Cybergeddon: can it be stopped?
On 7 January, the Cyber Division assistant director of the US Federal Bureau of Investigation (FBI) warned that, beyond weapons of mass destruction, cyber attacks pose the greatest threat to businesses across the globe. There were warnings of a ‘Cybergeddon’ in which an advanced society, that has most of its major infrastructure systems linked to (or completely controlled by) computers, is sabotaged by computer hackers.
The March 2009 Inkerman Group Monitor examines the implications of this statement within new and changing risks in cyberspace that challenge the boundaries of conventional ‘warfare’. The Monitor also provides concrete examples of how these techniques are being used as an integral part of conducting international conflicts.
Such attacks are currently unregulated, and are passing by relatively unchallenged in some cases. They have the potential to threaten Critical National Infrastructure (CNI), commerce and the ability for Governments to function.
The fear of Cybergeddon
Cyber attacks pose the greatest threat to nation states after nuclear war and weapons of mass destruction and, according to intelligence experts, they’re increasingly hard to prevent.
A new global strategic environment is emerging which will be deeply competitive, although this competition will usually not take the form of traditional superpower confrontation. Co-operation, competition and conflict, at some level, will be routine elements of the international environment, and the threat of cyber attack will be a constant feature of interaction between Governments.
Navies, armies and military alliances will not be as important in this competition as the ability for a nation to accelerate its technological progress, and economic growth, to create new ideas and products and to protect its informational advantages.
In this environment, gaining asymmetric advantage over an opponent will be about much more than amassing ponderous conventional forces. Moreover, cyber attacks that occurred between Russia and Georgia during the summer of 2008 can be seen as a model for military cyber engagements in 2009 and beyond.
What, exactly, is Cyberterror?
Cyber terrorism is the convergence of terrorism and cyberspace. It’s generally understood to mean unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a Government or its people in furtherance of political or social objectives.
Further, to qualify as cyber terrorism an attack should result in violence against persons or property, or at least cause enough harm to generate fear.
Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination or severe economic loss serve as perfectly relevant examples. Serious attacks against CNI also count as acts of cyber terrorism with the intention of disrupting essential services and resources (to the extent where Governments have been paralysed).
Simply put, cyberspace is constantly under assault. Cyber spies, thieves, saboteurs, career hackers and thrill seekers break into computer systems, steal personal data and trade secrets, vandalise web sites, disrupt servers, sabotage data and systems, launch computer viruses and worms, conduct fraudulent transactions and harass individuals and companies.
These attacks are facilitated by increasingly powerful and easy-to-use software tools which are readily available for free from thousands of web sites on the Internet. Many of the attacks are serious and costly. The ILOVEYOU worm of May 2000 and its variants, for example, were estimated to have hit tens of millions of users and cost billions of dollars in damage.
The February 2000 Distributed Denial of Service (DDoS) attacks against Yahoo, CNN, eBay and other e-commerce web sites were estimated to have caused more than US$1 billion in losses. They also shook the confidence of businesses and individuals in e-commerce.
Reliance on interdependent computer networks
The cyber threat is rapidly increasing because the number of actors with the tools and abilities to use computers against a nation and its interests is rising. A country’s vulnerability is escalating as its economy and CNI become increasingly reliant on interdependent computer networks and the World Wide Web. Therefore, large-scale computer attacks on critical infrastructures and the economy would have potentially devastating results.
Domestic and foreign terrorist organisations, foreign intelligence actors and criminal enterprises are increasingly using encryption technology to secure their communications and to exercise command and control over operations and people without fear of surveillance.
US intelligence officials claim terrorist groups are working towards a virtual 9/11, intended to inflict damage on the same scale in each target country. Experts also point out that, although an online attack of that scale has not yet happened, the tools for conducting malicious attacks, using the Internet as a weapon, are commonplace, often inexpensive to run and need little assistance to cause maximum impact.
For this reason, cyber attacks are an understandable concern as they’re rapidly evolving around the world as a tool of war. In the last two years alone, Russian hackers allegedly mounted huge assaults on Government targets in Estonia, Georgia and Kyrgyzstan where internet networks and Government infrastructure were targeted in a calculated and well executed move to paralyse communication.
Both Palestinian and Israeli sympathisers also orchestrated attacks against hundreds of web sites as a response to the Gaza offensive. It’s clear that such attacks are popular and effective, and are very much on the increase as a tool for achieving the aims of affecting a country’s people and even a Government.
The potential of misusing cyberspace
Jihadists are already using the Internet as a tool for manipulating public perception, co-ordinating operations and even sharing tactics, training and practices.
At the same time, cyberspace has opened new avenues for espionage and crime alike. The free flow of information across international boundaries has influenced colour revolutions in countries like Ukraine and precipitated the fall of Governments.
However, while the geopolitical significance of cyberspace is undeniable, its exploitation in global conflict (cyber warfare) has to date been limited and deniable. The potential remains for comprehensive military exploitation of cyberspace in an international conflict.
The potential for sustained cyberattacks against the US Government is a serious concern for Washington, and though the US Air Force is working to consolidate its cyber warfare efforts under the aegis of a new Cyber Command, it’s common knowledge that the Pentagon doesn’t have anything close to the established dominance that it enjoys in more traditional domains.
For example, some experts claim that the massive August 2003 blackout in the American northeast was precipitated by a Chinese hacker tinkering with systems relevant to the power grid.
Benefits to be had from cyber warfare
An attack can be executed from almost anywhere in the world without regard to strategic geographic buffers or otherwise insurmountable distances, and its effects can spread well beyond the initial target. From the attacker’s standpoint, both are inherent advantages.
Attacks can bring a country to an economic standstill and cause social mayhem. Government infrastructures like power plants and air traffic control systems are vulnerable to attack. Electrical generators could be hacked into and induced to self-destruct, raising the threat of large-scale physical damage to critical infrastructure.
Offensive actions in cyberspace often provide a great deal of deniability, and are easier to conceal than engaging in a conventional war.
A common method of attack begins not with the denial of service itself but with infecting large numbers of PCs with malicious software. The infection can remain covert to the victim until, on a given signal, every infected machine connects to the target web site at once. The target is saturated with external connection requests until it can no longer respond to legitimate traffic, or crashes and resets.
The aim of the flood is to exhaust the target’s processing capacity, memory, connection table or bandwidth so that no useful work can be done. Such attacks are launched over ordinary wired or wireless connections, and are carried out against the high-profile web servers of banks and credit card payment gateways, but increasingly against Government targets too.
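As an added illustration, not part of the original Monitor, the following Python script shows the defender’s side of the flood just described. It runs a sliding-window detector over a constructed set of web-server access-log lines (the IP addresses, timestamps and thresholds are made up for the example) and distinguishes a handful of loud bots, which trip a per-source limit, from a wider botnet whose members each stay under that limit but together exceed the server’s aggregate capacity.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Apache/nginx-style access-log line, e.g.
#   203.0.113.10 - - [09/Aug/2008:06:00:10 +0000] "GET /login HTTP/1.1" 200 128
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_line(line):
    """Return (ip, unix_time, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], when.timestamp(), m["method"], m["path"], int(m["status"])


def detect_flood(lines, window_s=10, per_ip_limit=20, total_limit=60):
    """Sliding-window flood detector (thresholds are illustrative assumptions).

    Flags any source that sends more than per_ip_limit requests inside
    window_s seconds, and separately reports whether the aggregate rate
    ever exceeds total_limit, which is how a distributed flood of many
    low-rate bots shows up. Lines must be in time order.
    """
    per_ip = defaultdict(deque)   # ip -> timestamps inside the current window
    everyone = deque()            # all timestamps inside the current window
    flagged = set()
    peak = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t = rec[0], rec[1]
        q = per_ip[ip]
        q.append(t)
        while t - q[0] > window_s:
            q.popleft()
        if len(q) > per_ip_limit:
            flagged.add(ip)
        everyone.append(t)
        while t - everyone[0] > window_s:
            everyone.popleft()
        peak = max(peak, len(everyone))
    return {
        "flagged_ips": sorted(flagged),
        "peak_requests_in_window": peak,
        "aggregate_flood": peak > total_limit,
    }


def _line(ip, second, path="/login"):
    """Build one constructed log line at 06:00:<second> on 9 Aug 2008 (UTC)."""
    ts = datetime(2008, 8, 9, 6, 0, second, tzinfo=timezone.utc)
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 128'


def sample_log():
    """Constructed traffic: 3 loud bots, 10 quiet bots, 1 legitimate visitor."""
    events = []
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        events += [(10 + i % 5, ip, "/login") for i in range(25)]           # 25 hits in 5 s each
    for n in range(10):
        events += [(30 + i, f"198.51.100.{n}", "/login") for i in range(8)]  # 8 hits each, under the per-IP limit
    events += [(12, "192.0.2.7", "/"), (40, "192.0.2.7", "/news")]           # ordinary browsing
    events.sort()
    return [_line(ip, sec, path) for sec, ip, path in events]


if __name__ == "__main__":
    print(detect_flood(sample_log()))
```

The point of the two counters is that a per-source threshold alone misses exactly the case the Monitor is describing: ten quiet bots each look harmless, yet together they push the site over its capacity, so an aggregate counter (or a per-path one) is needed alongside the per-IP one.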
Botnets as a means of cyber attack
In general, hackers use botnets, networks of compromised computers under a single operator’s control, to launch these attacks. The cost of obtaining a small network of bots is minimal, and many are easily obtainable from web sites.
For example, in February 2009, a network of 300 bots could be bought online for just US$75. 300 bots would not derail a standard well-resourced web site, but much larger networks or botnets exist and would require a minimal financial input in order to achieve their goals.
When an attack is mounted in this way, it’s difficult to trace the operators of the botnet. A further problem lies with the adversary itself: hackers exist outside traditional domestic law enforcement, and most have a strong distaste for authority and a distrust of Government.
Cyberspace is a domain in which many of the traditional considerations of geopolitical conflict are fundamentally altered, if not obviated altogether (eg geography may not matter, resources can be amassed largely undetected and the primary form of damage may be economic rather than physical).
The US is the obvious target of this new conflict because symmetrical competition is often inconceivable due to the superiority of the US conventional warfare technology. Cyber warfare efforts are also under way in many countries around the world, including Russia and China, with the latter being widely considered to have the most advanced and robust capability. Russia explicitly views hackers as a national asset.
US under the microscope – a potential main target?
From Washington’s perspective, the ability to project its influence abroad, often militarily, continues to be a core geopolitical imperative for transformation of US security policy from the Cold War to the current ‘war on terror’.
The very nature of the Internet makes comprehensive national cyber security a geopolitically relevant national interest. When the US intelligence community presented its 2008 Annual Threat Assessment, it conspicuously featured cyber threats for the first time. The cyber threat was placed very early on and prominently in testimony, directly after discussions of the India-Pakistan nuclear dynamic and the security of the Pakistani nuclear arsenal.
It also came before any discussion of operations in Iraq and Afghanistan. This placement did not occur by accident, but in order to obtain congressional support and funding for new initiatives to address cyber security coherently across the full spectrum of federal agencies. The report also claimed that the Chinese military was increasing its efforts to pose a threat in this area in particular.
Recognising the international aspects and national economic implications of cyber threats, the US Government – via the FBI – created a Cyber Division to manage the threat.
On 7 January this year, Shawn Henry – assistant director of the FBI’s Cyber Division, told a conference in New York that computer attacks posed the biggest risk “from a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities”.
US experts are talking of ‘Cybergeddon’ in which an advanced economy – where almost everything of importance is linked to or even controlled by computers – is sabotaged by hackers.
McAfee study tells its own story
Henry’s statement came in response to a study from antivirus software company McAfee, which revealed that data theft and breaches from cyber crime may have cost businesses as much as US$1 trillion globally in lost intellectual property and expenditure on repairing the damage in 2008 alone.
US officials claim that the most dangerous opponents in a cyber attack against US infrastructure are the militaries and intelligence services of other nations, which have the capability to be sophisticated, well-resourced and persistent. Porous information systems have already allowed remote access to, and downloading of, critical military technologies, which has the effect of arming enemies in cyberspace (it essentially gives them the ability to arm themselves and achieve parity).
The military uses encrypted (scrambled) data links to inform commanders about the position of friendly forces globally. The US military uses a system called ‘blue-force tracking’. If hackers disrupted this system, they could change the reported location of forces, even to the extent of changing blue signals to red and thus marking friendly units as enemy forces.
Hackers could even make some of the red force disappear. In this case, the lack of a considered and effective approach to counter cyber attacks in the US is rapidly eroding its status as a superpower.
The increased threat level given to US cyber security has increasingly been voiced in 2009. However, the US has previously experienced damaging cyber attacks. In 2007, the Departments of Defence, State, Homeland Security, and Commerce, NASA and the National Defence University all suffered major intrusions by unknown foreign entities.
The unclassified e-mails of the Secretary of Defence were hacked, which resulted in terabytes of information being lost. The Department of Commerce was forced to take the Bureau of Industry and Security off-line for several months, and NASA had to impose e-mail restrictions before shuttle launches because of a host of cyber compromises.
In February 2009, the White House itself had to deal with unidentified intrusions into its networks. Moreover, senior representatives from the US intelligence community claimed they had obtained concrete evidence from foreign sources that US companies had lost billions in intellectual property.
International incidents of cyber warfare since 2000
September 2000: Israel
Israeli hackers launched DDoS attacks against Hezbollah and Palestinian Authority web sites and defaced their homepages. Palestinian authorities responded by calling for a cyber Holy War, and Israeli Government and financial web sites were attacked as a result.
April 2001: US/China
A Chinese army general and head of the Chinese Government’s Communications Department became the first international official to advocate the use of pre-emptive cyber attacks for Chinese military policy in March 2000.
Only a year after this statement, in April 2001, a US navy plane caused an international incident when it collided with a Chinese jet fighter. This provoked cyber attack incidents in both countries entitled ‘Kill USA’ and ‘Kill China’.
According to the US, the ‘Kill USA’ campaign reached systems of the California electricity grid, causing a power outage and compromising security.
April 2007: Estonia
Estonian Governmental and business web sites underwent nearly three weeks of cyberattack using DDoS. The action came in the wake of the controversial relocation of a Soviet World War II memorial. The attack resulted in the paralysis of Estonian commerce and Governmental web sites were shut down, including that of the Prime Minister, as well as some key elements of infrastructure such as military communications.
Attacks on Government web sites were interspersed with disinformation and fraudulent postings. The attacks ultimately involved more than 1.5 million computers from some 75 countries (including Brazil and Vietnam, as well as two of Estonia’s NATO allies, the US and Canada).
Tallinn initially blamed Moscow for the attacks. Immediately after the incident with the monument, Russian politicians were calling for an economic blockade of Estonia, and the Estonian Embassy in Moscow was attacked. It’s possible that the relocation of the Soviet war memorial could have been reason enough for Moscow to conduct a cyber attack against Estonia, but it’s more likely that it was used as a short term trigger to test its own capacity to launch a cyber-attack against a Government.
Estonia would have been an attractive target as it’s one of the most computerised societies in Europe, and Tallinn is home to NATO’s Cooperative Cyber Defence Centre of Excellence, established in 2008.
While nationalist fervour on the Russian side certainly played a part in the rallying of independent hackers – the Russian website Xakep posted simple scripts for launching DDoS attacks against the Estonian police web site – the attack couldn’t solely be traced to Russia.
September 2007: Syria
An Israeli air strike on a military building in Syria in September 2007 was reportedly aided by a cyber attack against Syrian radar air defences.
Non-stealth Israeli fighters were able to enter and leave Syrian airspace virtually undetected.
August 2008: Georgia
A well-known Russian hacker-hosting network was accused of being responsible for cyber attacks against sites belonging to the Georgian Government in the run-up to the South Ossetian conflict in the summer of 2008.
Georgia’s attempts to counter the attacks by moving important Government and infrastructure web sites to hosts outside the country, mainly in the US, were made only after the attacks were under way and were largely unsuccessful.
The attacks crippled Georgia’s information infrastructure, and the Georgian Foreign Ministry was even forced to move its content to a Google blog. This was mainly due to the speed and accuracy of the attack against them.
The incident was classed as the first real cyber war as DDoS tools were distributed across Russian web forums actively encouraging the targeting of Georgian Governmental sites that hackers claimed were vulnerable to SQL injection attacks.
The extent of the Russian infiltration cannot be attributed solely to independent hackers with a nationalist bent: logs of DDoS traffic and changes in network routing indicate that Russian cyber warfare operations coincided almost exactly with the final ‘all clear’ for Russian Air Force attacks, sometime between 0600 hrs and 0700 hrs on the first day of the assault on Georgia (9 August 2008).
DDoS attacks targeted media outlets and local Government communication systems, as well as Air Force targets in the Georgian city of Gori, which appears to indicate co-ordination between known hacking groups and military operators.
DDoS and cache poisoning attempts targeting DNS servers for major Georgian networks were also launched from Russian state-operated Rostelecom and Moscow-based COMSTAR networks. Moreover, the majority of DDoS attacks, route hijacking and system intrusions originated from sources not previously affiliated with known hacking groups, and appear to have been co-ordinated in a manner that would allow attackers to disable or intercept Georgian Government communications in accordance with Russian military and intelligence objectives.
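To make concrete what a cache-poisoning attempt against a recursive DNS server involves, here is an added Python simulation. It is not part of the Monitor and does not describe any Georgian, Rostelecom or COMSTAR system: a toy resolver accepts the first reply whose 16-bit transaction ID (and, when enabled, UDP source port) matches the query it sent, while a blind attacker who cannot see the query floods forged replies with guessed IDs. The resolver and attacker logic, the addresses and the packet counts are assumptions constructed to mirror the well-known weakness rather than any vendor’s implementation.

```python
import random

TXID_SPACE = 1 << 16                  # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = range(1024, 65536)  # pool used when port randomisation is on
LEGACY_PORT = 53                      # old resolvers sent every query from port 53


class ToyResolver:
    """Caches the first reply matching the outstanding query's name, ID and port."""

    def __init__(self, randomize_port, seed=0):
        self.rng = random.Random(seed)
        self.randomize_port = randomize_port
        self.cache = {}
        self.pending = None

    def send_query(self, name):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else LEGACY_PORT
        self.pending = (name, txid, port)
        return txid, port

    def receive(self, name, txid, port, answer):
        """Return True if the reply was accepted into the cache."""
        if self.pending is None or name in self.cache:
            return False
        if (name, txid, port) != self.pending:
            return False                 # ID or port mismatch: reply silently dropped
        self.cache[name] = answer
        self.pending = None
        return True


def poisoning_campaign(randomize_port, queries=2000, forged_per_query=400, seed=1):
    """A blind attacker races the real answer for `queries` fresh names.

    Returns how many names ended up cached with the attacker's address.
    """
    resolver = ToyResolver(randomize_port, seed=seed)
    attacker = random.Random(seed + 1)
    poisoned = 0
    for i in range(queries):
        name = f"host{i}.example"        # constructed victim names
        real_txid, real_port = resolver.send_query(name)
        # The attacker never sees real_txid/real_port; it can only guess.
        for _ in range(forged_per_query):
            guess_id = attacker.randrange(TXID_SPACE)
            guess_port = attacker.choice(EPHEMERAL_PORTS) if randomize_port else LEGACY_PORT
            if resolver.receive(name, guess_id, guess_port, "203.0.113.66"):
                poisoned += 1            # attacker-controlled address now cached
                break
        # Authoritative answer arrives last; ignored if the cache is already poisoned.
        resolver.receive(name, real_txid, real_port, "192.0.2.1")
    return poisoned


if __name__ == "__main__":
    print("fixed port 53 :", poisoning_campaign(randomize_port=False), "names poisoned")
    print("random port   :", poisoning_campaign(randomize_port=True), "names poisoned")
```

With a fixed source port the attacker only has to beat a 16-bit ID, so a few hundred forged replies per query succeed on roughly one query in two hundred; adding a random port multiplies the search space by tens of thousands and the same campaign gets nothing. Real resolvers add further entropy (0x20 case randomisation) and, where deployed, DNSSEC validation, but the underlying race is the one shown.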
Following on from the Estonia attacks, it formed the second instance of cyber warfare by elements based in Russia with the intent to escalate an international crisis (and respond with an electronic attack).
January 2009: Kyrgyzstan
The third cyber attack in the Russian sphere of influence in the last 18 months was inflicted against Kyrgyzstan in January 2009, when 80% of the country’s bandwidth was taken offline for two weeks as the two biggest Internet service providers in Kyrgyzstan sustained a massive DDoS attack.
The incident coincided with renewed Russian pressure on the country to close the US Manas airbase (used as a key route for US troops, fuel and supplies heading to Afghanistan). The Kremlin also offered the incentive of US$2 billion in aid to influence the Kyrgyz Government to end the agreement with the US.
The opposition to President Bakiyev’s administration, which opposed any deal with Russia, relies heavily on the Internet, while the Government itself has largely ignored the web.
If the attack could be attributed solely to Russia, the argument would be that it caused little collateral damage to Moscow’s ally in the region and impacted mainly the opposition. The attacks were traced to the same network of IP addresses associated with the Georgia attacks in 2008. However, it’s equally possible that, as with the anti-Estonian and anti-Georgian web sites, nationalist Russian hackers took the action themselves without direction from the Kremlin.
January 2009: Israel/Gaza
During the Israeli Gaza offensive at the beginning of the year, a group of Israeli students calling themselves ‘Help Israel Win’ published a ‘Patriot’ tool to carry out DDoS attacks to target pro-Palestinian websites. The hackers also used the logo of the Israeli Defence Forces (IDF) as their own but called themselves the ‘Internet Defence Force’ (IDF).
The hackers entered web sites using a technique called SQL injection: database commands are typed into a form field where the site expects, for example, an e-mail address, and because the site splices that input unchecked into its database query, the database executes the attacker’s commands. In response, hackers from Iran, Lebanon, Morocco and Turkey mounted their own cyber attacks on behalf of the Palestinians.
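An added example of the injection technique described above, written by the editor and not taken from any of the sites involved, using Python’s built-in sqlite3 module: a login check that splices the submitted e-mail address and password straight into the SQL string, beside the same check written with bound parameters. The table, account and payloads are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed single-user table. Real systems store password hashes, not
    plaintext; a plain string is used only so the injection is easy to follow."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin@example.org', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """The form fields become part of the SQL text, so a quote character in
    the input ends the string literal and whatever follows runs as SQL."""
    sql = (f"SELECT COUNT(*) FROM users WHERE email = '{email}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, email, password):
    """Bound parameters: the database receives the values separately from the
    statement text, so the input can never change the statement's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()[0] > 0


# Constructed login attempts: (email field, password field).
ATTEMPTS = {
    # closes the quote after the real e-mail and comments out the password check
    "comment_out": ("admin@example.org' --", "wrong"),
    # turns the WHERE clause into '... OR '1'='1', true for every row
    "always_true": ("nobody@example.org", "' OR '1'='1"),
    # the genuine credentials, which must still work after the fix
    "legitimate": ("admin@example.org", "correct-horse"),
}


def demo():
    """Return {name: (vulnerable_result, safe_result)} for each attempt."""
    db = make_db()
    return {name: (login_vulnerable(db, email, pw), login_safe(db, email, pw))
            for name, (email, pw) in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:12s} vulnerable={vuln!s:5s} parameterised={safe}")
```

Both payloads log in through the concatenated query and fail against the parameterised one, while the genuine credentials work in both; that is the whole of the fix, and it is why input "validation" of e-mail fields is not a substitute for bound parameters.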
Can a solution be found to the threat?
In an attempt to find solutions to the emerging threat of cyber attacks, a protocol for exchanging information over the Internet has been proposed under which web sites would include a token in the data they exchange with visiting computers.
Software installed at the site’s Internet service provider (ISP) would treat a valid token as proof that the communication was legitimate. If the site came under a suspected DDoS assault, it would stop issuing tokens to any traffic it considered suspicious.
The ISP’s filter could then be alerted and prompted to block incoming connections that carry no valid token. Cutting the flood off upstream in this way would stop it from crippling the site, although a bot that already holds a token, and a legitimate first-time visitor who has not yet obtained one, would be treated alike until the tokens expire.
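The Monitor describes the token scheme only in outline, so the following Python sketch is an added interpretation by the editor rather than the original proposal. It assumes that the site and its ISP share a secret, that the token is an HMAC over the visitor’s IP address and an expiry time, and that the ISP-side filter enforces tokens only while the site reports itself under attack. The secret, addresses and connection records are constructed.

```python
import hashlib
import hmac

# Assumed: a shared secret provisioned out of band between the site and the ISP filter.
SHARED_SECRET = b"example-only-secret-do-not-reuse"


def issue_token(secret, client_ip, now, ttl_s=300):
    """Site side: token = expiry ':' HMAC(secret, ip|expiry). Binding the IP
    stops a bot replaying a token harvested by another machine."""
    expiry = int(now) + ttl_s
    mac = hmac.new(secret, f"{client_ip}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{expiry}:{mac}"


def token_valid(secret, client_ip, token, now):
    """ISP side: reject missing, malformed, expired or forged tokens."""
    try:
        expiry_str, mac = token.split(":", 1)
        expiry = int(expiry_str)
    except (ValueError, AttributeError):
        return False
    if now > expiry:
        return False
    expected = hmac.new(secret, f"{client_ip}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def filter_connections(secret, packets, now, under_attack):
    """Per-connection decision. Off attack everything passes (otherwise a
    first-time visitor could never obtain a token); on attack only a tokened
    connection from the address the token was issued to gets through."""
    allowed, dropped = [], []
    for pkt in packets:
        ok = not under_attack or token_valid(secret, pkt["src"], pkt.get("token"), now)
        (allowed if ok else dropped).append(pkt["src"])
    return allowed, dropped


def demo(now=1_236_000_000):
    """Constructed scenario: one tokened visitor, one bot replaying that token,
    one bot with no token, and one visitor whose token has expired."""
    good = issue_token(SHARED_SECRET, "192.0.2.7", now)
    stale = issue_token(SHARED_SECRET, "192.0.2.8", now - 1000)   # expired 700 s ago
    packets = [
        {"src": "192.0.2.7", "token": good},       # legitimate, current token
        {"src": "203.0.113.10", "token": good},    # same token replayed from another address
        {"src": "203.0.113.11"},                   # bot, no token at all
        {"src": "192.0.2.8", "token": stale},      # legitimate but expired
    ]
    return {
        "calm": filter_connections(SHARED_SECRET, packets, now, under_attack=False),
        "under_attack": filter_connections(SHARED_SECRET, packets, now, under_attack=True),
    }


if __name__ == "__main__":
    for mode, (allowed, dropped) in demo().items():
        print(f"{mode:13s} allowed={allowed} dropped={dropped}")
```

Two caveats a practitioner would raise: the filter must sit upstream of the link that is being saturated, or dropping packets at the ISP achieves nothing, and binding the token to the source address helps only against bots that cannot spoof it. Short expiry limits how long a bot that legitimately obtained a token before the attack began can keep using it.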
Given that the threat of cyber terrorism is multinational, and that it has the potential of affecting all areas of a country’s economy, military and politics, some form of international action, co-operation and agreement in the form of a binding treaty should be taken.
Any norms agreed upon could then be enforced domestically through anti-terrorism legislation. If an attack took place, with concrete proof that it originated from a foreign nation, international sanctions could be imposed on those who harbour cyber criminals as well as on those who engage in cyber attacks themselves.
Addressing the global challenges now posed
Cyberspace spans the globe. No single nation can secure it, and any future strategy centred on domestic action will be inadequate to address the global challenge cyber terrorism poses. The frequency and extent of targeted DDoS cyber attacks against nation states show that they are on the increase.
Hacking techniques such as the use of bots to launch DDoS attacks are a popular, inexpensive and fast means of assaulting infrastructure, business and Governments, whether the aim of the terrorist group or rival Government is disruption or maximum terror.
Moreover, the use of such asymmetric tactics confirms that warfare is evolving away from reliance on conventional weapons and tactics.
The Internet also affords the participants in such attacks, whether they are individuals or Governments, the excuse of “plausible deniability”. Moreover, the lack of ‘Cyber Rules of Engagement’ in conflicts between nation states creates a legal vacuum where it’s conceivable that the victim nation could resort to the use of force justified as an act of self defence under the UN Charter.
The response could include conventional weapons against the aggressor nation if the attack caused significant financial or physical damage. However, it’s almost impossible to obtain concrete proof of the origin of an attack. The Internet presents forensic challenges, such as attackers routing their traffic through innocent computers spanning several countries.
Depriving a nation of electricity, communications and financial services may not be seen to be enough to provide the margin of victory in a conflict yet, but it could damage a nation’s ability to respond to attacks.
For this reason, the exploitation of vulnerabilities in cyber infrastructure is expected to form an integral part of any future conflict – and one which has the potential to lead to Cybergeddon.
Christian Earl is senior intelligence analyst at The Inkerman Group
IFSEC Insider