National Security

Cyber-Gang Warfare

State-sponsored militias are coming to a server near you.

On February 11, the Washington Post reported that a forthcoming National Intelligence Estimate has concluded that the United States is the target of "massive, sustained" cyber-espionage campaigns that threaten its economic future.

The new NIE has not been publicly released, so it is not clear specifically which attacks or threats it documents, but the most visible recent attack comes from a cyber-militia labeling itself Iz a-Din al-Qassam Cyber Fighters. In September of last year, this group announced that it had launched an attack on a collection of U.S. banks in retaliation for the "Innocence of the Muslims" (the video that ignited violent protests across the Middle East on September 11, 2012). Al-Qassam's attack is one of the largest and most persistent distributed denial of service (DDoS) attacks on record, dwarfing the 2007 Russian cyber-militia attack that crippled Estonia. Authorities have described al-Qassam's capabilities as military-grade and speculated about the organization's ability to disrupt the already ailing U.S. economy. This month, after nearly six months of persistent attacks, cybersecurity experts have largely concluded that al-Qassam is a front organization created to screen an Iranian cyberassault on the U.S. financial system.

Whether or not the new NIE references the al-Qassam-Iran campaign, the attack is representative of a technique countries are increasingly using to strike at the United States and other countries -- one that has so far proven nearly impossible to defend against or deter. The stratagem involves surreptitiously building autonomous citizen hacker groups and using them to deflect responsibility for attacks originating directly or indirectly from the state sponsor. While it may seem implausible that this simple technique would work, over the last decade states have regularly used it to shield a variety of aggressive acts from legal or diplomatic reprisal, and it is becoming clear that this approach to cyberwarfare is harming the U.S. economy just as the Post reported.

Although seldom discussed, state use of cyber-militias has become a significant dynamic in international relations. As the cyber revolution has matured, cyber-militias have become the key to the most lucrative piratical strategy in history. Over the last decade, a large proportion of global commerce and military infrastructure has moved into cyberspace. Commercially, the developed world has transferred a large proportion of its physical industry offshore and refocused on developing intellectual property, almost all of which is stored online; at the same time, financial transfers have moved from paper to computer networks. Militarily, the plans for major weapon systems are developed on computers, and when fielded, the weapons are controlled by chips linked directly or indirectly to cyberspace. Strategically, electric grids, gas pipelines and other critical infrastructures are now controlled from cyberspace. In recent years, states that have been able to tap into this cyber trove have substantially improved their financial and military positions.

As states have attempted to seize and manipulate the wealth and weapons stored online, the reason so many have turned to cyber-militias is that they muddle attribution. The basic problem for countries hoping to use cyberweapons for profit and influence is the same one that prevents them from using conventional weapons: Other states frown on nations that use force or fraud against their neighbors. While it is more difficult to determine the source of a cyber-raid than a conventional attack, attribution is often still possible. Even when victims cannot trace attacks using cyber-forensics, there is a good chance they can do so using more traditional methods. For states hoping to steal or destroy their opponents' online property, attribution creates a bothersome deterrent. Indeed, there are few acknowledged cases of state-backed cyber-raids against other countries.

As the cyber universe expanded, cyber-militias became a key instrument of some states' foreign policy. Throughout the 2000s, nations connected key financial, military, and civil capabilities to the Internet, creating vulnerabilities to cyberweapons. In 2007, during a dramatic diplomatic dispute between Estonia and Russia, Russian cyber-militias launched a denial of service attack on Estonia that paralyzed the nation's banking system and civil services. As the attack progressed, Estonia invoked Article 5 of the NATO charter -- which states that an armed attack against one member of NATO is an attack against all -- and called on the alliance for support. Russia, of course, denied responsibility -- and Estonia was unable to attribute the attack to Moscow -- but it reaped the same coercive benefits it would have if its military had launched the attack, without any of the legal or diplomatic costs. For all practical purposes, Moscow had found a way to punish Estonia without being held to account.

