Information Security Today Home

New Books

Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS by Tyson Macaulay and Bryan L. Singer; ISBN 978-1-4398-0196-3
Network Attacks and Defenses: A Hands-on Approach by Zouheir Trabelsi, Kadhim Hayawi, Arwa Al Braiki, and Sujith Samuel Mathew; ISBN 978-1-4665-1794-3
Mobile Device Security: A Comprehensive Guide to Securing Your Information in a Moving World
Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It by Jesse Varsalone and Matthew McFadden; ISBN 978-1-4398-2119-0
Cyber Fraud: Tactics, Techniques and Procedures by Verisign iDefense Security Intelligence Services; ISBN 978-1-4200-9127-4

A Brief Summary of Cyber Warfare

Rob Shein

Throughout past history, civilian commercial entities have not been the primary targets of warfare and have even been avoided as targets. In the earliest days when such groups existed, they did not make feasible targets in and of themselves. Such organizations existed within the physical boundaries of nation-states, such that attacks upon them could only be conducted within the scope of much larger, comprehensive attacks upon the nation-states themselves, or the castles and cities in which they were located. The concept of weakening an enemy by focusing on causing economic impact exclusive of significant loss of life simply did not exist, and even if one were to focus military efforts on disruption of commercial activity, it inevitably involved a focus on killing civilians. In those days, the only means of warfare was kinetic warfare, using spears, swords, ballistic weapons, explosives, and so on. Non-kinetic warfare, also known as cyber warfare, was not an option as there simply was no digital infrastructure through or against which to leverage attacks.

Trade, both between and within nation-states and cities, was conducted using material goods, which in and of themselves were transported by people. As a result, the notion of warfare even for the specific purpose of halting or impeding such trade necessarily involved direct attacks on civilians. This fact remained in effect from the feudal era on until the late twentieth century, and as a result, by the time warfare (especially aerial warfare in general and bombing in particular) allowed for the capability to target commercial entities specifically, the Fourth Geneva Convention, provided some degree of protection.

There have been exceptions to the degree with which nations have followed the Geneva Conventions, but these exceptions have tended to stand out as just that: exceptional events, accidents (such as a bomber crew targeting the wrong building through genuine human error), or the misbehavior of nation-states that were judged to be barbaric for their actions. Despite these outlying events, the general fact has been that nations have sought to target counterforce (military) targets and avoid damage to countervalue (civilian) targets.

As kinetic warfare has evolved, this differentiation has only grown. The advent of precision-guided munitions has reduced the civilian death toll from bombing raids to numbers so low as to have been unimaginable during earlier conflict. Where once entire neighborhoods would be bombed in the course of attacks on a single building of military value, it is now considered a tragedy if a single civilian building is destroyed as a result of human error or incorrect information. In a sense, the protection of civilian industry was a beneficial side effect of the Geneva Conventions, given the fact that one could not deliberately attack a commercial enterprise without physically harming or killing its employees. Such organizations also experienced reduced risk from their geographic distance from theaters of warfare, and their attack surface was relatively small compared to that of the military itself. A shop owner need not fear the destruction of his business by a war that was fought thousands of miles away.

In the late twentieth century, this began to change. Now, as the methods, processes, and doctrine around cyber warfare have evolved, the above-described world has nearly reversed itself. Attacks using non-kinetic means are nonlethal in nature, and do not even incur physical harm; as such, the Fourth Geneva Conventions do not apply. Furthermore, while the IT infrastructure of the military is often sequestered (with varying success, admittedly) into enclaves, private industry is heavily interconnected with a great deal of exposure to the digital world and all of its inhabitants.

