How powerful are the cyber warfare capabilities of various governments

I’m going to assume the US, China, Russia, and Israel all have powerful cyberwarfare divisions. But I’ve also heard North Korea has a very powerful one too. I have no idea if they are in the same league as the world powers, but I don’t know.

Is cyber warfare like conventional warfare in the sense that there are obvious divisions (i.e., the official military of Iraq can’t and couldn’t stand up to the official military of the US; the US military destroyed them in a few weeks both times. This was the official military, though, not the insurgency that followed), or is it more like chemical weapons in the sense that after a moderate investment a third-world nation is in the same league as the US or China?

I’m not a cyberwarrior, but as a regular programmer that needs to at least have some familiarity with writing secure code, I can offer some thoughts.

  1. The difference between individual coders can be massive. One guy can write the same amount of code as ten other regular programmers, and end up with a program that runs a thousand times more efficiently and effectively than anything the ten would ever come up with. And that seems largely to be more an issue of how the individual’s brain works than anything any form of education could hope to resolve. So even if you have only one guy, if it’s the right guy, you still might beat out an opponent who has more resources than you. I assume that this is true for mathematicians as well.

  2. On the other hand, as the number of personnel grows, the law of large numbers will take over and the overall output of your team will approach the average. So, more is generally going to be better.

  3. A lot of security has nothing to do with how smart your mathematicians/programmers are. Most cybersecurity comes down to social engineering: scams, getting your people hired by the enemy, seducing them, dropping thumb drives in the parking lot around the target’s offices, etc. I’d venture that the sort of mind which is adept at coming up with these sorts of social games is, similarly, only trainable to a limited extent. Some people will just naturally kick ass at it. But, in general, the more people you have, the more people you have.

  4. Attacking requires a lot of processing power and thick network pipes. In the US, for example, the NSA can probably go to IBM and get custom hardware made which is not only using the best technology, but is also purpose-built for the sorts of tasks that the NSA needs from it. They can buy these machines in bulk. They have thick pipes out to every other country on Earth, and a lot of information passes through the US, since a lot of companies (Facebook, Twitter, Google, etc.) are here. North Korea is going to have generic, third-hand hardware, and not much of it. Their network infrastructure isn’t going to be particularly robust and (I would bet) is down part of the time. Not much information passes through the country.

  5. Even if you might never come up with some particular hack, scam, etc. if left to yourself, being aware of its existence still gives you a leg up on someone who isn’t. So, education and organizational experience do come into play. An organization which has existed longer and has had lots of members is going to have a larger toolkit to use, and more people with access to that toolkit.

  6. A lot of information that agencies get is shared from other countries. Having a lot of friendly countries in your network is going to greatly expand your information base. And since a lot of cybersecurity relies on the human element, rather than the math element, getting a lot of good intel is going to help your cyberwarriors.

  7. Nutrition, as you grow up, is going to affect how smart you are. Similarly, access to a lot of information to deal with, as you grow up, is going to affect how smart you are. A nation of people who grew up with poor nutrition and not much mental stimulus is going to have, on average, worse performing recruits than a country with better nutrition and a lot of exposure to a lot of things.

So, on the whole, bigger is better and longer established is also better.

A new, startup organization might get lucky if they have some particularly clever recruits and happen to get the right thing at the right time, but really they’re not going to have output comparable to that of a larger nation.

However…

  1. The target of a lot of countries isn’t other countries, it’s corporations (so that they can perform intellectual property theft and try to stay up-to-date on modern technologies). And so they might have a pretty good success rate since, in a battle between North Korea and Sony, NK is clearly going to have more and better security specialists.

Still, it would probably make more sense for a smaller cybersecurity force to concentrate on protecting their own, rather than attacking others. I’d venture to guess that North Korea’s group works harder on protecting their drug and arms trades than they do trying to find out what the US military is doing on any particular day.

This is still very much unexplored territory and there are no good answers on this. Part of it is because the concept of “cyber war” is still undefined. Another part is that each of the countries mentioned here is unlikely to publish its actual capabilities.

China is well known to be the world leader in cyber-espionage. The problem is that their hacking mostly has to do with stealing trade secrets and technical data. Whether they could actually damage a country’s infrastructure remains to be seen.

North Korea’s ability to inflict harm is rather dubious. They are widely credited with damaging Sony’s data a few years back, after which their entire internet went dark in an attack many believe was a reprisal from the US. Sony was, undoubtedly, a large and well-financed company but we don’t know whether that translates into an ability to do actual damage to military or civil infrastructure.

Russia has been credited with damaging the infrastructure of some of its neighbor states, but like China it is more concerned with espionage. Where and when a state crosses the line between cyber espionage into cyber warfare is still a matter of some debate. Russia has also published doctrine saying they intend to react to cyber-attacks with physical violence, which is a first as far as I know.

The US is generally believed to have a rather poor cyber warfare capability. Part of this is because its dominance in other arenas has given it the luxury of neglecting cyber-war and cyber-espionage. The US innovates, whereas China steals. Regardless, the US has deployed viruses in wartime situations against military and civilian targets, and is widely believed to be responsible for the Stuxnet attack, which was incredibly sophisticated. So in some ways, very sophisticated and in others, not so much.

