Friday, April 10, 2009

What is a Cyber Attack?

I came across an interesting argument raised by Kent Anderson at the Politically Motivated Computer Crime and Hacktivism Blog. Mr. Anderson notes some interesting inconsistencies in the recent Wall Street Journal report that claimed Chinese and Russian hackers had infiltrated the U.S. power grid. Specifically, the article stated,
The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.
However, the article also claims,
Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on.
Mr. Anderson astutely notes that the contention that the "intruders haven't sought to damage the power grid" is fundamentally flawed. According to our discussion of information security theory, specifically the concepts of confidentiality, integrity, and availability, the act of installing malicious code into the power grid is a cyber attack. Although the hackers haven't attacked the availability of the grid, the installation of this code does attack the integrity of the power grid.

Recall that according to the National Institutes of Standards and Technology, "a loss of integrity is the unauthorized modification or destruction of information." According to the WSJ, "software tools" were installed within the power grid "that could be used to destroy infrastructure components." This represents a clear attack on integrity.

The WSJ article appears to have raised the threshold for what defines a cyber attack. By this new definition, an attack must involve physical damage or economic damage. Some advice to the WSJ, when reporting on complex cyber security stories please do your homework and do not rely on "anonymous sources".

2 comments:

Arman Ismail said...

In reflecting on our assigned reading, Matthew Devost and Neal Pollard’s line of reasoning in “Taking Cyberterrorism Seriously” draws to light several issues in my mind. First of all, while a state like China might, at the moment, be far more capable of a large-scale and dangerously effective cyber attack on the United States or a U.S ally like Great Britain than most standard terrorist organizations are, this by no means should invite an underestimation of the level of terrorist interest in developing cyberterrorism capabilities. Indeed, while Devost and Pollard point out that the capacity to initiate a serious cyber assault requires a level of expertise and preparation that terrorist organizations would generally need many years to acquire, their emphasis on the way in which a remote cyberterrorism attack could be utilized to support a larger conventional attack illustrates just how useful a tool cyber warfare can be for terrorists. Consequently, this demonstrates precisely why terrorists would be so keen on enhancing their abilities to engage in cyberterrorism.

As a result, the probability that a cyberterrorism attack would be relatively small-scale compared to a possible (thought currently unlikely) intentional Chinese or even Russian cyber attack does not diminish the necessity for the U.S. to take the threat of cyberterrorism seriously. The utility of cyberterrorism to bolster a conventional terrorist attack is truly cause for great alarm. In light of this, the faster that Devost and Pollard’s well-thought-out recommendations on strategic courses that the U.S. needs to adopt are implemented, the safer and better off we will be.

One recommendation I found particularly interesting was the notion of actively enlisting the private sector with reasonable incentives to act as the first line of defense against a cyberterrorism attack. Indeed, harnessing the private sector’s innovative spirit and level of efficiency that are often superior to organizations that are directly under the purview of the government serves to both contribute to private sector enterprises as well as buttress national interests. This convergence of private sector and national interests can facilitate conditions that are conducive to ensuring that the best and brightest minds in both the government and the private sector are actively and intensively focused on a singular goal: protecting the nation and U.S. interests from cybeterrorism attacks.

Sarah Gormley said...

It is extremely interesting to examine in greater detail the language which Kent Anderson chooses to use in his Wall Street Journal report on the possibility of Chinese and Russian hackers and the danger they present to the U.S. power grid. Though sentences in the beginning of the article claimed that the hackers had not yet sought to damage the power grid, it is later revealed that the hackers have indeed installed software tools which threaten the integrity of the information. As a result, it is clear that the language surrounding information privacy and cyber attacks in the media has an intense effect on how we ourselves may define those terms. Though the National Institutes of Standards and Technology defines a loss of integrity as “the unauthorized modification or destruction of information”, which is clearly being done with the recent installations, this particular article seeks to claim that a cyber attack must go beyond a loss of integrity and instead accumulate in “physical damage or economic damage”, as Ned rightly summarized in his response.
However, I believe that to raise the threshold of what defines a cyber attack to something of this more tangible nature is extremely problematic in that it excludes various crucial actions related to information privacy and security from the realm of what is threatening, and what we must seek to protect ourselves from. The installation of these “software tools” by foreign hackers is indeed a cyber attack in the form of an attack on integrity by the definition provided above, and must be treated as such. It is extremely important to be wary of the media’s ability to shape our opinions, and potentially our actions, in relation to cyber security and attack, and continue to educate ourselves on the many ways in which cyber attacks can present themselves, so that we may be able to identify small actions in our technological world as part of a potentially greater threat to information security.