
Cyber Warfare


by Bobby Akart


  Cyberspace is essentially the same: it is an environment in which you operate. Instead of physically being somewhere, you are using computer equipment to interact over a network and connect to other resources that give you information. Instead of objects, like a car or a sofa, you have email, websites, games, and databases.

  Just like real life, most people you interact with are benign, but some are malicious. In the physical space, a vandal can pick up a spray paint can and tag your car. In cyberspace, a vandal can replace your website’s home page with a page of his own, which is known as web defacement. This is a cyber attack, and the vandal is a cyber-vandal.

  The graphic below illustrates the overall cyberspace environment, threat actors, and possible targets. To help you conceptualize this, think about the same model, but in a physical space.

  Take away the word cyber and you have warriors, terrorists, vandals, and spies that attack a variety of targets. The actual attack may look the same or similar coming from various threat actors, but goals, ideology, and methods differentiate them.

  An excellent definition of an attack that occurs in cyberspace comes from James Clapper, Director of National Intelligence: a non-kinetic offensive operation intended to create physical effects or to manipulate, disrupt, or delete data. DNI Clapper intentionally left this definition very broad. It does not attempt to attribute political ideologies, motivations, resources, affiliations or objectives. It merely states the characteristics and outcome of the intrusion, which is exactly what makes it useful as a starting point: attribution and motive can be argued about later, but the effect on the victim is observable now.

  Cyber attacks of varying degrees of destruction occur daily from a variety of actors. Some of the more recent high-profile incidents have been retail data breaches. Others, such as the Sony Pictures Entertainment hack, website vandalism and distributed denial-of-service (DDoS) attacks, are also cyber attacks under this definition, but they are not all data breaches: a defacement or a DDoS disrupts a service without necessarily exposing any data, while the Sony hack both destroyed systems and leaked data.

  That sets the groundwork: what a cyber attack is, and the environment, cyberspace, in which attacks are launched and experienced by the victim. This is the first step in dispelling myths, understanding risk, and learning what is possible—and not possible—when it comes to protecting your firm and the nation.

  Now the real fun begins: we’ll dissect the four most commonly confused terms: cyber terrorism, cyber vandalism, cyber espionage and cyber war. The objective is to dispel myths and, by establishing a shared understanding, provide a way for managers to cut to the chase and understand risk without all the FUD. The graphic below shows the four terms and their attributes at a glance.

  Now let’s dig into each definition and examine the fundamentals.

  Cyber Terrorism

  No one can agree on the appropriate definition of terrorism, and as such, the definition of cyber terrorism is even murkier. Ron Dick, former director of the FBI’s National Infrastructure Protection Center, defined cyber terrorism as a criminal act perpetrated through computers resulting in violence, death, and destruction, and creating terror for the purpose of coercing a government to change its policies.

  Many have argued that cyber terrorism does not exist because cyberspace is an abstract concept, whereas terror in a shopping mall is a very real, quantifiable event that can lead to bodily harm for the average citizen. The term cyber terrorism has been used (and misused) so many times to describe an ordinary cyber attack that it has almost lost the impact its real-world counterpart maintains.

  According to US Code, Title 22, Chapter 38 § 2656f(d), terrorism is defined as premeditated, politically motivated violence perpetrated against non-combatant targets by subnational groups or clandestine agents.

  By definition, then, a cyber terrorist attack must involve violence toward non-combatants and result in large-scale physical damage or comparable harm; data theft or a defaced web page does not qualify, however alarming it may be. Furthermore, it is often difficult to attribute motivations, goals and affiliations to cyber attacks, which makes the terrorism label as hard to apply in cyberspace as it is for conventional acts of political violence.

  Based on publicly available knowledge, there are no known examples of cyber terrorism that meet this definition. It will happen – it just hasn’t happened yet.

  Cyber Vandalism

  There is no official U.S. government definition of cyber vandalism, although the President has used the term. Supreme Court Justice Potter Stewart’s famous observation applies: precise terminology may be hard to write down, but you know it when you see it.

