in his notions of “friendship”, or “love”, for example) the possibilities of voluntary forms of this participatory surveillance, ones involving mutuality, empowerment and sharing. Benevolent forms of surveillance, so to speak, in the sense of forms non-inhibiting of negative freedoms. The challenge, here, is to pinpoint the “modes of subjectivity” which lead us to want to give rise to these alternative forms of surveillance.

Back to military issues now: NATO and the US have begun to pay some attention to these dynamics. Not all action has to come from state agencies, so non-traditional players (non-state actors, even networked bored adolescents) may be disruptive. How can national and international agencies deal with this?

The short answer is they cannot, not in the mid- and long term. But short term they can and they do indeed try to deal with the disruptive effect of those “dynamics”. How? Well, here goes a longer answer, in which I shall argue States are capable of doing this in two complementary ways. National and international agencies can forestall disruption by either going ‘networky’ themselves, and/or by selective counter-strikes. I don’t want to go into this in very great detail, but would nevertheless like to give a few pointers here. For the first tactical move (going network as an adaptive response, in a sort of arms race) much has been written. Look up, for example, Anne-Marie Slaughter’s work at Princeton or Yochai Benkler’s at Harvard – she on the growth of networked political, administrative and legal structures, he mostly on the latter. By doing that, States and international organizations (a) become more resilient themselves, and, (b) their increased agility sometimes allows them to disrupt the disruptors. The thing to underline here is that if, on the one hand, States and State-centered entities [and this is what most international organizations actually are in our Westphalian world] must act contra natura in order to go networked, on the other hand they surely have the means to do that, at least temporarily, with relative ease. And it works! In order to see this clearly, let us reason by exclusion. As an example, simply ask yourself the question: if networks do indeed have such an immense set of advantages when confronting hierarchies, how come al-Qaeda terrorists, for instance, do not win clashes against them every time? The answer is simple: in spite of their comparative structural disadvantages, the raw fact is States have many more resources at their disposal than terrorist networks do. And segregating anti-network networks has often served States well – as may be seen with entities like Homeland Security, the UN, the institution of diplomacy, or the new military doctrine of “swarming”, States are even capable of generating mid- to short-lived networks when the need arises, to do work they themselves cannot directly carry out. In the second place, States can forestall immediate disruption at the hands of digitally viable ‘wired’ networks by engaging in precisely targeted selective counter-strikes. If States do this quick enough, they do manage to quite effectively slow ‘malicious’ external network-induced cascades. Here they must bring to bear their vastly superior means. This has been taking place in many fronts. In what concerns political-military disruption, NATO has not in fact acted “in the wake of the US”, it has mostly gone the other way round – interestingly, perhaps the US has a much larger comparative ascendant over other NATO member-States than any US agency connected to security and defense has over any other of the national ‘sister’ entities, with many of whom it must compete, often ferociously.
In other words, NATO is often more agile than the US itself… While this is not the case across the board, that this is largely true in what concerns many general security issues cannot be doubted. Let me give you just one example among many possible ones – and it will be the reaction of NATO and the US to cyberwarfare itself. Following waves of systematic attacks of Russian origin on a huge number of Tallinn official Internet servers, NATO created a cyberwarfare ‘centre of excellence’ there. It was from whence came many of the specialists called into Georgia in August 2008, following a wave of attacks launched from Russia and elsewhere in rather close synch with the invasion ordered by the Kremlin.

And what about the US?

