Wednesday, October 28, 2009

Centralized vs de-centralized cyber campaigns

The previous post got me thinking about some of the key tenets of the Chinese approach: the cyber campaign must be centrally controlled, executed by organic forces and have a tightly focused target.

Obviously, this centralized approach provides good command and control opportunities. It also limits collateral damage and I guess, most important of all, eliminates possible interference from volunteer actions (such as someone taking control of one of the key entry points to the enemy network and shutting you out). Historical examples also seem to show that volunteers are more likely to engage visible targets (web sites etc) that have little or no tactical value.

On the other hand, NOT using the volunteers (the de-centralized approach) denies you the use of a potential resource. Odds are that if a country has a developed patriotic hacking community, they will take part in the conflict one way or the other, so you might as well try to guide them to be useful.

The second argument for using volunteers is psychological. It displays public support to your campaign, potentially reinforcing the mindset in other sectors of the society. It also brings in small but visible IW victories, as press covers the "citizen campaign" against the opposing side.

The third argument would be the Fog of War. The patriotic hacking community can provide the smoke screen necessary to execute the important strikes against key nodes. Remember, if the plan is to concentrate your attacks in time and (network) space, they will become immediately visible. However, if you have attacks of various severity levels happening all the time the enemy may not recognize the significance of the critical attack until it is too late.

The fourth argument is that patriotic hackers can "prep the battlefield" before the hostilities commence, provide retaliatory attacks after the hostilities, target third parties and civilian or commercial targets while the state can deny any involvement. This supposes that there is an established patriotic hacker community in place, so the world does not necessarily consider there to be a direct link to the specific conflict.

Finally, political attacks by civilians as part of a larger conflict have no clear regulation and few legal precedents. If the host country is not willing to cooperate with the criminal investigation (not likely in a time of war) the attackers will remain anonymous and protected, while the state still has "formal" deniability.

However, as I have noted before, there is a price for accepting patriotic hacking in a state. Most pressing are the long term rise in cyber crime and the potential that they act against the state. On the other hand, if the decision has been made or if there is already a well-established community in place, one should consider the possible uses of this force. Because whether you plan for (with) them or not, they will participate in the fight.

Monday, October 26, 2009

Cyber Report on China

I got a tip to a new report on Chinese cyber capabilities [pdf] by Northrop Grumman. The report aims to provide "a comprehensive open source assessment of China’s capability to conduct computer network operations (CNO) both during peacetime and periods of conflict."

They start off with an overview of the strategic developments in China. Even though there is no official CNO strategy, the PLA is in fact preparing to fight the cyber battle. I found it interesting that they consider domination in cyber space a prerequisite for air and naval domination. This is a clear indication of its importance in the Chinese thinking. It also explains why the EW/IW/CW issue is seen as the forcing agent behind the "informationization" of the PLA.

Chinese writings identify enemy C4ISR and logistics systems as the primary targets in a military conflict and also point out that IW will fire the opening "shots" in a war. However, there is also indication that IW and conventional techniques can and should be used together for maximum effect. I think this is very important, because I have often seen the mindset that IW is something separate from "real" warfighting. Then again, the Chinese have thousands of years of experience to draw upon, so it is not surprising that they see the value of combining the two.

They also point out that China is very active in developing counter-space weapons (EW, CW, kinetic, directed energy, EMP etc.) in order to fight a potentially tech-heavy opponent such as the US.

Another interesting aspect is targeting. Instead of trying to blanket the battlefield, the Chinese writings suggest taking out key nodes in order to provide opportunities for other forces to exploit the resulting confusion in a specific point in the battlefield. I believe this refers more towards EW and kinetic than cyber, as tactical use of cyber attacks would probably be difficult to implement.

It seems that the PLA is actively training to fight in conditions where CW/IW is a common part of the battlefield, including special training centers and a designated Blue Force (OPFOR) regiment. In addition, several universities seem to engage in offensive CW research and education.

There is an interesting note about using EW/CW pre-emptively to deter an enemy or to limit the size of the conflict without much bloodshed. In fact, they seem to consider CW a deterrent second only to nuclear at the strategic level. I like the comment that CW is the PLA's longest-range weapon.

Another key point that I agree with is that CNO is useful for damaging/degrading systems, but also for deploying PSYOPS/deception against enemy personnel, enemy supporters and the public in general. I have met some people who consider PR the one and only element of IW and I just disagree. With so many options available under IW, it would be irresponsible to overly limit yourself to use only one.

There is an excellent section about how the Chinese might use CNO against the US (military) in a conflict scenario. I agree wholeheartedly that the logistics and C2 systems at the theater or higher level would be sensible targets to buy time for the PLA and to cause confusion among US forces. However, as I have noted before, the discussion here is limited to purely military targets (like in the US discussion), but in a total war the commercial sector may be the more important strategic target.