  The traditional definition of vandalism from the Merriam-Webster dictionary is the willful or malicious destruction or defacement of public or private property.

  Cyber vandals usually perpetrate an attack for personal enjoyment or to increase their stature within a group, club or organization. They also act very overtly, wishing to leave a calling card so that the victim and others can assign responsibility; unlike a spy, a vandal wants to be noticed. Some conventional methods are website defacement, denial-of-service attacks, forced system outages and data destruction.

  Here is an example from the hacktivist group Anonymous.

  The following are a few examples of cyber vandalism from Wikipedia:

  Anonymous DDoS attacks on various targets, 2010-2012

  Operation Payback was a coordinated group of attacks on high-profile opponents of music and video file sharing. It began in September 2010 after anti-piracy firms working for copyright holders launched distributed denial of service (DDoS) attacks on torrent sites—websites that host metadata pointing to files shared across a vast number of peers. File-sharing proponents, organized under the Anonymous banner, decided to retaliate with DDoS attacks of their own on the most vocal piracy opponents. The initial reaction snowballed into a wave of attacks on major pro-copyright and anti-piracy organizations, law firms, and individuals.

  Lizard Squad DDoS attacks and website defacements in 2014

  Lizard Squad is a black hat hacking group, mainly known for claiming distributed denial-of-service (DDoS) attacks intended to disrupt online gaming services.

  On September 3, 2014, Lizard Squad falsely announced that it had disbanded only to return later on, claiming responsibility for a variety of attacks on prominent websites during the holiday season. Victims included the Sony PlayStation Network, the Xbox Live network, and online gaming participants of League of Legends and Destiny.

  Sony Pictures Entertainment in November 2014

  The Sony Pictures Entertainment hack was a release of confidential data belonging to Sony Pictures Entertainment on November 24, 2014. The data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of previously unreleased Sony films, and other information. The hackers called themselves the Guardians of Peace and demanded the cancelation of the planned release of the movie The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un. United States intelligence officials, evaluating the software, techniques, and network sources used in the hack, allege that the attack was sponsored by North Korea. Naturally, North Korea has denied all responsibility, and some cybersecurity experts have cast doubt on the evidence, alternatively proposing that current or former Sony Pictures employees may have been involved in the hack.

  The Sony Pictures case is an excellent example of the problems of attribution. The United States government, whose President quickly characterized the Sony attack as cyber vandalism rather than an act of war, launched an intense investigation. The FBI publicly blamed North Korea within weeks, yet because the supporting evidence was largely classified, outside experts continued to dispute the conclusion, and the question of blame was never put beyond argument.

  Cyber Espionage

  Much of what the public, politicians or security vendors attribute to cyber-terrorism or cyber war is cyber espionage, a real and quantifiable type of cyber attack that offers plenty of legitimate examples. An eloquent definition comes from James Clapper, Director of National Intelligence in which he refers to cyber espionage as intrusions into networks to access sensitive diplomatic, military, or economic information.

  There have been several high-profile cases in which hackers, allegedly sanctioned by the Chinese government, infiltrated US companies, including Google and The New York Times. The targets ranged from source code and corporate secrets in business sectors where China lags behind, to the email of journalists reporting on Chinese leaders. These are examples of corporate, economic or political espionage, and there are many more players – not just China.

  Cyber spies also work in a manner similar to the methods used throughout history. Sun Tzu devoted a chapter of The Art of War to the use of spies, and undercover espionage was prevalent in the Greek and Roman empires, employed by ancient governments to further political goals and gather information. Modern examples range from propaganda campaigns to malware specifically targeted against an adversary’s computing equipment.

  For example, Flame is a very sophisticated malware package that records audio through a PC’s microphone, takes screenshots, logs keystrokes, eavesdrops on Skype conversations, and sniffs network traffic. Iran and other Middle Eastern countries were targeted until the malware was discovered and made public in 2012. The United States is suspected as the perpetrator.

  After the WikiLeaks disclosures came the documents leaked by Edward Snowden in 2013, which revealed many eavesdropping and espionage programs conducted by the NSA against both US citizens and adversaries abroad. The programs, too numerous to name here, are broad and use a wide variety of methods and technologies.

