Cyberwarfare and measures to enhance cyber-security
Evolution of Warfare
The general evolution of warfare is well understood: there has been a shift from physical, direct armed attacks towards hybrid wars that include cyberspace. The evolution of warfare is broadly categorized into four generations (Cochrane 2009):
- 1st Generation – Human vs. Human
- 2nd Generation – Human vs. Machine
- 3rd Generation – Machine vs. Machine
- 4th Generation – Hybrid, “The Singularity”
This categorization shows that the 4th generation is the blurriest one, with no strict lines to define it. It subsumes far more means and tools for conducting wars than ever before.
There are big differences between traditional and new-generation wars, and those lie in the actors, goals, methods and forms of finance (Kaldor 2013). In terms of goals:
- Traditional wars: aim at defeating the other side and taking over its state
- New-era wars: concentrate on the opposite, the dismantling of states (Kaldor 2013)
This confirms the point made above about the blurriness of the new era of wars. Non-state actors are also involved, which makes these wars even more dangerous: the number of actors is much higher, and so is the variation in their goals and methods.
Future warfare evolution
Thinking ahead, there have been warnings about Artificial Intelligence (AI) and the possibility of war moving into space. It may sound like fiction, but not long ago 'cyber war' seemed fictional too. The biggest threats are probably cyber-attacks and weapons of mass disruption, which could be far more effective than bombs and bullets. Machines (AI and the whole Internet of Things) will most likely gain more and more capabilities and responsibilities and become autonomous, making their own independent decisions. That point is called 'the singularity', and it could become a threat to the whole of humanity and its existence. (Cochrane 2009)
Many great minds, such as Stephen Hawking, Elon Musk and Bill Gates, have expressed concern about the possible threats AI poses to humanity and the need to be aware of them. This is why safe ways of developing such capable computers and machines should be taken seriously, together with the technical ingenuity and legal strictures needed to constrain these innovations. (The dawn… 2015)
The term 'cyber war' is also used in quite a vague way, covering a wide range of activities, but mainly it encompasses actions by a nation state to penetrate another nation's computers and networks for the purpose of causing damage or disruption. (State security agency, 2015)
Proper examples would be the Russia-Georgia war in 2008, when a kinetic attack was combined with simultaneous cyber attacks against numerous Georgian government websites, and Operation Cast Lead (December 2008 to January 2009), when Israel's military operation in the Gaza Strip included cyber attacks against government websites and media outlets. (Real Cyber warfare: Carr's top Five picks, 2011)
Definition of a cyber weapon
Hostile actions in cyberspace are carried out with special tools called cyber weapons. A cyber weapon is malicious code that, by design or intent, causes injury to persons or damage to objects. It is built from one or more malicious programs aimed at espionage, data theft or sabotage, and it works by infiltrating enemy networks to violate the confidentiality, integrity or availability of the target (espionage and data theft attack confidentiality; sabotage attacks integrity and availability).
A cyber weapon has a considerable impact on how cyber warfare is conducted, and its main advantages for the attacker are:
- Unbounded aftermath: once released, the weapon's spread and side effects are hard to contain or predict
- No standardized international legislation for cyberspace, so there is no settled legal basis for counteracting it
History of cyberwars
The Morris Worm was the first case of a massive worm outbreak on the Internet. Written by Robert Tappan Morris, then a graduate student at Cornell, and released from MIT in 1988, it reached an estimated 10% of the machines then connected to the Internet. Even though it was designed to propagate rather than to damage the machines it infected, the fact that it could infect the same machine several times over overloaded those hosts and turned it into a dangerous weapon.
Using vulnerabilities in basic services of the machines, it spread by exploiting a debug feature of sendmail, a buffer overflow in the fingerd daemon, and the trust relationships of rsh/rexec together with weak passwords. Once it had a foothold on a host, it used that host's network connections to reach the rest of the network. The estimated cost of the first worm in history is between 10 and 100 million dollars, which is impressive considering that only about 6,000 machines were infected. It also led to the first conviction under the Computer Fraud and Abuse Act, enacted only two years earlier. (IntelFreePress, 2013)
In 2007, the websites of several Estonian institutions (parliament, banks, newspapers, ...) were shut down by coordinated DDoS cyberattacks. Websites and servers were flooded with requests, and news portals were spammed. The attacks followed the relocation of a Soviet statue in Tallinn.
Even though there is no hard evidence, several experts (both hackers and defense experts) believe the Kremlin conducted the attacks in retaliation. The only person charged for the actions was an ethnic-Russian Estonian studying in Tallinn, but given the scale of the attacks it is rather clear that he was not the only one coordinating them. Russia has always denied taking part in the attack.
In the end, a pro-Kremlin party from Transnistria (a secessionist region of Moldova) claimed the attacks had been carried out by the party. But as Transnistria is not recognized as a country by either the EU or Estonia, no further legal action was taken. (GWU, Jason Richards)
Stuxnet, USA counterstrikes
Discovered in 2010 and widely attributed to the National Security Agency (NSA) together with Israel's Unit 8200, Stuxnet is a worm that targeted Iran's uranium enrichment centrifuges. Its particularity was that it was the first worm of such complexity to target such a specific industrial process. The worm spread far beyond its intended target, but its sabotage payload only fired on Siemens industrial control systems matching a very specific configuration, so most of the machines it infected served merely as carriers.
Overall, the worm affected around 45,000 machines, including 30,000 in Iran. The rest were Western European machines using the same Siemens technologies as those deployed in Iran. Several references to the biblical heroine Esther led specialists to see a link with Israel, but false clues are often planted in code to mislead investigators. The work needed to create Stuxnet is overwhelming: around 10,000 man-hours, equivalent to six months for a team of ten people. It was not detected by most antivirus products and propagated from a USB stick that an engineer brought into the facility. (Le Nouvel Obs, 2012)
Iranian Cyber Army versus the Honker Union
At the beginning of 2010, a group of hackers calling itself the Iranian Cyber Army attacked Baidu, the biggest search engine in China. The hackers, unofficially associated with the Iranian government, had already taken Twitter offline for a while the month before, because Twitter was being used as a resistance tool by the Iranian opposition.
Baidu, which enjoys the support of the Chinese government, decided to go offline rather than show defaced content on its homepage. In the meantime, several Chinese hackers, united under the name Honker Union, counter-attacked Iranian websites: their content was deleted and replaced with a Chinese flag along with statements of support for the People's Republic of China. (The Guardian, 2010)
The Red October malware is a cyber-espionage program discovered in 2012, but it had already been active for more than five years, discovering confidential information and transmitting it to its creators. It mainly targeted diplomatic agencies.
The malware exploited flaws in Word and Excel, along with other vulnerabilities. Its creators quickly shut down the domains used to receive the stolen information, and today it is impossible to establish clearly who the recipient of the information was. (Kaspersky Lab, 2013)
Distributed Denial of Service (DDoS)
If the goal is not to obtain any information but simply to block a system, a DDoS is the tool of choice. The method consists of overloading a system (its bandwidth, its connection table or its application resources) so that it can no longer serve legitimate users. The point of a DDoS is that it does not damage the computer system itself: when the attack is over, the system works properly again. Hackers use DDoS to knock services or websites offline, mainly as political stunts; these attacks usually target companies or organizations such as NGOs and universities. Fully preventing such attacks is not easy, but with basic security practices (such as per-client rate limiting and filtering at the network edge) the most critical parts of the system, such as payments or trading networks, can be protected.
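As an added example, not code from the original page or its sources, the following Python sketch shows one of the basic practices the paragraph refers to: per-source rate limiting with a token bucket, replayed over constructed traffic in which a legitimate client sends one request per second while a flood source sends 200 per second. The addresses, the rates and the `TokenBucket` class are assumptions chosen for illustration.

```python
from collections import defaultdict


class TokenBucket:
    """Per-source token bucket: `rate` requests per second sustained,
    up to `burst` requests at once. Tokens refill with elapsed time, so a
    source that stops flooding is served normally again afterwards, which
    is exactly the 'system works properly once the attack is over' point."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = defaultdict(lambda: float(burst))  # per-source credit
        self.last = {}                                   # per-source last-seen time

    def allow(self, src: str, now: float) -> bool:
        elapsed = now - self.last.get(src, now)          # 0 on first sight
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last[src] = now
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False                                     # drop: over budget


def replay(requests, rate=5.0, burst=10):
    """Replay (timestamp, source) pairs in time order and return per-source
    counts of served and dropped requests."""
    limiter = TokenBucket(rate, burst)
    served, dropped = defaultdict(int), defaultdict(int)
    for t, src in sorted(requests):
        if limiter.allow(src, t):
            served[src] += 1
        else:
            dropped[src] += 1
    return dict(served), dict(dropped)


# Constructed traffic (not a real capture): a legitimate client at 1 req/s
# for 10 s, and a flood source sending 400 requests in 2 s.
LEGIT = [(float(t), "198.51.100.5") for t in range(10)]
FLOOD = [(i / 200.0, "203.0.113.66") for i in range(400)]


if __name__ == "__main__":
    served, dropped = replay(LEGIT + FLOOD)
    for src in sorted(served):
        print(f"{src}: served {served[src]}, dropped {dropped.get(src, 0)}")
```

The limiter only protects the application behind it; a volumetric flood that saturates the link has to be absorbed upstream, which is why the paragraph pairs rate limiting with filtering at the edge.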
Advanced Persistent Threat (APT)
This method consists of attacking a single target in order to obtain specific information. Most of the time that information is classified or sensitive for a government or a company, but it can also be intellectual property or anything else of value. Attacks of this kind are used mostly against European and US technology companies to steal secrets about new technologies. These weapons are highly sophisticated and concentrate the effort on a single target. The main goal is to infiltrate a sensitive system and remain undetected for as long as possible. This has become the favorite weapon for intelligence gathering because it is very hard for the victim to identify and, even once identified, hard to eradicate. Traditional methods (a single perimeter device or a signature-based antivirus) are ineffective against it: protecting a system against an APT requires many layers of defense, since no single technology is enough. Once an intrusion is found, the surest way to stop the attack and eliminate the risk of a technology leak is still to isolate or take the compromised servers offline. APTs have forced companies and governments to develop new protection methods such as Continuous Persistent Monitoring (CPM).
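The following Python example is added here and is not from the original page or its sources. It illustrates one thing continuous monitoring can catch that a perimeter device cannot: an implant that calls home to its command-and-control server at a near-constant interval ('beaconing'). The detector groups outbound connections by (internal host, external destination) and flags pairs whose inter-connection gaps have a very low coefficient of variation. The log entries, host names, destination names and the 0.05 threshold are constructed assumptions.

```python
import random
import statistics
from collections import defaultdict


def periodic_beacons(log, min_connections=8, max_cv=0.05):
    """Flag (internal_host, external_host) pairs whose inter-connection
    intervals are suspiciously regular. cv = stdev / mean of the gaps;
    human-driven traffic has a cv well above 0.05, while a timer-driven
    implant with small jitter sits far below it.
    Returns a list of ((host, dest), mean_gap_seconds)."""
    times = defaultdict(list)
    for t, host, dest in log:
        times[(host, dest)].append(t)
    flagged = []
    for pair, ts in times.items():
        if len(ts) < min_connections:      # too few samples to judge
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged.append((pair, round(mean, 1)))
    return flagged


def sample_log():
    """Constructed outbound-connection log: (timestamp_s, host, dest).
    Not a real capture; seeded so the result is reproducible."""
    rnd = random.Random(7)
    log = []
    # an implant on ws12 calling home every 300 s with +/- 3 s of jitter
    for i in range(12):
        log.append((i * 300 + rnd.uniform(-3, 3), "ws12", "updates.example.net"))
    # a person on ws07 visiting a news site at irregular moments
    t = 0.0
    for _ in range(12):
        t += rnd.uniform(10, 900)
        log.append((t, "ws07", "news.example.org"))
    # a host that talked to the same news site only twice: too few samples
    log += [(50.0, "ws03", "news.example.org"), (4000.0, "ws03", "news.example.org")]
    return log


if __name__ == "__main__":
    for (host, dest), gap in periodic_beacons(sample_log()):
        print(f"{host} -> {dest}: connects every ~{gap} s")
```

Real implants add larger jitter or sleep for random multiples of a base interval to defeat exactly this check, so in practice the cv test is one layer among several (destination reputation, data volume per connection, process lineage), which is the paragraph's point about layered defense.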
Cross-Platform Malware (CPM)
At some point in the evolution of computer systems, hackers faced a big issue: the number of different platforms used by ordinary users. Before, most people used Windows, so it was quite easy to infect many people with a single piece of malware. But for some years now the number of platforms has increased, while the number of users per platform keeps decreasing. At first hackers developed separate malware for each platform, but that quickly became unmanageable. This pushed them to look for new ways to hit many people at once, which is how they came to write malware that runs on several platforms at the same time (typically by building on a cross-platform runtime, or by shipping a dropper that detects the platform and installs the matching payload). The goal of such malware is to compromise the system whatever it is, so its targets are basically all users on all platforms. Still today there is no efficient way to fight such malware, since every platform needs its own detection and response tooling.
Metamorphic and Polymorphic Malware
Polymorphic malware is often presented as more recent, but polymorphic viruses have existed since the early 1990s, and the property is independent of being cross-platform: a polymorphic sample may well run on a single platform. What it shares with cross-platform malware is that it is effective against a broad target population; what sets it apart is that it changes its own code automatically. A polymorphic sample encrypts its body with a different key in every copy and varies the small decryptor stub, so the bytes on disk differ each time; a metamorphic sample goes further and rewrites its own instructions into equivalent ones, so there is no constant body to decrypt at all. This is a big threat to companies and organizations because such malware easily escapes detection systems and classic antivirus programs that rely on static signatures. On the other hand, writing this kind of malware is far more complicated, because it needs really advanced programming techniques.
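As an added illustration (example code, not from the page), here is a harmless Python model of the polymorphic trick and of the corresponding defensive check. The 'payload' is a plain text string standing in for a malicious body; each variant wraps it with a fresh random XOR key, so a static byte signature never matches the stored bytes, while a scanner that first undoes the wrapping (what an antivirus emulator does when it lets the decryptor stub run) recovers the constant body every time. The names and the 8-byte key layout are assumptions.

```python
import os

# Constructed stand-in for a malicious body; no real malware is involved.
PAYLOAD = b"echo 'this text stands in for the malicious body'"
STATIC_SIGNATURE = b"malicious body"   # what a naive scanner looks for
KEY_LEN = 8


def polymorphic_variant(payload: bytes) -> bytes:
    """Produce one variant: a fresh random key, the payload XOR-encoded with
    it, and the key prepended. (A real sample carries a decryptor stub that
    is itself varied; the key prefix models that stub.) Every call returns
    different bytes for the same payload."""
    key = os.urandom(KEY_LEN)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return key + body


def unpack(variant: bytes) -> bytes:
    """What the variant's stub does at run time: rebuild the body."""
    key, body = variant[:KEY_LEN], variant[KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def static_scan(blob: bytes) -> bool:
    """Signature match on the bytes as stored on disk."""
    return STATIC_SIGNATURE in blob


def emulating_scan(blob: bytes) -> bool:
    """Signature match after letting the unpacking step run first."""
    return STATIC_SIGNATURE in unpack(blob)


def demo(n: int = 5):
    """Generate n variants and report how each scanner fares."""
    variants = [polymorphic_variant(PAYLOAD) for _ in range(n)]
    return {
        "distinct_variants": len(set(variants)),
        "static_hits": sum(static_scan(v) for v in variants),
        "emulating_hits": sum(emulating_scan(v) for v in variants),
    }


if __name__ == "__main__":
    print(demo())
```

The emulating scanner works only because the decryptor stub is constant in this model; against a metamorphic sample, whose stub and body are both rewritten, detection has to move from bytes to behaviour (what the code does once running), which is why the text calls such malware a much bigger threat to signature-based tools.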
In order to defend against these cyber weapons, organisations and countries can use several processes to evaluate attacks and counter them. Each situation has its own needs, so there is no perfect defense system for a given organisation. However, by combining these tools together, the risk of getting hurt is reduced. Here is a list of defense systems used to protect against cyber weapons:
List of cyber defense tools
A firewall is a system that protects a computer or a computer network from potential intrusions coming from a third network (especially the Internet). It filters the data packets exchanged through the network: it protects the network against external threats, but still lets packets from the inside go out to the outside.
A firewall is a software system, sometimes running on dedicated hardware, that acts as an intermediary between the local machine and the various external networks. It is possible to place a firewall on any machine, as long as the machine is powerful enough to process the traffic, the system itself is secured, and no service other than the firewall runs on that server.
Basically, considering the IP address of the sending machine, the type of packet (protocol) and the port number, it either allows or denies the passage of packets. This lets the system filter potential attacks from the outside, or detect strange behavior of the operating system. Two points matter in practice: rules are evaluated in order, so a broad allow placed before a narrow deny silently defeats the deny, and anything not explicitly allowed should be dropped (default deny).
On bigger installations, the system can also block requests coming from the outside world (e.g. an HTTP request coming from another country to a nuclear power plant's network).
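As an added example (not code from the page or from any firewall product), this Python sketch implements the packet filter the paragraphs describe: ordered rules matched on direction, protocol, source network and destination port, first match wins, default deny. It also shows the rule-ordering trap. The site layout (inside is 10.0.0.0/8, an admin network at 192.0.2.0/24), the rule set and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (arriving from outside) or "out" (leaving)
    proto: str                # "tcp", "udp" or "icmp"
    src: str                  # source IP address
    dst_port: Optional[int]   # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str            # "in", "out" or "any"
    proto: str                # "tcp", "udp", "icmp" or "any"
    src_net: str              # CIDR the source address must fall in
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and (self.dst_port is None or self.dst_port == p.dst_port))


def decide(rules: List[Rule], packet: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


# Hypothetical rule set for a small site whose inside is 10.0.0.0/8.
# Order matters: the anti-spoofing deny must come before the public allow,
# or a packet claiming an inside address would be let in on port 443.
RULES = [
    Rule("deny",  "in",  "any", "10.0.0.0/8"),          # inside address seen outside: spoofed
    Rule("allow", "in",  "tcp", "0.0.0.0/0", 443),      # public HTTPS
    Rule("allow", "in",  "tcp", "192.0.2.0/24", 22),    # SSH from the admin network only
    Rule("allow", "out", "any", "10.0.0.0/8"),          # inside may reach outside
]

# Constructed packets (not a capture) exercising each rule.
SAMPLE = {
    "https_from_internet": Packet("in", "tcp", "203.0.113.5", 443),
    "ssh_from_internet":   Packet("in", "tcp", "203.0.113.5", 22),
    "ssh_from_admin":      Packet("in", "tcp", "192.0.2.9", 22),
    "spoofed_inside_src":  Packet("in", "tcp", "10.1.2.3", 443),
    "dns_query_outbound":  Packet("out", "udp", "10.0.0.7", 53),
    "icmp_from_internet":  Packet("in", "icmp", "203.0.113.5", None),
}


def decisions(rules=RULES, packets=SAMPLE):
    """Verdict for every sample packet under the given rule set."""
    return {name: decide(rules, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:22s} -> {verdict}")
```

This is a stateless filter: it cannot tell a reply to an inside connection from an unsolicited inbound packet, which is why real firewalls track connection state and allow "established" traffic rather than opening ports for replies.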
An intrusion detection system (IDS) is a mechanism that passively listens to the activity of a network and takes the corresponding measures when necessary.
Detection can be based on different techniques: checking the protocol stack (looking for violations of the TCP or IP protocols, such as impossible flag combinations, and signalling them), checking application protocols (counting how often a protocol is used in an invalid way), and pattern matching against known attack signatures (recognising a dangerous packet and then flagging or filtering the source IP address it came from)...
Usually, when an attack is detected, the IDS raises an alert; an inline system (an intrusion prevention system) can block the offending traffic, and as a last resort a network segment may be shut down to prevent further damage.
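As an added example (not the page's own code, nor that of any IDS product), the following Python sketch runs the detection techniques just listed over constructed packet summaries: a protocol-stack check for TCP flag combinations that cannot occur legitimately, byte-pattern signatures on payloads, and a per-source threshold that turns many single SYNs into a port-scan alert. The packet records, the signatures and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed packet summaries, not a real capture: (src_ip, dst_port, tcp_flags, payload).
# Flag letters: S = SYN, A = ACK, F = FIN, R = RST, P = PSH, U = URG.
SAMPLE = [
    ("203.0.113.7", 80, "S", b""),
    ("203.0.113.7", 80, "A", b"GET /index.html HTTP/1.1\r\n"),
    ("198.51.100.9", 22, "SF", b""),      # SYN and FIN together never occur legitimately
    ("198.51.100.9", 80, "PA", b"GET /cgi-bin/view?f=../../../../etc/passwd HTTP/1.1\r\n"),
] + [("192.0.2.44", port, "S", b"") for port in range(20, 45)]   # one SYN to each of 25 ports

# Protocol-stack check: TCP flag combinations that violate the protocol.
INVALID_FLAG_COMBOS = {"SF", "SFR", "FPU", ""}   # "" = no flags at all ("null" packet)

# Pattern matching: byte signatures of known attack traffic.
PAYLOAD_SIGNATURES = {
    "directory traversal": re.compile(rb"\.\./"),
    "shell metacharacters in request": re.compile(rb"[;|`]"),
}

# Behavioural threshold: many distinct ports from one source = port scan.
SCAN_PORT_THRESHOLD = 20


def detect(packets):
    """Return a list of (src_ip, category, detail) alerts."""
    alerts = []
    ports_by_src = defaultdict(set)
    for src, port, flags, payload in packets:
        if flags in INVALID_FLAG_COMBOS:
            alerts.append((src, "protocol violation", f"tcp flags {flags!r}"))
        for name, sig in PAYLOAD_SIGNATURES.items():
            if sig.search(payload):
                alerts.append((src, "signature", name))
        ports_by_src[src].add(port)
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append((src, "port scan", f"{len(ports)} distinct ports"))
    return alerts


def offending_sources(packets):
    """Sources an inline IPS would block or an analyst would investigate."""
    return sorted({src for src, _, _ in detect(packets)})


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Two caveats a practitioner would add: the signature check sees only what is in the packet it is given, so traffic split across segments or encrypted in TLS has to be reassembled or decrypted first, and automatically blocking a source IP on a single signature hit lets an attacker spoof a victim's address to get it blocked.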
The honeypot is a rather sneaky technique used to protect a system. It is the equivalent of a black box that records every activity reaching it; since it has no production purpose, every activity going through it is either a scan or an attack.
Therefore, when unexpected behavior reaches the honeypot, it means the system is being probed or attacked by a third party. Usually, as the honeypot holds nothing of value, it does not block the hacker but rather records everything he does, so that the attacker's behavior can be analysed later.
This is still a risk for the owner of the system, as malware can sometimes reach the rest of the system from the honeypot (so the honeypot must be isolated from production networks), yet it can be a good investment for the future in identifying possible flaws.
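As an added example (not code from the page), this Python sketch is a minimal low-interaction honeypot of the kind the paragraphs describe: it listens, records the peer address and the first bytes of whatever arrives, answers nothing and blocks nobody. The `demo()` function contacts it over loopback twice, once like a web scanner and once like a bare port scan, and returns the log. The listener address, the names and the probe payloads are constructed for illustration.

```python
import socket
import socketserver
import threading
import time
from typing import List, Tuple

# Hypothetical low-interaction honeypot: it speaks no real protocol and
# answers nothing, it only records who connected and what they sent.
# Nothing legitimate has a reason to connect, so every log entry is a
# scan or an attack. Run it on an isolated host or network segment.

LogEntry = Tuple[float, str, int, bytes]   # (time, client ip, client port, first bytes)


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)   # never parsed: the input is hostile by definition
        except socket.timeout:
            data = b""
        ip, port = self.client_address[:2]
        self.server.log.append((time.time(), ip, port, data))
        # deliberately no reply and no further interaction


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind=("127.0.0.1", 0)):   # port 0: let the OS pick a free port
        super().__init__(bind, HoneypotHandler)
        self.log: List[LogEntry] = []


def start_honeypot() -> Honeypot:
    hp = Honeypot()
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    return hp


def probe(port: int, data: bytes = b"") -> None:
    """Constructed 'attacker' contact used to exercise the honeypot locally."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        if data:
            s.sendall(data)


def demo() -> List[LogEntry]:
    """Start a honeypot on loopback, hit it twice, return what it recorded."""
    hp = start_honeypot()
    port = hp.server_address[1]
    probe(port, b"GET / HTTP/1.0\r\n\r\n")   # someone poking for a web server
    probe(port)                              # bare connect, like a port scanner
    deadline = time.time() + 5
    while len(hp.log) < 2 and time.time() < deadline:
        time.sleep(0.05)
    hp.shutdown()
    hp.server_close()
    return list(hp.log)


if __name__ == "__main__":
    for ts, ip, port, data in demo():
        print(f"{ts:.0f} {ip}:{port} sent {data!r}")
```

Because the handler never interprets what it receives, there is nothing for an attacker to exploit in the honeypot itself; the residual risk the text mentions comes from what the honeypot host can reach, which is a network-isolation question rather than a code one.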
National level defense systems
There are also basic measures that can be taken at state level. Every state should have some standard elements that help it enhance its national security:
1. Comprehensive National Cyber-security Strategy:
- Clear, prioritized (reachable) objectives and the actions needed to reach them
- Defined capabilities/resources (this part is often neglected, but it is very important to show that the resources needed to achieve the objectives exist)
- Clear terminology
- Mapping critical information infrastructure: this helps to identify the dependencies of vital services on information systems, and on that basis to develop security requirements (Cyber Security… 2014)
- Strategic future threats and risks analysis
- Clear roles & responsibilities
- Include the different stakeholders in the strategy development process
2. A National Information System Authority, organizing the protection of the state's ICT infrastructure and exercising supervision over the security of information systems
3. Strong cooperation between the public and private sector, and also at the individual, societal and international level
4. National Cyber Security Center
5. A Cyber Security Council as part of the National Security Committee, supporting strategic-level inter-agency cooperation (Cyber Security… 2014)
6. Crisis Management Organization
7. Legislation, regulations, and policies on Cyber Security
8. A CERT (Computer Emergency Response Team) for handling cyber security incidents
9. A volunteer-based Cyber Defence League, 'to improve the security of state agencies' and companies' information systems through coordinated exercises, testing of solutions, training', and also to 'support civilian institutions and protect critical infrastructure in a crisis situation' (Cyber Security… 2014)
10. A training and awareness-raising provider in the field of cyber security (Cyber Security… 2014)
11. Conducting and participating in cyber security exercises for the different stakeholders
12. Data Embassies (virtual and physical): keeping backup data in 'data embassies' that protect against data loss
13. Cyber operations capability in the military and police
14. Biometrics-based authentication, to strengthen authentication
- Warfare evolution: from physical and direct armed attacks towards hybrid wars that include cyberspace (the blurriest generation of warfare)
- Future warfare possibilities: AI and war in space
- Cyber strategies are rather reactive (Estonia is a good example: 'the awakening' started only after the 2007 cyber war), but more emphasis must be put on proactive measures!
- It is not enough to focus only on cyber strategies; cyber conferences, learning sessions and training at national and international level also matter! (Estonia does set a good example here: the NATO Cooperative Cyber Defence Centre of Excellence conducts the world's largest international technical cyber defence exercises, holds conferences on cyber conflict and carries out other international cooperation (NATO Cooperative…))
- Cyberspace is strongly interconnected: there are no 'loose ends', so attention must be paid to every single aspect; only then does it act as an effective 'whole'.
- Cochrane, P. (2009). Peter Cochrane's Blog: Can tech end bloody wars? Tech Republic.
- Cyber Security Strategy 2014-2017. (2014). Ministry of Economic Affairs and Communication.
- Kaldor, M. (2013). In Defence of New Wars. Stability: International Journal of Security and Development.
- NATO Cooperative Cyber Defence Centre of Excellence.
- The dawn of artificial intelligence. (2015). The Economist.
- Lessons from the First Major Computer Virus. (2013). IntelFreePress.
- Richards, J. Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security. George Washington University.
- Stuxnet : comment les Etats-Unis et Israël ont piraté le nucléaire iranien (Stuxnet: how the United States and Israel hacked Iran's nuclear programme). (2012). Le Nouvel Obs.
- 'Iranian' hackers paralyse Chinese search engine Baidu. (2010). The Guardian.
- Kaspersky Lab Identifies Operation "Red October", an Advanced Cyber-Espionage Campaign Targeting Diplomatic and Government Institutions Worldwide. (2013). Kaspersky Lab.
- Cyber Threat Landscape: Basic Overview and Attack Methods.