Cyber communities

I happened on an interesting site (wish I had found it sooner) that also deals with cyber warfare research. Near the top of the blog pile is an interesting series of posts, which looks at the various Cyber Warfare communities that have a stake in the issue:

• The military community
• The intelligence community
• The corporate community
• The academic community
  

Although there are a lot of good points in there, let me just reiterate one - there are not many publication opportunities for cyber warfare researchers. Sure, you can hook your topic to information security, information operations, or any number of other topics, but still - very few dedicated venues like the upcoming Conference on Cyber Conflict.

I'll now turn back to the Selil blog, to see what else I can find. See you all next year!

Milblogging, ad-hoc cyber militia and science

I read an paper by Sean Lawson, about the debate and conflict [pdf] between the US Army and the Milblogging community (servicemembers who blog about their experience in the military, including combat reports).

While the article focuses on the blogging servicemen, we should also make a note that the same tool is available to everyone. This spontaneous "online, volunteer public affairs or information operations corps" would be a perfect rallying tool for an ad-hoc cyber militia. Consider, that there are numerous blogs on controversial issues (including pro and contra sides for each), which typically have a steady readership, even if it is small. All it takes is for the blogger to post a rally cry (and some instructions) and an ad-hoc cyber militia is formed and ready for action.

Members of such a group are pre(self)selected and have strong feelings about the issue. Therefore, they probably need very little persuasion to join up.

If you have the time and the interest, there is also a link to his Doctoral Dissertation on his web site. It gives a good overview of the development of the science of war, explaining the heritage of terms such as OODA loop and netcentric warfare, as well as providing an overview of the relation between US military and the scientific community. Interesting to read. Nearly 400 pages, however, so be warned.

Russia and Cyber Attacks

A colleague pointed me to an article in the Baltic Security and Defence Review, an annual publication of the Baltic Defence College (international staff college for military officers at OF3-OF5 ranks). MAJ William Ashmore (US Army) writes an overview of recent cyber conflicts with Russia, titled "Impact of Alleged Russian Cyber Attacks" [pdf].

While the article covers a lot of ground it seems that he is not a subject matter expert in cyber conflicts. The quality of the references is relatively weak (mostly public news media) and there are a few simple errors. On the other hand, he has done a fairly broad background check for the legal/doctrinal work done at OSCE, UN etc.

He provides an overview of events in Estonia 2007 and Georgia 2008 among others, and a summary of NATO's activities in setting up cyber defence. He spends some time on Herman Simm's case (highly placed spy for Russians in Estonian MoD, caught 2008), although to me his arguments there seem a bit weak.

He reviews the national and international responses/comments to the Russian cyber campaigns, including potential attribution. There is also a fairly interesting chapter about future trends in Russian cyber activities (including Dr Panarin's recommendations). I think he may be onto something when he says that in Russia, cyber is mostly seen as an offensive capability.

With the US primarily focused on the Chinese cyber threat, the Russian (and other) cyber studies remain in the background. Therefore, it is a refreshing piece of reading, regardless of some issues with depth or quality. As always, read the article for full info.

Happy holidays!

McAfee's Virtual Criminology Report 2009

I set aside some time this week to read the McAfee Virtual Criminology Report 2009 [pdf]. It has a provocative sub-title "Virtually Here: The Age of Cyber Warfare" that caught my eye. So, what was useful in there for me?

As the foreword (by CEO of McAfee) already points out, politically motivated cyber attacks are on the rise and the term cyber crime is not fit to describe them well. The foreword also makes the important point that this report comes from a private sector perspective, unlike the usual government/military perspectives on cyber warfare. As it turns out later, however, it is more of a broad spectrum overview that doesn't really focus on any special sector or issue.

The report gives a short overview of the events in Estonia 2007, Georgia 2008 and US/South Korea 2009. The Georgian overview is based on the US Cyber Consequences Unit overview [pdf], which is the public high-level summary of a more detailed report.

Of more interest is the method for cyber attack attributes that is presented on pages 8-9. Experts will assign values to a cyber conflict in four categories to determine the severity of the event (no reference):

"Source: Was the attack carried out or supported by a nation-state?
Consequence: Did the attack cause harm?
Motivation: Was the attack politically motivated?
Sophistication: Did the attack require customized methods and/or complex planning?"

They have provided a table for assigning values and have applied the model on the three conflicts mentioned earlier, providing a bar graph. I have done similar work in my Master's studies. In retrospect, it is only of limited use, because the values are highly subjective and in the end - it does not prove anything.

The report also mentions many well known issues in cyber conflict, including:

• many nations are preparing for cyber war, but covertly
  
• criminals and politically motivated attackers use the same tools and techniques
• criminal groups may cooperate with governments
• financial and other critical information infrastructure is at high risk
• sharing threat information is good
  
• there is a need for a public debate about the use of cyber weapons
• the attribution problem and a nice intro to the cyber deterrence issue
• the need for updated legal measures
• cyber espionage
• etc.

On one hand, this report should bring little new information for the experts and researchers that focus on the issue. It uses little or no quality (written) references, but this issue is balanced out with the number of expert interviews and direct quotes. Therefore, I thought it was nice to read, but I found nothing really provocative in there.

On the other hand, however, I find that it does a very good job as an introduction to the whole cyber conflict issue for non-specialist readers. If you need to convince your boss or your grandmother that cyber conflicts should be studied - have them read this report.

Abstract on capabilities of novice cyber warriors

Below is an abstract paper idea that I am currently developing. The main idea is to look at the potential actions available for low level attackers - people who have no special training or experience with cyber attacks. The working title is "From pitch forks to laptops: volunteers in cyber conflicts". I would be grateful for any useful references on this topic.

Abstract:

The capability for organized violence in the international setting has normally been the domain of nation states. Cyberspace, however, provides an international arena where almost anyone has the power to attack any target at will. While most of these attacks have little effect, there is often little disincentive to using them, as attribution of cyber attacks and prosecution of attackers is still the exception, instead of the norm. Thus, the 21st century farmers with pitch forks or cyber militia become more than a local force and, if organized well enough, can mount an offensive cyber campaign that could damage the economy or social order of a nation state on the other side of the planet.

In order to test this claim, I will first consider the potential threat from the Internet users who are untrained in hacking techniques and who have very limited resources. In general, there are two types of activities that are open for such persons: supporting the cyber campaign by providing resources, cover and training (among other things) and launching cyber attacks as part of the cyber campaign. It is important to note that the support activities may be more significant than fighting in a People’s War type conflict.

I will proceed by considering the potential threat from advanced hackers or hacker organizations. While there have been many well publicized hactivism campaigns, there are few examples of serious cyber strikes that target critical systems. Therefore, most of this analysis is theoretical, drawing on past examples as appropriate.

In the end, national security planners must face this threat and develop a strategy to counter it. I include some proposals for dealing with the cyber militia problem and discuss the potential merits and pitfalls of farmers with laptops engaging in cyber campaigns both on their own as well as in the service of a state.

Warp speed, Mr Spock!

I realize that Spock is normally not at the helm, but there is method to my madness (I think). Spock is a science officer and therefore a better addressee in the case of academic publishing. The problem with the publishing process in science is that it is ... well ... light speed at best. And light is just way too slow if you want to explore the universe.

Consider this: if the Sun were to mysteriously explode with no warning, we would remain in blissful ignorance of the fact for roughly 8 minutes. So, something better is needed. In case of the Star Trek universe, the answer is Warp Drive, which allows for faster-than-light travel.

Similarly, the publishing process (write abstract, get it accepted, write full paper, get it reviewed, improve it, publish it) usually takes months, sometimes even years. This means that an idea can potentially die of old age before it is given birth (officially). Also, multiple people can work on the same idea and only discover on the eleventh hour that somebody has already beaten them to it (by 2 minutes and 42 seconds). Additionally, peer review is limited to one or two pairs of eyes, instead of the wider community. So, something better is needed.

I guess the best thing we have going for us is the Internet. Posting raw ideas in a blog like this, getting feedback and comments WHILE you develop a paper, not AFTER it is published could potentially be the warp drive that I'm looking for.

