Conflicts in Cyberspace

CFP for CyCon 2012

2011-11-10T17:51:00.002+02:00

The CFP for the fourth International Conference on Cyber Conflict is out. As has been the tradition so far, the conference title has changed yet again - the short version is now CyCon.

Mark your calendars - I hope to see you in Tallinn in June!

DDoS - a legitimate form of protest?

2010-12-15T10:28:00.004+02:00

The cyber attacks against supporters and opponents of Wikileaks have generated a fair bit of debate about whether or not DDoS can be a legitimate form of protest. I tend to side with the "nays" on this one.

Sure, DDoS could be compared to a sit in, but with infinitely lower entry threshold. One does not need to travel anywhere, or actually waste their time "sitting", and very often does not risk dealing with law enforcement - the computer can protest on their behalf all night long. It's more like throwing nails on a freeway and going home.

But my main argument against protest DDoS is that it can then be used for any cause. Attacks against Radio Free Europe? It's cool, they just protestin'! As can be seen from the Wikileaks affair, both sides in there are using cyber attacks to get their message across. Is this truly what we want? I dont like you, so I have the right to DDoS you? I have the right for free speech and the right for making stupid people shut up?

Cyber Security Conference in Georgia

2010-11-19T11:44:00.004+02:00

I was in Tbilisi last week and spoke at the Georgian Cyber Security and IT Innovation conference. The first day focused solely on cyber security topics. Agenda and materials are available here. As expected, the 2008 Russia-Georgia war and its cyber component came up in several presentations.

My talk on Volunteers in Cyber Conflict was based on a number of papers I have written on the subject. While I have focused on the offensive (and illegal) hactivism/patriotic hacking so far, I am in the process of switching gears and focusing on the defencive (and official) use of volunteers. For example, the reserve cyber units in US military, the WARP system in UK and the Cyber Defence League in Estonia. I believe there is great merit in harnessing the skills and resources of security specialists and enthusiasts for a constructive purpose.

What does CCD COE do?

2010-10-25T14:41:00.003+03:00

I get this question a lot.

Well, while there are a lot of things that will not make it into limelight, our people do publish some of the work in public academic conferences and journals.

CFP: International Conference on Cyber Conflict

2010-10-25T14:01:00.003+03:00

Finally, the CFP for our own conference is out. The International Conference on Cyber Conflict is the third conference in the series organized by CCD COE. This year, we also have IEEE as a co-sponsor. The conference will take place 07-10 June 2011 in Tallinn, Estonia.

As for the CFP [pdf]:

In 2011 the conference will focus on the combination of defensive and offensive aspects of Cyber Forces and will combine different views on cyber defense and operations in the current and envisaged threat environments. All this shall not be limited to military perspective.

Legal, strategic and technical submissions are welcome on equal grounds.

Researchers and practicians are encouraged to submit papers covering novel and scientifically significant practical works related to 2011’s topics via our web portal. Accepted papers - after passing the peer-review - will be published in the conference proceedings provided in hard cover and digitally though IEEE Xplore.
Paper submission deadline is 20 JAN 2011.

Article in FutureGov Magazine

2010-10-20T14:00:00.003+03:00

I recently wrote an article for FutureGov Magazine about the events in Estonia in 2007. Although my intent was to tone down the hype surrounding the incident, the final "independent" editing process managed to come up with a intro paragraph about "cyber war", even though I had specifically avoided this term in the article itself. I guess that is the risk one takes with media.

The article is available in the August-September issue [large pdf!], on pages 70-72.

Hacker Halted in Miami

2010-10-15T23:08:00.004+03:00

I have been in Miami this week, attending the Hacker Halted Conference. Among the workshops that closed the conference today was the Cyber Security Forum Initiative (CSFI) event, where I got to speak about my research (Volunteers in Cyber Conflicts) next to some other interesting characters, like Roger Kuhn and Jeff Bardin. The talk went well, which is a good thing as it is based on an early prototype of my upcoming PhD thesis.

Update: Paul de Souza's post on the CSFI workshop

Interview explosion

2010-09-06T13:03:00.005+03:00

I gave an interview to Baltic News Service (BNS) on Friday. Instead of writing it up as one article, they chose to create a bunch of short pieces that are currently flooding some news portals in Estonia. For a casual observer, it looks like I have personally launched a massive frontal assault on cyber awareness issues. Interesting development, although unintentional.

CFP: ECIW 2011

2010-08-26T13:30:00.003+03:00

I am back from my summer hiatus and ready to kick-start another year of cyber conflict studies. Let's start with the CFP to the 10th European Conference on Information Warfare and Security (ECIW). This time it is held in Tallinn, Estonia. It is hosted by the Institute of Cybernetics at Tallinn University of Technology, in collaboration with the CCD COE. I will be serving as the local Program Chair, so I hope to see some of you there.

Please feel free to circulate this CFP:

This is a call for papers for 10th European Conference on Information Warfare and Security being held at The Institute of Cybernetics at the Tallinn University of Technology, Tallinn, Estonia on the 7-8 July 2011.

The 10th European Conference on Information Warfare and Security (ECIW) is an opportunity for academics, practitioners and consultants from Europe and elsewhere who are involved in the study, management, development and implementation of systems and concepts to combat information warfare or to improve information systems security to come together and exchange ideas. There are several strong strands of research and interest that are developing in the area including the understanding of threats and risks to information systems, the development of a strong security culture, as well as incident detection and post incident investigation. This conference is continuing to establish itself as a key event for individuals working in the field from around the world.

Please consider submitting to this conference. We are interested in the entire range of concepts from theory to practice, including case studies, works-in-progress, and conceptual explorations. The conference committee welcomes contributions on a wide range of topics using a range of scholarly approaches including theoretical and empirical papers employing qualitative, quantitative and critical methods.

Case studies and work-in-progress/posters are welcomed approaches. PhD Research, proposals for roundtable discussions, non-academic contributions and product demonstrations based on the main themes are also invited.

You can find calls for papers for these tracks at:

http://academic-conferences.org/eciw/eciw2011/eciw11-call-papers.htm

The ECIW conference proceedings are:

· listed in the Thomson Reuters ISI Index to Scientific and Technical Proceedings (ISTP/ISI Proceedings)

· listed in the Thomson Reuters ISI Index to Social Sciences & Humanities Proceedings (ISSHP)

· listed in the Thomson Reuters ISI Index to Social Sciences & Humanities Proceedings (ISSHP/ISI Proceedings).

· indexed by the Institution of Engineering and Technology in the UK.

Conference publications are submitted for accreditation on publication. Please note that depending on the accreditation body, this process can take several months.

Please feel free to circulate this message to any colleagues or contacts you think may be interested.

Another paper published at ECIW

2010-07-05T12:57:00.004+03:00

Last week I was at the 9th European Conference on Information Warfare and Security (ECIW 2010) in Thessaloniki, Greece. This is an academic conference, so most of the attendants were also speakers. The information about the proceedings is available here. I hosted the Cyber Conflict mini-track, which consisted of five papers, including mine:

Ottis, R. (2010) Proactive Defence Tactics Against On-Line Cyber Militia. In Proceedings of the 9th European Conference on Information Warfare and Security, Thessaloniki, Greece, 01-02 July. Reading: Academic Publishing Limited, p 233-237. [link]

The main idea of my paper was that in order to defeat a loose network of cyber vigilantes (on-line cyber militia), one can potentially adopt a more proactive stance and use various (offensive) information operations. It should be noted that this is only a theoretical exercise, as some of the options considered may be against the laws and regulations of the host country.

If you have any feedback or suggestions for reading material in the similar vein, please let me know.

Two papers published at C6

2010-06-14T11:55:00.005+03:00

I have updated the publications tab with two papers that were published in the proceedings of the upcoming Conference on Cyber Conflict. As is always the case, by the time they went to print I already had some ideas for changing them. Nevertheless, here they are:

Lorents, P. and Ottis, R. (2010) Knowledge Based Framework for Cyber Weapons and Conflict. In Czosseck, C. and Podins, K. (Eds.) Conference on Cyber Conflict. Proceedings 2010. Tallinn: CCD COE Publications, p 129-142.[link]
Ottis, R. (2010) From Pitch Forks to Laptops: Volunteers in Cyber Conflicts. In Czosseck, C. and Podins, K. (Eds.) Conference on Cyber Conflict. Proceedings 2010. Tallinn: CCD COE Publications, p 97-109. [link]

Any comments and feedback welcome.

There are those who know...

2010-06-02T14:33:00.004+03:00

Only two weeks until the Conference on Cyber Conflict! While this and some other projects keep me busy, I wanted to point you to a great story over at ubiwar. This discussion has developed over a few days in various other blogs as well.

The issue is about people with access to classified material making authoritative statements, because they "know how things really are". However, since what they know and how they know it is classified, they will not follow through with argumentation. A person who has no access to the classified material has no way of verifying the correctness of the claim, so he has to take it on faith.

My short stance on this is - if it is classified, shut up about it. One, it is not helpful for the open debate. Two, classified is not equivalent to correct. Three, "classified" may refer to something that does not exist.

CFP: IEEE S&P - Cyber Conflict

2010-05-21T14:06:00.001+03:00

IEEE SECURITY & PRIVACY CALL FOR PAPERS

Special Issue on Cyber Conflict
(Sept./Oct. 2011 issue)

Deadline for abstract submissions: 15 June 2010
Full papers due: 1 October 2010

Guest editors:
Thomas A. Berson (Anagram Laboratories)
Dorothy E. Denning (Naval Postgraduate School)

In 2007, Estonia was the target of massive denial-of-service attacks over the controversial relocation of a Soviet-era war memorial. Although the attacks leveraged botnets scattered all over the world, they were believed to originate in Russia or with persons of Russian descent. The following year, Georgia was the victim of similar attacks in conjunction with a ground confrontation with Russia. Meanwhile, large-scale cyber espionage operations into US military networks, computers belonging to the Dalai Lama and the government of India, critical infrastructures, major companies including Google, and various other targets have been traced back to China.

These incidents offer a glimpse into a future where cyberspace plays a key role in conflicts involving either or both nation-states and non-state actors. Over a hundred countries are reportedly developing capabilities for cyber espionage and cyber attack – capabilities that many individual hackers, criminals, and spies already possess and freely use.

These developments have raised numerous questions, including: What constitutes an act of war in cyberspace? How does the law of armed conflict apply to cyber attacks? Do we need international treaties governing cyber conflict? Can cyber attacks be deterred or pre-empted? Can we detect and analyze cyber attacks with sufficient speed and certainty as to limit their damages and determine attribution? Should states be responsible for attacks conducted by their citizens or using computers in their territory? What are the security implications of cyber conflict? What are the privacy implications?

IEEE Security & Privacy magazine seeks papers on all aspects of cyber conflict, including technology, policy, legal, ethical, operational, and strategic issues, especially as they relate to security and privacy. Papers can provide a broad overview or more in-depth coverage of a specific topic, country, or case study.

Authors should submit abstracts of 100-500 words as plain text or a .pdf file to dedennin@nps.edu by June 15. Authors whose abstracts fall within the scope of the issue will then be invited to submit full papers to the journal for peer-review. Papers will be due October 1 and should not exceed 6,000 words. The writing should be down-to-earth, practical, and original. Articles that are accepted for publication will be professionally copyedited according to the IEEE Computer Society style guide.

Visit www.computer.org/portal/pages/security /author.xml for information about the magazine, including article guidelines.

Hostage Deterrence

2010-05-14T15:58:00.003+03:00

Today I happened to hear yet another discussion about the impossibility of deterrence in cyberspace, when I realized that it may not be entirely true.

While I agree that in the conventional sense, cyberspace does not support the concept of deterrence very well (lack of attribution), I think there is a special case where it might work. Consider a situation, where Nation A develops a credible offensive cyber capability and announces a policy that regardless of attribution, if a critical cyber attack were launched against it, it would automatically launch a critical cyber attack against Nation(s) B(,C,D, ...). In that highly controversial case, Nation A would actually have a deterrent against the other Nation(s) in question.

In other words, Nation B is effectively deterred from launching a critical cyber attack against Nation A.

Obviously, the weak point here is that any Nation X may do a false flag or anonymous attack in order to make Nation A to attack Nation B without cause. That is why it is not normal deterrence, but something you might call "hostage deterrence". Has anyone come across such a thing before, either in theory or in practice?

Baltic Cyber Shield 2010

2010-05-14T15:32:00.005+03:00

I spent the first two days of this week engaged in a multinational distributed cyber defence exercise - Baltic Cyber Shield. It was a tech-centric exercise organized by CCD COE and various Swedish defence organizations, particularly the Swedish National Defence College and the Swedish Defence Research Agency. The Estonian Cyber Defence League, a volunteer cyber defence organization, also provided invaluable support. All in all, about 100 people from about 10 countries took part in the exercise.

According to the scenario, six blue teams (3 Swedish, a Latvian, a Lithuanian and a NATO team) of up to ten experts were deployed to take over compromised and poorly set up networks targeted by an extremist environmental group's "cyber warfare division" (multi-national red team). The exercise was distributed, so the participants performed the defence and attack missions remotely.

I must say it was a lot of fun. As expected, there were all kinds of issues, but in the end, everything went quite well. The attackers were able to maintain a steady push, compromising well over a hundred systems over the two days, while the defenders tried different strategies to maintain their services while locking the attackers out of their networks.

As a member of the referee team, I got another good experience, and learned some things that can contribute to my PhD research (the attackers were, after all, supposedly a non-government volunteer group who engaged in politically motivated cyber attacks). Congratulations are in order to the members of Blue 5, a Swedish expert team, who won the exercise.

