Pandemonium: Nation States, National Security, and the Internet
original by Kenneth Geers, brought into compact mode
Summary
Russia
Winston Churchill called Russia “a riddle wrapped in a mystery inside an enigma.” Today, cyber defence researchers often make a similar claim: Russia has the world’s best hackers, so they can operate quietly and without being caught. There is likely some truth in that, but it seems equally true that Russia has been at least tangentially involved in some of the best-known cases of international cyber conflict to date. From the Chechen Wars, the primary lesson for future cyber war planners is that, in the age of the World Wide Web, the propaganda battle for hearts, minds, and wallets will be fought website by website. In 1998, when Russian ally Serbia was under attack by NATO, anonymous pro-Serbian hackers jumped into the fray, flooding NATO networks with denial-of-service (DoS) attacks and at least twenty-five strains of virus-infected email. In 2007, Russia was the prime suspect in the most famous international cyber attack to date – the punitive digital assault on Estonia for having moved a Soviet-era statue. In 2008, there was evidence that computer network operations played a supporting role in Russian military advances during its invasion of Georgia, and Russia was the prime suspect in what U.S. Deputy Secretary of Defense William Lynn called the “most significant breach of U.S. military computers ever”, a USB-vector attack on Central Command (CENTCOM). In 2009, Russian hackers were blamed in “Climategate”, a breach of university research intended to undermine international negotiations on climate change mitigation. In 2010, the FBI arrested and deported suspected Russian intelligence agent Alexey Karetnikov, who had been working as a software tester at Microsoft.

In response to the spectre of future cyber wars, Russia, like the U.S., China, and Israel, is creating cyber warfare-specific military units and, in an effort to improve its digital defences, is buying old-fashioned typewriters.
China
China’s enormous population and rapidly expanding economy have combined to create a voracious appetite for information, which is sometimes most easily acquired through cyber espionage. Much of this espionage appears to have national security implications, which could, over time, alter the balance of power in the Pacific. As early as 1999, the U.S. Department of Energy believed that Chinese cyber espionage posed an “acute” threat to U.S. nuclear security. In 2001, following the mid-air collision between a U.S. Navy EP-3 signals intelligence (SIGINT) aircraft and a People’s Liberation Army Navy (PLAN) J-8II fighter, and the prolonged detention of the U.S. crew in China, pro-U.S. and pro-China “patriotic” hackers threatened to take the conflict into their own hands. More recently, China apparently stole the plans for the most advanced U.S. fighter jet, the F-35, and hacked Google, Intel, Adobe, RSA, Lockheed Martin, Northrop Grumman, the New York Times, the Wall Street Journal, and the Washington Post. In a turn toward critical infrastructure, U.S. intelligence agencies believe that Chinese hackers targeted two dozen gas pipeline companies, possibly for sabotage, as well as the U.S. Army Corps of Engineers’ National Inventory of Dams. Outside the U.S., the story is little different. Chinese hackers are believed to have compromised the British House of Commons in 2006, the German Chancellery in 2007, Japanese classified documents in 2011, an air-gapped Indian Navy headquarters in 2012, and in 2013 both the South Korean government and the Australian Security Intelligence Organization.

In response, Chinese officials contend that their country is also a victim of cyber attacks. In 2006, the China Aerospace Science & Industry Corporation (CASIC) found spyware on its classified network. In 2007, the Chinese Ministry of State Security stated that foreign hackers were stealing Chinese information, “42%” by Taiwan and “25%” by the United States. In 2009, Chinese Prime Minister Wen Jiabao announced that a hacker from Taiwan had stolen his upcoming report to the National People’s Congress. In 2013, Edward Snowden, a former system administrator at the National Security Agency (NSA), published documents suggesting that the U.S. conducted cyber espionage against China; and the Chinese computer emergency response team (CERT) stated that it possessed “mountains of data” on cyber attacks by the U.S.
United States
Ralph Langner, the most experienced researcher of Stuxnet, contends that there is “only one” cyber superpower in the world: the U.S. In fact, if we narrow our definition of cyber attack to the digital destruction of physical infrastructure, Stuxnet may be the only true cyber attack the world has ever seen. Analysts typically refer to the innovation and elegance of Stuxnet in quasi-religious terms: multiple zero-day exploits, a forced cryptographic “hash collision”, and exceptionally sophisticated sabotage under a veneer of legitimate operational data. This malware is so precise that it becomes active only on certain target network configurations, and parts of it have never been fully understood or even decrypted. In contrast to computer worms such as Slammer and Code Red, Stuxnet did not seek to compromise as many computers as possible, but as few as possible. What more could the cyber war skeptics be waiting for?

