by Ron Kelson, Pierluigi Paganini, Benjamin Gittins, David Pace
US military strategist John Boyd states:
“War comprises acts of physical, biological, psychological, social, cultural and other destruction at all levels, for example, intrapsychic, interpersonal, intergroup, interorganisational, and international.”
Cyber warfare is combat in cyberspace and includes computers, the Internet and the “sphere of human thought” (Noosphere, Social Media). Cyber operations can be Kinetic (physical destruction) and Non-Kinetic (attacks against computers, intellectual property, financial systems, and the realm of ideas, opinions, beliefs and feelings). The boundaries between conventional operations (munitions, psychological) and cyber operations are blurring, as cyber attacks begin to be used as a force multiplier in conventional operations.
Cyber warfare is generally different from cybercrime, with cybercrime seen as financially motivated, and cyber warfare as politically motivated. Cyber attacks that result in physical destruction of critical infrastructure or large loss of life are considered acts of war/terrorism. Cyber attacks can originate or be triggered from anywhere. Cyber warfare can be conducted by traditional nation-states and other actors. Paradoxically, cyber warfare can, and already does, take place during “peacetime” periods when there is no conventional conflict occurring.
In recent years, the use of technological tools for military operations has increased significantly. Countries such as the USA, China, Israel and Russia were the first to invest significantly in building cyber warfare capabilities. Today it is claimed that at least 140 countries are developing cyber weapons, which are seen as covert and highly cost effective. Not surprisingly, the number of cyber warfare operations has increased substantially. Every day there are thousands of attacks against government systems around the world originating from hostile foreign states. Vast amounts of information are being stolen and time-delayed kinetic attacks are being installed in critical infrastructures. Although predominantly non-kinetic, these attacks still cause real damage and are still ‘war’.
What are the main types of cyber warfare attacks?
Offensive attacks for sabotage: The primary purpose of these kinds of operations is to destroy the target, typically critical infrastructure such as communication systems, power grids or transportation infrastructures. Economic systems are also key targets. For example, several stock markets have been attacked by foreign countries, as happened to the Israeli Tel Aviv stock exchange at the start of 2012.
Stuxnet malware is the best-known example of a cyber weapon (widely believed to be) developed by US and Israeli intelligence agencies. It is designed to sabotage the Iranian nuclear industry by attacking nuclear sites that were advancing their uranium enrichment programme.
Cyber espionage: The act of gathering sensitive, proprietary or classified information from individuals and governments, for military, political or economic advantage, using illegal exploitation methods on the Internet, networks, software and/or computers.
There are different types of cyber espionage depending on the scheme adopted to steal classified information that is not handled securely. The attacks could be conducted using malware to spy on victim systems, or by introducing/exploiting backdoors in software or hardware. Recently, one of the main concerns regarding cyber espionage is attacks that gather information through social networks. These platforms are a rich mine of information that could give an attacker an advantage, and the acquired data could represent a preparatory phase for a major (conventional) offensive.
Cyber weapons for cyber war
Thomas Rid and Peter McBurney state that a cyber weapon threatens security with significant legal, political and other consequences. The line between what is and is not a cyber-weapon is subtle.
They define “cyber weapon” as “a computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings”.
An interesting classification of cyber weapons is based on a spectrum of actions. In this scale we introduce the following categories:
- Low potential is malware able to affect systems from the outside, but unable to penetrate the target or to create direct harm. In this category there are tools and software designed to generate traffic to overload a system and adversely impact its services with a temporary effect (for example, Denial of Service attack) without actual software or hardware damage.
- Medium potential is any malicious intrusion that is able to disrupt or modify the behaviour of systems and steal information but cannot result in kinetic harm to a person. Generic intrusion agents such as malware, which can spread rapidly, are included in this category.
- High potential is an agent that is capable of penetrating the target, avoiding security controls (antivirus) and creating direct kinetic harm to the victim. For example, a sophisticated piece of malware such as the Stuxnet virus, which targets and harms a specific cyber-physical system. Inside this category we introduce a further distinction between a learning agent and an intelligent agent/weapon like Stuxnet that is without learning capabilities.
Typically, the higher the potential for damage, the higher the cost and complexity of developing these cyber threats. Furthermore, high value targets require a significant amount of time and intelligence to discover enough information to develop specific targeted weapons. For this reason some parties seek to identify and exploit other actors’ cyber offensive creations.
Developing cyber war capabilities is fundamentally different from developing conventional war capabilities.
According to Martin C. Libicki in the book Cyberdeterrence and Cyberwar prepared for the USAF:
“Cyberspace is its own medium with its own rules. Cyber attacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities.”