The following section gives a broad overview of what is publicly known about the Chinese CW structure. Of particular interest for me are the PLA IW militia units, which seem to be drafted from commercial and academic entities to supplement the PLA's integral capabilities. The idea of using telcos and universities (for example) to create sub-units for the militia is perhaps not intuitive for Westerners, but it does make sense. You have people with the right skills, established relationships and access to networks and systems - all they need is a mission.

The second interesting bit is that some militia sub-units seem to focus purely on R&D. In order to understand the significance, consider whether an infantry (militia) battalion would be likely to have a dedicated infantry tactics research and development platoon. This highlights the difference between the information warriors and the traditional fighters. The report also mentions discussions about setting a different standard (age limit, physical condition) for the cyber warrior, something that was also debated here.

Moving on to the independent Chinese (patriotic) hacker community, the report claims that around 2002-2004 the state reversed its previously favorable stance towards patriotic hacktivism and as a result the movement has died down. This was not the notion I got in Stockholm in May, where Dr Xu Wu from Arizona State University talked about Chinese cyber nationalism. According to him, the patriotic hacker community is alive and well, albeit somewhat underground. He also claimed that the state was having difficulties deciding what to do with this resource, as it is difficult to control - something that I also predicted in my paper about volunteer cyber attackers. Dr Wu compared it to a double-edged sword, which can cut both ways. It is possible, however, that this discrepancy does not exist and the official cyber militias have incorporated a significant part of the patriotic hacker community.

The report then provides a couple of examples of recent attacks probably originating from China. There are also various examples of relations between the state and the hacker community, including state recruitment in the hacker forums. One of the more interesting examples is how a Java language user group transformed into a patriotic hacker group over the EP-3 incident. This is an excellent illustration of how "cyber tribes" can very quickly develop into cyber militias.

In the following section, cyber espionage is investigated from the US perspective. The report points out that potential Chinese espionage efforts are a great concern for the US counter-intelligence community, especially in the light of the reactive cyber defense paradigms in place. They claim that there is a strong case for state-sponsored attacks, although it is often difficult to fully attribute the attack to a state.

The report includes a nice explanation of a targeted attack via e-mail to get access to the organization's systems. However, they include an even more interesting case study of a large data heist in a US firm. It provides a simple description of the timeline and activities uncovered by the forensic team.

The report concludes with a comprehensive list of China-related cyber events between 1999 and 2009.

Overall, the report is easy to read and low-tech. It covers many interesting aspects of the Chinese cyber issues. However, since this is a public and open-source report, it does not go into too much detail and it may inadvertently include some deception information. All in all, I enjoyed it and it provided me with a lot of things to think about. It also confirms some of my own theories and thoughts.

As always, read the report for full detail.

Thursday, October 22, 2009

Review: Analogies and Cyber Security

Here is a short review of the paper "What Analogies Can Tell Us About the Future of Cyber Security" by David Sulek and Ned Moran, published in the proceedings of the CCD COE Cyber Warfare Conference.

In the paper they explore the potential dangers that come with using colorful analogies like cyber Pearl Harbor, cyber Katrina, cyber 9/11 etc. In order to deal with these dangers they propose to start with developing a detailed issue history. A well written issue history helps determine which analogies apply. They give a short example in the form of the cyber issue history that, among other things, lists what is known, what is unclear and what is presumed about the topic.

They then provide a framework for exploring cyber analogies. It consists of two dimensions: one axis representing inspiration (hope and possibility) vs desperation (fear and danger) and the other systemic (evolution) vs disruptive (revolution). They give some examples for each: the invention of the telegraph was an inspiring event, as it created new possibilities to communicate. On the other hand, the Y2K bug represented a potential danger to the computer systems. World War I was a linear, systemic result of military build-up, whereas 9/11 was a disruptive, revolutionary event. I think the first pair of examples is a good fit, but I am not so sure about the second. One could argue that there is an evolutionary line of developments that led to both tragedies; we just haven't taken the time to really reflect on the reasons for, the facts of and the aftershocks of the 9/11 attacks. But I digress.

They spend the rest of the paper analyzing four cases from each quadrant of the model as a potential fit for cyber security. The four cases are the Strategic Defense Initiative (inspiration, evolution), the Cold War (desperation, evolution), the [US] National Highway System (inspiration, revolution) and finally, Pearl Harbor (desperation, revolution). Each case reveals interesting overlaps with cyber. However, each also has its discrepancies, so no clear match emerges.

They sum up their analysis in four points:
  1. There is no single analogy that works for cyber.
  2. Cases that balance inspiration and desperation leave the strongest impression on history.
  3. Many analogies used today are at the extreme ends of the model.
  4. It is important to build a good timeline for an issue, in order to understand the reasons for events.
Overall, it is a nice read and an interesting analysis of the four cases. I may not agree with the interpretation of historical events, but then again, the model is meant to be an abstract tool to describe analogies. As such, there will always be opportunities to interpret events in different ways.

