<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Georgia</title>
	<atom:link href="http://www.infowar-monitor.net/tag/georgia/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Cyber attacks already launched</title>
		<link>http://www.infowar-monitor.net/2010/10/cyber-attacks-already-launched/</link>
		<comments>http://www.infowar-monitor.net/2010/10/cyber-attacks-already-launched/#comments</comments>
		<pubDate>Mon, 25 Oct 2010 14:04:11 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Russia]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6548</guid>
		<description><![CDATA[Source: Peter Goodspeed, National Post. Cyber warfare battles have already been fought in Estonia and Georgia. For three weeks in the spring of 2007, Estonia, which has one of the highest levels of Internet penetration in Europe, was bombarded with a wave of sophisticated cyber attacks that targeted the country&#8217;s parliament, banks, newspaper and government ministries. [...]]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.nationalpost.com/news/world/Cyber+attacks+already+launched/3715888/story.html" target="_blank">Peter Goodspeed</a>, National Post</p>
<p>Cyber warfare battles have already been fought in Estonia and Georgia.</p>
<p>For three weeks in the spring of 2007, Estonia, which has one of the highest levels of Internet penetration in Europe, was bombarded with a wave of sophisticated cyber attacks that targeted the country&#8217;s parliament, banks, newspaper and government ministries.</p>
<p>The denial of service attacks, from tens of thousands of computers in Russia and around the world, effectively paralyzed Estonia.</p>
<p>Estonian officials, who for weeks had been embroiled in a bitter diplomatic dispute with Russia over the removal of a Soviet-era monument, were quick to blame the Kremlin for the attacks.</p>
<p>The Russians denied the charge.</p>
<p>But months later, an aide to one of the leaders of the then-president Vladimir Putin&#8217;s pro-Kremlin United Russia party claimed responsibility for the cyber attacks, saying they were an &#8220;act of civil disobedience&#8221; by the pro-Kremlin youth group Nashi.</p>
<p>Estonian experts discount that claim, saying the attacks were too sophisticated to be the work of a single group of mischievous hackers.</p>
<p>A year later, when Russia and Georgia had a brief border war, the Russian ground invasion was preceded by a denial of service attack on the Georgian government&#8217;s websites.</p>
<p>&#8220;Everyone assumed this was coming from Russian websites, but research we have done showed you can&#8217;t really tell,&#8221; said Ron Deibert, a telecommunications expert who runs the Citizen Lab research facility at University of Toronto&#8217;s Munk School of Global Affairs. &#8220;More importantly though, we found that the tools that were used in the attack were associated with the criminal underground. They had been used to attack banking sites, pornographic websites and engaging in extortion, long before the Georgian attacks. So they were either operating on their own in a patriotic manner or they were contracted out by the government.&#8221;</p>
<p>There is widespread suspicion Russia was renting the services of cyber criminals in much the same way great powers gave letters of marque to privateers in the 17th and 18th centuries and authorized them to attack foreign shipping.</p>
<p>&#8220;It is more effective for them to cultivate a criminal underground in order to shield their own identities,&#8221; Prof. Deibert said.</p>
<p>That sort of flexible anonymity worries U.S. policy makers.</p>
<p>&#8220;Cyber attacks offer a means for potential adversaries to overcome overwhelming U.S. advantages in conventional military power and to do so in ways that are instantaneous and exceedingly hard to trace,&#8221; said William Lynn, the U.S. Deputy Secretary of Defence. &#8220;A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/10/cyber-attacks-already-launched/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It’s Georgian Independence Day &#8211; but how many more will there be?</title>
		<link>http://www.infowar-monitor.net/2010/05/it%e2%80%99s-georgian-independence-day-but-how-many-more-will-there-be/</link>
		<comments>http://www.infowar-monitor.net/2010/05/it%e2%80%99s-georgian-independence-day-but-how-many-more-will-there-be/#comments</comments>
		<pubDate>Wed, 26 May 2010 15:58:44 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Georgia]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6073</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.timesonline.co.uk/tol/news/world/world_agenda/article7136828.ece" target="_blank">Barney Thompson</a>, Times Online.

“For Russia, Georgia is unfinished business,” a top intelligence official told The Times. Apart from the military presence in Abkhazia and South Ossetia, he cited a “very active intelligence operation”, intimidation of investors, support for sympathetic politicians and the continued threat of cyber attacks. Hackers managed to cripple Georgia’s banking system for several days during the August 2008 conflict. 

He also raised the fear that the Kremlin would encourage further ethnic unrest to create more conflicts such as that in South Ossetia; Georgia has sizeable Armenian and Azeri populations and several other ethnic groups, including Russians. “We are in a fight for our survival,” the official said. 

To that end Georgia is eager for membership of Nato. The Government has been modernising its armed forces with Western assistance and contributes about 900 troops to the Nato force in Afghanistan. In Tbilisi government buildings ostentatiously display the EU flag next to their own, a sign of an unwavering aspiration to join the club. 

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.timesonline.co.uk/tol/news/world/world_agenda/article7136828.ece" target="_blank">Barney Thompson</a>, Times Online.</p>
<p>At the end of a dusty road leading north from the town of Gori — Stalin’s birthplace — a small encampment of sandbags and a Georgian flag marks the border with South Ossetia. About 100 metres away another flag pokes up into the dull sky, but that one is Russian. Neither side has any communication with the other, says an enormous policeman in full camouflage, and it has been more than a year since anyone fired a shot. </p>
<p>In the mountains behind him, however, there are more than 4,000 Russian troops and 1,000 FSB border guards with tanks, armoured vehicles and helicopters. Over to the west, in Abkhazia, there is a similar force. </p>
<p>Georgia celebrates its Independence Day today in the belief it is in a fight for existence with a ruthless, implacable enemy. With the loss of Abkhazia and South Ossetia — the latter after a short, disastrous war in August 2008 — 20 per cent of Georgia belongs to someone else. </p>
<p>To the Kremlin these regions are autonomous republics; Georgian politicians use the phrase “occupied territories”.</p>
<p>“When you have foreign forces on Georgian soil you can’t describe it any other way than an occupation,” says Eka Tkeshelashvili, Secretary of the National Security Council. </p>
<p>The wars in South Ossetia and Abkhazia have left Georgia with about 22,000 refugees to house, some of whom now live in long rows of small buildings that line the road from Tbilisi to Gori, better than tents but no substitute for the homes they were driven out of. </p>
<p>“For Russia, Georgia is unfinished business,” a top intelligence official told The Times. Apart from the military presence in Abkhazia and South Ossetia, he cited a “very active intelligence operation”, intimidation of investors, support for sympathetic politicians and the continued threat of cyber attacks. Hackers managed to cripple Georgia’s banking system for several days during the August 2008 conflict. </p>
<p>He also raised the fear that the Kremlin would encourage further ethnic unrest to create more conflicts such as that in South Ossetia; Georgia has sizeable Armenian and Azeri populations and several other ethnic groups, including Russians. “We are in a fight for our survival,” the official said. </p>
<p>To that end Georgia is eager for membership of Nato. The Government has been modernising its armed forces with Western assistance and contributes about 900 troops to the Nato force in Afghanistan. In Tbilisi government buildings ostentatiously display the EU flag next to their own, a sign of an unwavering aspiration to join the club. </p>
<p>Georgia will have to be patient; it is highly unlikely that Nato countries would have any desire to risk being dragged into a fight with Russia in such a volatile area, and some politicians are quietly dismayed at the Obama Administration’s efforts to “press the reset button” on its relations with Moscow. “The US has a policy of engagement with Russia which we don’t oppose if it leads to positive changes,” Ms Tkeshelashvili said. </p>
<p>But the Government has its heart set on Nato membership and is adamant that it will join, Russian objections notwithstanding. “Russia still calls the former Soviet states the Near Abroad, meaning that once you were a part of us, and in the future you will be part of us again,” said David Bakradze, Speaker of Parliament. “We are willing to co-operate on almost everything but we have our red lines: we decide who is our president, not the Kremlin, and we decide if we want to join Nato, not the Kremlin.” </p>
<p>While it waits, the Government says that strengthening the country’s democracy and economy is its best defence. Politicians proudly point to progress made in rooting out corruption and modernising the state since Mikhail Saakashvili came to power in the Rose Revolution of 2003, and international observers back this up. Transparency International ranks it at 67th out of 179 countries in its annual index, a vast improvement compared to only a few years ago. Yet unemployment remains a big problem. Official statistics put it at about 15 per cent but the true figure is probably higher and levels of foreign investment are still low. </p>
<p>For all the criticisms of Mr Saakashvili — that he is too powerful, too flashy and too fond of favouring friends and allies — no one attacks his stance on Russia. “The more concessions you make, the more Russia wants,” the President told reporters this week. “Show me one example when lying down before Russia proved successful.” </p>
<p>“If we give up the idea of territorial integrity we are deeply damaged as a state,” said Mr Bakradze. “We may have resumed flights [this week] and have diplomatic relations but there is no solution to our long-term relations unless and until Moscow accepts Georgia as a normal neighbour.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/05/it%e2%80%99s-georgian-independence-day-but-how-many-more-will-there-be/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blurring the Boundaries Between Cybercrime And Politically Motivated Attacks</title>
		<link>http://www.infowar-monitor.net/2010/04/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/</link>
		<comments>http://www.infowar-monitor.net/2010/04/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/#comments</comments>
		<pubDate>Tue, 13 Apr 2010 07:08:24 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Russia]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5959</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://blogs.forbes.com/firewall/2010/04/12/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/?boxes=Homepagechannels">Nart Villeneuve</a>, Forbes. 

