Topic 11: Current Issues in Security: Cyber Security - 26 April
NATO and Cyber attacks
'NATO does not define cyber-attacks as a clear military action. This means that the provisions of Article V ... will not automatically be extended.'
Eric Chien put it this way about Stuxnet:
'Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over a period of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process.'
Computer World calls Stuxnet
'one of the most sophisticated and unusual pieces of software ever created'
Alexander Klimburg: Hackers are traditionally distinguished as
'white', 'grey' or 'black hats'. Black hats operate beyond the law, for purely nefarious purposes, while grey and white hats actively support cyber-security efforts. Such cyber volunteers have more than once saved the Internet from itself.
Trends in Crime-Espionage Discourse
(1) Tech-savvy individuals (often young) with the goal of mischief or personal enrichment shaped the early history of cybercrime
- Today, dominated by professional criminals: cyberspace is perfect for theft, fraud, forgery, extortion, money laundering etc.
(2) Biggest challenge: the attribution problem
- How to identify those responsible for a cyberattack, and their motivations?
- Hidden online identities create 'plausible deniability' for actors and thus the ability to officially distance themselves from cyberattack(s), e.g. China
Cyber Security Discourses: (I) Technical Discourse
- Main actors: computer experts, anti-virus industry
- Main referent objects: computers, computer networks
- Focus on evidence to date: the large majority of attacks remain fairly unsophisticated and pursue small- to medium-sized businesses with little IT security awareness/investment
- On this basis, many argue the focus on 'advanced persistent threat' attacks is overblown: we hear a lot about them, but this is disproportionate to their current frequency of occurrence and contribution to cyber insecurity
Crime-Espionage Discourse
- Main actors: law enforcement, intelligence community
- Main referent objects: business networks, classified information (government networks)
- Threat posed not just by criminals or juveniles: classified/sensitive information could be acquired relatively easily via hackers, for third-party use
Stuxnet
- Cyber weapon designed to burrow deep into Iran's nuclear enrichment facility at Natanz and damage the nuclear enrichment equipment
- Aimed to shut down uranium enrichment centrifuges in Iran
- Highly advanced malware
Since 1999
- 2007: DDoS attacks against Estonia (attributed to Russia)
- 2008: DDoS attacks and website defacement against Georgia on the eve of the Russian-Georgian war (attributed to Russia)
- 2010: Stuxnet worm (attributed by Snowden to the US and Israel)
- 2017: Industroyer virus deliberately targeting power grids
Cybercrime:
A criminal activity done using computers and the internet
RMA
A revolution in military affairs
Arab Spring
A revolutionary wave of protests and demonstrations overtaking dictators in the Middle East (2011)
Kony 2012 campaign
A social media campaign to shine a light on Ugandan warlord Joseph Kony has attracted ire of its own after critics attacked its methods. Is using Facebook and Twitter to promote change pointless, or the natural extension of our social media habit? They terrorize villages, they take children into custody and turn them into child soldiers, they engage in rape and slaughter in villages they go through. They have been a scourge on Uganda and that entire region, eastern Africa. The video, part of a campaign called Kony2012, became a viral sensation with more than 35 million views. #Kony2012 was a number one topic of conversation on Twitter, and was shared multiple times on Facebook by concerned citizens and celebrities alike.
Military-Civil Defence Discourse
Actions targeting the entire information infrastructure of an adversary (political, economic, military) throughout the continuum of operations from peace to war
- 1999 NATO Op Allied Force: first sustained use of the full spectrum of information warfare components in combat
- Use of propaganda, disinformation, DDoS attacks, website defacement... hacking of bank accounts (?)
Mobilising Cyber Power
Alexander Klimburg
Encouraging mutual trust is perhaps the most important element in developing an integrated national cyber capability. - Alexander Klimburg
Appealing to patriotism will not be sufficient; they must be able to trust their government to do the right thing. Similarly, government needs to trust these groups as well. Encouraging mutual trust is perhaps the most important element in developing an integrated national cyber capability.
