Tuesday, December 29, 2009

Cyber communities

I happened on an interesting site (wish I had found it sooner) that also deals with cyber warfare research. Near the top of the blog pile is an interesting series of posts, which looks at the various Cyber Warfare communities that have a stake in the issue.
Although there are a lot of good points in there, let me just reiterate one - there are not many publication opportunities for cyber warfare researchers. Sure, you can hook your topic to information security, information operations, or any number of other topics, but still - very few dedicated venues like the upcoming Conference on Cyber Conflict.

I'll now turn back to the Selil blog, to see what else I can find. See you all next year!

Monday, December 28, 2009

Milblogging, ad-hoc cyber militia and science

I read a paper by Sean Lawson about the debate and conflict [pdf] between the US Army and the milblogging community (servicemembers who blog about their experience in the military, including combat reports).

While the article focuses on the blogging servicemen, we should also note that the same tool is available to everyone. This spontaneous "online, volunteer public affairs or information operations corps" would be a perfect rallying tool for an ad-hoc cyber militia. Consider that there are numerous blogs on controversial issues (including pro and contra sides for each), which typically have a steady readership, even if it is small. All it takes is for the blogger to post a rallying cry (and some instructions) and an ad-hoc cyber militia is formed and ready for action.

Members of such a group are pre-selected (or rather self-selected) and have strong feelings about the issue. Therefore, they probably need very little persuasion to join up.

If you have the time and the interest, there is also a link to his doctoral dissertation on his web site. It gives a good overview of the development of the science of war, explaining the heritage of terms such as the OODA loop and network-centric warfare, as well as providing an overview of the relationship between the US military and the scientific community. Interesting to read. Nearly 400 pages, however, so be warned.

Tuesday, December 22, 2009

Russia and Cyber Attacks

A colleague pointed me to an article in the Baltic Security and Defence Review, an annual publication of the Baltic Defence College (international staff college for military officers at OF3-OF5 ranks). MAJ William Ashmore (US Army) writes an overview of recent cyber conflicts with Russia, titled "Impact of Alleged Russian Cyber Attacks" [pdf].

While the article covers a lot of ground, it seems that he is not a subject matter expert in cyber conflicts. The quality of the references is relatively weak (mostly public news media) and there are a few simple errors. On the other hand, he has done a fairly broad background check of the legal/doctrinal work done at the OSCE, the UN etc.

He provides an overview of the events in Estonia in 2007 and Georgia in 2008, among others, and a summary of NATO's activities in setting up cyber defence. He spends some time on the Herman Simm case (a highly placed spy for the Russians in the Estonian MoD, caught in 2008), although to me his arguments there seem a bit weak.

He reviews the national and international responses/comments to the Russian cyber campaigns, including potential attribution. There is also a fairly interesting chapter about future trends in Russian cyber activities (including Dr Panarin's recommendations). I think he may be onto something when he says that in Russia, cyber is mostly seen as an offensive capability.

With the US primarily focused on the Chinese cyber threat, the Russian (and other) cyber studies remain in the background. Therefore, it is a refreshing piece of reading, regardless of some issues with depth or quality. As always, read the article for full info.

Happy holidays!

Friday, December 18, 2009

McAfee's Virtual Criminology Report 2009

I set aside some time this week to read the McAfee Virtual Criminology Report 2009 [pdf]. It has a provocative sub-title "Virtually Here: The Age of Cyber Warfare" that caught my eye. So, what was useful in there for me?

As the foreword (by the CEO of McAfee) already points out, politically motivated cyber attacks are on the rise and the term "cyber crime" does not describe them well. The foreword also makes the important point that this report comes from a private sector perspective, unlike the usual government/military perspectives on cyber warfare. As it turns out later, however, it is more of a broad-spectrum overview that doesn't really focus on any particular sector or issue.

The report gives a short overview of the events in Estonia 2007, Georgia 2008 and US/South Korea 2009. The Georgian overview is based on the US Cyber Consequences Unit overview [pdf], which is the public high-level summary of a more detailed report.

Of more interest is the method for scoring cyber attack attributes that is presented on pages 8-9. Experts assign values to a cyber conflict in four categories to determine the severity of the event (no reference given):
"Source: Was the attack carried out or supported by a nation-state?
Consequence: Did the attack cause harm?
Motivation: Was the attack politically motivated?
Sophistication: Did the attack require customized methods and/or complex planning?"
They have provided a table for assigning values and have applied the model on the three conflicts mentioned earlier, providing a bar graph. I have done similar work in my Master's studies. In retrospect, it is only of limited use, because the values are highly subjective and in the end - it does not prove anything.
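As an added illustration (not code from the report or from this blog), the rubric can be written down as a small scoring function, which also makes the subjectivity problem concrete: if every category score may be off by one point between two experts, the ranking of the incidents can flip. The 0..3 scale per category is an assumption, since the report's value table is not reproduced here, and the three incidents are constructed examples, not assessments of real events.

```python
"""Four-category severity rubric (source, consequence, motivation,
sophistication) as described in the McAfee report, plus a check of how
sensitive the resulting ranking is to subjective scoring.

Assumption: each category is scored 0..3 (the report's own value table is
not reproduced on the page). The incidents in SAMPLE are constructed
examples, not assessments of real events.
"""
from __future__ import annotations

from dataclasses import astuple, dataclass

SCALE_MAX = 3  # assumed scale: 0 (clearly no) .. 3 (clearly yes)
CATEGORIES = ("source", "consequence", "motivation", "sophistication")


@dataclass(frozen=True)
class Assessment:
    source: int          # carried out or supported by a nation-state?
    consequence: int     # did the attack cause harm?
    motivation: int      # politically motivated?
    sophistication: int  # customized methods and/or complex planning?

    def __post_init__(self) -> None:
        for name, value in zip(CATEGORIES, astuple(self)):
            if not 0 <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} outside 0..{SCALE_MAX}")


def severity(a: Assessment) -> int:
    """Unweighted sum of the four category scores (0..12 on the assumed scale)."""
    return sum(astuple(a))


def severity_range(a: Assessment, uncertainty: int = 1) -> tuple[int, int]:
    """Lowest and highest total if another expert rescored every category
    up to `uncertainty` points lower or higher, clamped to the scale."""
    lo = sum(max(0, v - uncertainty) for v in astuple(a))
    hi = sum(min(SCALE_MAX, v + uncertainty) for v in astuple(a))
    return lo, hi


def rank(events: dict[str, Assessment]) -> list[str]:
    """Event names ordered from most to least severe (ties broken by name)."""
    return sorted(events, key=lambda n: (-severity(events[n]), n))


def ranking_is_robust(events: dict[str, Assessment], uncertainty: int = 1) -> bool:
    """True only if no two adjacent events in the ranking could swap places
    under the given per-category disagreement between experts."""
    order = rank(events)
    for higher, lower in zip(order, order[1:]):
        if severity_range(events[higher], uncertainty)[0] <= severity_range(events[lower], uncertainty)[1]:
            return False
    return True


# Constructed incidents for illustration only (not real cases):
SAMPLE = {
    "defacement-wave": Assessment(source=0, consequence=1, motivation=3, sophistication=0),
    "ddos-on-banks": Assessment(source=1, consequence=2, motivation=3, sophistication=1),
    "intrusion-at-ministry": Assessment(source=2, consequence=2, motivation=2, sophistication=3),
}

if __name__ == "__main__":
    for name in rank(SAMPLE):
        print(f"{name:22s} severity={severity(SAMPLE[name]):2d} range={severity_range(SAMPLE[name])}")
    print("ranking robust to +-1 disagreement per category:", ranking_is_robust(SAMPLE))
```

With the constructed scores the totals are 9, 7 and 4, so the bar graph looks decisive, but the plus-or-minus-one ranges (5..12, 3..10 and 2..7) overlap, so a second panel of experts could order the same three incidents differently without anyone being obviously wrong. That is the author's point about subjective values in a single check.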

The report also mentions many well known issues in cyber conflict, including:
  • many nations are preparing for cyber war, but covertly
  • criminals and politically motivated attackers use the same tools and techniques
  • criminal groups may cooperate with governments
  • financial and other critical information infrastructure is at high risk
  • sharing threat information is good
  • there is a need for a public debate about the use of cyber weapons
  • the attribution problem and a nice intro to the cyber deterrence issue
  • the need for updated legal measures
  • cyber espionage
  • etc.
On one hand, this report should bring little new information to the experts and researchers who focus on the issue. It uses few, if any, quality (written) references, but this issue is balanced out by the number of expert interviews and direct quotes. Therefore, I thought it was nice to read, but I found nothing really provocative in there.

On the other hand, however, I find that it does a very good job as an introduction to the whole cyber conflict issue for non-specialist readers. If you need to convince your boss or your grandmother that cyber conflicts should be studied - have them read this report.

Friday, December 11, 2009

Abstract on capabilities of novice cyber warriors

Below is the abstract of a paper idea that I am currently developing. The main idea is to look at the potential actions available to low-level attackers: people who have no special training or experience with cyber attacks. The working title is "From pitch forks to laptops: volunteers in cyber conflicts". I would be grateful for any useful references on this topic.

Abstract:

The capability for organized violence in the international setting has normally been the domain of nation states. Cyberspace, however, provides an international arena where almost anyone has the power to attack any target at will. While most of these attacks have little effect, there is often little disincentive to using them, as attribution of cyber attacks and prosecution of attackers is still the exception rather than the norm. Thus, the 21st century farmers with pitchforks, or cyber militia, become more than a local force and, if organized well enough, can mount an offensive cyber campaign that could damage the economy or social order of a nation state on the other side of the planet.

In order to test this claim, I will first consider the potential threat from Internet users who are untrained in hacking techniques and who have very limited resources. In general, there are two types of activities open to such persons: supporting the cyber campaign by providing resources, cover and training (among other things), and launching cyber attacks as part of the cyber campaign. It is important to note that in a People's War-type conflict the support activities may be more significant than the fighting.

I will proceed by considering the potential threat from advanced hackers or hacker organizations. While there have been many well-publicized hacktivism campaigns, there are few examples of serious cyber strikes that target critical systems. Therefore, most of this analysis is theoretical, drawing on past examples as appropriate.

In the end, national security planners must face this threat and develop a strategy to counter it. I include some proposals for dealing with the cyber militia problem and discuss the potential merits and pitfalls of farmers with laptops engaging in cyber campaigns both on their own as well as in the service of a state.

Thursday, December 10, 2009

Warp speed, Mr Spock!

I realize that Spock is normally not at the helm, but there is method to my madness (I think). Spock is a science officer and therefore a better addressee in the case of academic publishing. The problem with the publishing process in science is that it is ... well ... light speed at best. And light is just way too slow if you want to explore the universe.

Consider this: if the Sun were to mysteriously explode with no warning, we would remain in blissful ignorance of the fact for roughly 8 minutes. So, something better is needed. In case of the Star Trek universe, the answer is Warp Drive, which allows for faster-than-light travel.

Similarly, the publishing process (write abstract, get it accepted, write full paper, get it reviewed, improve it, publish it) usually takes months, sometimes even years. This means that an idea can potentially die of old age before it is given birth (officially). Also, multiple people can work on the same idea and only discover on the eleventh hour that somebody has already beaten them to it (by 2 minutes and 42 seconds). Additionally, peer review is limited to one or two pairs of eyes, instead of the wider community. So, something better is needed.

I guess the best thing we have going for us is the Internet. Posting raw ideas in a blog like this, getting feedback and comments WHILE you develop a paper, not AFTER it is published could potentially be the warp drive that I'm looking for.

Oh, I am well aware that I am not the first one to gripe about this problem, nor is my solution original in any way. But it is something that I intend to try. So please, feel free to demolish my ideas in the comments section (or contact me directly via e-mail).

Shields up!

Wednesday, December 9, 2009

LinkedIn

I set up a LinkedIn account yesterday, since some of my friends and colleagues have asked for it. I am still looking for appropriate groups to join in there. Specifically, groups that could provide useful input to my research.

EDIT: if you have any suggestions, please write them in the comments below.

Monday, December 7, 2009

Review: Jose Nazario on Political DDoS Attacks

Time for another review. This time it is Jose Nazario's CWCON paper called "Politically Motivated Denial of Service Attacks." He looks at DDoS as one of the more visible and popular cyber attack forms and limits his sample to the attacks with a political motivation (as opposed to the standard criminal motivation: money).

NOTE: The final published version of this paper was accepted after the conference so it includes some more recent examples.

His research is based on data from three sources: the ATLAS project at Arbor Networks (basically, ATLAS collects data from sensors to provide an overview of the more visible cyber campaigns), infiltrated botnet C&C servers, and Border Gateway Protocol (BGP) routing data.

He starts out with a little overview of major political DDoS campaigns of the past, covering the following events:
  • 2001 Hainan Island incident
  • 2007 Estonia campaign
  • 2008 China v CNN campaign
  • 2008 Georgia campaign
  • 2008 Burma
  • 2007 elections in Russia
  • 2008 Radio Free Europe campaign
  • 2008 anti-NATO campaign in Ukraine
  • 2009 MSK forum DDoS in Kazakhstan
  • 2008 DDoS-censoring of Russian opposition websites
  • 2009 Israel v Gaza/Hamas
  • 2009 Kyrgyzstan - a false positive?
  • 2008 Kommersant DDoS
  • 2009 Kazakhstan opposition sites under DDoS
  • 2009 South Korean/US campaign
It is noticeable how most of these events are identified by the target only. In history, conflicts are usually named after both/all participants, or at least the participants are known. In cyber conflicts, however, it seems to be the norm that the aggressor remains anonymous. Even if all the circumstantial evidence and opinions point at one entity, rarely is there enough proof to attribute the attack in court.

He continues by describing the attacker type that seems to be behind most of the attacks listed. In general, the attackers are "classic right-wing" supporters of the government who target internal or external opposition. He also writes about using propaganda to recruit supporters for a cyber campaign and then training them online: a basic ad-hoc cyber militia. What the militia cannot achieve with finesse and expertise, they make up for in numbers (DDoS).

He points out that the classical goals of such attacks are to punish the target, to show dissent, or to censor the target (especially true for attacks against news outlets and opposition parties). He gives examples of partial attribution: the Nashi youth group in Russia, the Chinese Honker Union and StopGeorgia.ru. Note that in all these cases the attackers themselves made the claim; nothing has been proven in court (as far as I know).

He reviews some broad responses to the cyber campaigns listed and finishes with recommendations:
  • harness public support and international cooperation
  • deploy available commercial tools
  • be open to commercial offers to help
  • develop a more efficient decision making process
  • delegate authority
  • consensus is sometimes not necessary
In conclusion, he also points out that we need to study guerrilla and asymmetric warfare in order to succeed on the cyber battlefield.

The paper has numerous examples from recent years and thus gives a good overview of the extent of the problem. However, the examples have differing levels of detail (often too vague) to be of much help in researching a specific case. I would have expected a more detailed analysis of a limited number of campaigns. As always, read the paper for full value.

Wednesday, December 2, 2009

Review: Billy Rios on Cyber Attacks

It has been a busy time since the last post. I gave a short lecture at the NATO School in Germany last week and I'm preparing some paper ideas for next year. However, I decided to take a short breather and review another paper from the Conference on Cyber Warfare: Billy K. Rios wrote a piece titled "Sun-Tzu Was a Hacker: An Examination of the Tactics and Operations from a Real World Cyber Attack." His work is partially based on the Grey Goose Report I.

The paper tries to map some real cyber operations to equivalent concepts in maneuver warfare, particularly drawing on the Georgia case and the US Marine Corps doctrine. He starts out by describing the essence of maneuver warfare and points out that cyber operations cannot "win a war". Instead, they can break up the enemy's cohesion and allow for exploitation by other (conventional) means. Incidentally, the Chinese seem to have adopted the same idea.

Discussing decentralized command and commander's intent, he gives the example of how a target list of Georgian sites was posted in a forum without clear instructions for action. The forum members then contributed potential attack plans/instructions and discussed the campaign. As a result, a variety of targets and options became available and each attacker could choose a course of action suitable for his skill, resources and level of motivation. As a side note, similar behavior was observed a year earlier during the cyber campaign against Estonia.

As an example of combined arms, he gives the example of SQL injection queries for fingerprinting and gaining access to database contents (NB! starting a month before the armed conflict), exploiting this information for intelligence, and preparing automated attack tools that are then provided through the forum to anyone interested. I think he could have used a better example, because the link to combined arms is not clearly apparent.

Illustrating the concept of initiative, he uses the examples of pre-emptive intrusions into Georgian systems and the sustained pressure to keep the initiative on the attacker's side, while forcing the Georgians to react. As a result, responding to cyber attacks wasted valuable time.

He also explains the importance of identifying and attacking enemy Centres of Gravity, although he does not connect it to the Georgian case. The important point is that these centres need not be physical fortifications or units, but can also encompass things like morale and resolve. Clearly, cyber attacks are a potential way of attacking the enemy centres of gravity, especially C2 networks and information targets.

He then points out that conventional weapons have physical limitations and the skill of the operator can have only a relatively small effect in terms of stretching the effective range, damage etc. For example, a skilled marksman with an M4 carbine can hit a target from several hundred meters with standard sights, but not much more. On the other hand, the cyber warrior's capability to do damage is directly correlated with his skills. I especially like this sentence:
"Creating an offensive cyber capability is less about finding the right hardware and more about finding the right people and skillsets."
He also highlights that this poses a problem for intelligence analysts, as it is very difficult to estimate or track the development of an offensive cyber capability, because the key component is the skill set of the operators, not the money invested or the hardware acquired.

Rios summarizes the paper by emphasizing that
  • cyber capability should be incorporated into the overall plan, as it will not win the war on its own.
  • Command and Control should be kept decentralized and decisions delegated to the lowest level. [This is in contrast to the Chinese doctrine, which seems to prefer rigid central control and limited use of the cyber strikes. - RO]
  • the individual cyber specialist is the weapon system, not his laptop or his sidearm.
The paper is short and to the point. I like the summary, which brings out some good points (even some that do not seem apparent from the main text).