Oh, I am well aware that I am not the first one to gripe about this problem, nor is my solution original in any way. But it is something that I intend to try. So please, feel free to demolish my ideas in the comments section (or contact me directly via e-mail).

Shields up!

LinkedIn

I set up a LinkedIn account yesterday, since some of my friends and colleagues have asked for it. I am still looking for appropriate groups to join in there. Specifically, groups that could provide useful input to my research.

EDIT: if you have any suggestions, please write them in the comments below.

Review: Jose Nazario on Political DDoS Attacks

Time for another review. This time it is Jose Nazario's CWCON paper called "Politically Motivated Denial of Service Attacks." He is looking at DDoS as one of the more visible and popular cyber attack forms and is limiting his sample to the ones with a political motivation (vs the standard criminal motivation - money).

NOTE: The final published version of this paper was accepted after the conference so it includes some more recent examples.

His research is based on data from three sources: ATLAS project at Arbor Networks (basically, ATLAS collects data from sensors to provide an overview of the more visible cyber campaigns), infiltrated botnet C&C servers and border gateway protocol (BGP) routing data.

He starts out with a little overview of major political DDoS campaigns of the past, covering the following events:

• 2001 Hainan Island incident
• 2007 Estonia campaign
• 2008 China v CNN campaign
• 2008 Georgia campaign
• 2008 Burma
• 2007 elections in Russia
• 2008 Radio Free Europe campaign
• 2008 anti-NATO campaign in Ukraine
• 2009 MSK forum DDoS in Kazakhstan
• 2008 DDoS-censoring of Russian opposition websites
• 2009 Israel v Gaza/Hamas
• 2009 Kyrgyzstan - a false positive?
• 2008 Kommersant DDoS
• 2009 Kazakhstan opposition sites under DDoS
• 2009 South Korean/US campaign

It is noticeable how most of these events are known by the target only. In history, conflicts are usually named after both/all participants or at least the participants are known. In cyber conflicts, however, it seems to be the norm that the aggressor remains anonymous. Even if all the circumstantial evidence and opinions point against one entity, rarely is there enough proof to attribute the attack in court.

He continues to describe the attacker type that seem to be behind most of the attacks listed. In general, the attackers are "classic right-wing" supporters of the government and targeting internal or external opposition. He also writes about using propaganda to recruit supporters for a cyber campaign and then training them online - a basic ad-hoc cyber militia. What the militia cannot achieve with finesse and expertise, they make up in numbers (DDoS).

He points out that the classical goals for such attacks are to punish the target, or to show dissent, or to censor the target (especially true for attacks against news outlets and opposition parties). He brings examples of partial attribution: Nashi youth group in Russia, the Chinese Honker Union and StopGeorgia.ru. Note that in all these cases the attackers made the claim - nothing has been proven in court (as far as I know).

He reviews some broad responses to the cyber campaigns listed and finishes with recommendations:

• harness public support and international cooperation
  
• deploy available commercial tools
• be open to commercial offers to help
• develop a more efficient decision making process
• delegate authority
  
• consensus is sometimes not necessary

In conclusion, he also points out that we need to study guerilla and asymmetric warfare in order to succeed on the cyber battlefield.

The paper has numerous examples from recent years and thus gives a good overview of the extent of the problem. However, the examples have different level of detail (often too vague) to be of much help on researching a specific case. I would have expected a more detailed analysis of a limited number of campaigns. As always, read the paper for full value.

Review: Billy Rios on Cyber Attacks

It has been a busy time since last post. I gave a short lecture at the NATO School in Germany last week and I'm preparing some paper ideas for next year. However, I decided to take a short breather and review another paper from the Conference on Cyber Warfare - Billy K. Rios wrote a piece titled "Sun-Tzu Was a Hacker: An Examination of the Tactics and Operations from a Real World Cyber Attack." His work is partially based on the Grey Goose Report I.

The paper tries to map some real cyber operations to equivalent concepts in maneuver warfare, particularly drawing on the Georgia case and the US Marine Corps doctrine. He starts out by describing the essence of maneuver warfare and points out that cyber operations cannot "win a war". Instead, they can break up the enemy's cohesion and allow for exploitation by other (conventional) means. Incidentally, the Chinese seem to have adopted the same idea.

Discussing decentralized command and commanders intent, he brings the example of how a target list of Georgian sites was posted in a forum without clear instructions for action. The forum members then contributed with potential attack plans/instructions and discussed the campaign. As a result, a variety of targets and options became available and the attackers could each choose a course of action suitable for their skill, resources and level of motivation. As a side note, similar behavior was observed a year earlier during the cyber campaign against Estonia.

As an example of combined arms, he brings the example of SQL injection queries for fingerprinting and gaining access to database contents (NB! starting a month before the armed conflict), exploiting this information for intelligence, preparing automated attack tools that are then provided through the forum to anyone interested. I think he could have used a better example, because the link to combined arms is not clearly apparent.

Illustrating the concept of initiative he uses the examples of pre-emtive intrusions to Georgian systems and the sustained pressure to keep initiative on the attacker side, while keeping the Georgians to react. As a result, responding to cyber attacks wasted valuable time.

He also explains the importance of identifying and attacking enemy Centres of Gravity, although he does not connect it to the Georgian case. The important point is that these centres need not be physical fortifications or units, but can also encompass things like morale and resolve. Clearly, cyber attacks are a potential way of attacking the enemy centres of gravity, especially C2 networks and information targets.

He then points out that conventional weapons have physical limitations and the skill of the operator can only have relatively little effect in terms of stretching the effective range, damage etc. For example, a skilled marksman with a M4 carbine can hit a target from several hundred meters with standard sights, but not much more. On the other hand, the cyber warrior's capability to do damage is directly correlated with his skills. I especially like this sentence:

"Creating an offensive cyber capability is less about finding the right hardware and more about finding the right people and skillsets."

He also highlights that it poses a problem for intelligence analysts, as it is very difficult to estimate or track the development of offensive cyber capability, because the key component is the skillset of operators, not the invested money or acquired hardware.

Rios summarizes the paper by emphasizing that

• cyber capability should be incorporated into the overall plan, as it will not win the war on its own.
• Command and Control should be kept decentralized and decisions delegated to the lowest level. [This is in contrast to the Chinese doctrine, which seems to prefer rigid central control and limited use of the cyber strikes. - RO]
• the individual cyber specialist is the weapon system, not his laptop or his sidearm.

The paper is short and to the point. I like the summary, which brings out some good points (even some that do not seem apparent from the main text).

Reminder: CFP for Conference on Cyber Conflict

Reminder: the deadline for the abstracts to the Conference on Cyber Conflict is in ONE week - 30 November. Surely, 300-500 words of pure genius is manageable in a week, so start writing, if you haven't already.

Official CFP website
My earlier CFP post

Cyber Security in Serbia

Last week I participated in the Security in Cyber Space Conference in Belgrade, Serbia (organized by MoD and the Jefferson Institute). I was invited to give a short high-level introduction to patriotic hacking as one of the things that might have national security implications in cyberspace.

The conference covered a lot of ground in a short time, mostly focusing on Serbian experience so far and plans for the future. Other guests represented EUCOM, Middlesex University and Norvegian Defence Research Establishment.

For those of you who have never been to Belgrade, I recommend the Belgrade Fortress, which also includes the Military Museum. Unfortunately, most texts in the museum are in Serbian, but they do have many interesting items on display (ticket roughly 1 EUR).

Shane Harris - The Cyberwar Plan

Shane Harris has an interesting article in the National Journal. The main punchline seems to be that in 2007 US performed a cyber operation against insurgents in Iraq (and is planning to fight in cyberspace in the future, as well). Specifically:

"At the request of his national intelligence director, Bush ordered an NSA cyberattack on the cellular phones and computers that insurgents in Iraq were using to plan roadside bombings. The devices allowed the fighters to coordinate their strikes and, later, post videos of the attacks on the Internet to recruit followers. According to a former senior administration official who was present at an Oval Office meeting when the president authorized the attack, the operation helped U.S. forces to commandeer the Iraqi fighters'communications system. With this capability, the Americans could deceive their adversaries with false information, including messages to lead unwitting insurgents into the fire of waiting U.S. soldiers."

