Tuesday, September 29, 2009
The fog of (cyber) war
Cybermilitias, black hat hackers and other non-nation-state bad guys blur the lines on the
virtual battlefield.
Don Tennant
Analysts and strategists gathered at the Cyber Warfare 2009 conference in London last
January were grappling with some thorny problems associated with the cyberaggression
threat. One that proved particularly vexing was the matter of exactly what constitutes
cyberwarfare under international law. There's no global agreement on the definitions of
cyberwarfare or cyberterrorism, so how does a nation conform to the rule of law if it's
compelled to respond to a cyberattack?
Back in the U.S. trenches, drawing up a legal battle plan is indeed proving to be
extraordinarily complex. Those definitions are especially elusive when you consider that
no one can even be sure who the potential combatants are.
"There is some real work that needs to be done, not only in the U.S., but globally, to think
about what is a use of force or an act of war in cyberspace," says Paul Kurtz, a partner at
Good Harbor Consulting LLC in Arlington, Va., and a former senior director for critical
infrastructure protection on the White House's Homeland Security Council.
The need to establish global norms about what is acceptable behavior in cyberspace, he
says, is complicated by the fact that "the weapons are not just in the hands of nationstates.
They're essentially in everybody's hands."
Steven Chabinsky
"Laws of war would forbid targeting purely civilian infrastructure," adds Steven
Chabinsky, senior cyberadvisor to the director of national intelligence. "But terrorists, of
course, don't limit themselves by the Geneva Conventions."
Time, effort and expertise
Further fogging up the battlefield is the fact that it's nearly impossible to identify all of
the potential targets. It is possible to conduct a threat assessment, however, and there
appears to be general consensus in the cyberdefense community that the biggest threat in
terms of scale is presented by nation-states.
"Cyberattacks which seek to manipulate [an adversary's] critical infrastructures would
take more time, effort and expertise than mere data theft," says Kenneth Geers, U.S.
representative to the Cooperative Cyber Defense Centre of Excellence in Tallinn,
Estonia. "But computer network defenders should understand that time, effort and
expertise are resources that militaries and foreign intelligence services often have in
abundance."
Analysts and former intelligence officials, including Kurtz, say that, not surprisingly,
China and Russia top the list of countries with highly developed cyberwarfare
capabilities. Kurtz also named Iran and North Korea as countries with known
cyberwarfare aspirations.
While Chabinsky declined to be specific because of concerns about compromising
intelligence-gathering methods, he affirmed that the U.S. has identified "a number of
sophisticated nation-state actors who we believe have the capability to bring down
portions of our critical infrastructure." Fortunately, he added, "we don't think they have
the intent to do so, [since] our country would respond accordingly, and not necessarily
symmetrically through cyber means."
On the other hand, Kurtz notes, governments "would have more resources at their
disposal in order to disguise or bury the true source of an attack." But, he says, "It would
be a grave mistake to believe that a small, well-funded cell could not inflict very serious
damage on the information infrastructure supporting the U.S. and the global economy."
Resources and motive
Chabinsky notes that deterring or responding to cyberwarfare threats from other countries
is more in the comfort zone of national governments. "There's a lot more to worry about
should the same computer network attack capabilities exist in the hands of irrational or
otherwise unrestrained criminals or terrorists," he says.
Intelligence officials and analysts agree that so far, there's little direct threat of a
cyberattack by organized terrorist groups. "Nonstate actors such as al-Qaeda probably do
not possess the infrastructure or expertise to attempt a cyberattack that would rival the
shock value of using bullets and explosives," Geers says.
But these officials and analysts recognize that terrorist groups have the resources and
motive to fund such activity by others.
Although terrorists may not be capable of attacking our critical infrastructure themselves,
"it's less clear whether they could find a hired gun to do so," Chabinsky says. "Obviously,
terrorist groups have the intent to harm us, are aware of the potential impact of a
successful cyberattack and would find the ability to attack us from a distance quite
appealing."
