Inside Cyber Warfare

Jeffrey Carr

Part 20


Although a number of private companies and nonprofit organizations have constructed a cyber infrastructure designed to detect cyber attacks, these infrastructures do little to provide adequate early warning for a politically motivated cyber attack.

Additional technical solutions will not adequately solve the problem of building an early warning capability for detecting politically motivated cyber attacks. Instead, a fresh analytical framework is needed. This framework will help limit the pool of possible aggressors and allow policymakers to marry whatever technical evidence can be gathered during a cyber attack with a list of possible aggressors. Ideally, the output of this analysis will be the identification of the actor responsible for a cyber attack.

More importantly, this framework should allow defenders to predict rather than react to the occurrence of politically motivated attacks. The current cyber early warning systems, which track scans and probes, cannot provide the same predictive capability as the proposed model: they do not sort signals from noise and instead report on every perceived malicious scan and probe. The model discussed in the following section will allow defenders to predict when a cyber attack will occur and which actors are likely to initiate the attack.

Building an Analytical Framework for Cyber Early Warning

A careful review of numerous politically motivated cyber attacks reveals a consistent pattern in how they are organized and executed. Previous attacks, whether executed by nonstate or state actors, appear to be grounded in latent political tensions between adversaries. As these latent tensions heat up, cyber aggressors tend to carry out cyber reconnaissance probes in an apparent effort to prepare for future attacks. Latent tensions require some type of initiating event that can be used to mobilize cyber patriots into a cyber militia. The cyber militia can be used to carry out brute-force attacks, while more elite hackers can use the intelligence gathered from prior cyber reconnaissance probes to execute more sophisticated attacks (Figure 12-1).

Figure 12-1. Stages of a politically motivated cyber attack

Latent tensions

Although still dominated by nation-states, today's international political system features a number of players. Nonstate actors, such as terrorist groups, international organizations, and in some cases ideologically affiliated flash mobs, have exercised some measure of geopolitical influence.

It is therefore important to test the proposed model of the stages of politically motivated cyber attacks against both state and nonstate actors. The model must be equally useful in predicting a cyber attack originating from either a state or nonstate actor against either a state or a nonstate actor.

Latent tensions exist in the background between any number of actors in the international political system. For example, historical animosity between Muslims and the state of Israel has resulted in a steady state of politically motivated attacks, both in the physical world and in cyberspace. Under the right conditions, these latent tensions can explode into full-fledged warfare.

Cyber reconnaissance

Against this simmering backdrop, tensions can at times boil over. However, prior to the initiation of hostilities in cyberspace, adversaries are likely to conduct probes of each other's infrastructure. The rationale for conducting cyber reconnaissance is no different from the rationale for conducting reconnaissance in the physical world. Adversaries conduct cyber reconnaissance in an effort to discover vulnerabilities in their rival's infrastructure that can be exploited if and when tensions erupt into hostilities. Cyber reconnaissance also allows adversaries to develop effective tools specifically designed to attack an enemy's infrastructure.

During the August 2008 war between Russia and Georgia in the disputed region of South Ossetia, a parallel conflict occurred in cyberspace. Investigations by Project Grey Goose researchers found that pro-Russian hackers conducted in-depth cyber reconnaissance prior to the initiation of hostilities on August 8, 2008. Specifically, Georgian websites were probed for vulnerabilities. The US Cyber Consequences Unit (USCCU) later confirmed these findings. In a report on the cyber conflict in Georgia, the USCCU wrote: "[W]hen the cyber attacks began, they did not involve any reconnaissance or mapping stage, but jumped directly to the sort of packets that were best suited to jamming the websites under attack. This indicates that the necessary reconnaissance and the writing of attack scripts had to have been done in advance. Many of the actions the attackers carried out, such as registering new domain names and putting up new websites, were accomplished so quickly that all of the steps had to have been prepared earlier."

