2.9 Cyber Wars

The Internet is a public place, and someone innocently shopping on eBay will share the line with major corporations, banks and financial institutions, government organizations, the military, the security forces, criminals, hostile governments, other shoppers and citizens exchanging emails, tweets and a host of other services. Nothing prevents traffic from being lost, scrambled or sent into the wrong hands beyond a relatively simple set of network protocols and auxiliary security measures.

Given that the Internet is used for such a diverse and conflicting range of purposes, it's not surprising that security is now an area of potential conflict. What need is there to launch missiles or blow up buildings when installations can be shut down in seconds and organizations paralyzed by simply breaching their Internet security? What was once a theoretical possibility is now an urgent reality, and attacks thought to originate from China and North Korea suggest that the next war could very well be fought online. All major institutions have suffered security breaches at one time or another, and these seem only to become more serious as expertise and money are devoted to their analysis. {1}

Today's threatscape is constantly changing, adapting to countermeasures and continuing to successfully pursue various missions ranging from identity theft, to criminal and nation-based corporate espionage, and, in the case of a worm called Stuxnet, to sabotage. {3}

Today's Reality

Many trends are making Internet security more problematic:

1. Increasing numbers of people are using the Internet.
2. The Internet has become more diffuse (and security porous) with the move from mainframe computers to PCs, mobile devices and smart phones.
3. Hacking tools are becoming more sophisticated: even novices can use them to devastating effect. {2}
4. Malware is increasing in extent, type and effectiveness.
5. Computer literacy is increasing, and so is peer pressure to 'break into systems for fun'.
6. Distinctions are becoming blurred: teenage hackers, criminal organizations and governments themselves are blending into an amorphous but serious threat to everyone who uses the Internet. {1}

Companies

Companies are increasingly under threat from: {8}

1. Malware, malicious code that can destroy programs and data.
2. Loss of laptop or mobile device: data, even encrypted, can fall into the wrong hands and cause embarrassment, legal proceedings or worse.
3. Phishing: emails purporting to come from trusted organizations can elicit passwords, bank details, etc.
4. Unprotected networks and wireless Internet networks: sensitive information or customer data breaches can be phenomenally expensive.
5. Disgruntled insider/employees: information can be stolen and systems sabotaged.
6. Industrial espionage, not only from Russia and China on the USA, but from the USA on Europe and China. {39}

Security systems need to be installed {9} and rigorous procedures followed.

When companies step into the public arena, however, and upset sectors of public opinion, reprisals pass into cyberwar with security breaches by hackers and denial of service attacks. {10}

Government Organizations

The problems faced by private companies are much increased with government organizations. By their very nature and political associations, such organizations must offend some of their own countrymen and become a target for hostile government attention. {11}

A March 2011 Market Research Media report suggests that the US Federal Cybersecurity market is valued at $55 billion and will grow at about 6.2% p.a. {12}

The market is driven by:

1. Ever-increasing number and severity of cyber attacks.
2. Dramatic expansion in computer interconnectivity.
3. Exponential increase in the data flows and computing power of the government networks.
4. Perception that the United States is dependent on information technology.
5. Developments in the existing cyber security approaches and technologies.
6. Emergence of new technologies and approaches.

The Military

The military envisage cyberwar as a real war, {2} not a shutting down of installations but a cyber attack on such installations prior to war by conventional means. The installations run the command and control systems, manage the logistics, enable the staff planning and operations, and form the backbone of the intelligence capabilities. Most command and control systems, as well as the weapon systems themselves, are connected to the Global Information Grid (GIG) or have embedded computer chips. Airplanes constantly receive and send targeting information. Air Defense and Artillery are guided by computer systems, adjusting their flight to Global Positioning System (GPS) updates to reach their target. Indeed the Intelligence Surveillance and Reconnaissance (ISR) systems gather so much information that the challenge becomes one of sifting through to find the most important data. Today's infantry has communication gear, GPS, tracking devices, cameras, and night vision devices. Computer chips are used throughout, and any production holdups would be serious. Loss of GPS satellites would also critically remove many advantages on the battlefield. {3}

Cyberwar would impact on the very principles of war, namely objective, offensive, mass, economy of force, maneuver, unity of command, security, surprise, and simplicity. {3} Acknowledged probes and attacks on US military installations include:

1. Moonlight Maze: started in 1998 against the Pentagon, National Aeronautics and Space Administration (NASA): possibly originated in Russia.
2. Solar Sunrise: started in 1998: originally thought to be Iraqi but in fact came from 'a couple of kids in California'.
3. Titan Rain: discovered in 2003, against the DoD and Defense Industrial Base: assumed to be at state level.
4. Buckshot Yankee: a 2008 worm attack introduced through thumb drives on DoD networks: thumb drives were discontinued on such networks.

Military installations are subject to the same threats as other systems: malware, denial of service, insider activity, etc. Besides imposing the usual security measures, the US Military is exploring or undertaking:

1. Agreements or understandings with other powers through organizations like Computer Emergency Readiness Teams (CERT), Department of Homeland Security (DHS) and NATO.
2. Cyber arms control, adopting the mutual destruction model that saw the world through the Cold War.
3. Cyber treaties under the auspices of the UN.
4. A Cyberspace Policy Review that creates organizational bodies and responsibilities to put practical policies in place.

Similar moves are afoot in Russia, China, India, France, Israel, Brazil, South Korea, and Estonia. {3}

In its turn, China has accused the US of cyberwar tactics against its Internet-search engine Baidu, {26} and of meddling in Middle East countries. {27}

Constant Battle

Threats are real and ongoing. Some of the best-known attacks:

2000. Mafiaboy shuts down major commercial web sites.
2001. Code Red worm hit, designed to conduct DoS against the White House.
2001. Kournikova virus hit.
2003. Titan Rain: probably from China.
2003. SQL Slammer worm reached its peak in three minutes.
2004. Love Letter email attack hit.
2007. First Cyber Storm Exercise: hackers linked to Russian government bring down the web sites of Estonia's parliament, banks, ministries, newspapers, and broadcasters.
2007. Storm Worm infects thousands of (mostly private) computers in Europe and the United States.
2007. Chinese intrusion into British Security Service, and offices of French Prime Minister and German Chancellor.
2008. Operation Buckshot Yankee caused US military to stop using thumb drives.
2008. Databases of Republican and Democratic presidential campaigns hacked by unknown foreign intruders.
2008. Government and commercial web sites hacked in Georgia.
2009. FAA computer systems hacked.
2009. Ghost Net: espionage tools attributed to China implanted on government networks of 103 countries.
2009. Plans for new presidential helicopter found on file-sharing network in Iran.
2009. Conficker worm infiltrates millions of PCs worldwide.
2009. Hackers download data on the F-35 Joint Strike Fighter.
2010. Operation Aurora: Google hacked by China.
2010. WikiLeaks releases US embassy cables.
2010. Stuxnet worm attacks SCADA devices. {3}
2011. Coreflood Botnet. {37}

There were more than 300,000 reported attacks on US installations in 2010. {13} China claimed nearly 500,000 attacks on its computers in the same period. {28} Both countries are in fact watching and manipulating the activities of their own citizens. {37-40}

Legislation

One obvious approach is legislation to make cyberattacks a criminal offense: {14}

Virginia Computer Crimes Act: 1984

Felony: to use a computer to commit fraud, to maliciously access a computer without authorization, and to damage, copy, or remove files.
Misdemeanor: to use a computer to examine private files without authorization.

Computer Fraud and Abuse Act (CFAA): 1986

Felony: unauthorized access to a Federal computer system with the intent to steal or commit fraud or inflict malicious damage.

Electronic Communications Privacy Act: 1986

Electronic communications are private. Unauthorized access to and disclosure of private communications is unlawful.

Communications Assistance for Law Enforcement Act (CALEA): 1994

Law enforcement and intelligence agencies can conduct electronic surveillance.

Freedom of Information Act: 1996

Guaranteed access to data held by the state. Nine exemptions apply, including state security, commercially sensitive information, medical records, etc.

National Information Infrastructure Protection Act: 1996

Denial of Service (DoS) attacks illegal.

Gramm-Leach-Bliley Act: 1999

Authorized widespread sharing of personal information by financial institutions such as banks, insurers, and investment companies.

Safety and Freedom through Encryption (SAFE) Act: 2000

Relaxed US export controls on encryption.

Computer Security Enhancement Act: 2000

Hacking into federal government systems is illegal.

Electronic Signatures in Global and National Commerce Act: 2000

Allowed electronic signatures in legal documents.

Patriot Act: 2001

Drastically increased federal police investigatory powers, including the right to intercept email and track Internet usage. {25}

Homeland Security Act: 2002

Centralized federal security functions to meet post-Cold War threats and challenges.

Can-Spam Act: 2003

Created offenses of spamming, hiding the source of spams and sexually explicit spamming not marked as such.

Intelligence Reform and Terrorism Prevention Act: 2004

Promoted a culture of information sharing among intelligence agencies and federal departments. Set up a five-member Privacy and Civil Liberties Oversight Board to protect privacy and civil liberties.

US Safe Web Act: 2006

Increased FTC's financial redress for spamming, Internet fraud and deception. Improved FTC's cooperation with overseas counterparts. Ensured law enforcement authorities were proactive, with perhaps one in four hackers now working for the FBI. {17}

Most countries have similar legislation. {18}

Cyber Intelligence Sharing and Protection Act: 2012

Internet traffic information can be shared between the U.S. government and certain companies.

New Storage Techniques

A partial solution is new storage techniques, like that of Cleversafe, {19} which splits data into 'slices', and stores each slice at a different geographic location. Somewhat similar are Bitvault, {20} Wuala, {21} and the Tahoe Least-Authority Filesystem. {22} All make it difficult to copy information in one swift operation.
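The slicing idea above can be sketched in a few lines. This is an added example, not the algorithm used by Cleversafe or the other products named: it substitutes Shamir secret sharing and generalizes to a k-of-n threshold, so that fewer than k slices carry no information about the data and the loss of a site does not lose the data. The names `split` and `combine` and the sample record are assumptions made for illustration.

```python
import secrets

P = 257  # smallest prime above 255, so every byte value is a field element


def split(data: bytes, n: int, k: int) -> dict:
    """Return n slices keyed by site number 1..n; any k of them rebuild data."""
    if not 1 < k <= n < P:
        raise ValueError("need 1 < k <= n < 257")
    slices = {site: [] for site in range(1, n + 1)}
    for byte in data:
        # Random polynomial of degree k-1 whose constant term is the byte.
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(k - 1)]
        for site in slices:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x = site
                y = (y * site + c) % P
            slices[site].append(y)
    return slices


def combine(slices: dict, k: int) -> bytes:
    """Rebuild the data from at least k slices by Lagrange interpolation at 0."""
    if len(slices) < k:
        raise ValueError("not enough slices to rebuild the data")
    sites = sorted(slices)[:k]
    weights = []
    for xi in sites:
        num = den = 1
        for xj in sites:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        weights.append(num * pow(den, -1, P) % P)  # modular inverse, Python 3.8+
    length = len(slices[sites[0]])
    return bytes(
        sum(w * slices[x][i] for w, x in zip(weights, sites)) % P
        for i in range(length)
    )


if __name__ == "__main__":
    record = b"constructed sample: customer ledger"  # constructed test data
    stored = split(record, n=5, k=3)                 # five sites, any three suffice
    survivors = {site: stored[site] for site in (1, 3, 5)}  # sites 2 and 4 lost
    print(combine(survivors, k=3) == record)
```

An intruder who copies one or two sites in this sketch obtains only uniformly random values; the data exists only where three or more slices are brought together.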

Increased Awareness

Two things are currently needed:

1. Better awareness of cyber attack: its realities and preventive measures.
2. A more open debate on cyber security before an unnecessary 'arms race' is foisted on citizens of western democracies. {29} {30} {34}

Questions

1. Cyberwars belong to science fiction. Discuss.
2. How does the US military regard cyberwar, and why?
3. Outline, with the relevant acts, the legislative approach to its dangers.
4. What practical measures could be taken?

Sources and Further Reading

1. IT Governance by Alan Calder and Steve Watkins. Kogan Page. June 2008.
2. CyberWar, CyberTerror, CyberCrime: A Guide to the Role of Standards in an Environment of Change and Danger by Mehan E. Julie. IT Governance Ltd. April 2009.
3. Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners by Jason Andress and Steve Winterfeld. Syngress. June 2011.
4. Rand.org. Research and analysis focusing on social and security issues.
5. Center for Strategic and International Studies. Strategic insights and policy solutions to decision makers in government, international institutions, the private sector, and civil society.
6. Carnegie Mellon University Software Engineering Institute's Computer Emergency Response Team (CERT). Web-based interface to analyze and respond to security threats.
7. Information Warfare Site (IWS). Research center for groups interested in information security and information operations.
8. Top Five Small Business Internet Security Threats by Ron Teixeira. Small Biz Trends. June 2007.
9. Small Business Internet Security Suites Review. Internet Security Suite Review.
10. Pro-WikiLeaks DoS reprisals overrated, says expert by Gregg Keizer. Computerworld. December 2010.
11. Cyberwarfare in the People's Republic of China. Wikipedia. Attacks on the USA, Canada and India.
12. US Federal Cybersecurity Market Forecast 2010-2015. Market Research Media. March 2011.
13. Governments Need To Do More To Protect Themselves Against Cybercrime. Articlebase. April 2011.
14. Computer Crime & Intellectual Property Section. United States Department of Justice. More cases than legislation per se.
15. Computer Crime and Intellectual Property Section. ITLaw Wikia. Objectives and detailed participation.
17. Hackers got hacked: One in four online criminals in the US 'is an FBI informer' by Paul Bentley. Daily Mail. June 2011.
18. Cybercrime Law. CyberCrimeLaw. Legislation around the world.
19. Cleversafe dreams of distributed mass storage service Quasi RAID with virtual disks all over a grid by Neil McAllister. Techworld. January 2007.
20. Microsoft Readies 'BitVault' Self-Healing Data Store. Microsoft Watch. April 2006.
21. You Have Three Days To Check Out Wuala's 'Social Grid' Storage by Mike Butcher. Techcrunch. July 2008.
22. Welcome to The Least Authority File System. Tahoe-LAFS. Homesite of open source software.
23. Hypocrisy the order as our privacy prepares to depart by Judith Bessant. National Times. August 2011. Australia's proposed cybercrime bill.
24. The proposed "lawful access" bill bound for Parliament imposes worrisome limits on civil rights, and enormous financial costs on consumers by Alexander Ly and Adam Webb. The Mark. August 2011.
25. Beijing beefs up cyber-warfare capacity by Willy Lam. Asian Times. February 2010. China's concern with America's cyber abilities.
26. Beijing accuses US of cyberwarfare by Bill Gertz. Washington Post. January 2011.
27. China calls US culprit in global 'Internet war'. Yahoo News. June 2011.
28. China says it was targeted in 500,000 cyberattacks. Yahoo News. August 2011.
29. The Recognition Game: Soviet Russia Against the West by Erik Ringmar. Cooperation and Conflict. 2002. Summary of two traditional views on the arms race, and an explanation through the concept of recognition.
30. The Political Economy of US Militarism by Ismael Hossein-zadeh. Palgrave Macmillan. June 2007. How the 'peace dividend' was lost.
32. How a grid attack could unfold by Joseph Menn, Steve Bernard and Emily Cadman. FT. October 2011. Simple multimedia presentation.
33. They're watching. And they can bring you down by Joseph Menn. FT. September 2011. Poor security shown by prevalence of hacking.
34. Agreement on cybersecurity 'badly needed' by Joseph Menn. FT. October 2011.
35. Hackers Attack Nintendo by Juro Osawa. WSJ. June 2011. Serious but smaller than Sony's April data breach of 100 million accounts.
36. The Vulnerabilities Market and the Future of Security. Schneier on Security. June 2012.
37. With Court Order, FBI Hijacks 'Coreflood' Botnet, Sends Kill Signal by Kim Zetter. Wired. April 2011.
38. US-China Tensions Flare over Snowden's Revelations by John Chan. Global Research. June 2013.
39. Eavesdropping on the Planet, Whistleblowers and Edward Snowden by William Blum. Global Research. June 2013.
40. When you Bareback with the Internet you Ride with the NSA. Jake Appelbaum's/Der Spiegel's detailed video exposé of NSA tactics. Naked Capitalism. December 2013.