An emerging area of inquiry in security research is the blurring boundaries between cybercrime and other, more targeted forms of attack, and more specifically attacks that appear to be politically motivated. These attacks often take the form of targeted malware attacks that act as a form of surveillance in which sensitive documents and communications are captured from the targeted organizations and individuals or politically motivated distributed denial of service (DDoS) attacks that aim to punish, disrupt and censor the ability of the targets to communicate to the world.

One of the themes that informed the "Shadows in the Cloud" report was the (potential) relationship between crimeware networks and cyber-espionage. The boundaries between the two appear to be blurring, making issues of attribution increasingly complex. It may also indicate that there is an emerging market for sensitive information and politically motivated attacks as crimeware networks seek to monetize such information and capabilities.

I explored this theme in a report on a case related to the Kneber botnet documented by NetWitness in which a known ZeuS-based botnet, typically used to steal banking information and other credentials, was specifically targeting .mil and .gov email addresses with spearphishing attacks and then dropping a second piece of malware, an infostealer, on the compromised systems that uploaded sensitive documents to drop zones in Belarus and Russia. This botnet was engaged in all sorts of other malicious activity associated with cybercrime.

When it comes to DDoS attacks a similar pattern is observed. Jose Nazario of Arbor Networks wrote a very interesting paper that analyzed politically motivated DDoS attacks (and is basically the inspiration for this blog post). The numerous DDoS attacks described in this paper are very interesting; some are punitive attacks, others appear to be an effort to censor political speech (something I worked on at ONI in the past with Kyrgyzstan in 2005 and Belarus in 2006).

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://blogs.forbes.com/firewall/2010/04/12/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/?boxes=Homepagechannels">Nart Villeneuve</a>, Forbes.</p>
<p>An emerging area of inquiry in security research is the blurring boundaries between cybercrime and other, more targeted forms of attack, and more specifically attacks that appear to be politically motivated. These attacks often take the form of targeted malware attacks that act as a form of surveillance in which sensitive documents and communications are captured from the targeted organizations and individuals or politically motivated distributed denial of service (DDoS) attacks that aim to punish, disrupt and censor the ability of the targets to communicate to the world.</p>
<p>One of the themes that informed the &#8220;Shadows in the Cloud&#8221; report was the (potential) relationship between crimeware networks and cyber-espionage. The boundaries between the two appear to be blurring, making issues of attribution increasingly complex. It may also indicate that there is an emerging market for sensitive information and politically motivated attacks as crimeware networks seek to monetize such information and capabilities.</p>
<p>I explored this theme in a report on a case related to the Kneber botnet documented by NetWitness in which a known ZeuS-based botnet, typically used to steal banking information and other credentials, was specifically targeting .mil and .gov email addresses with spearphishing attacks and then dropping a second piece of malware, an infostealer, on the compromised systems that uploaded sensitive documents to drop zones in Belarus and Russia. This botnet was engaged in all sorts of other malicious activity associated with cybercrime.</p>
<p>When it comes to DDoS attacks a similar pattern is observed. Jose Nazario of Arbor Networks wrote a very interesting paper that analyzed politically motivated DDoS attacks (and is basically the inspiration for this blog post). The numerous DDoS attacks described in this paper are very interesting; some are punitive attacks, others appear to be an effort to censor political speech (something I worked on at ONI in the past with Kyrgyzstan in 2005 and Belarus in 2006).</p>
<p>In the paper Nazario discusses the role that well known BlackEnergy-based botnets played in the DDoS attacks on Georgian websites during the Russia-Georgia conflict in 2008. In a really amazing presentation Jose Nazario and Andre DiMino of Shadowserver document the attacks on Georgia. But what is most interesting, in this context, are the other unrelated targets that the same botnets also attacked. The RU-GE case is a great example of the blurring boundaries between crimeware networks, politically motivated attacks and censorship.</p>
<p>On a much smaller scale, I observed some recent attacks in which a BlackEnergy-based botnet attacked a variety of unrelated targets but eventually attacked political websites. The botnet was discovered while analyzing data captured from the computer of a Tibetan political figure. Due to the character of the network Greg Walton and I concluded that the attack was not targeted and was not related to Tibet or to the political activities of the individual who was compromised. However, I continued to monitor the botnet.</p>
<p>The botnet had two command and control domain names, 091809.ru and sexiland.ru, both hosted on the same IP address (210.51.166.238, China Netcom). The command and control interface was not password protected and I was able to access it and determine the size of the botnet. According to the statistics in the interface, 091809.ru had 2044 active bots, an average of 2418 per hour and 8105 per day. In total, 091809.ru recorded 64346 infections. According to the statistics in the interface, sexiland.ru (210.51.166.238) had 3623 active bots, an average of 4869 per hour and 12749 per day. In total, sexiland.ru recorded 51813 infections. This is not a particularly large botnet at all, but the attackers could access at least 6000 bots at any given time.</p>
<p>This botnet attacked a variety of websites, however, four of them caught my attention.</p>
<p>1. bachuna.net</p>
<p>2009-12-15 05:00:01<br />
flood http bachuna.net</p>
<p>The attackers began flooding bachuna.net on 2009-12-15. The attacks appear to relate to Ukrainian news stories (here, here, here and here) which broke around the same time as the attacks started involving a judge named Oleg Bachun and two competing websites bachuna.net and bachun.net. While the former was supportive of the judge the latter implicated him in illegal activities. Since I am relying on Google Translate it would be great if some Russian and Ukrainian speakers could provide a more in-depth assessment of what happened in the case as well as to the domain names involved as it appears from the reports that bachun.net was transferred to the owner of bachuna.net.</p>
<p>2. ingushetiyaru.org</p>
<p>2010-01-16 18:00:01 &#8211; 2010-01-20 06:00:02<br />
flood http www.ingushetiyaru.org</p>
<p>Rights in Russia reported that &#8220;a website run by an opposition group in Ingushetia, Ingushetiyaru.org, suffered a DDoS attack after publishing comments critical of the region’s authorities.&#8221; Ingushetia is located near Chechnya and is a politically sensitive area. Ingushetiyaru.org reported the DDoS on their livejournal site and the broader implications in this article. This is not the first time there have been DDoS attacks related to this region. Jeff Carr reported on another DDoS attack and implicated the RBN in the attack.</p>
<p>3. angusht.com</p>
<p>2010-01-22 12:00:01 &#8211; 2010-01-26 15:00:02<br />
flood http angusht.com</p>
<p>This website, angusht.com, is also related to Ingushetia and reported DDoS attacks (here too) earlier this year. Several other related sites were also reported to be inaccessible. The timing of the inaccessibility of the sites and the DDoS attacks on angusht.com and ingushetiyaru.org also correlate with reports of an explosion of a gas pipeline in Ingushetia.</p>
<p>4. kadyrov2012.com</p>
<p>2010-01-25 08:00:02 &#8211; 2010-01-27 02:00:01<br />
flood http kadyrov2012.com</p>
<p>The website kadyrov2012.com was a satirical website claiming that the Russian-backed Chechen leader Ramzan Kadyrov was going to run for president in Russia&#8217;s elections. Reuters reported the story on January 24, which correlates with the timing of the DDoS attacks.</p>
<p>These attacks are fairly small when compared with others and fly under the radar screen of most. They show that small scale attacks designed to censor opposing views occur with frequency against key websites and during critical time periods. It is clear that those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats from targeted malware through to DDoS and not simply censorship in the form of Internet filtering. Finally, these attacks demonstrate that botnets involved with criminal activity are being used to conduct both political and apolitical DDoS attacks.</p>
<p>Full list of sites DDoS&#8217;d by this botnet here.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/04/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Terror moves into the digital age</title>
		<link>http://www.infowar-monitor.net/2010/03/terror-moves-into-the-digital-age/</link>
		<comments>http://www.infowar-monitor.net/2010/03/terror-moves-into-the-digital-age/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 16:29:24 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Australia]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Russia]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5877</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.theaustralian.com.au/politics/terror-moves-into-the-digital-age/story-e6frgczf-1225841555397">Sally Neighbour</a> 

TERRORISTS are about to vent their fury on Australia with an attack that will reveal a diabolical new dimension to the terrorist threat. In a prelude designed to cripple the country's defences, an all-out cyber assault is unleashed.

