Ebook: The Virtual Battlefield: Perspectives on Cyber Warfare
All political and military conflicts now have a cyber dimension, the size and impact of which are difficult to predict. Internet-enabled propaganda, espionage, and attacks on critical infrastructure can target decision makers, weapons systems, and citizens in general, during times of peace or war. Traditional threats to national security now have a digital delivery mechanism which would increase the speed, diffusion, and power of an attack. There have been no true cyber wars to date, but cyber battles of great consequence are easy to find. This book is divided into two sections – Strategic Viewpoints and Technical Challenges & Solutions – and highlights the growing connection between computer security and national security.
On January 14, 2009, I posted a Call for Papers (CFP) to Bugtraq for a Conference on Cyber Warfare. Within hours, I received an email from n3td3v, an infamous computer security commentator :
How can you have a security conference on “cyber warfare” when it doesn't exist and has never taken place.
n3td3v has a point. Estimating the threat posed by cyber attacks is not easy. Case studies are few in number, much information lies outside the public domain, and there have been no wars – yet – between modern, cyber-capable militaries. While the era of cyber espionage is already here , a possible era of broad-scale cyber warfare still lies in the future .
Nevertheless, an examination of international affairs over the past two decades suggests that cyber battles of great consequence are easy to find. Since the earliest days of the World Wide Web, Chechen guerilla fighters, armed not only with rifles but with digital cameras and HTML, have clearly demonstrated the power of Internet-enabled propaganda. During the 1999 war over Kosovo, likely non-state actors tried to disrupt NATO military operations through computer hacking, and were able to claim minor victories . In 2007, Syrian air defense was reportedly disabled by a cyber attack moments before the Israeli air force demolished an alleged Syrian nuclear reactor . In 2009, the entire nation-state of Kyrgyzstan was knocked offline during a time of political crisis .
What military officers call the ‘battlespace’ grows more difficult to define – and to defend – over time. Advances in technology are normally evolutionary, but they can be revolutionary: artillery reached over the front lines of battle; rockets and airplanes crossed national boundaries; and today, cyber attacks can target political leadership, military systems, and average citizens anywhere in the world, during peacetime or war, with the added benefit of attacker anonymity.
Information Technology (IT) now pervades our lives. In 1965, Gordon Moore correctly predicted that the number of transistors on a computer chip would double every two years . There has been concomitant growth in almost all aspects of IT, including the widespread availability of practical encryption, user-friendly hacker tools, and Web-enabled open source intelligence (OSINT). It should therefore no longer be surprising that political and military strategists use and abuse computers, databases, and the networks that connect them in order to achieve their objectives . In the early 1980s, this concept was already known in the Soviet Union as the Military Technological Revolution (MTR); following the U.S. victory in the 1991 Gulf War, the Pentagon's Revolution in Military Affairs was almost a household term .
Cyberspace, narrowly defined, is a collection of networked computers. But the extent to which humans (and other computers) obtain their information and marching orders from somewhere in cyberspace grows by the day. This is in part what hackers call the expanding ‘attack surface’. In national security terms, the concepts of attack, defense, and security remain unchanged, as do the threats posed by adversary propaganda, espionage, and attacks on critical infrastructure. The difference is that traditional threats are now Internet-enabled; they employ a new delivery mechanism that can increase the speed, diffusion, and even the power of an attack. The cyber skirmishes we witness today likely foreshadow a long march that cyber warfare will make from a corollary of real-world disputes to a lead role in conflicts of the future.
This book consists of the research papers presented at the Cooperative Cyber Defense Centre of Excellence (CCD CoE) Conference on Cyber Warfare, which took place in Tallinn, Estonia, in June 2009. Individually and collectively, they explore the relationship between computer security and national security. Unsurprisingly, the devil is found in the details: the challenge of attribution, the calculation of damages, the security of critical infrastructure, ethics, jurisdiction, responsibility, and much more. This book is divided into two sections: Strategic Viewpoints and Technical Challenges and Solutions.
Chapter 1: “Cyber Wars: A paradigm shift from Means to Ends.” Amit Sharma, from the Indian Ministry of Defence, argues that cyber warfare is different from other types of conflict, and merits its own set of rules. He warns against trying to fit cyber warfare into the traditional definitions found in the Law of Armed Conflict (LOAC). Sharma believes that it is easy to underestimate the strategic potential of cyber warfare, stating that cyber attacks alone are powerful enough to achieve political goals. In his view, cyber warfare will cease to be merely a force multiplier for conventional warfare; rather, conventional warfare will be used to support the objectives of cyber warfare. Sharma examines the legal treatment of nuclear weapons, and deterrence theory, for possible application in the cyber domain.
