LAS VEGAS — Attribution is one of the biggest problems on the internet when it comes to cyberwarfare. How do you hold a nation responsible for malicious attacks if you can’t determine whether the activity was state-sponsored?

Retired General Michael Hayden, former director of the National Security Agency, said Thursday that one solution being discussed in government is to simply forget about trying to determine if the source of an attack is state-sponsored and hold nations responsible for malicious activity coming from their cyberspace. His words were greeted with applause from the audience of computer security professionals.

“Since the price of entry is so low, and … it’s difficult to prove state sponsorship, one of the thoughts … is to just be uninterested in that distinction and to actually hold states responsible for that activity emanating from their cyberspace,” said Hayden during his keynote address at the Black Hat security conference. “Whether you did [the attack yourself] or not, the consequences for that action [coming from your country] are the same.”

Asked later for examples of what the consequences to a nation might be, he suggested some kind of cyberexile, or a response that would thwart the flow of the internet from the suspect country in a way that would slow their cybercommerce and ability to communicate.

Hayden, who is currently a principal at the Chertoff Group, a security consultant company founded by former Homeland Security Secretary Michael Chertoff, focused his talk on cyberwarfare and acknowledged that the term is thrown “pretty much at anything unpleasant.”

He said the U.S. military doesn’t consider intelligence attacks acts of war but the kind of “normal espionage thing that routinely happens between states.”

“Without going into great detail, we’re actually pretty good at this, and the Chinese aren’t the only ones doing this,” he said.

Outside of this, the U.S. and international community haven’t made much progress in determining what would actually constitute an act of war in this domain, but he said there have been some initial discussions about the idea of having global agreements to restrict certain kinds of activity. He cited denial-of-service attacks as an example of one type that could be restricted under a kind of Geneva Convention agreement on the rules of cyberwar.

“That is such an easily available weapon that we [might decide we] ought to stigmatize its use so that adult nations don’t do it and they don’t allow it to happen from their sovereign space — that’s one thought,” he said.

He also said ideas have been raised about forming the cyber equivalent of demilitarized zones for sensitive networks, such as the power grid and financial networks, that would be off-limits to attack from nation states. He acknowledged that this contradicts the view in kinetic warfare where attacks on power grids and other infrastructures are considered legitimate targets.

In a press conference following his talk, Hayden was asked about cyberespionage and whether the United States considers collateral damage that could occur as a result of such activity by the United States, such as an incident that reportedly occurred in the early ’80s in Russia.

In 1982, the United States reportedly sabotaged the Siberian pipeline through a logic bomb planted in software, causing an explosion. The United States learned from a Russian scientist that the Soviets were stealing data on U.S. technology, so the CIA hatched a plot to insert the logic bomb into software headed to Russia to operate pumps, valves and turbines on the Siberian natural gas pipeline.

At a pre-programmed time, the malware caused excessive gas pressure to build on the valves, resulting in an explosion that was captured by orbiting satellites. Although there were no human casualties, there might have been under different circumstances if the explosion had occurred in a populated area.

Hayden acknowledged during his keynote that there are problems with anticipating consequences of cyberwarfare attacks.

“You can never do anything in this domain without something going pop in [the physical world],” he said. “At the end of the day, it really isn’t a videogame and something’s going to happen in somebody’s physical space.”

He added that in considering the possibilities for collateral damage from a cyberattack, generally the military considers whether the good that is perceived to come out of an action greatly outweighs the possible unintended consequences. But with cyberattacks, the consequences can be much less predictable.

“When you do this, are lights still going to be on on the eastern seaboard?” he said. “When you do something in the cyberdomain, you’re asking a policy maker to accept a risk that’s probably a little less measurable than a parallel operation outside of cyberspace…. The thinking on cyberstuff is so immature that, if we’re not careful, they’ll become the special weapon of the 21st century like nuclear weapons were [in the last century] that you really had to have the president in the room before you could use them.”

Hayden was asked about WikiLeaks and the possible repercussions that will come from the secret-spilling site publishing 77,000 intelligence documents on the Afghanistan war.

“This is an interesting aspect of a cyberwar [that] would not exist in physical space,” he said. “So, how now do we deal with this? Can we sustain espionage? Will it be possible for America to spy if this cultural trend is not modified or muted …? We have less control of our secrets than some other states.”

