Is America at risk from a counter-strike by Syria if it launched a military attack against Syria's chemical weapons? Yes—but not in the traditional way. A Syrian response would likely be of a different, asymmetric cyber form. And that’s a whole new way of thinking about war and contingencies.
For the past several weeks American leaders have been considering a military strike in Syria (a possibility that seems to have faded in recent days). Lurking behind the controversy and debate about whether that sort of strike would be good policy is a problem that must be driving military planners to distraction—America is no longer immune. Any decision to launch missiles at Syrian chemical weapons targets must incorporate an answer to the question—what will Syria do in response?
It used to be that when military planners considered questions like that, the answer was modest derision, at best. What, after all, could Syria (or most other countries) do to threaten America?
When, in 1998, the United States launched Tomahawk missiles into Sudan, it assuredly was worried about the diplomatic consequences of its actions. But that was all. Bombs in Sudan were not going to result in bombs falling on New York City. For that matter, even when the United States invaded Iraq in 2003, Americans could be confident that military action would be limited to the Middle East. Iraq couldn’t strike at America directly.
Likewise, when Israeli warplanes destroyed an Iraqi nuclear plant in 1981, and when they destroyed a nascent Syrian reactor in 2007, the government no doubt had to consider a number of contingencies for reactions by Iraq, Syria, and the world. They might, for example, have worried that their ally, the United States, would take retaliatory diplomatic action against them. And they might have considered whether their military action would generate a terrorist response from Syria’s allies in Lebanon.
But in none of these cases did either Israel or America need to give significant consideration to the contingency of a military response from their opponents. The disparity in military strength (along, in the case of the US, with geographic distance) made a military counterattack essentially impossible. Both countries could, in effect, strike at military targets with near impunity.
That’s not true anymore.
As it plans strikes in Syria, the Administration has to consider whether groups like the Syrian Electronic Army (S.E.A.) can execute effective cyber counterstrikes here in the United States. The S.E.A. has been described as a “collective of pro-[Bashir al-]Assad hackers and online activists” who operate with the support of the Syrian regime (if not its actual connivance). It is easy to overstate the problem and speak apocalyptically of the capabilities of the S.E.A. But it would also be unwise to dismiss them as a non-existent threat.
When they first came on the scene, the S.E.A. hacked into Twitter and Facebook accounts, so that it could publish fake news about the conflict in Syria. And it sometimes engaged in DDoS attacks on the web pages of opponents of the Syrian government. [A DDoS attack is a Distributed Denial of Service attack—it involves an automated massive flooding of a website with malicious traffic. So much that legitimate traffic is crowded out and the website is, effectively, taken off line. It’s a bit like hitting a website with a fire hose ….]. While demonstrating some capability, most experts saw these as relatively unsophisticated attacks.
In recent months, however, the S.E.A. has seemed to get better—quite a bit better. In August 2013, for example, the S.E.A. hijacked the New York Times web page. How they did it is a lesson in the new asymmetry of conflict in cyberspace.
The New York Times is displayed at a web site—one with the domain name “nytimes.com.” But, of course, computers speak in numbers, not letters and so that “domain” must be registered and associated with an internet address. Individual companies and users don’t do that themselves, they rely on other companies—domain name registrars—to make the association. And these registrars, in turn, report their addressing linkages to the broader global network. That network, using 13 root servers, keeps a global registry of domain names and associated internet addresses—one that is updated constantly. That’s the address book for the internet—“nytimes.com” becomes an internet protocol address that is a string of numbers—and it’s how your web browser knows where in cyberspace to find the New York Times online front page.
The S.E.A. got inside the process and hijacked the domain name system. It began with a sophisticated phishing email to the Times’ registrar. [A phishing email is one that has attractive “bait” in it—a bad web link for example, or a document with malicious software embedded in it.] When the registrar took the bait, S.E.A. was (apparently) able to take control of some of the registrar’s addressing functions. In effect they got the ability to change the internet address for the New York Times to a different one, an internet address that S.E.A. controlled. The registrar, not knowing that it had been hijacked, duly reported that change up the line to the global network. As that new address got propagated around the world, all of a sudden, everyone trying to reach the Times web site was directed to an S.E.A.-controlled website.
And for good measure, the S.E.A. left behind a calling card on the registrar’s blog: “Hacked By S.E.A.,” it read. “Your servers [sic] security is very weak.”
It could have been worse. The web site redirection could have gone to a malicious website that spread malware. It might even have gone to a fake Times website with phony news. Whatever the result achieved, the S.E.A.’s effort demonstrated a more sophisticated level of skill than had been previously seen. Given these skills, military planners in Cyber Command have to take seriously the S.E.A.’s threat to retaliate if the US launches a military attack on Syria. As the S.E.A. said in a recent (anonymous!) interview:
The moment the US government breaks international law by attacking the sovereign state of Syria, it has given up any rights to complain about being targeted by us or any other group around the world, as it would have lost all legitimacy. Yes, we will target all of it.
So … how did the S.E.A. get better so quickly? As with most things in the murky domain of hackers nobody quite knows for sure. But Michael Gross of Vanity Fair recently published an article that made a convincing case that the Syrian hackers were getting assistance from Iran. As Gross reports:
One Middle Eastern cyber-analyst in London has said that “there are strong indications that members of [S.E.A.] are trained by Iranian experts.” . . . At this point, there’s no solid evidence that Iran was party to [a] hack [of the Associated Press], but among the list of plausible scenarios, none is comforting. Perhaps, with Iran’s help or urging, the S.E.A. continued Qassam’s experimentation with threats on the U.S. financial system. Perhaps the S.E.A. learned from Qassam’s bank attacks and launched an independent operation on the same model. Or perhaps whoever hacked the A.P. had no financial outcome in mind at all—it was just a $136 billion aftershock. [Qassam is an Iranian-affiliated hacker group.]
What this means, for our military planners is that we are in the midst of a paradigm shift. Our conception of conflict in the cyber domain has generally reflected a traditional understanding of warfare—it has been focused on peer nation state opponents like China or Iran or even North Korea as likely adversaries. But the reality is that unstructured semi-official groups with loose affiliations to nation states can and indeed are also likely to do as much to American interests as any nation state. The S.E.A. is just the tip of the iceberg in this regard.
The new reality is one of asymmetric conflict. The hackers’ ability to compete successfully against governments is, in the end, inherent in the structure of the Internet. That structure allows single individuals (and/or small groups) to wield power in cyberspace that is disproportionate to their numbers. And, as the S.E.A. demonstrates, nations can use non-state actors as proxies or mimic the activities of cyber hackers to hide a government hand behind malicious activities—as it seems Syria and Iran may have done.
In short, American power in Syria is constrained by the possibility of a significant response from the S.E.A. And if that’s the case for Syria, all the more so for, say, military action against Iran’s nuclear program. The cyber domain is a new world and American is no longer immune.
Image via shutterstock.com