Chapter 1. Assessing the Problem
“You can’t say that civilization don’t advance, however, for in every war they kill you in a new way.”
On August 31, 2008, in the North Caucasus Republic of Ingushetia, Magomed Yevloev was arrested by Nazran police, ostensibly for questioning regarding his anti-Kremlin website Ingushetia.ru. As he was being transported to police headquarters, one of the officers in the car “accidentally” discharged his weapon into Yevloev’s head.
The U.S. Department of State called for an investigation. Vladimir Putin reportedly said that there would be an investigation. To date, nothing has been done.
Ingushetia.ru (now Ingushetia.org) and the Chechen website kavkazcenter.com are some of the earliest examples of politically motivated Russian cyber attacks dating as far back as 2002. In other words, in addition to Russian military operations in Chechnya, there were cyber attacks launched against opposition websites as well.
The Russia-Georgia War of August 2008 is the latest example, occurring just a few weeks before Magomed Yevloev’s killing. If anyone would qualify as a casualty of cyber warfare, it might just be this man.
The Complex Domain of Cyberspace
The focus of this book is cyber warfare, and therein lies the first complexity that must be addressed. As of this writing, there is no international agreement on what constitutes an act of cyber war, yet according to McAfee’s 2008 Virtual Criminology Report, there are over 120 nations “leveraging the Internet for political, military, and economic espionage activities.”
The U.S. Department of Defense (DOD) has prepared a formal definition of this new warfighting domain, which is discussed in Chapter 11, but inspired by the writings of Sun Tzu, I offer this definition instead:
Cyber Warfare is the art and science of fighting without fighting; of defeating an opponent without spilling their blood.
To that end, what follows are some examples of the disparate ways in which governments have attempted to force their wills against their adversaries and find victory without bloodshed in the cyber domain.
Cyber Warfare in the 20th and 21st Centuries
The emergence of the People’s Republic of China’s (PRC) hacker community was instigated by a sense of national outrage at anti-Chinese riots taking place in Indonesia in May 1998. An estimated 3,000 hackers self-organized into a group called the China Hacker Emergency Meeting Center, according to Dahong Min’s 2005 blog entry entitled “Say goodbye to Chinese hackers’ passionate era: Writing on the dissolving moment of ‘Honker Union of China.’” The hackers launched attacks against Indonesian government websites in protest.
About one year later on May 7, 1999, a NATO jet accidentally bombed the Chinese embassy in Belgrade, Yugoslavia. Less than 12 hours later, the Chinese Red Hacker Alliance was formed and began a series of attacks against several hundred U.S. government websites.
The next event occurred in 2001 when a Chinese fighter jet collided with a U.S. military aircraft over the South China Sea. This time over 80,000 hackers became engaged in launching a “self-defense” cyber war for what they deemed to be an act of U.S. aggression. The New York Times referred to it as “World Wide Web War I.”
Since then, most of the PRC’s focus has been on cyber espionage activities, in accordance with a military strategy aimed at mitigating the technological superiority of the U.S. military.
In late December 2008, Israel launched Operation Cast Lead against Palestine. A corresponding cyber war quickly erupted between Israeli and Arabic hackers, which has been the norm of late when two nation states are at war.
The unique aspect of this case is that at least part of the cyber war was engaged in by state hackers rather than the more common non-state hackers. Members of the Israeli Defense Forces hacked into the Hamas TV station Al-Aqsa to broadcast an animated cartoon showing the deaths of Hamas’ leadership with the tag line “Time is running out” (in Arabic).
In contrast, during the Chechnya, Estonia, and Georgia conflicts, nationalistic non-state hackers acted in concert but were not in the employ of any nation state.
That is the second complication: attribution. And lack of attribution is one of the benefits for states who rely on or otherwise engage non-state hackers to conduct their cyber campaigns. In other words, states gain plausible deniability.
The Second Russian-Chechen War (1997–2001)
During this conflict, in which the Russian military invaded the breakaway region of Chechnya to reinstall a Moscow-friendly regime, both sides used cyberspace to engage in Information Operations to control and shape public perception.
Even after the war officially ended, the Russian Federal Security Service (FSB) was reportedly responsible for knocking out two key Chechen websites at the same time that Russian Spetsnaz troops engaged Chechen terrorists who were holding Russian civilians hostage in a Moscow theatre on October 26, 2002.
The Estonian cyber war (2007)
Although there is no hard evidence linking the Russian government to the cyber attacks launched against Estonian government websites during the week of April 27, 2007, at least one prominent Russian Nashi youth leader, Konstantin Goloskokov, has admitted his involvement along with some associates. Goloskokov turned out to be the assistant to State Duma Deputy Sergei Markov of the pro-Kremlin Unified Russia party.