Non-Kinetic Warfare and Civilian Exposure

There exists a larger problem with the evolution of non-kinetic warfare as a form of low-intensity conflict during peacetime. While non-kinetic warfare offers the potential for impact without loss of life, it also broadens the battlefield in a fashion that has not been seen since the advent of the airplane. Even worse, it has extended the theater of combat to organizations that have never before been responsible for defending themselves against nation-state aggressors. Most conflict on the globe is considered "low intensity," meaning that it takes the form of guerrilla warfare, insurgency, special operations, and other such means. Even current wars between the United States and its enemies in Iraq and Afghanistan may be considered this, from the perspective of its enemies, since they themselves do not engage in large military maneuvers on defined fronts. The days of two large armies amassing their forces to face off on a battlefield with clear battle lines are no more, except between two smaller powers in a regional conflict of only local interest.

What this means in broader terms is that the world's major powers have an incentive and model through which to conduct non-kinetic warfare against potential adversaries, even in peacetime. Between themselves, this category of nation-states typically participate in low-intensity conflict through clandestine operations and special warfare to avoid becoming enmeshed into full-fledged conflict, and the additional deniability that inevitably comes from information warfare makes cyber warfare an attractive means of conflict. Furthermore, the overwhelming military superiority of the United States-in terms of kinetic warfare-provides an equally overwhelming incentive for smaller nations to adopt cyber warfare for other reasons. Simply put, cyber warfare provides an economically cheap means of asymmetric warfare that is unlikely to incur a conventional military response from a much larger power.

Differentiation between Nation-State and Cybercriminal Actors

There are several things about cyber warfare that differentiate it from hacking related to other motivations. Originally, hackers (or "vintage hackers," as they shall be described here) were people with extraordinary expertise and talent, but typically benevolent motivations. It was not uncommon for a hacker to notify the sysadmin of a compromised system as soon as a hack was successful, both informing them of the way they gained access and of how to prevent it in the future. The key motivation was a quest for knowledge and greater expertise, combined with a lack of a legitimate outlet for their skills. While their actions were unquestionably illegal, there nonetheless existed a consistent morality to these individuals, and they rarely caused the havoc they were capable of.

Later came the time of the "script kiddie." Once Internet access became commonplace, hacking tools became more widespread, and a far lesser degree of skill was needed to break into vulnerable systems. These individuals lacked the expertise or moral fiber found in their predecessors, typically defacing Web sites with profane messages just to gain bragging rights. Dealing with this group has been little more than a matter of implementing best practices for security because the threat posed by them has not proven to be particularly sophisticated. Most recently, criminal organizations have adopted hacking as a means toward generating revenue through extortion, embezzlement, or identity theft. This threat has been gaining in sophistication and scope, and still poses an evolving challenge to both individual people and private organizations.

A nation-state leveraging offensive cyber warfare with hostile intent, however, embodies the worst aspects of all three groups. The sophistication and expertise of the vintage hacker, the indiscriminate scope of the script kiddie, and the targeted hostile intent to maximize damage of the cybercriminal combine. In addition, cyber warfare units of military and intelligence organizations are furnished with unprecedented resources. The vintage hackers and script kiddies both did their work on a shoestring budget; while criminal organizations are better funded, they still have limited resources plus a significant need to avoid capture and prosecution. A nation-state's offensive cyber warfare assets, however, have plentiful resources and training, and no fear of criminal prosecution for their acts. They operate within save enclaves from which they have little fear of facing retribution for whatever they may do. The morality of their acts is typically limited to that of the government they serve; as two of the more sophisticated cyber warfare actors are North Korea and China, this is a chilling thought indeed.

Addressing the Threat: Private Organizations on the Front Line

So, the question becomes this: what can be done about managing the risk imposed by these developments? Even the largest multinational private companies have never had more than a limited capability to address the challenges of warfare, even when operating in conflict regions. Smaller organizations are still grappling with the threat imposed by cybercrime and nuisance hacking, neither of which typically represents the same degree of threat posed by a motivated nation-state actor. In contrast to information about typical hacking elements, where information is plentiful and openly available, information about the true capability and intent of cyber warfare elements is typically classified and not available for public consumption. So, while financial organizations and entities that process large number of credit card transactions have been properly forewarned that they are being targeted by criminal organizations; for example, other industries may not be aware of the fact that they are being targeted by the operators of other countries for reasons not directly related to their core business.

