Cyber Warfare: Should We Be On The Offensive?

The world needs a treaty to prevent cyber attacks becoming an all-out war, the head of the main UN communications and technology agency warned Saturday.

“A cyber war would be worse than a tsunami — a catastrophe,” the UN official said, highlighting examples such as attacks on Estonia last year

Craig Mundie, chief research and strategy officer for Microsoft, said “there are at least 10 countries in the world whose internet capability is sophisticated enough to carry out cyber attacks … and they can make it appear to come from anywhere.”

Mundie and other experts have said there is a growing need to police the internet to clamp down on fraud, espionage and the spread of viruses.

There is much discussion of the changing dynamics and technologies of warfare, and references to cyber warfare in particular have increased recently. Many people in the information security industry believe that we have entered an era of ‘cyber warfare’ and that government leaders need to go on the cyber-offensive. Although future wars are expected to include cyber-targets of some form, the hype surrounding cyber warfare created by the IT industry simply isn’t justified.

Worse still, conjecture about cyber warfare can distract from an IT professional’s real concerns – responding to the less exciting but very real day-to-day threats.

These forms of attack are evidently a concern as the US government has appointed a cyber coordinator to provide guidance, and the Cooperative Cyber Defence Centre of Excellence (CCDCOE) has recently been set up by NATO. In the UK, the House of Lords has discussed a framework to protect the EU’s infrastructure. It has also been reported that the European Commission wants to introduce harsher penalties for cyber criminals, potentially increasing jail sentences to five years. However, what would a cyber attack look like, is it really feasible, and what is the real risk to IT?

One suggestion is that a cyber-attack would be in the form of a botnet, used offensively to disable another country’s computing infrastructure. Botnets are designed to direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. Col. Charlie Williamson, a US Air Force officer, recently told the BBC that his country should create an offensive botnet to target any forces that launch a cyberattack against it.

From the IT industry’s perspective, however, the concept of an offensive botnet has many drawbacks – logistical, technical, political and commercial – and could easily be abused. A ready-made tool to take control of, or disable, so many devices at once is the same as any other weapon: in the wrong hands it can be used against the infrastructure it was meant to defend. There is also doubt amongst IT professionals as to whether cyber warfare can really be developed to a military grade from a technical standpoint, whilst ensuring there are sufficient defensive methods preventing it.

Another form of cyber attack could be less to do with disabling devices and infrastructure, and more focused on accessing or destroying a nation’s data. For example, accessing confidential and classified information – this could be in the form of hacking but on a larger coordinated scale. Information can even be modified or updated without the target knowing. Any information that is not handled securely in the public or defence sector could be an easy target.

The idea of modifying data undetected can also be escalated into a more damaging form of attack, using hacking methods and viruses to take control of a nation’s IT infrastructure, and therefore take control of its utilities. For example, the US government has claimed its energy grid was potentially under threat through cybercrime, where computer systems could turn off electricity for an entire city.

Many IT security professionals generally lack the military and political expertise to make policy decisions on cyber warfare, even though some of them are qualified to discuss cybercrime. Cyber warfare and cybercrime are fundamentally different and require, in many cases, drastically different approaches. However, for IT specialists, there is a real day-to-day concern and requirement for the government’s understanding of these issues. Organisations should expect that they could be targets themselves; the attacks described above are not limited to the public sector.

The private sector could also be affected indirectly by outages of essential services, lack of electricity, payment systems and the internet. There are a lot of unknowns that IT executives cannot predict or control. One thing is certain: this should elevate network and systems monitoring as well as business continuity and disaster recovery to the highest priority. Whatever the situation, organisations should be able to restore normal operations as soon as possible and not lose any vital data due to an emergency of any kind.

The fact remains, however, that it is highly unlikely that we would experience warfare isolated only to the digital realm. Warfare has changed dramatically over the decades, but the realities of it haven’t, meaning a serious cyber attack would not be an isolated incident and it is highly likely to include some form of kinetic attack or response.

It serves little purpose to continue communicating the misinformation, propaganda, and fear that the industry currently seems to be embracing. So many in the information security industry are not adequately informed, nor do we possess the requisite experience to decide in what fashion the military should respond to protect our nation’s interests. Conversely, there is a lack of technical understanding within the US government that can adequately inform and provide guidance to deal with the emerging threats posed by interconnected digital assets with no physical boundaries. The solution is an understanding of how to protect against real, not imagined, threats and to create a foundation of cooperation that will enable rational discussion between public and private sector within our own national boundaries and in cooperation with our international allies.

9 thoughts on “Cyber Warfare: Should We Be On The Offensive?”

  1. Amrit, like most commentators, you seem to be talking in the traditional terms of warfare conducted by nation states against each other, whereas we are already experiencing a different form of warfare or terrorism conducted largely by factions and extremists, backed by organised criminals and by cults that are more international than national in scope and power base. While you are asking us to consider cyberwarfare [between nations], we are already experiencing cyberwarfare [between criminal gangs against ordinary individuals at one level, and against the financial industry, the digital economy and broader social systems at another]. Is cyberterrorism really any different to cyberwarfare, I wonder? At what point should we “declare” that cyberterrorism, phishing, malware, spam, industrial espionage and all that has crossed the boundary into cyberwar, especially if the perpetrators can’t simply be labelled according to nationality or religion? I’m beginning to doubt the whole concept that war has a start and end any more. There are, from time to time, going to be some extreme cyberincidents or cyberatrocities, war or no war.

