Tuesday, June 30, 2009

Blog open for comments


If you read this then I was successful in opening the blog for a test run among friends and colleagues. It is currently open for invitees only, in order to tweak and fine tune it based on YOUR feedback. So please, let me know what you think by way of comments or e-mail.

At some point I plan on going public with this blog, so your feedback is very important.

EDIT: Unfortunately, Google does not allow for a personalized invitation message, so I fear this message will never reach the more security-conscious addressees. Ironic, eh?

Friday, June 26, 2009

Evgeny Morozov on Cyber Myths

Evgeny Morozov of the Open Society Institute has an interesting essay in the Boston Review about myths in cyberspace. Specifically, he addresses the scaremongering and vague threat information that is used to get access to funding, fame or power.

He points out many official statements that exaggerate the threat from cyber terrorism and cyber war and asks the question: is there any evidence to back up these claims? No, at least not in the public realm. He also makes the point that information about threats from the net is produced by intelligence/defence organizations and information security companies that benefit from the increased funding. I think he is right in the sense that there are very few facts available, so we are left with hypotheses and conjecture. Honestly, I am partly to blame, as I have presented similar worst-case scenarios at numerous conferences in order to raise awareness of the topic.

He also touches on the foggy quagmire that is the international legal definition of cyber warfare and what, if anything, can and should be done if one breaks out. I think we will not have a clear answer on this in the near future, but at least the topic is also being addressed by professionals.

In terms of how useful cyber attacks are for the military, Morozov refers to the opinion that superpowers do not need cyber power, as they have more conventional means to crush the enemy. While that may be true, the question of attribution once again comes up - whom will the superpower nuke if it cannot identify the source of the cyber attack?

On the other hand, his conclusion that we should focus more on the threats from cyber crime and cyber-espionage is correct. However, it is correct not because cyber war is improbable, but because the tools used in cyber war will be very similar to the ones used in crime and espionage. The same piece of malware can be used to steal your personal data, collect intelligence on your organization or disrupt your networks in preparation for a war. Thus, better defense against crimeware will also mean better defense in war.

A comment on Estonia

Unfortunately, Morozov uses unclear wording that may suggest that Estonia was off-line for nearly a month in 2007. It would be more correct to say that Estonia was under attack for about three weeks in 2007, but only a few critical on-line services (like banks) were affected for clients inside Estonia. One of the options, a white-list based "island Estonia" defence, meant that the vast majority of the attacks could be easily blocked while maintaining service to the vast majority of the clients. As a result, clients of the two biggest banks in Estonia saw only a 45-90 minute interruption of service at the start of the attacks, and that only affected the web interface of the banks. What is worrying, however, is that these were critical "civilian" targets in a political conflict.
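To make the "island" idea concrete, here is a small added example (my illustration for this post, not a description of the filtering actually deployed in Estonia in 2007). It applies an allow-list of source prefixes to a constructed sample of connection attempts: anything from a listed "domestic" prefix passes, everything else is dropped, and a summary shows which sources were blocked. The prefixes are RFC 5737/RFC 3849 documentation ranges standing in for domestic address space, the connection sample is made up, and the fail-closed handling of malformed addresses is my design choice. The last sample entry shows the trade-off the text alludes to: a legitimate client abroad is cut off together with the flood.

```python
"""Allow-list ("island") filtering of traffic by source prefix.

Added illustration: the allow-list below uses documentation ranges
(RFC 5737 / RFC 3849) as hypothetical "domestic" address space.
"""
import ipaddress
from collections import Counter

# Hypothetical allow-list of domestic prefixes (documentation ranges, not real ones).
DOMESTIC_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of connection attempts: (source address, requested path).
SAMPLE_CONNECTIONS = [
    ("192.0.2.15", "/login"),        # domestic client
    ("198.51.100.7", "/transfer"),   # domestic client
    ("192.0.2.200", "/balance"),     # domestic client
    ("203.0.113.9", "/login"),       # foreign flood source
    ("203.0.113.9", "/login"),
    ("203.0.113.9", "/login"),
    ("203.0.113.77", "/"),           # second foreign flood source
    ("203.0.113.77", "/"),
    ("not-an-ip", "/"),              # malformed source field: dropped (fail closed)
    ("2001:db8::1", "/login"),       # legitimate client abroad: collateral damage
]


def is_allowed(src_ip, allow_list=DOMESTIC_PREFIXES):
    """True if src_ip falls inside any allow-listed prefix.

    Malformed addresses are treated as not allowed, so a garbled source
    field can never slip past the filter.  IPv6 sources never match an
    IPv4 prefix (ipaddress returns False on a version mismatch).
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in allow_list)


def filter_connections(connections, allow_list=DOMESTIC_PREFIXES):
    """Split connection attempts into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for src, path in connections:
        bucket = allowed if is_allowed(src, allow_list) else blocked
        bucket.append((src, path))
    return allowed, blocked


def summarize(connections, allow_list=DOMESTIC_PREFIXES):
    """Counts of allowed/blocked attempts plus a per-source tally of blocked ones.

    The per-source tally is what an operator would look at to see that the
    blocked volume comes from a handful of sources (the flood) rather than
    from many distinct legitimate clients.
    """
    allowed, blocked = filter_connections(connections, allow_list)
    return {
        "allowed": len(allowed),
        "blocked": len(blocked),
        "blocked_sources": Counter(src for src, _ in blocked),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_CONNECTIONS)
    print(f"allowed: {report['allowed']}, blocked: {report['blocked']}")
    for src, count in report["blocked_sources"].most_common():
        print(f"  blocked {count:3d} from {src}")
```

Note that the filter is only as good as the allow-list: every domestic prefix that is missing from it becomes an outage for those clients, and every legitimate client outside the listed space is blocked along with the attack traffic, which is why the text describes the measure as serving "the vast majority" of clients rather than all of them.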

Sure, non-critical services (public government websites and news sites, for example) did suffer longer service outages due to cyber attacks (mostly simple DDoS), but in my opinion this was not a big issue for the state as a whole. The biggest effect would be a potential information blockade, with local news sites or press sites off-line, but that can easily be remedied by using other means of communication to push the message out (remember, e-mail works, phones work, faxes work, radio and TV are still on air, and even the postman makes his rounds). I personally had no problems communicating with friends and colleagues abroad throughout the period.

Thursday, June 25, 2009

Cyber attacks in Estonia, 2007

My first academic paper was published last year in the Proceedings of the 7th European Conference on Information Warfare and Security, Plymouth. An annual event, this conference brings together people with very different perspectives on information warfare, from psychological to cyber.

My paper was titled Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective (see Publications for more information). In the paper, I analyze the Estonian case by posing three hypotheses and then arguing for and against each of them to find out whether any of them is plausible.

The first hypothesis is that the event was a Russian information operation, the second is that the event was a false flag operation to discredit Russia, and the last one is that it was a spontaneous grassroots response to Estonian government policy.

The false flag hypothesis is not plausible, considering the amount of circumstantial evidence against Russia (and only Russia) while the Russian government made no effort to stop the attacks or expose the attackers.

A true grassroots movement is also not plausible, as at the very least, passive government support (Russian authorities refusing legal cooperation) seems evident.
NOTE: Interestingly enough, a member of the Russian parliament later claimed that one of his aides was actively involved in the cyber campaign. This fact (?) emerged after publication, so it is not included in the analysis.

That leaves us with the state information operation scenario. Specifically, it matches the Chinese concept of People's War, where people fight with their own resources and organization for the interests of the state. This explains the hostile rhetoric by politicians, the relatively high number of people involved, as well as the lack of interest by the state in identifying the attackers.

Unfortunately, the analysis cannot attribute the attacks to any specific person, organization, or state. Instead, I find that of the three hypotheses considered, only the information operation scenario was plausible.

In hindsight, I do not consider it a very good paper, as it provides no definitive answer and devotes more detailed analysis to one of the hypotheses. In addition, I had just started my research on the topic, so my understanding of concepts like cyber militias and People's War was still very tentative. On the other hand, even though I notice many things I would write differently today, the conclusion would still remain the same.

Origins of my research interests

In the spring of 2007 I was just finishing my Master's at TUT when the cyber attacks against Estonia started. Since then I have tried to understand these attacks in particular, and large-scale political cyber attacks in general, as part of my PhD studies.

I have found that the Internet, while being the great information equalizer for the common man, is also a convenient information weapon for the common man. In the case of recent conflicts, we hear with increasing frequency about their prelude, reflection, and aftermath in cyberspace. More likely than not, these attacks are not committed by state-run organizations, but by people who share or oppose the view of at least one side of the conflict.

While state-sponsored attacks undoubtedly exist, I believe they currently keep a much lower profile and usually take the form of intelligence/counter-intelligence operations. There is little or no credible information on state-sponsored attacks to harm or disrupt the opponent's systems, even though many nations are actively building such capabilities. It should follow that the next time two technologically advanced states fight a full conventional war (not a border skirmish), cyber attacks will be used. Until then, however, we can merely speculate and simulate.

Therefore, even though I am also interested in state-level cyber conflicts, I mainly focus my research on sub-state actors, as they are more visible and relevant in today's conflicts. I am interested in how they recruit, organize, and fight, as well as what potential effect they can have on their targets.

Sunday, June 21, 2009

CWCON 2009 in Tallinn

This week I attended the first Cyber Warfare Conference in Tallinn, organized by the CCD COE. In fact, I was the moderator for the Strategy track, which included many interesting talks on the emerging field of cyber conflicts. CWCON provides an academic publication opportunity for scientists, but it also includes presentations by the professional community.

Mikko Hypponen from F-Secure gave a nice overview of the evolution of malware in his keynote speech, while Nart Villeneuve from the Information Warfare Monitor talked about their findings about GhostNet.

Other interesting presentations included Amit Sharma on Strategic Cyber Warfare, Ned Moran on analogies and cyberspace, Cyrus Farivar on the media coverage of cyber events, and Maj Julian Charvat on terrorist use of cyberspace.

I plan on providing a more detailed overview of some of the papers within the next few weeks.

EDIT: The proceedings took longer than expected to print, but I have finally received a copy and have started with the reviews (first ones here and here).

Saturday, June 20, 2009

Why blog?

The purpose of my blogging effort is primarily to help me in my research. It is sometimes difficult to keep track of all the interesting articles, books, meetings, presentations and conferences, let alone random ideas that emerge out of nowhere. A blog will hopefully be a valuable tool in organizing my own thoughts, as well as for getting valuable feedback from others.

Here goes...