First, the Defence Department's internal communications system is paralysed by botnets, networks of thousands of zombie computers, hijacked in cyberspace and now remote-controlled by the enemy. Next, radar stations are jammed to give foreign aircraft unrestricted access to Australian airspace. Fighter jets deployed by the Australian air force are electronically commandeered by firewall-penetrating software injected in advance into their avionics systems. Maritime defences are immobilised by electronic interference that confounds the ships' communication systems. Communication links with the fleet are in enemy hands when all the satellite transponders are hijacked.

A hypothetical such as this, once the stuff of futuristic Hollywood fiction, is being seriously envisaged by strategic analysts, who see the risk of cyber attack as the most disturbing new threat to national security.

Australia's leading electronic spy agency, the Defence Signals Directorate, says cyber threats posed by terrorists, malicious hackers and organised criminals are "huge and multiplying".

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.theaustralian.com.au/politics/terror-moves-into-the-digital-age/story-e6frgczf-1225841555397">Sally Neighbour</a>, The Australian</p>
<p>TERRORISTS are about to vent their fury on Australia with an attack that will reveal a diabolical new dimension to the terrorist threat. In a prelude designed to cripple the country&#8217;s defences, an all-out cyber assault is unleashed.</p>
<p>First, the Defence Department&#8217;s internal communications system is paralysed by botnets, networks of thousands of zombie computers, hijacked in cyberspace and now remote-controlled by the enemy. Next, radar stations are jammed to give foreign aircraft unrestricted access to Australian airspace. Fighter jets deployed by the Australian air force are electronically commandeered by firewall-penetrating software injected in advance into their avionics systems. Maritime defences are immobilised by electronic interference that confounds the ships&#8217; communication systems. Communication links with the fleet are in enemy hands when all the satellite transponders are hijacked.</p>
<p>A hypothetical such as this, once the stuff of futuristic Hollywood fiction, is being seriously envisaged by strategic analysts, who see the risk of cyber attack as the most disturbing new threat to national security.</p>
<p>Australia&#8217;s leading electronic spy agency, the Defence Signals Directorate, says cyber threats posed by terrorists, malicious hackers and organised criminals are &#8220;huge and multiplying&#8221;.</p>
<p>&#8220;Online is the new front line,&#8221; DSD warns in its latest assessment of the cyber threat. Its director Ian McKenzie told a recent security conference that if there were a Billboard list for national security, cyber attack would be &#8220;going up the charts with a bullet&#8221;.</p>
<p>The attack scenario above is laid out in a new book, Australia and Cyber-Warfare, by Des Ball of the Strategic and Defence Studies Centre in Canberra, retired air commodore Gary Waters and national security consultant Ian Dudgeon. Their point is that not only Australia&#8217;s civilian IT networks but also the defence force&#8217;s command, control, communications, intelligence, surveillance and reconnaissance systems &#8220;are at great risk if they are not adequately defended&#8221;. They argue Australia has been a laggard in responding to the multiple threats.</p>
<p>When Defence Minister John Faulkner opened the new Cyber Security Operations Centre at DSD headquarters in Canberra in January, he declared cyberspace was a battlefield. He revealed there had been an average of 200 cyber invasion attempts against Defence computers last year, plus another 220 attacks on other government networks.</p>
<p>The cyber warfare scenario is not as far-fetched as it may seem. Cyber assaults have been used already as a prelude to conventional military offensives.</p>
<p>In 2008, as the former Soviet republic of Georgia was preparing to invade the breakaway region of South Ossetia, cyber attackers commandeered Ossetian news websites. Ossetians blamed Georgia for trying to cover up news of its invasion. A series of counter-strikes then took out key Georgian sites, including those of its President, parliament and national bank. The Russian government was widely blamed for the attacks but denied it.</p>
<p>Last August The New York Times reported that in 2003 the Pentagon and US intelligence agencies planned a cyber strike to cripple the Iraqi financial system before the US sent its troops into Iraq. The attack would have frozen billions of dollars in Saddam Hussein&#8217;s accounts, leaving him unable to buy war supplies or pay his troops. &#8220;We knew we could pull it off, we had the tools,&#8221; a former Pentagon official told the paper. It was abandoned because the Bush administration feared it would cause worldwide financial havoc.</p>
<p>The theft of military technology has been a motivator for some of the most audacious cyber attacks. As Ball and his co-authors outline, China has been the main offender. In December 2007, The New York Times reported that Chinese hackers had stolen data from a US nuclear weapons laboratory in Tennessee. During 2007-08, more than 80,000 attempted attacks on US Defence Department computers were reported, along with another 13,000 on other federal agencies.</p>
<p>Cyber warfare units in the Chinese People&#8217;s Liberation Army have penetrated the Pentagon&#8217;s internal internet router and designed software to disable it in the event of a conflict, Ball and co report. In January, US media outlets cited a classified FBI report indicating China has enlisted an army of 180,000 cyber-spies that &#8220;poses the largest single threat to the United States for cyber-terrorism and has the potential to destroy vital infrastructure, interrupt banking and commerce, and compromise sensitive military and defense databases&#8221;.</p>
<p>In Australia, Faulkner says a series of &#8220;sophisticated cyber intrusions&#8221; have occurred, some of them successful. In its last annual report, ASIO revealed it had found evidence of hostile intelligence services using the internet to appropriate confidential Australian government and business information. ASIO chief David Irvine describes internet-enabled espionage as &#8220;a rapidly growing threat to the national interest&#8221;.</p>
<p>The ease with which hackers can penetrate the government&#8217;s cyberspace was revealed when online vandals went on the attack over the Rudd government&#8217;s internet filtering legislation. Last September, the self-styled internet vigilante group known as Anonymous shut down the Prime Minister&#8217;s website by bombarding it with millions of simultaneous requests for information. Last month it struck again, taking over the PM&#8217;s site, plastering it with pornography and re-badging it as Operation Titstorm: A part of Operation Internet Freedom.</p>
<p>Operations such as these are known as denial-of-service attacks, when assailants cripple a site by overloading it with communications. During Operation Titstorm, the federal parliament website was made to crash when it was hit by 7.5 million requests for information a second. The government confirmed afterwards that the Cyber Security Operations Centre knew the attack was coming but was unable to stop it.</p>
<p>In the most recent attack of this kind in Australia, visitors to the National Gallery of Victoria website at the weekend were greeted by a message from &#8220;One Turk Against The World . . . 1923Turk-Grup Turkish Cyber Attack and Defance Army&#8221; [sic].</p>
<p>Denial-of-service attacks are carried out by botnets, networks of robot-like computers that have been hijacked by being infected with malicious software &#8211; known as malware &#8211; that allows them to be taken over and remotely controlled. The software is typically inserted in drive-by downloads, using rogue email attachments or web links opened by unwitting PC owners. Unbeknown to them, their computers then become part of a phalanx of nodes controlled by bot-herders using nicknames such as MarshviperX, to carry out denial-of-service assaults, spam attacks or online fraud schemes.</p>
<p>Several mass botnets have been exposed. Dutch cyber police shut down a network that had 1.5 million zombie computers and servers under its control. The largest existing botnet, known as Srizbi, has 450,000 computers at its command and is capable of sending out 100 billion spam messages a day. American computer scientist Vinton Cerf, who is often credited with inventing the internet, says botnets are spreading like a pandemic and up to a quarter of all PCs linked to the internet may be part of a botnet.</p>
<p>Events such as the commandeering of the PM&#8217;s website are largely nuisance attacks by issue-motivated groups or individuals, designed to gain publicity and make a political point: the equivalent of an &#8220;electronic poke in the eye&#8221;, according to cyber-crime consultant Alastair McGibbon, a former Australian Federal Police agent and founder of the Australian High Tech Crime Centre. A far more worrying use of botnets is for grand-scale information and identity theft. In one case last year, the NSW government&#8217;s job site was hacked and raided.</p>
<p>&#8220;It appears that people who were uploading their CVs and applying for government jobs had their identities stolen, or at least, they could have had their identities stolen; all their credentials [were] captured by the people who got into that site,&#8221; McGibbon says.</p>
<p>Many computer users are unwittingly making themselves targets for identity theft through social networking sites such as Facebook. The AFP&#8217;s high tech crime group recently conducted a trial among a group of Facebook users and found that 98 per cent of them had put enough information on their personal pages to allow their identities to be stolen.</p>
<p>Another significant issue is an explosion of online fraud. In the US, 28-year-old Miami man Alberto Gonzalez was indicted late last year over the world&#8217;s largest credit card theft after stealing the credit and debit card details of 130 million people by hacking into chain stores such as 7-Eleven. In Australia, online florist Roses Only and the Sydney Opera House are among the many businesses whose customers have been likewise targeted. In both cases it is likely that the victims not only had their banking and personal details stolen but that, unknown to them, their computers were recruited into botnets.</p>
<p>McGibbon says cyber crime has grown &#8220;from a cottage industry to a factory production line&#8221;. The cyber-thieves have portals on the internet where criminals sell or exchange the information they have stolen. McGibbon says the price of stolen identities and credit cards has recently plunged because so many of them are for sale.</p>
<p>With more than a billion internet users globally, 32 million new domains being added annually and the national broadband network about to deliver 100 megabits of data per second to 90 per cent of Australia&#8217;s population, the cyber threat can only grow. It will be compounded by the advent of so-called cloud computing. In five or 10 years, it&#8217;s predicted, all small and medium computer users will be &#8220;on the cloud&#8221;, with their information stored remotely in cyberspace rather than on their own hard drives, and thus even more vulnerable.</p>
<p>Cyber strategists can only imagine what the future holds. Raymond Choo, a cyber crime research analyst at the Australian Institute of Criminology, predicts the next wave will include targeted attacks aimed at specific government agencies, organisations and individuals. He says energy and water supplies could be vulnerable, as control systems that are increasingly linked to the internet are used to monitor power plants, oil and gas pipelines, chemical refineries and dams.</p>
<p>Insider threats to military and intelligence networks are also a concern. &#8220;Corrupt insiders could deliberately introduce vulnerabilities during the coding of in-house software that is used to manage sensitive military or intelligence networks,&#8221; Choo warns.</p>
<p>&#8220;This could allow politically or issue-motivated and state-sponsored actors to exploit the vulnerabilities and surreptitiously enter systems, gain control and launch online attacks via and against compromised systems.&#8221;</p>
<p>While they welcome the advent of the Cyber Security Operations Centre and its partner body the Australian Computer Emergency Response Team, experts say the government response has been too little, too late, and too reactive.</p>
<p>&#8220;There is a widening gap between the cyber security problem and our national capacity to deal with it,&#8221; McGibbon says.</p>
<p>More worryingly, the public remains complacent about the many threats. McGibbon says there is a need for mass public education, which should be treated like an urgent public health campaign.</p>
<p>&#8220;We need to be educating everyone, from the mum and dad users to the CEOs and chairmen of boards, about their responsibilities and the consequences of their actions. We need to look at this as not just a technical issue, we need to change public behaviour and take responsibility for protecting ourselves in the online space. This is not a science fiction discussion, this is the reality, and we need to be investing in it properly to reduce the likelihood of it happening.&#8221;</p>
<p>http://www.theaustralian.com.au/politics/terror-moves-into-the-digital-age/story-e6frgczf-1225841555397</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/terror-moves-into-the-digital-age/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Britain applies military thinking to the growing spectre of cyberwar</title>
		<link>http://www.infowar-monitor.net/2010/03/britain-applies-military-thinking-to-the-growing-spectre-of-cyberwar/</link>
		<comments>http://www.infowar-monitor.net/2010/03/britain-applies-military-thinking-to-the-growing-spectre-of-cyberwar/#comments</comments>
		<pubDate>Mon, 08 Mar 2010 20:09:54 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Afghanistan]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Law and Policy]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[Sri Lanka]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[US]]></category>
		<category><![CDATA[Zero-day Attack]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5842</guid>
		<description><![CDATA[<a href="http://technology.timesonline.co.uk/tol/news/tech_and_web/article7053270.ece">Anthony Loyd</a>, The Times:

<blockquote>The strategy being developed by Lord West is not limited to risk assessment; retaliation is part of the package. “We could do what these people do [to us] if we wanted to,” he said. “We’re looking at ... the ethics of all of this. If someone dropped a bomb on us, I would have no hesitation in shooting their bloody plane down and giving them a slapping ... So we need to think through how we react to these ‘other things’ and the implications.”

The murky world of cyberwar is inhabited by small-time hackers, criminal syndicates and people operating with the support of their government.

“Everything that happens to us is called an ‘attack’,” said a senior official with a lead role in British cyber operations, “[but] most of what we see on a large scale ... is about the exfiltration of data — theft, not an attack.” There exists, however, an overlap between the interests of hostile state intelligence agencies and cybercriminal syndicates seeking to steal intellectual data for profit. Russian cybercrime syndicates, better known as partnerka, lead commercial espionage in Europe and are known to have links with Harry and his comrades in the FSB. China has its own dedicated cyber operations headquarters within the People’s Liberation Army but also holds top rank in the league of cyberhostile countries — the list used by Western security companies to warn business clients of cyber-threat.

The West’s nuclear strategy was based on deterrence — the assurance that a guaranteed second strike would prevent a first strike from coming. Yet cyberwar is more complex because the attacks have certain things in common: they are fast, cheap and hard to trace.

“Attribution is unbelievably difficult,” admitted Lord West. “These guys could attack [as if it was from] your site — the attacks would come in from different nodes in a strange way that you can’t even identify. Follow the attack back and it gets to you — but it wasn’t you.”

The sophistication of commercial and state-sponsored activity has developed immensely since the attacks on Estonia and Georgia, with denial-of-service operations now considered relatively low-grade. More worrying is “zero-day malware” — an unidentifiable new generation of Trojan programs that are implanted into a host computer and lie dormant until activated.

“Let’s say that someone has received an e-mail that looks like it’s from someone they know, about a subject they feel comfortable with,” said Ian McGurk, associate director for information security at Control Risks, a security consultancy. “As a consequence they trust the material. If there’s an attachment — a photograph, a Word document, whatever — embedded within that attachment is some sort of malicious code that is going to install itself on the machine. That machine is then compromised, and a Trojan is installed that can search for information.”

As well as transmitting information back to its handler, zero-day malware can also hand a computer to outside control before going on to infect an entire system.