Next week I will be at the SMi's Cyber Defence Conference in Tallinn.

Cyber Attacks and NATO Article 5

2010-05-07T11:07:00.004+03:00

I gave a lecture about malicious uses of cyberspace to an international group in Germany yesterday, and one of the attendees asked me if a cyber attack could ever be a trigger for the collective self defense clause of NATO a.k.a. Article 5.

A very good question.

Allow me to answer via analogy:
1. A cyber attack is either malicious use of commonly available technology (computers, software, network infrastructure, ...) or the use of a cyber weapon (something specifically crafted for causing damage/disruption in cyberspace - such as a DoS tool) in order to create a cyber incident.
2. The ONLY time when Article 5 was actually invoked was in response to the malicious use of commonly available technology (passenger aircraft during 9/11).
3. Therefore, it follows that if the cyber attack causes serious enough harm, it can trigger Article 5 action.

The question that remains, then, is what level and type of harm will cross this threshold. In reality, this will never be set in stone. Likely there will be some cases that will automatically trigger it, however, in the end it will be case by case, as it is with "conventional" attacks.

The Law of Armed Conflict in Cyberspace

2010-05-03T13:28:00.004+03:00

Last week I spent three days with a group of law experts, who are trying to figure out how to interpret the current laws of armed conflict (LOAC) for cyberspace. The group is headed by Mike Schmitt, and includes many other heavyweights like Derek Jinks, Ken Watkins, Tom Wingfield and Bill Boothby, just to name a few.

This work is very important, as there are no laws specifically drafted for conflicts in cyberspace or suitable court cases to analyze (to my knowledge). To bridge the gap between the laws written in the (arguably) pre-cyber era and the events that we witness and theorize about today, one needs to make good use of one's imagination. This was my role, I guess - I was one of the "cyber experts" who was tasked to come up with examples and analogies on the spot, while explaining some basic concepts from computer science, informatics, physics, etc. to a crowd who normally deal with the legal issues in the realm of things that kill people and blow stuff up.

I must say it was a wonderful learning experience and I look forward to the next meeting. It also clearly identified some issues that I have not seen discussed (recognized?) by us theoretical/conceptual researchers, who approach the cyber conflict from the de-facto viewpoint (what the technology allows to do and what is actually being done in cyberspace). While we may say that the de-jure viewpoint is outdated and not realistic, we cannot argue that it is, in fact, the law.

Some issues that I personally found interesting (contrasted with the cyber-centric viewpoint) were:

the legal concepts of armed attack, use of (armed) force and armed conflict in cyberspace, and
the legal status of non-military personnel, who perform cyber attacks during wartime.

While this work is still in its infancy, I hope the resulting manual will settle some of the speculative cyber warfare discussions of today.

Corrupted Science

2010-04-21T15:00:00.004+03:00

I recently finished a book by John Grant - Corrupted Science. In it, Grant describes an endless parade of examples where the scientific principles have been violated (sometimes resulting in tragic loss of human life), starting from faking observation data by Ptolemy and Galilei to the illnesses hampering modern science in the US.

I think it should be required reading for aspiring scientists. On the one hand, it demystifies the image of science, which is often seen as something that is absolute, certain (100%) and infallible, while in reality it is often not the case. On the other hand, it urges you to avoid the various pitfalls or mistakes that have happened before, and hopefully make you a better and more moral scientist.

It is especially instructing to see the vast array of examples from recent years. Otherwise, we could just look at the chapter on Hitler's Germany and Stalin's Russia and dismiss it as "ancient" history. However, it is followed by an account of politically corrupted science from the US during the Bush (II) reign.

Volcano Week

2010-04-19T17:45:00.002+03:00

I was supposed to go to a workshop in Hungary this week to discuss where the European cybersecurity research is heading and where it actually should go. It seems that the Norse gods had their own agenda, so the workshop was postponed.

So, for now, I will just point you to the workshop's literature [pdf] page, which includes some interesting references.

Paper on Cyberspace

2010-04-14T11:55:00.004+03:00

I presented a paper [link] at the 5th International Conference on Information Warfare and Security (ICIW) last week. This year the event was hosted by the US Air Force Institute of Technology, at the Wright Patterson AFB, Dayton, Ohio. If you ever get the chance, I recommend to spend a day or two at the Air Force museum in there (yeah, any less will not do).

Our paper (co-authored by Peeter Lorents) presented some of our work on the cyber terminology. Specifically, in the paper we defined cyberspace as "a time-dependent set of interconnected information systems and the human users that interact with these systems".

It was not our intent to come up with a universal definition (which could be useless), but something that provides a background for our future work. So, basically, it is more like a brick destined to become part of a wall, instead of the wall itself.

While we were at it, we came up with a couple of simple implications from our definition, which are explained in more detail in the paper:

both offensive and defensive deployments can take place very rapidly in cyberspace
it is not feasible to map cyberspace accurately
both attackers and defenders must constantly reconnoiter or patrol the potential area of conflict in cyberspace.

The conference itself had some interesting papers from various angles and I look forward to reviewing a few of those here.

P.S. I moved the publications section to a tab at the top. Under that tab is now the full list, with some papers available via Google Docs.

Georgia 2008 and Cyber Neutrality

2010-03-31T16:25:00.001+03:00

I happened across an article [pdf] about neutrality in cyberspace by Korns and Kastenberg. In the article, the authors analyze an aspect of the 2008 Georgia cyber conflict that usually receives little attention: the fact that the Georgian government moved some of its online services to other countries during the war. Specifically, the authors worry about what this means to the neutrality of the host countries.

While they raise an interesting question, I do have some issues.

First, there is the question of whether US lost neutral status in the Russia-Georgia war by hosting some services:

"The fact that American IT companies provided assistance to Georgia, a cyber belligerent, apparently without the knowledge or approval of the US government, illustrates what is likely to become a significant policy issue."

Were Georgian websites under attack? Yes, no doubt. Was this a part of the Russian war campaign? Maybe, but at least officially the Russians deny their involvement. Well, if neither belligerent takes responsibility for the attacks, then we can't really refer to Georgia as a "cyber belligerent" (what does this mean, anyway?). We are left with attacks that do not amount to war, but crime or political hactivism, and I am unaware of any international prohibition on cooperating against criminals or hactivists - even on the business level. Besides, blaming Georgia for this decision is similar to arresting the victim of a street mugger, as the only known party in the criminal act.

Then there is the question of the type of aid that was provided to Georgia (citing a Supreme Court decision):

"If the US government establishes a strict position of neutrality, American industry may provide nonmilitary and humanitarian support to a belligerent, but firms are required to halt all commerce that militarily aids a combatant."

I believe this is undiscovered country. Presumably, the drafters of this document kept in mind the physical goods industry, whereas in cyberspace we are mostly concerned with services. Is hosting a government public relations website "commerce that militarily aids a combatant"? I would argue against that, because otherwise US would have to pull the plug on EVERYTHING every time there is a conflict where US remains neutral (although there is a question whether US was truly neutral in this case, as illustrated in the paper).

"Under a traditional international law rubric, to remain neutral in a cyber conflict a nation cannot originate a cyber attack, and it also has to take action to prevent a cyber attack from transiting its Internet nodes."

Since US is one of the leading nations harboring ISPs with questionable practices, and is also home to a large number of malware infected computers (bots in a botnet), then any time you have a large DDoS attack, US is likely to be on the "attack source" list [to be fair, the authors have also covered this aspect]. I consider it quite likely that at least some US-based computers were used against the Georgian sites during the war. If the Russian Federation was behind the attacks, does this mean that US lost its neutrality and became a belligerent? Again, I would say no. It would be great if US could clean up its part of the Internet, though.

The rest of the paper does a quick analysis of several potentially applicable laws and treaties. Again, while I do not agree with all of their conclusions, they have done a very good job of pulling together thought-provoking concepts. I highly recommend reading it.

These are just some first reactions, but I can see that I need to do some deep thinking on the subject.

Reference:
Korns, S.W., Kastenberg, J.E. (2008) "Georgia’s Cyber Left Hook." Parameters: 38.4 : 60-76. U.S. Army War College. Available at: http://www.carlisle.army.mil/usawc/Parameters/08winter/korns.pdf

C6 preliminary agenda published

2010-03-26T13:16:00.003+02:00

The CCD COE Conference on Cyber Conflict preliminary agenda is now published. Please take a look and see if something interesting catches your eye. If so, the registration is also open and I look forward to seeing you in June.

Eureka! I've discovered ... science blogging?

2010-03-19T10:08:00.006+02:00

Every once in a while you accidentally stumble on something interesting and beneficial, and you can't help but wonder why you had not seen it before. Because these things rarely hide, you just don't look for them.

This is what happened to me when I followed a random series of interesting links and ended up in the ScienceBlogs. Wait, what? Well, obviously, if you come to think about it, such a thing must exist. In multiple forms, even: Wiki, ResearchBlogging, InsideHigherEd, etc. Boy, do I have things to read ...

I think, I'll start with science blogging. [here, here, here, here, for starters]

Unfortunately, as is often the case with walking down these narrow and twisted paths, I no longer remember, which article or post started me down this particular road. However, I hope that the links in this story will help out someone else and I can call it even, in the grand scheme of things.

Cyber Warfare a WMD?

2010-03-16T10:35:00.003+02:00

Some comments on the BBC story on USCybercom, which I picked up from USCybercom Watch:

"Not everyone is convinced of USCybercom's military value. One US official at the London conference said that if cyber warfare was a WMD it was only a weapon of "mass disruption, not destruction"."

Only, indeed. While I agree that the effect of cyber warfare is more disruptive than destructive, I cannot agree with the implication this quote seems to make. Just because you cannot blow things up with something does not mean that it is not important. ENIGMA, anyone? Actually, the example by Professor Kuehl in the beginning (bomb v cyber op) illustrates the benefit of cyber very well.

Secondly, military value does not equal WMD. Infantry is not considered a WMD, so surely it cannot have military value? Clearly, this is nonsense. However, I am afraid I am doing injustice to the unnamed speaker at the conference, who may have had something entirely different in mind.

Thirdly, let's forget about the whole WMD thing. It overly complicates issues by raising emotions from nothing. Cyber operations can and do happen every day and and we do not see "mass destruction" in the headlines. Yes, in theory, a cyber attack could have global and devastating effects (for example, by creating a cascading failure in the power grid), but this is a fringe case. Most cyber operations would be far more limited in scope, aiming for operational/strategic effects through tactical level cyber operations. And as for battlefield damage, cyber operations are perhaps best viewed as a way to maximise the effects of kinetic/thermic/EM weapons.

Cyber Conferences

2010-03-10T09:48:00.003+02:00

Here are some cyber conferences that might be of interest, in chronological order (disclaimer: I will take part in all of them):

The International Conference on Information Warfare and Security (ICIW), April 8-9 in Dayton, Ohio, US. This is an academic conference with peer reviewed proceedings and covers a wide range of topics from PSYOPS to cyber operations. I will be presenting a paper titled "Cyberspace: Defininition and Implications".

The SMi Conference on Cyber Defence, May 17-18 in Tallinn, Estonia. This is a professional conference that is leaning a bit towards military approaches. I am invited to give a talk there.

The CCD COE Conference on Cyber Conflict (C6), June 16-18 in Tallinn, Estonia. The Conference is a mix of academic and professional presentations and will also publish peer reviewed proceedings of the academic content. There are three tracks: Legal, Strategy and Technical Solutions. I will be managing the Strategy track. I have written about this event before in here and here. Registration is now open.

The European Conference on Information Warfare and Security (ECIW), July 1-2 in Thessaloniki, Greece. This is an academic conference with peer reviewed proceedings and covers a wide range of topics from PSYOPS to cyber operations. I will be chairing the Cyber Conflict mini-track and presenting a paper titled "Proactive Defence Tactics Against On-Line Cyber Militia".

Oh yeah, did I mention that the registration is open for the C6?

On offensive operations in cyberspace

2010-03-08T17:09:00.005+02:00

This year started out in full gear for me and it seems that this is the first week where I can take a breath and write down some of my thoughts.

Last week I was invited to give a talk at one of many cyber defence/IA related conferences in Europe. As is often the case, the question of offensive cyber operations came up. It seems that whenever this happens, the automatic (and politically correct) answer is: well, the military can't plan an offensive cyber campaign, because most likely they will not be able to identify the actor behind the incoming cyber attacks (the attribution problem). They are right, counterattacks in cyberspace can be tricky.

However, this misses the point completely. Who says that cyber operations have to be symmetric (targeting only cyber aggressors with cyber ops). There is every reason for the military to plan and prepare offensive cyber operations for various military situations. When a military is deployed to fight someone, then the target should already be identified and is not necessarily limited to cyber operatives.

It makes sense to consider different ways to achieve a military objective: aerial bombardment, naval blockade, precision drone strikes, landing a division of Marines, cutting off C2 with cyber attacks, jamming radio communication with EW, threatening with nukes, etc. In fact, according to the principle of least harm, it is consceivable that the commander should FAVOR cyber attacks over more lethal options, if the end result is the same.

There is no good reason to limit the options of the commanders in the doctrine-writing phase between conflicts. Sure, there are legal issues, attribution issues, collateral damage issues and so on - as is the case with drone strikes, for example. And yet the drones are in the sky today. It just shows that where there is a will, there is also a way.

The only real counterargument for offensive cyber is that we don't want to see it on the battlefield (like nukes, bio and chem). However, clearly this is a Genie that we cannot force back into a bottle. Potential adversaries, both state and non-state are already using cyber attacks on a daily basis. Therefore, it makes sense to include this option in the play book of the commanders of the future.

