西方網絡戰將轉守爲攻 West eyes Dr Strangelove tactics in cyber wars

James Clapper, the Obama administration’s director of national intelligence, is not given to slips of the tongue.

奧巴馬(Obama)政府的國家情報總監詹姆斯克拉珀(James Clapper)可沒有口誤的習慣。

On Tuesday, largely unnoticed amid his remarks on Iran and China, the US spy chief hinted at one of the Most significant debates behind the closed doors of the US security apparatus.

日前，很多人都沒有注意到，在發表有關伊朗和中國的講話時，這位美國間諜機關首腦曾就美國安全機關幕後的最重大辯論之一發出過暗示。

Cyber attacks, Mr Clapper noted, are going to get worse “until such times as we create both the substance and psychology of deterrents”.

克拉珀指出，網絡攻擊愈演愈烈的狀況，“將持續到我們建立了實質和心理的雙重威懾之際”。

Considering the vast sum the US spends on cyber capabilities — so much that many in defence circles liken it to a new Manhattan project — it is a startling admission. “The US has the most capable [cyber] offence in the world and it has zero deterrence value,” says James Lewis, senior fellow at the Center for Strategic and International Studies and project director of the Commission on Cybersecurity for the 44th Presidency.

考慮到美國用於提高網絡能力的開支數額巨大——以至於防務領域的許多人將其類比成新的曼哈頓工程，上述表態是一種令人震驚的認可。美國戰略與國際研究中心(Center for Strategic and International Studies)高級研究員、美國第44任總統網絡安全委員會(Commission on Cybersecurity)項目主任詹姆斯劉易斯(James Lewis)表示：“美國擁有全球最強大的（網絡）攻擊能力，其威懾價值卻爲零。”

“This is where the debate is moving: some people are now saying ‘maybe we need to retaliate. Maybe we need to do something back’,” says Mr Lewis. “This is a very quiet debate — it’s not very public at all, but these are the kind of discussions the [Pentagon] is having right now.”

劉易斯表示：“這場辯論目前的進展是：部分人表示‘也許我們必須報復，也許我們必須還擊’。這是一場非常安靜的辯論，根本就沒怎麼公開化。不過，這正是（五角大樓）目前正在開展的那種討論。”

“For years a lot of us have been repeating the line from Dr Strangelove that it doesn’t do anybody any good to be building a Doomsday machine if you don’t tell anyone about it.”

“多年來，我們中的許多人一直在重複《奇愛博士》(Dr. Strangelove)裏那句臺詞：如果你建造一臺末日機器(Doomsday machine)而不告訴任何人，那對所有人都毫無益處。”

The Russian device, in Stanley Kubrick’s satirical film masterpiece, is supposed to prevent nuclear war by acting as a perfect deterrent: it will automatically retaliate after a US strike. It fails because its existence is kept secret from Washington. With the exception of Stuxnet, a suspected US/Israeli cyber attack on Iran’s nuclear capability, aggressive western cyber activity has been limited.

在斯坦利錠布里克(Stanley Kubrick)這部諷刺電影名作中，那臺俄羅斯設備本來是打算作爲一種完美的威懾，起到阻止核戰爭的作用：該設備會在美國襲擊後自動採取報復行動。然而，由於它的存在性對華盛頓保密，它並未起到這種作用。相比之下，除了Stuxnet蠕蟲病毒這個例外——這種傳說中美國與以色列對伊朗核設施發動的網絡攻擊——西方攻擊性的網絡活動始終是有限的。

The need for a clearer offensive posture is in part gaining popularity as many western governments come to terms with the limits of their defensive efforts to date — and the cost of boosting them further.

當衆多西方國家政府認識到迄今他們在防務措施上的侷限性、以及加強網絡防護的成本之後，採取更明確進攻態勢的必要性在一定程度上受到了人們的歡迎。

In the US, for example, just 45 per cent of government departments are covered by the National Security Agency’s “Einstein 3” security net, which automatically blocks known malware based on the US’s huge trove of malware signatures.

比如，美國只有45%的政府部門受到了美國國家安全局(NSA)“愛因斯坦3號”(Einstein 3)安全網絡的保護。這種網絡能夠根據美國收藏的海量惡意軟件簽名，自動屏蔽已知的惡意軟件。

To boot, national security vulnerabilities extend well beyond the traditional departments of government. And efforts to encourage greater private sector cyber defence have been mixed.

此外，國家級安全漏洞的存在範圍，大大超出了傳統的政府部門。而鼓勵私營部門加強網絡安全防護措施的努力，也始終效果不一。

In the UK, for example, where intelligence and security services have blazed a trail in fostering greater co-operation with the private sector, there are still big shortcomings. One senior British cyber security official recounts having to inform a FTSE 100 business three times over the course of as many weeks about a serious breach in their systems. Eventually he gave up. “It could ruin them,” he says, “but sometimes I think that a bit of a Darwinian lesson is needed. They’re on their own now.”

以英國爲例，該國的情報和安全服務機構已經打造了一條通道，以便加強與私營部門的合作。然而，整個系統依然存在巨大短板。一位資深英國網絡安全官員詳細講述了他與一家富時100(FTSE 100)成分股企業打交道的過程。他曾不得不在多周內三次就係統中的一個嚴重漏洞通知這家企業，最終卻不得不放棄這麼做。他說：“這個漏洞可能會毀了它們。但是，有時候我感到來點達爾文式的教訓是必要的。如今，他們要自己承擔相應後果了。”

Even as organisations’ cyber walls get higher, attackers’ ladders are getting longer and their tunnels deeper.

