Interview with James A. Lewis: "We Have to Get Our Defenses in Order"


Currently, only a few states possess the means to wage a real cyberwar. The technology, however, is becoming more widespread. Less stable countries, like Iran or North Korea, as well as non-governmental hacker collectives, could be tempted to deploy it. States are facing a potentially chaotic future should they fail to set up proper lines of defense, warns James A. Lewis.

Paul-Anton Krüger

SZ: Cyberattacks make headlines almost every day. Cyberwar seems to have become the new buzzword. Have we already seen an attack that gives us a glimpse into what cyberwar would be like?

In the sky, on the ground, under the sea — wherever data flows, through the air or through cables, there are antennas and satellite dishes to intercept the electronic signals. (Photo: REUTERS)

Lewis: We can estimate from some incidents what cyberwar would look like. But there really hasn't been any cyberwar. What we have seen in the last five years is that the internet has become a central part of business, politics, finance. And criminals exploit that. Most of the incidents are not an attack or war, but some sort of crime. We have seen a huge surge in crime, and that makes everyone realize that the network we depend on is so vulnerable and that if there was some war there could be some real damage.

SZ: But there have been incidents that were related to a political conflict, like the attacks on Estonia in April 2007 . . .

Lewis: There is a lot of hype about Estonia. Some people will tell you that cyberattacks brought Estonia to its knees. That's complete nonsense. It put a lot of pressure on the Estonian government, mainly because they were wondering: What's next? Is this a precursor to a Russian invasion or to a somewhat more damaging attack? It was a politically coercive action. It wasn't warfare, it wasn't an attack. This is why NATO didn't invoke Article Five, as the Estonian minister of defense told me. It was not considered as an act of war or the use of force. If these denial-of-service attacks had been extended in time and if the scope had been equivalent to a naval blockade, then maybe you'd want to say, this does rise to the level of a military action. There is some ambiguity if we pushed an Estonia-like event to an extreme, but Estonia itself was not an attack.

SZ: How about Georgia in 2008? These attacks went along with a military campaign conducted by Russian forces.

Lewis: Interestingly, it looks like the same people that engaged in the exploits against Estonia were involved again. The exploits were closely synchronized with Russian military activities, which implies a high degree of coordination with the Russian government. Georgia was a hint as to how Russia will use cyber tools in future conflicts. It was for political purposes; it was what the Russians call information warfare. It was to have a political effect; it increased the pressure on the Georgian government. But I wouldn't say that this qualifies as warfare.

SZ: In 2010, the Stuxnet virus came to light. It was apparently designed to damage Iran's nuclear program.

Lewis: Stuxnet would be the use of force, because it involved destruction. This is one of the few incidents, at best there are only two or three, that you'd call a true cyberattack. Stuxnet was the equivalent of sending a team of commandos to slip into the country and sabotage a facility. This could open the question for the Iranians: Should we regard this as an act of war? But that's a political decision. It wasn't war in itself. War is a continuous, ongoing use of force to obtain concessions from another state.

SZ: So what would constitute a cyberwar? What would it look like?

Lewis: Cyberwar as waged by states would be part of a larger military conflict. And we have been able to see in public documents what the doctrine would be for a few countries. If the US and China got into a conflict over Taiwan, the Chinese would use cyber techniques in combination with electronic warfare and anti-satellite warfare, together with missile strikes on US naval forces. They would try to disrupt the US informational advantage. The US is much more effective when it fights wars, because it has computers, satellites, networks, loads of data flowing to a commander. If you can disrupt that, you can make US forces less effective. Similarly, the US will be trying to do this to China. Disruption of command and control, increasing the fog of war — that would be the first part of cyber conflict. But states are not going to launch a pure cyberwar or a "cyber-only" conflict. Cyber weapons are not that destructive. You are not going to get a lot out of that. That's why even though Russia, China, the US, the UK, Israel, maybe France have the capability, they are no more likely to launch a real cyberattack than they are to launch a missile.

SZ: Scenarios like taking down the electrical grid, the water supply, or other critical infrastructures of an advanced industrial country are not realistic?

