Showing posts with label Deterrence. Show all posts

Friday, April 16, 2010

Military asserts right to return cyber attacks

Fascinating read from the AP Wire ...
The U.S. must fire back against cyber attacks swiftly and strongly and should act to counter or disable a threat even when the identity of the attacker is unknown, the director of the National Security Agency told Congress.

Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.

"Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario," Alexander said in a Senate document obtained by The Associated Press.

Alexander's answers reflect the murky nature of the Internet and the escalating threat of cyber terrorism, which defies borders, operates at the speed of light and can provide deep cover for assailants who can launch disruptive attacks from continents away, using networks of innocent computers.
The article continues,
U.S. computer networks are under constant attack, and President Barack Obama last year declared that the cyber threat is one of nation's most serious economic and national security challenges.

Alexander offered a limited but rare description of offensive U.S. cyber activities, saying the U.S. has "responded to threats, intrusions and even attacks against us in cyberspace," and has conducted exercises and war games.

It's unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations.

In cyberspace, he said, it is difficult to deliver an effective response if the attacker's identity is not known.

But commanders have clear rights to self-defense, he said. He added that while "this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles ... would be lawful."

Senators noted, in their questions, that police officers don't have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack.
The article concludes,
Noting that there is no international consensus on the definition of use of force, in or out of cyberspace, Alexander said uncertainty creates the potential for disagreements among nations.

Alexander echoed other experts who warn that the U.S. is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a "strategic vulnerability."

Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions.

He added that it will be difficult for the military to gain superiority in cyberspace, but the goal is "realistic."
Read the full article here.

Security Incidents Rise In Industrial Control Systems

From Dark Reading ...
While only about 10 percent of industrial control systems are actually connected to the Internet, these systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years.

A new report based on data gathered by the Repository of Industrial Security Incidents (RISI) database provides a rare look at trends in malware infections, hacks, and insider attacks within these traditionally cloistered operations. Cybersecurity incidents in petroleum and petrochemical control systems have declined significantly over the past five years--down more than 80 percent-- but water and wastewater have increased 300 percent, and power/utilities by 30 percent, according to the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.

As we've discussed in class, the ability to attack the critical infrastructure systems that control oil & gas, water, and power is the bridge between cyber warfare and physical warfare. A successful attack on these systems would surely harm our economy and possibly impede our ability to wage war.

Read the full article here.

Thursday, April 30, 2009

Projecting Borders into Cyberspace

My Grey Goose colleague Jeffrey Carr makes a compelling argument about the need for nation-states to patrol their own territory in cyberspace. Specifically, Jeffrey writes,

One way to improve our ability to attribute attacks is to require that ISPs and nations exercise greater control. A recent breakfast conversation with a colleague on this topic resulted in what I think is a great way to assign attribution: Structure cyberspace like airspace or territorial waters with designated areas of state responsibility. In other words, each nation controls and is responsible for its own cyberspace.

In the case of airspace and territorial waters, enforcement is by international treaty. Perhaps one solution is to add cyberspace to this body of law as a fourth environment after air, land, and sea. There are penalties for violating a nation’s airspace. It seems logical to apply those penalties to cyberspace as well.

If enacted, this would put the onus on hosting companies licensed to do business in their respective countries to more vigorously enforce anti-piracy software laws, require registrars operating within their borders to make a better effort at validating WHOIS data, and require hosting companies to be more attentive to gross violations by their customers or be subject to civil and criminal penalties.

I've expressed similar beliefs in previous blog posts on how to develop a cyber deterrence strategy. While there are certainly civil liberty, privacy, and other issues to resolve before we can implement international standards and norms regarding the use of cyberspace, the mounting losses from rampant cyber crime and espionage demonstrate that the alternative, an ungoverned Internet, is proving itself to be an unsustainable model.

Tuesday, April 28, 2009

Secrecy and Cyber Deterrence

On Monday, April 27, 2009, the New York Times published the first article in a series on the "growing use of computing power as a weapon." While I applaud the Times for reporting on this important issue, I was disturbed by the backwards thinking of policy makers revealed by the article.

Specifically, the article touches on the problem of defining a cyber deterrence strategy. This is a topic in which I am extremely interested and have previously written about here and here. The article states,

But Mr. Obama is expected to say little or nothing about the nation’s offensive capabilities, on which the military and the nation’s intelligence agencies have been spending billions. In interviews over the past several months, a range of military and intelligence officials, as well as outside experts, have described a huge increase in the sophistication of American cyberwarfare capabilities.

Because so many aspects of the American effort to develop cyberweapons and define their proper use remain classified, many of those officials declined to speak on the record. The White House declined several requests for interviews or to say whether Mr. Obama as a matter of policy supports or opposes the use of American cyberweapons.
While I understand the need for secrecy in matters of national security, I am deeply troubled that the culture of secrecy surrounding cyber warfare will negatively impact the United States' ability to create a credible cyber deterrent.