Chapter 2: “Towards an Evolving Theory of Cyberpower.” Dr. Stuart H. Starr, from the Center for Technology and National Security Policy (CTNSP) at the National Defense University (NDU), discusses the development of a theory of ‘cyberpower’ in research that systematically addresses five key areas: it defines the key terms that are associated with cyber issues; it categorizes the elements, constituent parts, and factors that yield a framework for thinking about cyberpower; it explains the major factors that are driving the evolution of cyberspace and cyberpower; it connects the various elements of cyberstrategy so that a policy maker can place issues in proper context; and it anticipates key changes in cyberspace that are likely to affect decision making.
Chapter 3: “Sub Rosa Cyber War.” Martin C. Libicki of the RAND Corporation explains that the battlefield terrain of cyberspace allows not only for stealthy attack and defense, but even for the existence of a stealthy war. Sub rosa cyber war is a conflict in which the warring parties do not publicly acknowledge battlefield victories and defeats, or even the existence of an ongoing war. Two reasons such a conflict is possible include the difficulty of good cyber battle damage assessment and the diabolical challenge of cyber attack attribution. Further, opponents may desire to keep a cyber conflict sub rosa in order to preserve freedom of action; public awareness and scrutiny could complicate negotiations or lead to unwanted escalation. Libicki cautions that sub rosa cyber war carries serious risks, such as insufficient operational oversight and a dubious assumption that the conflict is truly sub rosa to third parties.
Chapter 4: “Warfare and the Continuum of Cyber Risks: A Policy Perspective.” Andrew Cutts, the Director of Cyber Security Policy at the U.S. Department of Homeland Security, explains that nation-states are beginning to appreciate the potential benefits and costs of employing cyber attacks as a means of projecting national power. He offers a framework for evaluating national cyber security policy that includes prioritizing competing missions and balancing short- and long-term objectives. The focus of this chapter is on the long-term, strategic threat. To get ahead of the most serious cyber risks, national security leadership must strive to find the appropriate balance of resources, energy, and focus, specifically to distinguish between the most frequent threats and those that are the most consequential.
Chapter 5: “Cyber Terrorism: A New Dimension in Battlespace.” Major J. P. I. A. G. Charvat, from the Centre of Excellence Defence against Terrorism in Ankara, Turkey, examines the emerging threat of cyber terrorism. First, he discusses the phenomenon of terrorism and the motivations of terrorist organizations. Next, he explores the way terrorists now use IT to disseminate propaganda, to recruit new members, and to support conventional attacks. Finally, he considers the possibility that a terrorist organization might adopt a pure cyber attack strategy in an attempt to inflict electronic or physical damage.
Chapter 6: “Borders in Cyberspace: Can Sovereignty Adapt to the Challenges of Cyber Security?” Forrest Hare, from the School of Public Policy at George Mason University, writes that while cyberspace has no borders, nation-states do. Therefore, governments must consider how they will define and defend their sovereignty in this new domain. Crucially, Hare argues that governments should realize that to some degree they will be forced to coordinate and integrate their efforts on the international level. To help explore the nature of boundaries in cyberspace, this research makes use of two very different frameworks: the first is a comparison of the challenges of cyber security to international drug trafficking; the second employs game theory to support the cyber security decision-making process.
Chapter 7: “Towards a Global Regime for Cyber Warfare.” Dr. Rex Hughes, Co-Director of the Cyber Security Project, Chatham House, London, explains that when novel, disruptive technologies dramatically alter the nature of warfare, history shows that the likelihood of a new arms race is high. As more nations aspire to project national power in cyberspace, a digital arms race may be around the corner. Therefore, diplomats should find a coherent set of principles, rules, and norms to govern state security and military operations in cyberspace. Hughes argues that the most importat cyber challenge facing national security thinkers today concerns how to prevent a major arms race in this arena. This chapter introduces readers to the Law of Armed Conflict, examines how it might apply to cyber warfare, and outlines the steps required to create a global regime for cyber warfare.
Chapter 8: “What Analogies Can Tell Us About the Future of Cybersecurity.” David Sulek and Ned Moran of Booz Allen Hamilton examine the benefits and drawbacks of using historical analogies to understand cyber warfare. When such analogies are appropriately chosen and systematically applied, they can clarify the present situation and offer decision-makers strategic insight; vice versa, poor analogies obscure objectives, unnecessarily complicate choices, and create blind spots. In every case, analogies are bound to fail unless they incorporate objective analysis and their hand is not overplayed. The authors consider the well-known Electronic Pearl Harbor, and explore a range of new ideas: Cyber Katrina, Cyber Sputnik, Cyber Balkanization, Cyber Tribes, Cyber Conquistadors, and Cybernization.