Lewis: We need to think of two different sets of actors: state actors and non-state actors. For a state actor, you would make the same sort of military decisions about the use of cyber techniques that you would for any other weapons. What advantage would you get from bringing down the electrical grid? And what are the risks of doing it? The risk, of course, is that it is a huge escalation. If the US and China fight in the South China Sea, it's a contained conflict. If China strikes civilian targets in the US homeland, that's a tremendous escalation and poses the risk of some kind of kinetic response on China. Militaries will think carefully before they launch that kind of attack. Plus it is hard to do, and we usually overstate the damage. I don't know why anyone would bother to strike the water supply system.

SZ: But wouldn't it have disruptive effects on the daily lives of people, cause panic, and seriously weaken a nation?

Lewis: There are thousands of targets in the US and you would have to hit each one to have a true damaging effect. There are at least 3000 power plants in the US. We have a vulnerability in how we transmit power, that I think we are trying to fix. You can compare it to strategic bombing: What we know about strategic bombing is that it was a failure. Nations, industrial nations in particular, are resilient. People are inventive. If you blow up a bridge, the next day they will have put logs across the river. In real warfare you have to hit multiple targets many times over an extended period to cause true damage to the nation's military capability. Cyberattacks are not going to do that.

SZ: Traditional military defense and deterrence are based on the assumption that you are able to detect where a weapon was launched. In the case of cyberattacks, wouldn't you simply see the electrical grid going down without having a clue who attacked you?

Lewis: Right now, I think that is not the case. There are only a few countries who can do that. So there is a limited set. And people overestimate the difficulty of attribution. It is not that there is a hundred percent anonymity in the attack. A few years ago the general in charge of US offensive cyber capabilities told me they could almost immediately attribute an incident in a third of the cases. So what you are saying to the attacker is: "You are playing Russian roulette with a revolver that has three chambers, how do you feel about it?" Since then, other military officials have told me that our ability to attribute is much higher. This creates uncertainty for the attacker. I might get away with it, but the US might figure it out. It is the same as you would send in a squad of saboteurs. You can cut the labels out of their clothes and change the fillings in their teeth so that if they are caught, nobody knows where they are from. How comfortable do you feel that your ploy is going to work? That is what it comes down to. But attribution is usually overstated as a problem.

SZ: That might deter China or Russia. But what about adversaries that are seeking an asymmetric advantage, or non-state actors like terrorist networks?

Lewis: That's the real dilemma. Right now, only large states have true attack capabilities, and they have deliberate processes for deciding when to use them. But what we are seeing is the proliferation of capabilities to countries that are less stable, like Iran or North Korea, and to non-state actors. What happens when anarchists have the ability to launch cyberattacks? They will not be deterred. So if we don't get our defenses in order, we are looking forward to a messy few years. Think of Anonymous. What can they do? They can deface somebody's website. But what if they could turn off the lights in a city for a day or two? That would go beyond irritating.

SZ: What does that imply for the cyber defense of modern industrial countries? What capabilities have to be developed?

Lewis: It means that you need to have at least three levels of capabilities. You need some military and intelligence capability to be able to convey to potential foreign opponents that you have the ability to respond, to inflict some penalty for an attack. You also need strong law enforcement. We don't have that right now, because nations are not willing to cooperate. Better law enforcement internationally would reduce the risk of cyber attacks. And finally, you need some kind of homeland security approach which is the hardening of critical infrastructures. We know that companies will not do this adequately on their own. So you need some way to regulate critical infrastructure sectors to make them meet minimal standards for cyber security.

SZ: Cyber attacks usually exploit vulnerabilities of networks or flaws built into software. For any defense, you need to detect these flaws and vulnerabilities - something that is also needed for developing offensive capabilities. If you know about a loophole, you can either decide to close it. Or you decide not to close it to be able to use it for offensive purposes in the future. How can you solve this dilemma?

Lewis: It's true that letting the offense inform defensive actions makes it easier to defend. It's not essential, but it does make it easier. This issue of do you tell or do you keep it a secret comes up routinely. There has to be a political process within the government to make that decision. The US has usually come out on the side that it's better to close the vulnerability and to share the information rather than to preserve the attack capability. And some of that is frankly just arrogance as we always assume we will be able to come up with something else. But you don't leave it purely to the military or intelligence agencies. You have to have political oversight at the ministerial and cabinet, at the chancellor level that makes that decision.

SZ: What about the protection of privacy rights? How does that interfere with the need to make the Net more secure?