According to Chabinsky, some potential "hired guns" are in an extraordinarily effective
position to cause trouble. That position is within the walls of corporate America.
"I think the primary cyber-risk to our critical infrastructure is from disgruntled employees
who have insider knowledge and access," Chabinsky says. "Insider threats can take
advantage of the most serious vulnerabilities; in fact, they can create them. Could they
sell their capabilities to a terrorist group? Certainly."
Criminal element
To make matters worse, it's not only terrorist groups that are equipped to pose this sort of
threat. In fact, they may not even be the most ominous nongovernmental source of
potential cyberdamage.
Mike Theis
"I would say that currently, organized criminal activity provides a more pervasive and
damaging threat than organized terrorists," says Mike Theis, who until recently served as
chief of cyber counterintelligence at the National Reconnaissance Office (NRO), an
agency of the U.S. Department of Defense.
That could change at any time, Theis says.
While the motives of organized terrorists and organized criminals differ, their profitgenerating
tactics are largely the same. Terrorists use cybercrime to fund their ideologyinspired
activities, and criminals do it for the sake of profit itself (see sidebar, next page).
Theis cites the infamous Russian Business Network as an example of the cybercriminals
highest on the most-wanted list, but he pointed out that it would be difficult to name any
organized crime syndicate that's not heavily engaged in electronic crime.
"Traditional organized crime has now moved to cyberspace to commit, support and
enhance their crimes," says Ira Winkler, founder and president of Internet Security
Advisors Group. These crime syndicates are "performing intelligence and
counterintelligence collection of their own to see what governments are doing to stop
their efforts."
Moreover, Winkler says, drug cartels, organized crime gangs and terrorist organizations
are joining forces to combat the U.S. military and law enforcement agencies. "Possibly
most important is that Russian crime gangs are heavily involved with the Taliban and al-
Qaeda in the distribution of the poppy crops they grow," he says. "They are interested in
stopping any coalition efforts to slow down the poppy distribution."
According to Chabinsky, cybercriminals have increased the scope and sophistication of
their activities beyond those of all but a few nation-states. "There's big money to be had
over the Internet, and organized crime is spending a lot of time and money to enhance
their tradecraft," he says. "Organized cybercrime concerns me not just because of the
money being stolen, but because cybercriminals are gaining the capacity to harm our
critical infrastructure and could be motivated to do so as part of an extortion scheme."
Adding to the complexity of the problem are questions about the preparedness of other
countries to combat the threat.
Cyberweapons
According to former NRO official Mike Theis, terrorists and criminals pose similar
threats with respect to illicit profit generation. The following are some examples of
activity these groups might aim to perpetrate:
• Theft of personal information that could be used for sale to the highest bidder or
on an information exchange.
• Theft of trade secrets, intellectual property or superior business processes. "It
could be something as simple as your customer list, but there is usually a lot more
of value than that," Theis says.
• Cyberhostage taking. If the contents of your entire hard drive were remotely
encrypted by a hacker, would you pay $100 to get the decryption key? Would
10,000 people like you do the same?
• Cyberblackmailing. How much would you pay to prevent your
family/customers/competitors/regulators from knowing something that was found
on your computer?
• Cyberslaving. The perpetrator installs a back door or "loader" on your machine
and sells it to the highest bidder. It would allow the buyer to install any type of
software on that machine without being detected. "The last I heard, the average
price was still about $1 per machine," Theis says. "It's not uncommon to see
machines purchased in blocks of 10,000 or more in order to launch a denial-ofservice
attack."
"So basically," Theis says, "anything that can be done in the world of brick and mortar
has some type of a cyber equivalent."
"There is reason to consider whether some nation-states lack the ability to control
organized crime within their borders, lack the resources to control criminals who
victimize people and businesses outside their borders, or suffer from corruption in which
government officials are complicit in lucrative criminal schemes," Chabinsky says.
The hacker myth
Another complicating factor is that these criminal elements are anything but cohesive
units with consistent objectives.