Chapter 9: “The Information Sphere Domain – Increasing Understanding and Cooperation.” In this chapter, Dr. Patrick D. Allen (Johns Hopkins University, Applied Physics Lab) and Dennis P. Gilbert, Jr (Booz Allen Hamilton) write that a great advantage always accrues to a competitor who understands and operates within a domain better than their opponent. First, the authors define what constitutes a domain, and describe how new domains are created over time. Their research outlines the ‘Information Sphere’ domain, which has features that are both similar to and different from the four traditional, physical domains: air, land, sea, and space.
Chapter 10: “Sun Tzu was a Hacker: An Examination of the Tactics and Operations from a Real World Cyber Attack.” Billy K. Rios, of GreyLogic, LLC, examines the nuts and bolts of a real world, international cyber attack. Rios was in a unique position to witness the “communications, execution, and responses” of the cyber attackers and defenders in the 2008 war between Russia and Georgia. The author concludes that the availability and effectiveness of cyber attack tools ensure that data packets, fired purely on the battlefield terrain of computer networks, are likely to play a role in all future international conflicts. This research paper considers cyber attacks in the light of traditional concepts of maneuver warfare, as described in Marine Corps Doctrinal Publication 1 (MCDP-1).
Chapter 11: “Belarus in the Context of European Cyber Security.” Fyodor Pavlyuchenko, of www.charter97.org, examines the use of Internet censorship as a government tool that can be used to suppress political dissent within a nation-state. The author, representing one of the most popular – and hacked – online news sites in Belarus, catalogues a decade of cyber attacks that the site has suffered (usually during times of political tension). The author believes that the use of political DoS attacks threatens not only freedom of expression in Belarus, but the integrity of Internet resources in other European countries as well. Finally, he contends that the cyber conflict in Belarus is analogous to the ongoing struggle between state and non-state actors in Russia.
Chapter 12: “Politically Motivated Denial of Service Attacks.” Jose Nazario of Arbor Networks dissects DDoS attacks that have been used in support of political or ideological goals. He explains how DDoS attacks have evolved from a platform used to inflict “punitive damage” on a target to a sophisticated means of Internet censorship. Nazario uses extraordinary access to a wide range of data, including Internet backbone traffic, border gateway protocol (BGP) routing data, botnet communications, and community chatter, to create a compelling narrative. He concludes that while most Internet attackers appear to be non-state actors, they are nonetheless capable of using botnets of significant size and power to launch effective DDoS attacks.
Chapter 13: “A Brief Examination of Media Coverage of Cyberattacks (2007-Present).” Cyrus Farivar, a freelance technology journalist, critiques the media coverage of three politically-oriented cyber attacks: Kyrgyzstan (2009), Georgia (2008), and Estonia (2007). He reflects on where journalistic analysis was correct and where it was off the mark. On balance, he argues that there is enormous room for improvement, and that it is in the interest of the cyber security community, the media, and policymakers to improve their understanding of and their ability to write on the subject of cyber attacks, so that public understanding and appreciation of this new threat will increase. Technical Challenges and Solutions
Chapter 14: “Behavioral Analysis of Zombie Armies.” Olivier Thonnard, Wim Mees (both from the Royal Military Academy, Belgium) and Marc Dacier (Symantec Research Labs, France) present ground-breaking research on the behavior of ‘zombie armies’. They characterize the long-term behavior, global characteristics, strategic evolution, size, lifespan, and resilience of botnets. Their research highlights the uneven spatial distribution of infected computers across the Internet, specifically on a limited number of “unclean” or “zombie-friendly” networks. Most of the botnets they studied have an impressive attack capability in terms of bandwidth and the number of ways they are able to probe and exploit other computers; further, like real-world armies, they can coordinate their efforts with other botnets. Their analysis employed data from the European Union (EU)-funded WOMBAT project (Worldwide Observatory of Malicious Behaviors and Attack Threats).
Chapter 15: “Proactive Botnet Countermeasures – An Offensive Approach.” Felix Leder, Tillmann Werner, and Peter Martini, from the Institute of Computer Science IV, University of Bonn, Germany, contend that cyber defenders are at a disadvantage vis-à-vis attackers in part because computer science evolves too quickly for cyber law to keep up. In this chapter, the authors describe a technically feasible, proactive way to detect and defeat computer botnets, based on the assumption that reactive measures alone are insufficient. Their research formalizes botnet topologies, via real-world examples, and derives effective strategies for attacking them. However, they explain that their approach employs tactics that go well beyond what current cyber law encompasses, and argue that “controversial discussions” are needed to explore the political, legal, ethical, and liability-based ramifications of a proactive, counter-botnet approach – sooner rather than later.
Chapter 16: “When Not to Pull the Plug – The Need for Network Counter-Surveillance Operations.” Scott Knight and Sylvain Leblanc of the Royal Military College of Canada argue that one traditional response to a cyber attack – to immediately remove compromised machines from the network – has two primary drawbacks: it warns the intruder that he or she has been discovered, and it can prevent the collection of crucial evidence to help determine motive and estimate damage. The authors delineate a Network Counter-Surveillance Operation designed to maintain quiet contact with a hacker while information is gathered on intentions, techniques and more.