Investment in cyber war started around 2006. Today, several intelligence studies claim that more than 140 countries have a cyber weapon development programme. One example is the $110 million US Defence Advanced Research Projects Agency (DARPA) programme dubbed “Plan X” (2012). Its goal is to harness computing power to help the US wage war more effectively (for example, achieving kinetic effects). Plan X is part of a larger DARPA effort to create breakthrough offensive and defensive cyber capabilities. With a cyber budget of $1.54 billion from 2013 to 2017, DARPA will focus increasingly on cyber offence to meet military needs, officials say.
One of the goals of Plan X is the creation of an advanced map that details the entirety of cyberspace − a global domain that includes tens of billions of computers and other devices [ed: your computers and mine] − and updates itself continuously. Such a map would help commanders identify targets and disable them, using computer code delivered through the Internet or other means. Michael V. Hayden, a former NSA and CIA director, said he could imagine a map with red dots representing enemy computers and blue dots representing American ones. When the enemy upgrades his operating system, the red dots would blink yellow, meaning the target is out of reach until cyber operators can determine what the new operating system is.
Bearing in mind Martin C. Libicki’s statement: “Cyberattacks are enabled by the exploitation of the enemy’s vulnerabilities,” Libicki goes on to say: “The [cyberspace] medium is fraught with ambiguities; something that works today may not work tomorrow (indeed, precisely because it did work today).”
For Plan X to provide a “return on investment” to the United States, the billions of (civilian) computers connected to the Internet must have known exploitable vulnerabilities.
Consequently, the designers of cyber war weapons will be incentivised to: a) identify vulnerabilities and keep them a secret from the open community, b) introduce exploitable vulnerabilities into the software and hardware of computers used in civilian and critical infrastructure applications. The same incentives hold true for the 140 countries that now have at least one cyber weapon development programme. Hold this thought for just one minute while we consider the other side of the coin.
To quote the US CyberSpace Policy Review:
“Cyberspace touches practically everything and everyone. It provides a platform for innovation and prosperity and the means to improve general welfare around the globe. But great risks threaten nations, private enterprises, and individual rights. The government has a responsibility to address these strategic vulnerabilities together with the larger community of nations. Only by working with international partners can the United States best address these challenges, enhance cyber security and reap the full benefits of the digital age.”
No one can create a secure ICT ecosystem just for themselves because today’s computers and software are sold in every nation to achieve the necessary economies of scale to make them cost-effective. In our interconnected and interdependent global village we can’t create a secure “cyberspace” for international commerce if it is not globally secure.
According to military strategist Carl von Clausewitz, “War is an act of violence to compel our opponent to fulfil our will,” that is “the compulsory submission of the enemy to our will is the ultimate object. In order to achieve this object fully, the enemy must be disarmed.” That is, they must be vulnerable and exposed.
Will nation states invest in an effective cyber attack capability (and undermine the stability of the global community and their own nation), or will they invest in a truly effective common cyber defence? It is simply impossible to achieve an effective cyber defence if we deliberately leave exploitable vulnerabilities open to support cyber attack capabilities. There are important reported examples of parties discovering and exploiting government-sponsored backdoors, such as one government’s monitoring of pro-democracy activists through a backdoor in Google’s Gmail, and the monitoring of Greek government ministers’ phone calls.
An effective cyber defence requires the creation of inclusive trustworthy and dependable communication and computation systems to protect the legitimate interests of all stakeholders in multi-jurisdiction, multi-stakeholder Internet-scale environments. Future systems should embody the democratic principles of laws (fault tolerance, separation of powers, system of checks and balances, mutual accountability) directly in their architecture.
The ICT Gozo Malta Project and Synaptic Labs support this vision by designing genuinely safe and secure ICT systems, with new commercial capabilities, to improve cyber security and safety across existing ICT infrastructures. Modern life depends on ICT, and citizens deserve the confidence of knowing that the weaknesses in current critical infrastructures and their personal computing devices are being addressed and removed. The stability of nations, and of the global community, is at stake. A common/global defence policy must be defined. We still have much work to do. As a neutral nation, Malta is making a positive contribution to this goal.
Pierluigi Paganini, Security Specialist CISO Bit4ID Srl, is a CEH Certified Ethical Hacker, EC Council and Founder of Security Affairs (http://securityaffairs.co/wordpress)
Ron Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited.
Ben Gittins is CTO of Synaptic Laboratories Limited.
David Pace is project manager of the ICT Gozo Malta Project and an IT consultant.