If current online skirmishes can’t be branded ‘war’, how soon before a major global conflict unfolds, asks Tom Brewster.
Say the words ‘cyber-warfare’ to most security professionals and it’s likely they will respond with a withering look. Say ‘cyber 9/11’ or ‘cyber Pearl Harbour’ and you can get ready for a verbal pummelling, maybe worse.
Such faux pas get the disrespect they deserve. For ‘war’ should only be used where there’s destruction of property or lives, according to Peter Sommer, who drew up a document on cyber-warfare for the OECD in 2011, and who specializes in cybersecurity and digital evidence at Leicester de Montfort and the Open University.
“The word ‘war’ itself has gotten devalued,” he tells Infosecurity. “When you talk about war, you talk about levels of destruction you’re seeing in Iraq or Gaza. That isn’t to say there aren’t very powerful cyber-weapons.”
Indeed, there have been many examples of states flexing their muscles when it comes to cyber power. Two stand out: the Stuxnet malware that disrupted uranium enrichment at an Iranian plant, and the 2008 distributed denial of service (DDoS) attacks on Estonia, which prevented the country from contacting networks outside its borders. Russia has always been suspect number one in the latter case, while the US and Israel have been blamed for the former.
Cyber + War = Cyber-war?
But neither case resulted in direct loss of life, nor genuine destruction. Both were related to tensions between the nations involved, but they were not conducting a war with each other at the time, nor have they since. “I define cyber-warfare as a part of warfare. If you’re not engaged in warfare, you’re not engaged in cyber-warfare,” says Jeffrey Carr, CEO and co-founder of physical and cybersecurity consultancy Taia Global.
If you follow that outlook, there are numerous examples of digital combat, says Carr. Cyber has been a part of the two most significant wars of 2014, at least according to Western eyes, with Israel and Hamas trading blows in Gaza, and Ukraine tussling with Russian-backed rebels.
DDoS attacks and website defacements appear to be the most popular tactics, though many may be coming from outside Israeli or Palestinian territory. Attacks on Mossad, the Israeli intelligence agency, and the country’s stock exchange are believed to have been carried out by the operators of the Brobot botnet, namely the Izz ad-Din al-Qassam Cyber Fighters, said to be backed by the Iranian government. The hacktivist collective Anonymous also took responsibility for a range of hits on Israel. Arbor Networks reported a rise in DDoS attacks on Israel between 1 June and 3 August 2014, rocketing from an average of 30 per day in June to 150 in July, peaking at 429 on July 21st. Little damage has been caused to Israel’s networks, however.
Similar attacks have been seen across Ukraine, including infections within the Ukrainian prime minister’s office and DDoS strikes which took out various government websites. Reports also claimed Ukrainian politicians were being spied on following an infiltration of telecoms systems.
Iraq has been a hive of malicious activity. Security firm Intel Crawler claimed in July that local groups within the country were attacking each other using a range of different Remote Access Trojans (RATs) and botnets. Much of the action took place in Baghdad, Basra, Mosul and Erbil, as the Islamic State of Iraq and the Levant (ISIS) began its offensive.
It’s understood the US used its cyber capabilities to great effect in Iraq before it removed troops. In 2012, Marine Lt. Gen. Richard P. Mills said: “I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber-operations against my adversary with great impact … I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”
Though none of these attacks had any apparent physical impact, it is evident that cyber is now a standard component of conflict.
“Given the computer controlled aspects of modern weapons and infrastructures, as well as the importance of networks in carrying command and control information, cyber will be a part of every single mission,” says Ed Skoudis, founder of CounterHack, which runs training for government digital defenders on protecting cities from hackers.
A Cold War
One could suggest digital espionage is an act of cyberwar, but Skoudis and many others don’t believe the two should be confused with one another. “That is a hugely controversial point. I've tried to wade into those waters myself by saying that ‘cyber-warfare’ requires some kinetic impact – that is, stuff breaks or blows up and people get hurt or killed,” Skoudis says.
“Drawing a line between espionage and warfare is an important thing to do, otherwise blurring the lines may make things spiral out of control – from mere espionage to a shooting war too quickly.” – Ed Skoudis, Founder of CounterHack
In light of Edward Snowden’s recent comments, this is even more pertinent.