The most amazing thing about Stuxnet is that its true purpose was to change the course of world history. If Stuxnet was the world’s first glimpse of cyber war, the attack may have been followed by our first glimpse at a cyber counterattack. A group calling itself the “Cutting Sword of Justice”, possibly directly or indirectly supported by Iran, used the “Shamoon” virus to attack the Saudi Arabian national oil company Aramco, deleting data (including office documents and email) on three-quarters of its corporate computers – and replacing them with the image of a burning American flag. Another group called Izz ad-Din al-Qassam launched “Operation Ababil”, a series of DoS attacks against U.S. financial institutions including the New York Stock Exchange. More recently, the Wall Street Journal reported that Iran had increased its efforts to compromise U.S. critical infrastructure.
Middle East
In 2013, Iranian media reported that the Syrian army had carried out an attack, with some collateral damage to its own domestic networks, in order to facilitate the Israeli Air Force’s destruction of a suspected Syrian nuclear facility. In 2013, Iranian media reported that the Syrian army had carried out an attack against the water supply in the Israeli city of Haifa. Professor Isaac Ben-Israel, a cyber security adviser to Prime Minister Benjamin Netanyahu, denied the report, but nonetheless opined that cyber attacks on critical infrastructure pose a “real and present threat” to Israel. Often, the trouble with computer hacking is that offensive operations do not need to be highly sophisticated to succeed, even against a target as security-conscious as Israel: in 2012, the ineptly written “Mahdi” malware compromised at least 54 targets in Israel. In 2009, during Israel’s military invasion of Gaza, pro-Palestine hackers briefly paralyzed many Israeli government sites with a distributed denial-of-service (DDoS) attack emanating from at least 500,000 computers. Due to technical similarities with the 2008 cyber attack on Georgia during its war with Russia, Israeli officials surmised that the attack was carried out by a criminal organization in the former Soviet Union, and paid for by Hamas or Hezbollah.
North Korea
Due to ongoing regional and global tensions, everything that North Korea does is of interest to national security thinkers around the world, especially when it involves asymmetric capabilities such as weapons of mass destruction (WMD) and computer hacking.

North Korea launched its first cyber attack on U.S. and South Korean government websites in 2009. There was little damage done, but the incident gained wide media exposure. By 2013, North Korean hackers had matured. A group called the “DarkSeoul Gang” is believed to be responsible for high-profile operations against South Korea over a period of at least four years, including DDoS attacks and the insertion of malicious code that wiped computer hard drives at banks, media outlets, ISPs, and telecommunications and financial firms, overwriting legitimate data with political messages. Suspected North Korean attacks on U.S. targets include military units based in South Korea, the U.S.-based Committee for Human Rights in North Korea, and the White House. Such incidents often take place on dates of historical significance, including July 4th, the U.S. Independence Day.

North Korean defectors have described a burgeoning cyber warfare department of 3,000 personnel, likely trained in China or Russia. They believe that North Korea has a growing “fascination” with cyber attacks as a cost-effective way to target conventionally superior foes, and that North Korea is growing increasingly comfortable and confident in this new warfare domain, assessing at least two things: that the internet is vulnerable, and that cyber attacks can put psychological pressure on the West. To this end, North Korea has ensured that its own national servers are not connected to the internet, while simultaneously building a dedicated “attack network”.

As with China, North Korea asserts that it too is a victim of cyber attacks. In June 2013, when the North suffered a two-day outage of all of its in-country websites, North Korean reporters denounced “concentrated and persistent virus attacks” and proclaimed that the U.S. and South Korea “will have to take the responsibility for the whole consequences.” Pyongyang also noted that the attack took place coincident with Key Resolve, a joint U.S.-South Korean military exercise. The South Korean Joint Chiefs of Staff denied any connection.
India and Pakistan
As a final example, it is important to remember that wherever there is historical tension in the “real world”, there is now parallel tension in cyberspace. Although a heavily fortified border separates India and Pakistan on a traditional map, the quiet, borderless nature of the internet means that both sides are free to engage in computer hacking, even during peacetime.

In 2009, India announced that Pakistani hackers had placed malware on popular Indian music download sites as a clever and indirect way to compromise Indian systems. In 2010, the “Pakistani Cyber Army” defaced and subsequently shut down the website of the Central Bureau of Investigation, India's top police agency. In 2012, over one hundred Indian government websites were compromised. India, for its part, appears responsible for “Operation Hangover”, a large-scale cyber espionage campaign in which Pakistani information technology, mining, automotive, legal, engineering, food service, military, and financial networks were targeted.
World Map
According to FireEye data, the top ten countries that were home to malicious C&C infrastructure in 2013 are the United States (24.1%), Germany (5.6%), South Korea (5.6%), China (4.2%), the Netherlands (3.7%), the United Kingdom (3.5%), Russia (3.2%), Canada (2.9%), France (2.7%), and Hong Kong (1.9%). The U.S., probably due to a combination of over 500 million internet-connected computers, a free market philosophy, and plenty of intellectual property to steal, was home to nearly one quarter of the world’s initial C&C infrastructure in 2013. The largest international clusters of malicious servers were in Europe and Asia. The primary takeaway from this data is that the world is now swamped in malware – hacker infrastructure was found within the Internet Protocol (IP) space of 206 distinct country code top-level domains in 2013.

The consequence for cyber defenders is that the ubiquitous nature of initial C&C infrastructure allows attackers to change their point of attack to anywhere on the planet. Thus, attackers can and often do “appear” to come from anywhere because there is virtually no place on the Earth today that is malware free, from the Faroe Islands to the Falkland Islands to French Polynesia.
Conclusion
There is often a strong correlation between the sophistication of a cyber attack and its geopolitical context. In the case of Iran, the question at hand was whether to allow a new nation into the world’s nuclear club; it was one of the most important questions that international security decision makers could face. Therefore, it is not surprising that Stuxnet, the malware discovered inside the Iranian nuclear program, was the most advanced malicious code that public researchers have seen.

In the near future, the size of the international cyber stage and the number of actors upon it will grow. Governments will both want and need to flex their digital muscles in order to gain a comparative advantage in political and military affairs as well as to create some level of cyber attack deterrence.