The activating incident was Estonia’s relocation of the statue “The Bronze Soldier of Tallinn,” dedicated to soldiers of the former Soviet Union who had died in battle. The resulting massive distributed denial of service (DDoS) attacks took down Estonian websites belonging to banks, parliament, ministries, and communication outlets.
The Russia-Georgia War (2008)
This is the first example of a cyber-based attack that coincided directly with a land, sea, and air invasion by one state against another. Russia invaded Georgia in response to Georgia’s attack against separatists in South Ossetia. The highly coordinated cyber campaign utilized vetted target lists of Georgian government websites as well as other strategically valuable sites, including the U.S. and British embassies. Each site was vetted in terms of whether it could be attacked from Russian or Lithuanian IP addresses. Attack vectors included DDoS, SQL injection, and cross-site scripting (XSS).
The Iranian Presidential elections of 2009 spawned a massive public protest against election fraud that was fueled in large part by the availability of social media such as Twitter and Facebook as outlets for public protest. The Iranian government responded by instituting a harsh police action against protesters and shutting down media channels as well as Internet access inside the country. Some members of the opposition movement resorted to launching DDoS attacks against Iranian government websites. Twitter was used to recruit additional cyber warriors to their cause, and links to automated DDoS software made it easy for anyone to participate.
Over the July 4th weekend of 2009, a few dozen U.S. websites, including the White House and other U.S. government sites, came under a mild DDoS attack. A few days later the target list grew to include South Korean government and civilian websites. The Democratic People’s Republic of Korea (DPRK) was the primary suspect, but as of this writing there is no evidence to support that theory. Nevertheless, South Korean media and government officials have pressed the case against the North, and U.S. Rep. Pete Hoekstra (R-MI) has called for the U.S. military to launch a cyber attack against the DPRK to send them a “strong signal.”
In December 2007, Jonathan Evans, the director-general of MI5, informed 300 British companies that they were “under attack by Chinese organizations,” including the People’s Liberation Army.
“Titan Rain” is the informal code name for ongoing acts of Chinese cyber espionage directed against the U.S. Department of Defense since 2002. According to Lieutenant General William Lord, the Air Force’s Chief of Warfighting Integration and Chief Information Officer, “China has downloaded 10 to 20 terabytes of data from the NIPRNet (DOD’s Non-Classified IP Router Network).” This stolen data came from such agencies as the U.S. Army Information Systems Engineering Command, The Naval Ocean Systems Center, the Missile Defense Agency, and Sandia National Laboratories.
According to testimony by Timothy L. Thomas (Lt. Col., USA Retired) of the Foreign Military Studies Office, Joint Reserve Intelligence Office, Ft. Leavenworth, Kansas, before the U.S.-China Economic and Security Review Commission in 2008, DOD computers experienced a 31% increase in malicious activity over the previous year, amounting to 43,880 incidents.
In 2006, Department of Defense officials claimed that the Pentagon network backbone, known as the Global Information Grid, was the recipient of 3 million daily scans, and that China and the U.S. were the top two sources.
Acts of cyber espionage are not only directed at U.S. Government websites but also at private companies that do classified work on government contracts. According to Alan Paller of the SANS Institute, Raytheon, Lockheed Martin, Boeing, Northrop Grumman, and other large government contractors experienced data breaches in 2007.
In January 2009, SRA, a company that specializes in providing computer security services to the U.S. government, reported that personal information on its employees and customers was at risk when it discovered malware on one of its servers.
At this time it is unknown if the attacks originated from the North Korean Army, a lonely South Korean student, or the Japanese-Korean Mafia. Indeed, all of these entities could have been involved in the attacks at the same time. This is because the differentiation between Cyber Crime, Cyber Warfare and Cyber Terror can be a misleading one—in reality, Cyber Terror is often Cyber Warfare utilizing Cyber Crime.
—Alexander Klimburg, Cyber-Attacken als Warnung (DiePresse.com, July 15, 2009)
Most of the sources on cyber warfare that are publicly available do not address the problem of cyber crime. The reasoning goes that one is a military problem, whereas the other is a law enforcement problem; hence these two threats are dealt with by different agencies that rarely speak with one another.
Unfortunately, this approach is not only counterproductive, but it also creates serious information gaps in intelligence gathering and analysis. My experience as Principal Investigator of the open source intelligence effort Project Grey Goose provides ample evidence that many of the non-state hackers who participated in the Georgian and Gaza cyber wars were also involved in cyber crime. It was, in effect, their “day job.”