Chapter 17: “Autonomic Computer Network Defence Using Risk State and Reinforcement Learning.” Luc Beaudoin (Defense Research and Development Canada), Nathalie Japkowicz and Stan Matwin (both from the University of Ottawa) write that humans are simply not able to handle the complexity and speed of many forms of cyber attack, and that it is essential to automate certain aspects of traffic analysis and attack mitigation. They argue that a level of autonomic computer network defense can be achieved using reinforcement learning and dynamic risk assessment, with a view toward determining optimal action sequences (or policies) to recover from computer network risk situations. In their view, this approach will benefit commercial network management and security products by aiding in the selection of automatic mitigation actions, as risk states are sensed.
Chapter 18: “Enhancing Graph-based Automated DoS Attack Response.” Gabriel Klein, Marko Jahnke, Jens Tölle (all from FGAN-FKIE, Germany), and Peter Martini (University of Bonn, Germany) argue that timely and appropriate responses to DoS attacks are critical in both civilian and military settings. While intrusion detection systems (IDS) are capable of detecting DoS attacks, the growing sophistication and speed of such attacks increase the need for automated countermeasures to support computer network defense. Per force, it is necessary to quickly evaluate the potential effects of proposed countermeasures on network resources. This chapter discusses GrADAR, an intuitive, graph-based approach for automatically assessing the likely effects of DoS countermeasures on a network. Further, it proposes an enhancement which takes into account the effects of the workload on resource availability.
Chapter 19: “On nth Order Attacks.” Daniel Bilar, from the University of New Orleans, USA, explores a class of cyber attack designed to subvert “mission-sustaining ancillary systems”. In technical terms, ancillary systems could be throughput control, visualization environments, memory resource allocation, manufacturing, and the supply chain; the purpose of such systems – and the real target of the attacker – is its political, military, or economic mission. The attacker's goal could be to disrupt power management, logistics, elections, or even the social welfare of the target. Bilar discusses historical, current and forward-looking examples, with special emphasis on attacks against computerized, open societies.
Chapter 20: “Business and Social Evaluation of Denial of Service Attacks in View of Scaling Economic Countermeasures.” Louis-Francois Pau, from the Copenhagen Business School and Rotterdam School of Management, writes that DoS attacks not only affect computer network resources; they can have a direct, negative impact on the bottom line of a business in the real world. This chapter proposes a method to determine the direct and indirect costs associated with DoS attacks, which is a necessary step in determining countermeasures aimed at legal- or policy-driven dissuasion, retaliation, compensation, and restoration. Dr. Pau's method relies on time-preference dynamics applied to monetary mass for the restoration of capabilities, on long-term investments to rebuild capabilities, and on the usability level of capabilities after an attack. A real-world example of a DoS attack on a corporate data centre is provided. In conclusion, the author gives specific policy recommendations and suggests information exchange requirements.
Chapter 21: “Virtual Plots, Real Revolution.” Roelof Temmingh (Paterva) and Kenneth Geers (NCIS/CCD CoE) investigate whether computer botnets could evolve from spam and Distributed Denial of Service (DDoS) generators to semantic creatures that could voice opinions, arguments, and even threats via the Internet. Key to their argument is the assumption that only a small percentage of information on the Web is truly unique. In theory, a malicious actor could create a virtual population of fraudulent identities from stolen and/or randomized biographies, pictures, and histories of Internet activity, which could be used to support a criminal, political, military or terrorist agenda. The increasingly impersonal nature of Internet communications will make timely threat evaluation difficult.
Many thanks to all who were involved in organizing the 2009 Conference on Cyber Warfare, and especially to Christian Czosseck, for his diligence in helping to edit this book.
Kenneth Geers, Tallinn, Estonia, August 7, 2009
 “Who is “n3td3v”?", Hacker Factor Solutions, White Paper, Release 1.4.1, 12-October-2006, www.hackerfactor.com/papers/who_is_n3td3v.pdf.
 “Espionage report: Merkel's China visit marred by hacking allegations”. Spiegel Online, August 27, 2007, http://www.spiegel.de/international/world/0,1518,502169,00.html; Cody, E. “Chinese official accuses nations of hacking”. Washington Post, September 13, 2007, http://www.washingtonpost.com/wpdyn/content/article/2007/09/12/AR2007091200791_pf.html#.
 However, this is already a point on which reasonable people can disagree: “How robot drones revolutionized the face of warfare”, Cable News Network (CNN), July 24, 2009. http://edition.cnn.com/2009/ WORLD/americas/07/23/wus.warfare.remote.uav/index.html.
