Cyberwar! Let’s Work Through This, Shall We...

Tuesday, August 28, 2012

Joel Harding


Cyberwar!  I have a Google Alert for this as both “Cyberwar” and “Cyber War“.  

These terms have been thrown around like a ninja throwing star, various newspapers and even quite a few of our leaders are using the term liberally and it scares the snot out of little kids like a story about the Boogie Man.  *Harumph* I say, harumph.

Military theorists are going to shoot anyone down who uses the term “cyber war” because there is no such thing as “Land war” or “Sea War” or even “Air War”.  It’s war fought in different domains, which happen to include air, sea, land, space and now cyber.  It’s just another domain.  Get used to it.

Now let’s talk about ‘warfare in cyberspace’.  First we all thought that the conflict between Russia and Estonia was a cyberwar, but since then we’ve evolved our perception. 

The facts are that ‘someone’ (think Russia) decided to attack the Estonian banking industry when a statue commemorating a Russian soldier was removed.  The highly wired and interconnected Estonian banking industry and much of the government was shut down for a brief period. 

But nobody died, no military targets were destroyed and..  *gasp* there were no long term effects. Is that war? No.  Is that a cyberwar?  Good gracious, no.

2008, Russia attacks South Ossetia, a part of the country of Georgia, to protect Russian interests in that region.  In conjunction with a conventional Russian attack there was a call for assistance to close down various Georgian websites.  A target list was produced, tools/weapons were made available and a time schedule was provided.  This was pretty darned close to being a cyberwar, but it was just warfare in cyberspace as part of a larger war.

So what is cyberwar?  I imagine most people feel that some country is going to launch weapons or tools against another country, trying to blind their military, mute the other government and make life incredibly miserable for many of their citizens. 

The Geneva Convention will probably be ignored; civilian targets, including private businesses, critical infrastructure and even private citizens, will be affected, either directly or indirectly.  If the attacker is successful, a simple reboot of the target computers will not regenerate functionality and a part of the economic base of the targeted country will probably be permanently destroyed (although many dispute this, believe a simple reboot or loading backup tapes will be sufficient).  

To be truly effective the attacks will continue and each time an effected system is restored, it will be attacked again.  How much time and patience the attacker has, I don’t know, but I would imagine it will take weeks to effectively put a dent in a nation’s economy.  The banking industry is on a separate network (which I believe is also susceptible but that’s the subject of another article), and I believe it will survive for the most part. 

A sophisticated enemy is going to implant tools which will continually reattack and spread and cause long term damage.  More harmful would be a worm with the sole purpose of replicating and ‘delete *.* or fdisk on all .com, .gov and .mil systems’.

Is this possible?  Not yet.  The tools to do this have not yet been developed OR have not yet been used.  But, the good news is that whoever unleashes a God-worm will also kill their own computer and will shut them self off from the rest of the world.  I’m sure this little factoid will cross their mind at least once while they are developing their ‘God worm’.

Bottom line.  There are some really sick minds out there.  Some day, just some day, somebody will unleash a worm that might be programmed to ‘destroy anything with a .cn domain name.  Oops, that’s China.  Oops?

Cross-posted from To Inform is to Influence

Possibly Related Articles:
Government Military Cyberwar Cyber Security Attacks Infrastructure Cyber Offense cyber weapon Estonia
Post Rating I Like this!
Lisa Simpson Thanks to the ability to flash ROM's from the OS, it's pretty trivial to load trash into a ROM. Let's assume for a moment that this particular ROM is sitting on a RAID card in an HA server on the (Fill in Your Favorite Country Here)'s Stock Exchange that's responsible for recording transactions....
Michael Johnson I'd have to say the scenario is an extremely unlikely one, for the following reasons:
1. When have you heard of multiple targets getting hit in one attack? Sure, multiple targets got hit in the past by separate but related incidents, but never (to my knowledge) through a single incident.
2. Most enterprise networks will be segmented and have layered security. While an attack could theoretically affect stuff that's almost directly connected to teh Internetz on multiple targets, the effects would be superficial. It's not going to touch anything critical buried behind other properly configured stuff. Targeted attacks are needed for that.
3. Every network would have to be pretty much uniform to get the same effects widespread.

Having said that, remember that time when a load of traffic was 'accidentally' diverted to the Chinese portion of the Internet? A routing protocol attack, perhaps?
Joel Harding Michael, the attack on Estonia in 2007 was multiple targets in the same groupings of attack. It shut down much of Estonia's economy. The attacks on South Ossetia, again not proven but supposedly by Russia, were attacks on listed targets, tools were provided and a time schedule was posted. There probably are others. The attack on South Ossetia probably is a blueprint for future attacks, providing the tools, posting the targets and a time schedule really preserves anonymity and accomplishes results. The only drawback is that the world knows the country behind the attacks but can't legally prove it.
The layered security doesn't help with many attack suites. If all the front ends are targeted, everything behind is blinded from outside observation.
Good intelligence, before the attack, will reveal any and all vulnerabilities. As we all know, no network is completely impervious, we have cracks in every defense. To say otherwise is almost ignorant.

I always thought the routing attack was an accident.. but, having said that I'm sure it would have been a great dress rehearsal for a bigger DNS takedown. I've actually read about that in some "warfare in cyberspace" books.

Glad you're reading my stuff... keep the comments coming!
Michael Johnson But the Estonia attack consisted of DDoS against web sites, which is vastly different from actually penetrating networks and compromising stuff that's critical - stuff behind the front end that would really hurt, putting the targets out of business for months, if not permanently. Yes, it caused some degree of economic damage, but so did Anonymous' attack on PayPal. If that's a blueprint for future attacks, there's little to fear. DDoS is pretty lame and common now, and organisations should be anticipating it.

As for the routing attack, a successful one would do far more than take down the DNS (which likely isn't possible directly). It would cripple huge parts of the Internet. If the PRC somehow managed to propagate changes in routing tables that marked its own AS as more efficient than a target country's (geography and borders do matter), the traffic would get redirected. This is what 'cyber warfare' people should be worrying about, if they're concerned with attacks hitting multiple targets simultaneously.
Joel Harding A DDOS attack takes down a website, which was their objective. There was not attempt to penetrate the site.

As a former military offensive cyber planner I honestly did not care how I took down a site, I just wanted results. I never did, but it was made clear that if I were to target an electrical generator which powered the targeted server, I could knock out the server as well as anything else, especially if there is no backup power or an inadequate UPS. If I can mess with your DNS listing and divert traffic from your site during a critical time period, I have succeeded. If I deface your homepage I have accomplished almost next to nothing, the processes behind the screen are still ongoing. There is penetration and then there is mission accomplishment.

A proper cyber attack, on its own, is almost a stupid idea. But, if you can properly target thousands and thousands and thousands of servers and sites, you can effectively stifle any response. Honestly, do you think only the botnets owned by the Russians are the only compromise of massive amounts of computers worldwide? It's not legal, but who's to blame whom? I'm sure it's been at least discussed... darn the lawyers... Nay, they have the final say, darn it.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.