Hayden said the intelligence community will likely push back against open intelligence-sharing initiatives that evidently made this and other documents published by WikiLeaks vulnerable to leaking. After the 9/11 terrorist attacks, the government made the sharing of intelligence easier in order to combat criticism that people responsible for defending the country didn’t have the information they needed. As a result, intelligence reports and documents were made available to a much wider group of people in the government and military.

Hayden said “it’s going to take very strong leadership” to ensure that there isn’t a knee-jerk reaction that simply closes access to intelligence going forward.”

Read More http://www.wired.com/threatlevel/2010/07/hayden-at-blackhat/#ixzz0vZd9lCMA

http://www.wired.com/threatlevel/2010/07/hayden-at-blackhat/

“The moment you mention a particular state, they will deny it,” West added. “The problem with cyberspace is that attribution is extremely difficult. It’s almost impossible to do it in terms of evidence that would be necessary in a court of law.”

However, he said the UK government had sufficient intelligence to be confident that it knew who the main perpetrators were. Russia has been widely blamed for launching debilitating cyber-attacks on Estonia and Georgia. West said such actions prompted new questions.

“If I went and bombed a power station in France, that would be an act of war,” he said. “If I went on to the net and took out a power station, is that an act of war? One could argue that it was.”

And he warned that there might come a time when the UK would feel compelled to retaliate. “If some state sponsor keeps trying to get into your systems, probably for industrial espionage, are you going to go back into their system and bugger it up? We’re all capable of doing these things. At the moment we wouldn’t do that, but maybe this is where we need to have discussions.”

He suggested that the UK needed to be prepared to tackle a spectrum of threats in cyberspace, including those posed by criminal gangs and terrorists. “I’m very worried they [terrorists] may start becoming cuter and try to use our connectivity to have a go at our critical infrastructure, things [that control] our services, our food [distribution] and water supply,” he said. Terrorists were currently “not brilliant” at attempting this sort of attack on infrastructure, he added, but they would learn fast and “we’ve got to be ahead of them”.

As an example of the potential effects, he talked about what would happen if time signals from global positioning system satellites were disabled. “Not a single cash machine would work, the Docklands Light Railway wouldn’t work, you wouldn’t be able to berth oil tankers, great chunks of our transport infrastructure would stop,” West said.

He drew comparisons with ice storms in the Canadian capital, Ottawa, several years ago. “All the power went down; there were riots with people smashing into stores,” he said.

The government is so concerned at the evolving threats in cyberspace that this month it launched the Office of Cyber Security, which draws on expertise from organisations such as GCHQ, the Ministry of Defence, the Home Office and the Serious and Organised Crime Agency.

The OCS is engaged in planning exercises looking at warfare in 2015 and 2040. Another part of its remit will be tackling online fraud. West described the rise of “malicious” computer code as “exponential” and “mindboggling”. “The more you realise the malicious elements that are out there trying things, the more horrifying it becomes,” he said.

Last week Spanish investigators arrested three alleged ringleaders of the so-called “Mariposa” botnet, which had infected and controlled up to 12.7m PCs. West acknowledged that the 2012 Olympics would be a target for cyber-attacks. “People will be trying to get into the Olympics [ticketing] site to see what they can do,” he said.

His comments come days after the director of the FBI, Robert Mueller, warned that militant groups, foreign states and criminal organisations posed a growing threat to US security as they targeted government and private computer networks. “Apart from the terrorist threat, nation states may use the internet as a means of attack,” Mueller said. “They seek our technology, our intelligence, our intellectual property, even our military weapons and strategies.”

Tags: Aurora, Botnets, China, Google, Malware.

The data about Aurora has always felt just a little off for me. Maybe its that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.

When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in technical write up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic dns provider that hands out sub-domains).

Maybe it is that some name domains that hosted the exploit but do not provide details on C&C’s that compromised hosts check-in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably it is difficult to get a handle on exactly what is what.

Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.

Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military others cast doubt on it. The Financial Times reportsthat “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese State was being the attacks whether or not “amateurs” were used.

So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.

This brings me back to the Damballa report. I really liked this report because is focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection and included many interesting conclusion and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.

The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed, however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dymanic DNS serverice offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).