As is the tradition with revelations like this, in the end, there are no easily verifiable facts and the story itself is deniable, if necessary. On the other hand, it does say out loud what many others have omitted to so far and brings a clearly understandable example of the potential use of cyber power.

The article gives a very nice overview of many of the problems in cyber, such as finding and retaining personnel for the cyber force, attributing attacks to a state, potential escalation of the conflict to include third parties, collateral damage etc. One of the problems is the interdependency between civilian and military infrastructure, well illustrated by the quote from an USAF official: "... Iraq didn't do a good job of partitioning between the military and civilian networks." We have seen that human shield tactics work relatively well against western military. Consider then that the mixed infrastructure is like an ultimate human (civilian) shield, which could be used as a deterrent against military cyber attacks.

In a way, this article illustrates the media bias in security studies. We (western media) have long heard stories and laments of Chinese, Russian, Iranian and North Korean evildoing in cyberspace - spying on government leaders, attacking opposition web servers at home and abroad, etc. It is rare to hear someone state the obvious truth that western countries are, in fact, often doing the very same thing. With that out of the way, we can get down to business of analyzing conflicts in cyberspace.

The article briefly covers the Estonia 2007 and Georgia 2008 cyber attacks. Unfortunately, he makes the wide-spread comment of "crippling effects" in the Estonian case, which I have tried to correct and explain here. However, he only uses these cases as examples to illustrate the problems of attribution.

He proceeds by illustrating one of the key reasons why cyber operations have failed to make it into mainstream military use. A briefing on the 1999 Kosovo campaign concluded that:

"... the cyber-operation "could have halved the length of the [air] campaign." Although "all the tools were in place ... only a few were used." The briefing concluded that the cyber-cell had "great people," but they were from the "wrong communities" and "too junior" to have much effect on the overall campaign. The cyber-soldiers were young outsiders, fighting a new kind of warfare that, even the briefing acknowledged, was "not yet understood.""

It is true - cyber warfare is not yet understood. Not even by the experts who are trained to fight it. There are very few examples (often anecdotal) of actual use of cyber operations to achieve military success, and even those are usually restricted to a very narrow part of the grand plan. Therefore, it is too early to say if applying the doctrine in large scale conventional military operations will bring cyber to the dominant position, or supportive, or just annoying. It will probably take a conventional, serious (life-or-death for the state), war between two technologically advanced states to really bring out the benefits and drawbacks of cyber war.

The rest of the article is also a good read, so I highly recommend it. I don't agree with parts of it, such as the MAD doctrine as a useful analogy (I've commented on it here), but it does provide a good introduction to the military cyber issues, especially for those who are new to the topic.

Interview in Eesti Päevaleht

Eesti Päevaleht (a daily newspaper in Estonia) published my interview [in Estonian] on cyber threats and conflicts in cyberspace.

Review: Amit Sharma on Cyber Wars

Time for another review of the articles published in the proceedings of the CCD COE Cyber Warfare Conference. Next up is Amit Sharma from India, who wrote an interesting paper titled "Cyber Wars: A Paradigm Shift from means ot Ends".

He starts out by explaining the idea behind the paper. He hopes to provide a

"framework in which cyber warfare will have a strategic effect by acting as primary means to achieve conventional ends, hence will induce a paradigm shift from the conventional notion of cyber warfare as a tactical force multiplier to the notion of strategic cyber warfare acting as primary means of achieving grand strategic objectives in the contemporary world order. The author will accomplish this objective by deriving the elixir of Clausewitz’s Trinitarian warfare and applying the concepts of Rapid dominance and Parallel warfare in cyber space so as to generate the strategic paralytic effect envisaged in effect based warfare. The author will conclude by shattering the conventional dictum of cyber defence, based on the notion of “defence in layers” and legal aspects of Law of Armed Conflict; by providing the only feasible and viable cyber defence strategy relying on the application of Rational Deterrence Theory (RDT) in general and on the idea of Mutually Assured Destruction (MAD) in particular so as to maintain the strategic status quo."

A tall order by any standard. The paper is written in an artistic and forceful language, painting the scene of an apocalyptic cyber strike that ends all and paralyses the entire state from the government to the citizen by simultaneously disrupting the trinity of government, military and people. I think that this strong emphasis on total paralysis (and total war) is a potential weakness of his approach.

Even though all theoretical model are abstractions, I believe his trinity (imagine a triangle) model is somewhat idealistic and naive. His description of the people corner is exclusively oriented to the liberal western countries (which includes the minority of the world's population and, arguably, are not as liberal or democratic as they may portray themselves). What about the rest of the world? The model's military corner is focused on the network-centric digital troops, which again represent the minority (although a powerful one) in the militaries of the world and even that is not always as networked on the battleground as the doctrine would imply. Last, but not least, the government corner, where governments are charged to provide "a secure, secular and democratic environment" for the people. Well, let's try to name some big countries that fit that idealistic description to the letter in practice, as well as in theory. It won't be easy. So, the model applies in a theoretical ideal case and I agree that in such a case the implications can be extremely dangerous.

The danger comes from simultaneously taking down all three components of the trinity with a parallel cyber campaign, which, as we have just reviewed, is entirely dependent on the assumption that the country is wired beyond the point of safe return. He concedes that in most recent cyber conflicts this parallelism has not taken place and we have seen much more limited campaigns.

He then proceeds with a five step plan for a strategic cyber campaign: "Shape, Deter, Seize initiative, Dominate and Exit". This is a nice and clean model for describing a (cyber) conflict, but I disagree with some of his conclusions.

In discussing the deter stage, he touches on the concept of countervailing, or "making known to the potential adversary that the implication of a nuclear strike would be far greater than the potential gains an adversary can achieve by initiating the first strike." He mentions that the recent cyber attacks against Estonia, Georgia, UK, France etc. may be an example of cyber counterveiling. I do not see it that way, as a key point of countervailing relies on letting the enemy know your capability - and no state has taken responsibility for the attacks listed. Furthermore, the cases he cites are not traditional military conflicts (with the possible exception of the Georgia attacks), but merely harassment or espionage, which do not demonstrate the potential destructive capability of a state. They do serve as reminders that networks are vulnerable, however.

He does make a good point that in order to deter an attack you need a "Cyber Triad capability", which consists of

"Regular defence/military assets and networks, [...] isolated conglomerate of air-gapped networks situated across the friendly nations as part of cooperative defence, which can be initiated as credible second strike option; and [...] a loosely connected network of cyber militia involving patriotic hackers, commercial white hats and private contractors which can be initiated after the initial strike or in case of early warning of a potential strike."

He proceeds by demonstrating that the concept of defense in layers and the Law of Armed Conflict (LoAC) do not work in a strategic cyber campaign. I do not understand his point that a system built on the concept of defense in layers (defence-in-depth) is "as strong as its weakest link." To me, defense in layers means exactly the opposite - you can take out any single node and the system remains secure due to the other layers.

His other argument is that LoAC does not cover strategic cyber warfare. Granted, there have been no successful applications of LoAC to strategic cyber warfare yet, but that is because we have not yet seen a strategic cyber warfare campaign in the armed conflict sense. As mentioned above, we have plenty of hactivism, espionage and other examples that fall outside the LoAC framework, but no state-on-state wars where cyber has played a significant role. Therefore, it is premature to throw LoAC out of the window as it is today. However, I agree that it needs updating to meet modern scenarios and the CCD COE is among the experts that work toward this goal (some discussions on this took place at the Cyber Conflict Law and Policy Conference).

