Cyber War: The Next Threat to National Security and What to Do About It


by Richard A. Clarke


  What has happened, often weeks or months before a botnet went on the offensive, is that a computer’s user went to an innocent-looking webpage and that page secretly downloaded the software that turned their computer into a zombie. Or they opened an e-mail, perhaps even one from someone they knew, that downloaded the zombie software. Updated antivirus or firewall software may catch and block the infections, but hackers are constantly discovering new ways around these defenses.

  Sometimes the zombie computer sits patiently awaiting orders. Other times it begins to look for other computers to attack. When one computer spreads its infection to others, and they in turn do the same, we have the phenomenon known as a “worm,” the infection worming its way from one computer through thousands to millions. An infection can spread across the globe in mere hours.

  In Estonia the DDOS was the largest ever seen. It appeared that several different botnets, each with tens of thousands of infected machines that had been sleeping, were now at work. At first, the Estonians thought that the takedown of some of their webpages was just an annoyance aimed at them by outraged Russians. Then the botnets started targeting Internet addresses most people would not know, not those of public webpages, but the addresses of servers running parts of the telephone network, the credit-card verification system, and the Internet directory. Now over a million computers were engaged in sending a flood of pings toward the servers they were targeting in Estonia. Hansapank, the nation’s largest bank, was staggered. Commerce and communications nationwide were being affected. And the attacks did not stop.

  In most previous eruptions of a DDOS attack, one site would be hit for a few days. This was something different. Hundreds of key sites in one country were being hit week after week, unable to get back up. As Internet security experts rushed to Tallinn from Europe and North America, Estonia brought the matter before the North Atlantic Council, the highest body of the NATO military alliance. An ad hoc incident response team began trying countermeasures that had been successful in the past with smaller DDOS attacks. The zombies adapted, probably being reprogrammed by the master computers. The attacks continued. Using trace-back techniques, cyber security experts followed the attacking pings to specific zombie computers and then watched to see when the infected machines “phoned home” to their masters. Those messages were traced to controlling machines, and sometimes further traced to higher-level controlling devices. Estonia claimed that the ultimate controlling machines were in Russia, and that the computer code involved had been written on Cyrillic-alphabet keyboards.
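The trace-back described above, reduced to a small worked example that is added here and is not from the book: given flow records, first find the sources flooding the victim, then look for regular “phone-home” connections from those same sources to a common destination, which is the candidate controller. The flow records are constructed, and the addresses (victim 203.0.113.10, controller 198.51.100.7, zombies in 192.0.2.0/24) come from the reserved documentation ranges. It assumes a vantage point, such as an upstream ISP, that can see the zombies’ outbound traffic as well as the inbound flood; a victim watching only its own edge sees the flood but not the beacons, which is why the Estonian investigators needed cooperation from other networks.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical addresses from the documentation ranges (RFC 5737). Constructed, not real.
VICTIM = "203.0.113.10"   # flooded Estonian server
C2 = "198.51.100.7"       # controller the zombies phone home to


def make_flows():
    """Constructed flow records: (t_seconds, src, dst, dport). Not captured data."""
    flows = []
    zombies = ["192.0.2.%d" % i for i in range(1, 6)]
    for z in zombies:
        # The flood: one flow per second to the victim for ten minutes.
        for t in range(0, 600):
            flows.append((t, z, VICTIM, 80))
        # The phone-home: a beacon to the controller every 60 seconds.
        for t in range(5, 600, 60):
            flows.append((t, z, C2, 443))
    # Background noise from a legitimate client that is not a zombie.
    flows.append((10, "192.0.2.50", VICTIM, 80))
    flows.append((12, "192.0.2.50", "198.51.100.99", 443))
    flows.append((300, "192.0.2.50", "198.51.100.99", 443))
    return flows


def attacking_sources(flows, victim, threshold=100):
    """Step 1: sources that sent at least `threshold` flows to the victim."""
    counts = defaultdict(int)
    for _, src, dst, _ in flows:
        if dst == victim:
            counts[src] += 1
    return {src for src, n in counts.items() if n >= threshold}


def is_periodic(times, min_beacons=4, max_jitter=0.2):
    """True when the gaps between contacts are nearly constant (a beacon, not browsing)."""
    times = sorted(times)
    if len(times) < min_beacons:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_jitter


def candidate_controllers(flows, zombies, victim, min_zombies=3):
    """Step 2: destinations that several zombies contact on a regular schedule."""
    contacts = defaultdict(lambda: defaultdict(list))  # dst -> src -> [t, ...]
    for t, src, dst, _ in flows:
        if src in zombies and dst != victim:
            contacts[dst][src].append(t)
    result = {}
    for dst, by_src in contacts.items():
        beaconers = {src for src, ts in by_src.items() if is_periodic(ts)}
        if len(beaconers) >= min_zombies:
            result[dst] = sorted(beaconers)
    return result


def trace_back(flows, victim):
    zombies = attacking_sources(flows, victim)
    return zombies, candidate_controllers(flows, zombies, victim)


if __name__ == "__main__":
    zombies, controllers = trace_back(make_flows(), VICTIM)
    print(len(zombies), "zombies; candidate controllers:", controllers)
```

Two caveats a practitioner would add: the flood sources are only usable as zombies if they are not spoofed, which the handshake-based attacks on Estonia largely were not; and a controller found this way is often itself a compromised machine one hop below the real operator, which is why the text speaks of tracing “sometimes further” to higher-level devices.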

  The Russian government indignantly denied that it was engaged in cyber war against Estonia. It also refused Estonia’s formal diplomatic request for assistance in tracing the attackers, although a standing bilateral agreement required Moscow to cooperate. Informed that the attacks had been traced back to Russia, some government officials admitted that it was possible perhaps that patriotic Russians, incensed at what Estonia had done, were taking matters into their own hands. Perhaps.

  But even if the “patriotic Russians” theory were to be believed, it left unanswered the question of why the Russian government would not move to stop such vigilantism. No one doubted for a minute that the KGB’s successors had the ability to find the culprits and to block the traffic. Others, more familiar with modern Russia, suggested that what was at work was far more than a passive Russian police turning a blind eye to the hooliganism of overly nationalistic youth. The most adept hackers in Russia, apart from those who are actual government employees, are usually in the service of organized crime. Organized crime is allowed to flourish because of its unacknowledged connection to the security services. Indeed, the distinction between organized criminal networks and the security services that control most Russian ministries and local governments is often blurry. Many close observers of Russia think that some senior government officials permit organized crime activity for a slice of the profits, or, as in the case of Estonia, for help with messy tasks. Think of Marlon Brando as the Godfather saying, “Someday…I will call upon you to do a service for me…”

  After Bronze Night, the Russian security services had encouraged domestic media outlets to whip up patriotic sentiment against Estonia. It is not a stretch to imagine that they also asked organized crime groups to launch the hackers in their employ, perhaps even giving those hackers some information that would prove helpful. Did the Russian government security ministries engage in cyber attacks on Estonia? Perhaps that is not the right question. Did they suggest the attacks, facilitate them, refuse to investigate or punish them? And, in the end, does the distinction really matter when you are an Estonian unable to get your money out of a Hansapank ATM?

  Following the cyber attack, NATO moved to create a cyber defense center. It opened in 2008, a few miles from the site where the giant bronze soldier had originally stood. On the original site of the bronze soldier there is a nice little grove of trees now. Unfortunately, the NATO center in Tallinn was of little use when another former Soviet republic, Georgia, and Mother Russia got into a tussle over some small disputed provinces.

  The Republic of Georgia lies directly south of Russia along the Black Sea, and the two nations have had a decidedly unequal relationship for well over a century. Georgia is geographically slightly smaller than the state of South Carolina and has a population of about four million people. Given its location and size, Georgia has been viewed by Moscow as properly within the Kremlin’s “sphere of influence.” When the original Russian empire began to disintegrate after the Russian Revolution, the Georgians tried to make a break for it while the Russians were too busy fighting each other, declaring Georgian independence in 1918. As soon as the Russians finished fighting each other, however, the victorious Red Army quickly invaded Georgia, installed a puppet regime, and made Georgia part of the Union of Soviet Socialist Republics. Soviet control of Georgia lasted until 1991, when, as the central Russian government was again in turmoil, Georgia once more took the opportunity to declare independence.

  Two years later, Georgia lost control of two territories, South Ossetia and Abkhazia. Supported by Moscow, the local Russian populations in those territories succeeded in defeating the ragtag Georgian army and expelling most Georgians. The territories then set up “independent” governments. Although still legally part of Georgia as far as the rest of the world was concerned, the regions relied on Russian funding and protection. Then, in July 2008, South Ossetian rebels (or Russian agents, depending upon whose version of events you trust) provoked a conflict with Georgia by staging a series of missile raids on Georgian villages.

  The Georgian army, predictably, responded to the missile strikes on its territory by bombing the South Ossetian capital city. Then, on August 7, Georgia invaded the region. Not surprised by this turn of events, the Russian army moved the next day, quickly ejecting the Georgian army from South Ossetia. Precisely at the same time that the Russian army moved, so did its cyber warriors. Their goal was to prevent Georgians from learning what was going on, so they launched DDOS attacks against Georgian media outlets and government websites. Georgia’s access to the CNN and BBC websites was also blocked.

  In the physical world, the Russians also bombed Georgia and took over a small chunk of Georgian territory that was not in dispute, allegedly to create a “buffer zone.” While the Georgian army was busy getting routed in Ossetia, rebel groups in Abkhazia decided to take advantage of the situation and push out any remaining Georgians, with a little help from their Russian backers. The Russian army then took another little slice of Georgian land, as an additional buffer. Five days later, most of the fighting was over. French President Nicolas Sarkozy brokered a peace agreement in which the Russians agreed to withdraw from Georgia immediately and to leave the disputed territories once an international peacekeeping force arrived to fill the security vacuum. That force never arrived, and within a few weeks Russia recognized South Ossetia and Abkhazia as independent states. The declared independent states then invited their Russian benefactors to stay.

  To most in the U.S., except then presidential candidate John McCain, who tried to portray it as a national security crisis for America, all of this activity in Georgia seemed remote and unimportant. As soon as most Americans reassured themselves that the news reports they heard about the invasion of Georgia did not really mean Russian army troops or General Sherman again marching on Atlanta, they tuned out. The event’s true significance, beyond what it revealed of the Russian rulers’ thinking about their former empire, lies in what it exposed of their attitudes toward the use of cyber attacks.

  Before fighting broke out in the physical world, cyber attacks hit Georgian government sites. In the initial stages, the attackers conducted basic DDOS attacks on Georgian government websites and hacked into the web server of the President’s site to deface it, adding pictures that compared the Georgian leader, Mikheil Saakashvili, to Adolf Hitler. It had seemed trivial, even juvenile, at first. Then the cyber attacks picked up in intensity and sophistication just as the ground fighting broke out.

  Georgia connects to the Internet through Russia and Turkey. Most of the routers in Russia and Turkey that send traffic on to Georgia were so flooded with incoming attacks that no outbound traffic could get through. Hackers seized direct control of the rest of the routers supporting traffic to Georgia. The effect was that Georgians could not connect to any outside news or information sources and could not send e-mail out of the country. Georgia effectively lost control of the nation’s “.ge” domain and was forced to shift many government websites to servers outside the country.

  The Georgians tried to defend their cyberspace and engage in “work-arounds” to foil the DDOS attack. The Russians countered every move. Georgia tried to block all traffic coming from Russia. The Russians rerouted their attacks, appearing as packets from China. In addition to a Moscow-based master controller for all the botnets being used in the attacks, servers in Canada, Turkey, and, ironically, Estonia were also used to run botnets.

  Georgia transferred the President’s webpage to a server on Google’s Blogspot in California. The Russians then set up mock presidential sites and directed traffic to them. The Georgian banking sector shut down its servers and planned to ride out the attacks, thinking that a temporary loss of online banking was a better bargain than risking the theft of critical data or damage to internal systems. Unable to get to the Georgian banks, the Russians had their botnets send a barrage of traffic to the international banking community, pretending to be cyber attacks from Georgia. The attacks triggered an automated response at most of the foreign banks, which shut down connections to the Georgian banking sector. Without access to European settlement systems, Georgia’s banking operations were paralyzed. Credit card systems went down as well, followed soon after by the mobile phone system.
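The self-inflicted cutoff described above is a failure mode worth seeing in code. What follows is an added example, not the book’s account of any bank’s actual logic: it models the foreign banks’ automated response as a counter of connection attempts per source /24 and shows how a flood whose source addresses are forged inside a partner’s range trips it, then contrasts a counter that only credits connections that completed the TCP three-way handshake, which an off-path spoofer cannot complete because the SYN-ACK goes to the forged address, not to the attacker. The partner range 192.0.2.0/24 (a documentation block) and the traffic mix are constructed assumptions; the assumption that the forged traffic was a spoofed SYN flood is mine, the book says only that it pretended to come from Georgia.

```python
import ipaddress
from collections import defaultdict

# Hypothetical Georgian bank range, taken from the TEST-NET-1 documentation block.
PARTNER_NET = ipaddress.ip_network("192.0.2.0/24")


def make_traffic():
    """Constructed events: (source_ip, completed_handshake). Not captured data."""
    events = []
    # Legitimate settlement traffic: a handful of connections that all complete the handshake.
    events += [("192.0.2.10", True)] * 20
    # Spoofed SYN flood: forged sources spread across the partner's range, none completes.
    events += [("192.0.2.%d" % (20 + i % 200), False) for i in range(5000)]
    return events


def net24(ip):
    return ipaddress.ip_network(ip + "/24", strict=False)


def naive_blocker(events, threshold=1000):
    """Counts every connection attempt by claimed source /24.
    The source address of a bare SYN is attacker-controlled, so this trusts the attacker."""
    attempts = defaultdict(int)
    for src, _ in events:
        attempts[net24(src)] += 1
    return {net for net, n in attempts.items() if n >= threshold}


def handshake_aware_blocker(events, threshold=1000):
    """Counts only connections that completed the three-way handshake.
    An off-path spoofer never sees the SYN-ACK, so forged sources never accumulate."""
    established = defaultdict(int)
    for src, completed in events:
        if completed:
            established[net24(src)] += 1
    return {net for net, n in established.items() if n >= threshold}


if __name__ == "__main__":
    traffic = make_traffic()
    print("naive blocker cuts off:", naive_blocker(traffic))          # the partner's range
    print("handshake-aware blocker cuts off:", handshake_aware_blocker(traffic))  # nothing
```

The handshake-aware version does not make the flood go away; a SYN flood still burns connection state, and that is handled by SYN cookies and upstream scrubbing. Its point is narrower: an automated blocklist should never be driven by an unauthenticated source field, because that turns the defense into a tool the attacker can aim at whichever partner they choose to impersonate, which is exactly what happened to the Georgian banks.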

  At their peak, the DDOS attacks were coming from six different botnets using both computers commandeered from unsuspecting Internet users and from volunteers who downloaded hacker software from several anti-Georgia websites. After installing the software, a volunteer could join the cyber war by clicking on a button labeled “Start Flood.”

  As in the Estonian incident, the Russian government claimed that the cyber attacks were a populist response that was beyond the control of the Kremlin. A group of Western computer scientists, however, concluded that the websites used to launch the attacks were linked to the Russian intelligence apparatus. The level of coordination shown in the attacks and the financing necessary to orchestrate them suggest this was no casual cyber crusade triggered by patriotic fervor. Even if the Russian government were to be believed (namely, that the cyber storm let loose on Georgia, like the previous one on Estonia, was not the work of its official agents), it is very clear that the government did nothing to stop it. After all, the huge Soviet intelligence agency, the KGB, is still around, although with a slightly different organizational structure and name. Indeed the KGB’s power has only increased under the regime of its alumnus, Vladimir Putin. Any large-scale cyber activity in Russia, whether done by government, organized crime, or citizens, is done with the approval of the intelligence apparatus and its bosses in the Kremlin.

  If it was, as we suspect, effectively the Russian government that asked for the “vigilante” DDOS and other cyber attacks as a stand-alone punishment of Estonia and later conducted them as an accompaniment to kinetic war on Georgia, those operations do not begin to reveal what the Russian military and intelligence agencies could do if they were truly on the attack in cyberspace. The Russians, in fact, showed considerable restraint in the use of their cyber weapons in the Estonian and Georgian episodes. The Russians are probably saving their best cyber weapons for when they really need them, in a conflict in which NATO and the United States are involved.

  For years U.S. intelligence officials had thought that if any nation were going to use cyber weapons, even in the small ways demonstrated in Estonia and Georgia, the likely first movers would be Russia, China, Israel, and, of course, the United States. The nation that joined that club in the summer of 2009 came as a surprise to some.

  It was a little after seven p.m. in Reston, Virginia, on the last Monday in May 2009. Outside, the rush-hour traffic was beginning to thin on the nearby Dulles Airport Access Road. Inside, a flat screen at the U.S. Geological Survey had just indicated a 4.7 magnitude earthquake in Asia. The seismic experts began narrowing in on the epicenter. It was in the northeastern corner of the Korean Peninsula, specifically forty-three miles from a town on the map called Kimchaek. The data showed that there had been a similar event very nearby in October 2006. That one had turned out to be a nuclear explosion. So did this one.

  After years of negotiating with the U.S., as well as with China and Russia, the weird, hermetic government of North Korea had decided to defy international pressure and explode a nuclear bomb, for the second time. Their first attempt, three years earlier, had been characterized by some Western observers as something like a “partial fizzle.” In the ensuing hours after this second blast, U.S. Ambassador to the United Nations Susan E. Rice was attached to the phone in her suite at New York’s Waldorf Towers. She consulted with the White House and the State Department, then she began to call other UN ambassadors, notably the Japanese and South Koreans. The South Korean who is the head of the UN, Secretary General Ban Ki-moon, agreed to an emergency meeting of the Security Council. The outcome of that feverish round of diplomatic consultations was, eventually, further international condemnation of North Korea and further sanctions on the impoverished tyranny. A decade and a half’s worth of diplomacy to prevent a North Korean nuclear capability had come to naught. Why?

  Some observers of the Pyongyang government explained that the destitute North had no other leverage to extract concessionary loans, free food, and gifts of oil. It had to keep selling the same thing over and over, a promise not to go further with its nuclear capability. Others pointed to the rumored ill health of the strange man known in the North as the Dear One, Kim Jong-il, the leader of the Democratic People’s Republic of Korea. The tea-leaf readers believed that the Dear One knew that he was fading and had selected Number Three Son, Kim Jong-un, a twenty-five-year-old, to succeed him. To prevent the United States, or South Korea, from taking advantage of the transition period, the analysts claimed, the North believed it had to rattle its sabers, or at least its atoms. The pattern with North Korea in the past had been to threaten, get attention, give a taste of what awful things might happen, then offer to talk, and eventually to cut a deal to enrich their coffers.

  If the detonation was designed to provoke the United States and others to rush with offers of wheat and oil, it failed. Having condemned the explosion and announced the movement of defensive missiles to Hawaii, as June moved on, the U.S. leadership shifted its focus back to health care reform, Afghanistan, and self-flagellation over its own intelligence activities. Somewhere in the bureaucracy an American official publicly announced that the U.S. would again be conducting a cyber war exercise known as Cyber Storm to test the defense of computer networks. The 2009 exercise would involve other nations, including Japan and Korea, the one in the south. North Korean media soon responded by characterizing the pending exercise as a cover for an invasion of North Korea. That kind of bizarre and paranoid analysis is par for the course with North Korea. No one in Washington thought twice about it.

  As the July 4 break began in Washington, bureaucrats scattered to vacation homes on East Coast beaches. Tourists in Washington swarmed to the National Mall, where a crowd of several hundred thousand watched the “rockets’ red glare” of a sensational fireworks display, a signature of the Fourth of July holiday. On the other side of the world, the association of rockets and the Fourth was not lost on some in the North Korean leadership. In outer space, a U.S. satellite detected a rocket launch from North Korea. Computers in Colorado quickly determined that the rocket was short-ranged and was fired into the sea. Then there was another rocket launch. Then another and another. Seven North Korean rockets were fired on the Fourth of July. Whether a plea for help, or more saber rattling, it certainly seemed like a cry for attention. But that cry did not stop there. It moved into cyberspace.