Well, allow me to quote at some length from the wonderful Amitai Etzioni Notes, and specifically from his 11th of June 2009 blog entry: “several major security threats that were largely ignored by the Bush-Cheney Administration. [Now] it is the Obama Administration that is attending to these threats, and in ways that progressive people have little reason to oppose. The threats include, first of all, the dangers posed by cyber terrorists to both the government and the private sector. Given the way U.S. computer networks are now exposed, little information—whether it concerns security or the economy—can be kept confidential. Moreover, cyber attacks can readily disrupt key elements of US infrastructure, such as air traffic. In 2008, hackers breached government computers and planted harmful software 5,499 times. Cyber spies stole information on the Defense Department’s Joint Strike Fighter. It was left to Obama to pay the proper attention that this issue commands by appointing a cyber security czar, a long overdue step in the right direction. Equally exposed is the electrical grid on which U.S. factories, offices and homes all rely. Software programs were found to have been planted in the U.S. electrical grid that could be used to disrupt the system in the future. An experiment in an Idaho demonstrated that hackers could command an electricity-producing turbine to spin in ways that would cause it to fly apart. Another security matter the previous administration did not address”. I rest my case that, if anything, the US Administration is working in the wake of NATO. And I do hope I have, in the process, given a few examples of manners in which States and international organizations can counter-act, at least temporarily and partially, network activists – by bringing to bear on them their superb organizational capabilities, acting in precise targeted manners so as to slow them down.
A piecemeal activity which is condemned to fail in the long-run – unless States deeply reconfigure themselves into adaptive networked entities with little resemblance to the old 19th Century ones we still live with; they are all around us.

Low-tech states are less vulnerable to this kind of aggression. But their strategic resources can be as high-tech as any other countries’. I’m thinking about pipelines, factories, mines, communications, etc. Is there a danger of target disruptive cyber-attacks, besides more conventional guerrilla warfare or terrorism? What would the hot-spots (countries that fit this description) be?

Low-tech States are indeed in many senses less vulnerable to cyberwarfare aggressions. For instance, Georgia suffered much less than Estonia did as most Tbilisi computers (a comparatively much smaller number, anyway) are not online. This lower level dependence on computers and the Internet means low-tech States are in actual fact less prone to cascading disruption than higher-tech ones. But that is often not at all the case with their strategic resources, of course – these tend to be more carefully and often fairly efficiently protected. Many hot-spots, as you call them, fit the bill of low-tech areas with vulnerable high-tech ‘connected’ strategic resources, however: Venezuela, North Korea, Iran, Azerbaijan, Kazakhstan, Pakistan (a special case, this latter instance, as US efforts have recently done much to diminish risks for those assets, namely nuclear ones) are some examples which come to mind.

On a higher plane: given the unbalance of cost and effects in CW, do you think it will become a mainstay in politics for the 21st century? A new form of “cold war” or just plain old “politics by other means”?

Is there a difference? Anyway, my bet goes for staple 21st Century mainstay. I do not believe we are witnessing – or even that it is likely we shall be faced with – a new “Cold War”. The conjuncture is altered, in a deep structural sense. The asymmetries, for one, are far greater now than at any time since the early 50s, at least. Complex interdependence is thicker than ever: we even call it globalization, nowadays, la mondialisation. This patterns cyberspace in a significant way and that, in turn, gives it specific political properties which come to the fore as soon as conflicts arise. But those changes hide a long-term set of continuities, ones which may perhaps be described in short-hand as follows: it does not really matter what the novel specific properties and potential unfolding of cyberspace amount to as far as wars are concerned – for ultimately it is little more than a new dimensionalization of ‘geopolitical’ space after all, even if it blurs the boundaries between ‘normal’ and so-called virtual space. Changes will be mostly quantitative. But large quantitative alterations do turn qualitative, so the politics of conflicts in cyberspace will not be the same as old politics – so the change we are witnessing in the last decade or so will lead to a rejuvenation of politics. A multi-dimensional sort of identity layering (or an intrinsic complexity in what amounts to a multi-level production of subjectivity, if you will) is patent here that makes all the difference: one that splits feelings of ‘belonging’ and ties of loyalty too. I would not be surprised if a multi-dimensional sort of “neo-medievalism” (the term is not my own, Hedley Bull came up with it in 1977, in his The Anarchical Society) will settle down on us. My guess is that after a brief modernist spell we will go mainstream again – back to multidimensional identity construction and layered loyalties, or multi-level ones, if you prefer. We will all be many in one. New modalities of rationality will emerge. Tomorrow will not be like today.

Do not use without permission. This document is subject to the Attribution-Noncommercial 3.0 Unported Creative Commons Licence.

Posted on: 2009/07/25 Update: 2009/12/05