CnC_Domain.1
CnC_Domain.2
CnC_Domain.3
CnC_Domain.4
blog1.servebeer.com

At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IP’s were not disclosed. Therefore, I am not entirely sure of how the next group of domain names are linked.

baltika1.servebeer.com
m7been.zapto.org
miecros.info
mcsmc.org
yahoo.blogdns.net
filoups.info
google.homeunix.com

While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.

Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”

Fake AV Alert / Scareware
mcsmc.org
micronetsys.org
mnprfix.cn
filoups.info
miecros.info

Fake Microsoft Antispyware
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com
ip-173-201-21-161.ip.secureserver.net
inekoncuba.inekon.co.cu
google.homeunix.com
yahoo.blogdns.net
voanews.ath.cx
ymail.ath.cx

So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).

Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identiofied by Damballa and excluded those that appeared to be other malware or SEO URLs.

For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com tyuqwer.dyndns.org blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list google.homeunix.com and voanews.ath.cx appear on the Damballa list.

The next grouping largely focuses on “mcsmc.org” abnd the domain names that apear with it and request similar URL paths but are not in the Damballa report.

virtualmits.com
syswa.cn
thcway.info
searchnix.info
wscntgy.com
google-analitics.in
licagreem.in
jusched.in

The relationships between the domains can be built our further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusion being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symatec the same — as opposed to similar to — the one used in attack on Google? How were these “master” lists — such as the one by US CERT created? How were these domains bundled together?

In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attack on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.

I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?

Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:

* it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.
* There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.

The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accepts the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.

But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.

Mac Slocum: If you had five minutes or less to give somebody a firm sense of cyber warfare, how would you do that? What would you tell them?

Jeffrey Carr: I like the illustration of the introduction of the handgun. When Colt invented it, it became known as the great equalizer. So the way that the handgun revolutionized warfare is being done now, again. And it would be fair to call cyber warfare the great equalizer because it balances the scales between a vastly superior force and any nation. That’s because of two things: the vulnerability of the current Internet and because most modern military forces are network-centric. The reliance on networks, particularly power networks, to conduct war is critical. Anybody who can attack the network can greatly inhibit a superior adversary. So I think that’s a revolutionary step forward.

MS: Does the cyber warfare threat come from a specific government, or is it more broadly disbursed than that?

JC: I think that every government potentially would use cyber warfare in its own defense, including the ones that we normally would think of. So when it comes to China, for example, they’ve made it very clear they’ll act defensively. You can go back historically and see that.

Part of the Chinese government’s operational guidance for their military is that if an imminent attack was present from the United States, they would launch a preemptive network attack. And so in order to be able to do that, they need to have access to our network beforehand. And that’s why I believe this is such a serious matter. You may not hear about blackouts or power grid failures or any kind of cyber intrusion into the vast electrical grid system, but I think you need to accept the Chinese military at their word and recognize that this is their goal.

Russia, on the other hand, has not made it as clear as China. And Russia has not demonstrated that it would only attack in self-defense. It has used cyber attacks in an aggressive, offensive manner many times, going back into the late ’90s. It’s a whole different ballgame there.

So it really depends on the state. Is it an aggressor nation? Then they’ll use it offensively like Russia has done. There are numerous states in Africa that are using cyber in an offensive manner against internal opposition. We’re going to see more of the prevailing party attempting to silence the opposition party through various means, including cyber attacks.

MS: Doesn’t that mean we’ve got an awful lot of states infiltrating and spying on each other’s systems right now?

JC: Sure. But that’s not new. I call espionage the world’s third oldest profession because it’s been around forever. This is just a new way to conduct espionage that we didn’t see before.

MS: How long has cyber warfare been going on?

JC: It was already happening back in the late ’90s. There was a commission during the Clinton administration. They released the Marsh Report [PDF] in 1997 and it discussed a lot of the same things that we’re hearing about today. It’s not new. It just happens to be a hot topic today.

Governments should worry, not people

MS: Clearly, there’s a threat. And clearly, it’s been present for quite a while. But if we take this down to the individual level, how does personal privacy factor into all this?

JC: Most people don’t have to worry about it. Like the current deal that’s being negotiated between Google and the NSA. The NSA really doesn’t care about most people. They’re only looking for certain things. So I don’t think privacy is an issue.