Raimund Genes, the chief technical officer of Trend Micro, said: “We grew up fearing the mushroom cloud, now we should fear a roomful of hackers with their electricity and internet bills paid for by a government.”</blockquote>]]></description>
			<content:encoded><![CDATA[<p><a href="http://technology.timesonline.co.uk/tol/news/tech_and_web/article7053270.ece">Anthony Loyd</a>, The Times:</p>
<p>Harry was a Russian secret service agent who spoke perfect English and wore cowboy boots with his uniform. I never knew what his face looked like because he wore a mask during the lengthy interrogation sessions he put me through during five days of captivity in Federal Security Service (FSB) hands in Chechnya in 1999. The first item taken from me by Harry and his friends was my laptop. I was as much unnerved as relieved when it was returned on my release. “I can have it back?” “Yeah, have it back,” the FSB agent replied, and laughed.</p>
<p>Within 24 hours of arriving home in London the laptop was deluged with spam, pornography and Russian hate mail, eventually crashing completely. The act was more a digital slap on the wrist than the attacks that the Russians would allegedly inflict on entire countries several years later, but it was my first experience of cyberwar.</p>
<p>The incident came to mind eight years later on a February morning in Helmand, southern Afghanistan, when I heard a Royal Marines colonel briefing his officers. He mentioned, almost as an aside, that one of the men’s e-mail accounts had been closed after being compromised by a “hostile intelligence agency”. In other words, someone hacked into a soldier’s computer to see what might be found there. Last December, in Sri Lanka, a senior UN official confided to me that his e-mails were being intercepted by a “key log” program that allowed everything he wrote and received to be read by an intelligence agency.</p>
<p>Today barely a week passes without the phrase “cyberattack” in the news. It is a loose term, incorporating everything from criminal hacking and commercial espionage to attempts to seize control of weapon systems or sabotage national infrastructures. Britain is treating the surge of hostile computer activity seriously enough to have established two organisations last year to co-ordinate, assess and expand its cyber strategy. The Office for Cyber Security (OCS), established by the Cabinet Office, was created in the autumn after a warning by intelligence chiefs that China may have acquired the ability to cripple key points of infrastructure such as telecommunications.</p>
<p>Whitehall departments were allegedly first targeted by Chinese hackers in 2007. Later that year Jonathan Evans, director-general of MI5, wrote to 300 chief executives warning of potential Chinese hacking attacks and data theft. In the year up to November 2009 Britain suffered 300 cyber intrusions — defined as a sophisticated attempt, successful or not, to steal data or sabotage systems — on government and military networks.</p>
<p>The OCS, at present staffed by 14 people, including personnel from the security services and military, is to be fully operational with a strength of 20 later this year. It works closely with a second organisation, the secretive Cyber Security Operations Centre, located within Government Communications Headquarters in Cheltenham. A key part of the approach is establishing rules of engagement for retaliatory cyberstrikes should critical infrastructure be attacked and crippled.</p>
<p>“If I go and bomb someone’s power station, that is an act of war,” Baron West of Spithead, the Permanent Under Secretary of State for Security and Counterterrorism, told The Times. “But if I use a computer to make that power station effectively not work, is that an act of war? That is a simple stark example. There are much more complex examples. These were issues that hadn’t been addressed before, and we are now at the forefront of doing so.”</p>
<p>The majority of attacks have been to obtain funds from commercial organisations, and a full assault on a country’s banks, stock market, energy grid, telecommunications and health systems is more likely if countries are already in a “hot” war. There are several other potential triggers, however. In 2007 Estonian ministries, banks and newspapers were bombarded with denial-of-service attacks — mass requests for information that cause systems to crash — for several days after the Government moved a Soviet war memorial in the capital, Tallinn.</p>
<p>In 2008 Georgia complained of similar attacks during its brief conflict with Russia over the breakaway province of South Ossetia. The Russians were blamed in both cases, although they denied involvement.</p>
<p>The threats and scenarios of cyberwar require some sideways thinking. British assessments conclude, for example, that the risk of a serious attack in this country is still lower than that of a flu pandemic — but that a flu pandemic would be a lot worse if combined with an attack on NHS computer systems involved in vaccine distribution. American academics have predicted that the physical damage from a country shutting the US power grid for three months would be several times greater than the damage done by Hurricane Katrina in Louisiana.</p>
<p>The strategy being developed by Lord West is not limited to risk assessment; retaliation is part of the package. “We could do what these people do [to us] if we wanted to,” he said. “We’re looking at &#8230; the ethics of all of this. If someone dropped a bomb on us, I would have no hesitation in shooting their bloody plane down and giving them a slapping &#8230; So we need to think through how we react to these ‘other things’ and the implications.”</p>
<p>The murky world of cyberwar is inhabited by small-time hackers, criminal syndicates and people operating with the support of their government.</p>
<p>“Everything that happens to us is called an ‘attack’,” said a senior official with a lead role in British cyber operations, “[but] most of what we see on a large scale &#8230; is about the exfiltration of data — theft, not an attack.” There exists, however, an overlap between the interests of hostile state intelligence agencies and cybercriminal syndicates seeking to steal intellectual data for profit. Russian cybercrime syndicates, better known as partnerka, lead commercial espionage in Europe and are known to have links with Harry and his comrades in the FSB. China has its own dedicated cyber operations headquarters within the People’s Liberation Army but also holds top rank in the league of cyberhostile countries — the list used by Western security companies to warn business clients of cyber-threat.</p>
<p>The West’s nuclear strategy was based on deterrence — the assurance that a guaranteed second strike would prevent a first strike from coming. Yet cyberwar is more complex because the attacks have certain things in common: they are fast, cheap and hard to trace.</p>
<p>“Attribution is unbelievably difficult,” admitted Lord West. “These guys could attack [as if it was from] your site — the attacks would come in from different nodes in a strange way that you can’t even identify. Follow the attack back and it gets to you — but it wasn’t you.”</p>
<p>The sophistication of commercial and state-sponsored activity has developed immensely since the attacks on Estonia and Georgia, with denial-of-service operations now considered relatively low-grade. More worrying is “zero-day malware” — an unidentifiable new generation of Trojan programs that are implanted into a host computer and lie dormant until activated.</p>
<p>“Let’s say that someone has received an e-mail that looks like it’s from someone they know, about a subject they feel comfortable with,” said Ian McGurk, associate director for information security at Control Risks, a security consultancy. “As a consequence they trust the material. If there’s an attachment — a photograph, a Word document, whatever — embedded within that attachment is some sort of malicious code that is going to install itself on the machine. That machine is then compromised, and a Trojan is installed that can search for information.”</p>
<p>As well as transmitting information back to its handler, zero-day malware can also hand a computer to outside control before going on to infect an entire system.</p>
<p>Raimund Genes, the chief technical officer of Trend Micro, said: “We grew up fearing the mushroom cloud, now we should fear a roomful of hackers with their electricity and internet bills paid for by a government.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/britain-applies-military-thinking-to-the-growing-spectre-of-cyberwar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reality of cyber warfare</title>
		<link>http://www.infowar-monitor.net/2010/02/reality-of-cyber-warfare/</link>
		<comments>http://www.infowar-monitor.net/2010/02/reality-of-cyber-warfare/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 01:35:51 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Iran]]></category>
		<category><![CDATA[Russia]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5775</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.thehindubusinessline.com/ew/2010/02/22/stories/2010022250050200.htm">R.K. Raghavan</a> 

A very recent assessment by a highly reputed London-based think-tank that cyber warfare between nations is a reality and cannot be brushed aside as fanciful should make us sit up and take notice. The warning is contained in an annual report, The Military Balance, issued by the International Institute for Strategic Studies (IISS). This in-depth document analyses each year the competitive arms race that goes on between major nations and predicts its possible fall-out from the point of view of military capabilities and defence economics.

The latest analysis, apart from citing threats in cyberspace, refers to dangers arising from the conflict in Afghanistan, the determined Chinese exercise to diversify its military prowess and the nuclear ambitions of Iran. As a Western analysis, it naturally devotes considerable attention to what is happening in China and North Korea, especially on the cyber front. Releasing the report, the IISS said: “Despite evidence of cyber attacks in recent political conflicts, there is little appreciation internationally of how to assess cyber-conflict. We are now, in relation to the problem of cyber-warfare, at the same stage of intellectual development as we were in the 1950s in relation to possible nuclear war.” This may appear to be a strong statement, but it is obviously intended to shake policy makers out of their ignorance and complacence.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.thehindubusinessline.com/ew/2010/02/22/stories/2010022250050200.htm">R.K. Raghavan</a>, The Hindu Business Line. </p>
<p>A very recent assessment by a highly reputed London-based think-tank that cyber warfare between nations is a reality and cannot be brushed aside as fanciful should make us sit up and take notice. The warning is contained in an annual report, The Military Balance, issued by the International Institute for Strategic Studies (IISS). This in-depth document analyses each year the competitive arms race that goes on between major nations and predicts its possible fall-out from the point of view of military capabilities and defence economics.</p>
<p>The latest analysis, apart from citing threats in cyberspace, refers to dangers arising from the conflict in Afghanistan, the determined Chinese exercise to diversify its military prowess and the nuclear ambitions of Iran. As a Western analysis, it naturally devotes considerable attention to what is happening in China and North Korea, especially on the cyber front. Releasing the report, the IISS said: “Despite evidence of cyber attacks in recent political conflicts, there is little appreciation internationally of how to assess cyber-conflict. We are now, in relation to the problem of cyber-warfare, at the same stage of intellectual development as we were in the 1950s in relation to possible nuclear war.” This may appear to be a strong statement, but it is obviously intended to shake policy makers out of their ignorance and complacence.</p>
<p>It is relevant to recall here events of the past few years in which some small and hapless nations were subjected to a major cyber offensive from their adversaries. First was the attack in 2007 on Estonia, whose economic life was paralysed by Denial of Service (DoS) attacks unleashed from about a million computers, many of which were traced to Russia. It is an open secret that relations between the two nations have been frosty for quite some time. Estonia was under Soviet occupation from 1944 and obtained its freedom only in 1991.</p>
<p>Next was the Russian offensive against Georgia in 2008 as part of a dispute over South Ossetia. Apart from military exchanges, the occasion saw the hijacking of Georgian computers through cyber attacks originating from Russia. Even the Georgian President&#8217;s official computers were not spared. In July 2009, German espionage agents complained of Internet spying operations by Russia and China with the objective of stealing vital information on critical infrastructure and defence plans. In December, Seoul reported attempts by North Korean computers to hack into the former&#8217;s databases relating to US-South Korean defence strategies in the event of a war in the Korean peninsula.</p>
<p>Also, Google recently launched an investigation into attacks on Internet accounts of human rights activists in China. This has actually ballooned into a major controversy, as a result of which Google has decided not to submit itself to censorship imposed by the Chinese authorities and also revealed the possibility of it pulling out of China altogether.</p>
<p>All this is evidence enough to substantiate the growing feeling that the wars of the future will be fought in cyberspace rather than on traditional battle fields. It is this assessment that has persuaded the Pentagon to prepare itself for a war in cyberspace on par with land, sea and aerial combat. According to one report, it will deploy a large number of cyber experts to look after its 15,000 computer networks spread over 4,000 installations. I presume our South Block has a similar core of trained cyber security team. Or else, in these troubled times, with several hostile neighbours around us, we could be in trouble.</p>
<p>All reports suggest that the al Qaeda is still very active. Its principal foes are the US and the UK. India comes a close third. It is the expert estimate that the al Qaeda may not any longer aim at our defence establishments. It is likely rather to concentrate on our weakest spot, namely, the financial sector. The latter may be strong in terms of business acumen. But what it is generally lax about is in respect of protection of its valuable information networks. The stock market is especially vulnerable. Any interference with its online traffic relating to financial transactions, through tactics such as DoS attacks, could be disastrous. Any deliberate corruption of data relating to deals carried out by large-scale credit agencies will be equally ruinous. These are not imaginary but real threats of which financial managers in government and the private sector need to be aware. Any large-scale disruption of the financial market, especially at a time like the present, when economies are passing through a lean phase, could greatly affect political stability. Expert apprehensions of a terrorist use of weak information networks run by financial institutions cannot therefore be ignored.</p>
<p>I would like to draw reader attention to an interesting piece, Cyber Warriors by James Fallows in the latest issue of Atlantic, in which he has a lot to say about threats emanating from the Chinese mainland. Its huge population and high computer literacy (with hundreds of millions of Internet users) give an advantage that is difficult to surpass. In crude terms, China could raise a formidable team of young hackers who could cause havoc to other nations with whom China does not enjoy good relations. This is an army that has the might to bring about a total breakdown of the commercial life of any nation of any size. This is an interesting analysis worth pondering over.</p>
<p>James Fallows refers to a forthcoming novel Directive 51 by John Barnes, which depicts a situation where there is such a breakdown. I am sure it is worth waiting for. We can possibly also draw from it some lessons on how to look after our networks!</p>
<p>The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/reality-of-cyber-warfare/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>® Exclusive: Cyber attacks will &#8216;catastrophically&#8217; spook public, warns GCHQ</title>
		<link>http://www.infowar-monitor.net/2010/02/%c2%ae-exclusive-cyber-attacks-will-catastrophically-spook-public-warns-gchq/</link>
		<comments>http://www.infowar-monitor.net/2010/02/%c2%ae-exclusive-cyber-attacks-will-catastrophically-spook-public-warns-gchq/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 12:36:55 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[UK]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5715</guid>
		<description><![CDATA[Cheltenham spies 'cyber arms race'