Fortunately, while the motives and degree of sophistication possessed by attackers may vary, the nature of vulnerability does not. Technical vulnerability to one form of attack is the same regardless of whomever may seek to exploit it. The challenge is that a more sophisticated and determined actor will leverage vulnerabilities in combination to greater effect while more capably evading detection. Additionally, while major private organizations (like members of the Fortune 100) will likely themselves be targeted directly and subjected to the full brunt of an attack, smaller organizations need only be more secure than the norm to avoid signifcant attacks.

The governments of many nations are aware of this new form of risk that their citizenry now faces, and steps are being taken in an effort to manage the risk. The current Obama administration in the United States is making bold moves toward a national policy to improve the cybersecurity in the private sector, for example. How effective such measures will be has yet to be seen, as the organizations and individuals tasked with such things have historically been given few tools with which to affect any true measure of change. Even within civilian government, positions typically tasked with responsibility for cybersecurity on a broad scale have lacked any kind of budgetary control, therefore rendering them incapable of imposing or facilitating change.

The Other Side of the Coin: Cyber Partisans

Despite the fact that many nation-states have invested significant resources into developing their offensive cyber warfare capabilities, to date most activities seem to have been carried out by sympathetic civilians, apparently with little more than tacit and indirect support from the nation on whose behalf they act. Examples of this include the coordinated attacks by Russian citizens (some not even located in Russia) on Estonia and Georgia in 2008. Chinese military doctrine allows for and welcomes this manner of leveraging civilian actors, and the People's Liberation Army has even carried out military cyber warfare exercises involving use of these units. This has tended to keep the impact of attacks limited, either in terms of duration or in terms of strategic impact, and denies the attackers the benefits of state-funded vulnerability research related to exotic technologies like Smart Grid/advanced metering infrastructure (AMI), embedded devices, or SCADA environments.

An appropriate description of the potential role of such civilian hackers acting in support of a nation-state is of partisans. In the case of cyber warfare, they are able to act in the nation of their enemy, unlike partisans of the more traditional form in kinetic warfare who act as an insurgent resistance. Otherwise, the metaphor holds, as these "cyber partisans" strike at targets of opportunity from the digital woods to foment disorganization and chaos among those they consider to be the enemy.

This concept is not so new, in a manner. In 2001, after a Chinese fighter collided with a U.S. electronic surveillance plane off the coast of the Hainan Peninsula, a "hacker war" erupted between Chinese and United States-friendly hackers. In that day and age, the distributed denial-of-service attack was relatively new and infrequently employed; instead the method of choice was Web site defacement. Vulnerabilities still abounded among public Web servers, cybercrime had not come to fruition, and there was still great social value placed within the underground hacking community on bragging rights gained by defacing random Web sites.

Ironically, in hindsight, it is considered likely that this conflict did not develop organically, but rather as the result of the questionable journalism of Michelle Delio, who authored a story in Wired magazine claiming that Chinese hackers were preparing to unleash attacks upon the United States in retaliation for American hegemony. Acting in response to the article, Western hackers attacked Chinese sites, and thus the "war" began. Later, Delio stated that the war was over, and as simply as that, the exchanges seemed to cease. (It is worth noting that Delio was later exposed as having manufactured information for a number of her articles, and is no longer used by Wired magazine as a contributor.) "Jericho" of the organization titled the whole affair with the phrase, "Wag the Delio," at a presentation given at the Black Hat Briefings.

Other examples of mass Web site defacements in support of one national cause or another relate to Pakistani interests, the Palestinian-Israeli conflict, and curiously enough a mass dispute in South America over which country produces the best "pisco," which is a liquor distilled from grapes in both Peru and Chile. The same ease with which nation-states attack each other with cyber warfare also translates to irate private citizens with the desire to overreact on a global scale. It may well be that unlike traditional terrorists, such people have not endured more than annoyance by the general populace because there has yet to be any significant loss of life, or other reason to see them as more than a nuisance. As would be expected given the trivial basis for some of these exchanges, the true motivation is to inflict damage on information technology assets, with the nationalist motivation merely providing a thin veneer of legitimacy in the eyes of the attacker. Unfortunately, as cyber warfare increasingly becomes a tool of formal nation-states, the problems posed by such people will become more apparent.