The main point for me is to review the cyber analogies that I have used in the past. The analysis of the four cases has given me some food for thought and hopefully, next time I blurt out something, I will remember to also offer caveats.

As always, the paper itself is much more detailed and I recommend reading it in full.

Monday, October 19, 2009

CWCON '09 proceedings available

Yep, they are finally here. The proceedings of the CCD COE Conference on Cyber Warfare, which took place in June, have now been published with the help of IOS Press. Titled "The Virtual Battlefield: Perspectives on Cyber Warfare" it appears as book three in the Cryptology and Information Security Series, and is edited by Christian Czosseck and Kenneth Geers of the Centre.

Its 300 pages contain 21 peer-reviewed papers presented at the conference. In the coming weeks I hope to follow through on my promise and write reviews for the ones that are of most interest for me.

On the same note, the call for papers for next year's conference is due out shortly, so start warming up your paper ideas.

Friday, October 16, 2009

CFP: ECIW 2010

The call for papers is out for the 9th European Conference on Information Warfare and Security. The event takes place on 1-2 July 2010 in Thessaloniki, Greece.

I have been to the conference three times now and I can recommend it for its relaxed atmosphere, interesting sights, and obviously - some interesting papers and talks.

This year I am hosting a mini-track on Cyber Conflict, so please feel free to submit papers for that track. I would be glad to hear your thoughts on conflicts in cyberspace, among other things.

Key dates:

Abstract submission deadline: 10 December 2009
Notification of abstract acceptance: 17 December 2009
Full paper due for review: 28 January 2010
Notification of paper acceptance (with any requested changes): 8 April 2010
Earlybird registration closes: 22 May 2010

Monday, October 12, 2009

Botnets and Proactive System Defense

I finally took the time to sit down again and read an article with the provocative title "Botnets and Proactive System Defense" (2008, Springer Link) by John Bambenek and Agnes Klus. From the title I assumed it would be about using botnets as weapons for a proactive defense strategy, but I was mistaken.

Instead, they start off with a nice survey on how commerce has moved to the web and why the old security measures no longer protect the consumers. They touch upon the problems with making transactions with credit card and social security numbers (basically, single factor authentication), as well as several other computer security issues like the reactive patch cycle. Next they review the growth and development of malware, using the Shadowserver graphs to illustrate their point. All this is not new, but it does a good job of surveying the problem.

Getting to more interesting bits, they propose that an ideal botnet strives to maximise six key properties: "high capacity, low overhead, fast responding, flexible, anonymifying [anonymizing?] and quiet." They show how IRC meets these requirements and point out that other technologies, such as RSS, will replace the IRC bot as more and more network administrators grow suspicious of IRC traffic.

For proactive defense, they consider offering the consumer free security software and encrypting their sensitive traffic. Another proposal is to switch from "allow all" to "deny all" or "deny most" principle in terms of antivirus software default settings for running programs. They assume that signing software would solve this problem, as
"There are a finite number of reputable software vendors and applications out there and far more disreputable software vendors and applications."
Not sure I agree with what this claim implies. You cannot have a complete list of "good guys" that will keep you safe from malware. If that were true, we could also say that there are a finite number of reputable ISPs, so we can just drop all packets that come from the jungle. Unfortunately, this is not true in either case. Reputable businesses have engaged in malicious activity (Sony rootkit, for example) and a lot of cyber attacks come from the networks of reputable ISPs (by default, a potential malware victim would sign a contract with a "reputable" ISP to get access to the net).

One more proposal for making the defense more proactive is to enable remote security validation on computers. While this may sound good in theory and there are even ways of doing this, I do not see it passed into law or practice due to privacy concerns.

Finally, they point out that the great debate over the need for a national ID in US may be moot, as the social security number already acts as one, and a poor one at that.

They conclude by reiterating that the main strategy against botnets is to make them economically nonviable for the criminals. While it is a nice overview and an easy read, I did not find much new in the paper. What I did find is an interesting example of how parts of the US sometimes seem to lag behind in adopting technology:
"Banks already are starting ... requiring one-time passwords with keyring tokens or other devices so that even if an attacker gets the one-time password, they cannot compromise the account."
In many parts of the world, one-time passwords and passcode generators have been the norm for on-line banking for years. In Estonia, for example, the lowest level of authentication still in use by the general banking sector uses a set of 20-30 randomly repeating passcodes. This is not safe, sure, and that is why the clients using this method have a ~300 USD daily transaction limit (the system itself is being phased out). If you want more, you need either a passcode generator or the national ID card with valid certificates. In both cases, you need to know something (PIN) and have something in order to carry out your transaction.