Interview with Jason Healey

'A Fierce Domain' is the first book of its kind – a comprehensive and accessible history of cyber conflict. Since its publication several months ago, it was welcomed by a very broad readership – from students of military history to academics and policymakers worldwide. The book reaches back to the major conflicts that have brought about a new notion of cyberspace as a battlefield, where the powers-that-be constantly vie for superiority. It deconstructs some popular myths about cyber conflict and shows very clearly that the increasingly frequent cyberspace disruptions and intrusions by 'malicious actors' have gone beyond the well-known technological problems.

The book begins with a general historical analysis of cyber conflict and an explanation of why it is important for us today. It then delves into ten case studies of the most famous (or should I say 'notorious'?) cyber confrontations of the last 25 years, starting with the earliest known cyber conflict, the so-called 'Cuckoo's Egg Case' of 1986, in which the KGB paid German hackers to steal some important military data from the USA. In subsequent chapters, it covers more recent cyber attacks, including those on Estonia (2007) and Georgia (2008) and – for the first time – names their true perpetrators. Importantly, the history of cyber conflict in the book is analysed not just from the American, but also from the British and Japanese perspectives.

Says General Michael Hayden, former director of the USA National Security Agency: 'I've often complained that, while we could always use better technology or more trained people, the biggest impediment to effective cyber defence in the Unites States was our failure to settle on the 'big ideas' – those macro-thoughts of law, policy and doctrine that should guide our cyber behavior. 'A Fierce Domain' takes a giant step to meet this need by carefully – and entertainingly – laying out where we have already been on this journey. It turns out that we have a cyber history after all, a history we can now put to work to guide our thinking and our future actions.'

I met Jason Healey at the 5th International Conference on Cyber Conflict, recently held in Tallinn, Estonia, where he was promoting his book and was also one of the speakers.

Q Where did you interest in cyber issues begin?

A I grew up in Rhode Island and joined the US Air force at the age of 17. I then went to the US Air Force Academy – the air force equivalent of West Point – to become a fighter pilot. I soon realised, however, that I would never be a good pilot but could be pretty good at thinking and intelligence...

Q Why did you think you wouldn't be a good pilot?

A Oh well, you have peers and you can see what they do, so you guess that your talents lie in a different direction.

Q What happened next in your career?

A I went into signals intelligence, which means listening to the other person's communications, breaking 'their codes and trying to make'sure they don't do the same. But even at that stage I was being drawn to cyber and information warfare, and in 1998'I took my first job in the field at the Pentagon. There we were able to set up the first cyber-war-fighting unit in the world – a joint taskforce of computer network defence. That experience proved very useful in writing 'A Fierce Domain'.

Q What do you do now? Besides putting together books on cyber history...

A I run a cyber programme called 'cyber state craft initiative' at the Atlantic Council. The Atlantic Council is a Washington DC national security think-tank that focuses on solving global issues in partnership with Europe. We chose the name 'cyber state craft' because we don't get involved in cyber security as such, we are not looking at technologies. What we are looking at are traditional security, national security and international relations – the time-tested ways of solving problems. We are trying to understand how these methods help us in cyber space.

Q How technology-rooted are you?

A I have a Masters in information security and came out of signals intelligence, so that has rooted me very well. But most of my writing is not looking at the technology and at how we use technology. Rather, it is on how to use leverage from outside technology to allow us to look at problems that have been partly caused by technology.

Q Let's come back to cyber history. What sort of history are we talking about?

A In many countries, and particularly in the USA, the first reaction to cyber is that it is all new, if ever-changing. But given my own background I knew that wasn't the case. Certain issues portrayed as brand-new were actually the same things that we were discussing 15 years ago or earlier. I may not be a historian per se, but I enjoy reading history – this is how you learn, from the experience of the people that have come before you. Likewise, if you want to know about technology, you look back at what, say, Thomas Edison did, and you learn from that. So we decided that we needed to get these old cyber stories out, and we chose 1986 as the starting year.

Q You mean the year of the'so-called 'Cuckoo's Egg Case'?

A Before I come to that, let me explain. Even prior to 1986, we had signals intelligence, cyber electronic warfare, cyber crime, computer security and what not, but they hadn't come together to be an area where nations or states were really competing, the area that had dynamics of its own. And that dynamics of cyber conflict is still almost the same today. Even though the technologies have become more lethal, faster and much more interesting, you could still look at the 1986 'Cuckoo's Egg Case' and and see a lot of similarities.

Q So 1986 is when it all began?

A Yes, you can say that. I won't'go into details: it's all in the book. The essence of it was as follows. In 1986, Cliff Stroll, an astronomer-turned-sleuth working at Lawrence Berkeley National Laboratories, managed to track down some hackers trying to steal secret documents on Star Wars – Reagan's defence force, designed to shoot down Russian missiles. The US government and the FBI didn't care, so he had to investigate on his own and found out that the hackers were from Germany but were selling the information they got to the Soviet KGB. And so, you have the first cyber espionage case in the US.