It should be noted that I am not advocating military use of cyber attacks on a daily basis, but only in conflict situations and against "legal" targets. I am also aware that the whole "legal" issue is far from solved and most likely will not be solved in any reasonable timeframe.

Who is writing your e-mail?

2010-02-18T17:15:00.002+02:00

It seems that 2010 is going to be an interesting year. First, the Google-China controversy, and now this from NetWitness (also covered in here and here, among other places).

The numbers: 75000 computers compromised in 2500 companies located in 196 countries.

Why Science? Because it works! Kind of ...

2010-02-03T11:29:00.004+02:00

Every once in a while I get into a discussion on whether or not it is difficult to enter the scientific community. My theory is that it rests mostly on motivation and self confidence, as is excellently demonstrated by the example of professors Zola and Charlie Chrobak.

I am not really familiar with their current work [pdf], but I have a feeling that it is related to some previous research on Artificial Intelligence.

Thanks to Dr Risto Vaarandi for pointing me to this wonderful story of the underdogs in science.

Jeffrey Carr Inside Cyber Warfare

2010-01-28T16:11:00.003+02:00

Jeffrey Carr's new book, Inside Cyber Warfare came out late last year and is an interesting resource for the cyber researcher. If you are familiar with the Grey Goose Reports I and II and have been reading Jeff's blog at IntelFusion, then a lot of the material will look familiar.

The book covers a lot of ground (pretty much all of it), but this is also its weakness. The principle of universality vs effectiveness states that there can't be both at the same time. Therefore, the book feels at times like a train ride - interesting scenery is rushing by, but you do not catch the full richness of it, just glimpses.

I found the Grey Goose Reports an interesting read, although somewhat rough around the edges. Granted, they were done under serious time constraints and included input from many people, so it was to be expected. I'm glad to see that Jeff has polished away a lot of that.

Jeff goes through a host of examples of recent cyber conflicts, specifically looking at potential state-sponsored events like the Russia-Georgia (cyber) conflict of 2008. He includes a lot of small facts and stories that may not have caught your attention before, so it pays to read the book instead of just scanning over it quickly.

On the other hand, however, I find that the biggest problem with Grey Goose and this book is that in the end, they are just stories with a plausible explanation. To me, there is still no concrete PROOF of state involvement in Georgia 2008, even though there are a thousand circumstantial evidence arrows pointing at it. So we are stuck with the attribution question, again.

This brings me back to my own research - understanding "independent" online cyber militia and looking for ways to deal with the phenomenon. I'll have a post on some potential tactics soon.

As I said above, the book definitely contains a lot of interesting information and may provide you with the interesting fact or angle that was missing, if you are researching cyber conflicts. So, if you get the chance, read it.

CFP: ICGS3 - Braga, Portugal

2010-01-25T13:28:00.003+02:00

There is a CFP for the 6th International Conference on Global Security, Safety, and Sustainability (ICGS3). The conference will take place 1-3 September in Braga, Portugal. Papers will be published by Springer.

I have not been to this conference before, but I am considering giving it a try. From the website:

"This Annual International Conference is a established platform in which security, safety and sustainability issues can be examined from several global perspectives through dialogue between academics, students, government representatives, chief executives, security professionals, and research scientists from the United Kingdom and from around the globe."

What are your thoughts on this? Have you been there in the past?

The Schmitt analysis, Part II

2010-01-21T16:42:00.007+02:00

This is my second post that looks at the legal aspects of cyber conflicts. As Sean pointed out, Schmitt also wrote a piece in 1999 that gives a framework for evaluating whether or not jus ad bellum applies to cyber conflict. The text is available here [pdf]. Note that the last post was about jus in bello and this one is on jus ad bellum, which the author defines as:

"... that body of international law governing the resort to force as an instrument of national policy ..."

... or in other words, when is it ok to go to war. The article limits the scope to CNA between state actors, which is good, because applying the laws of war on non-state actors is always tricky. In the end, however, it needs to be done, because many of the actors in the cyber conflicts of today are definitely not state actors. Schmitt poses two generic scenarios of interest:

"In the first, State A conducts CNA operations against State B with no intention of ever escalating the conflict to the level of armed engagement. The advantages gained through the CNA are ends in themselves. In the second scenario, State A conducts CNA operations in order to prepare the battle space for a conventional attack. The goal is to disorient, disrupt, blind, or mislead State B so as to enhance the likelihood that conventional military operations will prove successful."

He again stumbles on the issue of whether or not CNA constitutes "use of force" if the legal text is interpreted the traditional way. He then brings counterexamples of "lawful" use of force, which require a different analysis approach. Schmitt analyzes the text, looks at the history behind it, and shows how the application of law has evolved over time with court cases. He arrives to the conclusion that in the end, what matter are the consequenses.

He provides a list of criteria to be analyzed in order to check whether a cyber attack could be considered "use of force" in terms of international law. Here they are:

"1) Severity: Armed attacks threaten physical injury or destruction of property to a much greater degree than other forms of coercion. Physical well-being usually occupies the apex of the human hierarchy of need.
2) Immediacy: The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly. Thus, the opportunity for the target state or the international community to seek peaceful accommodation is hampered in the former case.
3) Directness: The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate. Thus, the prohibition on force precludes negative consequences with greater certainty.
4) Invasiveness: In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target’s borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.
5) Measurability: While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.
6) Presumptive Legitimacy: In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion—again in the domestic and international sphere--are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive. Thus, the consequences of armed coercion are presumptively impermissible, whereas those of other coercive acts are not (as a very generalized rule)."

An example of the use of the Schmitt analysis in a more quantitative form is available here [pdf].

He spends a fair amount of time analysizing what actions could be taken in response to CNA. He comes up with a relatively simple decision procedure:

"1) Is the technique employed in the CNA a use of armed force? It is if the attack is intended to directly cause physical damage to tangible objects or injury to human beings.
2) If it is not armed force, is the CNA nevertheless a use of force as contemplated in the U.N. Charter? It is if the nature of its consequences track those consequence commonalities which characterize armed force.
3) If the CNA is a use of force (armed or otherwise), is that force applied consistent with Chapter VII, the principle of self-defense, or operational code norms permitting its use in the attendant circumstances?
a) If so, the operation is likely to be judged legitimate.
b) If not and the operation constitutes a use of armed force, the CNA will violate Article 2(4), as well as the customary international law prohibition on the use of force.
c) If not and the operation constitutes a use of force, but not armed force, the CNA will violate Article 2(4).
4) If the CNA does not rise to the level of the use of force, is there another prohibition in international law that would preclude its use? The most likely candidate, albeit not the only one, would be the prohibition on intervening in the affairs of other States."

A second decision procedure is available for determining whether or not a response with armed force is applicable:

"1) If the computer network attack amounts to a use of armed force, then the Security Council may characterize it as an act of aggression or breach of peace and authorize a forceful response under Article 42 of the Charter. To constitute an armed attack, the CNA must be intended to directly cause physical damage to tangible objects or injury to human beings.
2) If the CNA does not constitute an armed attack, the Security Council may nevertheless find it to threaten the peace (the absence of inter-state violence) and authorize a use of force to prevent a subsequent breach of peace. The CNA need not amount to a use of force before the Council may determine that it threatens peace.
3) States, acting individually or collectively, may respond to a CNA amounting to armed attack with the use of force pursuant to Article 51 and the inherent right of self-defense.
4) States, acting individually or collectively, may respond to a CNA not amounting to armed attack, but which is an integral part of an operation intended to culminate in armed attack when:
a) The acts in self-defense occur during the last possible window of opportunity available to effectively counter the attack; and
b) The CNA is an irrevocable step in an imminent (near-term) and probably unavoidable attack."

The paper contains a lot of insight (at least to an outsider like me) of how the international law works and what may be the questions asked after the first real cyber war. I highly recommend reading this paper in full to get the picture. I know the author is currently working on updating the analysis, but until then, we must wait.

The Schmitt analysis

2010-01-14T15:47:00.008+02:00

Here is a bit of reading from 2002 that is still relevant today. Michael N. Schmitt wrote an article called "Wired warfare: Computer network attack and jus in bello" [pdf], where he explored what the international humanitarian law has to say about CNA. It should be required reading for all of us cyber conflict researchers, as sooner or later we will have to tackle with showing how our theories work (or not) in the framework of existing laws. And the article shows, that lawyers' concerns are often a bit different from what we might expect.

As an anecdote, I found it very funny when Richard Nixon's head (President of Earth in Futurama), faced with a legal obstacle, says something along the lines of: "Well, I know a place where the Constitution doesn't mean squat!" and the camera zooms to the Supreme Court. [from memory, so it may be a little inaccurate]

For those who are a unsure what jus in bello means, he provides a definition:

"... that body of law concerned with what is permissible, or not, during hostilities, irrespective of the legality of the initial resort to force by the belligerents."

With that clear, let's move on. He quickly analyzes whether the international humanitarian law applies to CNA at all and finds that yes it does, if it can be classified as 'armed conflict'. That, in turn, requires that 'armed forces' are engaged in the conflict. However, the link between CNA and armed forces is not very strong, so he analyzes the contradictions in the text of the law and its application to conclude that:

"... humanitarian law principles apply whenever computer network attacks can be ascribed to a State are more than merely sporadic and isolated incidents and are either intended to cause injury, death, damage or destruction (and analogous effects), or such consequences are foreseeable."

Obviously, the biggest problem here is the attribution. Cyber is very much a silent service when it comes to taking credit for the really complicated and high profile attacks. Government A could very well pull off a 'cyber war' and remain anonymous. Better yet, make it look like it came from Govt. B.

Since direct injury and death is presumably difficult to reach with cyber, let's discuss the other two. Would financial loss be enough to evoke the damage criteria? If so, how much loss are we talking about? Does destruction only apply to physical objects or is information also on the menu? What if an attacker drops all tables in the national registry of [CLASSIFIED] and manages to mess up the backups as well? The truth is out there...

Schmitt follows a trail of deductions similar with the 'armed conflict' with the concepts of 'targeting' and 'attack' in the law. He also touches the classification of targets to combatants and military objectives, civilians and civilian objects, as well as dual use objects. He discusses targeting economic systems (stock market, banks etc) as military targets and once again returns to the threshold of 'injury, death, damage or destruction'.

The civilian section includes an interesting bit about contractors or civilians who perform cyber attacks. He points out that those civilians (and contractors) with an official tie to the military could still be targeted and could be considered prisoner of war (because they are 'accompanying the armed forces'), if captured. On the other hand, if civilians launch the attack and they do not have an official connection, they would be 'illegal combatants' (who may still be attacked). This is only in case where the cyber attacks are severe enough to pass the threshold mentioned above.

Unfortunately his section on dual use objects is relatively short. I think the dual use category is extremely important in cyber context, as one could argue that most systems could potentially be dual use (Internet, for example, can serve as a backup communication system for the military and it is most likely going to be the main battlefield of cyber conflict). This is definitely one aspect that merits further study.

He shows that the legal framework actually supports cyber attacks over kinetic in some cases, such as shutting down dams and nuclear power stations (which you should not do with kinetics).

He analyzes several aspects of CNA targeting, including discrimination, distinction, proportionality, collateral damage, incidental injury and perfidy. I think the difference between a perfidy and a ruse is what would often get IT guys in trouble.

Overall, he covers a lot of ground and to my knowledge, there is still no better, definite answer on what is and is not allowed in cyber space. As always, read the paper for full info.

First post

2010-01-11T17:25:00.002+02:00

...of 2010. This year has actually started with a flurry of activity and I seem to be quite busy for at least the next five weeks or so. I guess this is good, as most of the activity is centered around my research.

This year will be important for my PhD studies. I plan to research and publish some core pieces of my thesis in preparation for the write-up and defense in 2011. Specifically, I want to address the structure, capabilities and weaknesses of volunteer cyber militia. Tackling those issues will not be easy, requiring me to revisit some concepts that I haven't looked at in years.

Cyber communities

2009-12-29T17:15:00.003+02:00

I happened on an interesting site (wish I had found it sooner) that also deals with cyber warfare research. Near the top of the blog pile is an interesting series of posts, which looks at the various Cyber Warfare communities that have a stake in the issue:

Although there are a lot of good points in there, let me just reiterate one - there are not many publication opportunities for cyber warfare researchers. Sure, you can hook your topic to information security, information operations, or any number of other topics, but still - very few dedicated venues like the upcoming Conference on Cyber Conflict.

I'll now turn back to the Selil blog, to see what else I can find. See you all next year!

Milblogging, ad-hoc cyber militia and science

2009-12-28T14:40:00.004+02:00

I read an paper by Sean Lawson, about the debate and conflict [pdf] between the US Army and the Milblogging community (servicemembers who blog about their experience in the military, including combat reports).

While the article focuses on the blogging servicemen, we should also make a note that the same tool is available to everyone. This spontaneous "online, volunteer public affairs or information operations corps" would be a perfect rallying tool for an ad-hoc cyber militia. Consider, that there are numerous blogs on controversial issues (including pro and contra sides for each), which typically have a steady readership, even if it is small. All it takes is for the blogger to post a rally cry (and some instructions) and an ad-hoc cyber militia is formed and ready for action.

Members of such a group are pre(self)selected and have strong feelings about the issue. Therefore, they probably need very little persuasion to join up.

If you have the time and the interest, there is also a link to his Doctoral Dissertation on his web site. It gives a good overview of the development of the science of war, explaining the heritage of terms such as OODA loop and netcentric warfare, as well as providing an overview of the relation between US military and the scientific community. Interesting to read. Nearly 400 pages, however, so be warned.

