Could a new Code War be just a few clicks away?

Cyberwarfare between nation states has escalated – are we inching closer to e-mageddon, asks DAVIN O'DWYER

As a rule, newspapers prefer to write the headlines rather than be the subject of them. However, when the New York Times recently revealed it had been the target of a sophisticated cyberattack emanating from China over the course of four months last year, it positioned itself at the heart of a global power struggle. This war is being played out between hackers operating on behalf of rival nation states. The threat might be largely invisible to most of us, but the era of cyber-espionage is already upon us. The question now being asked is whether that means an age of cyberwarfare is imminent.

The attack on the New York Times came as it was preparing to publish a story last October about how the relatives of Wen Jiabao, China’s prime minister, had accumulated a multi-billion dollar fortune. After the admission, other media organisations also claimed to have been the victims of Chinese cyberattacks, including the Washington Post, the Wall Street Journal, Bloomberg and even Twitter.

This follows a pattern of Chinese-based cyberattacks on western targets. Most famously, in early 2010, Google revealed that it and more than 20 other leading US corporations had suffered a wave of attacks originating from China.

Since then the threat has become endemic. According to some estimates, 2012 was the busiest year on record for cyberattacks. Last September, five US banks were targeted by the largest denial-of-service attack in history, believed to have originated from Iran, while the US department of homeland security has also revealed that an unnamed US power station was recently crippled for weeks by cyberattacks.

The increased threat is prompting a strong response: outgoing US secretary of defence Leon Panetta hasn’t been mincing his words, warning that “it is very possible the next Pearl Harbour could be a cyber attack. That is something we have to worry about and protect against.” The Pentagon is planning to increase staffing levels at its Cyber Command to nearly 5,000 cybersecurity experts from a “mere” 900 now.

US president Barack Obama is also formulating an executive order to overcome the stalling of the Cybersecurity Act of 2012 in the Senate last year, which was to ensure the security of critical national infrastructure. Last November, he signed a directive on “cyber operations”, defining rules of engagement. A few days ago, the New York Times published a leaked “secret legal review on the use of America’s growing arsenal of cyberweapons”, which “concluded that President Obama has the broad power to order a pre-emptive strike”.

Obama has already employed this power. In 2010, he authorised Operation Olympic Games, a joint operation with Israel that deployed the Stuxnet worm against Iranian nuclear facilities, which damaged the centrifuges used at the Natanz nuclear plant. At the very least, the operation set a dangerous precedent, ensuring Obama will find it difficult to reprimand other nations for cyberespionage and cyberattacks.

But can something as nebulous as “cyberwarfare” develop into the real thing? According to journalist Misha Glenny, an expert in cybercrime and the author of the book Dark Market, about the world of criminal hackers, cyberwarfare has no antecedents from which to reliably predict how things might unfold.

“My theory of cyber-espionage and cyber warfare is that this is an inherently pre-emptive form of conflict,” he says. “That is, if you look at nuclear, you know what your assets are, you know how many warheads you’ve got, you know the delivery systems, you know where they’re targeted, and your enemy knows the same thing. It’s very clear what the balance of power is. The difference about cyber is that your assets are the initially intangible vulnerabilities of your opponent or potential opponent. In order to undertake cyberespionage, and in order to be prepared for cyberwarfare, you have to explore the vulnerabilities of your opponent.”

This makes it extremely difficult to draw up any international regulatory framework for the use of cyberweapons, even if countries such as China and Russia were willing to abide by them. “It is entirely up to individual state structures as to what they do,” says Glenny. “Without regulation, without clear limits, states tend to do whatever they can.”

Moreover, as cybersecurity expert Thomas Rid points out, “offensive capabilities in cyber security don’t translate easily into defensive capabilities”. An arsenal of cyberweapons, then, is not simultaneously both an offensive threat and a defensive deterrent the way an arsenal of nuclear weapons is. Rid is highly sceptical that outright cyberwarfare will ever happen, suggesting cyberattacks are only really suited to espionage and sabotage.

Glenny offers another form of consolation. “Will the US and China pull the trigger against each other? Very unlikely, and that is because in economic terms, the Chinese and the Americans are entirely interdependent – one falls, and the other falls with it. You have to look at it not in terms of are we on the verge of it, but are the political conditions ripe for this to happen?”