Additionally, cyber crime is the laboratory where the malicious payloads and exploits used in cyber warfare are developed, tested, and refined. The reason why it is such an effective lab environment is because cracking a secure system, whether it’s Heartland Payment Systems or the Global Information Grid, is valuable training, and it’s happening every day inside the cyber underground.
The chart in Figure 1-1, prepared by independent security researcher Jart Armin, demonstrates the rapid rise in volume and sophistication of attacks in just the last 10 years.
A 2009 report by Gartner Research states that financial fraud was up by 47% in 2008 from 2007, with 687 data breaches reported. What does that translate to in dollars? No one seems to know, although Chris Hoofnagle, Senior Fellow with the Berkeley Center for Law and Technology, says in an article that he wrote for the Fall 2007 issue of the Harvard Journal of Law and Technology that it’s probably in the tens of billions:
Currently we don’t know the scope of the problem…. We do know that it is a big problem and that the losses are estimated in the tens of billions. Without reporting, we cannot tell whether the market is addressing the problem. Reporting will elucidate the scope of the problem and its trends, and as explained below, create a real market for identity theft prevention.
In January 2009, Heartland Payment Systems revealed that it was the victim of the largest data breach in history, involving more than 130 million accounts. No one really knows for sure because hackers had five months of uninterrupted access to Heartland’s secure network before the breach was discovered.
Organized crime syndicates from Russia, Japan, Hong Kong, and the U.S. are consolidating their influence in the underground world of cyber crime because the risk-reward ratio is so good. Although law enforcement agencies are making sustained progress in cyber crime detection and enforcement—such as Operation DarkMarket, an FBI sting that resulted in the arrest of 56 individuals worldwide, more than $70 million in potential economic loss prevented, and recovery of 100,000 compromised credit cards—cyberspace is still a crime syndicate’s dream environment for making a lot of money with little to no risk.
A recent report by the European Commission predicts:
There is a 10% to 20% probability that telecom networks will be hit by a major breakdown in the next 10 years, with a potential global economic cost of around €193 billion ($250 billion). This could be caused by natural disasters, hardware failures, rupture of submarine cables (there were 50 incidents recorded in the Atlantic Ocean in 2007 alone), as well as from human actions such as terrorism or cyber attacks, which are becoming more and more sophisticated.
- Preparedness and prevention: fostering cooperation, the sharing of information, and the transfer of good policy practices between member states via a European Forum, and establishing a European Public-Private Partnership for Resilience, which will help businesses share experience and information with public authorities.
- Detection and response: supporting the development of a European information-sharing and alert system.
- Mitigation and recovery: stimulating stronger cooperation between member states via national and multinational contingency plans and regular exercises for large-scale network security incident response and disaster recovery.
- International cooperation: driving a Europe-wide debate to set EU priorities for the long-term resilience and stability of the Internet with a view to proposing principles and guidelines to be promoted internationally.
- Establishing criteria for European critical infrastructure in the Information and Communication Technologies (ICT) sector: the criteria and approaches currently vary across member states.
The potential impact of attacks delivered in cyberspace has not always been as appreciated as it is today. As early as February 18, 2003, in an interview with PBS’s Frontline: Cyberwar!, noted expert James Lewis, director of the Center for Strategic and International Studies, said:
Some people actually believe that this stuff here that they’re playing with is equal, if not a bigger threat, than a dirty bomb…. Nobody argues—or at least no sane person argues—that a cyber attack could lead to mass casualties. It’s not in any way comparable to weapons of mass destruction. In fact, what a lot of people call them is “weapons of mass annoyance.” If your power goes out for a couple hours, if somebody draws a mustache on Attorney General Ashcroft’s face on his website, it’s annoying. It’s irritating. But it’s not a weapon of mass destruction. The same is true for this.
Now contrast that statement with the following excerpt from “Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency” (issued December 2008), for which Mr. Lewis was the project director:
The Commission’s three major findings are: (1) cybersecurity is now a major national security problem for the United States; (2) decisions and actions must respect privacy and civil liberties; and (3) only a comprehensive national security strategy that embraces both the national and international aspects of cybersecurity will make us more secure.
That shows a significant difference of opinion on the part of Mr. Lewis in a relatively short period of time. Part of the reason that respected individuals such as James Lewis have downplayed the potential impact of cyber war is that past examples have not demonstrated any significant harm. Website defacements and extended downtime of a small country’s Internet access, while burdensome, have not resulted in human injuries.
