
Posts tagged - Cyber War

Monday, July 11, 2011

On Cyberspace, Cyber Security, and War

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Back in 2000/2001 I started giving a number of speeches about cyber war.  Funny thing was, back then, most of the audience concluded I was simply nuts. The concept that a war could occur in cyberspace seemed so surreal to most people. 

Given how reliant we are on the digital world, I thought it was obvious that issues in cyberspace would have implications in the physical world and that the two would eventually become inseparable. With the rash of cyber policies emerging from governments, the recent report that the Pentagon has concluded that computer sabotage originating from another country can constitute an act of war is entirely predictable.

Today, technology – interconnected and interdependent technology – has become so integrated into how we function it’s nearly invisible. It’s not simply e-mail, Twitter, Facebook, cable TV, and iPads, but that’s what you see every day.  Technology is what moves trains and trucks, electricity and water, food, fuel, and, importantly, money. It enables resources, such as emergency services, military, textiles, communication, transportation, and intelligence.

Technology, or more specifically cyberspace – a general term for the digital ecosystem – is a resource. And it is a resource that has become essential to all other resources. As such, it is a force multiplier and can have far-reaching effects. Although it may be hard to imagine, it is not beyond comprehension that a cyber-attack could result in the loss of life, directly or indirectly. Disruptions in the digital world have resonating impacts, most notably in the form of resource impedance: shutting off electricity, disabling the banking system, or halting the transportation infrastructure. They can affect production, leading to economic instability and, downstream, civil unrest. We need to take a defensive stance to protect our resources, and cyberspace is no different from the other resources we seek to protect; without that defence, the country's ability to function dissolves along with them.

The resort to war is human and is usually the result of competition over resources. Accumulation of resources means power and, eventually, someone wants your resources and your power, or wishes you harm because of your power. To ignore this is ignorance and denial, and it results in being unprepared, ineffective, and, frankly, doomed.

So, what is my take on the Pentagon’s position? On a very basic level it is an acknowledgement of the importance of cyberspace as a resource, and this isn’t a bad thing. The point here is that, like it or not, an attack in cyberspace is quickly becoming indistinguishable from a physical attack and we must prepare, on many levels, for this outcome. I’m not suggesting you go off-grid, hide in a bunker, and fill your basement with food, water, and ammo… far from it. I’m saying understand the realities of the 21st century and recognize the entanglement of things we’ve tried too hard to view separately.

We need to come to grips with the importance of cyberspace, not only as a nation, but as a global community.  I, for one, don't differentiate between cyberspace and our national infrastructure as separate resources. You can't, because the lines between them have grown so thin they are invisible. But know that they are there, and that they are becoming more integrated and more important every day.

Thursday, July 7, 2011

An Internet Kill Switch?

By Sushila Nair, Product Manager, BT Counterpane

The Cybersecurity Act of 2009 attempts to address the risks that cyber threats pose to the United States of America. How to legislate for, and to some extent exert control over, the Internet is an issue that concerns not only the government of the USA but is the subject of debate by governments globally.

The act gives the President the ability to “declare a cyber-security emergency” and shut down or limit Internet traffic in any “critical” information network “in the interest of national security.” The bill does not define what a critical information network or a cyber-security emergency is, so both would presumably be left to the President’s interpretation.

The emotive term “internet kill switch” was coined around the capability to completely shut down the Internet.

It is interesting to note that a shutdown of this kind was actually carried out in Egypt earlier this year. On January 27 the Egyptian authorities ordered the top ISPs to shut down all their services. The Organization for Economic Co-operation and Development (OECD) estimated the direct costs of the five-day shutdown at a minimum of USD 90 million.

The question becomes: in an economy far more reliant on the Internet, would the damage from a shutdown be greater than the damage done by leaving the Internet available to cyber attackers?

Beyond the question of the damage done is the question of what a temporary shutdown would actually accomplish.   It might stop cyber attackers infiltrating systems, but it would also bring most businesses and a large part of government to a halt. The proliferation of virtual private networks that use the Internet for critical business connectivity means that failures would surface in unexpected places across supply chains. It must be doubted that a risk assessment has been done to establish whether an Internet shutdown would even be possible, and if not, why is this in a piece of legislation at all?

There are many provisions in the bill that are designed to improve the security posture of businesses and critical infrastructure within the States. The focus on the provision of an Internet “kill switch” is unfortunate, and it is arguably the provision least likely to have any impact on cyber security.

In fact, the temptation for cyber attackers would be to see whether they could trigger such a switch themselves and watch the devastation that followed. The focus on improved technology and on funding for vulnerability research and countermeasures is far more likely to pay dividends in a more secure future.

Friday, June 24, 2011

Let’s Make a Deal: Managing Cyber Threats with Treaties

by Tara Savage

In the fourth and final part of his series on cyber war and cyber terrorism, recorded at this year’s Infosec conference, Bruce Schneier talks about how governments might manage cyber threats through old-fashioned treaties.  In much the same way as nuclear arsenals have been managed by START or the Nuclear Non-Proliferation Treaty, Bruce speculates that codifying the rules of engagement and having mechanisms such as a hotline in place might aid in mitigating the consequences of cyber threats.  Ever the realist, Bruce also notes that there are certain problems with this approach, including verification and what to do about script kiddies.

Click below to learn more about the impact of cyber mercenaries and how companies that make cyber weapons are flourishing.

Thursday, June 23, 2011

Hackers Don’t Know When to Quit

by Tara Savage

Continuing his conversation at Infosec 2011, Bruce tackles the challenge of hackers who don’t know when to quit.  As Bruce notes, attackers have a natural advantage in launching cyber attacks because the number of target computers and the complexity of networks create not only myriad entry points but also innumerable different types of attack.  This is why they are referred to as Advanced Persistent Threats.

Find out more about what Bruce has to say about this new generation of hacker.

Tuesday, June 21, 2011

Of Schneier and Cyber Security

by Tara Savage

At the recent Infosec conference in London, BT’s Chief Security Technology Officer, Bruce Schneier, talked extensively about his views on cyber war and cyber security.  In this first of four videos Bruce discusses whether or not we should be concerned with cyber war as a real threat, with interesting results!  With his typical acumen, Bruce points out that what we actually need to do first is define key words and phrases so that we can discuss the impact of cyber war more clearly.

Friday, May 20, 2011

Book Review: Global Terrorism and New Media: The Post-Al Qaeda Generation

By Ben Rothke, Senior Security Consultant, BT Global Services

Global Terrorism and New Media: The Post-Al Qaeda Generation. By Philip Seib and Dana Janbek; published by Taylor & Francis Group/Routledge, www.routledge.com; 160 pages; $38.95.

The Internet has revolutionized how we socialize and do business, speeding commerce, facilitating knowledge sharing, and creating networks that could not have existed a decade ago. Unfortunately, terrorists reap the same benefits. Global Terrorism and New Media: The Post-Al Qaeda Generation is a fascinating new book that provides an excellent over­view of how terrorist organizations use today’s technology to spread their message.

The book opens with the observation that communication is at the heart of terrorism. The principal accomplishment of al Qaeda on 9-11 was not mass murder and destruction of property but rather terrifying millions and, by doing so, changing the way people live the world over.

The authors note the central role the news media plays in defining terrorism. Knowing this, terrorists calculate the consequences of their deeds and the likely scope of media coverage in order to inject themselves into the conversation of civil society. The authors also discuss how terrorist organizations make full use of various technologies, including producing periodicals that teach their followers to use electronic data security to evade online detection by the authorities.

Across Facebook, YouTube, Twitter, online forums, and more, terrorist organizations are making full use of Web 2.0. Hez­bollah, the authors note, used Facebook to try to arrange meetings with Israeli soldiers in an attempt to kidnap them. Elsewhere, terrorists use the Web to exchange confidential information for money.

To fight the terrorist threat, Yuval Diskin, head of Israel’s internal security service, recently observed that “countries need to cooperate closely and develop technology together to counter new threats.”

The authors concede that there’s no easy way to stop terrorists’ extensive use of new media. The best approach may be to create a comprehensive communications strategy, executed via new media, to counter the extremists’ messages. So far, extremists who embrace violence have done a superior job of mastering these tools, but there is no reason why they should be allowed to maintain the upper hand.

Global Terrorism and New Media is a fascinating read and of benefit to anyone involved in terror prevention, security studies, or political science.

This book review was originally published by Security Management Magazine in the May 2011 issue.

Wednesday, June 23, 2010

Part 2 — Cyberwar vs. cyberattack

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Cyberwar is not your typical hacker attack.  The difference — cyberwar is when a cyberattack is launched or condoned by a country, as opposed to being performed by a group, such as a terrorist group or cyber-criminals performing acts of vigilantism or some skewed version of patriotism.

A cyberwar is considered a “hack” – using the term very loosely – by a nation, government, and/or military to harm other countries.  Granted, the lines are very blurry, especially when governments permit cyber-criminals to operate in their country or turn a blind eye, which can be construed as supporting the effort.  But in general, cyberwar is considered a military action funded and driven by an established government.

Cyberwar is sometimes confused with the recent advent of countries using cyberwar-like tactics for various purposes – such as espionage or general disruption.  For example, there is some evidence that the Chinese government was behind Operation Aurora against Google and other companies.  Or the formation of GhostNet, attributed to China, in which more than a thousand computers in more than a hundred countries were infected, with more than 30% considered high-value targets, such as computers in embassies, international organizations, news media and ministries of foreign affairs, among others. These are examples of the escalation toward cyberwar – blatant attacks against digital assets around the world.  It’s easy to see how these could be examples of initial planning, testing of cyberweapons and information gathering.

Regardless, what we’re seeing today is not what I would call cyberwar, but more so cyberattacks that are testing the bounds of what is possible.  In some discussions, I’ve referred to attacks of this nature as live-fire weapons testing.

Cyberwar is scary because of a few interesting attributes that are a little different from traditional warfare as we generally understand it, making it somewhat complicated:

  • There is a great deal of anonymity, generally referred to in cyberwar circles as the “attribution problem,” representing the deniability of the attacker.  Although there are technologies that help to identify the source of a cyberattack, they do not provide indisputable evidence, at least not in the eyes of the international community.  This attribute represents a fundamental counterattack challenge.  In conventional war, the source point of a fired weapon or the location of a threatening weapon system is rapidly identified and quickly targeted for destruction.  In cyberwar, the attribution problem makes effective combatant identification nearly impossible.  You may be able to determine which systems are attacking and from what location, but this is not enough to attribute the attack to the real enemy.
  • Force multiplication uses resources that are not directly related to the attacking country.  For example, in conventional warfare there are tanks, planes and other assets directly associated with the attacking force and are therefore quantifiable targets.  In cyberwar, a country will likely take control of computing resources, such as hundreds of thousands or millions of personal computers around the world from which to launch an attack.  This too makes a counterattack extraordinarily complex and fraught with risk.  If not planned and executed with acute accuracy, a force could inadvertently take down a neutral country or ally.

These two simple and basic codependent features create an environment that is difficult to fully engage.  For example, assume that the United States imposes additional strict sanctions against North Korea as a result of the recent sinking of a South Korean vessel; and in retaliation, the North Korean government wages a cyberattack against the American financial system.  In doing so they utilize a vast network of commandeered computers in Brazil, Argentina, South Africa, France, Italy, Saudi Arabia, Ireland, the Netherlands, and Belarus to launch a well-planned attack through a complex web of command and control systems spread across a number of other countries.

Within minutes, the financial system begins to strain, automatic financial controls become engaged.  Within the next 24 hours the system fails.  The U.S. government has few options, if any, for an offensive.  Resources are directed to defensive tactics to stem the tide, establish protective measures to thwart the attack as much as possible and start recovery processes.  In short, the attacker is everywhere, including inside your environment.

You can’t simply start taking down systems because they may be owned by allies or may be your own systems working against you.  Meanwhile, the impact to the U.S. is not unlike if a bomb were dropped in the middle of a major city.  Therefore, in cyberwar there is a great deal of ambiguity and uncertainty, yet the level of impact is, on a very fundamental level, not all that different from an equally well-formed conventional attack.

This reality does impose a sense of fear that, if truly understood and acknowledged throughout society, would equal or even surpass the levels of fear experienced during the cold war and the threat of nuclear annihilation.  It’s ultimately based on the feeling of helplessness and the inability to respond.  However, this is not entirely the situation that is evolving today.

In the coming weeks, we’ll continue on this topic.  In the meantime, please share your thoughts on this important topic.

For more on Jim’s thoughts on cyberwar, see: Cyberwar is a reality, but what exactly is it? 

Monday, June 21, 2010

Cyberwar is a reality, but what exactly is it?

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

You can’t pick up a paper, read a news article or scan a blog without something about cyberwar in there somewhere.  Moreover, there are a number of books surfacing and, conservatively speaking, a great deal of activity in the government sector concerning cyberwar.  While I’m working on a series of posts on this topic, I thought we should first try to define it.

In short, cyberwar is the use of technology to render some form of harm against an enemy.  Suffice it to say that we’re not talking about your typical hacker trying to steal credit card numbers.

Cyberwar is technically more of a statement of condition as opposed to a specific act, such as a battle or attack.  The term encompasses all the different forms of attacks, defenses and counter attacks that occur in the digital domain over time.  You hear some in the government make statements such as, “we’re in a cyberwar,” referring to the vast number of attacks against government and private networks and systems from distant entities. These forms of attacks are on the rise, and the United States is clearly making the necessary political and military adjustments to address such threats (more on this in future posts).

On the other hand, you hear a more accurate representation of a cyberwar as a future condition where cyberattacks will have devastating results that are analogous to what we would see in conventional warfare.  In many cases, experts will refer to situations where an attacking force would use “cyber weapons” to bring down the power grid, financial systems, communication networks and the like (e.g., critical infrastructure), rendering them unusable.

In this future, the difference between a cyberattack and a traditional attack is that the physical infrastructure remains generally intact.  For example, a bomb blowing up a critical power station clearly hinders the ability to distribute electricity until it is rebuilt, consuming time and resources. Conversely, a cyberattack will render the deeply integrated computing systems temporarily useless, also hindering the ability to distribute electricity.  Although the physical asset is unaffected in this scenario, the end result is very similar to a physical attack – electricity cannot be delivered to homes, businesses and other utilities for a period of time.

Of course, we have to acknowledge that a well-formed cyberattack can make computers perform dangerous acts that can manifest themselves as physical destruction.  An example would be opening waste gates on a sewer system to dump raw sewage into the environment; or redirecting trains, placing them on a collision course; or channeling electricity in a manner that overloads systems, such as lines and transformers, causing them to explode or become completely inoperable; or disrupting air and ground controls, greatly increasing the potential for a devastating accident.  

The list is very long. Think of all the computer controlled elements in our lives and about how the “logic” of their control could be manipulated to cause physical damage.

More importantly, we have to understand the condition and sensitivity of today’s major countries. During World War 2, it took a bomb to destroy an asset — such as a train, manufacturing plant, airfield, roads and bridges — to disrupt the stability of the enemy.  However, today there is far more sensitivity to disruption.

Let’s go back to the power station attack example.  If power was lost for an extended period of time, say two weeks, in key locations, such as New York, Chicago, San Francisco, Dallas, Atlanta, Boston, and the like, the United States would be brought to its knees.  Financial systems would strain to a point of failure, emergency services would rapidly become overloaded, products couldn’t be delivered, trains wouldn’t run, hospitals would be overrun, impassable traffic would form and people – many of them – would die.  Imagine if this occurred in the middle of winter or even summer – it would be a catastrophe.  Therefore, a cyberattack against the power grid doesn’t have to physically destroy the power grid to cause massive damage and disruption because there is very little resilience in how our society functions.  One critical aspect goes missing for a short period and the entire fabric begins to come apart.

This concept was demonstrated in the recent Icelandic volcano eruption that virtually halted air traffic between the United States and Europe for the better part of a week.  This cost airlines millions, disrupted the travel plans of hundreds of thousands of people, and stopped the delivery of perishable resources, such as donated organs.  The total cost in money and lives will never truly be known. Therefore, an attack against something like the power grid can cause mass disruption well beyond the targeted environment.

In the coming weeks, I will continue this series on cyberwar by writing about the “weaponization” of cyberspace and the cyber cold war.  And then I will elaborate on the future “theater of war,” setting the foundation for sharing views of what World War 3 could look like.

Thursday, June 3, 2010

Has the Cyber War Threat been Exaggerated?

By Pete Russo, Senior Marketing Manager, BT Global Services

Almost every time you pick up a newspaper, you read how cybersecurity should be at the top of every company’s list of top concerns.

However, there are some who would say that this is up for debate. So, a debate is scheduled. Intelligence Squared U.S. (IQ2US) is presenting a debate entitled, “The Cyber War Threat Has Been Grossly Exaggerated,” on Tuesday, June 8, in Washington, D.C. 

On one side will be Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), and our very own Bruce Schneier, Chief Security Technology Officer, BT, and internationally renowned security author, who will debate in favor of the proposition.

On the other side of the debate will be Vice Admiral (ret.) Mike McConnell, former director of National Intelligence from 2007-2009, and Jonathan Zittrain, Professor of Law at Harvard Law School and co-founder of the Berkman Center for Internet & Society.

Sponsored by Neustar, the event will be a formal Oxford-style debate.  Neustar is sponsoring it to help deepen understanding of cybersecurity needs.

If you want to see the debate live, visit the IQ2US website for tickets. If you can’t make it, look for an international broadcast on Bloomberg Television beginning on June 14 or listen for it on National Public Radio.  Newsweek, IQ2US’s print and online media partner, will also feature coverage of this special debate in its magazine and on www.newsweek.com.  Of course, we will also post content following the event on SecureThinking, so check back following the event.

Friday, February 5, 2010

Operation Aurora: The Dawn of a New Era of Network Attacks

By Toby Weir-Jones, Vice President – Product Development, Managed Security Solutions Group, BT Global Services

Over the past few weeks, there has been a great deal of coverage given to Google’s announcement that it has been the target of sophisticated network attacks from China.  While many have suspected that western companies and government agencies have been attacked by the Chinese, Operation Aurora was confirmation that online espionage, if not cyber war, is prevalent. 

It’s interesting to note that the purpose of the attacks was not to gain information for immediate profit, as is typically the case, but to keep tabs on the movement of information between individuals, groups, corporations, and government agencies without needing to filter content. 

As has been well documented, Operation Aurora took advantage of a memory-corruption vulnerability in Microsoft’s Internet Explorer, which Microsoft fixed in an out-of-band update (MS10-002) in January 2010.  This continues a pattern of browser-based attacks originating in China against US networks, the most notable of which, until now, was Titan Rain back in 2003.  The specific mode of attack is not new and is not really the story in this case; sadly, we’re all familiar with the proliferation of attacks against browsers and their plugins, the resulting malware, and ceaseless memory-corruption attacks against thoroughly-vetted products.

But what can companies do to combat these attacks and secure their operations?  After all, not doing business in China isn’t really an option for most companies that are recovering from the economic downturn.  And really, we shouldn’t single out China as the only source of suspicious firewall logs, nor should we assume that addresses originating in the US and Europe should be benign.

What can the CSO do, then, to protect the company and customers?

Product vendors will universally claim they could have detected the attacks, because they would have seen them either in the raw network traffic (for NIDS products) or in the application data in memory (for AV and HIDS products).  However, this level of detection relies on generic exploit alerts – “buffer overflow attempt” and the like – which tell you that something fired but not where the threat is coming from or whether it succeeded.  In their defence, host products such as AV and HIDS can potentially pin down the source of the attack because they are application-aware.  However, as is often the case, to use these host products effectively the advanced application protections need to be enabled, and they are frequently turned off to avoid reporting false positives.

On the front-end what we advise our customers to do is to ensure they are monitoring the right devices, and logging is configured correctly.  They also need to ensure that a well-documented and rehearsed incident response plan is in place in the event that a breach occurs.

In the SOC what we’re doing is much more time-consuming.  Our analysts and engineers are relentlessly scouring every log, every security and non-security event, collecting every piece of contextual evidence and sending it back to the lab for analysis, comparing the results of a single customer network against our global customer base to document quickly and accurately that one host in a thousand within a monitored subnet is actually compromised. 

Whether the motivation is fraud, spam, or espionage is technically immaterial because it has no bearing on finding infected hosts or revealing the methods of attack.  What we rely on instead is dozens of combined years of experience in monitoring network security activity; we’re not limited to expertise on one or two technologies, we have extensive knowledge across numerous vendor platforms.  Our CMAL and CBOT modules (first released in 2008) are great examples of advanced technology that solves real business problems, and they don’t simply offer up pretty reports about knee-jerk reactions performed by other devices. 

We want to know where it’s coming from first, and then worry about the details behind what it’s doing.  Security policies don’t distinguish between the details of buffer overflow attacks vs. brute-force — they focus on intent, so focusing efforts purely on signature-based detection can dangerously restrict your view. 
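As an added illustration of the correlation the last few paragraphs describe, here is a small Python sketch. It is not BT's CMAL or CBOT code and is not from the original post; the log formats, hosts, addresses, time window and rarity threshold are all constructed assumptions for the example. The point it demonstrates is that a generic NIDS exploit alert by itself is noise, but the same host subsequently opening a connection to a destination that no other monitored host has ever contacted (the fleet-wide baseline comparison) is the kind of contextual evidence that picks out the one compromised host among many that merely triggered a signature.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real SOC data).
# Alert format assumed here: timestamp|internal host|signature text
NIDS_ALERTS = """\
2010-01-12T09:14:02|10.1.4.22|SHELLCODE generic buffer overflow attempt
2010-01-12T09:14:05|10.1.4.22|WEB-CLIENT browser heap spray detected
2010-01-12T09:20:11|10.1.7.90|SHELLCODE generic buffer overflow attempt
2010-01-12T11:02:40|10.1.9.15|SHELLCODE generic buffer overflow attempt
"""

# Connection log format assumed here: timestamp|source|destination|port
CONN_LOG = """\
2010-01-12T09:00:30|10.1.4.22|203.0.113.7|443
2010-01-12T09:01:00|10.1.7.90|203.0.113.7|443
2010-01-12T09:01:12|10.1.9.15|203.0.113.7|443
2010-01-12T09:15:40|10.1.4.22|198.51.100.23|443
2010-01-12T09:16:10|10.1.4.22|198.51.100.23|443
2010-01-12T09:21:00|10.1.7.90|203.0.113.7|443
2010-01-12T09:22:00|10.1.7.90|203.0.113.9|80
2010-01-12T09:22:30|10.1.9.15|203.0.113.9|80
2010-01-12T09:23:00|10.1.2.2|203.0.113.9|80
2010-01-12T11:03:05|10.1.9.15|203.0.113.7|443
2010-01-12T13:00:00|10.1.4.22|198.51.100.23|443
"""

Conn = namedtuple("Conn", "ts src dst port")


def parse_alerts(text):
    """Map each alerted internal host to the times its alerts fired."""
    alerts = defaultdict(list)
    for line in text.splitlines():
        ts, host, _signature = line.split("|")
        alerts[host].append(datetime.fromisoformat(ts))
    return dict(alerts)


def parse_connections(text):
    """Parse outbound connection records into Conn tuples."""
    conns = []
    for line in text.splitlines():
        ts, src, dst, port = line.split("|")
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(port)))
    return conns


def destination_prevalence(conns):
    """Fleet-wide baseline: how many distinct internal hosts ever talked to each destination."""
    hosts_per_dst = defaultdict(set)
    for c in conns:
        hosts_per_dst[c.dst].add(c.src)
    return {dst: len(hosts) for dst, hosts in hosts_per_dst.items()}


def find_suspect_hosts(alerts, conns, window_minutes=30, max_prevalence=1):
    """Flag hosts that, shortly after an exploit alert, contact a destination
    they had never used before and that almost no other host has ever used.
    Returns {host: sorted list of 'dst:port' evidence}."""
    prevalence = destination_prevalence(conns)
    window = timedelta(minutes=window_minutes)
    suspects = {}
    for host, alert_times in alerts.items():
        host_conns = [c for c in conns if c.src == host]
        evidence = set()
        for alert_ts in alert_times:
            # Destinations this host already used before the alert are its normal traffic.
            seen_before = {(c.dst, c.port) for c in host_conns if c.ts < alert_ts}
            for c in host_conns:
                if not (alert_ts <= c.ts <= alert_ts + window):
                    continue
                if (c.dst, c.port) in seen_before:
                    continue
                if prevalence[c.dst] <= max_prevalence:
                    evidence.add(f"{c.dst}:{c.port}")
        if evidence:
            suspects[host] = sorted(evidence)
    return suspects


if __name__ == "__main__":
    alerts = parse_alerts(NIDS_ALERTS)
    conns = parse_connections(CONN_LOG)
    print("hosts with generic exploit alerts:", sorted(alerts))
    print("hosts with corroborating rare new destination:", find_suspect_hosts(alerts, conns))
```

In the constructed data three hosts trip the same generic "buffer overflow" signature, but only 10.1.4.22 then beacons to a destination nobody else in the fleet has contacted, so it is the only host reported. The other two keep talking to destinations shared by several hosts, which is exactly the traffic a signature-only view would have had no way to separate from the real compromise.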

This is the first post in a series about Aurora that we’re working on.  Next up, Rob Jamison, our Manager of Network Intelligence, will offer up more insights into Aurora’s methods of propagation and detection.