"One of the things that's very tricky about cyberspace is you can have criminal
organizations easily morph with hacker organizations, and you may have a cell within
that that may have a different purpose or objective than the criminal organization," Kurtz
explains. "This comes down to the essence of what makes the cybertradecraft so
complex. It's only a keystroke difference between getting inside someone's system and
shutting it down."
Indeed, the role that hackers play on the cyberwarfare stage is widely underestimated. "I
think that a big myth is that cybercrime is still about a 15-year-old kid doing Web
defacements," Chabinsky says.
In truth, the hacker element is gaining influence worldwide, and that influence is being
targeted by governments. In China, hacker groups have traditionally been motivated by
national pride, says Carl Setzer, an associate partner at Dallas-based iSight Partners Inc.,
a security research firm that monitors hacking communities in China .
The government has done a good job of channeling that pride toward its own ends, even
if government officials don't issue direct orders to hacker groups, Setzer says. Still, iSight
Partners says it has found evidence of direct interaction between large Chinese hacker
groups and the government, a relationship Setzer characterizes as "indirect control."
According to Winkler, China has a problem it has to acknowledge. "They have the
Internet so filtered that even if [cybercrime] is not supported by the Chinese government,
given the hold they have on their Internet connections, they can't claim clean hands," he
says. "For them to say, 'We aren't noticing attack traffic' is absurd."
Plausible deniability
Of course, the Chinese government is hardly alone in its aim to manipulate the role of
hackers. Theis says cyberconflicts anywhere in the world that are attributed to the efforts
of "patriotic hackers" tend to be the stuff of myth. Usually, he says, they're the "wellthought-
out efforts of nation-states with well-developed strategies and resources."
Although Theis has no doubt that patriotic hackers participate in cyberconflicts, he's
convinced that far more is ascribed to them than real-world conditions would sensibly
allow.
"To be truly effective on anything other than the smallest of scales takes strategic
planning, resourcing and practiced execution to ensure activities are focused at the right
place and time to be a force multiplier, and not wasted on the overkill of nonessential
targets or activities," Theis says. "It seems ludicrous that countries that have stated their
understanding of the importance of cyberconflict dominance and have dedicated
resources to that effort would not use them in a decisive way, but [instead] would depend
on patriotic hackers to just happen to get it right and just at the right time."
Still, governments have every reason to want to strain the limits of credibility, Theis says.
"It's a nice myth to perpetuate if you're trying to maintain plausible deniability."
Jeremy Kirk and Sumner Lemon of the IDG News Service contributed to this story.
Next: A short history of hacks, worms and cyberterror
Related Links
• Internet Warfare: Are we focusing on the wrong things?
• The fog of (cyber) war
• A short history of hacks, worms and cyberterror
• Software: The eternal battlefield in the unending cyberwars
• The grid: The new ground zero in Internet warfare
• Russia's cyber blockade of Georgia worked. Could it happen here?
• Cyberwar's first casualty: your privacy
• The Internet is down. What does that really mean?
