Until recently, most information-technology- (IT-) security efforts concentrated on rogue hackers and criminal gangs. Organized military units as a cyberthreat is a new phenomenon that potentially affects not just governments but also financial institutions, utilities, communications providers, and other infrastructure providers. Today, such state-sponsored cyberwarfare groups remain relatively new, and, as such, their capabilities are limited. But the potential exists that these units could evolve into major military forces and join country defense as one of the cornerstones of warfare.
That cyberweapons have apparently already been deployed in various countries suggests that governments should not be complacent.
In early 2010, analysts discovered the computer virus Stuxnet, a worm that infected nuclear-related installations in Iran. Most experts believe that Stuxnet was created by a nation-state because it specifically targeted industrial systems not typically connected to the internet and used multiple sophisticated methods to attack computer systems and subvert real-world infrastructure. Stuxnet was not the first incident of state-to-state cyberwarfare. Many governments believe that Russia was responsible for cyberattacks on Estonia in 2007 and Georgia in 2008. Governments and companies have accused China of initiating various, mostly low-level, cyberattacks. Google (Mountain View, California) also claimed that an attempt to obtain passwords from various individuals, including senior US government officials and Chinese political activists, originated from China. Some observers also blamed a recent attack on the computer systems of the Pentagon—the United States Department of Defense headquarters in Arlington, Virgina—on Chinese hackers. Most recently, at the end of September 2011, Mitsubishi Heavy Industries (Tokyo, Japan), one of Japan's major defense contractors, revealed that it found a virus on a substantial number of servers and computers. The attack was aimed at missile, submarine, and nuclear-power-plant data. No leak was confirmed, but the Japanese defense ministry demanded an investigation.
More significant than any individual attack is the development of a new arms race as countries compete to develop cyberwarfare units. At a recent security forum in Berlin, Germany, noted security analyst Bruce Schneier, founder of Counterpane Internet Security (now BT Managed Security Solutions Group; Santa Clara, California), listed what he believes are the three biggest noncriminal cyberthreats: the establishment of "big data" by industries that trade the data of individuals, inappropriate law-enforcement regulations, and the proliferation of cyberweapons causing a destabilizing arms race.
Most cyberwarfare units purport to be primarily defensive in nature, but some are likely also developing offensive cyber weapons (some such weapons have already been deployed). One such cyberwarfare unit is China's Blue Army, which, according to reports, launched in 2009. In 2010, the US government set up the United States Cyber Command (Fort Meade, Maryland) to provide day-to-day defensive measures for military systems and prepare for "full spectrum military cyberspace operations" (www.arcyber.army.mil/org-uscc.html)—a phrase that suggests the unit also has an offensive remit. In the United Kingdom, the head of the armed forces, General Sir David Richards, has said that he hopes to set up a cyberwarfare unit and made explicit reference to developing offensive cyberwarfare capabilities. Because of the cyberattacks in both Estonia and Georgia, Russia is also likely to have cyberwarfare capabilities. If observers that suggest Israel was involved in developing the Stuxnet worm are correct, then Israel is also part of the cyber arms race. And North Korea may also have developed cyberwarfare expertise: South Korea believes that the North Korean military initiated a recent attack on a South Korean bank.
One potential implication of an increased threat of cyberwarfare is the arrival of communications networks that provide alternatives to the internet and other open communications systems. Iran is taking steps toward a national internet to disconnect Iranian cyberspace from the rest of the world. Cuba, Myanmar, and North Korea have taken similar steps. According to the New York Times, the US government is leading a global effort to deploy "shadow" internet and mobile-phone systems that populations can use to undermine repressive governments that restrict communications access. For example, the US Department of State and US Department of Defense have spent at least $50 million to create an independent cell-phone network in Afghanistan. Restricting enemies' public-communications infrastructure could also become important in the future. Recent riots in London, England, demonstrate how small hostile groups can use everyday social-media technologies to great effect to move through cities and cause disruption, beating conventional security strategies. Social media may play a growing role in more serious urban conflicts in the future.
That cyberweapons have apparently already been deployed in various countries suggests that governments should not be complacent. At the very least, governments probably should ensure that they have cyberdefenses that keep pace with cyberwarfare developments around the world. Cyberterrorism represents a kind of threat that is different from state-to-state warfare. Perhaps rightly, Stephen Fidler, former security and defense editor at the Financial Times, questions whether cyberattacks will generate the kind of images that terrorists crave. But one could conceive of a terrorist cell holding a country hostage by disabling its power or financial systems. And traditional organized crime also remains a clear threat in cyberspace: Citigroup (New York, New York) acknowledged that hackers stole $2.7 million from 3400 accounts in May 2011, just to name one example.
James Lewis, a specialist in cyberwarfare at the Center for Strategic and International Studies (Washington, DC) argues that current cyberwarfare is at about the same stage of development as airpower was in 1917 and 1918 when aircraft were in use only for small-scale raids and reconnaissance flights. If Lewis is right, could cyberwarfare one day play as much of a role in wars and conflicts as airpower does today? Certainly, the world has not seen what will develop as states start to create organized cyberwarfare units. The effort could take ten years or more to reach maturity, but the resources and organizational capabilities of military units will create—or are already creating—cyberthreats that greatly exceed the efforts of malicious individuals or criminal gangs seeking financial gain. Organized units have yet to try to launch coordinated attacks on telecommunications, power, and finance systems, and the full implications of such actions are as yet unknown. Perhaps Stuxnet is just the equivalent of a small-scale raid by World War I fighter planes. What implications will an equivalent modern air force with fighter jets and guided missiles have?