In 2008, in its war with Georgia, Russia found a more bellicose use for cyber-militias. Before and during the war, Russian cyber-militias disabled key portions of Georgia's communications systems in a way that facilitated Russian military operations. In light of its overt conventional military operations, it may seem odd that Russia used militias rather than its vastly more sophisticated state-run cyber organizations. Yet it had good reasons for doing so. In order to affect Georgia's cyber systems, militias had to attack some civilian systems in third-party states. Had the military been involved, the attacks would have violated tenets of the law of armed conflict. Instead, Russia was able to restrict Georgia's access to the outside world, while using militias to circumvent accountability.

While Russia's use of cyber-militias against small nations is interesting, from a U.S. perspective the main geostrategic relevance of cyber-militias lies elsewhere. Over the last decade, both China and Russia have nurtured militias dedicated to crime. In Russia's case, the organizations are tied to mafias loosely connected to the government through a web of corruption, graft, and indirect and intermittent ties to military and intelligence agencies. Russia's cyber-mafia operations allow organizations to coordinate criminal activity and exploit cyber-wealth around the globe in operations worth billions of dollars each year. The cost to the state is minimal, generally little more than allowing law enforcement to turn a blind eye to theft involving victims outside the country, while harshly punishing criminals that attack Russian political targets. The overall effect is to increase Russia's GNP and to provide a cloud of cyberattacks emanating from Russia and Eastern Europe large enough to obscure and create plausible deniability for state-launched cyber operations. For instance, while a number of U.S. officials, including President Obama, have denounced countries for planting logic bombs in U.S. critical infrastructure that could knock it offline, the existence of massive criminal cyber operations makes it difficult to blame Russia -- even for war-like acts like taking down an electric grid.

Like Russia, China's use of militias to conduct cyber-crime also muddies the cyber-waters and protects the government. In China, however, the connection between militias and the state is more overt. Either because it does not possess the technical capability to do so, or because it does not believe it is worth the bother, China has done a poor job of disguising the ways it empowers its militias to attack other countries. Currently, more observed attacks on U.S. commercial and military systems emanate from China than all other countries combined.

From a geostrategic perspective, the increasing use of cyber-militias is having three main effects on global politics. The first is economic. Over the last two decades, the United States and other advanced nations have outsourced much of their physical industry to developing nations while refocusing on developing intellectual property at home. Yet today, Chinese cyber penetration of firms developing intellectual property has become so pervasive that former White House advisor Richard Clarke warned that every major company in the United States has been hacked. Gen. Keith Alexander, director of the National Security Agency, has called this pervasive intellectual property (IP) theft the largest illegal transfer of wealth in history.

One example of how this type of IP theft affects U.S. industry involves the F-35 stealth fighter (the most expensive military procurement program in history). According to Rep. Michael McCaul, several years ago Chinese hackers stole the plans for the F-35. Then, in November, China released video of their new J-31 stealth fighter, which appears, on the surface at least, to be a duplicate of the F-35 fighter from the stolen designs. Semi-autonomous Chinese hackers were able to radically advance a top secret program -- a skill they bring to commercial ventures as well. Chinese hackers often steal the designs for products, then build and sell them before the original U.S. designers can begin production.

It is difficult to calculate how much damage cyber IP theft is causing the U.S. economy. In a 2009 speech, President Obama warned that cyber-criminals cost the economy over a trillion dollars each year. That is more than the base U.S. and Chinese defense budgets combined. It is enough to hire 30 million Americans at median salary at a time when U.S. unemployment stands at 12 million individuals. Even if the real figure is half that, over time cyber IP theft will change the world's economic balance of power. Given the scale of the theft, it is not clear that the developed world's current economic model can succeed. While cyber-militias are not responsible for all cyber-theft, they and the systems states have set up to allow them to function are responsible for most of it.

The second geostrategic effect cyber-militias have is to empower militarily weak states in two ways. First, they provide a screen behind which states can implant malware into other states' critical military and civilian infrastructure. Second, they allow attacking states to deflect legal and diplomatic accountability. While Russia pioneered this approach during its conflict with Estonia, smaller states that cannot afford to project conventional military power have vastly more to gain from using it. For example, cyber-militias in Estonia, Latvia, Lithuania, Georgia, and Kyrgyzstan have threatened to attack infrastructure in Russia if it deploys cyber or kinetic weapons against them. While none of these states could really harm Russia with conventional weapons, a successful attack on Russia's energy infrastructure could devastate the economy and undermine the ruling party. Meanwhile, the governments in the attacking nations can plausibly, and perhaps honestly, deny involvement.