Russia and Cyber Attacks

2009-12-22T12:07:00.006+02:00

A colleague pointed me to an article in the Baltic Security and Defence Review, an annual publication of the Baltic Defence College (international staff college for military officers at OF3-OF5 ranks). MAJ William Ashmore (US Army) writes an overview of recent cyber conflicts with Russia, titled "Impact of Alleged Russian Cyber Attacks" [pdf].

While the article covers a lot of ground it seems that he is not a subject matter expert in cyber conflicts. The quality of the references is relatively weak (mostly public news media) and there are a few simple errors. On the other hand, he has done a fairly broad background check for the legal/doctrinal work done at OSCE, UN etc.

He provides an overview of events in Estonia 2007 and Georgia 2008 among others, and a summary of NATO's activities in setting up cyber defence. He spends some time on Herman Simm's case (highly placed spy for Russians in Estonian MoD, caught 2008), although to me his arguments there seem a bit weak.

He reviews the national and international responses/comments to the Russian cyber campaigns, including potential attribution. There is also a fairly interesting chapter about future trends in Russian cyber activities (including Dr Panarin's recommendations). I think he may be onto something when he says that in Russia, cyber is mostly seen as an offensive capability.

With the US primarily focused on the Chinese cyber threat, the Russian (and other) cyber studies remain in the background. Therefore, it is a refreshing piece of reading, regardless of some issues with depth or quality. As always, read the article for full info.

Happy holidays!

McAfee's Virtual Criminology Report 2009

2009-12-18T11:19:00.004+02:00

I set aside some time this week to read the McAfee Virtual Criminology Report 2009 [pdf]. It has a provocative sub-title "Virtually Here: The Age of Cyber Warfare" that caught my eye. So, what was useful in there for me?

As the foreword (by CEO of McAfee) already points out, politically motivated cyber attacks are on the rise and the term cyber crime is not fit to describe them well. The foreword also makes the important point that this report comes from a private sector perspective, unlike the usual government/military perspectives on cyber warfare. As it turns out later, however, it is more of a broad spectrum overview that doesn't really focus on any special sector or issue.

The report gives a short overview of the events in Estonia 2007, Georgia 2008 and US/South Korea 2009. The Georgian overview is based on the US Cyber Consequences Unit overview [pdf], which is the public high-level summary of a more detailed report.

Of more interest is the method for cyber attack attributes that is presented on pages 8-9. Experts will assign values to a cyber conflict in four categories to determine the severity of the event (no reference):

"Source: Was the attack carried out or supported by a nation-state?
Consequence: Did the attack cause harm?
Motivation: Was the attack politically motivated?
Sophistication: Did the attack require customized methods and/or complex planning?"

They have provided a table for assigning values and have applied the model on the three conflicts mentioned earlier, providing a bar graph. I have done similar work in my Master's studies. In retrospect, it is only of limited use, because the values are highly subjective and in the end - it does not prove anything.

The report also mentions many well known issues in cyber conflict, including:

many nations are preparing for cyber war, but covertly
criminals and politically motivated attackers use the same tools and techniques
criminal groups may cooperate with governments
financial and other critical information infrastructure is at high risk
sharing threat information is good
there is a need for a public debate about the use of cyber weapons
the attribution problem and a nice intro to the cyber deterrence issue
the need for updated legal measures
cyber espionage
etc.

On one hand, this report should bring little new information for the experts and researchers that focus on the issue. It uses little or no quality (written) references, but this issue is balanced out with the number of expert interviews and direct quotes. Therefore, I thought it was nice to read, but I found nothing really provocative in there.

On the other hand, however, I find that it does a very good job as an introduction to the whole cyber conflict issue for non-specialist readers. If you need to convince your boss or your grandmother that cyber conflicts should be studied - have them read this report.

Abstract on capabilities of novice cyber warriors

2009-12-11T11:13:00.001+02:00

Below is an abstract paper idea that I am currently developing. The main idea is to look at the potential actions available for low level attackers - people who have no special training or experience with cyber attacks. The working title is "From pitch forks to laptops: volunteers in cyber conflicts". I would be grateful for any useful references on this topic.

Abstract:

The capability for organized violence in the international setting has normally been the domain of nation states. Cyberspace, however, provides an international arena where almost anyone has the power to attack any target at will. While most of these attacks have little effect, there is often little disincentive to using them, as attribution of cyber attacks and prosecution of attackers is still the exception, instead of the norm. Thus, the 21st century farmers with pitch forks or cyber militia become more than a local force and, if organized well enough, can mount an offensive cyber campaign that could damage the economy or social order of a nation state on the other side of the planet.

In order to test this claim, I will first consider the potential threat from the Internet users who are untrained in hacking techniques and who have very limited resources. In general, there are two types of activities that are open for such persons: supporting the cyber campaign by providing resources, cover and training (among other things) and launching cyber attacks as part of the cyber campaign. It is important to note that the support activities may be more significant than fighting in a People’s War type conflict.

I will proceed by considering the potential threat from advanced hackers or hacker organizations. While there have been many well publicized hactivism campaigns, there are few examples of serious cyber strikes that target critical systems. Therefore, most of this analysis is theoretical, drawing on past examples as appropriate.

In the end, national security planners must face this threat and develop a strategy to counter it. I include some proposals for dealing with the cyber militia problem and discuss the potential merits and pitfalls of farmers with laptops engaging in cyber campaigns both on their own as well as in the service of a state.

Warp speed, Mr Spock!

2009-12-10T17:30:00.003+02:00

I realize that Spock is normally not at the helm, but there is method to my madness (I think). Spock is a science officer and therefore a better addressee in the case of academic publishing. The problem with the publishing process in science is that it is ... well ... light speed at best. And light is just way too slow if you want to explore the universe.

Consider this: if the Sun were to mysteriously explode with no warning, we would remain in blissful ignorance of the fact for roughly 8 minutes. So, something better is needed. In case of the Star Trek universe, the answer is Warp Drive, which allows for faster-than-light travel.

Similarly, the publishing process (write abstract, get it accepted, write full paper, get it reviewed, improve it, publish it) usually takes months, sometimes even years. This means that an idea can potentially die of old age before it is given birth (officially). Also, multiple people can work on the same idea and only discover on the eleventh hour that somebody has already beaten them to it (by 2 minutes and 42 seconds). Additionally, peer review is limited to one or two pairs of eyes, instead of the wider community. So, something better is needed.

I guess the best thing we have going for us is the Internet. Posting raw ideas in a blog like this, getting feedback and comments WHILE you develop a paper, not AFTER it is published could potentially be the warp drive that I'm looking for.

Oh, I am well aware that I am not the first one to gripe about this problem, nor is my solution original in any way. But it is something that I intend to try. So please, feel free to demolish my ideas in the comments section (or contact me directly via e-mail).

Shields up!

2009-12-09T13:06:00.003+02:00

I set up a LinkedIn account yesterday, since some of my friends and colleagues have asked for it. I am still looking for appropriate groups to join in there. Specifically, groups that could provide useful input to my research.

EDIT: if you have any suggestions, please write them in the comments below.

Review: Jose Nazario on Political DDoS Attacks

2009-12-07T16:23:00.009+02:00

Time for another review. This time it is Jose Nazario's CWCON paper called "Politically Motivated Denial of Service Attacks." He is looking at DDoS as one of the more visible and popular cyber attack forms and is limiting his sample to the ones with a political motivation (vs the standard criminal motivation - money).

NOTE: The final published version of this paper was accepted after the conference so it includes some more recent examples.

His research is based on data from three sources: ATLAS project at Arbor Networks (basically, ATLAS collects data from sensors to provide an overview of the more visible cyber campaigns), infiltrated botnet C&C servers and border gateway protocol (BGP) routing data.

He starts out with a little overview of major political DDoS campaigns of the past, covering the following events:

2001 Hainan Island incident
2007 Estonia campaign
2008 China v CNN campaign
2008 Georgia campaign
2008 Burma
2007 elections in Russia
2008 Radio Free Europe campaign
2008 anti-NATO campaign in Ukraine
2009 MSK forum DDoS in Kazakhstan
2008 DDoS-censoring of Russian opposition websites
2009 Israel v Gaza/Hamas
2009 Kyrgyzstan - a false positive?
2008 Kommersant DDoS
2009 Kazakhstan opposition sites under DDoS
2009 South Korean/US campaign

It is noticeable how most of these events are known by the target only. In history, conflicts are usually named after both/all participants or at least the participants are known. In cyber conflicts, however, it seems to be the norm that the aggressor remains anonymous. Even if all the circumstantial evidence and opinions point against one entity, rarely is there enough proof to attribute the attack in court.

He continues to describe the attacker type that seem to be behind most of the attacks listed. In general, the attackers are "classic right-wing" supporters of the government and targeting internal or external opposition. He also writes about using propaganda to recruit supporters for a cyber campaign and then training them online - a basic ad-hoc cyber militia. What the militia cannot achieve with finesse and expertise, they make up in numbers (DDoS).

He points out that the classical goals for such attacks are to punish the target, or to show dissent, or to censor the target (especially true for attacks against news outlets and opposition parties). He brings examples of partial attribution: Nashi youth group in Russia, the Chinese Honker Union and StopGeorgia.ru. Note that in all these cases the attackers made the claim - nothing has been proven in court (as far as I know).

He reviews some broad responses to the cyber campaigns listed and finishes with recommendations:

harness public support and international cooperation
deploy available commercial tools
be open to commercial offers to help
develop a more efficient decision making process
delegate authority
consensus is sometimes not necessary

In conclusion, he also points out that we need to study guerilla and asymmetric warfare in order to succeed on the cyber battlefield.

The paper has numerous examples from recent years and thus gives a good overview of the extent of the problem. However, the examples have different level of detail (often too vague) to be of much help on researching a specific case. I would have expected a more detailed analysis of a limited number of campaigns. As always, read the paper for full value.

Review: Billy Rios on Cyber Attacks

2009-12-02T12:03:00.007+02:00

It has been a busy time since last post. I gave a short lecture at the NATO School in Germany last week and I'm preparing some paper ideas for next year. However, I decided to take a short breather and review another paper from the Conference on Cyber Warfare - Billy K. Rios wrote a piece titled "Sun-Tzu Was a Hacker: An Examination of the Tactics and Operations from a Real World Cyber Attack." His work is partially based on the Grey Goose Report I.

The paper tries to map some real cyber operations to equivalent concepts in maneuver warfare, particularly drawing on the Georgia case and the US Marine Corps doctrine. He starts out by describing the essence of maneuver warfare and points out that cyber operations cannot "win a war". Instead, they can break up the enemy's cohesion and allow for exploitation by other (conventional) means. Incidentally, the Chinese seem to have adopted the same idea.

Discussing decentralized command and commanders intent, he brings the example of how a target list of Georgian sites was posted in a forum without clear instructions for action. The forum members then contributed with potential attack plans/instructions and discussed the campaign. As a result, a variety of targets and options became available and the attackers could each choose a course of action suitable for their skill, resources and level of motivation. As a side note, similar behavior was observed a year earlier during the cyber campaign against Estonia.

As an example of combined arms, he brings the example of SQL injection queries for fingerprinting and gaining access to database contents (NB! starting a month before the armed conflict), exploiting this information for intelligence, preparing automated attack tools that are then provided through the forum to anyone interested. I think he could have used a better example, because the link to combined arms is not clearly apparent.

Illustrating the concept of initiative he uses the examples of pre-emtive intrusions to Georgian systems and the sustained pressure to keep initiative on the attacker side, while keeping the Georgians to react. As a result, responding to cyber attacks wasted valuable time.

He also explains the importance of identifying and attacking enemy Centres of Gravity, although he does not connect it to the Georgian case. The important point is that these centres need not be physical fortifications or units, but can also encompass things like morale and resolve. Clearly, cyber attacks are a potential way of attacking the enemy centres of gravity, especially C2 networks and information targets.

He then points out that conventional weapons have physical limitations and the skill of the operator can only have relatively little effect in terms of stretching the effective range, damage etc. For example, a skilled marksman with a M4 carbine can hit a target from several hundred meters with standard sights, but not much more. On the other hand, the cyber warrior's capability to do damage is directly correlated with his skills. I especially like this sentence:

"Creating an offensive cyber capability is less about finding the right hardware and more about finding the right people and skillsets."

He also highlights that it poses a problem for intelligence analysts, as it is very difficult to estimate or track the development of offensive cyber capability, because the key component is the skillset of operators, not the invested money or acquired hardware.

Rios summarizes the paper by emphasizing that

cyber capability should be incorporated into the overall plan, as it will not win the war on its own.
Command and Control should be kept decentralized and decisions delegated to the lowest level. [This is in contrast to the Chinese doctrine, which seems to prefer rigid central control and limited use of the cyber strikes. - RO]
the individual cyber specialist is the weapon system, not his laptop or his sidearm.

The paper is short and to the point. I like the summary, which brings out some good points (even some that do not seem apparent from the main text).

Reminder: CFP for Conference on Cyber Conflict

2009-11-23T15:14:00.002+02:00

Reminder: the deadline for the abstracts to the Conference on Cyber Conflict is in ONE week - 30 November. Surely, 300-500 words of pure genius is manageable in a week, so start writing, if you haven't already.

Official CFP website
My earlier CFP post

Cyber Security in Serbia

2009-11-23T14:09:00.002+02:00

Last week I participated in the Security in Cyber Space Conference in Belgrade, Serbia (organized by MoD and the Jefferson Institute). I was invited to give a short high-level introduction to patriotic hacking as one of the things that might have national security implications in cyberspace.

