James Clapper, the Obama administration’s director of national intelligence, is not given to slips of the tongue.
奥巴马(Obama)政府的国家情报总监詹姆斯克拉珀(James Clapper)可没有口误的习惯。
On Tuesday, largely unnoticed amid his remarks on Iran and China, the US spy chief hinted at one of the most significant debates behind the closed doors of the US security apparatus.
日前,很多人都没有注意到,在发表有关伊朗和中国的讲话时,这位美国间谍机关首脑曾就美国安全机关幕后的最重大辩论之一发出过暗示。
Cyber attacks, Mr Clapper noted, are going to get worse “until such times as we create both the substance and psychology of deterrents”.
克拉珀指出,网络攻击愈演愈烈的状况,“将持续到我们建立了实质和心理的双重威慑之际”。
Considering the vast sum the US spends on cyber capabilities — so much that many in defence circles liken it to a new Manhattan project — it is a startling admission. “The US has the most capable [cyber] offence in the world and it has zero deterrence value,” says James Lewis, senior fellow at the Center for Strategic and International Studies and project director of the Commission on Cybersecurity for the 44th Presidency.
考虑到美国用于提高网络能力的开支数额巨大——以至于防务领域的许多人将其类比成新的曼哈顿工程,上述表态是一种令人震惊的认可。美国战略与国际研究中心(Center for Strategic and International Studies)高级研究员、美国第44任总统网络安全委员会(Commission on Cybersecurity)项目主任詹姆斯刘易斯(James Lewis)表示:“美国拥有全球最强大的(网络)攻击能力,其威慑价值却为零。”
“This is where the debate is moving: some people are now saying ‘maybe we need to retaliate. Maybe we need to do something back’,” says Mr Lewis. “This is a very quiet debate — it’s not very public at all, but these are the kind of discussions the [Pentagon] is having right now.”
刘易斯表示:“这场辩论目前的进展是:部分人表示‘也许我们必须报复,也许我们必须还击’。这是一场非常安静的辩论,根本就没怎么公开化。不过,这正是(五角大楼)目前正在开展的那种讨论。”
“For years a lot of us have been repeating the line from Dr Strangelove that it doesn’t do anybody any good to be building a Doomsday machine if you don’t tell anyone about it.”
“多年来,我们中的许多人一直在重复《奇爱博士》(Dr. Strangelove)里那句台词:如果你建造一台末日机器(Doomsday machine)而不告诉任何人,那对所有人都毫无益处。”
The Russian device, in Stanley Kubrick’s satirical film masterpiece, is supposed to prevent nuclear war by acting as a perfect deterrent: it will automatically retaliate after a US strike. It fails because its existence is kept secret from Washington. With the exception of Stuxnet, a suspected US/Israeli cyber attack on Iran’s nuclear capability, aggressive western cyber activity has been limited.
在斯坦利錠布里克(Stanley Kubrick)这部讽刺电影名作中,那台俄罗斯设备本来是打算作为一种完美的威慑,起到阻止核战争的作用:该设备会在美国袭击后自动采取报复行动。然而,由于它的存在性对华盛顿保密,它并未起到这种作用。相比之下,除了Stuxnet蠕虫病毒这个例外——这种传说中美国与以色列对伊朗核设施发动的网络攻击——西方攻击性的网络活动始终是有限的。
The need for a clearer offensive posture is in part gaining popularity as many western governments come to terms with the limits of their defensive efforts to date — and the cost of boosting them further.
当众多西方国家政府认识到迄今他们在防务措施上的局限性、以及加强网络防护的成本之后,采取更明确进攻态势的必要性在一定程度上受到了人们的欢迎。
In the US, for example, just 45 per cent of government departments are covered by the National Security Agency’s “Einstein 3” security net, which automatically blocks known malware based on the US’s huge trove of malware signatures.
比如,美国只有45%的政府部门受到了美国国家安全局(NSA)“爱因斯坦3号”(Einstein 3)安全网络的保护。这种网络能够根据美国收藏的海量恶意软件签名,自动屏蔽已知的恶意软件。
To boot, national security vulnerabilities extend well beyond the traditional departments of government. And efforts to encourage greater private sector cyber defence have been mixed.
此外,国家级安全漏洞的存在范围,大大超出了传统的政府部门。而鼓励私营部门加强网络安全防护措施的努力,也始终效果不一。
In the UK, for example, where intelligence and security services have blazed a trail in fostering greater co-operation with the private sector, there are still big shortcomings. One senior British cyber security official recounts having to inform a FTSE 100 business three times over the course of as many weeks about a serious breach in their systems. Eventually he gave up. “It could ruin them,” he says, “but sometimes I think that a bit of a Darwinian lesson is needed. They’re on their own now.”
以英国为例,该国的情报和安全服务机构已经打造了一条通道,以便加强与私营部门的合作。然而,整个系统依然存在巨大短板。一位资深英国网络安全官员详细讲述了他与一家富时100(FTSE 100)成分股企业打交道的过程。他曾不得不在多周内三次就系统中的一个严重漏洞通知这家企业,最终却不得不放弃这么做。他说:“这个漏洞可能会毁了它们。但是,有时候我感到来点达尔文式的教训是必要的。如今,他们要自己承担相应后果了。”
Even as organisations’ cyber walls get higher, attackers’ ladders are getting longer and their tunnels deeper.