 Geers, Kenneth. “Cyberspace and the Changing Nature of Warfare,” SC Magazine, August 27, 2008, http://www.scmagazineus.com/Cyberspace-and-the-changing-nature-of-warfare/article/115929/.
 Fulghum, David A., Wall, Robert, and Butler, Amy. “Cyber-Combat's First Shot,” Aviation Week & Space Technology. November 26, 2007. Vol. 167, Iss. 21, p. 28.
 Keizer, Gregg. “Russian ‘cyber militia’ knocks Kyrgyzstan offline”, Computerworld, 01/28/2009, www.networkworld.com/news/2009/012809-russian-cyber-militia-knocks-kyrgyzstan.html.
 “Moore's Law”, Intel Corporation, www.intel.com/technology/mooreslaw/.
 Adams, James. “Virtual Defense”, Foreign Affairs, May/June 2001, 80, 3, p. 98.
 Mishra, Shitanshu. “Network Centric Warfare in the Context of ‘Operation Iraqi Freedom''' Strategic Analysis, Vol. 27, No. 4, Oct-Dec 2003, Institute for Defence Studies and Analyses, http://www.idsa.in/publications/strategic-analysis/2003/oct/Shitanshu.pdf.
The last couple of decades have seen a colossal change in terms of the influence that computers have on the battle field, to an extent that defence pundits claim it to be a dawn of a new era in warfare. The use of computers and information in defence has manifested into various force multipliers such as Information Operations, C4I2SR Systems, Network Centric Warfare, to the extent that commentators are terming this information age as a Revolution in Military Affairs (RMA). These advances have not only revolutionized the way in which wars are fought, but have also initiated a new battle for the control of a new dimension in the current contemporary world: The Cyber Space.
Over time cyber warfare has assumed the shape of an elephant assessed by a group of blind people, with every one drawing different meanings based upon their perceptions. Under these circumstances there was a gradual paradigm shift in military thinking and strategies, from the strategic aspect to the tactical aspect of cyber warfare laying more emphasis on cyber attacks and counter measures. This resulted in the formation of a notion that cyber warfare or information warfare is a potent force multiplier, which in a sense downgraded the strategic aspects of cyber war to a low grade tactical warfare used primarily for a force enhancement effect. The author believes this is wrong, cyber war is a new form of warfare and, rather than cyber war merely being an enhancement of traditional operations, traditional operations will be force multipliers of cyber war.
This paper tries to shatter myths woven around cyber warfare so as to illuminate the strategic aspects of this relatively misinterpreted notion. This paper will elucidate the scenarios and mechanisms illuminating the process of using the strategies of cyber war, so as to achieve conventional objectives. The paper will also analyze the doctrine and strategies including first and second strike capabilities with regard to cyber war. This paper identifies a paradigm shift from the conventional belief of cyber warfare acting as a force multiplier for conventional warfare to the recognition, that conventional warfare will be acting as a force multiplier around cyber war and hence making cyber war as the primary means of achieving grand strategic objectives in the contemporary world order.
In the 2006 Quadrennial Defense Review, a request was made to have the Center for Technology and National Security Policy (CTNSP), National Defense University (NDU), develop a theory of cyberpower. It was noted that there was a need to develop a holistic framework that would enable policy makers to address cyber issues in proper perspective.
To satisfy that tasking, CTNSP convened five workshops, drawing on experts from government, industry, academia, and think tanks. Those workshops addressed a broad set of issues related to the evolution of cyberspace, cyberpower, cyberstrategy, and institutional factors that influence those factors (e.g., governance, legal issues).
To develop the desired theory, this paper systematically addresses five key areas. First, the paper defines the key terms that are associated with cyber issues. Particular emphasis is placed on the terms “cyberspace”, “cyberpower”, and “cyberstrategy”. Second, the paper categorizes the elements, constituent parts, and factors that yield a framework for thinking about cyberpower. Third, the paper explains the major factors that are driving the evolution of cyberspace and cyberpower. To support that effort, the paper presents strawman principles that characterize major trends. Fourth, the paper connects the various elements of cyberstrategy so that a policy maker can place issues in proper context. Finally, the theory anticipates key changes in cyberspace that are likely to affect decision making.
In view of the dramatic changes that are taking place in cyberspace, it is important to stress that this effort must be regarded as a preliminary effort. It is expected that the theory will continue to evolve as key technical, social, and informational trends begin to stabilize.
Cyberspace offers the prospect of sub rosa warfare, in which neither side acknowledges that they are in conflict with one another or even that one side has been attacked at all. This is possible for two reasons: first, because the battle damage from some types of cyber attack may not be globally visible, and second because attribution can be very difficult. The reason that both sides may keep matters sub rosa is to maintain freedom of actions, on the theory that public visibility may complicate negotiations and lead to escalation. Nevertheless, sub rosa warfare has it dangers, notably a lack of the kind of scrutiny that may promote actions which cannot bear the light of day, and the overconfident assumption that no third party is aware of what is going on between the hackers of both sides.