One of the great challenges posed by the acts of such individuals is the difficulty they add to the task of attributing attacks to nation-state entities. When one cannot be sure that an attack is committed by a nation, or simply on behalf of that nation by sympathetic elements, it becomes difficult to wield the tools of international accountability. Even more troubling is that such people could conceivably trigger larger conflicts or adversely affect ongoing diplomatic negotiations between nations, since they cannot be assumed to recognize the true and full impact of their acts.

Just as peace negotiations have often been disrupted or even halted by a single act of aggression using kinetic violence, so might similar discussions be threatened by an act of cyber warfare, particularly since the aggressors would be unlikely to claim responsibility for their acts. It is not difficult to imagine a regime that is trying to appease two different constituencies going to the negotiating table, but also fomenting such attacks so as to avoid alienating too many of its supporters; the mere possibility of such a thing in (for example) Pakistan would be enough to jeopardize talks with other nations should an independent group carry out such an attack on their own, even without even tacit approval from their own country.

Two recent examples highlight how tenuous the connection can be between the individual hackers and the countries on whose behalf they act. In the recent attack on Georgia by pro-Russian activists, one of the two coordinating Web sites behind the attacks was actually hosted by a small Russian company that, in turn, had leased its server from a London shell company that operated out of a mail drop. That company is owned by a Russian national living in the Netherlands that leased a server block from a major hosting and services firm in Texas. The participants of the forum themselves were from multiple nations, apparently joined by little more than Russian patriotism and the ability to wreak havoc with Georgian networks through the use of distributed denial-of-service attacks and vulnerability research. Finally, within these forums, there was a "journeyman-apprentice" approach, whereby the more experienced and capable hackers took on a leadership role, and subordinate tasks were meted out to less seasoned actors. In a situation like this, assigning responsibility, blame, or criminal liability is an obvious nightmare.

Another way in which such behavior clouds matters is where the actors for cybercrime and cyber warfare overlap. It follows that a populace that is highly represented with regard to criminal operations like the establishment and operation of botnets, illicit online activities, and cyber-based fraud will also serve just as well for cyber warfare. The problem that arises is in the motivation that some governments have in protecting such enterprises to some degree, so as to maintain a capability for later use should the need arise.

Regulatory Efforts to Defend Critical Infrastructure

There is one way in which government agencies and industry coalitions can affect change to cybersecurity in the private sector. Regulatory standards related to security can be developed and implemented as a driver toward greater security. In many cases, the standards act mostly to create a driver for funding and support of cybersecurity within organizations; in other cases, they provide guidance as to best practices and requirements to get to a more secure state. There have been few regulatory standards yet that have much direct relevance to the threat posed by cyber warfare, but one such set of standards is put forth by the North American Electricity Reliability Corporation (NERC). A particular subset of the NERC standards, known as NERC Critical Infrastructure Protection (or "NERC CIP," as the standards are known), focus on information security for critical assets related to the generation, management, and transmission of electricity in North America.

NERC CIP is comprised of nine standards, CIP-001 through CIP-009. CIP-001 is rarely discussed, as it merely describes the need for a process whereby sabotage is reported to the appropriate entity within the Department of Energy. But CIP-002 through CIP-009 cover the gamut of information security practices, from user security awareness training and personnel security to backup procedures. Currently in its first iteration, NERC CIP is currently succinct and lacking in specific details or guidance on many topics. A new iteration is currently in development, which is expected to reflect a radical shift in methodology toward a framework based around NIST standard 800-53. In addition, the scope of NERC's requirements is expanding to include additional forms of power generation and transmission assets.

