Posts tagged Cyberwar

Friday, July 9, 2010

Weaponization of Cyberspace — It’s not science fiction, it’s war

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

There are a number of folks in the security industry who have downplayed the realities of cyberwar.  In some circles, the conversation of cyberwar will elicit some interesting reactions and many tend to deny its potency relative to traditional warfare and traditional weapons.

Moreover, many begin to blur the lines between cyberwar, cyberterrorism and other cyberattack scenarios, confusing the topic.  In virtually every conversation of this nature, I’m the one who stands out as the lone voice saying they’re not only wrong, but woefully underestimating the situation.

Throughout history, advances in weapon technology have dramatically changed the battlefield. Everything and anything that can be used as a weapon that offers even the slightest advantage over your enemy will be developed and deployed.

Folks… it is war.  Therefore, within this context, cyberspace has evolved from “advantage acquisition” to weaponization because the battlefield now includes the virtual domain.

Early uses of cyber assets mostly took the form of intelligence gathering to establish situational awareness and, of course, counterintelligence.  Moreover, technologies were employed to advance communications and support accurate mobilization of resources.  For example, the F-35 Joint Strike Fighter (JSF), a next-generation, multi-variant strike platform, has highly sophisticated computers and communications to align multiple forces for effective, real-time battlefield management.  Cyber has allowed air, sea and ground assets to work together so there is a unified view of battlefield conditions and enemy activity.

The move to weaponization of cyber technologies is in full swing.  Initially, weaponization in cyberspace involved taking hacker tools and tactics and refining them to be more effective, not unlike the rifling of cannon barrels.  It is converting something that is reasonably dangerous and can be generally targeted into a manageable device that can be consistently developed, effectively deployed, and accurately directed at the target.  And it produces the intended results by effectively exploiting vulnerabilities in the enemy’s defenses.

A simple example is malware, which comes in multiple forms with a wide range of impact potential.  However, much of what we experience today is indiscriminate, because a common hacker’s mission is to infect any system, and as many as possible, to build a botnet for dishing out spam or causing havoc. Clearly, the concept is sound, but it is not conducive to the ultimate role of a weapon.

A meaningful aspect of weaponization is refinement so that it can be accurately targeted and its impact controlled.  Even malware in the wild has been weaponized, retaining its viral, self-propagating features; but it includes highly sophisticated methods to operate in a predictable manner and submit to in-flight commands to adjust to changes in the environment.

However, today’s weaponization has moved well into the development of completely new forms of cyberweapons: things that have been researched, developed, tested, and refined from scratch, creating completely new types of weapons – not unlike the hydrogen bombs of WWII – and they are game changers.  These new weapons employ comprehensive targeting capabilities, have the ability to effectively navigate cyberspace, comprise a wide spectrum of impact control, and have multipurpose functionality that can change on command or autonomously, based on interpreted conditions.

Fundamentally, cyberweapons are no different from a guided missile.  But instead of traversing the physical domain, they travel across the virtual domain.  In fact, as I write this, DARPA (Defense Advanced Research Projects Agency) is developing (and has likely completed) a cyber range – an environment for test-firing cyberweapons.

Make no mistake — weaponization of cyberspace is a reality.

Wednesday, June 23, 2010

Part 2 — Cyberwar vs. cyberattack

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Cyberwar is not your typical hacker attack.  The difference — cyberwar is when a cyberattack is launched or condoned by a country, as opposed to being performed by a group, such as a terrorist group or cyber-criminals performing acts of vigilantism or some skewed version of patriotism.

A cyberwar is considered a “hack” – using the term very loosely – by a nation, government, and/or military to harm other countries.  Granted, the lines are very blurry, especially when governments permit cyber-criminals to operate in their country or turn a blind eye, which can be construed as supporting the effort.  But in general, cyberwar is considered a military action funded and driven by an established government.

Cyberwar is sometimes confused with the recent advent of countries using cyberwar-like tactics for various purposes – such as espionage or general disruption.  For example, there is some evidence that the Chinese government was behind Project Aurora against Google and other companies.  Or the formation of China’s GhostNet, where more than a thousand computers in more than a hundred countries were infected, with more than 30% considered high-value targets, such as computers in embassies, international organizations, news media and ministries of foreign affairs, among others. These are examples of the escalation to cyberwar — blatant attacks against digital assets around the world.  It’s easy to see how these are examples of initial planning, testing of cyberweapons and information gathering.

Regardless, what we’re seeing today is not what I would call cyberwar, but more so cyberattacks that are testing the bounds of what is possible.  In some discussions, I’ve referred to attacks of this nature as live-fire weapons testing.

Cyberwar is scary because of a few interesting attributes that are a little different from traditional warfare as we generally understand it, making it somewhat complicated:

  • There is a great deal of anonymity, generally referred to in cyberwar circles as the “attribution problem,” representing the deniability of the attacker.  Although there are technologies that help to identify the source of a cyberattack, they do not provide indisputable evidence, at least not in the eyes of the international community.  This attribute represents a fundamental counterattack challenge.  In conventional war, the source point of a fired weapon or the location of a threatening weapon system is rapidly identified and quickly targeted for destruction.  In cyberwar, the attribution problem makes effective combatant identification nearly impossible.  You may be able to determine what systems are attacking and from what location, but this is not enough to attribute the attack to the real enemy.
  • Force multiplication uses resources that are not directly related to the attacking country.  For example, in conventional warfare there are tanks, planes and other assets directly associated with the attacking force that are therefore quantifiable targets.  In cyberwar, a country will likely take control of computing resources, such as hundreds of thousands or millions of personal computers around the world, from which to launch an attack.  This too makes a counterattack extraordinarily complex and fraught with risk.  If not planned and executed with acute accuracy, a force could inadvertently take down a neutral country or ally.

These two simple and basic codependent features create an environment that is difficult to fully engage.  For example, assume that the United States imposes additional strict sanctions against North Korea as a result of the recent sinking of a South Korean vessel; and in retaliation, the North Korean government wages a cyberattack against the American financial system.  In doing so they utilize a vast network of commandeered computers in Brazil, Argentina, South Africa, France, Italy, Saudi Arabia, Ireland, the Netherlands, and Belarus to launch a well-planned attack through a complex web of command and control systems spread across a number of other countries.

Within minutes, the financial system begins to strain and automatic financial controls engage.  Within the next 24 hours the system fails.  The U.S. government has few options, if any, for an offensive.  Resources are directed to defensive tactics to stem the tide, establish protective measures to thwart the attack as much as possible and start recovery processes.  In short, the attacker is everywhere, including inside your environment.

You can’t simply start taking down systems, because they may be owned by allies or may be your own systems working against you.  Meanwhile, the impact to the U.S. is not unlike a bomb being dropped in the middle of a major city.  Therefore, in cyberwar there is a great deal of ambiguity and uncertainty, yet the level of impact is, on a very fundamental level, not all that different from an equally well-formed conventional attack.

This reality does impose a sense of fear that, if truly understood and acknowledged throughout society, would equal or even surpass the levels of fear experienced during the cold war and the threat of nuclear annihilation.  It’s ultimately based on the feeling of helplessness and the inability to respond.  However, this is not entirely the situation that is evolving today.

In the coming weeks, we’ll continue on this topic.  In the meantime, please share your thoughts on this important topic.

For more on Jim’s thoughts on cyberwar, see: Cyberwar is a reality, but what exactly is it? 

Monday, June 21, 2010

Cyberwar is a reality, but what exactly is it?

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

You can’t pick up a paper, read a news article or scan a blog without something about cyberwar in there somewhere.  Moreover, there are a number of books surfacing and, conservatively speaking, a great deal of activity in the government sector concerning cyberwar.  While I’m working on a series of posts on this topic, I thought we should first try to define it.

In short, cyberwar is the use of technology to render some form of harm against an enemy.  Suffice it to say that we’re not talking about your typical hacker trying to steal credit card numbers.

Cyberwar is technically more of a statement of condition as opposed to a specific act, such as a battle or attack.  The term encompasses all the different forms of attacks, defenses and counterattacks that occur in the digital domain over time.  You hear some in the government make statements such as, “we’re in a cyberwar,” referring to the vast number of attacks against government and private networks and systems from distant entities. These forms of attacks are on the rise, and the United States is clearly making the necessary political and military adjustments to address such threats (more on this in future posts).

On the other hand, you hear a more accurate representation of a cyberwar as a future condition where cyberattacks will have devastating results that are analogous to what we would see in conventional warfare.  In many cases, experts will refer to situations where an attacking force would use “cyber weapons” to bring down the power grid, financial systems, communication networks and the like (e.g., critical infrastructure), rendering them unusable.

In this future, the difference between a cyberattack and a traditional attack is that the physical infrastructure remains generally intact.  For example, a bomb blowing up a critical power station clearly hinders the ability to distribute electricity until it is rebuilt, consuming time and resources. Conversely, a cyberattack will render the deeply integrated computing systems temporarily useless, also hindering the ability to distribute electricity.  Although the physical asset is unaffected in this scenario, the end result is very similar to a physical attack – electricity cannot be delivered to homes, businesses and other utilities for a period of time.

Of course, we have to acknowledge that a well-formed cyberattack can make computers perform dangerous acts that can manifest themselves as physical destruction.  An example would be opening waste gates on a sewer system to dump raw sewage into the environment; or redirecting trains, placing them on a collision course; or channeling electricity in a manner that overloads systems, such as lines and transformers, causing them to explode or become completely inoperable; or disrupting air and ground controls, greatly increasing the potential for a devastating accident.  

The list is very long. Think of all the computer controlled elements in our lives and about how the “logic” of their control could be manipulated to cause physical damage.

More importantly, we have to understand the condition and sensitivity of today’s major countries. During World War 2, it took a bomb to destroy an asset — such as a train, manufacturing plant, airfield, roads and bridges — to disrupt the stability of the enemy.  However, today there is far more sensitivity to disruption.

Let’s go back to the power station attack example.  If power were lost for an extended period of time, say two weeks, in key locations, such as New York, Chicago, San Francisco, Dallas, Atlanta, Boston, and the like, the United States would be brought to its knees.  Financial systems would strain to a point of failure, emergency services would rapidly become overloaded, products couldn’t be delivered, trains wouldn’t run, hospitals would be overrun, impassable traffic would form and people – many of them – would die.  Imagine if this occurred in the middle of winter or even summer – it would be a catastrophe.  Therefore, a cyberattack against the power grid doesn’t have to physically destroy the power grid to cause massive damage and disruption, because there is very little resilience in how our society functions.  One critical aspect goes missing for a short period and the entire fabric begins to come apart.

This concept was demonstrated in the recent Icelandic volcano eruption that virtually halted all air traffic between the United States and Europe for weeks.  This cost airlines millions, disrupted the travel plans of hundreds of thousands of people, and stopped the delivery of perishable resources, such as donated organs.  The total cost in money and lives will never truly be known. Therefore, an attack against something like the power grid can cause mass disruption well beyond the targeted environment.

In the coming weeks, I will continue this series on cyberwar by writing about the “weaponization” of cyberspace and the cyber cold war.  And then I will elaborate on the future “theater of war,” setting the foundation for sharing views of what World War 3 could look like.

Wednesday, April 28, 2010

Cybercrime, Cyber-espionage, and Cyberwar: Data Loss Prevention is Serious Business for Industry and Government

By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, PCI QSA


According to Richard Clarke, cybersecurity adviser to presidents Bill Clinton and George W. Bush, who was quoted in a recent story on National Public Radio, “The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes.”

Before you accuse Clarke of having a Noam Chomsky linguistic moment, consider for a moment that Clarke is one of the few people who really gets security.  For instance, Clarke is the first to dismiss full-body scanners for the hype they are, and would rather spend the money on intelligence gathering.

As to this observation, the truth is that the technique that would allow a hacker to steal intellectual property or money is essentially the same basic technique that would allow a nation-state to get into a system and wreak havoc, according to Clarke.

So, whether you are the U.S. government trying to ensure that your military networks are well defended, or a small company trying to guarantee that your customers’ basic credit card information is secure, the bottom line is that data loss prevention (DLP) is something you should seriously consider.

In a recent post, I explained that DLP is more than blindly deploying DLP software (that identifies, monitors and protects data) and letting it “do the work for you.”  First, remember that DLP is just one part of a larger set of information tools. Here are the other considerations I outlined:

  • Know where your company data is stored
  • Classify your data – what needs to be protected and why
  • Create a DLP strategy that details the specific business and technology needs and requirements
  • Run a pilot test with a variety of DLP products to ensure that various use cases are tested to analyze the product in different scenarios

DLP is a necessity in today’s business and government environments.  It is just one part of a greater security picture, however.  Keeping hackers at bay requires a big-picture view of what you are trying to protect and ensuring that your security solution is up to the challenge.
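The “identify” part of DLP that the post refers to is, at its core, content inspection. The following is an added example (not code from the post or from any BT product) of the simplest such check, a payment card number detector that validates candidates with the Luhn checksum before flagging or masking them; the sample message is constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (constructed regex for this example).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of an outbound message; the card numbers are public test numbers.
SAMPLE = ("Hi, please charge card 4111 1111 1111 1111 (exp 12/27) for order "
          "1234567890123; the backup card is 5500000000000004. Thanks.")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: double every second digit
    from the right, subtract 9 from any result above 9, and require sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _is_pan(digits: str) -> bool:
    # Reject repeated-digit strings (e.g. 0000000000000) that pass Luhn but are
    # almost always placeholders, a common DLP false-positive source.
    return luhn_valid(digits) and len(set(digits)) > 1


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if _is_pan(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Mask every detected card number except its last four digits, leaving
    digit runs that fail the Luhn check (order numbers, phone numbers) untouched."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if _is_pan(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return PAN_CANDIDATE.sub(mask, text)


if __name__ == "__main__":
    print(find_pans(SAMPLE))
    print(redact(SAMPLE))
```

A real DLP deployment layers the same idea with data classification (which repositories and channels carry card data) and monitoring of where matches occur, which is the point of the planning steps listed above.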
