Inside Cyber Warfare

Jeffrey Carr

Part 22

Scenario 2

Security researcher Fred Blinks discovers a website,, that has been hacked and is hosting drive-by-download malicious software or malware, which means that any visitors to the website could potentially have their computers infected with malware.

Option 1

Fred Blinks contacts the administrators of, advising them about the malware being served on their website and the fact their website has been hacked.

Option 2

Fred Blinks investigates the malware served on further and discovers that it connects to Fred also notices that provides statistics to the bot herder, such as from which website users were infected. Knowing this, Fred purposely infects a machine of his and inserts a piece of programming code into the section that the malware uses to tell the bot herder from which website the user was infected (in technical speak, this is known as the HTTP referrer).

This piece of programming code will cause the bot herder's Internet browser to connect to Fred's machine when the bot herder views the statistics of its bots, therefore providing Fred with the IP address of the bot herder.

Scenario 3

Law enforcement official John Smith discovers that an online hacking and credit card bulletin board,, has been compromised and that the hacker has advertised her alias and front web page of the hacked bulletin board.


Knowing that obtaining a copy of the ccmarket bulletin board database would provide an enormous amount of information, John Smith, using the alias "da_man," contacts the perpetrators of the compromise, asking if they would be willing to sell him a copy of the ccmarket database. This database would include information such as private messages, email addresses, and IP addresses. Here, John is financing a person who committed an illegal act.

Scenario 4

Law enforcement official Michael McDonald has been investigating an online group that is involved with sharing child abuse material. Michael believes he has identified the alias of the person who is leading the group, but he is unsure where this person is geographically located. Michael knows that this person uses anonymous proxies to mask his IP address when on the Internet and is reasonably technical. Michael also knows that this person appears to be sexually abusing children and uploading images of his crimes onto the Internet.


Michael, in consultation with his technical people, decides that the only way to identify the leader of this online child exploitation group is to compromise his computer.

Michael's technical people are able to successfully compromise the leader's computer, providing them with information that can positively identify the leader and the leader's whereabouts. Michael, who is based in the United States, now knows that the leader is based in Belarus and knows that his technical people may have broken the laws there.

In Summary

Policymakers would be well-advised to consider these scenarios as realistic depictions of events that could and do occur in many nation-states. The only question is which option best addresses the interests of the state and its citizens, and the answer to that question is outside the scope of this submission.

This essay was written by an active duty member of an international law enforcement agency.

Whole-of-Nation Cyber Security

By Alexander Klimburg

The general public is often wholly unaware of how much of what we commonly call "security" depends on the work of informal groups and volunteer networks. For a while it seemed that Western governments had generally gotten the message: when most of your critical infrastructure is in private hands, it is natural that new forms of private-public partnerships need to be created to be able to work on critical infrastructure protection. Organizations such as the US ISAC (Information Sharing and Analysis Center) and the UK WARP (Warning, Advice, and Reporting Point) are examples of this thinking. Unfortunately, most governments have a hard time moving beyond the "two society" (government and business) model. In an age where even the "managing" bodies of the Internet (such as ICANN) do not belong to either of these groups but instead are really part of the "third society", i.e., the civil society, this is a critical, and potentially fatal, omission. From groups of coders working on open source projects to the investigative journalism capability of blogs, the breadth of the involvement of the civil society and nonstate actors in cyber security is wide and growing. But what are these groups, exactly?

The variety of these groups is as wide as the Internet itself, and these groups also interact directly with the harder side of cyber security. Nongovernment forces of various descriptions have attacked countries on their own (e.g., Estonia, Lithuania) and defended them, helped wage a cyber war (e.g., Georgia), and sought to uncover government complicity in them. One can even argue that most of the cyber terror and cyber war activity seen over the last decade can be ascribed to various nonstate actors. A recent US Congressional inquiry heard that the great majority of the Chinese attacks against the United States were probably being done by young volunteer programmers whose connection with the security services was probably more accidental than anything else. Indeed, if one looks at the sum total of cyber security-relevant behavior, from software and patch development on the technical side to the freelance journalism and general activism on the political side (and with the "script kiddie patriot hackers" somewhere in between), it indeed seems that most "cyber security" work is done by members of the third society, with business following close behind, and government bringing up the rear.

Do these groups really have anything in common? After all, it is questionable whether heavily instrumentalized civilian hacker groups in China and Russia really qualify as representatives of a "civil society." Should they really be compared to, say, a Linux developers' group or an INFOSEC blog network? Aren't these "patriot hackers" just an update of the age-old paradigm of the citizen militia and the flag-burning rent-a-mob, but with broadband?

Although the militia model can to a limited extent be applied to some of the Russian and Chinese groups (indeed, the Russians actively talk of the need to maintain an "information society" for their national security, and the Chinese have recruited an "information operations militia"), the model just does not hold for the many groups rooted in liberal democratic societies. This is particularly evident when examining nontechnical (i.e., not "White" or "Grey" hacker) groups and their activities. They are increasingly able to provide critical input into one of the most difficult aspects of any wide-scale cyber attack, namely attacker attribution.

Identifying the true actors behind a cyber attack is a notoriously difficult task. Attributing attacks to individual actors is traditionally seen as being the acid test to determine whether an attack is rated as an act of cyber war or an act of cyber terrorism (or even "cyber hooliganism"). Given these rather high standards, governments have been notoriously reluctant to point fingers. After all, there was no evidence that could be shared publicly. On the surface it seemed that the authoritarian governments of Russia and China had found the ultimate plausible-deniability foil with which to jab the West: rather than personally engaging in hostile cyber attacks, these governments could simply refer to the activities of their "engaged and active civil society" and wash their hands of the affair.

The advent of engaged civil society groups has changed this. Since 2005, these groups have published a flood of reports that have examined suspicious cyber behavior, mostly originating in Russia and China. The Georgian cyber attacks were particularly interesting, as the timing seemed to indicate at least some level of coordination between the Russian military's kinetic attacks and the assault on Georgian servers. Reports such as those generated by Project Grey Goose helped to show that although the information of Russian government complicity in the cyber assault on Georgia was far from conclusive, there was much circumstantial evidence. For the reports, and the Western media that depended on them, this was sufficient. Unlike governments, for the public, "perfect" was clearly the enemy of the good.

The information in these reports is not good enough for cruise missiles, but it certainly is good enough for CNN. The barrage of reports that imply direct Russian government involvement has been widely reported in Western media. The increase of embarrassing questions posed to the Kremlin is probably a direct result of this media attention. At a cyber security conference at the Organization for Security and Co-operation in Europe (OSCE) in 2008, an American official privately remarked to me that the incessant accusations repeated in the media were leading the Kremlin to reduce its support of various groups, such as the pro-Putin Nashi, whose members have been implicated in cyber attacks. He directly credited the work of the civil society groups, including Grey Goose, in bringing this about. Sunlight as a disinfectant seems to work across borders as well.

It therefore appears that the best defense against a compromised or captive civil society is a free one. I have taken to referring to these "free" groups as security trust networks (STNs), and there are considerable differences between these groups and the ones that they often seem to work in direct opposition to: An STN is independent and not beholden to any agency of government or private business. The state does not exert direct control over them, and cannot (easily) shut it down. This does not mean that the STN does not support a government; it just means that it chooses when and if to do so.

An STN is defined not only by the trust within the network itself but also the trust that other networks bring to it. For instance, an STN will often be seen as a credible partner for government and law enforcement, despite having no formal structure or pedigree.


STNs are defined by ethics: besides (generally) operating within the remits of the law, their members share a common moral code, explicit or implicit, based on "doing the right thing." The shared moral mission of the STN is its official raison d'être.

Though the networks and systems that make up cyberspace are man-made, often privately owned, and primarily civilian in use, treating cyberspace as a domain is a critical organizing concept for DoD's national security missions. This allows DoD to organize, train, and equip for cyberspace as we do in air, land, maritime, and space to support national security interests.

Theoretical physicist Basarab Nicolescu argues that cyber-space-time (CST), a more accurate name than "cyberspace", is both artificial and natural at the same time:[45]

The information that circulates in CST is every bit as material as a chair, a car, or a quantum particle. Electromagnetic waves are just as material as the earth from which the calculi were made: it is simply that their degrees of materiality are different. In modern physics matter is associated with the complex relationship: substance-energy-information-space-time. The semantic shift from material to immaterial is not merely naive, for it can lead to dangerous fantasies.

One of Nicolescu's influences was Nobel Laureate Wolfgang Pauli.[46] Pauli, in turn, was intrigued by Carl Jung's theory of synchronicity. In fact, Pauli and Jung spent a great deal of time together because Pauli believed there was a relationship between Jung's acausal connecting principle and quantum physics, specifically a conundrum known as "quantum indeterminacy."[47] In a kind of ironic twist, Carl Jung's theory of synchronicity has its genesis in his fascination with an ancient Chinese oracle, The Book of Changes, or Yijing. Dating back to the Qin dynasty, this divinatory oracle teaches that the universe is composed of parts that are interconnected. The coins or yarrow stalks[48] used in the Yijing symbolize those parts, while their use symbolizes the mystery of how the universe works (Pauli's quantum indeterminacy). Chinese emperors and generals have used this oracle since approximately 300 BCE, and it may still provide a glimmer of insight into the mysterious nature of this new age of cyber-space-time, as well as how cyber battles may be fought and won.

There are examples of synchronicity in both psychology and science. During one of Carl Jung's many talks with Wolfgang Pauli on this subject, Jung described how a patient was relaying her dream of receiving a piece of gold jewelry in the shape of a scarab beetle and, in that exact moment, how a small goldish-green colored scarabeid beetle was repeatedly banging into the glass of Jung's office window.[49]

A similar example in chaos theory, known as the butterfly effect, connects two seemingly disparate events:

The flapping of a single butterfly's wing today produces a tiny change in the state of the atmosphere. Over a period of time, what the atmosphere actually does diverges from what it would have done. So, in a month's time, a tornado that would have devastated the Indonesian coast doesn't happen. Or maybe one that wasn't going to happen, does.[50]

While both Jung and Pauli are from the early 20th century, Basarab Nicolescu is a contemporary theoretical physicist who believes that cyber-space-time is on par with organic systems:

The emergence of at least three different levels of Reality in the study of natural systems (the macrophysical level, the microphysical level, and the cyber-space-time) is a major event in the history of knowledge. The existence of different levels of Reality has been affirmed by different traditions and civilizations, but this affirmation was founded either on religious dogma or on the exploration of the interior universe only.[51]

Another important scientific theory, similar to chaos theory, is complexity theory. Appropriately, both theories are children of the Computer Age because only computers are capable of performing the immense calculations needed to demonstrate them. A complex system is one in which numerous independent elements continuously interact and spontaneously organize and reorganize themselves into more and more elaborate structures over time. The World Wide Web is a perfect example of complexity theory in action, evolving from Web 1.0 to 3.0 and whatever follows from there. The relationship that physics, psychology, and ancient Chinese oracles have with cyber warfare is that the terrain of cyber-space-time is not only chaotic and unknown, but unpredictable. Although network defenses stop millions of automated probes and drive-by attacks each day, we are always surprised by targeted attacks, which are the ones that really matter. Before we can design a superior plan to defend against the targeted attack, we need to understand how dependent we have become on this new networked and wired world.

The world's militaries are struggling to cope with a new cyber battlefield because they are stuck in an old reality that no longer exists and are affected by a new reality they don't understand. The following sections present a few examples of threat vectors that can cause significant havoc, yet which current cyber warfare doctrine ignores.

Anarchist Clusters: Anonymous, LulzSec, and the Anti-Sec Movement

Anonymous and the anti-sec movement have offered concrete proof of how effective chaotic attack clusters can be at defeating poorly defended organizations. Their victims have included the Atlanta InfraGard office, the Arizona Department of Public Safety, Vanguard Defense Industries, HBGary Federal, and the CIA's public website. Although it's not a security organization, Sony had its web properties attacked more than 20 times in 60 days, which must be some kind of record. Anonymous hasn't only gone after US targets; other victims have included the Colombian Black Eagles Special Police Unit, the UK Serious Organised Crime Agency, and government websites in Brazil, Tunisia, Italy, Zimbabwe, and Australia.

Anonymous, LulzSec, Phsy, AntiSecPro Security Team, and many other similar clusters of anarchist hackers and script kiddies haven't used any advanced hacking techniques. They've been incredibly successful using nothing more than spear phishing, social engineering, and SQL injection when breaking into networks. Stolen information is then made public by hosting it on a public website like The Pirate Bay or Pastebin. They've been so successful at this that the Department of Homeland Security (DHS) took the unusual step of preparing and releasing a report on the organization.[52] While the FBI, Scotland Yard, and other international law enforcement agencies have made numerous arrests, these have had little effect on the ongoing operations. This is partly due to the nature of a loosely organized, widely distributed network that can randomly come together to form attack cells, then split apart and reform at a later date under new aliases. New members are eager to get involved since the barrier to entry is so low and the anti-establishment appeal is so high.