Cyber Warfare’s threat to Critical National Infrastructure
Cyber Warfare
Written By Jeffrey Bernstein
Published April 2009 in MIS-ASIA Recently, news concerning the ongoing security compromise of the North American power grid via various breaches of computing infrastructure was distributed throughout news and media outlets worldwide. While not a new problem by any means, the issue warrants attention from the international public, commercial and government sector audiences. The electronic computing environments that make up a country’s infrastructure are often taken for granted. However, a disruption to only a single live production computer system can create cascading consequences across multiple sectors. For example, a computer breach that disrupts the distribution of electrical power across a region could lead to the forced shutdown of networked communications and controls within the transportation sector. Air traffic, road traffic and rail transportation might become affected as a direct result. By extension, subsequent disruption of emergency services would also occur. Recent highly publicised cyber attacks on the republics of Estonia, Lithuania and Georgia are representative of the growing problem at hand. Because each country has a unique environment, cyber attacks will yield varying consequences from nation to nation. Georgia, for instance, was a relative latecomer to adopt Internet technologies. Because of this, the country’s population of fewer than five million saw little effect beyond service denial to many of its government Web sites. Cyber attacks have far less impact on a country such as Georgia than they might on more Internet-dependent places such as Taiwan, South Korea, Singapore or the United States where vital services including government, transportation, power and banking depend on the Internet. These increasingly frequent, sophisticated and targeted international cyber incidents involving denial of service, espionage, propaganda and information theft are driving governments to develop effective tactical and strategic cyber-warfare capabilities. While government military forces have been traditionally more equipped for warfare involving guns, tanks and missiles, almost all now recognise the need to adopt strategies to support success in this new electronic theatre of operations. Most countries, of course, deny that their cyber capabilities are involved with any of the higher-profile international cyber security events that we read about in the press almost daily. Regardless of the truth in these denials, the anonymous nature of the Internet provides plausible deniability for attack sources. Mission statement In the Americas, the current mission statement of the United States Air Force is to ‘Fly, Fight and Win...in Air, Space and Cyberspace’. Similarly, in Eastern Asia, The People’s Liberation Army (PLA) reportedly continues to mature its integrated network electronic warfare and space/counter-space capabilities. China and the US are only two of the countries included in the rapidly expanding list of nations now racing to assemble arsenals of cyber-weaponry. In fact, it is well-documented and commonly accepted by the international security community that more than 140 countries are actively
developing cyber-espionage and warfare capabilities. The common thinking for all is to facilitate increased superiority over an adversary. When it comes to the modern-day battleground, ‘bits and bytes’ now accompany the ‘bullets and bombs’ that have historically powered warfare. As multinational cyber arsenals continue to mature, international concerns over operational cyber ‘espionage’ and ‘warfare’ grow. Perhaps most vulnerable to attack are the critical infrastructure and key resources that operate within any particular country. Critical infrastructure resources support the crucial services that generally serve as the supporting foundation for any society. Cyber security protection With the majority of global vital infrastructure operated by the commercial sectors, the issue of cyber security protection is weighing heavily on both industry and government. For example, in the US, 80 per cent of critical infrastructure is owned and operated by the commercial sectors. Some critical infrastructure elements are so essential that their destruction, disruption or exploitation could have a debilitating impact on a country’s national security or economic well-being. While critical infrastructure categorisation varies from country to country, it usually includes some combination of the following sectors from industry and government; • Government services • Law enforcement, fire and emergency response • Banking and financial services • Transportation • Power including electricity, oil and gas • Public works including water and drainage • Internet, media and telecommunications • Agriculture and food supply • Health Many countries also categorise prominent public places, national monuments and high-profile events as critical infrastructure. Power and utility sectors One specific area of concern is in the power and utility sectors where Supervisory Control and Data Acquisition (SCADA) industrial control systems monitor, coordinate and control process. Within the enterprise, information technology systems typically have a lifecycle of five years or less allowing for enhancements designed to mitigate the latest known security threats. By comparison, many mission critical SCADA control systems have been in production for 15 years and sometimes longer. Unfortunately, many of these systems were originally architected with little to no concern for security. Because of this, Internet-exposed SCADA-based systems and the organisations that operate them remain highly vulnerable to Internet-borne threat. A recent article from the North America-based Council on Foreign Relations quoted a well-known economist as having estimated that a shutdown of electrical power to any sizeable region for more than 10 days would stop more than 70 per cent of all economic activity in that region. Given the
costs involved to finance a traditional military attack, is it any surprise that cyber-warfare strategies are gaining attention? Perhaps the most unique aspect of cyber-warfare is its ability to be launched from anywhere in the world. Computers that are physically located in foreign countries may also be compromised and used as a launch platform for attack making identification of any initial attack source extremely difficult. Cyber-attacks are inexpensive, easy to deliver and leave few fingerprints. Therefore, they will continue to remain a component of modern-day warfare. While countries around the world are in the process of integrating offensive and defensive cyber capabilities into their overall military strategies, the responsibility to protect high-value critical infrastructure targets will remain a significant challenge. Because of this, government and industry need to collaborate to develop protection strategies that carefully consider how a cyber war or attack could affect society and world economies.