However, the more important part about privacy is that we’ve already given up privacy voluntarily because of what we post on Facebook, MySpace, Twitter, LinkedIn, Live Journal, and a host of other smaller but still available web forums. So if all a country is doing is mining what’s already out there, then is that considered a violation of privacy? Because it’s publicly available and you made it available.

MS: So how should people approach this?

JS: What I do is if I don’t want it to be known, I don’t post it. I don’t care if it’s password protected or not.

But you don’t want to get carried away. You need to consider: What do I have that’s of value to someone else? That’s what you don’t want to post. Like your bank information. Or if you work for a government or a company and you’re in a position where you know that you’re going to be targeted, then you would have a different approach to your Internet security vs someone who just works in his own neighborhood. That guy doesn’t have any national security ties or work for any industries that are of interest to foreign estates. Most likely, he’s perfectly safe. He shouldn’t really be too concerned.

MS: That’s just common sense, right?

Yeah. I really do want to see it balanced. I hate exaggeration on either side. To over blow the threat is just as wrong as to hide it. What I tried to do in the book is just make it as factual and as balanced as I possibly could.

MS: So some people might work themselves up unnecessarily, but what about governments? Do they take this seriously enough?

JC: The U.S. government is clearly not taking it seriously enough. It makes absolutely no difference what they say because, like I said, you can go back to 1997 and read the Marsh Report and see for yourself. Action is what counts.

My biggest aggravation — I published a post about this on my blog — is you need to start putting your country first. I realize that sounds corny. But in adversary states, it’s not corny. They do put their nation’s interests first. In the U.S., we push that aside for profit. If it hurts business, if it hurts the economy or if it even has the potential of doing that, then we set it aside. And that’s taken us to a place of high vulnerability.

I would like to see people put their self-interests aside, recognize the seriousness of the threat, and collaborate together on actions that can defend us.

The solutions

MS: So what recommendations would you make to governments? What actions can be taken?

JC: The first thing that I would do is enforce the existing requirements that ISPs vet their customers. By ISP I mean any Internet service company that sells or leases servers to host websites. Servers are used as attack points, and if they’re in the United States that’s the best because you’ve got reliable power, great up-time, and it’s relatively cheap. Attribution is almost impossible because you’re attacking a U.S. government website from a server that’s located in the U.S. So who’s responsible?

We can fix that if you simply bring the law to bear on these companies and force them to vet their customers and to monitor what their customers are doing. You could solve a lot of problems overnight because you would force them [countries/people looking to conduct cyber warfare] to find other servers outside of the U.S. It would help attribution and it would help reduce the vulnerability via the internet.

The other thing I would counsel is to evaluate what you own that’s at risk. Consider taking it entirely off the internet. Crucial infrastructures use what’s called an air-gapped strategy, where the control servers have no connection whatsoever to the public Internet. The U.S. government does that with their secret network. SIPRNet is completely isolated from NIPRNet, which is the unclass intranet that runs throughout the government.

MS: You mentioned cyber attack attribution. How are you tackling that?

JC: Most companies are trying to find a technical solution. The thinking is: If you look at the malware closely enough, if you look at the nodes, is there a particular signature that assigns attribution? I’m not convinced there will ever be a technical solution to attribution.

What my company does is expand the picture greatly. We start at the state level. What do we know about what those states are doing? What R&D projects are they financing within their research institutions? That’s where you have to begin because once you know what’s been attacked, then the next question is who does that serve? Who would find that information of value? Is it only of value to a state? That’s where you’ll start looking.

If you can find a state who is actively researching a particular area, and the information that was stolen supports that research, that adds another brick to the wall. We’re looking at it like a criminal case. You have to build a full picture because you’ll never find a smoking gun.

No source, no counter-attack

MS: If a cyber attack can come from anywhere, how does that change the whole notion of a counter-attack?

JC: Right now, that’s why deterrence is impossible. As long as attribution is not forthcoming, you cannot deter. You cannot respond, unless you completely change the model of attribution. And that might be possible. That’s what my company and others are working on. We’re building a more comprehensive model of how to identify where an attack has come from. So it is a challenge that’s being addressed, but it’s going to take a little time before we have an agreed upon way of doing that.

It requires international cooperation. I think the U.S. is on the right track when it comes to trying to have agreements signed among various law enforcement agencies to pursue cyber criminals across borders. It’s the same network. The network that’s being used to send out phishing scams and botnets is, often times, the very same network that’s used to launch various attacks against nation states.