What is the actual impact of the RMA on the invasion and occupation of Iraq and Afghanistan?
Both campaigns defeated the initial resistance of the state very quickly: a little over three weeks in the case of Iraq and not much more in Afghanistan.
Alexander Klimburg: China and cyber-attacks
China is behind many attacks. China has the greatest number of internet users in the world, and blogging is a problem for the Communist Party.
It was recently revealed that Beijing maintained a programme to finance bloggers 'at times of public-opinion crisis'. There are reportedly as many as 30,000 such agents, all paid by the government, and apparently including some of the most well-known and trusted 'dissident' bloggers.
Many of China's technical (and particularly information-technology) students are automatically considered to be part of the Chinese defence organisation. Technical students are often drafted for one- to four-week training sessions to reinforce this status, and are considered to be part of the general (or ordinary) militia. It is possible for Chinese men to belong to the militia without ever having worn a military uniform. For many students in technical universities it is
Militia units are creating information warfare units. Many civilian institutions, especially state-owned enterprises, have a militia role as well.
Given the likely number of Chinese patriot hackers who may be part of military structures, it is not surprising that most cyber attacks on the United States come from China.
alternative of cyber attacks
Cyber also offers great potential for striking at enemies with less risk than using traditional military means
According to A. Klimburg from the perspective of a cyber warrior
Cyber crime can offer the technical basis (software tools and logistic support) and Cyber terrorism the social basis (personal networks and motivation) with which to execute attacks on the computer networks of enemy groups or nations.
alternative of cyber attacks
Cyber is, moreover, less costly than traditional military action
How significant is the cyber risk?
'Cyber-doom' scenarios are popular, but to what extent do they reflect reality?
- Few incidents have caused a national/global shock, and even fewer have caused physical violence against property or persons
- Strong mobilising power of military discourse PLUS bureaucratic 'turf wars'
- Cyber risk as a 'dread' risk: plays on fear and emotions, leads to calls for military retaliation
- Competing bureaucratic entities have an interest in overstating the threat
Cyberwar vs Cyber(ed) war?
Debate continues over the future of conflict.
- Does Stuxnet mark the beginning of unrestricted cyberwar amongst states?
- Will too much talk of 'cyberwar' create and perpetuate a cyber 'security paradox'?
- OR: Is cyber simply the 'fifth domain of warfare'?
This week's readings go into this in depth...
DoS attack
A DoS attack is a network attack carried out against a computer or computer network with the aim of paralysing a service and making it impossible for ordinary users to use that service, for example by disrupting web servers and taking them offline. A distributed DoS attack is carried out so that the attack originates from many directions, often from thousands of different IP addresses.
Stuxnet may represent a new twist:
First use of a cyber weapon, hidden within a shroud of ambiguity by the use of off-the-shelf and deniable resources drawn from the global cyber-crime community to help avoid attribution
Stuxnet used off-the-shelf code and tradecraft. That served two ends:
Firstly, it saved money by capitalising upon code expertise already proven effective. Secondly, Stuxnet's amalgam of components helped conceal its etiology. The central challenge in attempting to identify cyber attackers underscores the dark ecology of cyberspace
Trends in Crime-Espionage Discourse
Hacktivism = hacking and activism. Intentionally challenging the power of states to keep information secret (usually on grounds of 'national security').
- Activities of hacker collectives (e.g. Anonymous, LulzSec)
- Motives differ: keeping the internet free from state/corporate control; 'because they can'/entertainment; humiliating high-visibility targets.
Alexander Klimburg: The West, and the United States in particular
Has been relatively slow to realise the importance of integrated national capabilities in cyber power
Responding to cyber attacks
How nations respond - and how much support they can rouse in their defence against an attack - may depend upon their relative power and importance.
The traditional Law of Armed Conflict requires that one identify an attacker.
In cyber war, that is difficult to do.