The conference covered a lot of ground in a short time, mostly focusing on Serbian experience so far and plans for the future. Other guests represented EUCOM, Middlesex University and Norvegian Defence Research Establishment.

For those of you who have never been to Belgrade, I recommend the Belgrade Fortress, which also includes the Military Museum. Unfortunately, most texts in the museum are in Serbian, but they do have many interesting items on display (ticket roughly 1 EUR).

Shane Harris - The Cyberwar Plan

2009-11-16T11:03:00.004+02:00

Shane Harris has an interesting article in the National Journal. The main punchline seems to be that in 2007 US performed a cyber operation against insurgents in Iraq (and is planning to fight in cyberspace in the future, as well). Specifically:

"At the request of his national intelligence director, Bush ordered an NSA cyberattack on the cellular phones and computers that insurgents in Iraq were using to plan roadside bombings. The devices allowed the fighters to coordinate their strikes and, later, post videos of the attacks on the Internet to recruit followers. According to a former senior administration official who was present at an Oval Office meeting when the president authorized the attack, the operation helped U.S. forces to commandeer the Iraqi fighters'communications system. With this capability, the Americans could deceive their adversaries with false information, including messages to lead unwitting insurgents into the fire of waiting U.S. soldiers."

As is the tradition with revelations like this, in the end, there are no easily verifiable facts and the story itself is deniable, if necessary. On the other hand, it does say out loud what many others have omitted to so far and brings a clearly understandable example of the potential use of cyber power.

The article gives a very nice overview of many of the problems in cyber, such as finding and retaining personnel for the cyber force, attributing attacks to a state, potential escalation of the conflict to include third parties, collateral damage etc. One of the problems is the interdependency between civilian and military infrastructure, well illustrated by the quote from an USAF official: "... Iraq didn't do a good job of partitioning between the military and civilian networks." We have seen that human shield tactics work relatively well against western military. Consider then that the mixed infrastructure is like an ultimate human (civilian) shield, which could be used as a deterrent against military cyber attacks.

In a way, this article illustrates the media bias in security studies. We (western media) have long heard stories and laments of Chinese, Russian, Iranian and North Korean evildoing in cyberspace - spying on government leaders, attacking opposition web servers at home and abroad, etc. It is rare to hear someone state the obvious truth that western countries are, in fact, often doing the very same thing. With that out of the way, we can get down to business of analyzing conflicts in cyberspace.

The article briefly covers the Estonia 2007 and Georgia 2008 cyber attacks. Unfortunately, he makes the wide-spread comment of "crippling effects" in the Estonian case, which I have tried to correct and explain here. However, he only uses these cases as examples to illustrate the problems of attribution.

He proceeds by illustrating one of the key reasons why cyber operations have failed to make it into mainstream military use. A briefing on the 1999 Kosovo campaign concluded that:

"... the cyber-operation "could have halved the length of the [air] campaign." Although "all the tools were in place ... only a few were used." The briefing concluded that the cyber-cell had "great people," but they were from the "wrong communities" and "too junior" to have much effect on the overall campaign. The cyber-soldiers were young outsiders, fighting a new kind of warfare that, even the briefing acknowledged, was "not yet understood.""

It is true - cyber warfare is not yet understood. Not even by the experts who are trained to fight it. There are very few examples (often anecdotal) of actual use of cyber operations to achieve military success, and even those are usually restricted to a very narrow part of the grand plan. Therefore, it is too early to say if applying the doctrine in large scale conventional military operations will bring cyber to the dominant position, or supportive, or just annoying. It will probably take a conventional, serious (life-or-death for the state), war between two technologically advanced states to really bring out the benefits and drawbacks of cyber war.

The rest of the article is also a good read, so I highly recommend it. I don't agree with parts of it, such as the MAD doctrine as a useful analogy (I've commented on it here), but it does provide a good introduction to the military cyber issues, especially for those who are new to the topic.

Interview in Eesti Päevaleht

2009-11-14T12:15:00.003+02:00

Eesti Päevaleht (a daily newspaper in Estonia) published my interview [in Estonian] on cyber threats and conflicts in cyberspace.

Review: Amit Sharma on Cyber Wars

2009-11-09T11:01:00.004+02:00

Time for another review of the articles published in the proceedings of the CCD COE Cyber Warfare Conference. Next up is Amit Sharma from India, who wrote an interesting paper titled "Cyber Wars: A Paradigm Shift from means ot Ends".

He starts out by explaining the idea behind the paper. He hopes to provide a

"framework in which cyber warfare will have a strategic effect by acting as primary means to achieve conventional ends, hence will induce a paradigm shift from the conventional notion of cyber warfare as a tactical force multiplier to the notion of strategic cyber warfare acting as primary means of achieving grand strategic objectives in the contemporary world order. The author will accomplish this objective by deriving the elixir of Clausewitz’s Trinitarian warfare and applying the concepts of Rapid dominance and Parallel warfare in cyber space so as to generate the strategic paralytic effect envisaged in effect based warfare. The author will conclude by shattering the conventional dictum of cyber defence, based on the notion of “defence in layers” and legal aspects of Law of Armed Conflict; by providing the only feasible and viable cyber defence strategy relying on the application of Rational Deterrence Theory (RDT) in general and on the idea of Mutually Assured Destruction (MAD) in particular so as to maintain the strategic status quo."

A tall order by any standard. The paper is written in an artistic and forceful language, painting the scene of an apocalyptic cyber strike that ends all and paralyses the entire state from the government to the citizen by simultaneously disrupting the trinity of government, military and people. I think that this strong emphasis on total paralysis (and total war) is a potential weakness of his approach.

Even though all theoretical model are abstractions, I believe his trinity (imagine a triangle) model is somewhat idealistic and naive. His description of the people corner is exclusively oriented to the liberal western countries (which includes the minority of the world's population and, arguably, are not as liberal or democratic as they may portray themselves). What about the rest of the world? The model's military corner is focused on the network-centric digital troops, which again represent the minority (although a powerful one) in the militaries of the world and even that is not always as networked on the battleground as the doctrine would imply. Last, but not least, the government corner, where governments are charged to provide "a secure, secular and democratic environment" for the people. Well, let's try to name some big countries that fit that idealistic description to the letter in practice, as well as in theory. It won't be easy. So, the model applies in a theoretical ideal case and I agree that in such a case the implications can be extremely dangerous.

The danger comes from simultaneously taking down all three components of the trinity with a parallel cyber campaign, which, as we have just reviewed, is entirely dependent on the assumption that the country is wired beyond the point of safe return. He concedes that in most recent cyber conflicts this parallelism has not taken place and we have seen much more limited campaigns.

He then proceeds with a five step plan for a strategic cyber campaign: "Shape, Deter, Seize initiative, Dominate and Exit". This is a nice and clean model for describing a (cyber) conflict, but I disagree with some of his conclusions.

In discussing the deter stage, he touches on the concept of countervailing, or "making known to the potential adversary that the implication of a nuclear strike would be far greater than the potential gains an adversary can achieve by initiating the first strike." He mentions that the recent cyber attacks against Estonia, Georgia, UK, France etc. may be an example of cyber counterveiling. I do not see it that way, as a key point of countervailing relies on letting the enemy know your capability - and no state has taken responsibility for the attacks listed. Furthermore, the cases he cites are not traditional military conflicts (with the possible exception of the Georgia attacks), but merely harassment or espionage, which do not demonstrate the potential destructive capability of a state. They do serve as reminders that networks are vulnerable, however.

He does make a good point that in order to deter an attack you need a "Cyber Triad capability", which consists of

"Regular defence/military assets and networks, [...] isolated conglomerate of air-gapped networks situated across the friendly nations as part of cooperative defence, which can be initiated as credible second strike option; and [...] a loosely connected network of cyber militia involving patriotic hackers, commercial white hats and private contractors which can be initiated after the initial strike or in case of early warning of a potential strike."

He proceeds by demonstrating that the concept of defense in layers and the Law of Armed Conflict (LoAC) do not work in a strategic cyber campaign. I do not understand his point that a system built on the concept of defense in layers (defence-in-depth) is "as strong as its weakest link." To me, defense in layers means exactly the opposite - you can take out any single node and the system remains secure due to the other layers.

His other argument is that LoAC does not cover strategic cyber warfare. Granted, there have been no successful applications of LoAC to strategic cyber warfare yet, but that is because we have not yet seen a strategic cyber warfare campaign in the armed conflict sense. As mentioned above, we have plenty of hactivism, espionage and other examples that fall outside the LoAC framework, but no state-on-state wars where cyber has played a significant role. Therefore, it is premature to throw LoAC out of the window as it is today. However, I agree that it needs updating to meet modern scenarios and the CCD COE is among the experts that work toward this goal (some discussions on this took place at the Cyber Conflict Law and Policy Conference).

He finishes by arguing that Mutually Assured Destruction (MAD) doctrine is the best way to keep states from engaging in strategic cyber warfare. I would argue that MAD simply does not work well in cyberspace, as

attribution of the cyber attack may be impossible,
in case attribution can be achieved, there is a question of false-flag operations,
in case a second strike is launched, there will be ample collateral damage to third states, which can escalate the conflict further,
the cyber triad is never ideal and many (most) countries in the world today are almost invulnerable to strategic cyber warfare, because they have little or no reliance on cyberspace,
in case a strategic cyber campaign succeeds against a modern military power, they can always retaliate with weapons of mass destruction (missile silos should be air-gapped from the rest of cyberspace, at least I would hope so).

Overall, the paper has a lot of provocative thoughts and arguments and I enjoyed reading it (what would be the point of reading things that do not raise a single question or counterargument). I have not covered some of his points that I agree with and, as always, I recommend reading the full paper. We met briefly at the Conference in June and discussed some of the points above, and in the end agreed to disagree on some of them. I wish him luck in his research, as he definitely rocks the boat.

CFP: Conference on Cyber Conflict

2009-11-04T12:44:00.000+02:00

The Call for Papers is out for the CCD COE Conference on Cyber Conflict. The event will take place in Tallinn from 16-18 June 2010 and it combines the two conferences that the Centre organized in 2009 (You can read summaries here and here). There will be a separate training day on June 15th.

Bruce Schneier will give the keynote address and judging from the experience of the this year's events we expect many other interesting talks and papers as well.

The conference is split into three tracks: Technical, Concepts and Strategy, and Legal and Policy. Paper submissions are welcome to all tracks. Note that the deadline for abstract submission is a mere four weeks away!

Key dates
Abstract due: 30 November
Paper due: 01 March 2010
Conference: 16-18 June 2010

Centralized vs de-centralized cyber campaigns

2009-10-28T11:47:00.003+02:00

The previous post got me thinking about some of the key tenets of the Chinese approach: the cyber campaign must be centrally controlled, executed by organic forces and have a tightly focused target.

Obviously, this centralized approach provides good command and control opportunities. It also limits collateral damage and I guess, most important of all, eliminates possible interference from volunteer actions (such as someone taking control of one of the key entry points to the enemy network and shutting you out). Historical examples also seem to show that volunteers are more likely to engage visible targets (web sites etc) that have little or no tactical value.

On the other hand, NOT using the volunteers (the de-centralized approach) denies you the use of a potential resource. Odds are that if a country has a developed patriotic hacking community, they will take part in the conflict one way or the other, so you might as well try to guide them to be useful.

The second argument for using volunteers is psychological. It displays public support to your campaign, potentially reinforcing the mindset in other sectors of the society. It also brings in small but visible IW victories, as press covers the "citizen campaign" against the opposing side.

The third argument would be the Fog of War. The patriotic hacking community can provide the smoke screen necessary to execute the important strikes against key nodes. Remember, if the plan is to concentrate your attacks in time and (network) space, they will become immediately visible. However, if you have attacks of various severity levels happening all the time the enemy may not recognize the significance of the critical attack until it is too late.

The fourth argument is that patriotic hackers can "prep the battlefield" before the hostilities commence, provide retaliatory attacks after the hostilities, target third parties and civilian or commercial targets while the state can deny any involvement. This supposes that there is an established patriotic hacker community in place, so the world does not necessarily consider there to be a direct link to the specific conflict.

Finally, political attacks by civilians as part of a larger conflict have no clear regulation and few legal precedents. If the host country is not willing to cooperate with the criminal investigation (not likely in a time of war) the attackers will remain anonymous and protected, while the state still has "formal" deniability.

However, as I have noted before, there is a price for accepting patriotic hacking in a state. Most pressing are the long term rise in cyber crime and the potential that they act against the state. On the other hand, if the decision has been made or if there is already a well-established community in place, one should consider the possible uses of this force. Because whether you plan for (with) them or not, they will participate in the fight.

Cyber Report on China

2009-10-26T12:42:00.007+02:00

I got a tip to a new report on Chinese cyber capabilities [pdf] by Northrop Grumman. The report aims to provide "a comprehensive open source assessment of China’s capability to conduct computer network operations (CNO) both during peacetime and periods of conflict."

They start off with an overview of the strategic developments in China. Even though there is no official CNO strategy, the PLA is in fact preparing to fight the cyber battle. I found it interesting that they consider domination in cyber space a prerequisite for air and naval domination. This is a clear indication of its importance in the Chinese thinking. It also explains why the EW/IW/CW issue is seen as the forcing agent behind the "informationization" of the PLA.