MS: Is “warfare” the wrong word to describe what’s happening? Is it dangerous to categorize cyber warfare as a military domain, like “air,” “land,” or “sea”?

JC: The name of the book is “Inside Cyber Warfare,” but I hate using that word. I used it because that’s what everybody’s using. But there is no agreed upon definition of what an act of cyber warfare is. It just doesn’t exist. There’s cyber conflict. There’s cyber attacks. There’s cyber espionage. There’s all of that. But there is no cyber war that we can point to that has any legal substance.

I think it’s dangerous to define domains in the sense you don’t want to put limitations in your mind about what’s possible via the Internet. The Internet is so completely pervasive that if you only think of it as a single domain, you’re going to block out threat possibilities that could impact other domains. You’re not safe if you’re at sea from a network attack. You’re not safe in the air from a network attack. That’s why I think it’s limiting and probably shouldn’t be defined that way.

A different view of China

MS: For China in particular: what are the things to consider and what are the things to look out for?

JC: China clearly has a lot of problems internally. Their economy is growing, but it’s still relatively fragile and highly dependent on the U.S. The difference in economic conditions varies radically from the countryside to the cities. On the other hand, they own over a trillion dollars of U.S. debt. That gives them incredible leverage. So that’s a balancing act that’s going to be very interesting to watch, especially over this Google issue. But they’ll never concede to eliminating censorship on their Internet. They’ll walk away from Google if that’s what it takes.

People inflate fear about China, but China has no interest in attacking the U.S. They want the same things that any country would want. And they’re going about it the same way that we would go about it. We’re doing espionage. We’re looking after our interests. We’re exerting our will as a nation. It’s silly to try to take the moral high ground here. It doesn’t serve any useful purpose.

MS: One of the interesting points that came out of the Google-China analysis is the idea that Google has its own foreign policy now. Do you think that’s the case?

JC: Honestly, I don’t see it as anything new. The idea of a new, more sophisticated attack against Google that we’ve never seen before, I think that’s overblown. The idea that you have hackers who gain entrance to a network and then exploit data from that network, that’s not new. This is all just espionage. Google is just another company that has something of value.

But Google does represent a turning point because it’s getting so much press. It’s raising the issue to the point where the U.S State Department got involved. That’s all good.

Near-term hotspots and the most vulnerable target

MS: Broadly, what do you see happening within cyber warfare over the next few years?

JC: Africa has a huge population of infected computers. I read one estimate a few months ago that they have about 100 million PCs scattered throughout the continent and maybe 80 percent of those are infected. Once broadband hits Africa, then you’ve got this huge opportunity for botnets to spring up. These mega botnets could conceivably dwarf Conficker or some of these other huge botnets.

East Africa is another spot to watch. In Somalia, where piracy is lucrative and the area is so lawless, it’s such a chaotic environment. There’s a growth of religious extremists there as well. So you’ve got criminals with a huge pile of cash, these pirates, and then you have these radical extremists looking for ways to create havoc. Should their interests coincide, I would fear for very destructive Internet attacks.

MS: Last question: Out of all this, what’s the thing that keeps you up at night?

JC: The most worrisome thing to me is the vulnerability of the power grid. I just released a report on this — it’s Project Grey Goose’s Report on Critical Infrastructure — where I and my team of researchers document the problem. The Department of Defense has identified 34 critical assets to conducting its mission. Thirty-one out of the 34 are dependent on the public power grid.

I know in my state of Washington, they tell us that if there’s an earthquake or some other natural disaster, you can expect no help for at least seven days. There will be no police response, no 911 response, no National Guard for at least seven days because they’ll all be busy protecting critical infrastructures. And so that’s what I worry about. The grid is so vulnerable. It would cause a lot of chaos here if somebody were to actually attack it.

Note: This interview was condensed and edited.

While the Feds embrace this idea, many businesses in Corporate America fail to see the benefits in taking this extra step in their cyber forensic investigations. Most are concerned only with ensuring that such an attack never occurs on their systems again, and pay little – if any – attention to whomever is playing havoc with their network. Anecdotal evidence suggests the reasons are numerous, with the most popular being that it’s not worth the time and effort since there’s most likely no real legal recourse against such organizations anyway. Additionally, some organizations believe that making the suspects known will only encourage future attempts to infiltrate their networks.