Source: Chris Williams &#124; <a href="http://www.theregister.co.uk/2010/02/22/csoc_report/print.html">The Register</a>

<blockquote>A digital attack against the UK causing even minor damage would have a "catastrophic" effect on public confidence in the government, GCHQ has privately warned Whitehall.

The Cheltenham spy agency's new Cyber Security Operations Centre (CSOC) makes the prediction in a document prepared for Cabinet Office and seen by The Register.


Growing reliance on the internet to deliver public services will "quickly reach a point of no return", meaning "any interruption of broadband access becomes intolerable and will have serious impacts on the economy and public well being", CSOC says.

"A successful cyber attack against public services would have a catastrophic impact on public confidence in the government, even if the actual damage caused by the attack were minimal," it adds.

The warning forms part of a preliminary "horizon scanning" report produced by the new unit, which is scheduled to begin operations next month. Its job will be to continually monitor internet security, producing intelligence on botnets, denial of service attacks and other digital threats to national security.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>CSOC was established by last summer&#8217;s Cyber Security Strategy. With an initial staff of 19 and funded from GCHQ&#8217;s budget of hundreds of millions of pounds, it reports to the equally nascent Office of Cyber Security within the Cabinet Office, which coordinates digital national security policy across Whitehall.</p>
<p>Most cyber attacks are likely to remain difficult to trace to official sources, the report explains, citing the denial of service attacks on Georgia as Russia&#8217;s army invaded in 2008. This year GCHQ&#8217;s close US counterpart, the National Security Agency (NSA), has been called in to investigate attacks on Google&#8217;s GMail service apparently from inside China.</p>
<p>&#8220;An internationally agreed definition of cyber warfare will remain elusive, with state actors making increasing use of hired criminals and &#8216;hacktivists&#8217; to carry out deniable cyber attacks on their behalf,&#8221; CSOC predicts.</p>
<p>The official British view casts ongoing talks (http://www.nytimes.com/2009/12/13/science/13cyber.html) between the US and Russia &#8211; aimed at fostering cooperation between states on internet security and agreeing ground rules &#8211; in a pessimistic light.</p>
<p>&#8220;States are likely to increasingly see the cyber domain as an area in which to wage war&#8230; it is difficult to see international agreement on what acts are and are not acceptable in a cyber war being achieved within five years,&#8221; CSOC says. &#8220;Even if regulation of this kind was to emerge, it is likely that it would make little difference.</p>
<p>&#8220;The increasing sophistication of criminal cyber tools and the availability of cheap, fast broadband will mean that states are able to achieve their aims by hiring criminal botnets to carry out DDOS or other attacks on their enemies&#8217; infrastructure.&#8221;</p>
<p>Cyber arms race</p>
<p>Government eavesdroppers also face a secret &#8220;cyber arms race&#8221; to develop quantum cryptography technology, according to GCHQ.</p>
<p>&#8220;In the next 5 to 10 years, states are likely to engage in a cyber arms race for quantum cryptanalysis, which would enable the users to crack any encryption within a very short space of time, and for quantum cryptography, which would prevent secure communications from being intercepted,&#8221; it said.</p>
<p>Quantum computers would be able to test every possible cipher for a traditionally-encrypted message very quickly. Meanwhile a quantum-encrypted message would be impossible to intercept because just by observing it the eavesdropper would destroy it.</p>
<p>GCHQ &#8211; the descendent of the UK&#8217;s famous World War Two codebreaking effort at Bletchley Park &#8211; is responsible for intercepting foreign communications and for trying to ensure government communications are not intercepted. Without directly referring to its own work on quantum cryptography, it said the revolution the technology would spark in both areas remains out of reach.</p>
<p>&#8220;It is unlikely that any state actor will have been able to put quantum systems into operation by 2015, although some state actors may have basic quantum computing capabilities by 2020,&#8221; CSOC says.</p>
<p>The NSA is said to be investing heavily in quantum computing.</p>
<p>The predictions in CSOC&#8217;s report have served as the basis of a series of classified and unclassified meetings with industry and academics hosted by the Office of Cyber Security in recent weeks. Officials plan to feed the results of the meetings into policy, including whether and how the UK should develop offensive capabilities online. ®</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/%c2%ae-exclusive-cyber-attacks-will-catastrophically-spook-public-warns-gchq/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A New Kind of Security Threat</title>
		<link>http://www.infowar-monitor.net/2010/02/a-new-kind-of-security-threat/</link>
		<comments>http://www.infowar-monitor.net/2010/02/a-new-kind-of-security-threat/#comments</comments>
		<pubDate>Mon, 15 Feb 2010 19:54:14 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Law and Policy]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5616</guid>
		<description><![CDATA[<blockquote>
Source: Khatuna Mshvidobadze, <a href="http://georgiandaily.com/index.php?option=com_content&#038;task=view&#038;id=17071&#038;Itemid=132">Georgian Daily</a>  

A new kind of warfare, cyber warfare, is a true threat to security, not just for governments, but also businesses and individuals. 

Just about everyone has received one of those bogus E-Mails that appear to come from a friend in trouble in, say, London—please send me $2,000! The clumsy handiwork of petty cyber-swindlers is easy to spot, but more creative cyber-crimes against individuals, businesses and governments are perpetrated every day. And cyber-war is already a threat against which national security experts must plan.

In August 2008, Russia’s invading Soviet vintage tanks were backed by a 21st Century cyber attack on Georgia. Maintaining our security and stability suddenly became more complex than fending off the tanks and fighter jets of our gigantic neighbor. Cyber attacks can be the equivalent of special operations or air strikes against critical infrastructure.