Information Warfare Doctrine: The View of Data as Both Sword and Castle

The concept of attacking cyber infrastructure using logical attacks is not difficult to grasp, but simply performing such attacks for their own sake fails to elevate one's effect (or relevance) above that of the chaos-inducing cyber partisans discussed earlier. The true benefit of any form of warfare lies in its integration with other forms. This is an already established doctrine in terms of kinetic warfare doctrine, whereby troops on the ground move after aerial attacks have severely damaged enemy emplacements, which in turn were first observed using various reconnaissance and intelligence-gathering methods.

While attacking, the troops have the ability to call upon artillery strikes, close air support, or armor to support their mission. This is known as "combined warfare," and is the norm on today's battlefield. But what happens when the concept of information--both as a weapon and as an objective to be attacked or captured--comes into play? The Chinese People's Liberation Army (PLA) has been a pioneer in thought around this question, and while their doctrine is still evolving they are remarkably open in their thinking, at least to those who can read Mandarin.

There exist two primary objectives that compete for primacy in the context of information warfare. One is the control of information, either in the sense of gaining access to it or denying access to it. The other is influence over that information. The two concepts may sound vague and unrelated to warfare until one considers the way in which they can be applied. For example, denying access to information could take on the form of using logical attacks to cause an air defense system's radar to lie; if the enemy cannot perceive the intrusion into its airspace of an invading force, that becomes a remarkable tactical advantage to the invader as it would provide obscurity about the scale and composition of the attack while maintaining total surprise until the last possible minute. If the same effect were to be sought using kinetic warfare, such as bombing the radar installations, then the element of surprise would be lost, and the only benefit would be denial of information about how the attack was progressing at the early stages.

To apply the alternate objective (influence over information) would be to cause the radar systems to false positive at times, showing things that are not there. Eventually, the information produced by the radar systems would be considered so unreliable as to be nearly worthless, thus degrading the quality of decisions made based upon that data. This seems like the lesser of the two approaches until one recognizes that it is far easier to make fake objects show up on a screen than it is to selectively hide the ones that you wish to keep hidden.

Most notable is that even formal Chinese information warfare doctrine does not distinguish between countervalue and counterforce targets in terms of escalation. It is not considered a more aggressive act to attack a bank or other civilian target (countervalue) than it would be to restrict the scope of an attack to military targets (counterforce), for example. In fact, the result of this aspect of doctrine tends to favor attacks against private organizations for the numerous reasons listed earlier. Furthermore, this reality has been acknowledged by leading members of the Chinese cyber warfare community on many occasions.

The Evolution of Technology and Impact on Vulnerability to Cyber Warfare

As a result of recent spikes in the price of petroleum products, attention focused on energy conservation. Fortunately, a number of technologies have recently come into maturity to address such a need, and as a result new phrases have started appearing in the vocabulary of the news: "Smart Grid," "AMI," "Smart Metering," "Demand Response," and so on. These refer to a set of enabling technologies, which provide the ability to do things that were never before possible with the power grid:

AMI: Uses "smart meters" that monitor electrical usage at individual homes in 15 minute increments (instead of the 3 month increments that are the current norm) and throttle power consumption by noncritical devices like air conditioners and dishwashers in response to spikes in demand (or unforeseen drops in power generation). These communicate back to the central power utility company via wireless protocols of various forms, and communicate with devices inside the home using protocols like ZigBee.

These meters have a feature called "remote disconnect," which permits a utility to toggle power delivery to a home or office with a command sent to the meter, saving cost and time needed to handle disconnects and reconnects. This feature also facilitates services like payment in advance for power, much like a prepaid cell phone; when the balance runs low, the household is alerted so that they may top off their balance with more funds.

Smart Grid: Refers to a set of technologies that provide additional control capability to the power grid using devices like "reclosers" (which can remotely force tripped power connections to be reestablished) and capacitors. By leveraging the information gleaned from AMI, Smart Grid allows routing of power around downed lines and better management of the power generated by uncertain sources of generation (like windmills), among other things.