At the highest levels of national government, two of the most important decisions to get right are properly prioritizing among competing missions, and balancing between short-term and long-term objectives. The most consequential and highest risk threat is attack by one or more nation-states intent on projecting power, and who are willing to damage or destroy critical information infrastructure by cyber means in order to achieve this objective. Threat actors falling into this category have the necessary time, resources, sophistication, and access to do so. This category certainly includes cyber warfare. Today, nation-states are beginning to understand in concrete terms the potential benefits and costs of cyber attacks used as a means of projecting national power. It may not take a great deal of a nation's cyber resources, planning time, or technical access to achieve limited national objectives.
In the U.S., cyber defense of critical infrastructures is largely a homeland security mission. It may be that defense always lags the most potent offense. But the goal is an effective defense, not a perfect one. To get ahead of the most serious national cybersecurity risks, including that of cyber warfare, a country's cybersecurity leadership must seek an appropriate balance of resources, energy, and focus between those threats that are most frequent and those that are most consequential. The historical bias in dealing with cyber risk has been to look at it through the lens of commerce, not national security – and to reinforce the emphasis on short-term thinking rather than long-term strategy. One way to overcome this bias is simply to emphasize efforts that mitigate the most consequential risks. A nation's cyber leadership could decide, for example, that it should apply significant early resources to mitigating the national security risk associated with defending critical infrastructure against nation-state threats.
This paper discusses the concept of terrorism, who the terrorists are and develops an understanding of why they conduct the activities they do. Understanding the mens rea of the attacker will allow consideration of the type of attack they may plan and the effect they are likely to try and achieve. It looks at the main motivations of terrorist groups and discusses their use of the Internet for various aspects of a terrorist campaign such as propaganda and recruitment. It will consider the various tactics that have been used and how the Internet has provided a new opportunity for terrorists to conduct their campaigns and how it has been adapted by them for their purposes. It examines the potential threat of a cyber attack by terrorist organizations and how they can use the Internet and Cyber Space to attack a target with similar results to a conventional physical attack. The paper will briefly discuss some of the possible defences against this form of terrorism.
The new US administration has begun efforts to securitize the substantial problems the United States is currently facing in cyberspace. Recently, President Obama ordered his National Security Council to conduct a rapid review of existing measures being undertaken by the federal government, and provide recommendations for additional ones. Many stakeholders in the US government and private industry are watching these actions closely as there seems to be broad acceptance that the issues call for more extensive security measures. However, many issues will complicate effective securitization of threats in cyberspace. For example, not all stakeholders agree on the priorities or where the focus of security measures should be yet cyber security is a “trans-sovereign” issue affecting both developed and developing countries in an interdependent manner.
Because actors in cyberspace enjoy relative anonymity and can threaten interconnected targets around the globe, there is considerable debate as to whether the concept of borders is relevant to the challenges of cyber security. Regardless the focus of the debate, the concept of borders is important because they define the territory in which national governments can employ sovereign measures. To analyze borders in the context of cyber security, this paper asks the question, “Is there an important role for the concept of borders, if not physical lines, in improving national security in cyberspace?” To explore the question, the paper takes two approaches. The first is a comparison of the cyber security issues to international drug trafficking in an effort to explore how sovereign measures used to combat drug trafficking may be applicable to improving cyber security. The second approach is an examination of the issue from the perspective of the Heal and Kunreuther Inter-Dependent Security Model with an attempt to inform the cyber security decision process of national governments as they consider options to invest in a higher level of security.
The paper will argue that, whether the problem is addressed from the standpoint of criminal behavior like drug trafficking, or cyber attacks in an interdependent, global domain, borders can be a potentially useful construct to address cyber security issues and inform national policy decisions, regardless of the physical location of relevant nodes. However, sovereign powers must be careful not to use the concepts of borders to curtail the progress our nations have made to connect and better the world via this evolving and expanding environment.
With two years having passed since the infamous cyber conflict between Estonia and Russia, international society still lacks a coherent set of principles, rules, and norms governing state security and military operations in cyberspace. For parties committed to promoting the cause of peace and stability in a multipolar world, this is a troubling notion since history shows that the likelihood of a new arms race is high when disruptive technologies dramatically alter the means and methods of war. As more nations aspire to project national power in cyberspace, a new digital arms race appears to be imminent if not already upon us. Thus, there is a central question confronting international society and more specifically the diplomatic community in cyberspace: What steps can be taken both today and into the future to forestall a major arms race and interstate competition in cyberspace? In order to begin addressing this complex question from the perspective of the Euro-Atlantic Community, this paper discusses both the challenges and opportunities of regulating 21st century cyber warfare. The paper is divided into three sections. Section 1 examines the evolution of the laws of armed conflict (LOAC) since the late 19th century. Section 2 examines how the LOAC apply to cyber warfare as viewed primarily from a US perspective (since US scholars have dominated the international regime discourse thus far). Section 3 examines what is needed to create a global regime for cyber warfare and specifically the role that NATO and the Euro-Atlantic Community can play.