  Cyber Warfare

  Nineteenth-century Prussian general and military theorist Carl von Clausewitz stated that war is merely the continuation of policy by other means. Today, rogue nations and a number of private actors use cyber intrusions as a means of attaining policy goals. These goals often include stealing sensitive corporate data, disrupting information technology systems, and reconnoitering the networks of potential military adversaries. In the same way that ships patrolling coastal waters or infantry prodding along ill-defined borders risked sparking conflict throughout modern history, today’s aggressive use of cyber operations has led to diplomatic clashes and the threat of escalation.

  Cyber warfare, utilizing the Clausewitz theories, is the use of computers by a nation state for an extended, cross-sector interruption of an opponent’s activities, especially through the use of deliberate attacks on their information technology or critical infrastructure systems. This definition excludes minor acts of cyber vandalism such as DDoS attacks, and also the collection of information from the adversaries’ network systems.

  Because no international treaty or established set of guidelines provides a broadly accepted definition, most writers limit the term cyber warfare narrowly, as above. That is still unsatisfying, because no definition can cover every contingency, and definitions are of limited use in the gray areas where most real incidents fall.

  International organizations and governments have taken various and often cryptic steps to try to define doctrine for their self-serving approach to cyber war.

  The Tallinn Manual, published in 2013 by a group of legal experts convened by NATO’s Cooperative Cyber Defence Centre of Excellence (an academic study, not official NATO doctrine), does not explicitly define the term, although it does distinguish between cyber warfare and cyber operations generally. In it, a cyber attack is defined as a cyber operation reasonably expected to injure or kill people or damage or destroy objects. NATO officials have since said that a cyber attack on one NATO member could be treated as the equivalent of an armed attack that would be responded to by all NATO allies, but the nature of the response will be decided by the allies on a case-by-case basis.

  President Obama issued a classified Presidential Policy Directive (PPD-20), signed in October 2012 and made public in 2013 through the Snowden leaks, that authorizes military and intelligence agencies to identify likely overseas targets for U.S. cyber attacks. The document permits military commanders to launch cyber attacks in response to the threat of an imminent attack or an emergency situation.

  Apparently, the U.S. is following the lead of the Israelis. The Israel Defense Forces say their military directives treat cyberspace like any other battlefield: ground, sea, air, and space. Israel acknowledges that it engages in cyber activity consistently and relentlessly, gathering intelligence and defending its cyberspace. The IDF unabashedly states it is prepared to use cyberspace if necessary to execute attacks and intelligence operations, both in defense and as part of its military capabilities.

  For more than ten years, China’s military doctrine has been relatively explicit on the issue of cyber warfare. China sees the use of cyber intelligence as a methodology whose primary purpose is to seize and maintain information dominance. Chinese military tacticians recommend the use of cyber weapons to deceive the enemy or apply psychological pressure on its adversaries.

  Russian operations in this area reflect a desire to disrupt the information systems of a nation-state while engaging in a disinformation campaign. Russian definitions avoid the term cyber, speaking instead of information warfare. This choice of words may indicate a preference for establishing control of internal and external messaging on issues of importance to Moscow. The importance of their messaging became evident in the Russia-Georgia war of 2008.

  Chapter Two

  Recent Cyber Skirmishes

  A nation’s intelligence services use cyber tools to conduct the sort of sensitive tasks that, until recently, were carried out by more traditional means of espionage—spies, commandos, or missiles. Two examples indicate how such actions can disrupt military and economic infrastructure as efficiently as kinetic strikes.

  In preparation for the Russia-Georgia war in August 2008, hackers covertly mapped and penetrated Georgia’s internet infrastructure and prepared an array of DDoS tools and other cyber weapons. Once the hot war began, the attacks took Georgian government websites and communications offline and disrupted the country’s financial system. The resulting uncertainty led to a de facto international banking quarantine as foreign lenders and payment processors, fearing infection from the attack, cut their connections to Georgian banks.