Even in 2009, when there is little doubt remaining about the critical need to address cyber vulnerabilities, there are still voices of dissent such as Jim Harper, director of information policy studies at the Cato Institute, who said in an interview with Russia Today on July 31, 2009 that “Both cyber terrorism and cyber warfare are concepts that are gross exaggerations of what’s possible through Internet attacks.”
Although acts of cyber espionage such as Titan Rain or incidents of cyber crime resulting in major data losses such as Heartland Payment Systems are gravely serious in their own right, stove-piped thinking that excludes cyber crime from cyber war means that the potential for a threat case doesn’t cross over in the mind of the military strategist.
There is a growing awareness of the vulnerability of a nation’s critical infrastructure to network attack. Transportation, banking, telecommunications, and energy are among the most vulnerable systems and may be subject to the following modes of attack:
- Anonymous access to protected networks via the Internet and Supervisory Control and Data Acquisition (SCADA) systems
- Employee abuse of security guidelines leading to malware propagation inside the firewall
The following future threat scenario is modeled after the ones created for the latest National Intelligence Council (NIC) report “Global Trends 2025.” While containing many scenarios on a variety of national security issues, the NIC did not include a large-scale cyber event. The authors did, however, have this to say:
Cyber and sabotage attacks on critical US economic, energy, and transportation infrastructures might be viewed by some adversaries as a way to circumvent US strengths on the battlefield and attack directly US interests at home.
The question of whether a nuclear catastrophe could be initiated by a hacker attack was explored through multiple scenarios in a paper commissioned by the International Commission on Nuclear Nonproliferation and Disarmament entitled “Hacking Nuclear Command and Control” by Jason Fritz, et al.
This scenario is perfectly plausible given what we know today about software exploits driven by social engineering; the availability of counterfeit hardware such as routers, switches, Gigabit Interface Converters, and WAN interface cards; and Conficker-type botnets that consist of millions of infected PCs.
Combine those threats with a motivated, patient, and well-financed hacker crew and any number of doomsday scenarios become possible.
If this scenario sounds far-fetched or seems to overstate the risk, the following news stories represent a sampling of actual cyber security events that have occurred at nuclear power plants since 2003:
- “NNSA wants more funding for cyber security” (Federal Computer Week, February 6, 2008)
“Numerous cybersecurity problems at the department have come to light over the past few months. A recently released report by the department’s inspector general report said Energy had 132 serious security breaches in fiscal 2006.”
- “Slammer worm crashed Ohio nuke power plant” (SecurityFocus, August 19, 2003)
“The Slammer worm penetrated a private computer network at Ohio’s Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall, SecurityFocus has learned.”
- “Cyber Incident Blamed for Nuclear Power Plant Shutdown” (The Washington Post, June 5, 2008)
“A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant’s radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.”
- “Fed aims to tighten nuclear cyber security” (SecurityFocus, January 25, 2005)
“The U.S. Nuclear Regulatory Commission (NRC) quietly launched a public comment period late last month on a proposed 15-page update to its regulatory guide ‘Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.’ The current version, written in 1996, is three pages long and makes no mention of security.
Adherence to the new guidelines would be strictly voluntary for operators of the 103 nuclear reactors already running in the U.S.—a detail that irks some security experts. In filed comments, Joe Weiss, a control systems cyber security consultant at KEMA, Inc., argued the regulatory guide shouldn’t be limited to plant safety systems, and that existing plants should be required to comply.
“There have been numerous cases of control system cyber security impacts including several in commercial nuclear plants,” Weiss wrote. “Many nuclear plants have connected their plant networks to corporate networks making them potentially vulnerable to cyber intrusions.”
- “Congressmen Want Explanation on Possible Nuclear Power Plant Cyber Security Incident” (SC Magazine, May 21, 2007)
“U.S. Rep. Bennie G. Thompson, D-Miss., chairman of the House Committee on Homeland Security, and Rep. James R. Langevin, D-R.I., chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, have asked Dale E. Klein, chairman of the U.S. Nuclear Regulatory Commission (NRC), to investigate the nation’s nuclear cybersecurity infrastructure.
They said a cybersecurity ‘incident’ resembling a DoS attack on Aug. 19, 2006 left the Browns Ferry Unit 3 nuclear power facility in northern Alabama at risk.”
Besides the risks posed by various malicious attacks, both real and projected, a further complication that must be considered is the significant age of most of our nuclear power plants and how difficult it will be to rid a legacy network of a virus.
In a speech at the 2006 American Nuclear Society Winter Meeting, Nuclear Regulatory Commission Commissioner Peter B. Lyons recounted how, as he visited many of the U.S. nuclear power plants, he was struck by the number that still use “very old analog instrumentation.” Keep in mind that this was just a few years ago.
