Warfare 2.0

Originally published in SPIDER Magazine on February 15, 2009.

Cyber war is coming, say security experts and analysts. But while they’ve been saying that for the last decade or so, it took a few major events for the fear to break into the general public consciousness.

Computer systems exist in almost all aspects of critical infrastructure – economic transactions, military operations and even personal commerce and communication among other things depend on their smooth functioning. A direct attack on such networks can clearly disrupt day-to-day communications with losses culminating in loss of real money. But does “War 2.0” just mean the use of computer networks to achieve the same ends as its traditional bullets-and-blood predecessor, or has war really evolved into a different, if not altogether new, form?

In part one of this series, we looked at the origins and rationale of cyber warfare. This article looks at the tools of the trade in what seems to be an evolution of the art of war.

There is understandably much confusion as to the real nature of cyber war, with mainstream media and overzealous military analysts perpetuating vastly differing ideas about the concept. Cyber war, as defined in traditional terms, is an assault on electronic communication networks – the use of computer networks to ‘attack’ an enemy’s strategic assets in cyberspace. Be it infiltration of sensitive private networks, DoS (denial of service) attacks on critical infrastructure or a drive-by defacement of a political party’s website – this all falls under the definition of ‘cyber war,’ and this is perhaps why the term is shrouded in fear, uncertainty and doubt.

To simplify, we can divide cyber war into two generalized types – overt and covert.

Overt cyber war is the type most commonly recognized – it is what was seen in the DDoS (distributed denial of service) attacks on Estonia in 2007 or Georgia in 2008, which is hardly the most damaging type of assault. James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, says, “Denial of service is not the most dangerous form of attack. This was not the first time that a government has seen foreign protestors attack servers and Web sites with botnets, hacks, and graffiti. China, Israel, India, Pakistan, and the United States have seen similar attacks, albeit on a smaller scale.”

Recent showdowns between Pakistani and Indian hacker groups are also great examples of such hacktivism at work. Hackers from both sides of the border have engaged in random, and on some occasions somewhat orchestrated, targeted DDoS attacks and defacements (where the hacker posts a derogatory message or deletes/adds content at the victim site); a recent outburst took place in November 2008, prefacing the terrorist incidents in Mumbai. A hacker group calling themselves HMG (Hindu Militant Group) hacked and defaced the Pakistan Oil and Gas Regulatory Authority’s (OGRA) website. In response, a Pakistani group, PCA (Pakistani Cyber Army), defaced a handful of Indian sites and DDoS’d some others, including those of India’s Oil and Natural Gas Corp., CID Andhra Pradesh, and the Bank of Baroda. Battles such as this one are commonplace among Pakistani and Indian hackers, and similar episodes have taken place in 1999 (during the Kargil War) and in 2002-3 when there was a possibility of an outbreak of war.

Although the most recent bout ended with a joint statement of peace from PCA and ICW (Indian Cyber Warriors) after about a week of intense cyber action, it is not difficult to imagine how this sort of situation can arise, especially considering the current political situation with emotions and stakes running high on both sides of the border.

A new kind of cyber warfare

Then there is the covert type of cyber attack, the kind which keeps security experts up late at night. This is the form of cyber war experts are preparing to see, and in some cases already are seeing: governments probing each other’s networks for intelligence gathering, the internet being used as a propaganda tool and the public engaging in politically motivated cyber riots under the cover of internet anonymity.

An example of this can be seen in Titan Rain, a series of coordinated breaches of US military networks in 2004 which resulted in approximately 10TB (terabytes) worth of information being downloaded by alleged Chinese military hackers. The hackers broke into several high-security US networks and managed to steal a pile of sensitive documents, including documentation on one of NASA’s probes to Mars, and missile and flight planning systems used by the Air Force and Army.

The recent battle between Israel and Hamas in Gaza showed us another face of cyber warfare – using the internet to change public opinion. “The Israel/Gaza bloodbath is being fought on the ground, in the air, and—furiously—on the Internet,” writes Nate Anderson, senior editor at Ars Technica. Both sides are leveraging the internet and social media to the fullest to propagate their points of view across the world. Israel’s military (IDF) has their own YouTube channel and a blog, offering official news and updates on the military operation. The Israeli Consulate in New York held a press conference on Twitter (a microblogging site) in December, accepting questions from all Twitter users. The user-base of Twitter consists mainly of bloggers and people with active online presence – the move to hold a press conference there was therefore an excellent way to leverage the power of ‘word-of-mouth’ to spread what the Israeli government had to say. On the other side, Hamas is doing the same thing but on a smaller scale, with a website (available in eight languages) and a YouTube clone that launched back in October last year (but was taken offline soon after). Hamas has also accused Israel of interrupting their radio and TV broadcasts in Gaza with anti-Hamas messages. Of course, with all that also come the obvious website defacements and DDoS attacks from both sides.

The internet is open to all and essentially free to use; with the right tools it can be used as a weapon, and it lacks any formal ‘rules of engagement’ in case of conflict. That is why cyber war makes sense.

Although cybarmageddon (a tongue-in-cheek term for all-out cyber war) does seem unlikely, the fact remains that governments all over the world have begun using the internet as a “weapon.” McAfee, in their annual Virtual Criminology Report (2007) estimated more than 120 countries are leveraging the Internet for “political, military, and economic espionage activities.”

Kevin Poulsen, senior editor at Wired News, points out the much overlooked fact that “real cyberwarriors aren’t interested in clogging the public internet like spammers; they use the internet as a path to sensitive, private networks where sabotage has some hope of causing physical, real-world mayhem that outlasts the attack.” Poulsen, who is skeptical of real cyber war or cyber terrorism ever occurring, asks, “They unleash their deadly viruses and then they land on the beaches and sweep across our country without resistance because we’re rebooting our P.C.s?”

So the question to ask: is cyber war really a threat? Can a cyber assault alone serve as a devastating enough attack? Perhaps not in the same sense as some Hollywood movies might have you believe (hint: Die Hard 4.0 and Eagle Eye), but cyber warfare is a valid concern nonetheless. Will governments use it? Definitely.

It isn’t just simple website defacements and denial of service attacks that worry people – both of which can be easily combated. There are any number of ways an attacker could carry out the more serious type of cyber attack. They could infiltrate a private network by socially engineering (or phishing) the credentials out of someone who already has access, or install a keystroke logger by exploiting a security vulnerability in Windows, for example. Targeted hits like this are already happening in the online criminal world. The city of Sandwich, MA, for example, lost nearly $50,000 to a hacker who was using a similar technique. The attacker had used a virus to install a keystroke logger on the city treasurer’s computer, which provided him with the credentials needed to funnel the money out to an account in St. Petersburg, Russia.

In other news, October last year saw European law-enforcement agencies uncover a highly sophisticated fraud ring that funneled stolen credit card information to Lahore, Pakistan. Credit card machines installed in several grocery stores across the UK were found to have a special device inserted behind the motherboard that stole information from the machine’s firmware. The device stole information intermittently to avoid detection and, once a day, uploaded the data to a server in Lahore. Estimates of losses range from $50 million to $100 million, and nobody knows who was behind the whole thing. The only way to tell a bugged machine from a regular one was to weigh them – the bugs added a few extra ounces to the machine’s weight. The whole operation was discovered when a security guard alerted authorities after noticing static on his cell phone while the device was uploading data. The technological achievement of this story cannot be overstated. Who is to say the same startling expertise cannot be applied to bigger targets? Computers exported to a rival country, perhaps?

Governments are very reserved about revealing their respective defensive and even offensive capabilities in cyber space. Independent researchers and analysts, meanwhile, try to come up with ways of dealing with such a situation. The first action is proactive defense, but this step is sadly often either ignored completely or carried out lackadaisically. Locking the front door is always a good idea, and the same principle applies here. Firewalls, solid authentication systems and log monitoring are all part of the plan. Ideally a good system would provide physical security such as restricted special access points; logistic security like encryption, system audits etc.; and structural security, which deals with informing users of security practices and of what to do in case a breach does occur.

The obvious problem with this approach is, of course, that it can never be foolproof. Even with the smartest implementation, there can always be complications or unforeseen circumstances that blindside the mechanism. Every information system has a potential weakness and the aim is to minimize the effects of that weakness being exploited.

In cases where an attack or breach does occur, there is a tendency to panic, or overreact in the heat of the moment. For example, when Estonia was being hit with DDoS attacks in 2007, its leaders lost control and panicked; the speaker of the Estonian parliament equated the DDoS attack to a nuclear explosion! Behind the scenes, however, the Estonian CERT (Computer Emergency Response Team) worked to take control of the situation, blocked attacking IPs and took stock of the country’s bandwidth.

Estonian politicians and media were quick to blame Russia straight off the bat, but it was soon pointed out that just because some IPs seemed to be from Russia didn’t mean the Russians were behind it. Attackers can bounce packets from one place to another before they hit the target, which essentially means the methods used to trace the source of a DDoS attack are moot. “Any capable adversary, which includes both nations and criminals, won’t use their own computers,” says Stephen Kent, a computer-security expert with BBN Technologies. “They’ll use someone else’s computers.” Nearly a million computers from 100 different countries attacked – they were all part of botnets, of course, and the countries from which they attacked cannot be held responsible. “Most of them came from the United States,” says General William Lord, commander of the US Air Force Cyber Command (AFCC). “But the United States and Estonia are great friends. So, the problem for a nation-state is: Who do you take action against?”
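The two steps described above, the CERT blocking attacking addresses by their request rate and the futility of reading attribution off those addresses, as an added example that is not from the article or the Estonian CERT: it runs a sliding-window rate check over constructed log lines and then breaks the flagged addresses down with a constructed IP-to-country table standing in for a GeoIP lookup.

```python
# Added example, not from the article: flag DDoS sources by request rate over
# constructed log lines, then break the flagged addresses down by country to
# show why the geolocation of a source IP says little about who is attacking.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2007, 4, 27, 10, 0, 0)  # constructed timestamp base

def _burst(ip, count, spacing_s):
    """Build constructed 'timestamp ip path' log lines for one source."""
    return [f"{(BASE + timedelta(seconds=i * spacing_s)).isoformat()} {ip} /"
            for i in range(count)]

# Constructed traffic: four botnet-style bursts plus two low-rate visitors.
LOG_LINES = (_burst("203.0.113.5", 20, 0.25) + _burst("198.51.100.7", 12, 0.5)
             + _burst("203.0.113.44", 9, 1.0) + _burst("198.51.100.20", 8, 0.4)
             + _burst("192.0.2.9", 3, 20) + _burst("192.0.2.77", 2, 30))

# Constructed IP-to-country table standing in for a GeoIP lookup.
GEO = {"203.0.113.5": "US", "198.51.100.7": "DE", "203.0.113.44": "US",
       "198.51.100.20": "EE", "192.0.2.9": "RU", "192.0.2.77": "FI"}

def parse_line(line):
    ts, ip, path = line.split()
    return datetime.fromisoformat(ts), ip, path

def flag_sources(lines, window=timedelta(seconds=10), threshold=5):
    """Return the set of IPs that sent more than `threshold` requests
    inside any `window`-long sliding interval."""
    stamps = defaultdict(list)
    for ts, ip, _ in map(parse_line, lines):
        stamps[ip].append(ts)
    flagged = set()
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged

def by_country(ips, geo):
    """Count flagged addresses per country; unknown addresses count as '??'."""
    return Counter(geo.get(ip, "??") for ip in ips)

if __name__ == "__main__":
    bad = flag_sources(LOG_LINES)
    print(sorted(bad), dict(by_country(bad, GEO)))
```

Note that the one address geolocated to Russia in the constructed data is a low-rate visitor and is never flagged, while the flagged bots resolve to the US, Germany and Estonia itself.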

Some advocate a more aggressive approach to the cyber war problem. Col. Charles Williamson of the US Air Force Intelligence Agency suggested the creation of the military’s own botnet to help fight back against attackers. However, such a tactic is risky because the botnet might instead be used against the military itself. “In the perverse logic of network security, an army of weaponized computers at your disposal is just as likely to be used against you,” writes Glenn Derene, contributing editor at Popular Mechanics and 3-time Emmy nominee. What’s more, such a weapon would turn out useless, even as a scare tactic, without reliable methods of identifying the attacker.

“War 2.0” is about using computer networks and the internet to set and help achieve the goals of a traditional war. The DDoS attacks on Estonian and Georgian networks, the defacements of Indian and Pakistani websites and the online war of perceptions waged by Israel against Hamas are all examples of cyber war – but what they hope to achieve is more than just denial of service or geek cred.

Cyber warfare is far from a black-and-white problem. It involves not only highly trained hackers, but also the public and how the masses can be manipulated. Its true face may never materialize, or if it does, it may not be evident at the time. Government, military and economic systems are increasingly reliant on computer networks, and the security of these networks is a problem we need to deal with. On one hand we have the alarmists and prophets of doom, declaring cybarmageddon. The other side of the fence sees the calm and reassuring pundits debunking the hype. But whatever form it may take in the future, cyber war is nonetheless a valid concern, whether it just involves cutting off a rival country’s access to the outside world as with Georgia; cross-border hacktivism like with India and Pakistan; or infiltration of top secret networks such as with Titan Rain. We can dream up dozens of possible scenarios where a cyber attack could lead to an economic disaster or even loss of life, but doing just that will get us nowhere. What we really need to be working on is a plan of action. What a good cyber strategy involves, and whether it is purely up to the government to implement or calls for a wider approach involving the private sector, is up for debate.

In the face of actual war—the kind involving guns, tanks and bombs—worrying about a hacker may seem folly. However it is important to realize that actual cyber war isn’t so much denial of service attacks; rather it could be a national security breach at the hands of rival states or criminal organizations. As Erich Simmers, a PhD student at the University of Florida, puts it in his blog Weaponized Culture, “The question is not whether an unavailable service or defaced website outweighs the human cost of war but rather how cyberwar fits into its larger scope.”