What are the milestones in cyber conflict history from 1986 to 2012?

We focus on eight in the book. The first is the 'Cuckoo's Egg' – we don't consider it a wake-up call, because nothing really changed in the USA after it. The other seven were wake-up calls, when senior leadership would say: 'Oh my gosh, look at what can happen in cyber space, we'd better do something...'

Take the Morris Worm. There had been viruses before, but the Morris Worm was the first to be destructive. In 1988, there were 60,000 computers on the Internet, and the Morris Worm took down 6,000 of them. As a result, the US set up the first computer emergency response team. After that, the Pentagon saw a series of intrusions called 'Solar Sunrise', when we were building up military forces to bomb Saddam Hussein. Some of the attacks were traced back to one of the few ISPs in the world that connected to Iraq. It turned out not to be Iraq but two teenage hackers in California, with an Israeli mentor, but they scared the DOD so much.

The President was briefed that we might be at cyber war with Iraq, so he put together the joint task force for computer network defence, where I worked as a systems analyst. One of the first espionage cases we dealt with was called 'Moonlight Maze' – from what's unclassified we can see that the US tracked it back to Russia, possibly to the Russian Academy of Sciences. This was in 2001. As 'Moonlight Maze' was tapering off, you started to see more Chinese espionage. So 'Moonlight Maze' was the third wake-up call, and Chinese espionage was the fourth, because it led to a lot of the changes in the system.

The fifth wake-up call was both Estonia and Georgia. The large-scale disruptive attacks against them were at least ignored, if not encouraged, by the Russian government. Then there was 'Buckshot Yankee' – another espionage case which, according to US military, came from Russia. Finally, Stuxnet is the last case in the book where we feel that the evidence points to the US and Israel attacking Iranian targets.

From what you are saying I can see a pattern of sorts. Force breeds counterforce, The Third Law of Motion. Each of these attacks triggered a step towards consolidating cyber defence. It is particularly obvious in the case of Estonia, which is now leading the world in cyber defence...

Yes, and that's how we express it too. The last chapter of the book uses about 14 different lines of evidence to look at the Estonian attacks, the Georgian attacks and Stuxnet.

Your book is one of the few published documents I've read that tries to call a spade a spade.

Yes. We name Russia, China and the US too. We have a ten-point scale of how responsible a nation can be for a cyber attack. At level 1, if you tell the country, they stop it. At level 2, they make an effort to stop it. The US and most Western democracies are generally at level one or two. It goes all the way down to level 10, when a country is conducting the cyber attacks themselves. Stuxnet was a 10 for the US because the military did it under direct orders from the President. In the case of Estonia, it seems like it was a 3 or 4 for Russia. Clearly the Kremlin was ignoring this.

But there is no legal mechanism where you can prove it 100 percent...

That's right, but the state is morally responsible, even if they're not doing it directly. It's the same level of responsibility an African warlord has for arming guerrillas.

One of the speakers at the Conference said that we are never going to achieve complete security, and that with time the world is going to become more insecure. Would you agree with this appraisal and what's the future of cyber warfare?

I think a few of the trends are quite clear: within the last few years we've seen a lot more covert cyber wars than before. That trend is becoming much more pronounced. I also think that they will become more catastrophic. So far, no one has died from a cyber attack...

But that doesn't mean no one will die in the future.

Of course. I think the more we do things such as smart grids, embedded medical devices or the Internet of Things, the more everything gets interconnected – the more we're setting things up'

In other words, the more technologically advanced we are, the more vulnerable we become...

Correct. The problem with cyber technology is that it's easy to take it down, but very hard to keep it down once we start connecting things made of steel and concrete to the Internet. I think it will continue to get worse. I also think that we will see the private sector play a larger role in the attacks.

Technology-wise, what do you think is going to happen to cyber defence in the near future?

There will be very interesting discontinuities as things change, such as cloud computing, which might change the nature of cyber conflict, depending, of course, on whether the large cloud providers have done their security well. The resilience of a system on the whole might be affected if something happens to those large providers. We're also very interested in the Internet of Things and devices such as the smart grid and embedded medical devices, because we're starting to connect these things to the Internet and worry about the security later. I really hope that we get more engineers and scientists looking at how to make these things secure not just before they get deployed, but also afterwards. *

Additional reporting by Andrei Vitaliev

Further information

• en.wikipedia.org/wiki/Strategic_Defense_Initiative
• eandt.theiet.org/news/2013/jan/cyber-death.cfm
• eandt.theiet.org/magazine/2012/09/new-era-of-safety.cfm
• eandt.theiet.org/magazine/2009/19/estonian-technologies.cfm