Written By Jeffrey Bernstein
Published April 2009 in MIS-ASIA Recently, news concerning the ongoing security compromise of the North American power grid via various breaches of computing infrastructure was distributed throughout news and media outlets worldwide. While not a new problem by any means, the issue warrants attention from the international public, commercial and government sector audiences. The electronic computing environments that make up a country’s infrastructure are often taken for granted. However, a disruption to only a single live production computer system can create cascading consequences across multiple sectors. For example, a computer breach that disrupts the distribution of electrical power across a region could lead to the forced shutdown of networked communications and controls within the transportation sector. Air traffic, road traffic and rail transportation might become affected as a direct result. By extension, subsequent disruption of emergency services would also occur. Recent highly publicised cyber attacks on the republics of Estonia, Lithuania and Georgia are representative of the growing problem at hand. Because each country has a unique environment, cyber attacks will yield varying consequences from nation to nation. Georgia, for instance, was a relative latecomer to adopt Internet technologies. Because of this, the country’s population of fewer than five million saw little effect beyond service denial to many of its government Web sites. Cyber attacks have far less impact on a country such as Georgia than they might on more Internet-dependent places such as Taiwan, South Korea, Singapore or the United States where vital services including government, transportation, power and banking depend on the Internet. These increasingly frequent, sophisticated and targeted international cyber incidents involving denial of service, espionage, propaganda and information theft are driving governments to develop effective tactical and strategic cyber-warfare capabilities. While government military forces have been traditionally more equipped for warfare involving guns, tanks and missiles, almost all now recognise the need to adopt strategies to support success in this new electronic theatre of operations. Most countries, of course, deny that their cyber capabilities are involved with any of the higher-profile international cyber security events that we read about in the press almost daily. Regardless of the truth in these denials, the anonymous nature of the Internet provides plausible deniability for attack sources. Mission statement In the Americas, the current mission statement of the United States Air Force is to ‘Fly, Fight and Win...in Air, Space and Cyberspace’. Similarly, in Eastern Asia, The People’s Liberation Army (PLA) reportedly continues to mature its integrated network electronic warfare and space/counter-space capabilities. China and the US are only two of the countries included in the rapidly expanding list of nations now racing to assemble arsenals of cyber-weaponry. In fact, it is well-documented and commonly accepted by the international security community that more than 140 countries are actively
developing cyber-espionage and warfare capabilities. The common thinking for all is to facilitate increased superiority over an adversary. When it comes to the modern-day battleground, ‘bits and bytes’ now accompany the ‘bullets and bombs’ that have historically powered warfare. As multinational cyber arsenals continue to mature, international concerns over operational cyber ‘espionage’ and ‘warfare’ grow. Perhaps most vulnerable to attack are the critical infrastructure and key resources that operate within any particular country. Critical infrastructure resources support the crucial services that generally serve as the supporting foundation for any society. Cyber security protection With the majority of global vital infrastructure operated by the commercial sectors, the issue of cyber security protection is weighing heavily on both industry and government. For example, in the US, 80 per cent of critical infrastructure is owned and operated by the commercial sectors. Some critical infrastructure elements are so essential that their destruction, disruption or exploitation could have a debilitating impact on a country’s national security or economic well-being. While critical infrastructure categorisation varies from country to country, it usually includes some combination of the following sectors from industry and government; • Government services • Law enforcement, fire and emergency response • Banking and financial services • Transportation • Power including electricity, oil and gas • Public works including water and drainage • Internet, media and telecommunications • Agriculture and food supply • Health Many countries also categorise prominent public places, national monuments and high-profile events as