There are obvious security ramifications to replacing current power meters (which are mechanical in design) with computerized systems that have the ability to turn appliances off while they report back wirelessly to a power company. These implications have also been covered by the media, including one story where a vulnerability in key management for a specific brand of AMI meter was discovered. Unfortunately, there is more hype than truth to the discussion of these vulnerabilities at the moment. Even more unfortunate is that sooner or later, significant vulnerabilities will likely be uncovered. Either way, this expansion of information technology into a realm of infrastructure provides new opportunities for attackers to wreak havoc from afar. By gaining access to the "head end" system of an AMI infrastructure, which accepts data from and sends commands to the meters, it would be possible to trigger a mass disconnect of tens or even hundreds of thousands of meters simultaneously. Such an event is called a "mass load-shedding event," and would cause an outage similar in both nature and scale to the power outage suffered in the Northeastern United States in 2003.

The good news is that the potential for abuse of these technologies has not gone unnoticed. A number of organizations have sprung up to address security with Smart Grid and AMI solutions, and the offerings put forth by some vendors are also quite promising. Standards around communications and data security, a taxonomy for defining security domains within AMI infrastructure, and a vibrant working group dedicated to the discussion of security requirements all exist and are proving to be viable in addressing the risk. The power grid will remain a target of interest to hostile actors, and successful breaches have occurred outside the United States, but the picture is not nearly as gloomy as it could be, and it is getting better as time passes.

Addressing the Threat

While single private organizations have few options against a determined cyber warfare attacker (above and beyond proper information security practices), as stated earlier it will be uncommon for a foreign actor to be focused specifically on any single company in particular. Instead it ends up being more like the joke about two men running from a bear, where the punch line states "I only need to outrun you." There is a great deal of protection afforded the fact that nation-states rarely take such bold action unless there is a specific and deliberate reason, and globalization greatly narrows the potential number of reasons to attack a corporation or civilian organization of any significant size (while smaller ones are quite unlikely to pose much interest to foreign nations at all). And while the behavior of cyber partisans is not so measured and restrained, they are largely not of great impact unless they band together and work in concert.

Which brings the threat to three different forms. One, an organization that is smaller, relatively immature in information security measures, and thus useful as a stepping stone in attacks on other organizations. The second is of organizations that, for some reason, have gained the attentions of groups with nationalist, environmental, or other motivators. The third contains organizations which themselves are tightly linked to national drivers and infrastructure. Examples of this third group include defense contractors, financial institutions, and public utilities.

Cyber Warfare as a Threat to Small/Medium Civilian Organizations and Individuals
Within the first group, as stated above, the primary goal of an attacker would be merely to gain a foothold in their infrastructure for the facilitation of attacks on other organizations. This tactic is nothing new, and a more granular form of it takes place even within well-secured larger organizations. Incident response teams have noticed that many attackers choose to take control of relatively unimportant IT assets, and remain dormant until the time comes to exploit the control they already have. This takes place only when there is sufficient cause for them to reveal the penetration and tip their hand.

The same can and does happen on a national scale, where smaller, less-defended environments are used for the staging of attacks against more vigilant targets; this allows for some degree of obfuscation regarding the source of the attack, and adds flexibility should the intended final target notice an attack and start blocking the networks from which it originates. Thus, in a time of open, no-holds-barred cyber warfare between any two factions, this segment of the population would be more heavily hit than normal, both in terms of the number of attacks and the effect of already-compromised machines being more heavily leveraged to perform attacks.

Cyber Warfare as a Targeted Threat for Non-State Causes
The second group involves a greater risk of facing a determined attacker, but still lacks the risk inherent in a coherent, well-coordinated attack by a large or well-supported group. Still, an attacker who is bound and determined to bring harm to or gain entry to a target is far more dangerous than one who is merely looking for a target of opportunity. These organizations will tend to be larger, and thus better protected, but not themselves useful targets for cyber warfare. In the event of greater conflict between nations, however, the equation changes for organizations within this group. The largest of multinational corporations are themselves tightly bound to foreign nations with significant cyber warfare capabilities for outsourcing and manufacturing; this almost provides a kind of hostage situation whereby an attack upon them would inevitably (and quickly) incur harm upon the attacking nation.