Deterrence involves convincing an adversary not to initiate a particular action or actions due to the credible prospect that he will not succeed in achieving his objectives and/or he will be subjected to a punishing response such that the costs incurred will far outweigh the benefits that might be gained.

It will be very difficult for the US to convince an adversary that it faces a credible prospect of punishment if our adversaries do not understand our offensive cyber power. I do not believe we need to publicly inventory our cyber weapons arsenal, but it would behoove us to publicly demonstrate our offensive capabilities. Public demonstrations like the Aurora Generator Test are good examples of how we can demonstrate our offensive capabilities to our adversaries.

A policy of publicly demonstrating offensive capabilities is nothing new. During the Cold War, the US military repeatedly tested nuclear weapons and conducted large-scale conventional military exercises. The US used these tests and exercises in part to demonstrate its offensive prowess so that its adversaries, including the Soviet Union, would understand the United States' ability to cause harm. Cyber is just a new domain of warfare, and I see no reason to treat it any differently than we have treated warfare in the past. As such, it makes sense to publicly demonstrate our offensive capabilities. This will increase our deterrent capacity and help stave off future cyber wars. Excessive secrecy only makes cyber deterrence harder to achieve.

Friday, April 24, 2009

Achieving Cyber Deterrence

Many cyber security experts and national security policy makers assume that it is impossible to achieve a comprehensive cyber deterrence strategy. Deterrence involves convincing an adversary not to initiate a particular action or actions due to the credible prospect that he will not succeed in achieving his objectives and/or he will be subjected to a punishing response such that the costs incurred will far outweigh the benefits that might be gained.

One reason that cyber deterrence is viewed as impossible is that, unlike the Cold War, there is not one monolithic adversary to deter. During the Cold War the United States only had to worry about deterring nation-states and primarily achieved this goal via the threat of nuclear retaliation. In today's cyber threat environment there are a number of adversaries, including:
  • nation-states;
  • terrorists;
  • patriotic hackers; and
  • cyber criminals.
Each of these adversaries has different interests and objectives. Further, some of these adversaries, like terrorists, believe they have nothing to lose and therefore are not threatened by the use of force - digital or physical.

Accordingly, cyber security experts and policy makers believe it is difficult to develop a deterrent strategy to address all of these adversaries. While it is certainly more difficult to develop individual deterrence strategies for the above adversaries than the single deterrent strategy needed to counter the Soviet Union during the Cold War, it is by no means impossible. A closer examination of the various adversaries' capabilities and intentions reveals that the United States can develop a credible cyber deterrent strategy for each of its adversaries.

Deterring nation-states is relatively straightforward. The United States still possesses the nuclear deterrent it used to counter the Soviet Union during the Cold War. This deterrent capability can still be used to deter nation-state adversaries from launching devastating cyber attacks on critical infrastructure targets.

Deterring terrorists, patriotic hackers, and cyber criminals is a more difficult challenge. Currently, terrorist groups have demonstrated the intent but not the capability to launch crippling cyber attacks against critical infrastructure targets. Therefore, in order to successfully deter terrorists from pursuing cyber warfare, the United States should focus on improving its cyber security and resiliency. Improved defense may convince terrorist groups that the execution of a successful cyber attack is well beyond their capabilities. Additionally, improved resiliency may convince terrorist groups that even a successful cyber attack may not have the desired crippling effect. Improved resiliency, via the use of redundant systems, can be designed to prevent devastating and cascading failures in critical systems. A terrorist group may be less likely to waste precious resources attacking a target it perceives to be invulnerable to attack.

Patriotic hackers have demonstrated the capability and intent to launch successful cyber attacks against critical infrastructure targets. For example, Chinese patriotic hackers are believed to be responsible for an ongoing series of cyber espionage attacks against various targets within the Defense Industrial Base sector. According to media reports, untold amounts of valuable intellectual property and military logistics data were lost in these attacks. Given the patriotic hackers' de facto connection to a nation-state, it is reasonable to treat this adversary as an extension of its patron nation-state. The United States should carefully articulate its belief that attacks carried out by patriotic hackers will be treated as attacks sponsored by the hackers' patron nation-state. As such, the United States should threaten the patron nation-state with retaliation in an effort to deter attacks launched by patriotic hackers. Ideally, nation-states will find this threat credible and seek to control and limit attacks emanating from patriotic hackers within their borders.

