Wednesday, August 05, 2009

Real Cyberwar: Mannes & Hendler in the Washington Times

This morning, The Washington Times ran an op-ed on cyberwar I co-wrote with my friend (and former boss) Jim Hendler. Much has been written about cyber-war, but very little of it is grounded in reality. Many over-hype the issue while others discount it completely. Much of the misinformation about cyberwar revolves around denial of services attacks, which are serious criminal activity but not much of a national security concern - we've written on this topic in the wake of Russian conflicts with Estonia and Georgia.

Here we try to inject a bit of sober and informed reason into the discussion.

Profile of a Real Cyberwar by Aaron Mannes and James Hendler

The denial-of-service (DoS) attacks that started on July 4 garnered typical headlines about cyberwar, but in fact, from a technical standpoint, those "attacks" may be the opposite of real cyberwar. A much less noticed report in Israel's leading daily, Ha'aretz, on Israel's operations against Iran's nuclear program may give greater insight into how cyberwar actually will work.

It is no secret that several countries, including the United States, China, Russia and Israel, have examined cyberwar capabilities. What those capabilities might be or how a cyberwar might look are shrouded in mystery. The denial-of-service attacks that made headlines are not it.

Those attacks are nothing more than the sending of enormous numbers of requests to servers, preventing Web sites from responding to legitimate traffic and interfering with e-mail. Competent information-technology professionals usually can mitigate these attacks, and even when successful, their impact -- from a national security standpoint -- is marginal.

The DoS attacks are carried out by botnets, thousands of compromised computers that can be commanded to simultaneously send e-mails or visit a Web site. The botnets are built using malware that attacks individual computers, often simply taking advantage of software that has not downloaded current security patches.

Computers linked to government agencies have been compromised and have become part of botnets -- but this does not necessarily have tremendous security implications. Real cyberwar may require the opposite of the skills required for the DoS attacks that make headlines.

According to the article in Ha'aretz, Israeli intelligence has sought to systematically insert malware that can damage information systems within the Iranian nuclear program. It is believed those systems are not connected to the broader Internet and that the malware is inserted into equipment sold to the Iranian government.

This is the probable future cyberwar. Modern societies are complex networks of people, information systems and equipment. Enormous advantages will be obtained by powers that can quickly identify and neutralize critical nodes within the systems.

Critical government systems are run on Intranets, networks that are separate from the Internet. The most crucial systems, such as the command-and-control system for nuclear weapons, are believed to be air-gapped -- that is, they do not link to other systems. Most government Intranets do have points at which they interface with the Internet, and Intranets have been infected with malware from the Internet. However, Intranets are relatively controlled environments, so anomalous activity (at least theoretically) can be controlled and isolated quickly.

Because compromising those networks may be crucial in a military conflict, nation-states with serious cyberwar ambitions will carefully tailor malware for specific systems. This is the opposite of the malware that builds botnets by seeking low-hanging fruit.

The most serious cases of identity theft usually involve social engineering, tricking the target to reveal crucial information that facilitates the crime. The same may be true in tailoring attacks to critical networks. Most advanced nation-states have extensive infrastructures of contractors and academics that have both public roles and contacts with the security establishment. Social-network analysis could be used to identify individuals who are likely to have contacts within the security establishment and attempt to insert malware through them.

Imagine the now ubiquitous phishing attacks masquerading as e-mail from banks and credit card companies but instead designed by sophisticated intelligence agencies and carefully targeted at small communities.

What the malware might do when it gets into a system is an open question. Chinese hackers reportedly have infiltrated computers and manipulated them to remove sensitive documents, log keystrokes and trigger Web cameras. Whether these capabilities could operate for a substantial length of time on a secure Intranet is an open question. Any malware that entered a sensitive system might have a short life span and its designers would need to consider carefully how best to use this window. Alternatively, this malware may be embedded for long periods of time and activated when needed. Options might include relaying valuable information, manipulating information, damaging the network or providing information on the real-world location of crucial network nodes so that they can be destroyed physically.

However, cyberwar capabilities cannot be used lightly. Once malware is detected, the defenders can counter it and make their system stronger and more resistant to further infiltration.

In the heat of battle, the ability to penetrate an enemy information network could be crucial. However, in the long-term dialectic of war, in which sides continually respond to one another's innovations, cyberwar will become another facet of conflict -- at times decisive and at other times peripheral. The nations that first master cyberwar could obtain a fundamental advantage at the beginning stages of a conflict. Nations that ignore cyberwar will do so at their own peril.

No comments: