Inside Cyber Warfare

Jeffrey Carr

The proposed 5-stage framework of politically motivated cyber attacks can be used to create a Defense Readiness Condition (DEFCON) for cyberspace. The existing DEFCON scale, from 5 to 1, measures the readiness level of the US armed forces. DEFCON 5 represents normal peacetime military readiness, whereas DEFCON 1 represents maximum readiness and is reserved for imminent or ongoing attacks against the United States.

The 5-stage model could also be used to inform the United States' DEFCON rating for cyberspace. Cyber DEFCON 5 exists during normal conditions with latent political tensions between the United States and a range of adversaries.

Cyber DEFCON 4 could be activated when cyber reconnaissance is detected against the backdrop of existing latent political tensions between the United States and its adversaries. For example, when probes are detected from Russia, China, or other adversaries with a demonstrated cyber warfare capability and a declared intention, DEFCON 4 should be activated.

Cyber DEFCON 3 could be activated in the aftermath of cyber reconnaissance and an initiating event. An example is the aftermath of the US-China spy plane incident in 2001, when a US Navy EP-3 surveillance aircraft collided with a People's Liberation Army fighter plane. That incident sparked a cyber war between US and Chinese hackers, during which a number of US and Chinese websites were defaced or knocked offline.

Cyber DEFCON 2 could be activated after an initiating event occurs and the mobilization of enemy cyber militias is detected. In the aftermath of the invasion of South Ossetia, pro-Russian hackers launched the website in order to mobilize a pro-Russian cyber militia. As previously discussed, cyber mobilization typically occurs in semipublic forums because militia organizers desire to attract as many sympathetic hackers as possible. The more public the call to arms, the greater the chance the militia will recruit new members and increase in size. Fortunately, the more public the call to arms, the greater the likelihood that the defender will detect the mobilization of the enemy's cyber militia. When these types of activities are detected, cyber DEFCON 2 should be activated.

Cyber DEFCON 1 should be activated when attacks appear imminent or are ongoing. It is apparent that cyber attacks will be used either in parallel with armed attacks or as the sole means of attack between adversaries. Therefore, it is important to understand how attacks are planned, organized, and executed.

Use of this model may improve the ability of the United States to predict and defend against future politically motivated cyber attacks. It is therefore important that this 5-stage model be discussed, tested, and altered as necessary.

[39] Ned Moran is a senior intelligence analyst for a well-known systems integrator, an adjunct professor in intelligence studies at Georgetown University, and a valued member of Project Grey Goose.

Originally Ned invited me to coauthor this paper for publication elsewhere, but due to my time limitations and the innovative nature of Ned's proposed model of predicting cyber attacks, I asked if he would consent to having it published here first. He graciously agreed, and I think the book is richer for it.

Chapter 13. Advice for Policymakers from the Field.

One of the many goals of this book is to offer informed advice to those individuals who will ultimately shape US policy in this highly complex domain. To that end, I announced an open call for submissions from individuals who are engaged in protecting their respective nation's networks from attack on a daily basis, both nationally and internationally.

Providing experts from other countries with a voice symbolizes the international approach to cyber security that has consistently provided the best results in combating cyber intrusions and in identifying the state and nonstate actors involved.

This chapter contains thought-provoking pieces of varying lengths from a naval judge advocate who wrote his thesis on cyber warfare, an experienced member of an international law enforcement agency, and a scientific adviser on national security matters to the Austrian government, as well as my own contribution.

When It Comes to Cyber Warfare: Shoot the Hostage

By Jeffrey Carr

Harry: OK, Airport. Gunman with one hostage, using her for cover. Jack?

Jack: Shoot the hostage.

Harry: What?

Jack: Take her out of the equation.

Harry: You're deeply nuts, Jack.

-Speed (1994), written by Graham Yost

The fun of movie scenarios aside, consider the same strategy when the hostage is not a human being but a piece of technology or a legacy policy that no one wants to change.

Here's a new scenario. A state or nonstate hacker attacks US critical infrastructures and Department of Defense networks at will and without fear of detection or attribution. He is able to do this from behind the protection of two very valuable "hostages" or, more precisely, "sacred cows" that US government officials, including the Congress, are loath to change: the use of Microsoft Windows and the regulation of a segment of private industry.

Hostage 1: The pervasive use of the Microsoft Windows operating system (OS) throughout the federal government, but particularly within the Department of Defense, the intelligence community, and privately owned critical networks controlling the power, water, transportation, and communication networks.

Hostage 2: The uninterrupted, sustained economic growth of US Internet service providers, data centers, and domain name registrars who profit by selling services to criminal organizations and nationalistic hackers that prefer the reliability and speed of US networks to the ones found in their own countries.

In this case, the best solution, bar none, is to metaphorically "shoot the hostage," thus denying an adversary both of his weapons: (1) malware configured for the Windows OS and (2) his attack platform, the most reliable Internet services companies in the world.

Shoot the first hostage by switching from Microsoft Windows to Red Hat Linux for all of the networks suffering high daily intrusion rates. Red Hat Linux is a proven secure OS, with fewer than 90% of the bugs per 1,000 lines of code found in Windows. Many decision makers don't know that it is the most certified operating system in the world, and it's already in use by some of the US government's most secretive agencies. Computers are changed out every three to four years on average anyway, so the monetary pain is probably not as great as it might seem. The benefit, however, would be immediate.

The data from Kaspersky Lab in Figure 13-1 shows how few malware have been developed for operating systems other than Windows. Linux certainly has its vulnerabilities, but the math speaks for itself. Shoot Windows and eliminate the majority of the malware threat with one stroke.

Shoot the second hostage by cracking down on US companies that provide Internet services to individuals and companies who engage in illegal activities, provide false WHOIS information, and other indicators that they are potential platforms for cyber attacks.

Figure 13-1. Kaspersky figures on malware distribution by OS

The forum, whose members were responsible for many attacks against Georgian government websites, including SQL injection attacks that compromised government databases, was hosted on a server owned by SoftLayer Technologies of Plano, TX.

The distributed denial of service (DDoS) attacks of July 2009 that targeted US and South Korean government websites were not controlled by a master server in North Korea or China. The master server turned out to be located in Miami, FL.

ESTDomains, McColo, and Atrivo, all owned or controlled by Russian organized crime, were set up as US companies with servers on US soil.

The Russian criminal underground prefers to host its web operations outside of Russia to avoid prosecution. And the robust US power grid, cheap broadband, and friendly business environment make this country the ideal platform for cyber operations against any target in the world, including the US government.

Congress needs to send a strong signal to US Internet hosting and service provider companies that profit must be tempered by due diligence and that they are, effectively, a strategic asset and should be regulated accordingly.

Neither of these recommendations is politically safe. However, the United States is now facing a serious threat from a new domain with so many evolving permutations that senior leadership, both civilian and military, seem to be standing still. And that's absolutely the wrong strategy to employ.

The United States Should Use Active Defenses to Defend Its Critical Information Systems

In June 2006, Lieutenant Commander Sklerov reported to USS NIMITZ as deputy command judge advocate. While on NIMITZ, he deployed twice and served as officer of the deck (Underway) during combat operations in support of OEF and OIF. He is currently stationed at Naval Base Kitsap Bangor in Silverdale, Washington, where he serves as the staff judge advocate for Submarine Groups NINE and TEN (also known as Submarine Group TRIDENT).

[40] The views expressed here are those of the author and do not necessarily represent the views of the Department of Defense.

Scenarios and Options for Responding to Cyber Attacks

The following are fictional scenarios that various government and private organizations come across, for which there is insufficient legislation or framework to guide them in deciding on a proportionate response to cyber attacks.

With these scenarios I have provided a list of options for response, to assist in the creation of future legislation governing such responses. As of this writing, some of the options considered here are either not legal or may be legally questionable.

Scenario 1

TeraBank, a financial institution with 5,000 employees, receives the same phishing email forwarded by 10 of its customers. The phishing attack prompts users to click on an Internet link to provide their online banking credentials and "validate their account."

Option 1

TeraBank contacts the Internet hosting provider of the phishing website linked to in the email and requests the website be taken down. The hosting provider will usually take down the phishing websites, but by the time that occurs, the phishers may have received hundreds of bank account credentials from TeraBank's customers.

Option 2

TeraBank forwards the email to other organizations, such as law enforcement. Law enforcement will receive many of these phishing emails, and as they are constrained by national borders, they would most likely do nothing. Some organizations, such as Internet service providers, may respond to this phishing attack by blocking access to the phishing site for their customers.

Option 3

TeraBank, using an automated computer program, enters information for hundreds of thousands of fake bank accounts into the phishing website. Although legally questionable, this approach would pollute the pool of valid banking credentials the senders of the phishing email would possess. It is likely that after attempting to use their harvested banking credentials with no success, the attackers would move on to launching phishing emails against another bank.

Option 4

TeraBank contacts a "hacker for hire" and pays him to launch a distributed denial of service (DDoS) attack against the phishing website, making it inaccessible. Launching DDoS attacks is illegal in many countries. Besides TeraBank financing an illegal act, the DDoS attack may impact the businesses of innocent parties, especially if their businesses are hosted on the same server as the phishing website.
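The first two options in Scenario 1 both depend on TeraBank quickly turning a customer's forwarded message into evidence: which link harvests credentials, which host it points at, and what to send to the hosting provider or law enforcement. The script below, an added example and not code from the book or its contributors, triages one such email. The raw message, the bank's domains (terabank.example and online.terabank.example) and the brand string "terabank" are all constructed for the example.

```python
"""Triage of a customer-reported phishing email (added example, not from the book).

Parses the forwarded message, extracts every link, separates the bank's own
domains from lookalike and unrelated hosts, and assembles the details a
takedown request (Option 1) or a law-enforcement report (Option 2) needs.
All domains, addresses and the sample email below are constructed.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate domains of the bank (hypothetical values).
LEGIT_DOMAINS = {"terabank.example", "online.terabank.example"}
BRAND = "terabank"  # name the phishers imitate in lookalike hosts

# Constructed sample: the phishing email as one customer forwarded it.
SAMPLE_PHISH = """\
From: "TeraBank Security" <alerts@terabank-secure.example>
To: customer@mail.example
Subject: Validate your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://terabank-validate.example/login.php?id=42">validate your account</a>
within 24 hours or access will be suspended.</p>
<p>Questions? Visit <a href="https://online.terabank.example/help">our help center</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_urls(raw_email: str) -> list:
    """Return every distinct http(s) URL in the message body, in order of appearance."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    # Bare URLs in plain text are not inside <a> tags; catch them too.
    bare = re.findall(r"https?://[^\s\"'<>]+", text)
    seen, urls = set(), []
    for url in collector.links + bare:
        if url.startswith("http") and url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def classify_host(host: str) -> str:
    """'legitimate' for the bank's domains, 'lookalike' if the host merely
    contains the brand name (e.g. terabank-validate.example), else 'unrelated'."""
    host = host.lower()
    for domain in LEGIT_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "legitimate"
    # Drop separators so "tera-bank" or "tera.bank" still match the brand.
    if BRAND in re.sub(r"[^a-z0-9]", "", host):
        return "lookalike"
    return "unrelated"


def build_takedown_report(raw_email: str) -> dict:
    """Assemble the facts a hosting-provider abuse desk or law enforcement would need."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    suspicious = []
    for url in extract_urls(raw_email):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "legitimate":
            suspicious.append({"url": url, "host": host, "verdict": verdict})
    action = ("request takedown from the hosting provider of each host; "
              "forward the report to law enforcement")
    if not suspicious:
        action = "no action: every link points at a bank-owned domain"
    return {
        "subject": str(msg["Subject"]),
        "claimed_sender": str(msg["From"]),
        "suspicious_urls": suspicious,
        "action": action,
    }


if __name__ == "__main__":
    for key, value in build_takedown_report(SAMPLE_PHISH).items():
        print(f"{key}: {value}")
```

The report deliberately keeps the bank's own help-center link out of the suspicious list, since a takedown request that names a legitimate domain wastes the provider's time and the bank's credibility; the remaining host, with the full URL and the claimed sender address, is what the abuse contact needs to act on Option 1.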