He finishes by arguing that Mutually Assured Destruction (MAD) doctrine is the best way to keep states from engaging in strategic cyber warfare. I would argue that MAD simply does not work well in cyberspace, as

1. attribution of the cyber attack may be impossible,
2. in case attribution can be achieved, there is a question of false-flag operations,
3. in case a second strike is launched, there will be ample collateral damage to third states, which can escalate the conflict further,
   
4. the cyber triad is never ideal and many (most) countries in the world today are almost invulnerable to strategic cyber warfare, because they have little or no reliance on cyberspace,
5. in case a strategic cyber campaign succeeds against a modern military power, they can always retaliate with weapons of mass destruction (missile silos should be air-gapped from the rest of cyberspace, at least I would hope so).

Overall, the paper has a lot of provocative thoughts and arguments and I enjoyed reading it (what would be the point of reading things that do not raise a single question or counterargument). I have not covered some of his points that I agree with and, as always, I recommend reading the full paper. We met briefly at the Conference in June and discussed some of the points above, and in the end agreed to disagree on some of them. I wish him luck in his research, as he definitely rocks the boat.

CFP: Conference on Cyber Conflict

The Call for Papers is out for the CCD COE Conference on Cyber Conflict. The event will take place in Tallinn from 16-18 June 2010 and it combines the two conferences that the Centre organized in 2009 (You can read summaries here and here). There will be a separate training day on June 15th.

Bruce Schneier will give the keynote address and judging from the experience of the this year's events we expect many other interesting talks and papers as well.

The conference is split into three tracks: Technical, Concepts and Strategy, and Legal and Policy. Paper submissions are welcome to all tracks. Note that the deadline for abstract submission is a mere four weeks away!

Key dates
Abstract due: 30 November
Paper due: 01 March 2010
Conference: 16-18 June 2010

Centralized vs de-centralized cyber campaigns

The previous post got me thinking about some of the key tenets of the Chinese approach: the cyber campaign must be centrally controlled, executed by organic forces and have a tightly focused target.

Obviously, this centralized approach provides good command and control opportunities. It also limits collateral damage and I guess, most important of all, eliminates possible interference from volunteer actions (such as someone taking control of one of the key entry points to the enemy network and shutting you out). Historical examples also seem to show that volunteers are more likely to engage visible targets (web sites etc) that have little or no tactical value.

On the other hand, NOT using the volunteers (the de-centralized approach) denies you the use of a potential resource. Odds are that if a country has a developed patriotic hacking community, they will take part in the conflict one way or the other, so you might as well try to guide them to be useful.

The second argument for using volunteers is psychological. It displays public support to your campaign, potentially reinforcing the mindset in other sectors of the society. It also brings in small but visible IW victories, as press covers the "citizen campaign" against the opposing side.

The third argument would be the Fog of War. The patriotic hacking community can provide the smoke screen necessary to execute the important strikes against key nodes. Remember, if the plan is to concentrate your attacks in time and (network) space, they will become immediately visible. However, if you have attacks of various severity levels happening all the time the enemy may not recognize the significance of the critical attack until it is too late.

The fourth argument is that patriotic hackers can "prep the battlefield" before the hostilities commence, provide retaliatory attacks after the hostilities, target third parties and civilian or commercial targets while the state can deny any involvement. This supposes that there is an established patriotic hacker community in place, so the world does not necessarily consider there to be a direct link to the specific conflict.

Finally, political attacks by civilians as part of a larger conflict have no clear regulation and few legal precedents. If the host country is not willing to cooperate with the criminal investigation (not likely in a time of war) the attackers will remain anonymous and protected, while the state still has "formal" deniability.

However, as I have noted before, there is a price for accepting patriotic hacking in a state. Most pressing are the long term rise in cyber crime and the potential that they act against the state. On the other hand, if the decision has been made or if there is already a well-established community in place, one should consider the possible uses of this force. Because whether you plan for (with) them or not, they will participate in the fight.

Cyber Report on China

I got a tip to a new report on Chinese cyber capabilities [pdf] by Northrop Grumman. The report aims to provide "a comprehensive open source assessment of China’s capability to conduct computer network operations (CNO) both during peacetime and periods of conflict."

They start off with an overview of the strategic developments in China. Even though there is no official CNO strategy, the PLA is in fact preparing to fight the cyber battle. I found it interesting that they consider domination in cyber space a prerequisite for air and naval domination. This is a clear indication of its importance in the Chinese thinking. It also explains why the EW/IW/CW issue is seen as the forcing agent behind the "informationization" of the PLA.

Chinese writings identify enemy C4ISR and logistics systems as the primary targets in a military conflict and also point out that IW will fire the opening "shots" in a war. However, there is also indication that IW and conventional techniques can and should be used together for maximum effect. I think this is very important, because I have often seen the mindset that IW is something separate from "real" warfighting. Then again, the Chinese have thousands of years of experience to draw upon, so it is not surprising that they see the value of combining the two.

They also point out that China is very active in developing counter-space weapons (EW, CW, kinetic, directed energy, EMP etc.) in order to fight a potentially tech-heavy oriented opponent such as the US.

Another interesting aspect is targeting. Instead of trying to blanket the battlefield, the Chinese writings suggest taking out key nodes in order to provide opportunities for other forces to exploit the resulting confusion in a specific point in the battlefield. I believe this refers more towards EW and kinetic than cyber, as tactical use of cyber attacks would probably be difficult to implement.

It seems that the PLA is actively training to fight in conditions where CW/IW is a common part of the battle field, including special training centers and a designated Blue Force (OPFOR) regiment. In addition, several universities seem to engage in offensive CW research and education.

There is an interesting note about using EW/CW pre-emptively to deter an enemy or to limit the size of the conflict without much bloodshed. In fact, they seem to consider CW a deterrent second only to nuclear at the strategic level. I like the comment that CW is the PLAs longest range weapon.

Another key point that I agree with is that CNO is useful for damaging/degrading systems, but also for deploying PSYOPS/deception against enemy personnel, enemy supporters and the public in general. I have met some people who consider PR the one and only element of IW and I just disagree. With so many options available under IW, it would be irresponsible to overly limit yourself to use only one.

There is an excellent section about how the Chinese might use CNO against the US (military) in a conflict scenarion. I agree wholeheartedly that the logistics and C2 systems at the theater or higher level would be sensible targets to buy time for the PLA and to cause confusion among US forces. However, as I have noted before, the discussion here is limited to purely military targets (like in the US discussion), but in a total war the commercial sector may be the more important strategic target.

The following section gives a broad overview of what is publicly known about the Chinese CW structure. Of particular interest for me are the PLA IW militia units, which seem to be drafted from commercial and academic entities to supplement PLAs integral capabilities. The idea of using telcos and universities (for example) to create sub-units for the militia is perhaps not intuitive for the westerners, but it does make sense. You have people with the right skills, established relationships and access to networks and systems - all they need is a mission.

The second interesting bit is that some militia sub-units seem to focus purely on R&D. In order to understand the significance, consider if infantry (militia) battalion is likely to have a dedicated infantry tactics research and development platoon. This highlights the difference between the information warriors and the traditional fighters. The report also mentions discussions about setting a different standard (age limit, physical condition) for the cyber warrior, something that was also debated here.

Moving on to the independent Chinese (patriotic) hacker community, the report claims that around 2002-2004 the state reversed its previously favorable stance towards patriotic hactivism and as a result the movement has died down. This was not the notion I got in Stockholm in May, where Dr Xu Wu from Arizona State University talked about Chinese cyber nationalism. According to him, the patriotic hacker community is alive and well, albeit somewhat underground. He also claimed that the state was having difficulties deciding what to do with this resource, as it is difficult to control - something that I also predicted in my paper about volunteer cyber attackers. Dr Wu compared it to a double-edged sword, which can cut both ways. It is possible, however, that this discrepancy does not exist and the official cyber militias have incorporated a significant part of the patriotic hacker community.

The report then provides a couple of examples of recent attacks probably originating from China. There are also various examples of relations between the state and the hacker community, including state recruitment in the hacker forums. One of the more interesting examples is how a java language user group transformed into a patriotic hacker group over the EP-3 incident. This is an excellent illustration of how "cyber tribes" can very quickly develop into cyber militias.