In a similar vein, Iran's current campaign against U.S. banks has the potential to inflict much greater costs than the Iranian military could extract in a conventional war. If Iran is willing and able to replicate in the United States a scaled-up version of North Korea's successful May 2011 three-day takedown of South Korea's largest bank, the cost would be on par with a small war. If it took down the U.S. electric grid, the costs could outstrip the trillion dollars the United States has spent in Iraq and Afghanistan. Whether or not Iran or other weak states are willing and able to inflict this type of damage on large states, their ability to do so increases their geopolitical influence. If the current Iranian attack on the United States eventually demonstrates the ability of a small state to cause, with impunity, significant harm to a large state, it will empower Iran and, by extension, other small states with offensive cyber-militias.

The third way cyber-militias affect geopolitics follows from the second, and is particularly worrisome. In order to empower cyber-militias, states must facilitate their ability to obtain cyberweapons and create institutions that reduce evidence of state control. Because reducing evidence of state control generally requires reducing actual state control, militias usually have some real level of autonomy. In an earlier age, when the worst damage cyber-militias could do involved defacing webpages and conducting minor denial of service attacks, this had limited implications for international security. In the post-Stuxnet era, however, it is conceivable that organized and empowered non-state actors could damage nuclear power plants, air traffic control systems, gas pipelines, banking systems, or electric grids.

Whether current-day militias could carry out such attacks is questionable -- though a 2008 National Journal article argued that various blackouts in the United States were caused by Chinese cyber-militias -- but with the rapid proliferation of cyber-weapons, they will likely have such a capability in the near future. The likelihood that a country's militia might attempt to autonomously carry out a massive life-threatening attack during an emotionally intense future crisis is a risk state-sponsors must accept when they deploy militias. How the United States, Russia, or other major powers might react to such an attack is anybody's guess.

This state use of militias is not historically unique. In the 16th century, England made extensive use of semi-autonomous pirates to raid Spanish seagoing commerce and colonial port cities. English piracy served the dual purpose of weakening a hegemonic opponent while enhancing England's national wealth. Like modern cyber-militia states, the British were able to plausibly deny they were behind the attacks while they bled their opponent nearly to death. The problem was, the attacks caused deep tensions between the two powers and led to two decades of ruinous military competition. In the end, England was forced to capture and execute its own pirates, international commerce was set back 20 years, and both the English and Spanish governments were bankrupted. Let's hope we can resolve the threat from cyber-militias before they do quite so much damage.

National Security

Neocons vs. Realists Is So 2008

Your guide to the new foreign policy divide.

President Obama may not say so explicitly in his State of the Union address, but his administration's foreign policy is poised to shift significantly in his second term. The shift is the result of an ongoing debate between two camps that I call "restrainers" and "shapers." Restrainers and shapers sharply disagree about the threats to the United States and this leads to very different views about how to engage the world -- and it may well lead to a division within the Democratic Party.

Restrainers see a crumbling infrastructure, the budget deficit, a subpar education system, and a sluggish economy as much more threatening than events elsewhere in the world. Democrats of this stripe call for "nation-building at home," to use President Obama's phrase, and want to prioritize these tasks at the expense of international commitments, which they see as a drain or a distraction. Republicans have their restrainers too. They eschew the notion of an activist government but also want to concentrate on the domestic tasks of reducing the deficit and restoring growth.

The shapers have a starkly different view. They agree that domestic challenges are important -- and should be the subject of a strong domestic policy agenda -- but they don't believe international difficulties are on the wane. The U.S. economy is in a slump largely because of a crisis-prone international economic order. A new foreign economic policy that advances new free trade agreements and a more stable international structure is crucial but thus far lacking. On security, the United States is a global power and detrimental developments in the Middle East, East Asia, or Europe will severely damage U.S. interests. For instance, war between China and Japan would likely spark a new economic crisis and create the conditions for decades of instability in a crucial region. Any notion that the United States can take a sabbatical to tend to the home front is mistaken, the shapers argue.

Diverging accounts of the challenges to American power lead to different approaches to foreign policy. Restrainers want to find ways to limit America's exposure to international events. Shapers want to find ways to influence them.