Chinese writings identify enemy C4ISR and logistics systems as the primary targets in a military conflict and also point out that IW will fire the opening "shots" in a war. However, there is also indication that IW and conventional techniques can and should be used together for maximum effect. I think this is very important, because I have often seen the mindset that IW is something separate from "real" warfighting. Then again, the Chinese have thousands of years of experience to draw upon, so it is not surprising that they see the value of combining the two.

They also point out that China is very active in developing counter-space weapons (EW, CW, kinetic, directed energy, EMP etc.) in order to fight a potentially tech-heavy oriented opponent such as the US.

Another interesting aspect is targeting. Instead of trying to blanket the battlefield, the Chinese writings suggest taking out key nodes in order to provide opportunities for other forces to exploit the resulting confusion in a specific point in the battlefield. I believe this refers more towards EW and kinetic than cyber, as tactical use of cyber attacks would probably be difficult to implement.

It seems that the PLA is actively training to fight in conditions where CW/IW is a common part of the battle field, including special training centers and a designated Blue Force (OPFOR) regiment. In addition, several universities seem to engage in offensive CW research and education.

There is an interesting note about using EW/CW pre-emptively to deter an enemy or to limit the size of the conflict without much bloodshed. In fact, they seem to consider CW a deterrent second only to nuclear at the strategic level. I like the comment that CW is the PLAs longest range weapon.

Another key point that I agree with is that CNO is useful for damaging/degrading systems, but also for deploying PSYOPS/deception against enemy personnel, enemy supporters and the public in general. I have met some people who consider PR the one and only element of IW and I just disagree. With so many options available under IW, it would be irresponsible to overly limit yourself to use only one.

There is an excellent section about how the Chinese might use CNO against the US (military) in a conflict scenarion. I agree wholeheartedly that the logistics and C2 systems at the theater or higher level would be sensible targets to buy time for the PLA and to cause confusion among US forces. However, as I have noted before, the discussion here is limited to purely military targets (like in the US discussion), but in a total war the commercial sector may be the more important strategic target.

The following section gives a broad overview of what is publicly known about the Chinese CW structure. Of particular interest for me are the PLA IW militia units, which seem to be drafted from commercial and academic entities to supplement PLAs integral capabilities. The idea of using telcos and universities (for example) to create sub-units for the militia is perhaps not intuitive for the westerners, but it does make sense. You have people with the right skills, established relationships and access to networks and systems - all they need is a mission.

The second interesting bit is that some militia sub-units seem to focus purely on R&D. In order to understand the significance, consider if infantry (militia) battalion is likely to have a dedicated infantry tactics research and development platoon. This highlights the difference between the information warriors and the traditional fighters. The report also mentions discussions about setting a different standard (age limit, physical condition) for the cyber warrior, something that was also debated here.

Moving on to the independent Chinese (patriotic) hacker community, the report claims that around 2002-2004 the state reversed its previously favorable stance towards patriotic hactivism and as a result the movement has died down. This was not the notion I got in Stockholm in May, where Dr Xu Wu from Arizona State University talked about Chinese cyber nationalism. According to him, the patriotic hacker community is alive and well, albeit somewhat underground. He also claimed that the state was having difficulties deciding what to do with this resource, as it is difficult to control - something that I also predicted in my paper about volunteer cyber attackers. Dr Wu compared it to a double-edged sword, which can cut both ways. It is possible, however, that this discrepancy does not exist and the official cyber militias have incorporated a significant part of the patriotic hacker community.

The report then provides a couple of examples of recent attacks probably originating from China. There are also various examples of relations between the state and the hacker community, including state recruitment in the hacker forums. One of the more interesting examples is how a java language user group transformed into a patriotic hacker group over the EP-3 incident. This is an excellent illustration of how "cyber tribes" can very quickly develop into cyber militias.

In the following section, cyber espionage is investigated from the US perspective. The report points out that potential Chinese espionage efforts are a great concern for the US counter-intelligence community, especially in the light of the reactive cyber defense paradigms in place. They claim that there is a strong case for state-sponsored attacks, although it is often difficult to fully attribute the attack to a state.

The report includes a nice explanation of a targeted attack via e-mail to get access to the organization's systems. However, they include an even more interesting case study of a large data heist in a US firm. It provides a simple description of the time line and activities uncovered by the forensic team.

The report concludes with a comprehensive list of China-related cyber events between 1999 and 2009.

Overall, the report is easy to read and low-tech. It covers many interesting aspects of the Chinese cyber issues. However, since this is a public and open-source report, it does not go into too much detail and it may inadvertently include some deception information. All-in-all, I enjoyed it and it provided me with a lot of things to think about. It also confirms some of my own theories and thoughts.

As always, read the report for full detail.

Review: Analogies and Cyber Security

2009-10-22T15:42:00.003+03:00

Here is a short review of the paper "What Analogies Can Tell Us About the Future of Cyber Security" by David Sulek and Ned Moran, published in the proceedings of the CCD COE Cyber Warfare Conference.

In the paper they explore the potential dangers that come with using colorful analogies like cyber Pearl Harbor, cyber Katrina, cyber 9/11 etc. In order to deal with these dangers they propose to start with developing a detailed issue history. A well written issue history helps determine which analogies apply. They give a short example in the form of the cyber issue history that, among other things, lists what is known, what is unclear and what is presumed about the topic.

They then provide a framework for exploring cyber analogies. It consists of two dimensions: one axis representing inspiration (hope and possibility) vs desperation (fear and danger) and the other systemic (evolution) vs disruptive (revolution). They give some examples for each: invention of the telegraph was an inspiring event, as it created new possibilities to communicate. On the other hand, the Y2K bug represented a potential danger to the computer systems. World War I was a linear, systemic result of military build-up, whereas 9/11 was a disruptive, revolutionary event. I think the first pair of examples is a good fit, but I am not so sure about the second. One could argue that there is an evolutionary line of developments that lead to both tragedies, we just haven't taken the time to really reflect on the reasons for, the facts of and the aftershocks of the 9/11 attacks. But I digress.

They spend the rest of the paper analyzing four cases from each quadrant of the model as a potential fit for cyber security. The four cases are the Strategic Defence Initiative (inspiration, evolution), the Cold War (desperation, evolution), the [US] National Highway System (inspiration, revolution) and finally, Pearl Harbor (desperation, revolution). Each case reveals interesting overlaps with cyber. However, each also has its discrepancies, so no clear match emerges.

They sum up their analysis in four points:

There is no single analogy that works for cyber.
Cases that balance inspiration and desperation leave the strongest impression on history.
Many analogies used today are at the extreme ends of the model.
It is important to build a good timeline for an issue, in order to understand the reasons for events.

Overall, it is a nice read and an interesting analysis of the four cases. I may not agree with the interpretation of historical events, but then again, the model is meant to be an abstract tool to describe analogies. As such, there will always be opportunities to interpret events in different ways.

The main point for me is to review the cyber analogies that I have used in the past. The analysis of the four cases has given me some food for thought and hopefully, next time I blurt out with something, I remember to also offer caveats.

As always, the paper itself is much more detailed and I recommend reading it in full.

CWCON '09 proceedings available

2009-10-19T15:55:00.005+03:00

Yep, they are finally here. The proceedings of the CCD COE Conference on Cyber Warfare, which took place in June, have now been published with the help of IOS Press. Titled "The Virtual Battlefield: Perspectives on Cyber Warfare" it appears as book three in the Cryptology and Information Security Series, and is edited by Christian Czosseck and Kenneth Geers of the Centre.

It's 300 pages contain 21 peer-reviewed papers presented at the conference. In the coming weeks I hope to follow through on my promise and write reviews for the ones that are of most interest for me.

On the same note, the call for papers for the next year's conference is due out shortly, so start warming up your paper ideas.

CFP: ECIW 2010

2009-10-16T18:02:00.003+03:00

The call for papers is out for the 9th European Conference on Information Warfare and Security. The event takes place on 1-2 July 2010 in Thessaloniki, Greece.

I have been to the conference three times now and I can recommend it for it's relaxed atmosphere, interesting sights, and obviously - some interesting papers and talks.

This year I am hosting a mini-track on Cyber Conflict, so please feel free to submit papers for that track. I would be glad to hear your thoughts on conflicts in cyberspace, among other things.

Key dates:

Abstract submission deadline:	10 December 2009
Notification of abstract acceptance:	17 December 2009
Full paper due for review:	28 January 2010
Notification of paper (acceptance with any requested changes)	8 April 2010
Earlybird registration closes	22 May 2010

Botnets and Proactive System Defense

2009-10-12T12:15:00.004+03:00

I finally took the time to sit down again and read an article with the provocative title "Botnets and Proactive System Defense" (2008, Springer Link) by John Bambenek and Agnes Klus. From the title I assumed it would be about using botnets as weapons for a proactive defense strategy, but I was mistaken.

Instead, they start off with a nice survey on how commerce has moved to the web and why the old security measures no longer protect the consumers. They touch upon the problems with making transactions with credit card and social security numbers (basically, single factor authentication), as well as several other computer security issues like the reactive patch cycle. Next they review the growth and development of malware, using the Shadowserver graphs to illustrate their point. All this is not new, but it does a good job of surveying the problem.

Getting to more interesting bits, they propose that an ideal botnet strives to maximise six key properties: "high capacity, low overhead, fast responding, flexible, anonymifying [anonymizing?] and quiet." They show how IRC meets these requirements and point out that other technologies, such as RSS, will replace the IRC bot as more and more network administrators grow suspicious of IRC traffic.

For proactive defense, they consider offering the consumer free security software and encrypting their sensitive traffic. Another proposal is to switch from "allow all" to "deny all" or "deny most" principle in terms of antivirus software default settings for running programs. They assume that signing software would solve this problem, as

"There are a finite number of reputable software vendors and applications out there and far more disreputable software vendors and applications."

Not sure I agree with what this claim implies. You cannot have a complete list of "good guys" that will keep you safe from malware. If that were true, we could also say that there are a finite number of reputable ISP-s, so we can just drop all packets that come from the jungle. Unfortunately, this is not true in either case. Reputable businesses have engaged in malicious activity (Sony rootkit, for example) and a lot of cyber attacks come from the networks of reputable ISP's (by default, a potential malware victim would sign a contract with a "reputable" ISP to get access to the net).

One more proposal for making the defense more proactive is to enable remote security validation on computers. While this may sound good in theory and there are even ways of doing this, I do not see it passed into law or practice due to privacy concerns.

Finally, they point out that the great debate over the need for a national ID in US may be moot, as the social security number already acts as one, and a poor one at that.

They conclude by reiterating that the main strategy against botnets is to make them economically nonviable for the criminals. While a nice overview and an easy read, I did not find much new in the paper, however. What I did find is an interesting example of how parts of the US sometimes seem to lag behind in adopting technology:

"Banks already are starting ... requiring one-time passwords with keyring tokens or other devices so that even if an attacker gets the one-time password, they cannot compromise the account."

In many parts of the world, one-time passwords and passcode generators have been the norm for on-line banking for years. In Estonia, for example, the lowest level authentication still in use by the general banking sector uses a set of 20-30 randomly repeating passcodes. This is not safe, sure, and that is why the clients using this method have a ~300 USD daily transaction limit (the system itself is being phased out). If you want more, you need either a passcode generator or the national ID card with valid certificates. In both cases, you need to know something (pin) and have something in order to carry out your transaction.

"Where Computer Security Meets National Security"

2009-09-29T15:03:00.008+03:00

I read an interesting article by Helen Nissenbaum, on "Where Computer Security Meets National Security" (2005) [pdf, Springer link] .

She starts with a good point that the "traditional" computer security, developed in the technical community and focused on the protection of a computer (system) is difficult to port into national security terms, where damage to life, economy, morale and reputation is the core worry. She argues that the "technical computer security" focuses primarily on ensuring confidentiality, integrity and availability, even though there is a push to extend this to ensuring overall "trustworthiness" of a computer system (including resilience etc.).

She calls the competing national security conception cyber security (a term that has grown more popular since then). According to her, cyber security is most concerned with three problems:

using computer networks "as a medium or staging ground for antisocial, disruptive, or dangerous organizations and communications." In other words, propaganda, phishing and a host of other soft threats;
using computer networks to attack the critical societal (information) infrastructure, or the hard threats; and
using computer networks against computer networks. I may misunderstand her reasoning, but I think computer networks in the larger sense (Internet infrastructure, SCADA systems, public services on the internet) are also part of the critical information infrastructure, and I would combine the last two categories into one.

I found it interesting that she illustrates how computer security can be used in various moral (protect users from harm) and immoral ways (protect the interests of the company, while limiting the usefulness of the product to the end user).

She then reviews the concept of "securitization" by the Copenhagen School. Essentially, it means that unlike "realist" methods, there are more threats than just military aggression and there are more targets as well (state + religion, economy, environment etc.). Furthermore, securitization is a process of making something into a security issue (especially in the eyes of the public). In her words: "In general, to securitize an activity or state-of affairs is to present it as an urgent, imminent, extensive, and existential threat to a significant collective."
[Note: An interesting concept and something to be studied later.]

The next chapter shows some steps how cyber security has been securitized, including a funny interlude about how the music and film industry is trying to securitize the P2P threat against their obsolete business model. She also covers some examples of cyber space shown as a potential battle space and it's asymmetric nature.

Getting to the meat of the issue, she compares the two approaches:

Computer security recognizes a broad range of the degree and type of harm, while the cyber security assumes that the threats are dire or existential.
Computer security focuses on protecting the "individual nodes" (people, computers), while cyber security looks at "collective security."
Computer security rests on the moral foundation of protecting from harm, while the moral aspects of cyber security can vary depending on the securitization process.