Companies from Accenture to General Electric to General Motors all rely heavily upon their operations in other nations. This, combined with the ways in which our economies interact, would not only serve to cause any harm to be shared by both the attacker and the target, but in some cases would actually cause far greater harm to the attacker's economy. In the recent worldwide downturn, it has become apparent just how slim a margin the economic powers of Asia have been maintaining in their fight to compete globally; once things slipped backward even a small amount, that margin was eliminated and disaster ensued on a regional scale. The same event would be triggered by a successful and devastating attack on a large multinational corporation by China, for example, except in this case only China would suffer the impact, and the other countries in the region (particularly Taiwan) would actually benefit, as they would pick up the slack.

The phrase, "Globalization stops wars," is at least as true with cyber warfare as it is with kinetic warfare. For those few nations who possess a significant cyber warfare capacity but lack significant economic ties to the rest of the world: the best example of this is North Korea, whose lack of economic ties is accompanied by both a lack of large-scale connectivity to the rest of the world and a lack of large groups of motivated actors in other countries. As a result, an attack by such a nation would be easily stopped merely by severing the links between that nation and the rest of the Internet.

Cyber Warfare as a Threat to Organizations of Interest to Nation-State Actors
This final group has the most to fear from cyber warfare, given that they comprise organizations that would be specifically targeted by the disciplined, well-resourced actors of nation-state entities. Fortunately, these are also typically organizations that have had to face a significant and sophisticated threat model to begin with for other reasons; e.g., the same financial organizations that would be attacked by another nation for countervalue economic impact tend to have a lot of money, and have always been targeted for purposes of theft and fraud, and, therefore, have highly evolved defensive capabilities.

In addition, this segment of the population holds the fewest members, has the highest level of collaboration with officials in the intelligence and defense sectors, and is likely to get the quickest and most effective response from government agencies in the event of an attack. In some situations (particularly organizations that have some degree of overlap with the defense industry) attacks on this segment of the population would fall under the definition of counterforce attacks. In even rarer cases, these organizations are already adept at defensive cyber warfare operations, since they already provide services to the military and government in that capacity. So, while the potential threat to this group is the greatest, they are also far better prepared than any other component of private industry.

Fear vs. Reality: Cyber Warfare in the Press and in Reality

On a final closing note, it is wise to discuss the differential between what is likely to occur and what some reports in the popular media envision in terms of cyber warfare and how it would be conducted. Some of the visions come from books or film, and, therefore, cannot be seriously faulted; after all, these are venues of entertainment, not education. But news media tends to follow similar plotlines in their conceptualization of cyber warfare, to the detriment of popular perception and, eventually, efforts to prepare for the future. So this chapter will close with a bit of debunking.

The first basic rule of cyber warfare is this: cyber warfare rarely causes new things to occur. What instead is more probable is that an attack, at most, could cause something minor that happens occasionally to happen a great deal at once, either in terms of scale or in terms of frequency. The challenge there is that since these are things that can happen for other reasons, there are usually already ways to prevent them or mitigate their impact.

The classic example of this concept is the "green lights in all directions" idea. This has both shown up in popular film and in the dire warnings of "experts" on the topic of cyber warfare. The idea is that as more cities integrate networks over their municipal operations, including stoplights and traffic management systems, a hacker could take control of the network and cause traffic lights to show a green signal in all directions at once, causing car crashes. The truth of the matter is that many things have been proven to cause a traffic signal to attempt to do this, like corrosion, rodent infestation, human error in installation, electrical failure, and so on. As a result, the circuitry of these traffic light controllers is designed with an inherent failsafe. Should the controller attempt to display a pattern that would be considered dangerous (like all green lights in all directions), it fails into a failsafe mode, with blinking yellow or red lights in all directions. Anyone with significant driving experience has seen this phenomenon. Getting control of the signal controller via the Internet will not override this circuitry; it is inherent to the wiring of the signal itself, to make it as reliable a failsafe as possible.