In contrast to the time and money required to train and equip spetsnaz or air forces, high technology and online skills are now available for rent to malevolent governments, organized crime and terrorist organizations. Such skills can be used to destabilize a country’s economy and degrade its critical infrastructure. Operating along the seam between crime and war, cyber-criminals have sparked a debate among experts about whether cyber attacks should be treated as criminal acts or acts of war.
However, these are not the clowns who hijack your friend’s electronic address list to look for someone dumb enough to send them $2,000 or even more intelligent hackers seeking to vandalize your PC or steal money from your bank account. They are sophisticated criminals operating networks that can threaten global security and stability. Moreover, some states not only tolerate them but hire them.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: Khatuna Mshvidobadze, <a href="http://georgiandaily.com/index.php?option=com_content&#038;task=view&#038;id=17071&#038;Itemid=132">Georgian Daily</a>  </p>
<p>A new kind of warfare, cyber warfare, is a true threat to security, not just for governments, but also businesses and individuals. </p>
<p>Just about everyone has received one of those bogus E-Mails that appear to come from a friend in trouble in, say, London—please send me $2,000! The clumsy handiwork of petty cyber-swindlers is easy to spot, but more creative cyber-crimes against individuals, businesses and governments are perpetrated every day. And cyber-war is already a threat against which national security experts must plan.</p>
<p>In August 2008, Russia’s invading Soviet vintage tanks were backed by a 21st Century cyber attack on Georgia. Maintaining our security and stability suddenly became more complex than fending off the tanks and fighter jets of our gigantic neighbor. Cyber attacks can be the equivalent of special operations or air strikes against critical infrastructure.</p>
<p>In contrast to the time and money required to train and equip spetsnaz or air forces, high technology and online skills are now available for rent to malevolent governments, organized crime and terrorist organizations. Such skills can be used to destabilize a country’s economy and degrade its critical infrastructure. Operating along the seam between crime and war, cyber-criminals have sparked a debate among experts about whether cyber attacks should be treated as criminal acts or acts of war.<br />
However, these are not the clowns who hijack your friend’s electronic address list to look for someone dumb enough to send them $2,000 or even more intelligent hackers seeking to vandalize your PC or steal money from your bank account. They are sophisticated criminals operating networks that can threaten global security and stability. Moreover, some states not only tolerate them but hire them.</p>
<p>A stark reality emerged from Russia’s August 2008 war on Georgia. After a year of study, the U.S. Cyber Consequences Unit (USCCU), an independent research institute, concluded that cyber attacks were an integral part of Russia’s armed attack on Georgia.</p>
<p>Most of the attacks were of a type called Distributed Denial of Service attacks—DDOS. Cyber criminals take over bits of perhaps thousands of privately owned computers and lash them together into so-called botnets that then blast information at a target, rendering it unable to perform its intended service.</p>
<p>Such an attack requires advance mapping, testing, registering new domains and creating dedicated websites. However, the USCCU analysis indicated that all the necessary preparatory work had been accomplished before the war—the cyber war coordinators were fully aware of the impending attack upon Georgia and its timing. Most of the botnets used against Georgia had already been used for criminal activities. There were strong implications that the Russian government was in cahoots with Russian organized crime! Amateur hackers were also recruited through social networks to augment the attacks.</p>
<p>The Cyber attacks disrupted the Georgian Government’s information and communication efforts, financial transactions, Internet and cellular telephone connections for several days.<br />
Georgia has not been the only victim of cyber attack. In 2007, Estonia was attacked through cyber space after its government decided to relocate a Soviet war memorial away from the Tallinn city center. And there are many indications that we are on the cusp of a new, multifaceted trend.<br />
Recently the giant American Internet company Google sparked an international incident when it threatened to leave China. Google is irked by what it says are Chinese government efforts to hack personal E Mail accounts in order to spy on political dissidents. This came on the heels of 2009 allegations that the Chinese government blocked social networking and other Internet services such as Twitter, Facebook and YouTube to preclude their use as forums to protest government policies and actions. US Secretary of State Hillary Clinton called upon China to conduct a transparent investigation into Google’s allegations.</p>
<p>And China is regularly accused of cyber espionage against American businesses and government. &#8220;This is a big espionage program aimed at getting high-tech information and politically sensitive information—the high-tech information to jump-start China&#8217;s economy and the political information to ensure the survival of the regime,&#8221; said James A. Lewis, a cyber and national security expert at the Center for Strategic and International Studies in Washington. European countries have also complained.</p>
<p>As with any major new technology, the Internet has brought good and bad. Now the international community—or portions of it, at least—is seeking effective ways to counter cyber attacks and to define the border between crime and war. What are the most effective technical, legal and political strategies against these threats? For example, at what point, if any, should NATO consider a cyber attack to be an armed attack for the purpose of collective defense?</p>
<p>Dealing with this problem will require each country to become cyber-security conscious—and active. However, it will also require close international cooperation because cyber-crime and cyber-war are hard to identify and locate.</p>
<p>Moreover, businesses must be thoroughly involved in new security efforts. A company such as Google can be dragged into what was once the realm of police, intelligence agencies and foreign embassies. Or, as was the case in Georgia in August 2008, an attack against our country by a foreign power was actually carried out against Georgian banks and telecommunications companies, making them incidental victims. Any business with Internet-based IT systems could become a victim of a cyber attack. Of course, businesses must take steps to protect themselves, but in the 21st Century, they will have a growing interest in cooperating with other businesses, governments and international organizations.</p>
<p>Regrettably, the international community will be unable to reach consensus on effective measures to prevent cyber-war and cyber-crime so, to be relevant to the new reality, like-minded countries must gather relevant intelligence, devise countermeasures and defenses, develop contingency plans and conduct exercises. It can be done. It must be done—it is a matter of global security and stability.</p>
<p>Khatuna Mshvidobadze is Senior Associate at the Georgian Security Analysis Center, Tbilisi.</p>
<p>Source: Investor.ge </p>
<p>http://georgiandaily.com/index.php?option=com_content&#038;task=view&#038;id=17071&#038;Itemid=132</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/a-new-kind-of-security-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>War is War: A workshop on the strategic utility of cyberspace operations in the contemporary operational environment</title>
		<link>http://www.infowar-monitor.net/2010/02/war-is-war-a-workshop-on-the-strategic-utility-of-cyberspace-operations-in-the-contemporary-operational-environment/</link>
		<comments>http://www.infowar-monitor.net/2010/02/war-is-war-a-workshop-on-the-strategic-utility-of-cyberspace-operations-in-the-contemporary-operational-environment/#comments</comments>
		<pubDate>Thu, 04 Feb 2010 21:06:10 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[SecDev]]></category>
		<category><![CDATA[US]]></category>
		<category><![CDATA[USCYBERCOM]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5532</guid>
		<description><![CDATA[Dennis Murphy, U.S. Army War College and Rafal Rohozinski, The SecDev Group

“History teaches us that the character of each individual war is always different and most certainly will change, but the enduring nature of war as a human endeavor will remain largely unchanged.”

—General James N. Mattis

The United States Army War College in partnership with The SecDev Group conducted a workshop examining cyberspace operations from the warfighter’s perspective. The workshop was held 26–28 January 2010 at the Collins Center for Strategic Leadership, U.S. Army War College, Carlisle Barracks, Pennsylvania.

BACKGROUND
The U.S. Department of Defense defines cyberspace operations as “the employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace.” Cyberspace emerged as a national level concern through several recent events of geo-strategic significance. Estonian infrastructure was attacked in the spring of 2007 allegedly by Russian hackers. In August 2008, Russia allegedly again conducted cyber attacks this time in a coordinated and synchronized kinetic and non-kinetic campaign against Georgia. It is plausible that this may become the norm in future warfare among those nation-states having the capabilities to conduct such complex excursions. Much has been written about the issues of cyberspace at the national strategic level: lack of attribution; applicability to the law of armed conflict and international treaties; determination of criminality vice act of war. But the body of knowledge does not inform us about how this concept of cyberspace operations impacts and will be adapted by warfighting commanders in the contemporary and future operational environment. The workshop seeks to examine this issue and use the Georgia-Russia case study to draw lessons to apply to current and future warfare.

The workshop will center on three themes. The first theme considers the strategic frame from the perspective of defining cyberspace as a domain of military operations including a consideration of what defines “maneuver” in cyberspace. The second will consider situational understanding in terms of how cyberspace operations fit within the warfighting commander’s mission set across the full spectrum of conflict. It will specifically consider how to gain situational understanding as input to planning and executing joint operations. The final theme considers cyberspace “fires,” that is the toolset such as authorities and rules of engagement that determine strategic utility and tactical applicability.

OVERALL WORKSHOP OBJECTIVE

The objective of the workshop is to examine the strategic utility of cyberspace operations in the existing contemporary and future operational environment from the perspective of the warfighter.

WORKSHOP DESIGN

The workshop will bring together an international audience of military, national security community and intelligence community leaders as well as experts from academia. It will be conducted over the course of three days and will begin with a plenary session and a dinner and keynote speech to set the stage for the subsequent presentations and discussions.

Day two will include additional plenary presentations to establish a foundation of understanding followed by breakout groups which will address the key issues involved in order to satisfy workshop objectives. Day three will be devoted to briefing the recommendations, observations and insights gained from the breakout groups to the plenary group.

PROPOSED PLENARY SESSION AND BREAKOUT GROUP TOPICS

The plenary sessions will define and analyze the scope, nature and impact of cyberspace operations employed in conjunction with other actions by parties to the conflict during the Georgia-Russia conflict of 2008. Specifically, these sessions will seek to better understand the assumptions, intent, and the strategic frame (or lack thereof) employed by military actors in the conflict. The plenary also provides an opportunity to debate a key question: has the recognition of cyberspace operations as a capability within a new warfighting domain changed the nature of warfare…or is it more simply another capability to be integrated into an age-old system and process of planning and execution?

Breakout groups look to draw lessons from the case study for application to current and future conflict. Three groups will consider: operating in a constrained cyberspace domain; integrating cyberspace operations into the overarching campaign plan across the spectrum of conflict; and, achieving situational understanding to enable effective cyberspace operations.

WORKSHOP DELIVERABLES

A report reviewing the key issues, discussions, findings and recommendations of the workshop will be published by the Center for Strategic Leadership and The SecDev Group.