  The United States and Israel are widely reported to have designed the Stuxnet computer worm and introduced it into the industrial control systems of Iran’s nuclear program; the facilities were not connected to the internet, so the worm had to be carried in, for example on infected USB media. Stuxnet caused uranium enrichment centrifuges to spin outside their safe operating range while feeding normal readings back to the operators, so the resulting damage looked like a long series of unfortunate accidents. U.S. officials estimated that the Iranian nuclear program was set back by a couple of years.

  The use of cyber attacks can make espionage appear so widespread and systematic that it creates a climate of insecurity, resulting in increased public demands for a robust response. According to a 2013 study by the security firm Mandiant, a Chinese military cyber unit had conducted espionage operations against more than 140 organizations, most of them American, since 2006, pirating hundreds of terabytes of data. The unit, located in Shanghai, apparently operated without any human collaborators inside the targeted companies. The media broadly covered this report, coupled with other allegations of rampant Chinese cyber espionage. Enhanced public awareness played a role in the U.S. Department of Justice decision in 2014 to indict five Chinese military officers for cyber espionage. As a result of the public outcry, calls to engage in offensive cyber operations and take other stiff measures have increased.

  Then there are the hacktivists. Hacker groups with ambiguous relationships to nation-states often play a clandestine role in cyber warfare. They provide cover for a government’s cyber activities. They are useful cyber proxies in cyber warfare.

  The Russians are notorious for using criminal groups and other hackers with no overt links to the Russian Government. Russian cyber operations against Ukraine this year, Georgia in 2008, and Estonia in 2007 appear to have been carried out for the most part by unassociated hackers—although the affected governments and independent security researchers have charged a relationship exists.

  China apparently tolerates and encourages patriotic hackers who have disrupted the computer networks of U.S., Japanese, and other organizations at times of diplomatic tension.

  Finally, there is the Aramco cyber attack. Saudi Aramco, officially the Saudi Arabian Oil Company, is a Saudi Arabian national petroleum and natural gas company based in Dhahran, Saudi Arabia. In August 2012 hackers, believed by U.S. officials to be acting under the direction of the Iranian government, released a piece of destructive malware known as Shamoon into the energy giant’s corporate network. As with other Iranian operations, the attack was purportedly carried out by an independent hacker group, providing the government with deniability.

  Like many cyber intrusions, this one began with a single click: one of the computer technicians on Saudi Aramco’s information technology team opened a phishing email and followed a malicious link. The hackers were in.

  The actual attack began during the Islamic holy month of Ramadan, when most Saudi Aramco employees were on holiday. On the morning of Wednesday, Aug. 15, 2012, the few employees at work noticed their computers were acting strangely. Screens started flickering. Files began to disappear. Some machines just shut down without explanation.

  That morning, a group calling itself Cutting Sword of Justice claimed responsibility, citing ARAMCO 's support of the Al Saud royal family's authoritarian regime.

  "This is a warning to the tyrants of this country and other countries that support such criminal disasters with injustice and oppression," the group said.

  In a matter of hours, 35,000 computers were partially wiped or entirely destroyed. With no way to process payments, gasoline tank trucks seeking refills had to be turned away. Aramco’s ability to supply ten percent of the world’s oil was suddenly at risk.

  And one of the most valuable companies on Earth was propelled back into 1970s technology, using typewriters and faxes.

  In a frantic rush, Saudi Aramco’s computer technicians ripped cables out of computer servers at data centers all over the world. Every office was physically unplugged from the Internet to prevent the malware from spreading further.

  Oil production remained steady at 9.5 million barrels per day, according to company records. Drilling and pumping of petroleum were automated, but the rest of the operation was in turmoil. Managing supplies, shipping, contracts with governments and business partners—all of that was forced to happen on paper.

  Without the internet at the office, corporate email was gone. Office phones were dead. Employees wrote reports on typewriters. Contracts were passed around with interoffice mail. Lengthy, lucrative deals needing signatures were faxed one page at a time.

  The company temporarily stopped selling oil to domestic gas tank trucks. After 17 days, the corporation relented and started giving oil away for free to keep it flowing within Saudi Arabia.