Initiating event

Initiating events are any events that cause latent tensions to boil over and trigger politically motivated attacks. Just as the assassination of Archduke Ferdinand put countries aligned with Austria-Hungary onto a collision course with countries aligned with Serbia and eventually led to World War I, similar initiating events have led to the outbreak of politically motivated cyber attacks.

The 2007 Cyber War against Estonian websites took place against the backdrop of simmering tensions between Estonia and Russia. Tensions between Estonia and Russia are primarily a result of the Soviet Union's annexation of the Baltic nation-state in 1940 at the start of World War II. Following this annexation the Soviet Union initiated a crackdown, arresting more than 8,000 Estonian citizens and executing an additional 2,000 citizens.

The proximate cause for the cyber attacks on Estonia was the Estonian government's decision to relocate a Soviet Red Army war memorial from central Tallinn, the Estonian capital city. Many Estonians see the memorial as a stark reminder of the former Soviet Union's "occupation" of Estonia, whereas many Russians view the statue as a memorial to the Red Army's sacrifices in its liberation of Estonia from Nazi Germany.

In the immediate aftermath of the statue's relocation, angry youths with links to the Kremlin rioted around the Estonian embassy in Moscow. Russian officials also insisted that the statue be returned to its original location, and in an unprecedented move, demanded that the current Estonian government resign. These riots in the physical world were paralleled by a corresponding campaign of digital violence.

Cyber mobilization

According to Adam Elkus, cyber mobilization "is a process of massing force against decisive points." The aggrieved actor uses the initiating event to incite patriotic hackers into action.

Examples of cyber mobilization abound. Chinese patriotic hackers have traditionally rallied support to their cause via various online message boards and chat rooms. In 2008, Chinese citizens created the Anti-CNN web forum in response to "the lies and distortions of facts from the Western media." Chinese citizens and patriotic hackers believed the Western media unfairly criticized China's treatment of Tibetan people. Although the creation of the Anti-CNN forum and the mobilization of Chinese patriotic hackers against Western media companies did not result in any successful high-profile attacks against Western media websites, the Anti-CNN forum was able to mobilize a number of Chinese citizens in its efforts to counter perceived biases in Western media coverage. In April 2008, shortly after the web forum launched, the website claimed to receive 500,000 visits per day.

Cyber attack

Politically motivated cyber attacks range in sophistication from small-scale denial of service attacks to well-organized and stealthy espionage attacks. The sophistication of a cyber attack is dependent on the skill of attackers and the amount of reconnaissance performed prior to the attack. A sophisticated attacker aided with intelligence gathered from reconnaissance can execute a devastating attack, whereas an unsophisticated attacker without any intelligence on its targets will be relegated to simple brute-force attacks.

Case Studies of Previous Cyber Attacks

A deeper understanding of this model can be achieved by analyzing previous politically motivated cyber attacks. To fully test the utility of this model, it is important to study previous cyber wars between nation-states, cyber attacks by nation-states against nonstate actors, and cyber attacks by nonstate actors against nation-states.

Case study: Cyber attacks against Georgia


Latent political tensions between Russia and Georgia existed prior to the breakup of the Soviet Union. In the late 1980s, Georgian opposition leaders pressed for independence from the Soviet Union. In 1989, Abkhaz nationalists demanded the creation of a separate Soviet republic. This demand led to conflicts between ethnic Georgians living in Abkhaz and Abkhaz nationalists supported by the Soviet Union.

Danish Muslim organizations sternly objected to the publication of the cartoons and held public protests to voice their displeasure. Protests soon spread around the world. The following February, protests against the publication of the cartoons continued, and a corresponding campaign of website defacements and denial of service attacks was launched.

According to zone-h, a European consortium of IT security professionals that tracks cyber crime, over 600 Danish websites were attacked. A majority of these attacks were website defacements; however, denial of service attacks against the Jyllands-Posten newspaper website were also executed.