An important question she brings up is when is securitization warranted? When is a threat dire enough to become a national security issue that is handled in secrecy, and potentially in ways not common to a democratic state? She argues that there is lack of reliable data on the size of the threat from the computer security perspective, as research is focused on (potential) vulnerabilities, while reporting of actual incidents is hap-hazard at best. She also touches on the issue that the same attack can be viewed in many different contexts (criminal, national defence, activism etc.).

She concludes that in the end, the "technical computer security" approach might be better, as it provides security at the user level and thus still allows us to use the net for the core purpose of sharing information and ideas. The highly securitized state controlled approach, on the other hand, raises questions about privacy, freedom of speech etc.

To sum up, a very interesting article with much food for thought. I found several interesting insights here and I am sure that more will pop up later. If anything caught your eye, I recommend reading the article in full, as there are many details that I did not cover.

Article in Akadeemia

2009-09-17T16:20:00.004+03:00

One of my articles (Conflicts in the information age - cyber attacks and the citizen society) was published in the Estonian academic journal called Akadeemia (2009, nr 9, Special Edition on War and Peace) a few days ago.

In the article, I revisit the own forces/hired guns/volunteers categories and focus on the latter. I try to explain some interesting aspects of using volunteers, such as the parallel rise in crime and the need to "exercise" the volunteers regularly. I also try to look at why ordinary people from the street may become belligerents in cyber space, specifically addressing radicalization through Internet and formulation of cyber tribes. I end the article with a positive note, that volunteers can be harnessed for good, as well as evil. Consider, for example, defensive volunteer organizations, such as the WARP network in UK. In addition, I touch upon the personal responsibility of today's netizens - we all have a part to play in developing a safer cyber society.

Cyber Conflict Law and Policy Conference

2009-09-14T15:45:00.001+03:00

As mentioned earlier, I attended the Cyber Conflict Law and Policy Conference in Tallinn last week. The event was organized by the CCD COE and took place in Swissotel from 9-11 September. About 150 attendees from about two dozen countries discussed issues like the applicability of the Law of Armed Conflict, legal frameworks etc. I will try to briefly summarize by sessions.

Setting the Stage

The conference opened with a keynote speech by the President of Estonia, Mr Toomas Hendrik Ilves. He stressed the need to adapt the defense thinking (including legal frameworks) to the changes in technology. He illustrated the point with medieval defensive structures in Tallinn, which were useless in fending off air raids during WWII. He also talked about the need for collective cyber defence. An important idea was that in NATO, as far as cyber defence is concerned, we should focus more on Article 4 (consultation among nations) today, so that if and when Article 5 (collective self-defence) is ever needed, there is already some consensus.

Next speaker was MG Glynne Hines, Director of NATO HQ C3 Staff. He pointed out the need for consistent legal advice and the usefulness of embedding lawyers in a cyber defence organization. He alsp briefly touched upon some changes in NATO that were initiated by the lessons learned from the 2007 cyber attacks against Estonia: adoption of NATO cyber defence policy and concept, accelerated development of NCIRC and the NATO cyber defence exercise.

Ms Eneken Tikk of the CCD COE, the content organizer for the conference, introduced a draft Framework for International Cyber Security (FICS), which was developed in cooperation with George Mason University Center for Infrastructure Protection (GMU CIP). Basically, they are a collection of abstract models/slides that should be helpful in reaching a common understanding about the issue.

Country Reports on Cyber Security Strategy

Ms Heli Tiirmaa-Klaar from Estonian MoD gave a brief overview of the 2007 April-May events, as well as the pervasiveness of e-services in Estonia. She then proceeded to introduce the Estonian Cyber Security Strategy. Some more points from her talk: cyber attacks pose a new asymmetric threat against critical infrastructure and the development of cyber defence capabilities is very uneven across different states.

Dr Per Oscarson from the Swedish Civil Contingencies Agency gave an overview about his organisation and the Swedish approach to national cyber security. It seems the Swedes have at least in theory a model for planning cyber security, consisting of two main parts: the strategy (vision and strategic directions) and the action plan (explicit objectives and measures).

WCDR Adrian Frost from UK MoD proceeded by giving a quick overview of the British approach. Apparently, UK considers cyber as one of the five domains (air, land, sea, space and cyber), similar to some thoughts I have heard from USAF in recent years. He briefly introduced the UK Cyber Security Strategy (approved 23 June), which aims to secure UK advantage in cyberspace by reducing risk (public), exploiting opportunities (industry) and improving knowledge, capabilities and decision-making (international).

Autopsy of a Cyber Conflict

Professor Daniel Ryan from the US National Defense University gave an interesting talk about the lawyer's look at a cyber incident. Specifically, he addressed the issue that there are regular incidents (handled as per SOP or ignored) and then there are INCIDENTs that really matter. In the latter case, one needs to determine if it is an attack (or accident, technical failure etc.), who is behind the attack (attribution) and who can/should respond to the attack (law enforcement, intelligence, military, lawyers).

Next, Dr Bret Michael from the US Naval Postgraduate School addressed various cyber conflict issues from a more technical viewpoint. Among his points was the claim that cloud computing will change the way we work and will introduce new security challenges. An interesting thought was the martial arts analogy - in cyber defence we should not focus on rigid and forceful response (karate), but rely more on the flexibility and use of the opponent's strength (aikido).

Unfortunately I had to leave early that day and I didn't catch Mr Joe Weiss' (Industry Expert and Control Systems) talk on industrial control systems, but I heard that he gave an insightful presentation on the vulnerabilities associated with the systems that uphold modern society.

Cyber Security Institutionalized - Pieces of an Effective Defence Model

The second day started with Ms Eneken Tikk's talk on international organization's legal and policy approaches to cyber incidents. Sha listed the numerous laws, regulations and directives that various IOs have produced to deal with cyber security matters. To limit the scope, she briefly examined the documents that focus on data protection and concluded that while there are a lot of regulations in place, they tend to be stovepiped and there is not enough practice in using the breadth of tools available. She also discussed the different approaches that have been taken in various EU countries on data protection.

Ms Yurie Ito from ICANN, formerly of JP-CERT gave a presentation about recent developments in ICANN, with regard to security. Unfortunately she did not have enough time to delve deeper into her slides on Conficker, as I am sure her insight would have been valuable.

Ms Maeve Dion from GMU CIP addressed public-private partnerships and national input to international cyber security. She touched various points, including the many areas of law that deal with aspects of cyber, informal vs formal networks in cyber defence, developing strategy and risk analysis methodologies.

The day ended with three working groups that discussed FICS and cyber law/policy issues.

Enhanced FICS

The final day started with Professor Derek Jinks from US Naval War College. His talk was on the Law of Armed Conflict (LoAC) and the military perspective. He pointed out that LoAC is not there to minimize "war" as an official status of affairs, but to minimize organized violence. Another good point was that "armed" does not imply any physical properties or mechanics, but rather organized application of violence. He further explored the concept of armed attack, as it is often used in the definition of armed conflict. He noted that armed attack is subject to various conditions, such as severity (death or substantial destruction of property), status of the attacker (according to UN terms, attacker is state, but in practice it is often a non-state actor that may or may not have state sponsorship), status of the target (again, old rules dictate the state as target, whereas in practice, any entity that the state can claim sovereignty over, incl. citizens), necessity, proportionality, time-proximity etc. He also raised some interesting questions about new concepts like cyber occupation (displacing civil authority by means of cyber attacks). A very good talk indeed, even though he did not have enough time to go into all the details.

Next came Dr Thomas Ramsauer from German Ministry of Interior. His talk focused on the law enforcement perspective, but he also revisited some LoAC questions. He used a nice model of cyber conflicts, where you have the damage to target on one axis and organization of the attackers on the other. Then, as damage and level of organization increase, one progresses from cyber crime to cyber terrorism to cyber war. While I don't think it is that simple, it is a nice and visual way of presenting the idea. He also briefly touched the Schmitt test and the concept of attributing "private attacks" to a state actor. An interesting thought was that in order to limit collateral damage to civilians, commanders in future wars may be obliged to prefer cyber attacks over traditional means of warfare.

Mr Lauri Almann from Aare Raig Attorneys-at-Law (former undersecretary of defence of Estonia) gave a talk on national defence law from the government perspective. He focused on factors of decision making, which consisted of four one-dimensional axis': secret-public, fast-slow, international-national and professional-emotional. He proposed that in cyber conflicts, the first of all these pairs is the relevant (used) property. I am not sure I agree. Secrecy in international environments seems to exlude the fast property and often the professional property as well. He closed by noting that there is not much need to exercise the technical community (as they perform the cyber defence mission daily), but educate and train the legal and political community, who only get involved when things get hot [and potentially profitable - author's note].

Professor Lilian Edwards from University of Sheffield provided a brief glimpse into the information society law and the user perspective. She noted that laws should always set a balance between security and privacy. The problems appear when the balance varies from law to law and over different jurisdictions.

The conference ended by comments of the observers as well as summaries of the working group results. A couple of points that stuck were the slide on the spectrum of state-sponsorship by Jason Healey (US Cyber Conflict Studies Association) and the idea that some sort of International Cyber Tribunal may be needed [not sure how much success other international tribunals have had].

Finally, Mr John Bumgarner from the US Cyber Consequences Unit gave a short overview of their recent report on the lessons learned from the Georgia cyber attacks in 2008. Unfortunately, the report is not public, so his notes were fairly general and added little new insight to the events in Georgia. It's a shame, as he possesses a wealth of knowledge on the subject. I understand his position, but it is yet another example of classification issues diminishing the value of research.

Disclaimer: I hope I did not do injustice to anyone by misunderstanding or missing key issues in their talk.

Overall, the conference was a success and I am looking forward to the next one. I had the chance to talk to many interesting people on the sidelines and I also met some old friends. The cyber scene is very small indeed.

Blog launch

2009-09-09T15:22:00.003+03:00

In order to conserve my memory, I have decided to open my blog to the public today, on 09.09.09.

I hope this will result in good quality feedback and interesting new contacts, as well as facilitate discussion in the area of cyber conflicts.

Without further ramblings, here it is. I hope you enjoy it as much as I do.

Regaining strategic competence

2009-09-08T16:28:00.000+03:00

And now for something different...

I happened across a study about Regaining Strategic Competence [pdf] in the US [thanks to The Best Defense blog for the link]. It consists of four parts: discussing the deterioration of US strategic competence, defining strategy, illustrating the importance of good strategy and finally debating the common mistakes.

The strategy chapter brings out a good point that strategy is applicable to many pursuits, not just military. I also like their definition of strategy:

"Strategy is fundamentally about identifying or creating asymmetric advantages that can be exploited to help achieve one’s ultimate objectives despite resource and other constraints, most importantly the opposing efforts of adversaries or competitors and the inherent unpredictability of strategic outcomes."

The only problem I see in it is that it does not explicitly state that strategy is usually a 'grand' affair, with long term and/or wide spread effects, versus the tactical gains of here and now.

As far as historical analysis is concerned, I am not sure I agree with some of their facts (Soviet soldiers happy to die en masse for the Rodina) and conclusions. The argument that in 1942 Western Allies could have launched a cross-channel invasion into occupied France, that is - before Germans had been overextended in the East and before Allies had enough troops, weapons and supplies for a full campaign in Europe - seems a bit far fetched. I would guess that the Torch landings would have produced a very different outcome for the Allies, had they been directed at France, instead of North Africa.

The final chapter addresses many typical mistakes that lead to bad strategic decisions.

Upcoming Conference

2009-09-08T12:46:00.002+03:00

This week I will participate in the Cyber Conflict Legal and Policy Conference, in Tallinn. Organized by CCD COE, it aims to build some common ground in understanding the legal issues of cyber defence. More on the conference next week.

Paper on Cyber Society

2009-09-04T14:55:00.005+03:00

I co-authored a paper with Peeter Lorents and Raul Rikk that was published in the 13th International Conference on Human-Computer Interaction, San Diego, in July. You can also find the paper in LNCS 5623, pp. 180-186.

The paper is titled Cyber Society and Cooperative Cyber Defence. In it, we explore the concept of cyber society, which we define as "a society where computerized information transfer and information processing is (near) ubiquitous and where the normal functioning of this society is severely degraded or altogether impossible if the computerized systems no longer function correctly."

We then examine Estonia as an early form of a cyber society and illustrate it's potential vulnerabilities with the events of April-May 2007. We conclude the paper with the foundations behind the establishment of the Cooperative Cyber Defence Centre of Excellence.

This was my first co-authored paper and as such a new experience. One of the problems of having multiple authors is to write a consistent paper - something that could be improved in this case. However, I think it does convey the ideas that we wanted.

Asymmetry in Cyberspace

2009-09-02T17:25:00.001+03:00

The other day I started to ponder about what constitutes a fight in cyberspace. I find that it is fundamentally different from what could be termed conventional fighting (in a military sense) - tank engagements, infantry ambushes etc.

The issue is really about the asymmetry between attackers and defenders. A cyber attacker needs to find just one opening, while the defender needs to cover every conceivable (and inconceivable) weakness. This is a critical mismatch in terms of resources.

Another asymmetric aspect is the fact that in a "cyber battle", attackers rarely present a target themselves, because they are difficult to identify. Even if the attack can be attributed, there is little that can be done with a cyber retaliation. An attacker does not "own" critical technical infrastructure, which could be taken out. They just use the public communication infrastructure as a service provider and a "human shield".

In a potential two-way cyber engagement this works both ways. A practical example would be to use red teams to knock out critical infrastructure targets on the other side, while "ignoring" the attackers from the other side and relying on the quality of one's defence.