For more than a decade, leading experts in government and industry have warned of an impending Cyber Pearl Harbor, a surprise electronic attack with the potential to neutralize U.S. military power and cause massive disruptions in U.S. and global computer networks. This is a powerful historical analogy – but is it the right one? This paper articulates a framework to better explore and examine the use of historical analogies in their application to conflict in cyberspace. The resulting analysis does not seek to argue the Pearl Harbor analogy is a bad one. Quite to the contrary – our thesis is that while a cyber Pearl Harbor remains a possibility, is should not be treated by decision makers as an inevitability and that there may be equally powerful historical analogies to guide future cyber strategies.
Recent discussions regarding the emerging field of cyber warfare have focused on the term “cyberspace,” and have included cyberspace as being considered its own war fighting domain, much like air, land, sea, and space. In this stage of the Information Age, the international community is grappling with whether it needs to define this information realm as a domain, similar to the air, land, sea, and outer space domains that already exist. History shows that there is always an advantage in a conflict to the side that understands and operates within a domain better than the opponent. In this paper, the authors propose a definition of a domain, define what constitutes a domain, posit how new domains are created over time, and describe the features of what is and is not a domain. These definitions and features lead to our proposal that the “Information Sphere” should the preferred international term, and it is this “InfoSphere” that qualifies as a new domain, with features both similar to and different from the four existing physical domains.
This text will cover the operational and tactical techniques used in a “real world” cyber-attack and includes an analysis of the planning, command, control, execution, and outcome of these cyber-attacks. The text focuses on the cyber-attacks against the nation state of Georgia in 2008, as the author was in a unique position to observe the communications, execution, and responses from both attacking and defending entities. The various aspects of the attacks will be described and linked back to traditional concepts of Maneuver Warfare as described in Marine Corps Doctrinal Publication 1 (MCDP-1).
During the first decade of the 21st century, Internet censorship in Belarus has evolved into a government tool used to combat political dissent. State-sponsored denial of service (DoS) attacks against civil society have become a domestic crisis that threatens not only freedom of expression in Belarus, but also the integrity of Internet resources throughout Europe. The ongoing cyber conflict between state and non-state actors in Belarus is analogous to the struggle between the Russian government and its internal adversaries in cyberspace. In this essay, we recount the history of cyber censorship and attacks against Charter '97, a popular Belarusian website, and discuss the effectiveness of countermeasures.
Cyberwarfare has been waged for well over a decade, utilizing methods such as website defacement, data leakage, and distributed denial of service attacks (DDoS). This paper focuses on the latter, attacks that are easily carried out and designed to overwhelm a victim's network with wasted traffic. The goal of a DDoS attack is to make the use of the network impossible for internal or external users. Through a brief examination of the history of these attacks, we find they previously were designed to inflict punitive damage on the victim but have since grown into sophisticated censorship tools. Our approach measure such attacks by looking at Internet backbone traffic, botnet activities, BGP routing changes, and community chatter about such attacks to provide a robust picture of politically targeted DDoS attacks. Our analysis indicates that most of the attackers are non-state actors but are able to fluidly utilize a growing botnet population to launch massive denial of service attacks. This finding has broad ramifications for the future of these attacks.
As cyberattacks become more frequent, they draw new attention in the media. Indeed, there has been a significant spike in journalistic coverage of cyberattacks and cybersecurity in the last year alone, making this particularly relevant now. The aim of this paper is to provide an overview of coverage and make suggestions for future journalists and policymakers to work better together to better understand this new threat.
Zombie armies – or botnets, i.e., large groups of compromised machines controlled remotely by a same entity – pose today a significant threat to national security. Recent cyber-conficts have indeed demonstrated that botnets can be easily turned into digital weapons, which can be used by cybercriminals to attack the network resources of a country by performing simple Distributed Denial-of Service (DDoS) attacks against critical web services. A deep understanding of the longterm behavior of botnet armies, and their strategic evolution, is thus a vital requirement to combat effectively those latent threats. In this paper, we show how to enable such a long-term, strategic analysis, and how to study the dynamic behaviors and the global characteristics of these complex, large-scale phenomena by applying different techniques from the area of knowledge discovery on attack traces collected on the Internet. We illustrate our method with some experimental results obtained from a set of worldwide distributed server honeypots, which have monitored attack activity in 18 different IP subnets for more than 640 days. Our preliminary results highlight several interesting findings, such as i) the strong resilience of zombie armies on the Internet, with survival times going up to several months; ii) the high degree of coordination among zombies; iii) the highly uneven spatial distribution of bots in a limited number of “unclean networks”, and iv) the large proportion of home users' machines with high-speed Internet connexions among the bot population.