Cyber criminals have also demonstrated the capability and intent to launch cyber attacks against critical infrastructure targets. Cyber criminals have launched successful attacks against various targets in the financial sector. Additionally, CIA analyst Tom Donohoe publicly stated that presumed cyber criminals caused blackouts overseas. Donohoe said, "we have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet." Cyber criminals appear to be the most difficult adversary to deter due to their perceived capability to overcome advanced defenses as well as the inability to tie them directly to a patron nation-state. While difficult, the United States can deter cyber criminals by improving its attribution capabilities. Improved technical attribution, coupled with effective intelligence gathering and increased information sharing by international law enforcement partners, will enable the United States to more accurately identify the sources of a cyber attack. Once they are identified, the United States should use traditional law enforcement strategies to pursue and arrest cyber criminals. Improved attribution and an effective response from law enforcement will likely discourage cyber criminals from launching high-profile attacks on critical infrastructure targets like the power grid.

Developing a comprehensive cyber deterrence strategy will by no means be easy and will take lots of patient work. Just because our Cold War deterrent strategy is no longer applicable and a replacement is not immediately obvious does not mean we should conclude that cyber deterrence is impossible. After World War II and the introduction of nuclear weapons, policy makers took time to develop the sustainable framework of mutually assured destruction. This strategy was not immediately obvious at the dawn of the Cold War, and we should therefore not expect a cyber deterrent strategy to be immediately obvious either.

Friday, April 10, 2009

Deconstructing Attribution

Conventional wisdom dictates that it is nearly impossible to assign attribution of a cyber attacker. According to this school of thought the open nature of the Internet allows an attacker to spoof their IP address and obfuscate their identity by routing through a series of proxy servers or utilizing a botnet. Further, it is believed that even with the technical capacity to accurately trace the origin of an attack, it is impossible with current technology to know who is at the keyboard executing the attack.

As the attribution problem is central to a number of vexing cyber security predicaments, it is important to study and validate the assumption that attribution is nearly impossible. While it is technically difficult to trace the origin of attack through a confusing maze of proxy servers or infected bots, attribution is not solely dependent on the technology needed to identify an accurate IP address.

A number of other technical and non-technical data points can help identify the source of an attack. For example, if the source of an attack is a bot, investigators can attempt to identify who wrote the bot code and who currently controls the bot. In the summer of 2008 a large botnet was used to launch DDoS attacks against targets in Georgia. While the use of a botnet appeared to complicate the task of identifying those responsible for the attack, a closer examination revealed that the botnet used during the attack was known as "Machbot". According to Arbor Networks' Danny McPherson, "Machbot is primarily a Web-based Russian DDOS botnet written in Russian, used by several different groups, but not widely available." While the identification of the botnet used for the attacks on Georgia does not provide irrefutable proof of Russia's responsibility for the attacks, it certainly does provide compelling evidence that Russian nationalist hackers and possibly the Russian government were involved in these attacks.

Additionally, analyzing the attacker's target may help reveal his or her identity. The target of the attack reveals information about the intentions of the attacker and can therefore aid in attribution. Returning to the example of the cyber attacks against Georgia, the corresponding physical conflict between Russian and Georgian troops in South Ossetia led many analysts to suspect that Russian nationalist hackers, possibly at the direction of the Russian Government, were responsible for the DDoS against Georgian websites.

Finally, patient and clever cyber intelligence gathering can reveal a tremendous amount of information about the individuals or entities responsible for an attack. After the presence of the Ghostnet cyber espionage network was revealed, Heike and Jumper from the Dark Visitor blog demonstrated that patient cyber intelligence gathering can aid in attribution. Specifically, via clever analysis of whois registration data and patient trolling of Chinese hacker forums, Heike and Jumper were able to identify at least one individual believed to be responsible for the Ghostnet cyber espionage network.

In short, it is vitally important to understand that attribution is difficult, but not impossible. There may not be fancy technology that can discover the origination point of an attack and identify the individual at the keyboard. However, through patience and old-school detective work it is possible to identify the hackers, criminals, spies, or terrorists responsible for a cyber attack.

Friday, February 20, 2009

Weekly Roundup

Thursday, December 11, 2008

Defining Cyberwar

On December 8th 2008, the CSIS Commission on Cybersecurity for the 44th Presidency released a report entitled Securing Cyberspace for the 44th Presidency. The Commission's three major findings are:
  1. Cybersecurity is now one of the major national security problems facing the United States;
  2. Decisions and actions must respect American values related to privacy and civil liberties; and
  3. Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.
Of equal importance, the Commission notes many important questions that need to be answered in order to create a unified and effective cybersecurity policy. One important question posed by the Commission is "at what point does a cyberattack constitute an act of war or a violation severe enough to justify a response?"

This question is of critical importance, as it must be answered in order for the United States federal government to create a cyber deterrent policy. Any deterrent strategy must be based on clear red lines that articulate which actions are considered acts of war. Further, retribution strategies must be delineated so that any adversary understands that malicious acts crossing defined red lines will be met with punishment. Without clearly defined red lines or the threat of punishment, adversaries will not be deterred from conducting withering attacks.