就算是機構的網絡安全圍牆修得更高，攻擊者的雲梯也在加長，他們打的地道也在加深。

“The increasing sophistication of malware tools, the deep pockets of states using them and the proliferation of organised criminal gangs in this sector make it increasingly difficult to grasp just how serious the issues are,” says Stuart Poole-Robb, a former military intelligence official and now chief executive of the business intelligence group KCS.

原軍事情報官員、現擔任企業情報集團KCS首席執行官的斯圖亞特渠爾-羅布(Stuart Poole-Robb)表示：“惡意軟件工具越來越複雜，使用這些工具的政府財力雄厚以及有組織犯罪團伙在該領域的擴散，這讓人們越來越難以明白這個問題有多麼嚴重。”

In 2014, the average so-called “advanced persistent threat” attack lasted 205 days before being detected, according to the digital security vendor FireEye. The countries most targeted in 2015 were the US, South Korea, Japan, Canada, the UK and Germany. And few in western cyber defence circles have any hesitation in identifying the principal culprits: Russia and China, with Iran fast catching up.

數字安全供應商FireEye的數據顯示，2014年，所謂的“高級持續性威脅”普通攻擊在被發現前持續了205天。2015年最容易遭受攻擊的國家是美國、韓國、日本、加拿大、英國和德國。西方網絡防務圈的人們幾乎毫不猶豫就能指出罪魁禍首：俄羅斯和中國，伊朗也在迅速趕上。

“I would say it’s pretty brazen really. We are being hit by the Russians more or less every day,” says one Nato military cyber defence specialist.

北約(Nato)一位軍事網絡防務專家表示：“我得說，這真的相當無恥。我們每天多多少少都會遭到俄羅斯人的攻擊。”

Others are even more explicit. “We are talking about the largest loss of IP [intellectual property] in the history of the world with China,” says a senior US intelligence official.

其他人甚至講得更爲直白。一位美國高級情報官員表示：“我們正在與中國談論世界歷史上規模前所未有的知識產權損失。”

“People say that it’s not war unless territory is lost or things like that. But what you’ve got is certain actors who are very willing to exploit our dependency on the web to achieve their political objectives,” says Ewan Lawson, senior fellow at the UK’s Royal United Services Institute and former cyber warfare officer of the UK’s Joint Forces Command.

曾擔任英國聯合部隊司令部網絡戰爭軍官、現任英國皇家聯合軍種研究院(Royal United Services Institute)高級研究員的尤安勞森(Ewan Lawson)表示：“人們說，如果不是領土淪喪或者諸如此類的事情，那就不是戰爭。但你得到的是，某些參與者非常願意利用我們對網絡的依賴來實現他們的政治目的。”

“We could turn the lights off anywhere we wanted to,” says a senior British official with close knowledge of the UK’s offensive capabilities. “But we’re not about to. Part of the problem is in working out what the effects of that would be. And how an adversary would respond. Nobody wants an actual war.”

一位極爲了解英國防務能力的英國高級官員表示：“我們可以隨心所欲地關燈，但我們不會這麼做。問題的一部分在於弄清楚這樣做的後果將是什麼。對手將會如何應對。沒有人想要真正的戰爭。”

The problem is perhaps the extent to which western governments have been slow to realise the extent the cyber domain has changed the notion of warfare itself. Russia’s current military doctrine, for example, envisages future conflicts in which war is never truly declared: instead aggression moves along a sliding scale.

問題或許是，西方各國政府過於遲緩地認識到，網絡領域極大地改變了戰爭本身的概念。例如，俄羅斯當前的軍事學說設想，在未來的衝突中永遠不會真正宣戰，相反，攻擊規模會越來越小。

Russia’s aggressive actions in cyber space are all carefully designed to fall short of warranting any kind of serious military or aggressive response.

俄羅斯在網絡世界中的攻擊行爲全都是精心設計的，不會引起任何類型的重大軍事或攻擊迴應。

One of Moscow’s new favoured tactics is to arm crime syndicates with sophisticated hacking tools and malware and subcontract them to undertake operations against adversaries or to mount so-called “false flag” attacks to muddy the water around attribution, says a senior US military cyber command officer.

美國網絡司令部的一位高級軍官表示，莫斯科新近青睞的戰術之一是，爲犯罪集團提供複雜的黑客工具和惡意軟件，並讓他們打擊對手或者發起所謂的“僞旗”攻擊，故意混淆攻擊的源頭。

“The Russians and the Chinese and the Iranians are deliberately looking to avoid the tripwires in the current international system,” says Mr Lewis. “After the cold war the west defined a game of international security where oddly enough we would tend to win. Well, these guys are playing a different game altogether now.

劉易斯表示：“俄羅斯人、中國人和伊朗人刻意尋求繞開當前國際體系中的防護措施。在冷戰結束後，西方定義了國際安全遊戲——非常古怪的是，我們往往會贏得這場遊戲。哦，這些傢伙現在在玩一個完全不同的遊戲。”

“We’re lining up on the football field. And they are outside the stadium.”

“我們在球場上列隊，而他們在球館外面。”