Now imagine the complexity involved in returning an infected machine to a trustworthy state. If there’s a known good source available, a reinstall should work; however, do these antiquated systems even have a known good source? How does a nuclear power plant take all of its critical systems offline? Much of the software used in critical infrastructures in the U.S. was custom-made in one-off versions. After infection occurs, the likelihood of a kernel-level rootkit remaining on the machine is worrisome at best, and catastrophic at worst.
The Conficker Worm: The Cyber Equivalent of an Extinction Event?
Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm. Among the long history of malware epidemics, very few can claim sustained worldwide infiltration of multiple millions of infected drones. Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft. In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.
—Phillip Porras, Hassen Saidi, and Vinod Yegneswaran, “An Analysis of Conficker’s Logic and Rendezvous Points,” SRI International report, updated March 18, 2009
There are at least two sustained mysteries surrounding the Conficker worm: who is behind it, and what do they plan to do with it?
Regarding the former, researchers who have studied the code contained in the worm as well as its A, B, and C variants can say with some certainty that the authors are skilled programmers with knowledge about the latest developments in cryptography along with an in-depth knowledge of Windows internals and security. They are also adept at code obfuscation and code packing, and they are closely monitoring and adapting to attempts to thwart Conficker’s operation.
Perhaps more importantly, the Conficker authors have shown that they are innovative, agile, and quick to implement improvements in their worm. Quoting from the SRI report:
They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.
There has been an unprecedented amount of collaboration in the software community to overcome the threat posed by Conficker. Microsoft has offered a $250,000 reward for information leading to the arrest and conviction of Conficker’s authors. Although the idea of a bounty is interesting, the amount offered is ridiculously low. There are carders (cyber criminals who engage in illegal credit card transactions) who earn that much in one month.
The software giant has also established a “Conficker Cabal” in the hope that collaboration will yield more results than one company’s efforts alone. Members of the cabal include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks, and Support Intelligence.
As of this writing, no progress has been made on discovery or mitigation of this threat, and the Conficker worm continues to propagate.
Africa: The Future Home of the World’s Largest Botnet?
African IT experts estimate an 80% infection rate on all PCs continent-wide, including government computers. It is the cyber equivalent of a pandemic. Few can afford to pay for anti-virus software, and for those who can, the download time on a dial-up connection makes the update out of date by the time the download is complete.
Now, with the arrival of broadband service delivered via undersea cables such as Seacom’s on July 23, 2009, Teams cable (September 2009), and the East African Submarine Cable System (mid-year 2010), there will be a massive, target-rich environment of almost 100 million computers available for botnet herders to add infected hosts to their computer armies (Figure 1-2).
One botnet of one million hosts could conservatively generate enough traffic to take most Fortune 500 companies collectively offline. A botnet of 10 million hosts (like Conficker) could paralyze the network infrastructure of a major Western nation.
As of today, there is no unified front to combat botnets of this size. However, since these botnets are Windows-based, a switch to the Linux operating system is a feasible alternative being floated to address the African crisis. Another would be for anti-virus (AV) companies to provide free subscriptions to African residents. A third would require that Microsoft radically modify its policy about pirated versions of Windows and make its security patches available to all who request them, regardless of whether they have genuine software loaded on their boxes.
The participation of the software industry is crucial as governments and the private sector face both criminal and geopolitical adversaries in a domain that has been in existence only since the birth of the World Wide Web in 1990, a domain that millions of individuals are impacting, shaping, and transforming on a daily, even hourly, basis.
The Way Forward
If I were asked what I hoped to accomplish with this collection of facts, opinions, and assessments about cyber warfare and its various permutations, my answer would be to expand senior leadership and policy makers’ limited thinking that surrounds the subject and instigate a broader and deeper conversation in the public sphere. This book will probably feel more like a collection of essays or an anthology by different authors than a cohesive story with a clean development arc. In part, that’s because of the nature of the beast. When it comes to how attacks orchestrated by a myriad of parties across globally connected networks are impacting national security for the U.S. and other nation states, we’re all like blind men describing an elephant. The big picture sort of eludes us. My hope for this book is that it will inform and engage the reader; inform through the recounting of incidents and actors stretching across multiple nations over a period of 10 years up to almost the present day (Thanksgiving 2009) and engage by firing the reader’s enthusiasm to get involved in the debate on every level—local, state, and national. If it raises almost as many questions as my contributors and I have attempted to answer, I’ll feel like the book accomplished its mission.