In the following section, cyber espionage is investigated from the US perspective. The report points out that potential Chinese espionage efforts are a great concern for the US counter-intelligence community, especially in the light of the reactive cyber defense paradigms in place. They claim that there is a strong case for state-sponsored attacks, although it is often difficult to fully attribute the attack to a state.

The report includes a nice explanation of a targeted attack via e-mail to get access to the organization's systems. However, they include an even more interesting case study of a large data heist in a US firm. It provides a simple description of the time line and activities uncovered by the forensic team.

The report concludes with a comprehensive list of China-related cyber events between 1999 and 2009.

Overall, the report is easy to read and low-tech. It covers many interesting aspects of the Chinese cyber issues. However, since this is a public and open-source report, it does not go into too much detail and it may inadvertently include some deception information. All-in-all, I enjoyed it and it provided me with a lot of things to think about. It also confirms some of my own theories and thoughts.

As always, read the report for full detail.

Review: Analogies and Cyber Security

Here is a short review of the paper "What Analogies Can Tell Us About the Future of Cyber Security" by David Sulek and Ned Moran, published in the proceedings of the CCD COE Cyber Warfare Conference.

In the paper they explore the potential dangers that come with using colorful analogies like cyber Pearl Harbor, cyber Katrina, cyber 9/11 etc. In order to deal with these dangers they propose to start with developing a detailed issue history. A well written issue history helps determine which analogies apply. They give a short example in the form of the cyber issue history that, among other things, lists what is known, what is unclear and what is presumed about the topic.

They then provide a framework for exploring cyber analogies. It consists of two dimensions: one axis representing inspiration (hope and possibility) vs desperation (fear and danger) and the other systemic (evolution) vs disruptive (revolution). They give some examples for each: invention of the telegraph was an inspiring event, as it created new possibilities to communicate. On the other hand, the Y2K bug represented a potential danger to the computer systems. World War I was a linear, systemic result of military build-up, whereas 9/11 was a disruptive, revolutionary event. I think the first pair of examples is a good fit, but I am not so sure about the second. One could argue that there is an evolutionary line of developments that lead to both tragedies, we just haven't taken the time to really reflect on the reasons for, the facts of and the aftershocks of the 9/11 attacks. But I digress.

They spend the rest of the paper analyzing four cases from each quadrant of the model as a potential fit for cyber security. The four cases are the Strategic Defence Initiative (inspiration, evolution), the Cold War (desperation, evolution), the [US] National Highway System (inspiration, revolution) and finally, Pearl Harbor (desperation, revolution). Each case reveals interesting overlaps with cyber. However, each also has its discrepancies, so no clear match emerges.

They sum up their analysis in four points:

1. There is no single analogy that works for cyber.
2. Cases that balance inspiration and desperation leave the strongest impression on history.
3. Many analogies used today are at the extreme ends of the model.
4. It is important to build a good timeline for an issue, in order to understand the reasons for events.

Overall, it is a nice read and an interesting analysis of the four cases. I may not agree with the interpretation of historical events, but then again, the model is meant to be an abstract tool to describe analogies. As such, there will always be opportunities to interpret events in different ways.

The main point for me is to review the cyber analogies that I have used in the past. The analysis of the four cases has given me some food for thought and hopefully, next time I blurt out with something, I remember to also offer caveats.

As always, the paper itself is much more detailed and I recommend reading it in full.

CWCON '09 proceedings available

Yep, they are finally here. The proceedings of the CCD COE Conference on Cyber Warfare, which took place in June, have now been published with the help of IOS Press. Titled "The Virtual Battlefield: Perspectives on Cyber Warfare" it appears as book three in the Cryptology and Information Security Series, and is edited by Christian Czosseck and Kenneth Geers of the Centre.

It's 300 pages contain 21 peer-reviewed papers presented at the conference. In the coming weeks I hope to follow through on my promise and write reviews for the ones that are of most interest for me.

On the same note, the call for papers for the next year's conference is due out shortly, so start warming up your paper ideas.

CFP: ECIW 2010

The call for papers is out for the 9th European Conference on Information Warfare and Security. The event takes place on 1-2 July 2010 in Thessaloniki, Greece.

I have been to the conference three times now and I can recommend it for it's relaxed atmosphere, interesting sights, and obviously - some interesting papers and talks.

This year I am hosting a mini-track on Cyber Conflict, so please feel free to submit papers for that track. I would be glad to hear your thoughts on conflicts in cyberspace, among other things.

Key dates:

Abstract submission deadline:	10 December 2009
Notification of abstract acceptance:	17 December 2009
Full paper due for review:	28 January 2010
Notification of paper (acceptance with any requested changes)	8 April 2010
Earlybird registration closes	22 May 2010

Botnets and Proactive System Defense

I finally took the time to sit down again and read an article with the provocative title "Botnets and Proactive System Defense" (2008, Springer Link) by John Bambenek and Agnes Klus. From the title I assumed it would be about using botnets as weapons for a proactive defense strategy, but I was mistaken.

Instead, they start off with a nice survey on how commerce has moved to the web and why the old security measures no longer protect the consumers. They touch upon the problems with making transactions with credit card and social security numbers (basically, single factor authentication), as well as several other computer security issues like the reactive patch cycle. Next they review the growth and development of malware, using the Shadowserver graphs to illustrate their point. All this is not new, but it does a good job of surveying the problem.

Getting to more interesting bits, they propose that an ideal botnet strives to maximise six key properties: "high capacity, low overhead, fast responding, flexible, anonymifying [anonymizing?] and quiet." They show how IRC meets these requirements and point out that other technologies, such as RSS, will replace the IRC bot as more and more network administrators grow suspicious of IRC traffic.

For proactive defense, they consider offering the consumer free security software and encrypting their sensitive traffic. Another proposal is to switch from "allow all" to "deny all" or "deny most" principle in terms of antivirus software default settings for running programs. They assume that signing software would solve this problem, as

"There are a finite number of reputable software vendors and applications out there and far more disreputable software vendors and applications."

Not sure I agree with what this claim implies. You cannot have a complete list of "good guys" that will keep you safe from malware. If that were true, we could also say that there are a finite number of reputable ISP-s, so we can just drop all packets that come from the jungle. Unfortunately, this is not true in either case. Reputable businesses have engaged in malicious activity (Sony rootkit, for example) and a lot of cyber attacks come from the networks of reputable ISP's (by default, a potential malware victim would sign a contract with a "reputable" ISP to get access to the net).

One more proposal for making the defense more proactive is to enable remote security validation on computers. While this may sound good in theory and there are even ways of doing this, I do not see it passed into law or practice due to privacy concerns.

Finally, they point out that the great debate over the need for a national ID in US may be moot, as the social security number already acts as one, and a poor one at that.

They conclude by reiterating that the main strategy against botnets is to make them economically nonviable for the criminals. While a nice overview and an easy read, I did not find much new in the paper, however. What I did find is an interesting example of how parts of the US sometimes seem to lag behind in adopting technology:

"Banks already are starting ... requiring one-time passwords with keyring tokens or other devices so that even if an attacker gets the one-time password, they cannot compromise the account."

In many parts of the world, one-time passwords and passcode generators have been the norm for on-line banking for years. In Estonia, for example, the lowest level authentication still in use by the general banking sector uses a set of 20-30 randomly repeating passcodes. This is not safe, sure, and that is why the clients using this method have a ~300 USD daily transaction limit (the system itself is being phased out). If you want more, you need either a passcode generator or the national ID card with valid certificates. In both cases, you need to know something (pin) and have something in order to carry out your transaction.

"Where Computer Security Meets National Security"

I read an interesting article by Helen Nissenbaum, on "Where Computer Security Meets National Security" (2005) [pdf, Springer link] .

She starts with a good point that the "traditional" computer security, developed in the technical community and focused on the protection of a computer (system) is difficult to port into national security terms, where damage to life, economy, morale and reputation is the core worry. She argues that the "technical computer security" focuses primarily on ensuring confidentiality, integrity and availability, even though there is a push to extend this to ensuring overall "trustworthiness" of a computer system (including resilience etc.).