Industroyer virus
Industroyer: Biggest threat to industrial control systems since Stuxnet. Industroyer's dangerousness lies in the fact that it uses protocols in the way they were designed to be used. The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind. That means that the attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware "to speak" those protocols.
Alexander Klimburg: Most Western nations do not have
Internet militias on the scale that China and Russia do, and they probably do not use cyber crime as a tool of cyber power, as there are often legal restrictions against it. But that is not to say that the liberal democracies, and the United States in particular, do not have considerable non-state national cyber capabilities. In fact, US national resources alone may dwarf all others.
RBN - Russian business network
Is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale. It is the originator of MPack and an alleged operator of the now defunct Storm botnet.
Alexander Klimburg: A common interpretation of China's national cyber capability
Is that the Chinese Communist Party aims to be able to regularly use its netizens to attack or spy on its foreign enemies, and to use indirect control through organisational affiliation with national defence frameworks to integrate them into national policy.
If the attacking parties would be identified:
It is clear that Stuxnet damaged the property of a number of parties outside Iran, which sustained only 60% of the Stuxnet infections. Some of the damage in countries such as India, which had a satellite affected, may have been potentially serious. That creates a potentially serious risk of political blowback if the attacking parties are identified.
Alexander Klimburg: Russians also have been involved in hostile cyber acts
It is usually unclear whether the perpetrators are state or non-state actors; the two often work closely together. Moonlight Maze occurred in 1998-2000; the attacks were traced back to the Russian Academy of Sciences in Moscow and were carried out by Russian cyber criminals, possibly with the active encouragement or even support of the Federal Security Service (FSB). Gangs of politically motivated hackers, so-called 'hacker patriots', have strong connections to the Russian security services and to the Kremlin. Former members of the security services, known as the siloviki, have steadily gained influence within the Russian government, a process that corresponded with the rise of Vladimir Putin. While the FSB was on the rise, so was Russian cyber crime. Many public reports have pointed to the role of the Russian Business Network (RBN), described by the Economist as the world's foremost cyber-crime organisation, as a provider of the logistic basis for cyber attacks.
One important benefit of cyber attack concerning the Iran case
It may be a greater opportunity to achieve goals such as retarding the Iranian nuclear program without causing the loss of life or injury to innocent civilians that airstrikes would seem more likely to inflict.
Cyber Security
Measures taken to protect a computer or computer system against unauthorized access or attack
German expert Ralph Langner describes Stuxnet as a
Military-grade cyber missile that was used to launch an 'all-out cyber strike against the Iranian nuclear program'
Alexander Klimburg: Data theft represents a direct threat to national security (and private business)
Network-exploitation attacks are also the basis for one of the most dangerous types of cyber attacks, the unnoticed planting of hidden 'logic bombs'.
Alexander Klimburg: A basic assumption of cyber power in Russia, China and perhaps elsewhere:
Non-state actors can be used by the state, publicly or secretly, to execute plausibly deniable cyber attacks
Arab Spring in Egypt
President Hosni Mubarak was in power for 30 years. He was put on trial (accused of ordering the killings of protesters). The military has been running the country since Mubarak was ousted. Much of the unrest in Egypt was driven by poverty, corruption, and a demographic bulge of young people unable to find work. At least 846 people were killed during the uprising and more than 6,400 people were injured.
Cyber attacks that cause physical damage or injury to people similar to damage or casualties in traditional war
Qualify as use of force and armed attack. Cutting power from an air-traffic-control facility and causing a plane to crash would qualify as use of force, whether the attack was a denial of service to facility computer systems, disrupting their function, or insertion of viruses, worms or other malware to achieve the same result.
Cyber crime, cyber terrorism and cyber warfare
Share a common technological basis, tools, logistics and operational methods. They can also share the same social networks and have comparable goals. The differences between these categories of cyber activity are often razor thin, or only in the eye of the beholder.
Do the new forms of social media that have been enabled by the IT revolution undermine, or contribute to, democracy?
Shirky: slow growth of a free media environment will contribute to democratic goals.