critical infrastructure. Power and utility sectors One specific area of concern is in the power and utility sectors where Supervisory Control and Data Acquisition (SCADA) industrial control systems monitor, coordinate and control process. Within the enterprise, information technology systems typically have a lifecycle of five years or less allowing for enhancements designed to mitigate the latest known security threats. By comparison, many mission critical SCADA control systems have been in production for 15 years and sometimes longer. Unfortunately, many of these systems were originally architected with little to no concern for security. Because of this, Internet-exposed SCADA-based systems and the organisations that operate them remain highly vulnerable to Internet-borne threat. A recent article from the North America-based Council on Foreign Relations quoted a well-known economist as having estimated that a shutdown of electrical power to any sizeable region for more than 10 days would stop more than 70 per cent of all economic activity in that region. Given the
costs involved to finance a traditional military attack, is it any surprise that cyber-warfare strategies are gaining attention? Perhaps the most unique aspect of cyber-warfare is its ability to be launched from anywhere in the world. Computers that are physically located in foreign countries may also be compromised and used as a launch platform for attack making identification of any initial attack source extremely difficult. Cyber-attacks are inexpensive, easy to deliver and leave few fingerprints. Therefore, they will continue to remain a component of modern-day warfare. While countries around the world are in the process of integrating offensive and defensive cyber capabilities into their overall military strategies, the responsibility to protect high-value critical infrastructure targets will remain a significant challenge. Because of this, government and industry need to collaborate to develop protection strategies that carefully consider how a cyber war or attack could affect society and world economies.
Downside to the "Twitter Revolution
Dissent
Volume 56, Number 4, Fall 2009
Among the unpleasant surprises that awaited Barack Obama's administration during the post-election turmoil in Iran, the unexpected role of the Internet must have been most rankling. A few government wonks might have expected Iranians to rebel, but who could predict they would do so using Silicon Valley's favorite toys? Team Obama, never shy to tout its mastery of all things digital, was caught off guard and, at least for a moment or two, appeared ill-informed about the heady developments in Iranian cyberspace. Speaking a few days after the protests began, Secretary of State Hillary Clinton confessed that she wouldn't know "a Twitter from a tweeter, but apparently, it's very important"—referring to Twitter, a popular mix between a blogging service and a social network that enables its users to exchange brief messages of up to 140 characters in length.
http://muse.jhu.edu/login?uri=/journals/dissent/v056/56.4.morozov.pdf
Volume 56, Number 4, Fall 2009
Among the unpleasant surprises that awaited Barack Obama's administration during the post-election turmoil in Iran, the unexpected role of the Internet must have been most rankling. A few government wonks might have expected Iranians to rebel, but who could predict they would do so using Silicon Valley's favorite toys? Team Obama, never shy to tout its mastery of all things digital, was caught off guard and, at least for a moment or two, appeared ill-informed about the heady developments in Iranian cyberspace. Speaking a few days after the protests began, Secretary of State Hillary Clinton confessed that she wouldn't know "a Twitter from a tweeter, but apparently, it's very important"—referring to Twitter, a popular mix between a blogging service and a social network that enables its users to exchange brief messages of up to 140 characters in length.
http://muse.jhu.edu/login?uri=/journals/dissent/v056/56.4.morozov.pdf
GLOSSARY OF INFORMATION WARFARE TERMS
GLOSSARY
AES Advanced Encryption Standard. The United States encryption standard that replaced the older and weaker DES standard.
DT>C4ISR
An alternative definition provided by a hacker in a white hat . . .a programmer who is an expert in computer security and administration. Hackers have exellent problem solving skills, and use them to get into computer systems with ease. True 'hackers' do not damage the information they find, for the only reason that they 'hack' into systems is for the challenge and 'thrill' they get from it. After 'hacking' into systems, they usually either tell the administrator, or do the security fix themselves and leave. Hackers are not limited to computer security and software, though. Hackers can be also people who modify or 'mod' computer hardware.
Subscribe to:
Posts (Atom)