But as I said before, trying to parse actual capabilities out of classified programs and deliberate disinformation is not so easy.

I think this is sort of like… “How nasty could your wife be if you got a divorce?”

You really need to get a divorce to see what will happen. Same with this; it hasn’t been “battle tested,” as they say!

Can I get cites for your estimates on the relative capabilities of China, Russia, and the US?

Heginbotham, Eric. (2015). The U.S.-China military scorecard: Forces, geography, and the evolving balance of power. http://www.rand.org/content/dam/rand/pubs/research_reports/RR300/RR392/RAND_RR392.pdf

Schmidt, Lara. (2015). Perspective on 2015 DoD Cyber Strategy. http://www.rand.org/content/dam/rand/pubs/testimonies/CT400/CT439/RAND_CT439.pdf

Shafqat, N., & Masood, A. (2016). Comparative analysis of various national cyber security strategies. International Journal of Computer Science and Information Security, 14(1), 129-136. Retrieved from http://search.proquest.com/docview/1764183576?accountid=8289

Maitra, A. K. (2015). Offensive cyber-weapons: Technical, legal, and strategic aspects. Environment Systems & Decisions, 35(1), 169-182. doi:http://dx.doi.org/10.1007/s10669-014-9520-7

Chansoria, M. (2012). Defying borders in future conflict in East Asia: Chinese capabilities in the realm of information warfare and cyber space. The Journal of East Asian Affairs, 26(1), 105-0_8. Retrieved from http://search.proquest.com/docview/1114485300?accountid=8289

Cilluffo, F. J., & Cardash, S. L. (2013). Cyber domain conflict in the 21st century. The Whitehead Journal of Diplomacy and International Relations, 14(1), 41-47. Retrieved from http://search.proquest.com/docview/1398804311?accountid=8289

Korns, S. W., & Kastenberg, J. E. (2009). Georgia’s cyber left hook. Parameters, 38(4), 60-76. Retrieved from http://search.proquest.com/docview/198032208?accountid=8289

‘Turf war’ slows new U.S. cyber rules. (2012). C4ISR, 12. Retrieved from http://search.proquest.com/docview/1021731514?accountid=8289

Helms, R., Costanza, S. E., & Johnson, N. (2012). Crouching tiger or phantom dragon? examining the discourse on global cyber-terror. Security Journal, 25(1), 57-75. doi:http://dx.doi.org/10.1057/sj.2011.6

Cobb, J., U.S.A.F. (2011). Centralized execution, decentralized chaos: How the air force is poised to lose a cyber war. Air & Space Power Journal, 25(2), 81-86. Retrieved from http://search.proquest.com/docview/918791788?accountid=8289

Agree with much of this. I’ve attended security conferences, but by no means am a cyber warrior (although I have friends who are).

There is no doubt the US has top-notch cyberwarfare capability, and they haven’t shown much of it, for political and world stability reasons.

The Chinese and Russians also are very good.

Stuxnet was a joint US-Israeli operation; how much of it each side contributed, I don’t know.

I am also skeptical about reports about North Korea; they get blamed for things that sometimes don’t make much sense. Superdollars used to be blamed on the Iranians and now are blamed on them. While there is some proof, and they have had access to them, there are also government reports from at least one European country that cast serious doubt on NK for this program. There is just as much evidence of connections to Ireland and the Middle East as to NK.

It depends on who the adversary (or adversaries) of the country is. A place like India might have a good program, but they mainly care about Pakistan, so the tools would be tailored to each country’s individual needs.

The US is really hard to judge. I see stuff like Stuxnet that implies technological sophistication, and I have little doubt there is a lot of technical talent there. The problem is at the organizational / policymaking level. For example, the US didn’t set up CYBERCOM until relatively late, as compared to their counterparts in the PLA. And there are huge problems with it… How do you integrate a fast-changing career field with a steep learning curve into an organization built on top-down hierarchy and twenty year careers? What does the career path for a cyber-warrior even look like? Where does the CYBERCOM mission begin and end?

One of my favorite cites, above, was one where a General got reprimanded for giving cyber-security advice to people, because his superiors thought it crossed the line into domestic activity, which is forbidden for the military. This is completely absurd when you are talking about a theater that has no geographic boundaries. China, meanwhile, doesn’t have these hang-ups. Industrial espionage and domestic information dominance are PLA missions. Period. That’s why I say they are better at it than we are, because they are not limited by any scruples or squabbling over what their cyber-apparatus is and is not allowed to do. China is focused like a laser on using cyber warfare and espionage to offset not just conventional military power but economic and technological inferiority as well. I don’t believe America has, or would even allow, the same kind of initiatives, and even if we did we wouldn’t publicize it.

What I can say from experience is that the US hasn’t figured out a balance. For example, they have made great strides in military network security but, as a result, cut off functionality that is desperately needed. I can’t even do my job most of the time because the SIPRnet security managers are so backlogged and overtaxed. It’s infuriating.

The UK is fairly unusual in explicitly and publicly stating that it is developing offensive cyber-warfare capabilities.

Not that other countries aren’t, of course, but we seem to be treating it as more of a deterrent against attack: “hit us and we’ll hit you right back”.