- Mobile text messaging and internet services allow 'larger, looser groups' to 'take on some kinds of coordinated action... that were previously reserved for formal organisations using shared awareness'
- Technology has encouraged a wave of global popular protest as 'memes' of street protest and the occupation of public space spread through these networks, e.g. Arab Spring...
Morozov: the internet and associated technology can serve the purpose of authoritarian control.
- Promote titillation, trivia etc. over serious public discourse, thereby distracting, rather than empowering, the citizenry
- Producing 'slacktivism', e.g. Kony 2012
- Facebook, Twitter, etc. provide an immense source of information for secret police and security services of various kinds to track and suppress dissent: places of surveillance, as much as liberation.
Social media role in the Arab Spring
Social media played a significant role in facilitating communication and interaction among participants in political protests. Protesters used social media to organize demonstrations (both pro- and anti-governmental), disseminate information about their activities, and raise local and global awareness of ongoing events. Research from the Project on Information Technology and Political Islam found that online revolutionary conversations often preceded mass protests on the ground, and that social media played a central role in shaping political debates in the Arab Spring. In some cases governments used social media to engage with citizens and encourage their participation in government processes; in others, governments monitored internet traffic or blocked access to websites, and in the case of Egypt cut off access to the internet, as part of the government's attempts to prevent uprisings. As a result of their research, many academics have come to the conclusion that social media played a critical role in "mobilization, empowerment, shaping opinions, and influencing change" during the Arab Spring.
Farwel & Rohozinski
Stuxnet and the Future of Cyber War (2011)
Stuxnet incident of 2010
Stuxnet was a computer virus, a 'worm', that infected systems at the Iranian nuclear facility at Natanz. It infected 60,000 computers in total, only about half of them in Iran. No responsibility was claimed for the attack, but the US and Israel were widely assumed to be responsible. Did Stuxnet show the future of cyber-war? It is likely that more effective viruses than Stuxnet will be developed and used to further aims in conflicts between states. Does the beginning of the twenty-first century mark an era of cyber-wars and information revolutions?
2000s: Nuclear fears and sanctions - US/IRAN conflict
The US accuses Iran of a clandestine nuclear weapons programme, which Iran denies. A decade of diplomatic activity and intermittent Iranian engagement with the UN's nuclear watchdog follows. But several rounds of sanctions are imposed by the UN, the US and the EU against ultra-conservative president Mahmoud Ahmadinejad's government. This causes Iran's currency to lose two-thirds of its value in two years.
Due to Stuxnet
The full extent of the damage remains to be seen, but the Iranians were apparently caught off guard and surprised by the degree to which their defences could be penetrated, even against highly protected air-gap systems. And even if the damage was limited and repaired quickly, Stuxnet points to a new way forward. A future attack, using more sophisticated worms or malware, may inflict more serious, longer-lasting damage.
Stuxnet's real strategic importance lies in
The insight it offers into the evolution of computer warfare that is occurring far away from Washington's beltway. The driver for this evolution is industrial cyber crime.
Alexander Klimburg: Cyber attackers often come through holes or mistakes in programs
The most important work is being done by software and hardware companies, to find bugs in their systems and deliver the relevant patches or fixes; the vast majority of attacks come through holes or mistakes in programs.
ALTERNATIVE of drone warfare
The most significant advantage of drone warfare is that it is comparatively cheap. Drones cost much less to build and operate than manned aircraft.
Cyberespionage:
The unauthorised probing to:
- test a target computer's configuration, or
- evaluate its system defences, or
- the unauthorised viewing and copying of data files
Cyber-war as the transformation of 'the metaphorical place in which machine-mediated communications occur' into a space of combat.
This means, in the main, the internet, the World Wide Web that is accessed through it, and the physical infrastructure from which this interaction emerges.
Botnet
Denotes a large group of unprotected home computers, on each of which a particular covert program that acts like a Trojan horse has been planted. The covert programs lie dormant awaiting further instructions, until a hacker uses them to remotely control all the computers at once for various malicious purposes.