Another fallacy pertains to the production of food. One example was the warning that hackers could take control of the machines involved in the production of children's cereal and increase the amount of iron being put into the food until it would be toxic. This also fails as a threat when one considers the real-world situation, and how such an event would actually play out. For one thing, the additive in food used to provide supplemental iron (iron sulfate) is used in trace amounts normally; to poison someone with it, the amount would have to be increased by multiple orders of magnitude. Consider also the fact that iron sulfate is dark green in color. The cereal would have a rather peculiar appearance, which I doubt would go unnoticed by people working at the production facility, much less the child presented with a bowl full of the stuff .

Even more interesting is the odor and flavor of iron sulfate, which is not in the least bit appetizing. Getting a child to eat a bowl full of cereal laced with enough of it to harm him would only be possible in a household so draconian that the child would probably be tough enough to eat barbed wire and still survive the experience in the first place. And finally, it would not go without notice that the mixing machines would be going through iron sulfate at an unprecedented rate, requiring refills thousands of times more often than normal. So again, when one considers the operational world in which this attack would need to be successful, one can see that it would have very limited chances of success on any level, for a wide number of reasons.

Another fabled attack that is coming to the forefront in the news is the notion that attackers could take the entire Internet off -line. Oddly enough, this one has more truth to it than fiction, in that such a thing is conceivable. Testifying before the United States Senate in 1999, "Mudge" of the group L0pht stated that he could take the Internet down within approximately 30 min. This was later borne out to be entirely plausible, as 4 years later a series of vulnerabilities in a protocol called BGP (Border Gateway Protocol) were revealed. There were earlier indications of these flaws, going back to that same year when a person known as "Batz" (who was a friend of Mudge) gave a talk on "Security Issues Affecting Internet Transit Points and Backbone Providers," during which he detailed how attacks using BGP could result in the rerouting or even denial of traffic routing between major components of the Internet. An analogy would be the global destruction of all points of travel across bodies of water, mountains, desert, or other impassable terrain.

The problem with this scenario was detailed by Mudge in the sentence that followed the proclamation that hackers could demolish the Internet so quickly. He posed the simple question of asking why they would do such a thing, and sever the links to rich sources of information instead of exploiting them. And this point still holds true today. While most of the issues surrounding BGP have been addressed, there are probably other issues waiting to be found. But for a cyber warrior to "take down" the Internet makes little sense; it would be like an invading army blowing up a bridge that still lay before them.

In some cases, for brute force reasons (such as the attacks on Estonia and Georgia by hackers sympathetic to Russian causes), a limited version of this may be performed against a single nation, but for larger countries with significant connectivity to other parts of the world, such a thing is not feasible without causing numerous effects to friendly networks. The amount of traffic needed to perform a denial-of-service attack against the entire United States, for example, would cause backscatter traffic that would more than overwhelm the rest of the Internet, including the networks of the attacking country. Furthermore, the earlier-described economic interdependence of nations provides a strong disincentive to perform this kind of attack at all. And above all else, the cyber warfare doctrines of all companies with sufficiently advanced capabilities to perform such an attack would instead dictate that they exploit access to resources, rather than cut off the ability to continue to do so.

Related Reading

Cyber-Warfare Threatens Corporations Expanion into Commercial Environments

About the Author

Rob Shein is a cyber security architect for HP's Security and Privacy Professional Services division, where he provides security consulting to a wide range of clients in the private and public sector. This is from Information Security Management Handbook, Sixth Edition, Volume 4, edited by Harold F. Tipton and Micki Krause Nozaki, Auerbach Publications, 2010.

Subscribe to Information Security Today

Powered by VerticalResponse

Share This Article

© Copyright 2011-2013 Auerbach Publications