Blog reset

2009-08-25T15:13:00.004+03:00

I am back from my summer hiatus. As promised, I will continue to throw my ideas and thoughts in here.

I have often found it interesting how some people fear the offensive side of cyber. 'Defense only' is the politically correct way of putting things, even though it is pure nonsense. Skills and knowledge to be a good defender is largely dual-use.

Look at it this way. Imagine briefing a general: "Sir, our defensive infantry brigades have dug in around the city, we can now deploy our offensive infantry regiment to attack the enemy." True, some units are better equipped and trained for offensive or defensive missions, but that does not mean that they lack the capability to do both.

Summer hiatus

2009-07-17T13:27:00.003+03:00

I am taking some time off over the next month or so, enjoying the summer weather and gathering new ideas for the coming year. Therefore, posting will probably be hectic at best. Regular posting will resume in late August.

PowerPoint them!

2009-07-16T14:15:00.001+03:00

There is an excellent essay at Don Vandergriff's blog about a horrible cyber weapon - the PowerPoint slide. In the essay T.X. Hammes analyzes how PowerPoint has weakened the [military] decision making process, as well as the ability to reason and write coherently. The main argument is that previously, staff had to provide a short, concise decision paper for the leader to read, think, discuss and decide, now the leader gets a barrage of information, very little time to think and discuss, and finally has to shoot a decision from the hip. However, he also makes a distinction that PP can serve as a very useful teaching tool.

I think the essay makes a valid point.

On definitions

2009-07-14T10:56:00.016+03:00

A big problem in the field of cyber is the lack of commonly agreed definitions. I think cyber war and cyber terrorism are the worst, each having numerous conflicting definitions. So, in order to clarify my own thoughts, here is my attempt to pin down the meaning of some popular phrases in the context of national security:

cyber attack - malicious use of information systems in order to influence the information, systems, processes, actions or decisions of the target without their consent,
cyber conflict - a confrontation between two or more parties, where at least one party uses cyber attacks against the other(s),
cyber war - a cyber conflict between state actors, where the critical information infrastructure is attacked,
cyber terrorism - a cyber conflict where one party is using cyber attacks to cause fear, physical damage, and/or death among the civilian population of the other party.

Note that information collection, an activity usually limited to espionage, intelligence gathering and crime, is not included in the cyber attack definition. [TO DO: better explanation of the concept]

I am sure these definitions will change as my understanding of the topic grows.

ECIW 09 in Lisbon

2009-07-09T14:41:00.006+03:00

I just got back from Lisbon and the 8th European Conference on Information Warfare and Security. This annual conference brings together 60-100 academics from across the world to present and discuss their research during the two-day event.

A paper that I wrote for the conference in the winter got published in the proceedings (see publications). The main idea of the paper is that there are three general ways to create an offensive capability in cyberspace:

establish a unit/agency for that mission ("conventional" own forces approach)
outsource the problem by hiring digital mercenaries, cyber criminals and the like
develop or hijack a volunteer force, or a cyber militia, to attack convenient targets with little or no attribution for the state.

In reality, a combination of two or three is potentially more powerful than any single approach.

While thinking about the last two approaches, I came to some interesting conclusions. First, if a government uses volunteers or mercenaries to conduct an "illegal", or at least unethical, campaign against its political enemies, then there will be a rise in (cyber) crime in the state. This happens because the government cannot alienate the "friendly" attackers by arresting them for non-political crimes (such as sending spam, stealing credit card information or DDoSing commercial sites for blackmail). This also explains why cyber criminals seem to flourish in some states that also seem to have an aggressive stance in cyberspace.

The second idea was that in case of volunteer forces, the government would have to "exercise" these forces once or twice a year, in order to keep them "on mission". A volunteer offensive cyber militia will likely disband for more interesting pursuits, if they are not called to arms for several years. This means that the state would have to provide a steady stream of external or internal "enemies" to keep the militia occupied.

A time for a Cyber Service of the Military?

2009-07-02T14:23:00.007+03:00

I stumbled on an article by COL Surdu and LTC Conti, which was published earlier this year in the IA Newsletter [Vol 12, No 1, 2009 - pdf]. In the article, they argue that US needs a new military service that would handle the cyber warfare mission.

Currently, each service already has small elements dispersed in the structure, but they are not coordinated, nor are they integrated into the bigger picture. I think they bring out a good point that the US military (in fact, other militaries as well) is not fit to fight a cyber war, as its leadership, processes and culture are fundamentally incapable to understand it.

The main problem is that the military does not place enough emphasis on technical expertise, or as they put it:

"Today’s militaries excel at their respective missions of fighting and winning in ground, sea, and air conflict; however, the core skills each institution values are intrinsically different from those skills required to engage in cyberwarfare.
...
To understand the culture clash evident in today’s existing militaries, it is useful to examine what these services hold dear—skills such as marksmanship, physical strength, and the ability to jump out of airplanes and lead combat units under enemy fire. Accolades are heaped upon those who excel in these areas. Unfortunately, these skills are irrelevant in cyberwarfare.
...
Consider the awards, decorations, badges, patches, tabs, and other accoutrements authorized for wear by each service. Absent is recognition for technical expertise. Echoes of this ethos are also found in disadvantaged assignments, promotions, school selection, and career progression for those who pursue cyberwarfare expertise, positions, and accomplishments."

I wholeheartedly agree with their arguments, having come to a similar conclusion some time ago. Their proposal to deal with this issue is to create a new service that would be on equal status with the kinetic services. However, I am not so convinced that a transition so profound can be made in one step. Perhaps it would be better to use the USAF model and first create cyber commands (historical Army Air Corps) within the services, then integrate them, and then, maybe, raise them into a new service.

They are right, however, that the root of the problem lies with the personnel management in the military. One could say that a techie should stay in the service, become the top dog and change it from within, but that discounts the fact that techies do not get promoted to top dog. In fact, there are precious little positions near the top that have anything to do with technology. Therefore, a techie must either be a multi-talent or forget his tech aspirations and plod up the traditional leadership/management track. Meanwhile, people who have a talent for tech positions will not be promoted and more than likely get rotated to (technologically) meaningless positions... or they get out. Therefore, any step that will accommodate the requirements and skills of the tech oriented service members while not undermining the traditional services, is a step in the right direction.

Blog open for comments

2009-06-30T11:33:00.003+03:00

Greetings!

If you read this then I was successful in opening the blog for a test run among friends and colleagues. It is currently open for invitees only, in order to tweak and fine tune it based on YOUR feedback. So please, let me know what you think by way of comments or e-mail.

At some point I plan on going public with this blog, so your feedback is very important.

EDIT: Unfortunately, Google does not allow for a personalized invitation message, so I fear the more security conscious addressees will never reach this message. Ironic, eh?

Evgeny Morozov on Cyber Myths

2009-06-26T12:49:00.008+03:00

Evgeny Morozov of the Open Society Institute has an interesting essay in the Boston Review about myths in cyberspace. Specifically, he addresses the scaremongering and vague threat information that is used to get access to funding, fame or power.

He points out many official statements that exaggerate the threat from cyber terrorism and cyber war and asks the question: is there any evidence to back up these claims? No, at least not in the public realm. He also makes a point that the threat from the net information is produced by intelligence/defence organizations and information security companies that benefit from the increased funding. I think he is right in the sense that there are very few facts available, so we are left with hypotheses and conjecture. Honestly, I am partly to blame, as I have presented similar worst case scenarios in numerous conferences, in order to raise awareness of the topic.

He also touches the foggy quagmire that is the international legal definition of cyber warfare and what, if anything can and should be done if one breaks out. I think we will not have a clear answer on this in the near future, but at least the topic is also addressed by professionals.

In terms of how useful cyber attacks are for the military, Morozov refers the opinion that superpowers do not need cyber power, as they have more conventional means to crush the enemy. While that may be true, the question of attribution once again comes up - who will the superpower nuke, if they cannot identify the source of the cyber attack?

On the other hand, his conclusion that we should focus more on the threats from cyber crime and cyber-espionage is correct. However, it is not correct because cyber war is improbable, but because the tools used in cyber war will be very similar to the ones used in crime and espionage. The same piece of malware can be used to steal your personal data, collect intelligence on your organization or to disrupt your networks in preparation for a war. Thus, better defense against crimeware will also mean better defense in war.

A comment on Estonia

Unfortunately, Morozov uses unclear wording that may suggest that Estonia was off-line for nearly a month in 2007. It would be more correct to say that Estonia was under attack for about three weeks in 2007, but only a few critical on-line services (like banks) were affected for clients inside Estonia. One of the options, a white-list based "island Estonia" defence meant that the vast majority of the attacks could be easily blocked while maintaining service to the vast majority of the clients. As a result, clients of the two biggest banks in Estonia saw only a 45-90 minute interruption of service at the start of the attacks and that only affected the web interface of the banks. What is worrying, however, that these were critical "civilian" targets in a political conflict.

Sure, non-critical services (public government websites and news sites, for example) did suffer longer service outages due to cyber attacks (mostly simple DDoS), but in my opinion this was not a big issue for the state as a whole. The biggest effect would be potential information blockade, as local news sites or press sites are off-line, but that can easily be remedied by using other means of communication to push the message out (remember, e-mail works, phones work, faxes work, radio and TV are still on air, and even the postman makes his rounds). I personally had no problems communicating with friends and colleagues abroad throughout the period.

Cyber attacks in Estonia, 2007

2009-06-25T15:30:00.010+03:00

My first academic paper was published last year in the Proceedings of the 7th European Conference on Information Warfare and Security, Plymouth. An annual event, this conference brings together people with very different perspectives on information warfare, from psychological to cyber.

My paper was titled Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective (see Publications for more information). In the paper, I analyze the Estonian case by posing three hypotheses and then arguing for and against each of them to find if any of them are plausible.

The first hypothesis is that the event was a Russian information operation, the second is that the event was a false flag operation to discredit Russia, and the last one is that it was a spontaneous grass roots response to Estonian government policy.

The false flag hypothesis is not plausible, considering the amount of circumstantial evidence against Russia (and only Russia) while the Russian government made no effort to stop the attacks or expose the attackers.

A true grass roots movement is also not plausible, as at the very least, passive government support (Russian authorities refusing legal cooperation) seems evident.
NOTE: Interestingly enough, a member of the Russian parliament later claimed that one of his aides was actively involved in the cyber campaign. This fact (?) emerged after publishing, so it is not included in the analysis.

That leaves us with the state information operation scenario. Specifically, it matches a Chinese concept of People's War, where people fight with their own resources and organization, for the interests of the state. That explains hostile rhetoric by politicians, the relatively high number of people involved, as well as lack of interest by the state to identify the attackers.

Unfortunately, the analysis can not attribute the attacks to any specific person, organization, or state. Instead, I find that of the three hypotheses considered, only the information operation scenario was plausible.

In hindsight, I do not consider it a very good paper, as it provides no definitive answer and devotes more detailed analysis to one of the hypotheses. In addition, I had just started my research on the topic, so my understanding of concepts like cyber militias and People's War was still very tentative. On the other hand, even though I notice many things I would write differently today, the conclusion would still remain the same.

Origins of my research interests

2009-06-25T13:14:00.003+03:00

In the spring of 2007 I was just finishing my Master's in TUT when the cyber attacks against Estonia started. Since then I have tried to understand these attacks in particular and political large scale cyber attacks in general as part of my PhD studies.

I have found that the Internet, while being the great information equalizer for the common man, is also a convenient information weapon for the common man. In case of recent conflicts we hear with increasing frequency about their prelude, reflection, and aftermath in cyberspace. More likely than not, these attacks are not committed by state run organizations, but people who share or oppose the view of at least one side of the conflict.

While state sponsored attacks undoubtedly exist, I believe they currently keep a much lower profile and are usually in the role of intelligence/counter intelligence operations. There is little or no credible information on state sponsored attacks to harm or disrupt the opponent's systems, even though many nations are actively building such capabilities. It should follow that the next time that two technologically advanced states fight a full conventional war (not a border skirmish), cyber attacks will be used. Until then, however, we can merely speculate and simulate.

Therefore, even though I am also interested in state level cyber conflicts, I mainly focus my research on sub-state actors, as they are more visible and relevant in today's conflicts. I am interested in how they recruit, organize, and fight, as well as what potential effect they can have on their targets.

CWCON 2009 in Tallinn

2009-06-21T16:34:00.008+03:00

This week I attended the first Cyber Warfare Conference in Tallinn, organized by the CCD COE. In fact, I was the moderator for the Strategy track, which included many interesting talks on the emerging field of cyber conflicts. CWCON provides an academic publication opportunity for the scientists, but it also includes presentations by the professional community.

Mikko Hypponen from F-Secure gave a nice overview of the evolution of malware in his keynote speech, while Nart Villeneuve from the Information Warfare Monitor talked about their findings about GhostNet.

Other interesting presentations included Amit Sharma on Strategic Cyber Warfare, Ned Moran on analogies and cyberspace, Cyrus Farivar on the media coverage of cyber events, and Maj Julian Charvat on terrorist use of cyberspace.

I plan on providing a more detailed overview of some of the papers within the next few weeks.

EDIT: The proceedings took longer than expected to print, but I have finally received a copy and have started with the reviews (first ones here and here).

Why blog?

2009-06-20T15:19:00.002+03:00

The purpose of my blogging effort is primarily to help me in my research. It is sometimes difficult to keep track of all the interesting articles, books, meetings, presentations and conferences, let alone random ideas that emerge out of nowhere. A blog will hopefully be a valuable tool in organizing my own thoughts, as well as for getting valuable feedback from others.

Here goes...