Cyberterrorism:
Unlawful attacks against computers, networks, and the information stored therein, to intimidate or coerce a government or its people in furtherance of political or social objectives
- Such an attack should result in violence against persons or property, or at least cause enough harm to generate the requisite fear level to be considered 'cyberterrorism'
- The term is used loosely for cyber-incidents of a political nature
Stuxnet
a worm created to disrupt Iran's uranium enrichment program and thus damage that nation's nuclear capability
Alexander Klimburg: Netizen
anyone who uses the internet becomes a netizen
Alexander Klimburg: The bulk of Chinese cyber activity is directed
at internal control, either directly (through propaganda, censorship and collusion) or indirectly (through schemes designed to bind and co-opt potentially dangerous individuals, in particular netizens and patriot hackers)
Cyber attacks
carry a risk of collateral damage.
Alexander Klimburg: A nation's cyber power has three dimensions:
- coordination of operational and policy aspects across governmental structures
- coherency of policy through international alliances and legal frameworks, and
- cooperation of non-state cyber actors
denial of service attack - DDoS
floods a website with so many requests for service that it slows down or crashes the site
The idea of cyber-space as a new domain of war and hacking of various kind as a new tactic
has given rise to a great deal of speculation about the impact of cyber-attacks by terrorists, criminals or so-called rogue nations. For example, the US has experienced cyber-attacks, especially from China.
Cyber attacks that cause repairable physical damage with no long-term consequences and no injury to humans
have not been treated as use of force or armed attacks
Aid of cyber attack by states
is limited. Inevitably it will give rise, as in the case of Stuxnet, to questions as to whether action is justified under the UN Charter.
The key to the Stuxnet worm
is that it can attack both known and unknown centrifuges.
RBN
is the only criminal organisation identified by NATO as a major threat. Some 40% of global cyber crime, estimated in 2007 as worth over $100 billion, is said to be directly due to RBN.
The genius of the worm is that
it can strike and reprogram a computer target
UAV
known as unmanned aircraft or uncrewed aircraft (UA), commonly known as a drone
A key strategic risk in cyber attack,
lies in potential escalatory responses.
Stuxnet's core capabilities and tradecraft render it
more of a Frankenstein patchwork of existing tradecraft, code and best practices drawn from the global cyber-crime community. Nor is Stuxnet particularly innovative. The ability to jump air-gap systems is old news.
Stuxnet has apparently infected over 60,000 computers in:
more than half of them in Iran; other countries affected include India, Indonesia, China, Azerbaijan, South Korea, Malaysia, the United States, the United Kingdom, Australia, Finland and Germany
Strategies for using cyber weapons like Stuxnet
need to take into account that adversaries may attempt to turn them back against us
States are capitalising on
technology whose development is driven by cyber crime, and perhaps outsourcing cyber attacks to non-attributable third parties, including criminal organisations
Cyber war
politically motivated computer network hacking designed to conduct sabotage and espionage
Stuxnet has:
strong technical characteristics. Yet more important is the political and strategic context in which new cyber threats are emerging, and the effects the worm has generated in this respect.
Alexander Klimburg: For Western democracies, the most important dimension of cyber power is
the ability to motivate and attract one's own citizens, an inward-focused soft-power approach that is fundamental for creating a 'whole of nation' cyber capability
Cyber Security
the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access
Cyberwar:
the use of computers to disrupt the activities of an enemy country, especially deliberate attacks on communications systems. The term is used loosely for cyber-incidents of a political nature
Stuxnet is a sophisticated computer program designed
to penetrate and establish control over remote systems in a quasi-autonomous fashion. It represents a new generation of 'fire-and-forget' malware that can be aimed in cyberspace against selected targets.
The right to wage war
Jus ad bellum requires a proportional response to avoid collateral damage. What constitutes a proportional response to an attack is an inherently subjective judgement.
Those that Stuxnet targeted
were not connected to the public Internet and penetration required the use of intermediary devices such as USB sticks to gain access and establish control.