She calls the competing national security conception cyber security (a term that has grown more popular since then). According to her, cyber security is most concerned with three problems:

• using computer networks "as a medium or staging ground for antisocial, disruptive, or dangerous organizations and communications." In other words, propaganda, phishing and a host of other soft threats;
• using computer networks to attack the critical societal (information) infrastructure, or the hard threats; and
  
• using computer networks against computer networks. I may misunderstand her reasoning, but I think computer networks in the larger sense (Internet infrastructure, SCADA systems, public services on the internet) are also part of the critical information infrastructure, and I would combine the last two categories into one.

I found it interesting that she illustrates how computer security can be used in various moral (protect users from harm) and immoral ways (protect the interests of the company, while limiting the usefulness of the product to the end user).

She then reviews the concept of "securitization" by the Copenhagen School. Essentially, it means that unlike "realist" methods, there are more threats than just military aggression and there are more targets as well (state + religion, economy, environment etc.). Furthermore, securitization is a process of making something into a security issue (especially in the eyes of the public). In her words: "In general, to securitize an activity or state-of affairs is to present it as an urgent, imminent, extensive, and existential threat to a significant collective."
[Note: An interesting concept and something to be studied later.]

The next chapter shows some steps how cyber security has been securitized, including a funny interlude about how the music and film industry is trying to securitize the P2P threat against their obsolete business model. She also covers some examples of cyber space shown as a potential battle space and it's asymmetric nature.

Getting to the meat of the issue, she compares the two approaches:

• Computer security recognizes a broad range of the degree and type of harm, while the cyber security assumes that the threats are dire or existential.
• Computer security focuses on protecting the "individual nodes" (people, computers), while cyber security looks at "collective security."
• Computer security rests on the moral foundation of protecting from harm, while the moral aspects of cyber security can vary depending on the securitization process.
  

An important question she brings up is when is securitization warranted? When is a threat dire enough to become a national security issue that is handled in secrecy, and potentially in ways not common to a democratic state? She argues that there is lack of reliable data on the size of the threat from the computer security perspective, as research is focused on (potential) vulnerabilities, while reporting of actual incidents is hap-hazard at best. She also touches on the issue that the same attack can be viewed in many different contexts (criminal, national defence, activism etc.).

She concludes that in the end, the "technical computer security" approach might be better, as it provides security at the user level and thus still allows us to use the net for the core purpose of sharing information and ideas. The highly securitized state controlled approach, on the other hand, raises questions about privacy, freedom of speech etc.

To sum up, a very interesting article with much food for thought. I found several interesting insights here and I am sure that more will pop up later. If anything caught your eye, I recommend reading the article in full, as there are many details that I did not cover.

Article in Akadeemia

One of my articles (Conflicts in the information age - cyber attacks and the citizen society) was published in the Estonian academic journal called Akadeemia (2009, nr 9, Special Edition on War and Peace) a few days ago.

In the article, I revisit the own forces/hired guns/volunteers categories and focus on the latter. I try to explain some interesting aspects of using volunteers, such as the parallel rise in crime and the need to "exercise" the volunteers regularly. I also try to look at why ordinary people from the street may become belligerents in cyber space, specifically addressing radicalization through Internet and formulation of cyber tribes. I end the article with a positive note, that volunteers can be harnessed for good, as well as evil. Consider, for example, defensive volunteer organizations, such as the WARP network in UK. In addition, I touch upon the personal responsibility of today's netizens - we all have a part to play in developing a safer cyber society.

Cyber Conflict Law and Policy Conference

As mentioned earlier, I attended the Cyber Conflict Law and Policy Conference in Tallinn last week. The event was organized by the CCD COE and took place in Swissotel from 9-11 September. About 150 attendees from about two dozen countries discussed issues like the applicability of the Law of Armed Conflict, legal frameworks etc. I will try to briefly summarize by sessions.

Setting the Stage

The conference opened with a keynote speech by the President of Estonia, Mr Toomas Hendrik Ilves. He stressed the need to adapt the defense thinking (including legal frameworks) to the changes in technology. He illustrated the point with medieval defensive structures in Tallinn, which were useless in fending off air raids during WWII. He also talked about the need for collective cyber defence. An important idea was that in NATO, as far as cyber defence is concerned, we should focus more on Article 4 (consultation among nations) today, so that if and when Article 5 (collective self-defence) is ever needed, there is already some consensus.

Next speaker was MG Glynne Hines, Director of NATO HQ C3 Staff. He pointed out the need for consistent legal advice and the usefulness of embedding lawyers in a cyber defence organization. He alsp briefly touched upon some changes in NATO that were initiated by the lessons learned from the 2007 cyber attacks against Estonia: adoption of NATO cyber defence policy and concept, accelerated development of NCIRC and the NATO cyber defence exercise.

Ms Eneken Tikk of the CCD COE, the content organizer for the conference, introduced a draft Framework for International Cyber Security (FICS), which was developed in cooperation with George Mason University Center for Infrastructure Protection (GMU CIP). Basically, they are a collection of abstract models/slides that should be helpful in reaching a common understanding about the issue.

Country Reports on Cyber Security Strategy

Ms Heli Tiirmaa-Klaar from Estonian MoD gave a brief overview of the 2007 April-May events, as well as the pervasiveness of e-services in Estonia. She then proceeded to introduce the Estonian Cyber Security Strategy. Some more points from her talk: cyber attacks pose a new asymmetric threat against critical infrastructure and the development of cyber defence capabilities is very uneven across different states.

Dr Per Oscarson from the Swedish Civil Contingencies Agency gave an overview about his organisation and the Swedish approach to national cyber security. It seems the Swedes have at least in theory a model for planning cyber security, consisting of two main parts: the strategy (vision and strategic directions) and the action plan (explicit objectives and measures).

WCDR Adrian Frost from UK MoD proceeded by giving a quick overview of the British approach. Apparently, UK considers cyber as one of the five domains (air, land, sea, space and cyber), similar to some thoughts I have heard from USAF in recent years. He briefly introduced the UK Cyber Security Strategy (approved 23 June), which aims to secure UK advantage in cyberspace by reducing risk (public), exploiting opportunities (industry) and improving knowledge, capabilities and decision-making (international).

Autopsy of a Cyber Conflict

Professor Daniel Ryan from the US National Defense University gave an interesting talk about the lawyer's look at a cyber incident. Specifically, he addressed the issue that there are regular incidents (handled as per SOP or ignored) and then there are INCIDENTs that really matter. In the latter case, one needs to determine if it is an attack (or accident, technical failure etc.), who is behind the attack (attribution) and who can/should respond to the attack (law enforcement, intelligence, military, lawyers).

Next, Dr Bret Michael from the US Naval Postgraduate School addressed various cyber conflict issues from a more technical viewpoint. Among his points was the claim that cloud computing will change the way we work and will introduce new security challenges. An interesting thought was the martial arts analogy - in cyber defence we should not focus on rigid and forceful response (karate), but rely more on the flexibility and use of the opponent's strength (aikido).

Unfortunately I had to leave early that day and I didn't catch Mr Joe Weiss' (Industry Expert and Control Systems) talk on industrial control systems, but I heard that he gave an insightful presentation on the vulnerabilities associated with the systems that uphold modern society.

Cyber Security Institutionalized - Pieces of an Effective Defence Model

The second day started with Ms Eneken Tikk's talk on international organization's legal and policy approaches to cyber incidents. Sha listed the numerous laws, regulations and directives that various IOs have produced to deal with cyber security matters. To limit the scope, she briefly examined the documents that focus on data protection and concluded that while there are a lot of regulations in place, they tend to be stovepiped and there is not enough practice in using the breadth of tools available. She also discussed the different approaches that have been taken in various EU countries on data protection.

Ms Yurie Ito from ICANN, formerly of JP-CERT gave a presentation about recent developments in ICANN, with regard to security. Unfortunately she did not have enough time to delve deeper into her slides on Conficker, as I am sure her insight would have been valuable.

Ms Maeve Dion from GMU CIP addressed public-private partnerships and national input to international cyber security. She touched various points, including the many areas of law that deal with aspects of cyber, informal vs formal networks in cyber defence, developing strategy and risk analysis methodologies.