The Prophet Mohammed cartoon controversy occurred against the backdrop of simmering tensions between European countries and Muslims (Figure 12-6). In the case of these attacks, very little cyber reconnaissance was required. Attackers understood that websites in the .dk domain were to be targeted. Many of the website defacements appear to have been carried out with automated scripts designed to exploit known vulnerabilities in production web server software.

Figure 12-6. Stages of cyber attacks on Danish websites

Although the cyber attacks occurred many months after the publication of the cartoons, it is clear that these cartoons were used as the initiating event to rally Muslim and other sympathetic hackers to the cause of attacking Danish websites. These defacement and denial of service attacks were coordinated through a network of jihadist websites. Defaced sites also included propaganda designed in part to promote further attacks against Danish websites. Additionally, individuals promoting the boycott of Danish goods launched a website. Although this particular website was not used to organize the Muslim cyber militia, it certainly drew attention to their cause.

Lessons Learned

Latent tensions and cyber reconnaissance are important stages in well-organized politically motivated cyber attacks, but they do not appear to be necessary. The low-cost and low-risk nature of cyber warfare allows an attacker to quickly coordinate an attack against an adversary. Latent tensions are not necessary as long as an initiating event capable of rallying a cyber militia to action occurs. A cyber militia can conduct an unsophisticated brute-force denial of service attack without conducting the type of extensive cyber reconnaissance necessary to execute a sophisticated cyber attack. The only reconnaissance required to conduct an unsophisticated brute-force denial of service attack is the simple list of targeted websites. However, these types of attacks are easier to defend against and therefore should not preoccupy US policymakers.

Instead, policymakers should focus on those cyber attacks executed by adversaries with preexisting grievances against the United States. These latent political tensions encourage an attacker's cyber militia to conduct detailed cyber reconnaissance as well as rally sophisticated hackers to join the attacker's cyber militia.

This model could also be used to distinguish between cyber crime attacks and politically motivated attacks. Sophisticated politically motivated cyber attacks will follow the 5-stage model set forth earlier in this chapter: latent tensions, cyber reconnaissance, initiating events, cyber mobilization, and cyber attack. Unsophisticated politically motivated cyber attacks will follow a truncated 3-stage model of initiating event, cyber mobilization, and cyber attack.

In contrast, cyber crime attacks are more likely to follow an altered 2-stage model: cyber reconnaissance and cyber attack. If no latent tensions exist between adversaries, no obvious initiating event occurs, and no mobilization of cyber militia is detected, then criminal organizations motivated by financial gain are likely responsible for the attacks in question.

The true value of this model is two-fold. From a proactive perspective, this model shows us that well-organized and sophisticated politically motivated cyber attacks are likely to involve some public or semipublic form of cyber mobilization. Cyber militias are likely to rally other sympathetic hackers to their cause via online chat rooms and message boards. These calls to arms are typically announced via public or semipublic channels because cyber militias are typically interested in rallying a large number of hackers to their cause. As more hackers join the cyber militia, the power of the militia increases in terms of its ability to generate more bandwidth during a distributed denial of service attack. Additionally, as more hackers join a cyber militia, more noise is generated, and defenders will have a harder time distinguishing truly malicious attacks from the more benign brute-force denial of service attacks. Fortunately for the defenders, as cyber militias attempt to rally more hackers to their cause, their public or semipublic communications can be intercepted. A proactive defender can intercept a cyber militia's call to arms and construct an informed defensive posture.

From a reactive perspective, use of this model could aid in assigning attribution for a cyber attack. As discussed, a sophisticated politically motivated cyber attack is likely to occur against the backdrop of latent political tensions between adversaries. As actors within the international arena are likely to have adversarial relations with only a limited number of actors, the pool of possible attackers is limited. The pool of possible attackers is further limited to those actors that have previously demonstrated both the capability and intent to conduct sophisticated cyber attacks.

Defense Readiness Condition for Cyberspace
