-
The fog of (cyber) war – Annotated
-
Analysts and strategists gathered at the Cyber Warfare 2009 conference in London last January were grappling with some thorny problems associated with the cyberaggression threat. One that proved particularly vexing was the matter of exactly what constitutes cyberwarfare under international law. There’s no global agreement on the definitions of cyberwarfare or cyberterrorism, so how does a nation conform to the rule of law if it’s compelled to respond to a cyberattack?
- Cynical translation: How do we create a whole new class of reasons to use military force, all while making it seem as legitimate as possible? – post by TransTracker
-
Steven Chabinsky, senior cyberadvisor to the director of national intelligence.
-
While Chabinsky declined to be specific because of concerns about compromising intelligence-gathering methods, he affirmed that the U.S. has identified “a number of sophisticated nation-state actors who we believe have the capability to bring down portions of our critical infrastructure.” Fortunately, he added, “we don’t think they have the intent to do so, [since] our country would respond accordingly, and not necessarily symmetrically through cyber means.”
- An affirmation that the U.S. would conduct “cross-domain responses” as a result of a cyberattack. – post by TransTracker
-
“I think the primary cyber-risk to our critical infrastructure is from disgruntled employees who have insider knowledge and access,” Chabinsky says. “Insider threats can take advantage of the most serious vulnerabilities; in fact, they can create them. Could they sell their capabilities to a terrorist group? Certainly.”
- So is that really something that needs to become “militarized”–i.e. a security threat primarily within the purview of the national security community (military, intelligence, homeland security)? – post by TransTracker
-
“I would say that currently, organized criminal activity provides a more pervasive and damaging threat than organized terrorists,” says Mike Theis, who until recently served as chief of cyber counterintelligence at the National Reconnaissance Office (NRO), an agency of the U.S. Department of Defense.
- Sounds like a law enforcement issue. Again, is it appropriate to militarize the threat? – post by TransTracker
-
According to former NRO official Mike Theis, terrorists and criminals pose similar threats with respect to illicit profit generation. The following are some examples of activity these groups might aim to perpetrate:
- Theft of personal information that could be used for sale to the highest bidder or on an information exchange.
- Theft of trade secrets, intellectual property or superior business processes. “It could be something as simple as your customer list, but there is usually a lot more of value than that,” Theis says.
- Cyberhostage taking. If the contents of your entire hard drive were remotely encrypted by a hacker, would you pay $100 to get the decryption key? Would 10,000 people like you do the same?
- Cyberblackmailing. How much would you pay to prevent your family/customers/competitors/regulators from knowing something that was found on your computer?
- Cyberslaving. The perpetrator installs a back door or “loader” on your machine and sells it to the highest bidder. It would allow the buyer to install any type of software on that machine without being detected. “The last I heard, the average price was still about $1 per machine,” Theis says. “It’s not uncommon to see machines purchased in blocks of 10,000 or more in order to launch a denial-of-service attack.”
“So basically,” Theis says, “anything that can be done in the world of brick and mortar has some type of a cyber equivalent.”
- And in the world of brick and mortar, these would all be law enforcement issues, not military issues. – post by TransTracker
-
“There is reason to consider whether some nation-states lack the ability to control organized crime within their borders, lack the resources to control criminals who victimize people and businesses outside their borders, or suffer from corruption in which government officials are complicit in lucrative criminal schemes,” Chabinsky says.
- And here we have a reason to violate sovereignty, despite an ability to accurately determine from where an attack is being launched. Lack of knowledge can provide just as much justification as positive knowledge. Let’s say an attack is coming from computers in country X. Did country X’s government perpetrate the attack? Or was it country Y? At some level, it could be argued that it doesn’t matter. The computers in country X are the ones doing the damage, so take them out…either through retaliatory cyberstrikes, or through “cross-domain responses” in the form of airstrikes, EMP, etc. This is the beginning of the same kind of reasoning we saw regarding terrorism and sovereignty following 9/11. Either you are against us or with us. If you don’t have control of the terrorists in your country, then you are by default against us. Your lack of control is evidence that you have already lost your sovereignty and therefore we are justified in attacking you. In fact, we’re doing you a favor! Returning your otherwise hijacked country to you! Will we see the same kind of logic develop in regards to cyberwar? – post by TransTracker
-
Indeed, the role that hackers play on the cyberwarfare stage is widely underestimated. “I think that a big myth is that cybercrime is still about a 15-year-old kid doing Web defacements,” Chabinsky says.
In truth, the hacker element is gaining influence worldwide, and that influence is being targeted by governments.
-
“It seems ludicrous that countries that have stated their understanding of the importance of cyberconflict dominance and have dedicated resources to that effort would not use them in a decisive way, but [instead] would depend on patriotic hackers to just happen to get it right and just at the right time.”
Still, governments have every reason to want to strain the limits of credibility, Theis says. “It’s a nice myth to perpetuate if you’re trying to maintain plausible deniability.”
- So, lack of evidence is not only not evidence of lack. But lack of evidence is evidence of a cover-up, which is therefore evidence of state sponsorship. In short, lack of evidence is evidence. – post by TransTracker
Internet warfare: Are we focusing on the wrong things? – Annotated
-
A crystal-clear denouement of U.S. readiness to combat threats in cyberspace came at a hearing held March 10 by the U.S. House Committee on Homeland Security.
-
Adversaries, which include unfriendly governments and militaries, intelligence agencies, organized criminal groups and hacktivists, have by most accounts already penetrated U.S. government and private networks or are actively engaged in doing so.
-
Most of the efforts appear to be focused on leeching away secrets from public and private IT sectors for profit and for espionage.
-
The threat has not gone unnoticed. Earlier this month, Sens. Olympia Snowe (R-Maine) and Jay Rockefeller (D-W.Va.) introduced new legislation that would give the federal government sweeping new authority on the cybersecurity front.
The legislation would give the government a more direct role in developing and enforcing baseline standards, not just for agencies but also on companies in critical infrastructure areas such as financial services, utilities and health care. It would empower the president to declare a cyberemergency if needed and allow him to disconnect federal or private-sector networks in the interests of national security.
-
“Our digital infrastructure has become the most important underpinning of U.S. national and economic security,” says Amit Yoran, former director of the National Cybersecurity Division at the U.S. Department of Homeland Security (DHS).
-
A National Cyber Security Center (NCSC) that was set up within the DHS in January 2008 with the specific task of coordinating information security across the federal government has so far failed to get off the ground. In March, its first director, Rod Beckstrom quit the post after just a year on the job, citing a lack of support from within the DHS and turf wars with the National Security Agency (NSA).
-
The NSA, which is in charge of the Comprehensive National Cybersecurity Initiative (CNCI), has been jostling for broader control of the federal information security agenda.
-
Rather, the role of setting, overseeing and coordinating a national information security agenda needs to rest directly with the White House, according to the Center for Strategic and International Studies (CSIS) and others. The DHS and other federal agencies would then work with a new specially created White House Office of Cyberspace to roll out and manage security policy.
-
The CSIS, a Washington-based bipartisan think tank that in December submitted a set of security recommendations to President Obama, argues that such a strategy would require the government to declare its cyberinfrastructure a vital asset for national and economic security. It would then need to indicate its willingness to use all of the tools at its disposal — diplomatic, economic, military and intelligence — to protect that asset.
- You mean, like the one that we already have? The one created by the White House in 2003, but which is now gone from the White House website? Luckily, it is still available through the Internet Archive at http://web.archive.org/web/20080307022926/http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf. If it’s still the official policy of the United States Government, shouldn’t it still be available on the White House website? – post by TransTracker
-
James Lewis, director of the technology and public policy program at the CSIS.
-
Paul Kurtz, former special assistant to the president and senior director for critical infrastructure protection on the White House’s Homeland Security Council.
-
Kurtz, who is currently a partner at Good Harbor Consulting LLC.
-
The “digital Pearl Harbor” in which large swathes of the Internet would be taken down by adversaries to create widespread disruption is a possibility that needs to be prepared for, security analysts say. But far more likely and worrying are more focused attacks against critical infrastructure targets such as power, financial services and water services.
The cascading blackout in the Northeast in 2003 remains a potent example of the havoc a computer failure can cause — even if, as in that case, the incident was caused by negligence rather than malice.
-
Another reminder is an experiment conducted in March 2007 in which the Idaho National Laboratory showed how it could reduce a power turbine to a smoking, shuddering, metal-spewing mess simply by executing malicious code on the computer controlling the system.
-
This was demonstrated in 2000 when a disgruntled employee at an Australian water-treatment plant released about 264,000 gallons of raw sewage into nearby rivers and parks by breaking into the control systems using a radio transmitter, he says.
Similarly, in August 2003, a computer virus called Sobig managed to infiltrate a control system at CSX Corp.’s headquarters in Florida and shut down train signaling systems throughout the East Coast for hours, he says.
-
And in October 2006, a foreign hacker broke into a system at a water-filtration plant in Harrisburg, Pa., after an employee’s laptop computer was compromised via the Internet and then used as an entry point to install malware on the plant’s computer system.
-
Patti Titus, the previous chief information security officer at the Transportation Security Administration, is among a growing number of executives arguing for the development of deterrent capabilities in cyberspace. “What we need to say is, ‘We are the U.S., and if you mess with us, you’d better be careful,'” says Titus, who is currently chief information security officer at Unisys Corp.
-
But figuring out the nuances of such a strategy can be tricky, and care needs to be taken, says Kurtz. “There is some real work that needs to be done” on a global basis to think through issues, he says. “What is an act of war in cyberspace? We need to have a far more substantial dialog here in the United States and abroad about what this means,” he says, especially because the means to do harm in cyberspace are not restricted just to governments and militaries.
- Of course, the underlying assumption here is that it is possible for there to be acts of war in cyberspace. The question then becomes which acts are acts of war. – post by TransTracker
-
Shawn Carpenter, a former network security analyst at Sandia National Laboratories.
-
But make no mistake, he says, the enemy is already here, lurking in sensitive systems and networks, in control of large botnets, inside financial systems and the power grid, and it needs to be stopped.
“My definition of a digital Pearl Harbor is where these people are already here. They already have access and are just sort of hanging out maintaining their access for the time when they get some instruction to bring down the system or corrupt information,” he says.