Analysis & Opinions - Wall Street Journal
Cyber Attacks Can Spark Real Wars
The U.S. and Israel are not ready for a sophisticated cyber attack from the likes of Iran and China.
For most of this year, Arab-Israeli tensions have been spilling off the streets and airwaves and onto the region's fiber optic cables. Citizen hackers on both sides have engaged in tit-for-tat raids on Israeli, Saudi and other regional computer networks. Stock exchanges, airlines, government offices and even hospitals have had their websites defaced or shut down. Credit-card numbers and personal emails have been stolen and posted on the Internet. One Israeli official has labeled the escalating cyber hostility "terrorism" and called for it to be dealt with as such.
It has not been terrorism. No one has died and, so far, nothing has blown up as a result. Indeed, most of the activity has involved the use of relatively commonplace hacker tools and techniques. This ongoing cyber "hacktivism" has, however, demonstrated three things that should cause nations to act.
First, the ease with which the hacktivists have been able to steal data and to shut down Web pages suggests that companies (and perhaps governments) in the region have not yet taken cyber security seriously. Governments in other regions (Asia, Europe, North America) have been educating, assisting and regulating companies to improve their cyber security. There has been a notable lack of such government activity in the Middle East, and that inactivity has opened the way for citizen hackers to cause the mischief we see today.
If the hackers turn their attention to disruption and destruction, as some have threatened, they are likely to find the controls for electric power grids, oil pipelines and precious water systems inadequately secured. If a hacker causes real physical damage to critical systems in that region, it could quickly involve governments retaliating against each other with both cyber and conventional weapons. Middle Eastern governments need to get their citizen hackers under control and better protect their own critical networks, or they will eventually be dragged into unwanted conflict.
Second, the Arab-Israeli hacker exchanges have demonstrated again the lack of any effective international organization to assist in preventing cyber crime and de-escalating tensions among nations in cyberspace. The Budapest Convention on Cyber Crime, which entered into force in July 2004 and has been ratified by more than 40 countries including the U.S., does require nations to assume responsibilities for any attacks that originate in their cyberspace.
But there is still no operations center that a nation can call to get another nation to stop its citizens (or servers in its country) from causing problems. Nations, if they talk at all about these cyber attacks, do so at 19th-century speed with embassies requesting assistance either in person or through a letter.
An international Cyber Risk Reduction Center could be modeled on the Nuclear Risk Reduction Center (NRRC), which I once led at the end of the Cold War. It was created in 1987 to link Washington and Moscow operation centers so the two superpowers could immediately talk with someone on the other side when there appeared to be a nuclear threat or an event that could lead to one. The success of the centers depended on the ability of the two sides to act quickly to stop their own risky activity once they learned about it from the other side.
Now Washington and Moscow are beginning to explore using their NRRC channels to discuss cyber concerns, but neither side yet has the authority or capability quickly to stop malicious cyber activity originating in their own nation. Moreover, there is no international counterpart center.
If, as happened last month, Saudi Arabia's stock market is again knocked offline by a cyber attack originating in Israel (or vice versa), the Saudis should be able to call an international center and seek assistance. Israel, as a member of the international center, should be able to act promptly to see the attack and shut it down. All of that should happen in a few hours. Implicit in such a system would be an "obligation to assist" other members of the international system and to identify and prosecute the culprits. Failure to assist should have consequences such as financial damages or even outside filtering of message traffic to search for attack programs.
The recent hacker exchange should also remind us that just as hacking could escalate to the use of conventional force in the Middle East, the reverse is also true. Bombing Iran, for example, could unleash an Iranian government cyber attack. Israelis say they could handle that, despite the recent evidence to the contrary. Unfortunately, much of the critical infrastructure in the U.S. is still not ready for a sophisticated nation-state cyber attack either.
Mr. Clarke, who served three presidents as a senior White House national security official, now serves on the board of the Middle East Institute. He is the author of "Cyber War: The Next National Security Threat and What to Do About It" (Ecco, 2010).