就算是机构的网络安全围墙修得更高,攻击者的云梯也在加长,他们打的地道也在加深。
“The increasing sophistication of malware tools, the deep pockets of states using them and the proliferation of organised criminal gangs in this sector make it increasingly difficult to grasp just how serious the issues are,” says Stuart Poole-Robb, a former military intelligence official and now chief executive of the business intelligence group KCS.
原军事情报官员、现担任企业情报集团KCS首席执行官的斯图亚特渠尔-罗布(Stuart Poole-Robb)表示:“恶意软件工具越来越复杂,使用这些工具的政府财力雄厚以及有组织犯罪团伙在该领域的扩散,这让人们越来越难以明白这个问题有多么严重。”
In 2014, the average so-called “advanced persistent threat” attack lasted 205 days before being detected, according to the digital security vendor FireEye. The countries most targeted in 2015 were the US, South Korea, Japan, Canada, the UK and Germany. And few in western cyber defence circles have any hesitation in identifying the principal culprits: Russia and China, with Iran fast catching up.
数字安全供应商FireEye的数据显示,2014年,所谓的“高级持续性威胁”普通攻击在被发现前持续了205天。2015年最容易遭受攻击的国家是美国、韩国、日本、加拿大、英国和德国。西方网络防务圈的人们几乎毫不犹豫就能指出罪魁祸首:俄罗斯和中国,伊朗也在迅速赶上。
“I would say it’s pretty brazen really. We are being hit by the Russians more or less every day,” says one Nato military cyber defence specialist.
北约(Nato)一位军事网络防务专家表示:“我得说,这真的相当无耻。我们每天多多少少都会遭到俄罗斯人的攻击。”
Others are even more explicit. “We are talking about the largest loss of IP [intellectual property] in the history of the world with China,” says a senior US intelligence official.
其他人甚至讲得更为直白。一位美国高级情报官员表示:“我们正在与中国谈论世界历史上规模前所未有的知识产权损失。”
“People say that it’s not war unless territory is lost or things like that. But what you’ve got is certain actors who are very willing to exploit our dependency on the web to achieve their political objectives,” says Ewan Lawson, senior fellow at the UK’s Royal United Services Institute and former cyber warfare officer of the UK’s Joint Forces Command.
曾担任英国联合部队司令部网络战争军官、现任英国皇家联合军种研究院(Royal United Services Institute)高级研究员的尤安劳森(Ewan Lawson)表示:“人们说,如果不是领土沦丧或者诸如此类的事情,那就不是战争。但你得到的是,某些参与者非常愿意利用我们对网络的依赖来实现他们的政治目的。”
“We could turn the lights off anywhere we wanted to,” says a senior British official with close knowledge of the UK’s offensive capabilities. “But we’re not about to. Part of the problem is in working out what the effects of that would be. And how an adversary would respond. Nobody wants an actual war.”
一位极为了解英国防务能力的英国高级官员表示:“我们可以随心所欲地关灯,但我们不会这么做。问题的一部分在于弄清楚这样做的后果将是什么。对手将会如何应对。没有人想要真正的战争。”
The problem is perhaps the extent to which western governments have been slow to realise the extent the cyber domain has changed the notion of warfare itself. Russia’s current military doctrine, for example, envisages future conflicts in which war is never truly declared: instead aggression moves along a sliding scale.
问题或许是,西方各国政府过于迟缓地认识到,网络领域极大地改变了战争本身的概念。例如,俄罗斯当前的军事学说设想,在未来的冲突中永远不会真正宣战,相反,攻击规模会越来越小。
Russia’s aggressive actions in cyber space are all carefully designed to fall short of warranting any kind of serious military or aggressive response.
俄罗斯在网络世界中的攻击行为全都是精心设计的,不会引起任何类型的重大军事或攻击回应。
One of Moscow’s new favoured tactics is to arm crime syndicates with sophisticated hacking tools and malware and subcontract them to undertake operations against adversaries or to mount so-called “false flag” attacks to muddy the water around attribution, says a senior US military cyber command officer.
美国网络司令部的一位高级军官表示,莫斯科新近青睐的战术之一是,为犯罪集团提供复杂的黑客工具和恶意软件,并让他们打击对手或者发起所谓的“伪旗”攻击,故意混淆攻击的源头。
“The Russians and the Chinese and the Iranians are deliberately looking to avoid the tripwires in the current international system,” says Mr Lewis. “After the cold war the west defined a game of international security where oddly enough we would tend to win. Well, these guys are playing a different game altogether now.
刘易斯表示:“俄罗斯人、中国人和伊朗人刻意寻求绕开当前国际体系中的防护措施。在冷战结束后,西方定义了国际安全游戏——非常古怪的是,我们往往会赢得这场游戏。哦,这些家伙现在在玩一个完全不同的游戏。”
“We’re lining up on the football field. And they are outside the stadium.”
“我们在球场上列队,而他们在球馆外面。”