Lewis: People are reasonably concerned about that because the most effective cyber security techniques are intrusive. You have to look at traffic to find the patterns of malicious activity. And, of course, when you do that, the immediate reaction from many people is: "Well, you say you are only looking at my traffic for malware. How do I know that you are not also reading the contents of it?" That's a fair question. So you need to think about oversight, you need to think about transparency, you need to think about how you reassure people that this is just being done for cyber security and not for some more intrusive purposes. And that turns out to be really hard to do, in part because government agencies have a bad track record. What it comes down to though is: Do your citizens trust you? And how you build that trust is the question.

SZ: Do you feel that there is adequate and effective oversight for these kinds of activities in western countries, be it the US, the UK, or Germany?

Lewis: Probably, in each case, the answer is no. For the following reason: One of the dilemmas that we have in the general discussion of cyber security is that people don't realize the close link to signals intelligence. The most sensitive kind of technical intelligence is directly related to cyber security and every one of these three nations, and also France, China, and Russia treat signals intelligence as the holiest of holies, something that you do not talk about in public. So we have to find a way to be a little more comfortable about talking on subjects that once were considered taboo. And that is the hard part. You can't understand cyber security if you don't understand signals intelligence. But of course, as soon as you say that, immediately someone stamps "top secret" on it. So now we need to find a way to be a little more open so we can reassure the public that there are oversights and controls that reduce the risk to privacy and civil liberties.

SZ: I think it is a reasonable assumption to say that these concerns are not being taken as seriously in China or in Russia as they are in the US or Europe. Does that put us in a defensive or even losing position towards these countries?

Lewis: We are at a disadvantage. That's a bigger political debate. And putting aside Russia, China is still a Leninist state, although they endorse capitalism. They don't have elections, they don't have public debates, they don't have privacy groups. The same is largely true in Russia. Authoritarian regimes have an immediate advantage. The argument has always been, in the long run democracy will win out. And I hope they will be right.

SZ: Do you think the benefits of a relatively free net outweigh the problems?

Lewis: The dilemma is a common one in statistics. You look at past experience and use that to predict the future. So in every case in the last century, democracy has managed to outwit authoritarianism. And we assume from that, because democracies were able to do it in the 20th century, they'll be able to do it again in 2012. But I don't know. Authoritarian regimes have become much more refined and nimble. This is not the Soviet Union.

SZ: One suggestion for a way to deal with that problem is that we need something like a code of conduct for states, a limitation of capabilities like the arms control treaties achieved in the case of nuclear weapons. Can that work for cyber weapons that can be developed in secret?

Lewis: People have a neuralgic reaction when you say arms control. But there is the idea of norms, something more of a proliferation model where like-minded nations agree on what the right behavior is for responsible states. That would be a useful thing. What is it that we expect states to do in cyber space? How is it we expect them to think about warfare? How do they apply the existing laws of armed conflict? These would all be positive steps because they would begin to bound the range of cyber conflict and they would reduce the risk of miscalculation and uncertainty. What I worry about: some will do something and the target will misinterpret it as an act of war and that will lead to some military conflict. If we reduce uncertainty, if we can reduce misperception, it would be more stable. It would be good to do that soon, but a recent conference in London on that subject got us off to a bad start in some ways. There is an old mythology of the internet, about how it is wonderful and free and the source of innovation. It is largely nonsense - China does not have an open and free internet but it has grown faster than any other country for thirty years in a row. Unfortunately, if people believe in nonsense, we do nonsensical things.

SZ: So what would be your suggestion?

Lewis: I think we need to take a step back and say, the mythology, the ideology that led to the creation of that technology no longer works for what has become a global infrastructure. We have to rethink it. That's true of every one of these new technologies. Think of the first people that would fly airplanes and the romanticism of flight. Now flying is anything but romantic, right? But it is safe, it's reliable. You show up, you get on a plane and you get off at the other end. And that wasn't always true in the pioneering days. Think of seafaring, where in the past, you would make up your will before going on a merchant ship. And over time, governments extended rules and standards into maritime things. Finance, if you sent your money overseas you never knew if you would see it again. Now we have a global financial system, built on rules and cooperation among companies and governments. What was appropriate for the pioneering stage is no longer right, and we need to rethink that. But we haven't gotten very far.

© SZ, 02.02.2012