Restrainers believe that the United States is overcommitted in the world. They see the country as involved in a wide range of problems that have little bearing on the security of the homeland. Restrainers view the world as something that happens to the United States. U.S. efforts to shape the world are seen as likely to be counterproductive, either because the world is too complicated for the United States to calibrate its approach appropriately or because it will lead to too many new commitments. Restrainers are comfortable with the use of force as long as it entails a light footprint -- in and out. There is little appetite for the messiness associated with protracted involvements, whether that is in the use of lethal force or shaping the post-conflict environment.

Restrainers are not a monolithic group. At one end of the spectrum is the realist restraint school within the academic field of international relations. They come close to neo-isolationism. One of the leading theorists of this approach, MIT professor Barry Posen, proposes to slash U.S. alliances, including with Japan and Western Europe. Several other academics are working along similar lines. In general, they believe the world can take care of itself. The world may become a more dangerous place, but the United States has the wherewithal to insulate itself and may even take advantage of the situation. If they have a catchphrase, it's "The United States can be safer in a more dangerous world, just as long as it is not too involved."

But the academic purists cannot be found in the policy community or in the administration. There, a very different type of restrainer prevails. These restrainers want to preserve America's core alliances and commitments. For that reason alone the neo-isolationist moniker does not apply to them. However, they do want to avoid new entanglements that go beyond core commitments -- hence the reluctance to get involved in Syria -- and they do intend to scale back U.S. involvement overseas. They would also like to shift the burden somewhat to America's allies -- hence the Obama administration has done less to help France in Mali than President Hollande has hoped.

Shapers believe that the United States must remain a global leader and influence developments all over the planet, particularly in the Middle East, Northeast and Southeast Asia, and Europe. They do not just want to preserve America's alliances and commitments; they want to increase them to account for the changing nature of international politics. They believe that an increasingly competitive world means that the United States will have to work harder to maintain its military and diplomatic edge. This means building new strategic partnerships in Southeast Asia, influencing events inside Syria and Libya, and strengthening military capabilities. They also want to embrace and prudently advance concepts like the Responsibility to Protect, which they see as a crucial component of a values-based foreign policy. They know America will make mistakes, but they hope to minimize them by learning from the past and they believe that the risk of error is outweighed by the risk of inaction.

The Obama administration has had elements of both sides. It has been a shaper in East Asia and a restrainer in the Middle East. Indeed, the shaping in East Asia was embraced by some restrainers who saw an opportunity to get out of the Middle East. But the balance recently shifted in favor of the restrainers. The departure of several leading shapers, including Secretary of State Hillary Clinton, Secretary of Defense Leon Panetta, Assistant Secretary of State for East Asian and Pacific Affairs Kurt Campbell, and National Security Council Senior Director for Multilateral Affairs Samantha Power, has moved the needle in favor of those who want to do less in the world. Chuck Hagel is squarely in the camp of the restrainers. John Kerry is something of an unknown quantity -- he seems to want to engage diplomatically in the Middle East, but his attitude toward Syria and Asia is unclear.

Perhaps most important of all, President Obama seems comfortable as a restrainer. Bob Woodward has reported that Obama chose Hagel because the two share the same philosophy: "the U.S. role in the world must be carefully scaled back -- this is not a matter of choice but of facing reality; the military needs to be treated with deep skepticism; lots of strategic military and foreign policy thinking is out of date; and quagmires like Afghanistan should be avoided." Of course, this is only a second-hand report, but it is consistent with parts of the president's record.

Restraint is an idea that seems to fit the moment. Americans are tired of war and feel more constrained after the worst financial crisis since the Great Depression. However, over time, the realization will set in that staying out also shapes the world -- and probably in a way that is detrimental to America's interests. It creates a vacuum filled by others. It fuels uncertainty. And it exacerbates crises.

If President Obama does move in the direction of restraint, the next few years are likely to see the development of a Democratic critique of his foreign policy. This critique may be spearheaded by experts, including former Obama administration officials, who are seeking to shape the foreign policy platform of Hillary Clinton should she decide to run for president. Its core insight will be that the United States must continue to exert global leadership because in an interdependent world, retrenchment will not work. Welcome to the Democratic Party's new foreign policy debate.