Cyberwarfare

Cyberwarfare raises issues of growing national interest and concern.

Cyberwarfare can be used to describe various aspects of defending and attacking information and computer networks in cyberspace, as well as denying an adversary’s ability to do the same. Some major problems encountered with cyber attacks, in particular, are the difficulty in determining the origin and nature of the attack and in assessing the damage incurred.

A number of nations are incorporating cyberwarfare as a new part of their military doctrine. Some that have discussed the subject more openly include the United Kingdom, France, Germany, Russia, and China. Many of these are developing views toward the use of cyberwarfare that differ from those of the United States, and in some cases might represent national security threats.

Cyberterrorism is also an issue of growing national interest. Many believe terrorists plan to disrupt the Internet or critical infrastructures such as transportation, communications, or banking and finance. It does seem clear that terrorists use the Internet to conduct the business of terrorism, but on closer inspection it is not clear how or whether terrorists could use violence through the Internet to achieve political objectives.

Although the U.S. government is striving to consolidate responsibility for and focus more attention on cyberwarfare issues, it is not clear how successful those efforts will be. Congress may choose to examine critically the policies, organization, and legal framework that guide executive branch decision-making on issues of cyberwarfare.

Saturday, October 17, 2009

National Cybersecurity Awareness Month

http://www.dhs.gov/files/programs/gc_1158611596104.shtm

October marks the sixth annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. The theme for National Cybersecurity Awareness Month 2009 is “Our Shared Responsibility” to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good “cyber hygiene” and to protect themselves and their families at home, at work and at school.

Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace.

It is Our Shared Responsibility to stay safe online.

How You Can Contribute to Cybersecurity Awareness

Here are a few steps that you can take to not only participate in National Cybersecurity Awareness Month, but also enhance cybersecurity 365 days a year:

Take Action - There are many things businesses, schools, and home users can do to practice cybersecurity during National Cybersecurity Awareness Month and beyond.

  • Make sure that you have anti-virus software and firewalls installed, properly configured, and up-to-date. New threats are discovered every day, and keeping your software updated is one of the easier ways to protect yourself from an attack. Set your computer to automatically update for you.
  • Update your operating system and critical program software. Software updates offer the latest protection against malicious activities. Turn on automatic updating if that feature is available.
  • Back up key files. If you have important files stored on your computer, copy them onto a removable disc and store it in a safe place.

Endorse - Demonstrate your commitment to cybersecurity.

  • Show your organization's commitment to cybersecurity and National Cybersecurity Awareness Month by signing the online endorsement form at www.staysafeonline.org.
  • Create a section for cybersecurity on your organization's Web site. Download banners at www.staysafeonline.org and post them on your organization's home page.
  • Add a signature block to your e-mail:
    "October is National Cybersecurity Awareness Month. Stay Safe Online! Visit http://www.staysafeonline.org for the latest cybersecurity tips."

Educate - Find out what more you can do to secure cyberspace and how you can share this with others.

  • Participate in the National Cyber Security Alliance Cyber Security Awareness Volunteer Education (C-SAVE) Program and help educate elementary, middle, and high-school students about Internet safety and security. For more information or to download the C-Save curriculum, visit www.staysafeonline.org/content/c-save.
  • Review cybersecurity tips with your family.
  • Print and post these cybersecurity tips near your computer and network printers.
  • Use regular communications in your business—newsletters, e-mail alerts, Web sites, etc.—to increase awareness of issues like updating software, protecting personally identifiable information, and securing your wireless network.

For more information on Awareness Month and for additional material, please visit www.us-cert.gov and www.staysafeonline.org/ncsam.

Cybersecurity Resources

The Department partners with a number of cybersecurity organizations throughout the year to educate all citizens on the importance of implementing effective cybersecurity practices. These partnerships also make National Cybersecurity Awareness Month possible by uniting public and private sector efforts to secure cyberspace. National Cybersecurity Awareness Month materials and resources can be found at the following sites:

NATIONAL CENTER FOR CRITICAL INFORMATION PROCESSING AND STORAGE

The Committee recommends $46,130,000 within Security Activities for data center development. This includes the budget request level (which includes operation and maintenance costs for the National Center for Critical Information Processing and Storage [NCCIPS] and the second data center) and an additional $22,300,000 solely to be used to support transition of Department systems to NCCIPS, to support the dual cost of operation and maintenance during the transition, and to develop a sharable common operating environment. NCCIPS is a federally owned and managed facility established to reduce Federal data center costs and to protect critical Federal information.

The Committee also includes language in the bill withholding the availability of $200,000,000 for obligation until the Department of Homeland Security submits to the Committee the report on data center transition required by Senate Report 110-84, which is to include: (1) the schedule for data transition by Department component; (2) costs required to complete the transition by fiscal year; (3) identification of items associated with the transition required to be procured and the related procurement schedule; and (4) the identification of any transition costs provided in fiscal years 2007 and 2008. The report submitted should separate these requirements and costs by data center and include fiscal year 2009 data.

Consistent with section 888 of Public Law 107-296, the Committee instructs the Department to implement the consolidation plan in a manner that shall not result in a reduction to the Coast Guard's Operations Systems Center mission or its Government-employed or contract staff levels. A general provision is included for this purpose.

HOMELAND SECURE DATA NETWORK

Included in the amount recommended by the Committee is $47,673,000, as requested in the budget, for the Homeland Secure Data Network.

ANALYSIS AND OPERATIONS

Appropriations, 2008 [1] ............ $306,000,000
Budget estimate, 2009 ............... $333,262,000
Committee recommendation [2] ........ $320,200,000

[1] Excludes a rescission of $8,700,000 pursuant to Public Law 110-161.
[2] Excludes a rescission of $2,500,000.

The account supports activities to improve the analysis and sharing of threat information, including activities of the Office of Intelligence and Analysis and the Office of Operations Coordination.

COMMITTEE RECOMMENDATIONS

The Committee recommends $320,200,000 for Analysis and Operations. This is an increase of $14,200,000 from the fiscal year 2008 level and a decrease of $13,062,000 from the budget request. The details of these recommendations are included in a classified annex accompanying this report.

DHS INTELLIGENCE EXPENDITURE PLAN

No later than 60 days after the date of enactment of this act, the Secretary shall submit a fiscal year 2009 expenditure plan for the Office of Intelligence and Analysis [I&A], including balances carried forward from prior years, that includes the following: (1) fiscal year 2009 expenditures and staffing allotted for each program, as identified in the March 2008 expenditure plan submitted to the Committee, as compared to each of years 2007 and 2008; (2) all funded versus on-board positions, including Federal full-time equivalents [FTE], contractors, and reimbursable and non-reimbursable detailees; (3) an explanation for maintaining contract staff in lieu of Government FTE; (4) a plan, including dates or timeframes for achieving key milestones, to reduce the office's reliance on contract staff in lieu of Federal FTE; (5) funding, by object classification, including a comparison to fiscal years 2007 and 2008; and (6) the number of I&A funded employees supporting organizations outside I&A and within DHS.

STATE AND LOCAL FUSION CENTERS

The Committee directs the Department's Chief Intelligence Officer to continue quarterly updates to the Committees on Appropriations that detail progress in placing DHS intelligence professionals in State and local fusion centers. These reports shall include: the qualification criteria used by DHS to decide where and how to place DHS intelligence analysts and related technology; total Federal expenditures to support each center to date and during the most recent quarter of the current fiscal year, in the same categorization as materials submitted to the Committees on Appropriations on March 23, 2007; the location of each fusion center, including identification of those with DHS personnel, both operational and planned; the schedule for operational stand-up of planned fusion centers and their locations; the number of DHS-funded employees located at each fusion center, including details on whether the employees are contract or government staff; the privacy protection policies of each center, including the number of facility personnel trained in Federal privacy, civil rights, and civil liberties laws and standards; and the number of local law enforcement agents at each center approved or pending approval to receive and review classified intelligence information.

U.S. Homeland Security 1,000 cybersecurity experts

U.S. Homeland Security wants to hire 1,000 cybersecurity experts

Dept. of Homeland Security needs experts to fill out vast network protection goals

By Michael Cooney, Network World, 10/01/2009

The Department of Homeland Security is looking to hire 1,000 cybersecurity professionals in the next three years, according to the agency’s secretary, Janet Napolitano.

The department now has the authority to recruit and hire cybersecurity professionals across DHS over the next three years in order to help fulfill its mission to protect the nation’s cyber infrastructure, systems and networks, she said.

NetworkWorld Extra: 12 changes that would give US cybersecurity a much needed kick in the pants

“This new hiring authority will enable DHS to recruit the best cyber analysts, developers and engineers in the world to serve their country by leading the nation’s defenses against cyber threats,” Napolitano stated. DHS is the focal point for the security of cyberspace -- including analysis, warning, information sharing, vulnerability reduction, mitigation, and recovery efforts for public and private critical infrastructure information systems.

The hiring authority, which results from a collaborative effort between DHS, the Office of Personnel Management and the Office of Management and Budget, lets DHS staff up to 1,000 positions over three years across all DHS agencies to fulfill critical cybersecurity roles—including cyber risk and strategic analysis; cyber incident response; vulnerability detection and assessment; intelligence and investigation; and network and systems engineering.

The need for DHS to bolster its security realm is a hot topic. A Government Accountability Office report this year said that while DHS established the National Cyber Security Division to be responsible for leading national day-to-day cybersecurity efforts, that has not enabled DHS to become the national focal point for security as envisioned.

The GAO said the Defense Department and other organizations within the intelligence community that have significant resources and capabilities have come to dominate federal efforts. The group told the GAO there also needs to be an independent cybersecurity organization that leverages and integrates the capabilities of the private sector, civilian government, law enforcement, military, intelligence community, and the nation's international allies to address incidents against the nation's critical cyber systems and functions.

The cybersecurity jobs announcement comes on the same day that the FBI warned that fraudsters are targeting social networking sites with increased frequency and that users need to take precautions.

The FBI said fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected, the FBI stated.

Meanwhile legislators are trying to encourage cooperation among universities and businesses to develop technology needed to carry out a strategic government effort to fight cyber attacks.

A US House subcommittee is recommending a bill that calls for a university-industry task force to coordinate joint cybersecurity research and development projects between business and academia. The Cybersecurity Research and Development Amendments Act of 2009 was approved recently by the House Committee on Science and Technology's Research and Science Education Subcommittee.

The legislation would set up a scholarship program that pays college bills for students who study in fields related to cybersecurity. They would also get summer internships in the federal government. In return the students would agree to work as cybersecurity professionals within the federal government for a period equal to the number of years they received scholarships. If there aren't any jobs there, they would work for state or local governments in the same capacity or teach cybersecurity courses.

Department of Homeland Security on Lookout for IT Security Pros

By: Brian Prince

The Department of Homeland Security has gotten the OK to hire as many as 1,000 new IT pros during the next three years to bolster cyber-security.

DHS Secretary Janet Napolitano made the announcement Oct. 1 during remarks tied to the start of National Cybersecurity Awareness Month. The new hiring authority is the result of a collaborative effort between DHS, the Office of Personnel Management, and the Office of Management and Budget.

"Effective cyber-security requires all partners—individuals, communities, government entities and the private sector—to work together to protect our networks and strengthen our cyber-resiliency," Napolitano said. "This new hiring authority will enable DHS to recruit the best cyber-analysts, developers and engineers in the world to serve their country by leading the nation's defenses against cyber-threats."

The list of positions to be filled covers areas such as cyber-risk and strategic analysis, cyber-incident response, and vulnerability detection and assessment.

The need to hire more security pros has been noted by others, such as in a report from the Partnership for Public Service and consulting company Booz Allen Hamilton released in July. In that report, the authors outlined a number of problems involved in recruiting and hiring cyber-security pros, as well as strategies for resolving the problems.

President Obama declared May 29 that his administration was making cyber-security a national priority. As part of that effort, the president authorized a 60-day assessment of the government's cyber-security. In addition, he announced the creation of the position of national cyber-coordinator, but it has not yet been filled.

Napolitano emphasized the importance of partnerships between the public and private sectors in protecting the country's cyber-infrastructure. DHS officials said they do not anticipate needing to fill all 1,000 slots.

"This is impressive and clearly an indication that DHS has won confidence in the White House to lead the federal government's cyber-security response," said Roger Thornton, CTO of Fortify Software.

Tuesday, September 29, 2009

The fog of (cyber) war


Cybermilitias, black hat hackers and other non-nation-state bad guys blur the lines on the virtual battlefield.

Don Tennant

Analysts and strategists gathered at the Cyber Warfare 2009 conference in London last January were grappling with some thorny problems associated with the cyberaggression threat. One that proved particularly vexing was the matter of exactly what constitutes cyberwarfare under international law. There's no global agreement on the definitions of cyberwarfare or cyberterrorism, so how does a nation conform to the rule of law if it's compelled to respond to a cyberattack?

Back in the U.S. trenches, drawing up a legal battle plan is indeed proving to be extraordinarily complex. Those definitions are especially elusive when you consider that no one can even be sure who the potential combatants are.

"There is some real work that needs to be done, not only in the U.S., but globally, to think about what is a use of force or an act of war in cyberspace," says Paul Kurtz, a partner at Good Harbor Consulting LLC in Arlington, Va., and a former senior director for critical infrastructure protection on the White House's Homeland Security Council.

The need to establish global norms about what is acceptable behavior in cyberspace, he says, is complicated by the fact that "the weapons are not just in the hands of nation-states. They're essentially in everybody's hands."

"Laws of war would forbid targeting purely civilian infrastructure," adds Steven Chabinsky, senior cyberadvisor to the director of national intelligence. "But terrorists, of course, don't limit themselves by the Geneva Conventions."
Time, effort and expertise

Further fogging up the battlefield is the fact that it's nearly impossible to identify all of the potential targets. It is possible to conduct a threat assessment, however, and there appears to be general consensus in the cyberdefense community that the biggest threat in terms of scale is presented by nation-states.

"Cyberattacks which seek to manipulate [an adversary's] critical infrastructures would take more time, effort and expertise than mere data theft," says Kenneth Geers, U.S. representative to the Cooperative Cyber Defense Centre of Excellence in Tallinn, Estonia. "But computer network defenders should understand that time, effort and expertise are resources that militaries and foreign intelligence services often have in abundance."

Analysts and former intelligence officials, including Kurtz, say that, not surprisingly, China and Russia top the list of countries with highly developed cyberwarfare capabilities. Kurtz also named Iran and North Korea as countries with known cyberwarfare aspirations.

While Chabinsky declined to be specific because of concerns about compromising intelligence-gathering methods, he affirmed that the U.S. has identified "a number of sophisticated nation-state actors who we believe have the capability to bring down portions of our critical infrastructure." Fortunately, he added, "we don't think they have the intent to do so, [since] our country would respond accordingly, and not necessarily symmetrically through cyber means."

On the other hand, Kurtz notes, governments "would have more resources at their disposal in order to disguise or bury the true source of an attack." But, he says, "It would be a grave mistake to believe that a small, well-funded cell could not inflict very serious damage on the information infrastructure supporting the U.S. and the global economy."
Resources and motive

Chabinsky notes that deterring or responding to cyberwarfare threats from other countries is more in the comfort zone of national governments. "There's a lot more to worry about should the same computer network attack capabilities exist in the hands of irrational or otherwise unrestrained criminals or terrorists," he says.

Intelligence officials and analysts agree that so far, there's little direct threat of a cyberattack by organized terrorist groups. "Nonstate actors such as al-Qaeda probably do not possess the infrastructure or expertise to attempt a cyberattack that would rival the shock value of using bullets and explosives," Geers says.

But these officials and analysts recognize that terrorist groups have the resources and motive to fund such activity by others.

Although terrorists may not be capable of attacking our critical infrastructure themselves, "it's less clear whether they could find a hired gun to do so," Chabinsky says. "Obviously, terrorist groups have the intent to harm us, are aware of the potential impact of a successful cyberattack and would find the ability to attack us from a distance quite appealing."

According to Chabinsky, some potential "hired guns" are in an extraordinarily effective position to cause trouble. That position is within the walls of corporate America.

"I think the primary cyber-risk to our critical infrastructure is from disgruntled employees who have insider knowledge and access," Chabinsky says. "Insider threats can take advantage of the most serious vulnerabilities; in fact, they can create them. Could they sell their capabilities to a terrorist group? Certainly."

Criminal element

To make matters worse, it's not only terrorist groups that are equipped to pose this sort of threat. In fact, they may not even be the most ominous nongovernmental source of potential cyberdamage.

"I would say that currently, organized criminal activity provides a more pervasive and damaging threat than organized terrorists," says Mike Theis, who until recently served as chief of cyber counterintelligence at the National Reconnaissance Office (NRO), an agency of the U.S. Department of Defense.

That could change at any time, Theis says.

While the motives of organized terrorists and organized criminals differ, their profit-generating tactics are largely the same. Terrorists use cybercrime to fund their ideology-inspired activities, and criminals do it for the sake of profit itself (see sidebar).

Theis cites the infamous Russian Business Network as an example of the cybercriminals highest on the most-wanted list, but he pointed out that it would be difficult to name any organized crime syndicate that's not heavily engaged in electronic crime.

"Traditional organized crime has now moved to cyberspace to commit, support and enhance their crimes," says Ira Winkler, founder and president of Internet Security Advisors Group. These crime syndicates are "performing intelligence and counterintelligence collection of their own to see what governments are doing to stop their efforts."

Moreover, Winkler says, drug cartels, organized crime gangs and terrorist organizations are joining forces to combat the U.S. military and law enforcement agencies. "Possibly most important is that Russian crime gangs are heavily involved with the Taliban and al-Qaeda in the distribution of the poppy crops they grow," he says. "They are interested in stopping any coalition efforts to slow down the poppy distribution."

According to Chabinsky, cybercriminals have increased the scope and sophistication of their activities beyond those of all but a few nation-states. "There's big money to be had over the Internet, and organized crime is spending a lot of time and money to enhance their tradecraft," he says. "Organized cybercrime concerns me not just because of the money being stolen, but because cybercriminals are gaining the capacity to harm our critical infrastructure and could be motivated to do so as part of an extortion scheme."
Adding to the complexity of the problem are questions about the preparedness of other countries to combat the threat.

"There is reason to consider whether some nation-states lack the ability to control organized crime within their borders, lack the resources to control criminals who victimize people and businesses outside their borders, or suffer from corruption in which government officials are complicit in lucrative criminal schemes," Chabinsky says.

Sidebar: Cyberweapons

According to former NRO official Mike Theis, terrorists and criminals pose similar threats with respect to illicit profit generation. The following are some examples of activity these groups might aim to perpetrate:

• Theft of personal information that could be used for sale to the highest bidder or on an information exchange.
• Theft of trade secrets, intellectual property or superior business processes. "It could be something as simple as your customer list, but there is usually a lot more of value than that," Theis says.
• Cyberhostage taking. If the contents of your entire hard drive were remotely encrypted by a hacker, would you pay $100 to get the decryption key? Would 10,000 people like you do the same?
• Cyberblackmailing. How much would you pay to prevent your family/customers/competitors/regulators from knowing something that was found on your computer?
• Cyberslaving. The perpetrator installs a back door or "loader" on your machine and sells it to the highest bidder. It would allow the buyer to install any type of software on that machine without being detected. "The last I heard, the average price was still about $1 per machine," Theis says. "It's not uncommon to see machines purchased in blocks of 10,000 or more in order to launch a denial-of-service attack."

"So basically," Theis says, "anything that can be done in the world of brick and mortar has some type of a cyber equivalent."
The hacker myth

Another complicating factor is that these criminal elements are anything but cohesive units with consistent objectives.

"One of the things that's very tricky about cyberspace is you can have criminal organizations easily morph with hacker organizations, and you may have a cell within that that may have a different purpose or objective than the criminal organization," Kurtz explains. "This comes down to the essence of what makes the cybertradecraft so complex. It's only a keystroke difference between getting inside someone's system and shutting it down."

Indeed, the role that hackers play on the cyberwarfare stage is widely underestimated. "I think that a big myth is that cybercrime is still about a 15-year-old kid doing Web defacements," Chabinsky says.

In truth, the hacker element is gaining influence worldwide, and that influence is being targeted by governments. In China, hacker groups have traditionally been motivated by national pride, says Carl Setzer, an associate partner at Dallas-based iSight Partners Inc., a security research firm that monitors hacking communities in China.

The government has done a good job of channeling that pride toward its own ends, even if government officials don't issue direct orders to hacker groups, Setzer says. Still, iSight Partners says it has found evidence of direct interaction between large Chinese hacker groups and the government, a relationship Setzer characterizes as "indirect control."

According to Winkler, China has a problem it has to acknowledge. "They have the Internet so filtered that even if [cybercrime] is not supported by the Chinese government, given the hold they have on their Internet connections, they can't claim clean hands," he says. "For them to say, 'We aren't noticing attack traffic' is absurd."

Plausible deniability

Of course, the Chinese government is hardly alone in its aim to manipulate the role of hackers. Theis says cyberconflicts anywhere in the world that are attributed to the efforts of "patriotic hackers" tend to be the stuff of myth. Usually, he says, they're the "well-thought-out efforts of nation-states with well-developed strategies and resources."

Although Theis has no doubt that patriotic hackers participate in cyberconflicts, he's convinced that far more is ascribed to them than real-world conditions would sensibly allow.

"To be truly effective on anything other than the smallest of scales takes strategic planning, resourcing and practiced execution to ensure activities are focused at the right place and time to be a force multiplier, and not wasted on the overkill of nonessential targets or activities," Theis says. "It seems ludicrous that countries that have stated their understanding of the importance of cyberconflict dominance and have dedicated resources to that effort would not use them in a decisive way, but [instead] would depend on patriotic hackers to just happen to get it right and just at the right time."

Still, governments have every reason to want to strain the limits of credibility, Theis says. "It's a nice myth to perpetuate if you're trying to maintain plausible deniability."
Jeremy Kirk and Sumner Lemon of the IDG News Service contributed to this story.

Cyber Warfare’s threat to Critical National Infrastructure

Cyber Warfare
Written By Jeffrey Bernstein
Published April 2009 in MIS-ASIA

Recently, news concerning the ongoing security compromise of the North American power grid via various breaches of computing infrastructure was distributed throughout news and media outlets worldwide. While not a new problem by any means, the issue warrants attention from the international public, commercial and government sector audiences. The electronic computing environments that make up a country’s infrastructure are often taken for granted. However, a disruption to only a single live production computer system can create cascading consequences across multiple sectors. For example, a computer breach that disrupts the distribution of electrical power across a region could lead to the forced shutdown of networked communications and controls within the transportation sector. Air traffic, road traffic and rail transportation might become affected as a direct result. By extension, subsequent disruption of emergency services would also occur.

Recent highly publicised cyber attacks on the republics of Estonia, Lithuania and Georgia are representative of the growing problem at hand. Because each country has a unique environment, cyber attacks will yield varying consequences from nation to nation. Georgia, for instance, was a relative latecomer to adopt Internet technologies. Because of this, the country’s population of fewer than five million saw little effect beyond service denial to many of its government Web sites. Cyber attacks have far less impact on a country such as Georgia than they might on more Internet-dependent places such as Taiwan, South Korea, Singapore or the United States, where vital services including government, transportation, power and banking depend on the Internet.

These increasingly frequent, sophisticated and targeted international cyber incidents involving denial of service, espionage, propaganda and information theft are driving governments to develop effective tactical and strategic cyber-warfare capabilities. While government military forces have traditionally been better equipped for warfare involving guns, tanks and missiles, almost all now recognise the need to adopt strategies to support success in this new electronic theatre of operations. Most countries, of course, deny that their cyber capabilities are involved with any of the higher-profile international cyber security events that we read about in the press almost daily. Regardless of the truth in these denials, the anonymous nature of the Internet provides plausible deniability for attack sources.

Mission statement

In the Americas, the current mission statement of the United States Air Force is to ‘Fly, Fight and Win...in Air, Space and Cyberspace’. Similarly, in Eastern Asia, the People’s Liberation Army (PLA) reportedly continues to mature its integrated network electronic warfare and space/counter-space capabilities. China and the US are only two of the countries included in the rapidly expanding list of nations now racing to assemble arsenals of cyber-weaponry. In fact, it is well-documented and commonly accepted by the international security community that more than 140 countries are actively developing cyber-espionage and warfare capabilities. The common thinking for all is to facilitate increased superiority over an adversary. When it comes to the modern-day battleground, ‘bits and bytes’ now accompany the ‘bullets and bombs’ that have historically powered warfare. As multinational cyber arsenals continue to mature, international concerns over operational cyber ‘espionage’ and ‘warfare’ grow. Perhaps most vulnerable to attack are the critical infrastructure and key resources that operate within any particular country. Critical infrastructure resources support the crucial services that generally serve as the supporting foundation for any society.

Cyber security protection

With the majority of global vital infrastructure operated by the commercial sectors, the issue of cyber security protection is weighing heavily on both industry and government. For example, in the US, 80 per cent of critical infrastructure is owned and operated by the commercial sectors. Some critical infrastructure elements are so essential that their destruction, disruption or exploitation could have a debilitating impact on a country’s national security or economic well-being. While critical infrastructure categorisation varies from country to country, it usually includes some combination of the following sectors from industry and government:

• Government services
• Law enforcement, fire and emergency response
• Banking and financial services
• Transportation
• Power including electricity, oil and gas
• Public works including water and drainage
• Internet, media and telecommunications
• Agriculture and food supply
• Health

Many countries also categorise prominent public places, national monuments and high-profile events as critical infrastructure.

Power and utility sectors

One specific area of concern is in the power and utility sectors, where Supervisory Control and Data Acquisition (SCADA) industrial control systems monitor, coordinate and control processes. Within the enterprise, information technology systems typically have a lifecycle of five years or less, allowing for enhancements designed to mitigate the latest known security threats. By comparison, many mission critical SCADA control systems have been in production for 15 years and sometimes longer. Unfortunately, many of these systems were originally architected with little to no concern for security. Because of this, Internet-exposed SCADA-based systems and the organisations that operate them remain highly vulnerable to Internet-borne threats. A recent article from the North America-based Council on Foreign Relations quoted a well-known economist as having estimated that a shutdown of electrical power to any sizeable region for more than 10 days would stop more than 70 per cent of all economic activity in that region.

Given the costs involved to finance a traditional military attack, is it any surprise that cyber-warfare strategies are gaining attention? Perhaps the most distinctive aspect of cyber-warfare is its ability to be launched from anywhere in the world. Computers that are physically located in foreign countries may also be compromised and used as a launch platform for attack, making identification of any initial attack source extremely difficult. Cyber-attacks are inexpensive, easy to deliver and leave few fingerprints. Therefore, they will continue to remain a component of modern-day warfare. While countries around the world are in the process of integrating offensive and defensive cyber capabilities into their overall military strategies, the responsibility to protect high-value critical infrastructure targets will remain a significant challenge. Because of this, government and industry need to collaborate to develop protection strategies that carefully consider how a cyber war or attack could affect society and world economies.

Battlespace

Downside to the "Twitter Revolution"

Dissent
Volume 56, Number 4, Fall 2009
Among the unpleasant surprises that awaited Barack Obama's administration during the post-election turmoil in Iran, the unexpected role of the Internet must have been most rankling. A few government wonks might have expected Iranians to rebel, but who could predict they would do so using Silicon Valley's favorite toys? Team Obama, never shy to tout its mastery of all things digital, was caught off guard and, at least for a moment or two, appeared ill-informed about the heady developments in Iranian cyberspace. Speaking a few days after the protests began, Secretary of State Hillary Clinton confessed that she wouldn't know "a Twitter from a tweeter, but apparently, it's very important"—referring to Twitter, a popular mix between a blogging service and a social network that enables its users to exchange brief messages of up to 140 characters in length.
http://muse.jhu.edu/login?uri=/journals/dissent/v056/56.4.morozov.pdf

GLOSSARY OF INFORMATION WARFARE TERMS

GLOSSARY

AES
Advanced Encryption Standard. The United States encryption standard that replaced the older and weaker DES standard.

AFCA
Air Force Communications Agency

AFCERT
Air Force Computer Emergency Response Team

AFIWC
Air Force Information Warfare Center

AHFID
Allied High Frequency Interoperability Directory.

AIA
Air Intelligence Agency at Kelly Air Force Base.

AIS
Automated Information Systems.

ATM
Asynchronous Transfer Mode.

C2
Command and Control: Command and control functions are performed through an arrangement of personnel, equipment, communications, facilities, and procedures employed by a commander in planning, directing, coordinating, and controlling forces and operations in the accomplishment of a mission.

C2W
Command-and-control warfare. The integrated use of operations security, military deception, psychological operations, electronic warfare, and physical destruction, mutually supported by intelligence, to deny information to, influence, degrade, or destroy adversary command and control capabilities, while protecting friendly command and control capabilities against such actions. Command systems, rather than commanders, are the chief target, as in Persian Gulf War.

C3I
Command, control, communications and intelligence.

C4
Command, Control, Communications, and computers.

C4I
Command, Control, Communications, Computers, and Intelligence

C4ISR
Command, control, communications, computers, intelligence, surveillance, and reconnaissance.

CARNIVORE
An FBI system to monitor email and other traffic through Internet service providers.

CCIPS
Computer Crime and Intellectual Property Section (US Department of Justice)

CNA
Computer Network Attack: Operations, via the datastream, to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.

CNE
Collateral Nature of Effects: Collateral effects are unintentional or incidental direct or indirect effects causing injury or damage to persons or objects.

COMSEC
Communications Security.

COMINT
Communications intelligence

Copernicus
The code-name under which the Navy plans to reformulate its command and control structures in response to the realization that information is a weapon. Through Copernicus warfighters will get the information that they need to make tactical decisions. The architecture of Copernicus was designed by Vice Admiral Jerry O. Tuttle.

Cracking
Illegally gaining entry to a computer or computer network in order to do harm.

CSCI
Commercial Satellite Communications Initiative.

C-SIGINT
Counter-signals intelligence


Cyberspace
The global network of interconnected computers and communication systems.

Cyberwar
A synonym for information warfare.

DARPA
Defense Advanced Research Project Agency

Data driven attack
A form of attack that is encoded in innocuous seeming data which is executed by a user or other software to implement an attack. In the case of firewalls, a data driven attack is a concern since it may get through the firewall in data form and launch an attack against a system behind the firewall.

DBK
Dominant battlefield knowledge.

Defense information infrastructure
The worldwide shared or interconnected system of computers, communications, data, applications, security, people, training, and other support structures serving a nation's military's information needs.

DES
Data Encryption Standard. The formerly popular algorithm for encrypting data. Now replaced by AES.

DIA
Defense Intelligence Agency

DII
See: Defense Information Infrastructure


DII COE
Defense Information Infrastructure Common Operating Environment

DISA
Defense Information Security Administration. Military organization charged with responsibility to provide information systems support to fighting units.

DISC4
Army, Director of Information Systems for Command, Control, Communications, and Computers

DISN
Defense Information System Network

DNS
Domain Name Service

DNS spoofing
Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

DoD
Department of Defense.

DoS
Denial of Service. An electronic attack whose purpose is to prohibit an opponent the use of a program or an entire system.

Dumpster diving
Accessing an opponent's information by examining the contents of garbage pails and recycling bins.

ECCM
Electronic Counter-Countermeasures. The use of any active or passive means to defeat hostile ECM.

ECHELON
A multinational surveillance network, centered at Sugar Grove, WV, that intercepts all forms of electronic communications.

van Eck monitoring
Monitoring the activity of a computer or other electronic equipment by detecting low levels of electromagnetic emissions from the device. Named after Dr. Wim van Eck who published on the topic in 1985.

ECM
Electronic Countermeasures. The use of any active or passive system to elude, degrade or confuse hostile sensor/scanner suites and communications traffic.


EKMS
Electronic Key Management System.

ELINT
Electronic intelligence.

EMI
Electromagnetic interference.

EMP
Electromagnetic pulse. A pulse of electromagnetic energy capable of disrupting computers, computer networks, and many forms of telecommunication equipment.

EMP/T Bomb
A device to destroy electronic networks that is similar to a HERF Gun but many times more powerful.

EMSEC
Emissions Security.

EPS
Electronic Protection System.

ETAPWG
DOD Information Assurance Education, Training, Awareness and Professionalization Working Group.

EW
Electronic warfare.

Firewall
A system or combination of systems that enforces a boundary between two or more networks, i.e., an electronic gate that limits access between networks in accordance with local security policy.

FISMA
The Federal Information Security Management Act.

GCCS
Global Command and Control System.

GCSS
Global Combat Support System.

Global information environment
A military term for cyberspace.

Hacker
A person who either breaks into systems for which they have no authorization or intentionally oversteps their bounds on systems for which they do have legitimate access, i.e., an unauthorized individual who attempts to penetrate information systems; to browse, steal, or modify data; deny access or service to others; or cause damage or harm in some other way.

An alternative definition provided by a hacker in a white hat . . . a programmer who is an expert in computer security and administration. Hackers have excellent problem solving skills, and use them to get into computer systems with ease. True 'hackers' do not damage the information they find, for the only reason that they 'hack' into systems is for the challenge and 'thrill' they get from it. After 'hacking' into systems, they usually either tell the administrator, or do the security fix themselves and leave. Hackers are not limited to computer security and software, though. Hackers can also be people who modify or 'mod' computer hardware.

HERF
High Energy Radio Frequency. As in HERF gun: a device that can disrupt the normal operation of digital equipment such as computers and navigational equipment by directing HERF emissions at them.

IASE
Information Assurance Support Environment.

IBW
Intelligence-based warfare.

IEW
Intelligence and electronic warfare

IPMO
INFOSEC Program Management Office.

Information Warfare
Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy, an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries (Dr. Ivan Goldberg's definition)

INFOSEC
Information Security: Protection of classified information that is stored on computers or transmitted by radio, telephone, teletype, or any other means.

ISSO
NSA Information Systems Security Organization.

IW/C2W
Information warfare/command and control warfare.

J6
Joint Staff, Director for Command, Control, Communications, and Computers.

JC2WC
Joint Command and Control Warfare Center.

JMIC
Joint Military Intelligence College . . . located at Bolling Air Force Base close to Washington DC.

Logic bomb
Unauthorized computer code, sometimes delivered by email, which, when executed, checks for particular conditions or particular states of the system which, when satisfied, triggers the perpetration of an unauthorized, usually destructive, act.

NACIC
National Counterintelligence Center.

NAIC
National Air Intelligence Center.

NIMA
National Imagery and Mapping Agency.

NIPC
National Infrastructure Protection Center.

NRO
National Reconnaissance Office.

NSA
National Security Agency. This agency is charged with the tasks of exploiting foreign electromagnetic signals and protecting the electronic information critical to U. S. national security.

OOTW
Operations other than war.

OSINT
Open Source Intelligence: Information of potential intelligence value that is available to the general public.

OSTP
Office of Science and Technology Policy.

PCCIP
President's Commission on Critical Infrastructure Protection.

PCIPB
President’s Critical Infrastructure Protection Board

Phreaking
"Hacking" the public phone network.

PKI
Public Key Infrastructure.

PSTN
Public Switched Telecommunications Networks.

Psychological operations
Planned psychological activities in peace and war directed to enemy, friendly, and neutral audiences in order to influence attitudes and behavior affecting the achievement of political and military objectives. They include strategic psychological activities, consolidation psychological operations and battlefield psychological activities.

PSYOPS
See: Psychological operations.

REC
Radio-electronic combat.

RMA
Revolution in Military Affairs. The realization by the military that information, and information technologies must be considered as a weapon in achieving national objectives via military activity.

SIGINT
The interception and analysis of electromagnetic signals. Also, Intelligence recovered from intercepted and decoded transmissions.

Spoofing
Assuming the identity of another as in sending email under someone else's name.

TEMPEST
Military code-name for activities related to van Eck monitoring, and technology to defend against such monitoring.

Trojan horse
A seemingly harmless computer virus that turns out to be extremely destructive.

TST
Time-Sensitive Target: A target which requires immediate response because it poses (or will soon pose) a clear and present danger to friendly forces or is a highly lucrative, fleeting target of opportunity.

USSID
United States Signal Intelligence Directive

Virus
A self-replicating program that is hidden in another piece of computer code, such as an email.

Worm
A self-replicating destructive program that stands alone and spreads itself through computer networks.

Thursday, July 16, 2009

Federal Web sites knocked out by cyber attack

Federal Web sites knocked out by cyber attack
By LOLITA C. BALDOR, Associated Press Writer

WASHINGTON (AP) -- A widespread and unusually resilient computer attack that began July 4 knocked out the Web sites of several government agencies, including some that are responsible for fighting cyber crime, The Associated Press has learned.

The Treasury Department, Secret Service, Federal Trade Commission and Transportation Department Web sites were all down at varying points over the holiday weekend and into this week, according to officials inside and outside the government. Some of the sites were still experiencing problems Tuesday evening. Cyber attacks on South Korea government and private sites also may be linked, officials there said.

U.S. officials refused to publicly discuss details of the cyber attack. But Amy Kudwa, spokeswoman for the Homeland Security Department, said the agency's U.S. Computer Emergency Readiness Team issued a notice to federal departments and other partner organizations about the problems and "advised them of steps to take to help mitigate against such attacks."

The U.S., she said, sees attacks on its networks every day, and measures have been put in place to minimize the impact on federal Web sites.

It was not clear whether other federal government sites also were attacked.

Others familiar with the U.S. outage, which is called a denial of service attack, said that the fact that the government Web sites were still being affected three days after it began signaled an unusually lengthy and sophisticated attack. The officials spoke on condition of anonymity because they were not authorized to speak on the matter.

Web sites of major South Korean government agencies, banks and Internet sites also were paralyzed in a suspected cyber attack Tuesday. An initial investigation found that many personal computers were infected with a virus ordering them to visit major official Web sites in South Korea and the U.S. at the same time, Korea Information Security Agency official Shin Hwa-su said.

The South Korean sites included the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank, Korea Exchange Bank and top Internet portal Naver. They went down or had access problems since late Tuesday, said Ahn Jeong-eun, a spokeswoman at the Korea Information Security Agency.

Kudwa had no comment on the South Korean attacks.

Two government officials acknowledged that the Treasury and Secret Service sites were brought down, and said the agencies were working with their Internet service provider to resolve the problem.

Ben Rushlo, director of Internet technologies at Keynote Systems, called it a "massive outage" and said problems with the Transportation Department site began Saturday and continued until Monday, while the FTC site was down Sunday and Monday.

Keynote Systems is a mobile and Web site monitoring company based in San Mateo, Calif. The company publishes data detailing outages on Web sites, including 40 government sites it watches.

According to Rushlo, the Transportation Web site was "100 percent down" for two days, so that no Internet users could get through to it. The FTC site, meanwhile, started to come back online late Sunday, but even on Tuesday Internet users still were unable to get to the site 70 percent of the time.

"This is very strange. You don't see this," he said. "Having something 100 percent down for a 24-hour-plus period is a pretty significant event."

He added that, "The fact that it lasted for so long and that it was so significant in its ability to bring the site down says something about the site's ability to fend off (an attack) or about the severity of the attack."

Denial of service attacks against Web sites are not uncommon, and are usually caused when sites are deluged with Internet traffic so as to effectively take them off-line. Mounting such an attack can be relatively easy using widely available hacking programs, and they can be made far more serious if hackers infect and use thousands of computers tied together into "botnets."

For instance, last summer, in the weeks leading up to the war between Russia and Georgia, Georgian government and corporate Web sites began to see "denial of service" attacks. The Kremlin denied involvement, but a group of independent Western computer experts traced domain names and Web site registration data to conclude that the Russian security and military intelligence agencies were involved.

Documenting cyber attacks against government sites is difficult, and depends heavily on how agencies characterize an incident and how successful or damaging it is.

Government officials routinely say their computers are probed millions of times a day, with many of those being scans that don't trigger any problems. In a June report, the congressional Government Accountability Office said federal agencies reported more than 16,000 threats or incidents last year, roughly three times the amount in 2007. Most of those involved unauthorized access to the system, violations of computer use policies or investigations into potentially harmful incidents.

The Homeland Security Department, meanwhile, says there were 5,499 known breaches of U.S. government computers in 2008, up from 3,928 the previous year, and just 2,172 in 2006.

Electricity Grid in U.S. Penetrated By Spies

Electricity Grid in U.S. Penetrated By Spies (Updated)

Spies from China and other countries have hacked into a U.S. power grid. Experts fear a future cyber scare. From the Wall Street Journal:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

The espionage appeared pervasive across the U.S. and doesn’t target a particular company or region, said a former Department of Homeland Security official. “There are intrusions, and they are growing,” the former official said, referring to electrical systems. “There were a lot last year.”

This is not the first accusation of cyber-spying this year. From Telegraph:

The US government is however convinced China is endeavouring to overtake the US as the dominant force in cyberspace. Researchers at the University of Toronto recently revealed the presence of GhostNet, a global cyber-spy network run from China that has infiltrated 103 countries and infected dozens of computers every month.

The ten-month investigation by the Munk Centre for International Studies in Toronto started as an investigation into interference with computers on computers belonging to the Dalai Lama, the exiled Tibetan leader, and his supporters. It found that the Chinese had in many cases successfully searched computers, tapped into emails and turned on web cameras and microphones to record conversations within range.

Update: China has denied any role in the power grid hack. From Wall Street Journal:

“The intrusion doesn’t exist at all,” Chinese Foreign Ministry spokeswoman Jiang Yu said at a regular press conference. “We hope that the concerned media will prudently deal with some groundless remarks, especially those concerning accusations against China.”

“I have also noticed that the U.S. White House had denied the media reports,” she said.

A report in the state-run China Daily cited Chinese experts who rejected the so-called “China threat” theory and tied it to the financial crisis.

Cyber-Scare: President Obama called cyber-security

JULY/AUGUST 2009
Cyber-Scare
The exaggerated fears over digital warfare by Evgeny Morozov
The age of cyber-warfare has arrived. That, at any rate, is the message we are now hearing from a broad range of journalists, policy analysts, and government officials. Introducing a comprehensive White House report on cyber-security released at the end of May, President Obama called cyber-security “one of the most serious economic and national security challenges we face as a nation.” His words echo a flurry of gloomy think-tank reports. The Defense Science Board, a federal advisory group, recently warned that “cyber-warfare is here to stay,” and that it will “encompass not only military attacks but also civilian commercial systems.” And “Securing Cyberspace for the 44th President,” prepared by the Center for Strategic and International Studies, suggests that cyber-security is as great a concern as “weapons of mass destruction or global jihad.”

Unfortunately, these reports are usually richer in vivid metaphor—with fears of “digital Pearl Harbors” and “cyber-Katrinas”—than in factual foundation.

Consider a frequently quoted CIA claim about using the Internet to cause widespread power outages. It derives from a public presentation by a senior CIA cyber-security analyst in early 2008. Here is what he said:

We have information, from multiple regions outside the United States, of cyber-intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber-attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.

So “there is information” that cyber-attacks “have been used.” When? Why? By whom? And have the attacks caused any power outages? The CIA may have some classified information, but very little that is unclassified suggests that such cyber-intrusions have occurred.

Or consider an April 2009 Wall Street Journal article entitled “Electricity Grid in U.S. Penetrated By Spies.” The article quotes no attributable sources for its starkest claims about cyber-spying, names no utility companies as victims of intrusions, and mentions just one real cyber-attack, which occurred in Australia in 2000 and was conducted by a disgruntled employee rather than an external hacker.

It is alarming that so many people have accepted the White House’s assertions about cyber-security as a key national security problem without demanding further evidence. Have we learned nothing from the WMD debacle? The administration’s claims could lead to policies with serious, long-term, troubling consequences for network openness and personal privacy.

Cyber-security fears have had, it should be said, one unambiguous effect: they have fueled a growing cyber-security market, which, according to some projections, will grow twice as fast as the rest of the IT industry. Boeing, Raytheon, and Lockheed Martin, among others, have formed new business units to tap increased spending to protect U.S. government computers from cyber-attacks. Moreover, many former government officials have made smooth transitions from national cyber-security policy to the lucrative worlds of consulting and punditry. Speaking at a recent conference in Washington, D.C., Amit Yoran—a former cyber-security czar in the Bush administration and currently the C.E.O. of NetWitness, a cyber-security start-up—has called hacking a national security threat, adding that “cyber-9/11 has happened over the last ten years, but it’s happened slowly, so we don’t see it.” One way for the government to protect itself from this cyber-9/11 may be to purchase NetWitness’s numerous software applications, aimed at addressing both “state and non-state sponsored cyber threats.”

From a national security perspective, cyber-attacks matter in two ways. First, because the back-end infrastructure underlying our economy (national and global) is now digitized, it is subject to new risks. Fifty years ago it would have been hard—perhaps impossible, short of nuclear attack—to destroy a significant chunk of the U.S. economy in a matter of seconds; today all it takes is figuring out a way to briefly disable the computer systems that run Visa, MasterCard, and American Express. Fortunately, such massive disruption is unlikely to happen anytime soon. Of course there is already plenty of petty cyber-crime, some of it involving stolen credit card numbers. Much of it, however, is due to low cyber-security awareness by end-users (you and me), rather than banks or credit card companies.

Second, a great deal of internal government communication flows across computer networks, and hostile and not-so-hostile parties are understandably interested in what is being said. Moreover, data that are just sitting on one’s computer are fair game, too, as long as the computer has a network connection or a USB port. Despite the “cyber” prefix, however, the basic risks are strikingly similar to those of the analog age. Espionage has been around for centuries, and there is very little we can do to protect ourselves beyond using stronger encryption techniques and exercising more caution in our choices of passwords and Wi-Fi connections.

To be sure, there is a war-related caveat here: if the military relies on its own email system or other internal electronic communications, it is essential to preserve this capability in wartime. Once more, however, the concern is not entirely novel; when radio was the primary means of communication, radio-jamming was also a serious military concern; worries about radio go back as far as the Russo-Japanese War of 1904-1905.

Before accepting the demands of government agencies for new and increased powers, we should look more closely at well-defined dangers.

The ultimate doomsday scenario—think Live Free or Die Hard—could involve a simultaneous attack on economic e-infrastructure and e-communications: imagine al Qaeda disabling banks, destroying financial data, disrupting networks, and driving the American economy back to the nineteenth century. This certainly sounds scary—almost as scary as raptors in Central Park or a giant asteroid heading toward the White House. The latter two are not, however, being presented as “national security risks” yet.

There are certainly genuine security concerns associated with the Internet. But before accepting the demands of government agencies for new and increased powers to fight threats in cyberspace and prepare for cyber-warfare, we should look more closely at well-defined dangers and ask just where existing technological means and legal norms fall short. Because the technologies are changing so quickly, we cannot expect definitive answers. But cyber-skeptics—who argue that cyber-warfare is still more of an urban legend than a credible hazard—appear to be onto something important.

One kind of cyber-security problem grows out of resource scarcity. A network has only so much bandwidth; a server can serve only so much data at one time. So if you want to disable (or simply slow down) the computer backbone of a national economy, for example, you need to figure out how to reach its upper limit.

It would be relatively easy to protect against this problem if you could cut your computer or network off from the rest of the world. But as the majority of governmental and commercial services have moved online, we expect them to be offered anywhere; Americans still want to access their online banking accounts at Chase even if they are travelling in Africa or Asia. What this means in practice is that institutions typically cannot shut off access to their online services based on nationality of the user or the origin of the computer (and in the case of news or entertainment sites, they do not want to: greater access means more advertising income).

Together, these limitations create an opportunity for attackers. Since no one, not even the U.S. government, has infinite computer resources, any network is potentially at risk.

Taking advantage of this resource scarcity could be an effective way of causing trouble for sites one does not like. The simplest—and also the least effective—way of doing this is to visit the URL and hit the “reload” button on your browser as often (and for as long) as you can. Congratulations: you have just participated in the most basic kind of “denial-of-service” (DoS) attack, which aims to deny or delay the delivery of online services to legitimate users. These days, however, it would be very hard to find a site that would suffer any noticeable damage from such a nuisance; what is missing from your cyber-guerilla campaign is scale.

Now multiply your efforts by a million—distribute your attacks among millions of other computers—and this could be enough to cause headaches to the administrators of many Web sites. These types of attacks are known as “distributed denial-of-service” or DDoS attacks. Administrators may be able to increase their traffic and bandwidth estimates and allocate more resources. Otherwise they have to live with this harassment, which may disable their Web site for long periods.

DDoS attacks work, then, by making heavier-than-normal demands on the underlying infrastructure, and they usually cause inconvenience rather than serious harm. Not sure how to do it yourself? No problem: you can buy a DDoS attack on the black market. Try eBay.
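The difference the essay draws between one person hammering "reload" and a million machines doing it is visible in a web server's own access log, and that is where a defender first notices it. The following added example (not from the original essay or any project it mentions) groups requests into fixed time windows, compares each window's load against an assumed server capacity, and distinguishes a single noisy source, which a per-IP block would cure, from a distributed flood where no single source stands out. The log layout, the capacity and per-source thresholds, and the sample log lines are all constructed assumptions for illustration.

```python
"""Classify request floods in web-server access logs (added illustrative example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed layout: Apache/nginx "common" format (IP, ident, user, [timestamp], "request", status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def analyze(lines, window_seconds=10, capacity_rps=5, per_ip_limit=20):
    """Bucket requests into fixed windows and judge each window against capacity.

    capacity_rps: requests per second the server can comfortably serve (assumption).
    per_ip_limit: requests per window above which one source counts as abusive (assumption).
    """
    buckets = defaultdict(Counter)  # window start (epoch seconds) -> Counter of source IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than crash the detector
        ip, ts = parsed
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[start][ip] += 1

    capacity = capacity_rps * window_seconds
    results = []
    for start in sorted(buckets):
        sources = buckets[start]
        total = sum(sources.values())
        top_ip, top_count = sources.most_common(1)[0]
        if total <= capacity:
            verdict = "normal"
        elif top_count > per_ip_limit and total - top_count <= capacity:
            # Removing the one noisy source brings load back under capacity:
            # the "reload button" case, fixable with a per-IP block.
            verdict = "single-source flood"
        else:
            # Load exceeds capacity but no single source stands out, so blocking
            # individual addresses does not help: the distributed (DDoS) pattern.
            verdict = "distributed flood"
        results.append({
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "requests": total,
            "distinct_sources": len(sources),
            "top_source": top_ip,
            "top_source_requests": top_count,
            "verdict": verdict,
        })
    return results


def make_line(ip, ts, path="/index.html"):
    """Build one constructed log line in the layout LOG_RE expects."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def sample_log():
    """Constructed sample: a normal window, a single-source flood, then a distributed flood."""
    t0 = datetime(2009, 10, 17, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Window 1: 10 requests spread over 5 ordinary visitors.
    for i in range(10):
        lines.append(make_line(f"192.0.2.{i % 5 + 1}", t0 + timedelta(seconds=i)))
    # Window 2: one source hitting "reload" 80 times, plus a few ordinary visitors.
    t1 = t0 + timedelta(seconds=10)
    for i in range(80):
        lines.append(make_line("198.51.100.7", t1 + timedelta(seconds=i % 10)))
    for i in range(5):
        lines.append(make_line(f"192.0.2.{i + 1}", t1 + timedelta(seconds=i)))
    # Window 3: 100 distinct sources, one request each; none is individually abusive.
    t2 = t0 + timedelta(seconds=20)
    for i in range(100):
        lines.append(make_line(f"203.0.113.{i + 1}", t2 + timedelta(seconds=i % 10)))
    lines.append("garbage line that does not parse")  # exercises the skip path
    return lines


if __name__ == "__main__":
    for row in analyze(sample_log()):
        print(row)
```

Run as-is, the three windows come back as normal, single-source flood and distributed flood. The second window is handled by dropping the top source; the third is the case the essay describes, where the attacker's only real addition is scale, and the defender's only options are more capacity or filtering upstream of the server.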

In fact, your own computer may well be participating in a DDoS attack right now. You may, for example, have inadvertently downloaded a trojan—a hard-to-detect, tiny piece of software—that has allowed someone else to take control of your machine, without obvious effect on your computer’s speed or operations. Some computer experts put the upper limit of infected computers as high as a quarter of all computers connected to the Internet.

Because a single computer is inconsequential, the infected computers form “botnets”—nets of robots—that can receive directions from a command-and-control center—usually just another computer on the network with the power to give commands. What makes the latest generation of botnets hard to defeat is that every infected computer can assume the role of the command-and-control center: old-fashioned methods of decapitation do not work against such dispersed command-and-control. Moreover, botnets are strategic: when network administrators try to block the attacks, botnets can shift to unprotected prey. Commercial cyber-security firms are trying to keep up with the changing threats; thus far, however, the botnets are staying at least one step ahead.

DDoS threats have been far more commercial than political. The driving force has been cyber-gangs (many of them based in the former Soviet Union and Southeast Asia) which are in the extortion business. They find a profitable Internet business that cannot afford downtime and threaten to take down its Web site(s) with DDoS attacks. The online gambling industry—by some estimates, a $15-billion-a-year business—is a particularly appealing target because it is illegal in the United States: it cannot seek protection and take advantage of robust U.S. communications infrastructure. Thus, administrators of popular gambling sites commonly receive threats of DDoS attacks and demands for $40,000-$60,000 to “protect” the sites from attacks during peak betting periods (say, before big sporting events such as the Super Bowl). Many legitimate businesses fall victim to cyber-extortion, too. Since it is better to dole out a little cash to stop future attacks than to deal with the PR fallout—and possible drop in stock prices—that usually follows cyber-attacks, cyber-crime is underreported and underprosecuted.


Another commercial opportunity for cyber-gangs is the creation of a large army of for-hire botnets, with extremely powerful attack capabilities. It is currently quite straightforward to rent the destructive services of a botnet ($1000/day is a going rate). The point was made forcefully by a controversial recent experiment: a group of BBC reporters purchased the services of a botnet 22,000 infected computers strong from a vendor of cyber-crime services and used it to attack the site of a cyber-security company.

The commercial availability of DDoS-attack capability has generated excitement about political applications. The risks to online freedom of expression may be considerable: saying anything controversial may trigger a wave of cyber-attacks that your adversaries can purchase easily. These attacks are financially burdensome and politically disabling for the victim. Getting your server back online is usually the least of your problems. Your Web hosting company may kick you off its servers because the cost of dealing with the damage caused by cyber-attacks usually outweighs the monetary gains of hosting controversial groups, from political bloggers to LGBT groups to exiled media from countries such as Burma (just to mention some recent victims of DDoS attacks). Protection from DDoS is available, but usually too expensive for nonprofits.

An alternative to expensive DDoS protection is a kind of distributed defense network. Imagine an idealized world in which every computer has the latest anti-virus update and where users do not open suspicious attachments or visit dubious Web sites. Cyber-gangs would then be left to their own devices—to attacking with computers they own—and the security issues would be considerably diminished. This perfect world is impossible to achieve, but the right policies could get us pretty close. One option is to go “macro”—to ensure that all critical national infrastructure is prioritized and protected, with extremely flexible resource allocation for the key assets (part of the job of a cyber-czar). This, however, would do little to curb the DDoS market. Indeed, it might embolden the attackers to ratchet up their capabilities. An alternative is to go “micro”—ensure that people who are responsible for the creation of this market in DDoS attacks in the first place (i.e., you and me) are knowledgeable (or at least literate) in cyber-security matters and do not surf with their antivirus protection turned off. This latter solution could eliminate the problem at root: if all computers were secure and computer users careful, botnets would significantly shrink in size. This, however, is a big “if,” and most skepticism over whether the federal government is well-placed to educate about these threats is justified.

The security threats from DDoS attacks pale in comparison with the potential consequences of another kind of online insecurity, one more likely to be associated with terrorists than criminals and potentially more consequential politically: data breaches or network security compromises (I say “potential” because very few analysts with access to intelligence information agree to speak on the record). After all, with DDoS, attackers simply slow down everyone’s access to data that are, in most cases, already public (some data are occasionally destroyed). With data breaches, in contrast, attackers can gain access to private and classified data, and with network security compromises, they might also obtain full control of high-value services like civil-aviation communication systems or nuclear reactors.

Data breaches and network security compromises also create far more exciting popular narratives: the media frenzy that followed the detection of China-based GhostNet—a large cyber-spying operation that spanned more than 1250 computers in 103 countries, many of them belonging to governments, militaries, and international organizations—is illustrative. Much like botnets, cyber-spying operations such as GhostNet rely on inadvertently downloaded trojans to obtain full control over the infected computer. In GhostNet’s case, hackers even gained the ability to turn on computers’ camera and audio-recording functions for the purposes of remote surveillance, though we have no evidence that attackers used this function.

In fact, what may be most remarkable about GhostNet is what did not happen. No computers belonging to the U.S. or U.K. governments—both deeply concerned about cyber-security—were affected; one NATO computer was affected, but had no classified information on it. It might be unnerving that the computers in the foreign ministries of Brunei, Barbados, and Bhutan were compromised, but the cyber-security standards and procedures of those countries probably are not at the global cutting edge. With some assistance on upgrades, they could be made much more secure.

In part, then, the solution to cyber-insecurity is simple: if you have a lot of classified information on a computer and do not want to become part of another GhostNet-like operation, do not connect it to the Internet. This is by far the safest way to preserve the integrity of your data. Of course, it may be impossible to keep your computer disconnected from all networks. And by connecting to virtually any network—no matter how secure—you relinquish sole control over your computer. In most cases, however, this is a tolerable risk: on average, you are better off connected, and you can guard certain portions of a network, while leaving others exposed. This is Network Security 101, and high-value networks are built by very smart IT experts. Moreover, most really sensitive networks are designed in ways that prevent third-party visitors—even if they manage somehow to penetrate the system—from doing much damage. For example, hackers who invade the email system of a nuclear reactor will not be able to blow up nuclear facilities with a mouse click. Data and security breaches vary in degree, but such subtlety is usually lost on decision-makers and journalists alike.

Hype aside, what we do know is that there are countless attacks on the government computers in virtually every major Western country, many of them for the purpose of espionage and intelligence gathering; data have been lost, compromised, and altered. The United States may have been affected the most: the State Department estimates that it has lost “terabytes” of data to cyber-attacks, while Pentagon press releases suggest that it is under virtually constant cyber-siege. Dangerous as they are, these are still disturbing incidents of data loss rather than seriously breached data or compromised networks. Breakthroughs in encryption techniques have also made data more secure than ever. As for the data loss, the best strategy is to follow some obvious rules: be careful, and avoid trafficking data in open spaces. (Don’t put important data anywhere on the Internet, and don’t leave laptops with classified information in hotel rooms.)


Although there is a continuous spectrum of attacks, running from classified memos to nuclear buttons, we have seen no evidence that access to the latter is very likely or even possible. Vigilance is vital, but exaggeration and blind acceptance of speculative assertions are not.

So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armageddon draw attention, even if they are relatively short on facts.

Politicians, too, deserve some blame, as they are usually quick to draw parallels between cyber-terrorism and conventional terrorism—often for geopolitical convenience—while glossing over the vast differences that make military metaphors inappropriate. In particular, cyber-terrorism is anonymous, decentralized, and even more detached than ordinary terrorism from physical locations. Cyber-terrorists do not need to hide in caves or failed states; “cyber-squads” typically reside in multiple geographic locations, which tend to be urban and well-connected to the global communications grid. Some might still argue that state sponsorship (or mere toleration) of cyber-terrorism could be treated as casus belli, but we are yet to see a significant instance of cyber-terrorists colluding with governments. All of this makes talk of large-scale retaliation impractical, if not irresponsible, but also understandable if one is trying to attract attention.

Much of the cyber-security problem, then, seems to be exaggerated: the economy is not about to be brought down, data and networks can be secured, and terrorists do not have the upper hand. But what about genuine cyber-warfare? The cyber-attacks on Estonia in April-May 2007 (triggered by squabbling between Tallinn and Moscow over the relocation of a Soviet-era monument) and the cyber-dimension of the August 2008 war between Russia and Georgia have reignited older debates about how cyber-attacks could be used by and against governments.

The Estonian case is notable for the duration of the attacks—the country was under “DDoS-terror” for almost a month, with much of its crucial national infrastructure (including online banking) temporarily unavailable. The local media and some Estonian politicians were quick to blame the attacks on Russia, but no conclusive evidence emerged to prove this. The Georgian case—widely discussed as the first major instance of cyber-attacks (primarily DDoS) accompanying conventional warfare—has barely lived up to its hype. Many Georgian government Web sites were, in fact, targets of severe DDoS attacks. So was at least one bank. Yet, the broader strategic importance of such attacks within the Russian military operation is not clear at all, nor did Russia acknowledge responsibility for the attacks.

Although the attacks on Estonia and Georgia are often grouped together—perhaps because of the tentative Russian involvement in both—they are also very different. One important difference is in the degree of technological sophistication of the two countries. Attacking the Internet in Estonia, which made Internet access a basic human right in 2000, is like attacking the banks in Liechtenstein: the country’s economy, politics, and even some emergency services are pegged to it so tightly that being offline is a national calamity.

Georgia, on the other hand, is a technological laggard. When Georgia’s major government Web sites became inaccessible during the war, the Foreign Ministry was slow in finding a temporary home on a blog. The lapse may have gone largely unnoticed: 2006 Internet statistics gathered by the United Nations show that Georgia had about seven Internet users per one hundred population compared to 55 in Estonia and 70 in the United States. The Georgian case also highlights the danger of drawing too many strategic lessons from cyber-attacks. After all, one common cause of lost Internet access is a power outage, and power outages are common during wartime regardless of cyber-attacks.

Moreover, both Georgia and Estonia are in a sense “cyber-locked,” with limited points of connection (even in Estonia) to the external Internet. This limited connectivity and the two countries’ dependence on physical infrastructure heighten their vulnerability. Less cyber-locked nations do not face the same risk. As Scott Pinzon, former Information Security Analyst with WatchGuard Technologies, told me, “If Georgia or Estonia were enmeshed into the Internet as thoroughly as, say, the State of California, the cyber-attacks against them would have been reduced to the level of nuisance.” The smartest way to guard against future attacks may, then, be to build robust infrastructure—laying extra cables, creating more Internet exchange points (where Internet service providers share data), providing incentives for new Internet service providers, and attracting more players to sell connectivity in places that now have limited infrastructure. The United States has actually done quite a bit of this already, so the Estonian experience may have little to teach Americans. While it might benefit Estonia and some other countries to invest heavily in upgrades, the United States may be able to forgo dramatic and costly changes in favor of regular maintenance and incremental improvements.

Quite apart from the technological issues of cyber-warfare, there is the question of what even constitutes cyber-war. How do existing legal categories apply in this new setting?


For largely geopolitical reasons, Estonia initially called the cyber-attacks a cyber-war, a move that now seems ill-considered (on a recent trip to Estonia, I noticed that Estonian officials had replaced the term “cyber-war” with the more neutral “cyber-attacks”). The militarization of cyberspace that inevitably comes with any talk of war is disturbing, for there is no evidence yet to link the current generation of cyber-attacks to warfare, at least not in the legal sense of the term. However, the attacks on Estonia and Georgia did each pose an intriguing legal question, and neither has yet been answered definitively. First, do cyber-attacks constitute a “use of armed force” as understood by international law (the Estonian case)? Second, what kind of cyber-attacks are allowed under the laws of war once the conflict has already begun (the Georgian case)?

The first question is the trickiest. Commenting on the attacks, the Estonian defense minister said “such sabotage cannot be treated as hooliganism, but has to be treated as an attack against the state.” But did the cyber-attacks constitute the beginning of an armed conflict, as understood by the Geneva Conventions or Article 51 of the United Nations Charter? If the cyber-attacks constituted an armed attack, Estonia’s NATO allies should have followed Article 5 of the North Atlantic Treaty, which treats an attack against one member state as an attack against all and calls for collective defense. NATO only sent a team of experts to assess the damage. Using the metrics of conventional conflicts to assess the severity of these attacks is not easy. How intense and severe must the damage be in order for the cyber-attacks to qualify as armed attacks? Does damage in cyberspace qualify, even in the absence of offline damage? Is inconvenience to Internet users enough? What about the duration of the attacks?

However such questions are answered, the aggrieved party would still have to prove that a cyber-attack was state-sponsored, and it is unclear how one makes this argument in a legally convincing fashion. Are states only responsible for actions they directly control? Are they also responsible for all cyber-activity in their territory? And how far does that responsibility extend? At least one computer with an IP address belonging to the Russian government was identified as part of a botnet used in the Estonian attacks, but it is hard to build a case for Russian government responsibility on that IP address alone, since there were thousands of other participating computers.

If state involvement cannot be proven beyond doubt, cyber-attacks should be treated as crimes and dealt with under national and, in some cases, international criminal law. But there are difficulties on this front as well. For example, unlike Estonia and many other countries, Russia has never signed the Council of Europe Convention on Cybercrime, which is the first international treaty seeking to harmonize national laws and facilitate cross-border cooperation among states on issues of cyber-crime. This makes it impossible to hold Russia to the standards envisioned in the Convention, and international law also provides few mechanisms for punishment.

The second question—what kinds of attacks would be allowed under the law of armed conflict?—presents another theoretical challenge, though for now at least, existing legal standards may suffice to address the issues.

Common sense dictates that the severity and targets of such attacks should be guided by international law, particularly the Geneva Conventions and associated protocols. Broadly speaking, current norms state that the conduct of war must meet three fundamental standards: belligerents must distinguish military from civilian objects when selecting targets; balance military necessity with humanitarian concern (the choice of weapons is not unlimited and must be made with the avoidance of unnecessary suffering in mind); and shun the use of force that is disproportionate, in the sense that it shows insufficient attention to the unnecessary suffering that might result. These principles have proved very hard, but not impossible, to interpret in conventional conflict; applying them to cyberspace is not an insurmountable challenge.

The careful application of these three principles to the conduct of war could explain why militaries might shy away from cyber-attacks. First, it is hard to predict the consequences of such attacks; cyber-attacks typically lack surgical precision and are notorious for side effects—a virus planted in a military network could easily spread to civilian computers, causing much unanticipated collateral damage.

Second, precisely targeted cyber-attacks could be a more humane way of conducting warfare. Instead of bombing a military train depot, with collateral civilian deaths, one can temporarily disable it by hacking into its dispatch system. However, the rules of war also stipulate that once a belligerent has used a more humane weapon, it ought to use that weapon in similar situations—and who would voluntarily abandon tanks in favor of computers only?

Third, most cyber-attacks are hard to justify in strategic terms and therefore would open associated personnel to prosecution for war crimes. For example, if there is little to be gained from attacking a poorly maintained Web site of the Georgian parliament, Russia could not justify an attack on it in military terms. If it went ahead with such an attack, its commanders would risk prosecution for a disproportionate use of force.

The Internet does create one complexity worth considering in the context of applying existing laws of war: civilians on both sides can now participate in hostilities remotely. At the height of the war with Georgia, Russian blogs were full of detailed instructions on how to enlist in the cyber-war effort. Currently, humans are of little value in this process: a conventional botnet attack is more damaging. Yet, it is possible that human-powered botnets—or “meatbots”—could soon play a more serious role. Would participants then be liable for war crimes for their actions as civilians, who, unlike combatants, do not enjoy immunity under the law of war for their participation in hostilities? Would such civilian actions fall under the category of “direct participation in hostilities,” outlined in Commentary to Additional Protocol I to the Geneva Conventions (“Direct participation in hostilities implies a direct causal relationship between the activity engaged in and the harm done to the enemy at the time and the place where the activity takes place”)? We may need a special clarification of this concept for cyberspace, but other metrics—the damage caused, the targets chosen, and so forth—could still apply.


The legal options are also complicated in the case of classical rather than meatbot-powered DDoS attacks because there are often at least five parties to it: attackers, computer users whose machines are enlisted by the attackers, target Internet sites, software vendors responsible for the exploited security vulnerabilities, and various Internet service providers who deliver the attack traffic. These parties have different degrees of responsibility, and some of them are liable for negligence, itself a murky legal area.

Putting these complexities aside and focusing just on states, it is important to bear in mind that the cyber-attacks on Estonia and especially Georgia did little damage, particularly when compared to the physical destruction caused by angry mobs in the former and troops in the latter. One argument about the Georgian case is that cyber-attacks played a strategic role by thwarting Georgia’s ability to communicate with the rest of the world and present its case to the international community. This argument both overestimates the Georgian government’s reliance on the Internet and underestimates how much international PR—particularly during wartime—is done by lobbyists and publicity firms based in Washington, Brussels, and London. There is, probably, an argument to be made about the vast psychological effects of cyber-attacks—particularly those that disrupt ordinary economic life. But there is a line between causing inconvenience and causing human suffering, and cyber-attacks have not crossed it yet.

The usefulness of cyber-attacks as a military tool is also contested. Some experts are justifiably skeptical about the arrival of a new age of cyber-war. Marcus J. Ranum, Chief Security Officer of Tenable Network Security, argues that it is pointless for superpowers to develop cyber-war capabilities to attack non-superpowers, as they can crush them in more conventional ways. As for non-superpowers, their use of cyber-capabilities would almost certainly result in what Ranum calls “the Blind Mike Tyson” effect: the superpower would retaliate with offline weaponry (“blind me, I nuke you”). If Ranum is right, we should forget about the prospect of all-out cyber-war until we have technologically advanced superpowers that are hostile to each other. Focusing on cyber-crime, cyber-terrorism, and cyber-espionage may help us address the more pertinent threats in a more rational manner.

In the meantime, those truly concerned about the future of the Internet, global security, and e-Katrinas would be advised to watch a recent South Park episode, in which the Internet suddenly disappears and hordes of obsessed families head to the Internet Refugee Camp in California, where they are allowed to browse their favorite Web sites for 40 seconds a day, while the military fights the no-longer-blinking giant Internet router. Finally, a nine-year-old boy plugs the router back in, and its magic green light returns. This would make a sensible strategy for many governments, which are all too eager to adopt militaristic postures instead of focusing on making their own Internet infrastructures more robust.