A notable exception to this tendency is Google’s recent corporate blog posting regarding suspected hacking of Gmail servers by the Chinese government. Google made the effort to determine the source of the attack on their servers, and more notably, disclose the information that they discovered forensically to the public with the methods and suspected perpetrators of the attack.

Benefits outweigh the costs

More companies should follow Google’s example, if not in the publication of cyber attacks and methods, at the very least in determining the “who” and the “how” of the attack. In fact, companies that don’t try to uncover the people and groups behind the attacks are doing themselves more harm than good, both in long term monetary loss to their shareholders and loss of competitive advantage. Determining who was responsible can shed light on numerous opportunities and unforeseen pitfalls.

For example, a multi-national firm may discover that an overseas competitor was behind a particular attempt to hack into their network because they were looking to gain insight into their technology for use in a developing market. Recognizing that the attack came from a foreign government allows the corporation to bring in U.S. government resources who are interested in criminal activity or espionage threats. Even marketers who measure such things as brand equity can leverage such information about who’s attacking the system to determine the depth and nature of the competitive threat in different geographic areas and market.

Identifying the assailants by groups will not necessarily encourage additional attacks. In many cases the opposite is true– hackers don’t want to be known and will run for cover when the light is shined upon them. Google is betting on just that by publicly threatening to shut down its Chinese operations in the wake of the aforementioned attacks against its networks.

Suffice it to say there are ample reasons why companies should spend time and resources to not just understand the “how” of cyberattacks directed against them, but also the “who”. If knowledge is indeed power, than organizations need to make it a point to seize the opportunity to learn more about their people behind such events in order to learn from them. The dividends can be significant and potentially critical to the company’s future success.

“We know that cyber weapons are being used. It’s a reality,” said Paul Kurtz, who led Obama’s cybersecurity transition team and is a partner at Good Harbor. “But what does that mean? We need some way of evaluating what’s happening in order to frame [the national] response, and we have to take this discussion outside the classified confines of government. What would our response be to cyberwarfare? Who are our partners? Government is very reluctant to talk openly about these issues.”

Kurtz said one reason for government’s lack of transparency regarding a cyber defense strategy is that it hasn’t been developed yet, and federal officials are reluctant to engage in any public discussion with companies or international partners until they have established a basic framework.

Among the biggest hurdles to developing a strategy is defining what constitutes an act of cyberwar, according to the report. Good Harbor recommends considering four factors to determine whether a cyberattack is an act of war:

–What is the source of the attack? Was it carried out or supported by a nation-state?
–What were the consequences of the cyberattack? Did it cause harm?
–What was the purpose of the attack? Was it politically motivated?
–How sophisticated was the cyberattack? Did it require customized methods and complex planning?

Cyberattacks against Estonia in 2007 and against Georgia in 2008 both could be reasonably defined as acts of war because they were motivated by clear political reasons. In the case of Georgia, it was generally accepted that the source of the cyberattacks was Russia. The attack shut down the governments.

The cyberattacks against Estonia were targeted against Web sites operated by the Estonian parliament, banks, ministries, newspapers and broadcasters amid conflicts with Russia.

By comparison, attacks that took down multiple federal Web sites on July 4, 2008, including those run by the State, Transportation and Treasury departments, showed no solid evidence that they were sponsored by a nation-state, were not politically motivated, resulted in limited consequences and were not sophisticated, according to the report. Therefore the attacks, as defined by Good Harbor’s criteria, were not likely an act of cyberwar.

“A lot of people are jumping up and down and saying, ‘The age of cyberwar is here,’ but we need to try to evaluate the situation in a context that people find meaningful, to find a way to better understand what is happening around us,” Kurtz said.

The threat from cyber attacks, which can be politically or criminally motivated, is apparently relentless.

“Every quarter of a second, there is an attack somewhere on the Internet,” said Mr Ilias Chantzos, director of government relations at Symantec Corporation, maker of Norton security products.

Cyber attacks can present problems for general Internet users.

“Roughly, you’re looking at an attack rate of one (out of) every five persons… connected on the Internet right now,” claimed Mr Chantzos, who added that this did not mean that the computer attacked would necessarily be compromised, as that would depend on whether it had adequate protective safeguards.