Botnets, consisting of thousands of interconnected, remote-controlled computers, pose a big threat against the Internet. We have witnessed the involvement of such malicious infrastructures in politically motivated attacks more than once in recent years. Classical countermeasures are mostly reactive and conducted as part of incident response actions. This is often not sufficient. We argue that proactive measures are necessary to mitigate the botnet threat and demonstrate techniques based on a formalized view of botnet infrastructures. However, while being technically feasible, such actions raise legal and ethical questions.
The classic response to attack in computer networks has been to disconnect the effected system from the network, preserve the information on the system (including evidence of the attack for a forensic investigation), and restore the system. However, it can be argued that this type of response is not appropriate in many situations. This paper argues that understanding the adversary is essential to effective defence. Instead it may be appropriate to respond with a Network Counter-Surveillance Operation to observe the activity of the attacker. The aim of this research is to enable this new kind of operation through the identification and development of the new tools and techniques required to carry it out. This paper is an omnibus presentation of a group of research projects associated with satisfying this aim, namely tools to help observe the attacker's actions on the compromised system, tools to provide a realistic environment on the compromised system, and tools to mitigate the risks associated with the attacker's use of the compromised system. The argument for the tools and techniques described is presented in the context of an illustrative Network Counter-Surveillance Operation.
Computer Network Defence is concerned with the active protection of information technology infrastructure against malicious and accidental incidents. Given the growing complexity of IT systems and the speed at which automated attacks can be launched, implementing timely and efficient network incident mitigating actions, whether proactive or reactive, is a great challenge. We refer to the automation of action selection and implementation in this domain as Autonomic Computer Network Defence. In this work, we suggest that Autonomic Computer Network Defence can be achieved using Reinforcement Learning and dynamic risk assessment to learn the optimal action sequence, or policy, to recover from given computer network risk situations. Such a policy could then be used by commercial network management and security products to implement selected mitigating actions automatically, as risk states are sensed.
Timely and appropriate reactions to detected denial-of-service attacks against computer networks are crucial in both civilian and military settings. GrADAR is an intuitive graph-based approach for assessing the effects of DoS attacks against computer networks so that response measures can be automatically selected without human intervention. However, GrADAR has limitations insofar as implicit effects of countermeasures are only taken into account by propagation towards user nodes. Possible effects in the other direction are only considered if they are explicitly specified. For this, they need to be exactly known in advance which is often infeasible. This contribution presents an extension to GrADAR, in which we consider resource workload and processing capabilities and their effects on resource availability. We incorporate workload measurements into the GrADAR model which are done by passive analysis of network traffic. We further augment the active availability probes with passive measurements. This ensures more accurate availability values because additional measurement traffic that might falsify results only needs to be injected when resources are currently not accessed.
An nth order attack seeks to degrade, disable or subvert an end system indirectly by targeting one or more end mission-sustaining ancillary systems. We discuss the vulnerability etiology enabling such attacks. We illustrate the notion of these attacks with concrete historical, current and forward-looking examples; also in the context of cyberwar against advanced computerized societies. We sketch the challenges and requirements to detect and mitigate the effects of nth order attacks.
This paper gives an analytical method to determine the economic and indirect implications of denial of service and distributed denial of service attacks. It is based on time preference dynamics applied to the monetary mass for the restoration of capabilities, on long term investments to rebuild capabilities, and of the usability level of the capabilities after an attack. A simple illustrative example is provided for a denial of service on a corporate data centre. The needed data collection methodologies are categorized by classes of targets. The use of the method is explained in the context of legal or policy driven dissuasive, retaliation or compensation/ restoration actions. A concrete set of deployment cases in the communications service and transport industries is discussed. The conclusion includes policy recommendations as well as information exchange requirements.
It is increasingly difficult to separate ‘cyberspace’ from what we think of as the ‘real world’. Human beings respond to stimuli from both. Threats to persons, organizations, and governments require timely and accurate evaluation, but cyber attackers can exploit the imperfect and maze-like architecture of the Internet to make threat evaluation difficult. In cyberspace, it is possible to create fraudulent online identities – potentially millions of them – that could programmatically support any personal, political, or military agenda. In the future, computer botnets may evolve from spam and Distributed Denial of Service (DDoS) generators to semantic creatures that can post opinions, arguments and threats on the Internet. Counterfeit identities on the World Wide Web (WWW), complete with randomized or stolen biographies, pictures, and multi-year histories of Internet activity, will be difficult to separate from real human beings because there is no quick way to determine whether a virtual person really exists.