Security

Cyberwarfare: Characteristics and challenges

The specter of cyberwarfare isn't just a problem for governments -- many types of organizations could be in the line of fire. Knowing the types of attacks and their probability will help you prepare.

Journalists, business executives, and government bureaucrats like to use the term "cyberwarfare" when it suits their needs: especially when an organization loses intellectual property through an advanced persistent threat. A warfare claim is often accompanied by the victim organization's claims that it was helpless in the face of state- or crime organization-sponsored espionage, theft, or denial of service. Many managers believe the government should do more. While there are things the federal government can do, each organization is responsible for implementing basic prevention, detection, and response controls to deal with inevitable breach attempts.

In this first installment of a two-part series, we'll examine the characteristics of cyberspace that enable the growing number of cyberwarfare events. In addition, we'll explore the various types of warfare-related attacks as well as underlying motives, tools, and techniques. Part two develops a cyberwarfare defense using existing standards of best practice.

Cyberspace

Unlike physical space, cyberspace is a man-made landscape of interconnected devices and networks. Organizations must connect, and remain connected, to this Internet in order to compete in today's markets. However, consistent governance does not apply across all geographic Internet presences. Lior Tabansky, a Neubauer research associate working on the Cyber Warfare Program at INSS, writes,

"Much of cyberspace is organized and managed by private and cooperative organizations without state or geographical overlap. The internet [sic], which is a central and growing component in this space, is built in a decentralized manner. The ideology of the internet's creators and its leading thinkers is opposed to any type of state management" (p. 78).

Lack of governance is only one challenge facing connected businesses and government agencies. For years, relatively inexpensive tools have enabled almost anyone with a little computer knowledge to circumvent prevention controls, given enough time. Many tools, used by both white hat and black hat hackers, are free (e.g., Live Hacking). Others, like Metasploit, are intended for the professional cybercriminal and penetration tester. Finally, nation-sponsored intrusions often make use of proprietary tools and techniques designed specifically for a planned or ongoing attack.

Cyberspace itself lacks governance and control. This exposes network perimeters and internal systems (especially end-user systems) to a wide variety of threats. Table A, based on Tabansky's work, lists cyberspace characteristics and associated vulnerabilities.

Table A

Cyberwarfare

The emergence of cyberspace adds an additional dimension to warfare, with or without clashes of traditional troops and machines of war. Cyberwarfare is often defined as major disruption of critical infrastructure. However, this is the least likely outcome: attacking a nation via the Internet will have extreme consequences for the attacker as well as collateral global damage. No nation, including both its public and private infrastructure, is immune from attack.

Cyberwarfare occurs continuously across cyberspace connections, resulting in minor disruptions, website defacement, theft of national defense information, and intellectual property theft. As Michael Riley and Ben Elgin write in China's Cyberspies Outwit Model for Bond's Q, China is one country that is actively invading U.S. infrastructure, stealing defense secrets, and walking away with industrial technology useful in narrowing industrial and military gaps. According to The Economist, "Some experts believe that such thefts have cost hundreds of billions of dollars in stolen R&D" (para. 2). While some of this is simply criminal activity, much of it is attributable to nation-sponsored espionage.

A country or group does not need a strong military or economy to wage warfare against industrial powers. Sreeram Chaulia writes in Cyber warfare is the new threat to the global order,

"Cyber war capacities are not the domain of only big guns like China and the U.S. They are spreading horizontally to middle and even minor powers" (para. 5).

Anyone with the right tools and a permissive legal/political environment can launch attacks against large or small targets, regardless of how many guns and tanks the target has. Table B lists several characteristics of current cyber threats.

Table B

Government's role in defense

The U.S. has been very slow to react to cyberwarfare threats. Although the military is taking steps to shore up its controls, private and public organizations are not moving to properly protect themselves. The Sarbanes-Oxley and the Gramm-Leach-Bliley Acts, for example, do little to protect publicly traded companies and financial institutions from cyber attack. While protecting data integrity and customer privacy, they fall short in providing mandates for preventing, detecting, and responding to known and future nation-sponsored advanced persistent threats. Congress doesn't seem to be able to make this situation any better.

The Cyber Security Act of 2012 died as Congressional leaders waged their own internal ideological warfare regarding challenges like the fiscal destruction brought on by government policy (Experian). President Obama has made an attempt to shore up this gap with Presidential Policy Directive 20 (PPD 20).

PPD 20 instructs the military to take steps to identify attackers and to take offensive or other relevant action against them, commensurate with the risk. However, it does little to require the government to review private and public infrastructure and assist organizations in their efforts to mount a cyber defense. This raises the question of whether offense or defense is the best way to protect against attack.

Offense vs. defense

PPD 20 appears to favor offensive actions as a deterrent. This requires identification of attack sources and a willingness to attack infrastructure of countries like Russia and China. Emilio Iasiello writes in Identifying Cyber-Attackers to Require High-Tech Sleuthing Skills,

"No standard methodology exists today for establishing a degree of confidence in determining cyber-attribution. The defender must be able to identify the perpetrator for an appropriate response action" (para. 5).

Even if a military identifies the attack source, will its government have the political will to take offensive action if the source is China, Russia, or North Korea? Will the public be willing to withstand the damaging effects of a response against a national infrastructure not ready to quickly react to a series of back-and-forth attacks in the name of deterrence? Not likely...

A strong defense must be the first step in dealing with cyberwarfare. This is the topic of Part 2.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

6 comments
Neon Samurai

The Center for Strategic and International Studies findings for 2013 (raising the bar on cybersecurity) provide effective defense from the three types of online attack as discussed by Mikko Hyppönen (criminal, activist, government). 1. Minimize user privilege; only allow what the job requires for everybody, including C-level management. 2. Patch rapidly; keep your software and operating systems up to date and do it as soon as the update is available. I'd add: demand better quality control from vendors and demand they fix all known problems. I'm looking at you Microsoft (that didn't fix all known issues last Patch Tuesday) and Oracle (how long did it take to ship the last Java update that didn't fix all known issues). 3. Use whitelisting; whitelist what programs can be run by what users. Whitelist what remote nodes can connect into your local node. Whitelist what your local node can connect out to. Blacklisting and other after-the-fact defenses become more useless by the day. With the PRISM news bringing to public light what IT has known for 30 years, I'd also now add: learn to use encryption and a password manager.
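An added example, not code from the article or from the commenter: a small Python model of the three controls the comment lists, per-role least privilege, an execution allowlist keyed by SHA-256, and an egress allowlist, evaluated over constructed sample events. A hash blocklist sits alongside for contrast, to show why a never-before-seen binary passes a blocklist but is stopped by a default-deny allowlist. All roles, file contents, hashes and addresses are constructed for the example.

```python
"""Default-deny allowlisting for program execution and network egress.

Added example (not from the article or the comment). Real tooling would hash
files on disk and hook the exec/connect paths; here the events are constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


# Constructed file contents standing in for binaries on a host.
_APPROVED_EDITOR = b"#!/bin/sh\necho approved-editor\n"
_APPROVED_BROWSER = b"#!/bin/sh\necho approved-browser\n"
_UNSEEN_BINARY = b"#!/bin/sh\necho something-new\n"   # not catalogued anywhere


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist keyed by SHA-256, so a renamed or tampered copy does not match.
PROGRAM_ALLOWLIST: Dict[str, str] = {
    sha256_hex(_APPROVED_EDITOR): "editor",
    sha256_hex(_APPROVED_BROWSER): "browser",
}

# Least privilege: a role may run only what its job requires; an executive
# account is treated like any other account (constructed roles).
ROLE_PROGRAMS: Dict[str, FrozenSet[str]] = {
    "analyst": frozenset({"editor", "browser"}),
    "executive": frozenset({"browser"}),
}

# Egress allowlist: (destination network, port) pairs this node may open.
# 10.20.0.0/16 is a constructed internal range; 192.0.2.10 is in the RFC 5737
# documentation range and stands in for a vendor update server.
EGRESS_ALLOWLIST: List[Tuple[ipaddress.IPv4Network, int]] = [
    (ipaddress.ip_network("10.20.0.0/16"), 443),
    (ipaddress.ip_network("192.0.2.10/32"), 443),
]

# Blocklist of hashes already seen as malicious, for comparison only.
KNOWN_BAD_HASHES: FrozenSet[str] = frozenset(
    {sha256_hex(b"#!/bin/sh\necho old-malware\n")}
)


@dataclass(frozen=True)
class ExecEvent:
    user_role: str
    image: bytes            # file contents of the program being launched


@dataclass(frozen=True)
class ConnectEvent:
    dst_ip: str
    dst_port: int


def decide_exec_allowlist(ev: ExecEvent) -> Tuple[bool, str]:
    """Default deny: unknown hash -> deny; known hash outside the role -> deny."""
    name = PROGRAM_ALLOWLIST.get(sha256_hex(ev.image))
    if name is None:
        return False, "hash not on allowlist"
    if name not in ROLE_PROGRAMS.get(ev.user_role, frozenset()):
        return False, f"{name} not permitted for role {ev.user_role}"
    return True, f"{name} allowed for {ev.user_role}"


def decide_exec_blocklist(ev: ExecEvent) -> Tuple[bool, str]:
    """After-the-fact model: only what is already catalogued as bad is stopped."""
    if sha256_hex(ev.image) in KNOWN_BAD_HASHES:
        return False, "hash on blocklist"
    return True, "not known bad"


def decide_connect(ev: ConnectEvent) -> Tuple[bool, str]:
    """Default deny for outbound connections not matching an allowlist entry."""
    addr = ipaddress.ip_address(ev.dst_ip)
    for net, port in EGRESS_ALLOWLIST:
        if addr in net and ev.dst_port == port:
            return True, f"{ev.dst_ip}:{ev.dst_port} matches {net}"
    return False, f"{ev.dst_ip}:{ev.dst_port} not on egress allowlist"


def run_demo() -> Dict[str, bool]:
    """Evaluate constructed events; returns {label: allowed?}."""
    unseen = ExecEvent("analyst", _UNSEEN_BINARY)
    return {
        "analyst runs editor": decide_exec_allowlist(ExecEvent("analyst", _APPROVED_EDITOR))[0],
        "executive runs editor": decide_exec_allowlist(ExecEvent("executive", _APPROVED_EDITOR))[0],
        "unseen binary, allowlist": decide_exec_allowlist(unseen)[0],
        "unseen binary, blocklist": decide_exec_blocklist(unseen)[0],
        "egress to update server": decide_connect(ConnectEvent("192.0.2.10", 443))[0],
        "egress to unknown host": decide_connect(ConnectEvent("198.51.100.7", 443))[0],
    }


if __name__ == "__main__":
    for label, allowed in run_demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {label}")
```

The two exec decision functions differ on exactly one input, the binary nobody has catalogued yet: the blocklist lets it run because it has no reason not to, while the allowlist denies it because it has no reason to allow it. Keying the allowlist on hash rather than path or filename is what makes the "patch rapidly" control compatible with it: the new hash has to be added deliberately when an update is rolled out.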

rm

Since attackers often use innocent third-party machines to obscure their origins, when is an offensive action justified? Is it wrong to kill a "relay machine," or is this now considered collateral damage? Microsoft's recent actions attempting to shut down the Citadel botnet illustrate the difficulties of coordinating multiple agencies in an offensive action. Many of the machines taken down were research honeypots that were attempting to define the exact origins of the attackers (and much valuable data was destroyed), while other parts of the botnet survived.

robo_dev

The cyber attack that stole RSA SecurID encryption was an email with malware. This simple email exploit led to some major defense contractor breaches. Since the attack was, we suspect, state sponsored, and concerned theft of military-related data, we call it cyber warfare. So whoever sent the email started a war, and whoever opened the email with the malware... they were a war casualty? Defining the concept of cyber war is problematic... like the whole concept of the 'war on terror'. So when does a 'whole bunch of attacks' spill over to 'this is war'? If we are not at war with a country, but some of their people, who may or may not be working for the government of that other country, decide to start hacking into more and more of our systems, where does that 'war' line get crossed? Ten attacks, ten thousand? Ten million? (per day, hour, second?). Who gets to make the call that we are 'under attack'? CNN? This is like considering how a guy learns to catch bullets in his teeth... do they start just throwing bullets underhand, then go to a slingshot, then a BB gun... An attack may be state sponsored, group sponsored, or just some random individual... and to some degree the source does not matter. Whether some bored teenager from Peru or a whole building full of Chinese hackers brings down our national air traffic control system, the source is irrelevant; the system they brought down is. But the kid from Peru committed a hack and the latter would be a cyber warfare strike. Defense is defense, security is security. The cynical would assert that calling something 'war' creates fear, and fear demands a response, which gets funding. Funding creates capability, which needs to keep the threat level high to keep the capability fully funded. And so the circle of life continues. But if we are not sure, or cannot prove who did it, then how or when do you call it war? Attribution and identification are critical, obviously.
False-flag operations can be somewhat easy to spot in the real world, while virtually impossible to spot in the cyber world.

robo_dev

Is that like that Alfred Hitchcock film where birds attack?

mrbobyu

There are a few companies who are working on system protection. One of the well-known ones is CrowdStrike; they are new in the market but they have a very dedicated team. http://www.crowdstrike.com/

Neon Samurai

Winn Schwartau has a couple of great talks you can find on YouTube. I think it's in his HITB2013AMS closing keynote that someone asks about attribution (might be his EC-Council talk). In short, accurate attribution and when a digital attack justifies a kinetic response are topics constantly under discussion.