The ascendency of broadband, following the dark ages of slow, dial-up connections to the Internet, ironically increases cyber security risks.

“It’s not that the broadband is vulnerable… we leave the computer always on, the computer is always connected, therefore by definition, it’s more susceptible to attacks,” said Mr Chantzos.

Cyber attacks can take place via “botnets”, which are networks of “zombie” or “Web robot” computers infected with a virus that lets criminals remotely control these innocent machines.

These “bots” could number in the tens of thousands, or, Mr Chantzos said, even “1 million” or more.

If your PC has been corralled into a botnet, you could experience significant slowdown but there aren’t always obvious signs that your computer has been infected.

According to Mr Tan Wei Ming, Symantec’s senior manager for government relations, possible signs of infection include your computer “(sending) out spam, sometimes it could receive some strange emails, and your friend calls you and says, ‘did you send that out?’ You say no”.

Dr Godfrey Gaston, director of Queen’s University Belfast’s Centre for Secure Information Technologies, said that home computers would be more vulnerable than corporate computers to being used as part of a botnet as the latter tend to be better protected.

Zombie computers are often programmed to launch denial-of-service attacks, blitzing targets with data, sometimes forcing them to shut down.

Such botnet attacks, targeted at American and South Korean government and commercial websites, were seen in July. Official Estonian and Georgian websites have also been targets in 2007 and 2008, respectively.

More sophisticated forms of hacking include attempts to infiltrate website defences to steal confidential data. In April, a former US government official said that spies had hacked into the US electric grid and left behind computer programmes that would let them disrupt service.

One of the problems in identifying perpetrators is that locations can be masked.

“It’s really easy to disguise a cyber attack as coming from another place,” said Ms Jena Baker McNeill, an analyst at the Washington-based Heritage Foundation.

A cyber attack targeted at a computer in the US, for example, could be launched by a hacker in Japan, who remotely controls a compromised computer in France.

Cyber attacks are therefore complicated by “the problem of attribution”, said Mr Tony Skinner, the features editor of trade journal Jane’s Defence Weekly.

Said Mr Chantzos: “What you need to do is… find the PC that was attacked, forensically analyse it, identify the origin of the attack, go to the Internet Service Provider (ISP), then determine from the ISP where the attack is coming from, then follow the chain. This is a job that the police are equipped to do.”

Cyber attacks that make the news – and many such attacks go unreported – are often played out along nationalistic lines.

Regarding the massive cyber assault on Estonia in 2007, Dr John Harrison, a terrorism expert at Nanyang Technological University’s S Rajaratnam School of International Studies, said: “It wasn’t entirely clear if the Russian government was directly behind it, but it was certainly people who were sympathetic to the views that the Russian government held.”

Arguably, cyber attacks can be read in some cases as a proxy conflict, even where the protagonists are not unequivocally identified, as in the case of the Georgian-Russian war last year, which was immediately preceded by a wave of cyber attacks.

Another conflict arena for cyber attacks, Dr Harrison said, was “the Israeli-Palestinian conflict, where both Hamas… and the Israeli government are attacking each other’s… websites”.

The researchers of GhostNet, which was accused of spying on the Dalai Lama, said the computers used were based almost exclusively in China, though the Chinese denied the allegations of spying.

Last month, the US’ intelligence director Dennis Blair grouped China, Iran, North Korea and Russia as nations with the ability to “challenge US interests in traditional and emerging ways”.

His report, the National Intelligence Strategy, noted that China “is very aggressive in the cyber world”.

Dr Harrison noted that these four countries have also been accused of “attempting to develop offensive cyber capabilities particularly targeting the US and Western militaries”.

While nations like America are taking steps to combat cyber threats (in the case of the US, with its US Cyber Command agency), there is a recognition by some that offensive cyber capabilities are the flip side to such defensive efforts.

Jane’s Mr Skinner said that “people outside of the (US) cyber command have pointed out that a cyber attack capability is effectively part of cyber defence … part of the whole deterrence aspect of it”.

When asked if this was similar to the concept of nuclear deterrence, he agreed.

In this respect, the generals perhaps need to learn from the bankers. Said Mr Skinner, “the militaries are in a lot of ways catching up” with banking institutions, the traditional targets of cyber attacks and criminal hackers.

- TODAY/yb