    G.

    • Hey Gary,

      Thanks for your comments. Fundamentally I do not believe we are experiencing anything we should consider as warfare. We are experiencing organized criminal activity using the Internet and computing devices – that is just crime. We are experiencing the poking and prodding of information technology and their associated defenses between nation states and other bad actors that has occurred for centuries – that is just espionage. The fact that there is a new medium to conduct these activities doesn’t change their definition only the method in how one can carry out these activities. I don’t see how warfare would be any different.

      There is crime – some of it committed on/off the Internet using computers as part of the value chain. This is the responsibility of the law enforcement agencies best provisioned to deal with such activities, such as the FBI, DHS ICE, etc. There is espionage – some of it carried out using technology to gain information from technical sources. This is the responsibility of the intelligence agencies best provisioned to deal with such activities, such as the CIA, NSA, ONI, etc. There is warfare – which we are not experiencing, but if we were this would be the responsibility of the Defense department.

      The problem with lumping all criminal cyber activity, such as DDoS attacks, botnets, organized crime targeting financial institutions is none of that should be the domain of the Defense Department, we should not and cannot consider the resources the defense department is responsible for, namely kinetic weapons, as a tool in the arsenal against the type of activity we are currently seeing and it becomes very dangerous to call what we are experiencing warfare.

  2. Hey Amrit, from the title I thought you were going to advocate that the US be developing our own offensive “cyber attack” vectors and weapons. I think that kind of thing is already far underway. I would venture to guess even that we are probably more advanced in that than many would think. We are probably as nasty as the nastiest even.

    I like the term cyber attack rather than cyber war. Don’t compare the aurora stuff to a tsunami with hundreds of thousands dead.

    To me it is about espionage whether it be nation state to nation state or business to business or even religion to religion has been around thousands of years. It will always use the best technology available. Today this is computers.

    Technology will continue to advance and technology will help keep these attacks in check. When the priorities are put in place, I am sure we will see some real advances in anti-cyber attacks.

    a

  3. Pingback: Cyber Warfare: Should We Be On The Offensive? « Amrit Williams Blog - Hackers Today

  4. So, if you created a botnet to disable defenses, and it would be hard to limit it to disabling only the enemy’s defenses… is it feasible to create a cyber peacefare botnet to disable everyone? Now that has potential.

  5. The internet is both a wonderful and harmful place. While under the anonymous cover, people feel more inclined to post terrorizing or hateful organizations on MySpace, Facebook, or other social networking sites (possibly unaware of users finding their IP address). Not only is this action cowardly, it’s also despicable. However, without said sites, people could not keep in touch with college friends or distant relatives.

    I am in support of users finding these harmful sites and placing them on display for deletion. Cyber terrorism will only continue to grow as technology continues to advance, so it will be for the better if internet users are able to protect themselves and their loved ones as soon as possible. However, what bothers me is how advanced the internet has the potential to become. During the conflict between Russia and Georgia, members of each party participated in cyber warfare. While this type of warfare didn’t physically hurt anyone, it created nationwide embarrassment and anger. True, this is small in the grand scheme of things, but in a few years, what will prevent cyber terrorists from cutting other countries’ communications off? Cyber warfare becoming dangerous is highly probable.

    What we can do about this issue is debatable. People who have knowledge in computer hacking can be seen as valuable. The government could use these people to further protect government documents and try to debug any possible bugs in the system. However, it’s only reasonable to have an extensive background search on these individuals, for one can easily give someone information that isn’t for sharing. Maybe colleges will be established so this knowledge of computers can be expanded upon?

  6. Cyber Warfare will be yet another buzzword that big governments use to control citizens instead of serve and protect them.

    ie:

    We give up our rights, our privacy, our anonymity, and pieces of our freedom until there is nothing left in the name of “safety”. Safety starts with each person caring and taking responsibility.

    It’s like the frog in boiling water – if you heat the water slowly, it will just sit there, in “relative” comfort until it is dead. The water is already boiling!

    We need programs, training, and a de-vilification of “hacker” culture, methods, techniques. Hiding the “how” of how things are done and keeping people ignorant (media in general), then punishing the ones that excel by making them appear to be criminals (recent Goatse case for example) is going to leave us defenseless, and subject to the digital controls and subjugation of big brother.

    Thank you for the enlightening post – now what will be done with the information that you have provided? How many will read it and go, “yeah, not me, not my country”, then flip on the sitcom of the month and drink a beer, happy with status quo?

    It’s great the govt has a program for the “hacker” types and is doing something right. I feel that it’s not enough and it’s not fast enough.

    We need digital resources – a culture of intelligence to be bred, through school systems, training incentives and a REAL awareness of what is coming as well as funds (and jobs) that help fuel our knowledge of these types of attacks. I doubt that the “bad” guys have any lack of funding or knowledge available to them!

  7. People that create malicious software really piss me off. Of course, now it’s no longer just a challenge to corrupt someone’s computer – there is the profit incentive behind it also. When the scammers start making money, we all lose. I use Malwarebytes to keep that crap out of my computer.