In an interview with Wired, the world’s most famous whistleblower raised concerns around an NSA-run program called MonsterMind, a tool designed to block malicious traffic from abroad entering the country. It could also automatically return fire, though few details were given on how it worked. A separate US attempt to tamper with Syrian infrastructure resulted in downtime for the country’s internet in 2012, Snowden claimed. In its attempts to block and ward off cyber-espionage on its infrastructure, as well as spy on others, the NSA could start a real-world war, Snowden fretted.
His revelations, amongst others, have highlighted a growing predilection for cyber-capability across governments. That Skoudis is running CyberCity, a mock urban landscape replete with genuine industrial control systems ripe for hacking, shows how much the US cares. The UK and Japan have also shown an interest in the CyberCity initiative, Skoudis says. China has repeatedly been linked with sophisticated espionage campaigns, as has Russia.
Then there are the so-called ‘second-tier’ cyber powers, including Iran and North Korea. It’s generally accepted that almost everyone has a decent level of capability or could pay for it, so much so that destructive digital attacks are more than a possibility. “There is an ongoing cyber arms race in the world and it is accelerating. That is a fact,” says Jarno Limnéll, director of cybersecurity at McAfee and a doctor of military science. “I estimate there are around 10-15 countries who have the real capability and also doctrine for these kinds of strategic level cyber-attacks.”
Power Plays
So why aren’t they flexing their muscles more? Why has the big red button not yet been pushed? One reason could be that attacks on power plants or other critical infrastructure would be better done with real firepower, says Carr. Yet munitions cost a lot more than malware, which doesn’t come with as much potential political blowback, he notes.
The most likely reason is that there simply isn’t the political will to cross the Rubicon yet.
“Countries are very unwilling to expose [their] level of cyber capabilities, especially from the offensive point of view,” says Limnéll, who believes any show of digital power would escalate corporeal warfare.
There would be negative economic consequences of any attack that causes damaging kinetic activity too. “Although one can never discount the possibility of irrationality … if China attacked [the US] national power grid, they would be stupid to do so,” says Sommer, noting the high level of trade between the two countries.
One other reason for the limited examples of online warfare is a lack of understanding of the fallout from such cyber-attacks. The Stuxnet malware, though it was targeted in nature, infected a wide range of targets, including a Russian nuclear power plant and thousands of PCs. “You can control munitions better than you can malware,” adds Carr.
Sommer points out that one of the interesting things about cyber-weapons is that the bigger the likely effect, the more uncertain the outcome. “In that respect it’s a bit like using a nuclear weapon.”
Rules of Engagement
This lack of understanding can also be found in the legalese on cyber-warfare, or lack thereof. There are no agreements on the rules of engagement for digital conflict, despite repeated calls for action. The Tallinn Manual is the closest the world has to such a framework, though it’s just a set of guidelines written up for Nato’s Cyber Defence Centre of Excellence.
The document, launched in March last year, accepts that “cyber-operations alone might have the potential to cross the threshold of international armed conflict” and recommends avoiding targets that would affect civilians, including dams, dykes, nuclear electrical generating stations and hospitals.
But proper codification remains absent.
“There is no international organization that really has the power and the will to produce some kind of general guidelines in how we should behave in the cyber domain,” says Limnéll. He believes the US and China should move to write up the rules, in the hope that others will follow and adopt them.
Exploiting Military Tactics
For most onlookers, especially businesses, talk of cyber-warfare has become somewhat tiresome. In terms of defense, similar measures are needed to block out advanced attackers of all types, whether criminal, government or both.
“But by adopting military tactics, organizations can better protect themselves.” – Tom Cross, Director of Security Research at Lancope
For instance, the OODA loop, which was developed within the US Air Force as a strategy to observe, orient, decide and act, could be useful to businesses.
“Observe your environment, orient yourself within it, decide what you’re going to do and act on it. If you can do those things more quickly than your adversary, then you can really set them off balance,” says Cross.
Amidst the steady global build-up of digital weaponry and the polarised rhetoric, there are some instructive elements to the story of cyber-warfare.