CONTACT INFORMATION
For additional information regarding this event please contact Professor Dennis Murphy at 717-245-3937, or Mr. Jerry Johnson at 717-245-3392. Email: dennis.murphy@us.army.mil or jerry.dwayne.johnson@us.army.mil
]]></description>
			<content:encoded><![CDATA[<p>Dennis Murphy, U.S. Army War College and Rafal Rohozinski, The SecDev Group</p>
<p>“History teaches us that the character of each individual war is always different and most certainly will change, but the enduring nature of war as a human endeavor will remain largely unchanged.”</p>
<p>—General James N. Mattis</p>
<p>The United States Army War College in partnership with The SecDev Group conducted a workshop examining cyberspace operations from the warfighter’s perspective. The workshop was held 26–28 January 2010 at the Collins Center for Strategic Leadership, U.S. Army War College, Carlisle Barracks, Pennsylvania.</p>
<p>BACKGROUND<br />
The U.S. Department of Defense defines cyberspace operations as “the employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace.” Cyberspace emerged as a national level concern through several recent events of geo-strategic significance. Estonian infrastructure was attacked in the spring of 2007 allegedly by Russian hackers. In August 2008, Russia allegedly again conducted cyber attacks this time in a coordinated and synchronized kinetic and non-kinetic campaign against Georgia. It is plausible that this may become the norm in future warfare among those nation-states having the capabilities to conduct such complex excursions. Much has been written about the issues of cyberspace at the national strategic level: lack of attribution; applicability to the law of armed conflict and international treaties; determination of criminality vice act of war. But the body of knowledge does not inform us about how this concept of cyberspace operations impacts and will be adapted by warfighting commanders in the contemporary and future operational environment. The workshop seeks to examine this issue and use the Georgia-Russia case study to draw lessons to apply to current and future warfare.</p>
<p>The workshop will center on three themes. The first theme considers the strategic frame from the perspective of defining cyberspace as a domain of military operations including a consideration of what defines “maneuver” in cyberspace. The second will consider situational understanding in terms of how cyberspace operations fit within the warfighting commander’s mission set across the full spectrum of conflict. It will specifically consider how to gain situational understanding as input to planning and executing joint operations. The final theme considers cyberspace “fires,” that is the toolset such as authorities and rules of engagement that determine strategic utility and tactical applicability.</p>
<p>OVERALL WORKSHOP OBJECTIVE</p>
<p>The objective of the workshop is to examine the strategic utility of cyberspace operations in the existing contemporary and future operational environment from the perspective of the warfighter.</p>
<p>WORKSHOP DESIGN</p>
<p>The workshop will bring together an international audience of military, national security community and intelligence community leaders as well as experts from academia. It will be conducted over the course of three days and will begin with a plenary session and a dinner and keynote speech to set the stage for the subsequent presentations and discussions.</p>
<p>Day two will include additional plenary presentations to establish a foundation of understanding followed by breakout groups which will address the key issues involved in order to satisfy workshop objectives. Day three will be devoted to briefing the recommendations, observations and insights gained from the breakout groups to the plenary group.</p>
<p>PROPOSED PLENARY SESSION AND BREAKOUT GROUP TOPICS</p>
<p>The plenary sessions will define and analyze the scope, nature and impact of cyberspace operations employed in conjunction with other actions by parties to the conflict during the Georgia-Russia conflict of 2008. Specifically, these sessions will seek to better understand the assumptions, intent, and the strategic frame (or lack thereof) employed by military actors in the conflict. The plenary also provides an opportunity to debate a key question: has the recognition of cyberspace operations as a capability within a new warfighting domain changed the nature of warfare…or is it more simply another capability to be integrated into an age-old system and process of planning and execution?</p>
<p>Breakout groups look to draw lessons from the case study for application to current and future conflict. Three groups will consider: operating in a constrained cyberspace domain; integrating cyberspace operations into the overarching campaign plan across the spectrum of conflict; and, achieving situational understanding to enable effective cyberspace operations.</p>
<p>WORKSHOP DELIVERABLES</p>
<p>A report reviewing the key issues, discussions, findings and recommendations of the workshop will be published by the Center for Strategic Leadership and The SecDev Group.</p>
<p>CONTACT INFORMATION<br />
For additional information regarding this event please contact Professor Dennis Murphy at 717-245-3937, or Mr. Jerry Johnson at 717-245-3392. Email: dennis.murphy@us.army.mil or jerry.dwayne.johnson@us.army.mil</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/war-is-war-a-workshop-on-the-strategic-utility-of-cyberspace-operations-in-the-contemporary-operational-environment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Can we stop the global cyber arms race?</title>
		<link>http://www.infowar-monitor.net/2010/02/can-we-stop-the-global-cyber-arms-race/</link>
		<comments>http://www.infowar-monitor.net/2010/02/can-we-stop-the-global-cyber-arms-race/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 17:26:59 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Circumvention]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Hacktivism]]></category>
		<category><![CDATA[South Korea]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5466</guid>
		<description><![CDATA[Source: <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/01/31/AR2010013101834_pf.html">Jack Goldsmith, Washington Post</a>, Monday, February 1, 2010

<blockquote>In a speech this month on "Internet freedom," Secretary of State Hillary Clinton decried the cyberattacks that threaten U.S. economic and national security interests. "Countries or individuals that engage in cyber attacks should face consequences and international condemnation," she warned, alluding to the China-Google kerfuffle. We should "create norms of behavior among states and encourage respect for the global networked commons."

Perhaps so. But the problem with Clinton's call for accountability and norms on the global network -- a call frequently heard in policy discussions about cybersecurity -- is the enormous array of cyberattacks originating from the United States. Until we acknowledge these attacks and signal how we might control them, we cannot make progress on preventing cyberattacks emanating from other countries.

An important weapon in the cyberattack arsenal is a botnet, a cluster of thousands and sometimes millions of compromised computers under the ultimate remote control of a "master." Botnets were behind last summer's attack on South Korean and American government Web sites, as well as prominent attacks a few years ago on Estonian and Georgian sites. They are also engines of spam that can deliver destructive malware that enables economic espionage or theft.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>The United States has the most, or nearly the most, infected botnet computers and is thus the country from which a good chunk of botnet attacks stem. The government could crack down on botnets, but doing so would raise the cost of software or Internet access and would be controversial. So it has not acted, and the number of dangerous botnet attacks from America grows.</p>
<p>The United States is also a leading source of &#8220;hacktivists&#8221; who use digital tools to fight oppressive regimes. Scores of individuals and groups in the United States design or employ computer payloads to attack government Web sites, computer systems and censoring tools in Iran and China. These efforts are often supported by U.S. foundations and universities, and by the federal government. Clinton boasted about this support seven paragraphs after complaining about cyberattacks.</p>
<p>Finally, the U.S. government has perhaps the world&#8217;s most powerful and sophisticated offensive cyberattack capability. This capability remains highly classified. But the New York Times has reported that the Bush administration used cyberattacks on insurgent cellphones and computers in Iraq, and that it approved a plan for attacks on computers related to Iran&#8217;s nuclear weapons program. And the government is surely doing much more. &#8220;We have U.S. warriors in cyberspace that are deployed overseas&#8221; and &#8220;live in adversary networks,&#8221; says Bob Gourley, the former chief technology officer for the Defense Intelligence Agency.</p>
<p>These warriors are now under the command of Lt. Gen. Keith Alexander, director of the National Security Agency. The NSA, the world&#8217;s most powerful signals intelligence organization, is also in the business of breaking into and extracting data from offshore enemy computer systems and of engaging in computer attacks that, in the NSA&#8217;s words, &#8220;disrupt, deny, degrade, or destroy the information&#8221; found in these systems. When the Obama administration created &#8220;cyber command&#8221; last year to coordinate U.S. offensive cyber capabilities, it nominated Alexander to be in charge.</p>
<p>Simply put, the United States is in a big way doing the very things that Clinton criticized. We are not, like the Chinese, stealing intellectual property from U.S. firms or breaking into the accounts of democracy advocates. But we are aggressively using the same or similar computer techniques for ends we deem worthy.</p>
<p>Our potent offensive cyber operations matter for reasons beyond the hypocrisy inherent in undifferentiated condemnation of cyberattacks. Even if we could stop all cyberattacks from our soil, we wouldn&#8217;t want to. On the private side, hacktivism can be a tool of liberation. On the public side, the best defense of critical computer systems is sometimes a good offense. &#8220;My own view is that the only way to counteract both criminal and espionage activity online is to be proactive,&#8221; Alexander said last year, adding that if the Chinese were inside critical U.S. computer systems, he would &#8220;want to go and take down the source of those attacks.&#8221;</p>
<p>Our adversaries are aware of our prodigious and growing offensive cyber capacities and exploits. In a survey published Thursday by the security firm McAfee, more information technology experts from critical infrastructure firms around the world expressed concern about the United States as a source of computer network attacks than about any other country. This awareness, along with our vulnerability to cyberattacks, fuels a dangerous public and private cyber arms race in an arena where the offense already has a natural advantage.</p>
<p>Everyone agrees on the need to curb this race by creating proper norms of network behavior. But like Clinton, U.S. cybersecurity policymakers are in the habit of thinking too much about those who attack us and too little about our attacks on others. Creating norms to curb cyberattacks is difficult enough because the attackers&#8217; identities are hard to ascertain. But another large hurdle is the federal government&#8217;s refusal to acknowledge more fully its many offensive cyber activities, or to propose which such activities it might clamp down on in exchange for reciprocal concessions by our adversaries.</p>
<p>Jack Goldsmith teaches at Harvard Law School and is on the Hoover Institution&#8217;s Task Force on National Security and Law. He was a member of a 2009 National Academies committee that issued the report &#8220;Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/can-we-stop-the-global-cyber-arms-race/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