The day ended with three working groups that discussed FICS and cyber law/policy issues.

Enhanced FICS

The final day started with Professor Derek Jinks from US Naval War College. His talk was on the Law of Armed Conflict (LoAC) and the military perspective. He pointed out that LoAC is not there to minimize "war" as an official status of affairs, but to minimize organized violence. Another good point was that "armed" does not imply any physical properties or mechanics, but rather organized application of violence. He further explored the concept of armed attack, as it is often used in the definition of armed conflict. He noted that armed attack is subject to various conditions, such as severity (death or substantial destruction of property), status of the attacker (according to UN terms, attacker is state, but in practice it is often a non-state actor that may or may not have state sponsorship), status of the target (again, old rules dictate the state as target, whereas in practice, any entity that the state can claim sovereignty over, incl. citizens), necessity, proportionality, time-proximity etc. He also raised some interesting questions about new concepts like cyber occupation (displacing civil authority by means of cyber attacks). A very good talk indeed, even though he did not have enough time to go into all the details.

Next came Dr Thomas Ramsauer from German Ministry of Interior. His talk focused on the law enforcement perspective, but he also revisited some LoAC questions. He used a nice model of cyber conflicts, where you have the damage to target on one axis and organization of the attackers on the other. Then, as damage and level of organization increase, one progresses from cyber crime to cyber terrorism to cyber war. While I don't think it is that simple, it is a nice and visual way of presenting the idea. He also briefly touched the Schmitt test and the concept of attributing "private attacks" to a state actor. An interesting thought was that in order to limit collateral damage to civilians, commanders in future wars may be obliged to prefer cyber attacks over traditional means of warfare.

Mr Lauri Almann from Aare Raig Attorneys-at-Law (former undersecretary of defence of Estonia) gave a talk on national defence law from the government perspective. He focused on factors of decision making, which consisted of four one-dimensional axis': secret-public, fast-slow, international-national and professional-emotional. He proposed that in cyber conflicts, the first of all these pairs is the relevant (used) property. I am not sure I agree. Secrecy in international environments seems to exlude the fast property and often the professional property as well. He closed by noting that there is not much need to exercise the technical community (as they perform the cyber defence mission daily), but educate and train the legal and political community, who only get involved when things get hot [and potentially profitable - author's note].

Professor Lilian Edwards from University of Sheffield provided a brief glimpse into the information society law and the user perspective. She noted that laws should always set a balance between security and privacy. The problems appear when the balance varies from law to law and over different jurisdictions.

The conference ended by comments of the observers as well as summaries of the working group results. A couple of points that stuck were the slide on the spectrum of state-sponsorship by Jason Healey (US Cyber Conflict Studies Association) and the idea that some sort of International Cyber Tribunal may be needed [not sure how much success other international tribunals have had].

Finally, Mr John Bumgarner from the US Cyber Consequences Unit gave a short overview of their recent report on the lessons learned from the Georgia cyber attacks in 2008. Unfortunately, the report is not public, so his notes were fairly general and added little new insight to the events in Georgia. It's a shame, as he possesses a wealth of knowledge on the subject. I understand his position, but it is yet another example of classification issues diminishing the value of research.

Disclaimer: I hope I did not do injustice to anyone by misunderstanding or missing key issues in their talk.

Overall, the conference was a success and I am looking forward to the next one. I had the chance to talk to many interesting people on the sidelines and I also met some old friends. The cyber scene is very small indeed.

Blog launch

In order to conserve my memory, I have decided to open my blog to the public today, on 09.09.09.

I hope this will result in good quality feedback and interesting new contacts, as well as facilitate discussion in the area of cyber conflicts.

Without further ramblings, here it is. I hope you enjoy it as much as I do.

Regaining strategic competence

And now for something different...

I happened across a study about Regaining Strategic Competence [pdf] in the US [thanks to The Best Defense blog for the link]. It consists of four parts: discussing the deterioration of US strategic competence, defining strategy, illustrating the importance of good strategy and finally debating the common mistakes.

The strategy chapter brings out a good point that strategy is applicable to many pursuits, not just military. I also like their definition of strategy:

"Strategy is fundamentally about identifying or creating asymmetric advantages that can be exploited to help achieve one’s ultimate objectives despite resource and other constraints, most importantly the opposing efforts of adversaries or competitors and the inherent unpredictability of strategic outcomes."

The only problem I see in it is that it does not explicitly state that strategy is usually a 'grand' affair, with long term and/or wide spread effects, versus the tactical gains of here and now.

As far as historical analysis is concerned, I am not sure I agree with some of their facts (Soviet soldiers happy to die en masse for the Rodina) and conclusions. The argument that in 1942 Western Allies could have launched a cross-channel invasion into occupied France, that is - before Germans had been overextended in the East and before Allies had enough troops, weapons and supplies for a full campaign in Europe - seems a bit far fetched. I would guess that the Torch landings would have produced a very different outcome for the Allies, had they been directed at France, instead of North Africa.

The final chapter addresses many typical mistakes that lead to bad strategic decisions.

Upcoming Conference

This week I will participate in the Cyber Conflict Legal and Policy Conference, in Tallinn. Organized by CCD COE, it aims to build some common ground in understanding the legal issues of cyber defence. More on the conference next week.

Paper on Cyber Society

I co-authored a paper with Peeter Lorents and Raul Rikk that was published in the 13th International Conference on Human-Computer Interaction, San Diego, in July. You can also find the paper in LNCS 5623, pp. 180-186.

The paper is titled Cyber Society and Cooperative Cyber Defence. In it, we explore the concept of cyber society, which we define as "a society where computerized information transfer and information processing is (near) ubiquitous and where the normal functioning of this society is severely degraded or altogether impossible if the computerized systems no longer function correctly."

We then examine Estonia as an early form of a cyber society and illustrate it's potential vulnerabilities with the events of April-May 2007. We conclude the paper with the foundations behind the establishment of the Cooperative Cyber Defence Centre of Excellence.

This was my first co-authored paper and as such a new experience. One of the problems of having multiple authors is to write a consistent paper - something that could be improved in this case. However, I think it does convey the ideas that we wanted.

Asymmetry in Cyberspace

The other day I started to ponder about what constitutes a fight in cyberspace. I find that it is fundamentally different from what could be termed conventional fighting (in a military sense) - tank engagements, infantry ambushes etc.

The issue is really about the asymmetry between attackers and defenders. A cyber attacker needs to find just one opening, while the defender needs to cover every conceivable (and inconceivable) weakness. This is a critical mismatch in terms of resources.

Another asymmetric aspect is the fact that in a "cyber battle", attackers rarely present a target themselves, because they are difficult to identify. Even if the attack can be attributed, there is little that can be done with a cyber retaliation. An attacker does not "own" critical technical infrastructure, which could be taken out. They just use the public communication infrastructure as a service provider and a "human shield".

In a potential two-way cyber engagement this works both ways. A practical example would be to use red teams to knock out critical infrastructure targets on the other side, while "ignoring" the attackers from the other side and relying on the quality of one's defence.

Blog reset

I am back from my summer hiatus. As promised, I will continue to throw my ideas and thoughts in here.

I have often found it interesting how some people fear the offensive side of cyber. 'Defense only' is the politically correct way of putting things, even though it is pure nonsense. Skills and knowledge to be a good defender is largely dual-use.

Look at it this way. Imagine briefing a general: "Sir, our defensive infantry brigades have dug in around the city, we can now deploy our offensive infantry regiment to attack the enemy." True, some units are better equipped and trained for offensive or defensive missions, but that does not mean that they lack the capability to do both.

Summer hiatus

I am taking some time off over the next month or so, enjoying the summer weather and gathering new ideas for the coming year. Therefore, posting will probably be hectic at best. Regular posting will resume in late August.

PowerPoint them!

There is an excellent essay at Don Vandergriff's blog about a horrible cyber weapon - the PowerPoint slide. In the essay T.X. Hammes analyzes how PowerPoint has weakened the [military] decision making process, as well as the ability to reason and write coherently. The main argument is that previously, staff had to provide a short, concise decision paper for the leader to read, think, discuss and decide, now the leader gets a barrage of information, very little time to think and discuss, and finally has to shoot a decision from the hip. However, he also makes a distinction that PP can serve as a very useful teaching tool.

I think the essay makes a valid point.

On definitions

A big problem in the field of cyber is the lack of commonly agreed definitions. I think cyber war and cyber terrorism are the worst, each having numerous conflicting definitions. So, in order to clarify my own thoughts, here is my attempt to pin down the meaning of some popular phrases in the context of national security:

• cyber attack - malicious use of information systems in order to influence the information, systems, processes, actions or decisions of the target without their consent,
• cyber conflict - a confrontation between two or more parties, where at least one party uses cyber attacks against the other(s),
• cyber war - a cyber conflict between state actors, where the critical information infrastructure is attacked,
  
• cyber terrorism - a cyber conflict where one party is using cyber attacks to cause fear, physical damage, and/or death among the civilian population of the other party.

Note that information collection, an activity usually limited to espionage, intelligence gathering and crime, is not included in the cyber attack definition. [TO DO: better explanation of the concept]

I am sure these definitions will change as my understanding of the topic grows.

ECIW 09 in Lisbon

I just got back from Lisbon and the 8th European Conference on Information Warfare and Security. This annual conference brings together 60-100 academics from across the world to present and discuss their research during the two-day event.

A paper that I wrote for the conference in the winter got published in the proceedings (see publications). The main idea of the paper is that there are three general ways to create an offensive capability in cyberspace:

• establish a unit/agency for that mission ("conventional" own forces approach)
• outsource the problem by hiring digital mercenaries, cyber criminals and the like
• develop or hijack a volunteer force, or a cyber militia, to attack convenient targets with little or no attribution for the state.

In reality, a combination of two or three is potentially more powerful than any single approach.

While thinking about the last two approaches, I came to some interesting conclusions. First, if a government uses volunteers or mercenaries to conduct an "illegal", or at least unethical, campaign against its political enemies, then there will be a rise in (cyber) crime in the state. This happens because the government cannot alienate the "friendly" attackers by arresting them for non-political crimes (such as sending spam, stealing credit card information or DDoSing commercial sites for blackmail). This also explains why cyber criminals seem to flourish in some states that also seem to have an aggressive stance in cyberspace.

The second idea was that in case of volunteer forces, the government would have to "exercise" these forces once or twice a year, in order to keep them "on mission". A volunteer offensive cyber militia will likely disband for more interesting pursuits, if they are not called to arms for several years. This means that the state would have to provide a steady stream of external or internal "enemies" to keep the militia occupied.

A time for a Cyber Service of the Military?

I stumbled on an article by COL Surdu and LTC Conti, which was published earlier this year in the IA Newsletter [Vol 12, No 1, 2009 - pdf]. In the article, they argue that US needs a new military service that would handle the cyber warfare mission.

Currently, each service already has small elements dispersed in the structure, but they are not coordinated, nor are they integrated into the bigger picture. I think they bring out a good point that the US military (in fact, other militaries as well) is not fit to fight a cyber war, as its leadership, processes and culture are fundamentally incapable to understand it.

The main problem is that the military does not place enough emphasis on technical expertise, or as they put it:

"Today’s militaries excel at their respective missions of fighting and winning in ground, sea, and air conflict; however, the core skills each institution values are intrinsically different from those skills required to engage in cyberwarfare.
...
To understand the culture clash evident in today’s existing militaries, it is useful to examine what these services hold dear—skills such as marksmanship, physical strength, and the ability to jump out of airplanes and lead combat units under enemy fire. Accolades are heaped upon those who excel in these areas. Unfortunately, these skills are irrelevant in cyberwarfare.
...
Consider the awards, decorations, badges, patches, tabs, and other accoutrements authorized for wear by each service. Absent is recognition for technical expertise. Echoes of this ethos are also found in disadvantaged assignments, promotions, school selection, and career progression for those who pursue cyberwarfare expertise, positions, and accomplishments."

I wholeheartedly agree with their arguments, having come to a similar conclusion some time ago. Their proposal to deal with this issue is to create a new service that would be on equal status with the kinetic services. However, I am not so convinced that a transition so profound can be made in one step. Perhaps it would be better to use the USAF model and first create cyber commands (historical Army Air Corps) within the services, then integrate them, and then, maybe, raise them into a new service.

They are right, however, that the root of the problem lies with the personnel management in the military. One could say that a techie should stay in the service, become the top dog and change it from within, but that discounts the fact that techies do not get promoted to top dog. In fact, there are precious little positions near the top that have anything to do with technology. Therefore, a techie must either be a multi-talent or forget his tech aspirations and plod up the traditional leadership/management track. Meanwhile, people who have a talent for tech positions will not be promoted and more than likely get rotated to (technologically) meaningless positions... or they get out. Therefore, any step that will accommodate the requirements and skills of the tech oriented service members while not undermining the traditional services, is a step in the right direction.

Blog open for comments

Greetings!

If you read this then I was successful in opening the blog for a test run among friends and colleagues. It is currently open for invitees only, in order to tweak and fine tune it based on YOUR feedback. So please, let me know what you think by way of comments or e-mail.

At some point I plan on going public with this blog, so your feedback is very important.

EDIT: Unfortunately, Google does not allow for a personalized invitation message, so I fear the more security conscious addressees will never reach this message. Ironic, eh?

Evgeny Morozov on Cyber Myths

Evgeny Morozov of the Open Society Institute has an interesting essay in the Boston Review about myths in cyberspace. Specifically, he addresses the scaremongering and vague threat information that is used to get access to funding, fame or power.

He points out many official statements that exaggerate the threat from cyber terrorism and cyber war and asks the question: is there any evidence to back up these claims? No, at least not in the public realm. He also makes a point that the threat from the net information is produced by intelligence/defence organizations and information security companies that benefit from the increased funding. I think he is right in the sense that there are very few facts available, so we are left with hypotheses and conjecture. Honestly, I am partly to blame, as I have presented similar worst case scenarios in numerous conferences, in order to raise awareness of the topic.

He also touches the foggy quagmire that is the international legal definition of cyber warfare and what, if anything can and should be done if one breaks out. I think we will not have a clear answer on this in the near future, but at least the topic is also addressed by professionals.

In terms of how useful cyber attacks are for the military, Morozov refers the opinion that superpowers do not need cyber power, as they have more conventional means to crush the enemy. While that may be true, the question of attribution once again comes up - who will the superpower nuke, if they cannot identify the source of the cyber attack?

On the other hand, his conclusion that we should focus more on the threats from cyber crime and cyber-espionage is correct. However, it is not correct because cyber war is improbable, but because the tools used in cyber war will be very similar to the ones used in crime and espionage. The same piece of malware can be used to steal your personal data, collect intelligence on your organization or to disrupt your networks in preparation for a war. Thus, better defense against crimeware will also mean better defense in war.

A comment on Estonia

Unfortunately, Morozov uses unclear wording that may suggest that Estonia was off-line for nearly a month in 2007. It would be more correct to say that Estonia was under attack for about three weeks in 2007, but only a few critical on-line services (like banks) were affected for clients inside Estonia. One of the options, a white-list based "island Estonia" defence meant that the vast majority of the attacks could be easily blocked while maintaining service to the vast majority of the clients. As a result, clients of the two biggest banks in Estonia saw only a 45-90 minute interruption of service at the start of the attacks and that only affected the web interface of the banks. What is worrying, however, that these were critical "civilian" targets in a political conflict.

Sure, non-critical services (public government websites and news sites, for example) did suffer longer service outages due to cyber attacks (mostly simple DDoS), but in my opinion this was not a big issue for the state as a whole. The biggest effect would be potential information blockade, as local news sites or press sites are off-line, but that can easily be remedied by using other means of communication to push the message out (remember, e-mail works, phones work, faxes work, radio and TV are still on air, and even the postman makes his rounds). I personally had no problems communicating with friends and colleagues abroad throughout the period.