Cyber Attacks the New ‘Weapon of Mass Destruction’

May 17th, 2011 | Category: Articles
Policy Review, no. 152, Features

Hoover Institution, Stanford University

by John J. Kelly and Lauri Almann

The botnet peril


The Internet has enabled the bountiful benefits of eCommerce, and the incorporation of eCommerce into our economies has, in turn, created a dependence on the Internet, similar to our dependence on water, electric, and telephone utilities. Unlike other utilities, however, communication utilities can be crippled without even necessarily being physically attacked — they can be attacked in cyberspace. Such a cyber attack can result in loss of life, loss of wealth, and serious impediments to the flow of goods and services. In a modern just-in-time economy, these disruptions have the potential to cause catastrophic damage. Cyber attacks present a grave new security vulnerability for all nations and must be urgently addressed.

Cyber warfare is asymmetric warfare; more is at risk for us than for most of our potential adversaries. Another asymmetric aspect is that the victims of cyber warfare may never be able to determine the identity of their actual attacker. Thus, America cannot meet this threat by relying solely upon a strategy of retaliation, or even offensive operations in general.

Cyber attacks are best accomplished through exploiting intelligence on the enemy’s networks and servers, and on those servers’ software, the current vulnerabilities of the software’s applications, and standard security practices and typical lapses. Cyber attackers can exploit their targets’ networks and servers such that those systems not only stop supporting their intended purposes, but actually work against those purposes. As evidenced by recent attacks on the Pentagon computer system, the United States must assume that our potential adversaries in the world are preparing for such attacks.

Cyber warriors may choose to be discreet about high-value targets, the security of which is compromised, and wait for the optimal moment to launch their attacks. But they can also put low-value, low-security targets to coldly efficient use. A low-value target computer can be unwillingly, unknowingly conscripted (by being infected by a virus, worm, or Trojan software) in future attacks as a zombie in a botnet. Botnet is a term for a collection of software robots (bots) which run autonomously on compromised computers (zombie computers). These computers run malicious programs under the command of a so-called bot herder, who can control the group remotely. Any computer can be infected and available for use as part of a botnet without the computer’s owner knowing it. In the spring of 2007, Estonia was the victim of a month-long cyber attack, which, according to the New York Times, “came close to shutting down the country’s digital infrastructure.” Your personal computer may have been used in that attack without your knowledge. Cyber attacks involve not just one malicious computer but thousands of computers at a time, with new ones constantly joining the fray. Because so many computers are engaged, cyber sallies are all the more difficult to deflect.

When one computer floods a target’s server, router, or Internet connection with traffic (i.e., saturating the target with external communication requests, thereby overloading its capacity and effectively making it unavailable for others), it is called a DoS (denial-of-service) attack. A DoS attack is defeated by reconfiguring routers to reject all traffic from the originating IP address — that is, from the address of the aggressor computer. If a large number of computers are used in the battle, though, it is called a DDoS (distributed denial-of-service) attack. In these cases, the routers of the target must be reconfigured to reject the IP address of each offensive, zombie computer as it is discovered. DDoS attacks can be overwhelming — it was a DDoS fusillade that crippled Estonia — so all computer owners have a civic duty to secure their machines against becoming part of a botnet.
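As an added example (not code from the article), the per-source blocking the paragraph describes, simulated in Python over constructed log lines: a single flooder trips a per-source rate threshold and is rejected, while five low-rate zombies each stay under it, so their combined load still exceeds the target's assumed capacity until each one is found and blocked in turn. The log format, threshold, capacity figure and rule syntax are assumptions.

```python
"""Per-source flood detection and blocking, simulated over constructed logs.

Added example, not code from the article. The log line format
"<unix_ts> <source_ip> <request>", the rate threshold, the target capacity
and the nftables-like rule text are all assumptions for illustration.
"""
from collections import Counter

# Constructed sample traffic for one second of time:
#  - 203.0.113.10 sends 12 requests: a single-source DoS flood
#  - 198.51.100.1 .. 198.51.100.5 send 3 requests each: a small DDoS
#  - 192.0.2.77 is one ordinary client
SAMPLE_LOG = "\n".join(
    ["1178665200 203.0.113.10 GET /"] * 12
    + [f"1178665200 198.51.100.{i} GET /" for i in range(1, 6)] * 3
    + ["1178665200 192.0.2.77 GET /index.html"]
)

# Assumed: the target can serve this many requests per second before it saturates.
TARGET_CAPACITY_PER_SECOND = 12


def parse_log(text):
    """Yield (timestamp, source_ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1]


def per_source_rates(text, window=1):
    """Count requests per (source_ip, window_start) bucket."""
    counts = Counter()
    for ts, ip in parse_log(text):
        counts[(ip, ts - ts % window)] += 1
    return counts


def flooding_sources(text, window=1, threshold=10):
    """Sources that exceed `threshold` requests in any single window."""
    return {ip for (ip, _), n in per_source_rates(text, window).items() if n > threshold}


def reject_rules(sources):
    """One drop rule per discovered zombie (assumed nftables-style syntax)."""
    return [f"ip saddr {ip} drop" for ip in sorted(sources)]


def peak_load(text, rejected, window=1):
    """Highest per-window request count that still reaches the target
    once every source in `rejected` is dropped at the router."""
    load = Counter()
    for ts, ip in parse_log(text):
        if ip not in rejected:
            load[ts - ts % window] += 1
    return max(load.values(), default=0)


def target_survives(text, rejected):
    """True when the remaining load fits within the assumed capacity."""
    return peak_load(text, rejected) <= TARGET_CAPACITY_PER_SECOND


if __name__ == "__main__":
    found = flooding_sources(SAMPLE_LOG)
    print("per-source threshold catches:", found)  # only the lone flooder
    print("rules:", reject_rules(found))
    print("load after blocking it:", peak_load(SAMPLE_LOG, found),
          "-> survives:", target_survives(SAMPLE_LOG, found))
    # The distributed zombies never trip the threshold; each must be
    # identified and rejected individually, as the article describes.
    zombies = {f"198.51.100.{i}" for i in range(1, 6)}
    print("load after blocking each zombie as found:",
          peak_load(SAMPLE_LOG, found | zombies),
          "-> survives:", target_survives(SAMPLE_LOG, found | zombies))
```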

The U.S. government has a similar duty, but on a larger scale. Because botnets represent such a real threat to our domestic cyberspace and all the assets that those Internet-accessible computers control, it is a vital national interest to secure the domestic Internet.

ATTACK ON ESTONIA

America should learn from Estonia’s experience. The attacks against that small nation can be divided into several stages.[1] In the first phase, which started on the evening of April 27, 2007, botnets were actually not used. Instead, the so-called ping flooding (simple DoS attacks) of several Estonian web sites occurred. These ping attacks were carried out by “hacktivists” incited by several Russian web sites and equipped by these sites with ping-flooding scripts. This initial attack was ostensibly a first phase of a response to the relocation of a Soviet war monument from the center of the Estonian capital city, Tallinn, to a location at an Estonian military cemetery. The purpose of the initial hacktivist phase apparently was as PR cover for the later botnet phase. It was successful in that regard. It took some time for the international media to realize that the actual nature of the attack was the ensuing more sophisticated, organized, and devastating botnet attack.

Because the hacktivist attacks did not have the desired effect, due to the rapid implementation of filtering and other protective measures, the aggressors escalated the battle. At 11 p.m. on May 8, 2007 (0 hours, May 9, Moscow time), they began employing vast botnets in their attacks. The peak attack is now believed to have been carried out by several different botnets totaling over a million computers located in about 100 different countries. Once the European Union Computer Emergency Readiness Teams (CERTs) were engaged, the attacks originating within Europe effectively ceased. The attacks did continue from other countries, however, thus underscoring the importance of international cooperation in defending against cyber warfare.

The main DDoS attack lasted ten days, from May 8 to May 18. During the period between May 10 and May 15, Estonia’s banks came under fire from the cyber warriors; two major banks had to stop their online services. Ninety-four percent of banking transactions in Estonia are conducted online, and so the attacks had a crippling effect on financial dealings in the country. Most Estonians do not have checkbooks. When the banking system was set up after the nation regained independence in 1991, the decision was made to skip the issuance of checkbooks in favor of direct, online banking. This, of course, made Estonia even more vulnerable to damage from attacks.

Of course, a DDoS attack against online banking lasting several days is enough time to do a great deal of damage to an economy. The attack was not continuous, but came in waves, suggesting that it was not a riot of hackers, but a well coordinated attack. It appears from the pattern of attack that one bot herder was controlling the intensity of the attacks. This demonstrates clearly that there was a single point of control. It is important to note that when the attack began, Estonia had no way of knowing how long the attack would last or whether it would be ongoing.

If the bot herder had been more sophisticated — by spoofing (masquerading as another) originating IP addresses, by better concealing his own location, by enlarging the botnet — then the assault on Estonia could have been far more debilitating and effectively endless (most of the botnet could have been employed to continuously enlarge itself). The commercial router management tools that Estonia used to block the DDoS traffic rendered incoming DDoS traffic eight times less heavy than it would otherwise have been. If the botnet had been substantially larger, though, the nation’s blocking tools may have been inadequate. As IP addresses were blocked, new zombies joined the attack. Given the large number of zombies available, the attacker was able to expend thousands of zombies per hour. Also, as zombies in the more cooperative countries were blocked, the origin of the attack shifted to countries that did not have any incident management organization (e.g., CERT), or where these organizations were not effective.

And botnets can be vast. In 2005, Dutch authorities arrested three young men who had set up a botnet consisting of 1.5 million zombies.[2] In 2007, Vint Cerf, one of the co-developers of TCP/IP, the protocol that underlies the Internet, estimated that as much as one quarter of the Internet could already be in botnets.[3] Microsoft, in its current Security Intelligence Report, estimates that 10 percent of Windows computers are infected with malware.[4] While Estonia’s experience has highlighted that there are national interests that have the capability and the intention of using cyber attack, their aggression is not the only type currently active in the world.

THE WORLD RESPONSE

Just as the Internet has enabled eCommerce, it has also enabled cyber crime, cyber terrorism, and cyber warfare. Unfortunately, the international community’s response to these dangers has been seriously insufficient. Botnets have the potential to do untold damage, and they should be classified as eWMDs (electronic Weapons of Mass Destruction), a term we have coined. We believe it is appropriate to have a category distinction. WMDs can kill in large numbers and cause great disruption. Computers are not generally configured so that they can cause physical damage to themselves or their surroundings, though there is concern about SCADA systems (Supervisory Control and Data Acquisition) — the computer systems that control utilities and process plants in general. The CIA recently disclosed that electric utilities have been successfully attacked. But even if all software and data are securely backed up, there is still potential for great loss due to an eWMD attack.

It was recently determined that a single personal computer could disrupt cellular communications in a city, and that a medium-sized botnet could disrupt cellular communications in the entire United States.[5] A network attack that denies the use of the networked infrastructure could have catastrophic consequences in a modern economy that has become dependent on that infrastructure (as in the case of the Estonian banking system). Attacks on U.S. governmental computers such as those at the Pentagon illustrate the intent to undermine the country’s military defense structure. eWMDs have the potential to be the cyber equivalent of a military blockade. While one hopes eWMDs will never be able to cause the loss of life that other weapons of mass destruction (nuclear, chemical, biological) can cause, they should still be recognized as having the potential to destroy livelihoods or even entire economies, as could have happened to Estonia with a larger and more long-term attack.

Traditionally, government has protected life, liberty, and property. But much of a modern economy’s wealth resides elsewhere than in, say, physical assets. In a modern economy, much of the wealth is in equities, far beyond the underlying book values and the physical assets. Today’s businesses can be destroyed without damaging any of their physical stock. In an economy where stores are run using electronic inventories with automatic ordering, and factories are run using Manufacturing Resource Planning, a disruption to either system or the means for data communication between the two would disrupt the flow of food and goods. Disruption to electronic banking would disrupt all of the companies that rely on those banks. The efficiencies of just-in-time inventory systems also cause the flow of goods to be more vulnerable to disruption. A disruption to the flow of goods and services could trigger damages that cascade through the economy. International trade also brings the possibility that a firm’s market share earned over many years could be quickly lost if its customers decide that it is no longer a reliable supplier. But unlike a military blockade or most WMDs, it does not currently require the resources of a nation-state to have a botnet. We will probably always be vulnerable to some degree of cyber crime, cyber terrorism, and cyber warfare, but the one weapon that can be used by all to create catastrophic damage is the botnet. This further underscores the point that we need to institute better safeguards to reduce the scale of the botnet threat.

Of course, as long as computers are connected to the Internet, cyber attacks will occur. Additionally, computer infrastructure can never be perfectly secured by electronic means. For the foreseeable future, so long as computer software is complex and rapidly evolving, there will be bugs for cyber attackers to exploit. But the degree of vulnerability can be dramatically reduced by securing computers and networks through current best practices. The root of the current vulnerabilities, although technical, is also administrative. Many computers are controlled, or administered, both now and for the foreseeable future, by people who do not possess an adequate understanding of the current best practices for security. Ideally, anyone who connects his computer to the Internet should be aware of effective ways to secure the machine, but many are not or do not take action, with the result that many machines have become infected.

Thankfully, though, to a considerable degree user ignorance can be compensated for by automated tools. Update management software, part of the Windows and Linux operating systems and some application software, helps make computers more secure. It is designed to be a convenience for users and should properly be considered to be one of our front lines against a cyber attack (though it is not a complete solution, by any means). The U.S. government (and others, too) might consider working with software manufacturers to further develop the effectiveness of these security systems. Similarly, the personal firewalls that are becoming more common on personal machines could be enhanced to help achieve a higher level of protection. And operating systems and applications using passwords should require that the passwords comply with minimum security standards (e.g., nondictionary words of sufficient length). Finally, an adequate degree of logging could be the default to better secure evidence for an investigation. Operating systems and application software can be configured to automatically keep an abbreviated record of all incoming and outgoing traffic. These and other local records would exist only on the PC and be completely private unless and until the owner of the PC chooses to share the records with law enforcement.

If an operating system has a mechanism to audit/enforce proper security, and evidence of the level of security were somehow available to the ISP, then those computers with better security in place could receive preferential treatment in the event of a cyber attack. The ISPs are also in an advantageous position to perform ingress filtering — that is, to check that the “from” address on all packets corresponds to the computer from which the packets are actually coming. This simple check would do much to defeat spoofing and thereby make it easier to determine the origin of attacks.
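The ingress check described above, as an added example in Python that is not from the article: given the address prefix assigned to each customer-facing interface of an ISP edge router, a packet whose source address does not belong to the prefix of the interface it arrived on is treated as spoofed and dropped. Interface names, prefixes, packets and the rendered rule syntax are constructed assumptions.

```python
"""BCP 38-style ingress filtering at an ISP edge, simulated in Python.

Added example, not code from the article. Interface names, the prefixes
assigned to each customer-facing interface and the packet tuples are
constructed values; the rendered rule text uses nftables-like syntax and
is illustrative only.
"""
import ipaddress

# Constructed ISP edge: each customer-facing interface has one assigned prefix.
INTERFACE_PREFIXES = {
    "eth1": ipaddress.ip_network("198.51.100.0/24"),
    "eth2": ipaddress.ip_network("203.0.113.0/24"),
}


def source_is_valid(iface, src_ip, prefixes=INTERFACE_PREFIXES):
    """Ingress check: the packet's source address must lie inside the prefix
    assigned to the interface it actually arrived on. Anything else is a
    spoofed (or malformed) source and is rejected."""
    prefix = prefixes.get(iface)
    if prefix is None:
        return False  # unknown interface: no address may legitimately arrive here
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed source address: drop
    return addr in prefix


def filter_packets(packets, prefixes=INTERFACE_PREFIXES):
    """Partition (iface, src, dst) packets into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if source_is_valid(iface, src, prefixes) else dropped).append(pkt)
    return forwarded, dropped


def render_rules(prefixes=INTERFACE_PREFIXES):
    """Equivalent static rules: drop any source outside the interface's prefix
    (illustrative nftables-style text, assumed syntax)."""
    return [f'iifname "{iface}" ip saddr != {net} drop'
            for iface, net in sorted(prefixes.items())]


# Constructed packets: (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("eth1", "198.51.100.23", "192.0.2.10"),  # genuine customer on eth1
    ("eth1", "192.0.2.10", "198.51.100.23"),  # spoofed: claims the victim's own address
    ("eth2", "198.51.100.23", "192.0.2.10"),  # eth1 address arriving on eth2: spoofed
    ("eth2", "203.0.113.5", "192.0.2.10"),    # genuine customer on eth2
    ("eth1", "not-an-ip", "192.0.2.10"),      # malformed source
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drp)
    for rule in render_rules():
        print(rule)
```

Real routers implement the same per-interface source check as strict unicast reverse-path forwarding (uRPF); the rendered rules show the static form of that policy.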

Another important practice is regular audits. In the corporate environment, outside vendors often perform port scans and advise companies of their current computer vulnerabilities. Governments could work with the ISPs to institute remote automated audits for subscribers as a standard service. The ISPs are well positioned to monitor their networks for suspicious traffic that would indicate that a computer has become infected, and they could also proactively run scanning software to detect machines that are vulnerable and then coordinate with their clients to correct the vulnerability. Perhaps even more importantly, ISPs should have a specific requirement to prevent improper use. There is anecdotal evidence that some ISPs knowingly provide IP addresses and bandwidth to spammers because of the premium rates such spammers are willing to pay.

The above-mentioned management and auditing services could be performed by greater coordination of existing programs and services. For instance, so long as a user promptly fixes an identified vulnerability, he could be the only one to see the report. If he does not handle it in a timely manner, a report could be sent to his ISP indicating a security risk on the ISP’s network. The ISP could then contact the customer to offer technical assistance. A national authority could set standards and provide support to the ISPs.

Developers release patches for their software when new vulnerabilities are discovered. When much Internet software is designed, security is not a major consideration in its development, so the need for patches is common. The rejoinder to this is simple: Do not patch in security, but design it in. If software is created with attention paid to security features, entire categories of vulnerabilities can be eliminated.

Mass-market software is by definition vulnerable to cyber attacks. First, because the software is readily available through commercial or open-source means, hackers can study copies for vulnerabilities. (Open source may be somewhat more secure because it undergoes more scrutiny, but it is also easier to study.) Second, because many copies will exist on the Internet, it is likely that copies will show up in response to even a modest port scan (usually the first step in an attack is to find programs to exploit on computers within a range of IP addresses of interest). Finally, if the software is mass-market, there are likely to be a sufficient number of instances of the software on the Internet to merit investment in discovering its vulnerabilities and developing ways to exploit those vulnerabilities. Because programs that are not mass-market in their deployment do not meet these criteria, heightened security requirements may not need to apply to software that is developed for limited use.

How to enhance the security of mass-market software? Security standards could be established with software developers being obliged to certify that their mass-market software complies with the generally-accepted security practices. Without knowledge of the internal workings of a software program, Underwriters Laboratories-style third-party testing — i.e., running a test suite against something’s external interface — may reveal some bugs and vulnerabilities, but will not be adequate to ensure security. And while it is feasible to inspect the source code to ensure that proper practices are used, doing so becomes highly problematic if it involves an external audit — giving source-code access to someone who is not an employee of the developer. Such access greatly increases the risk of a company’s intellectual property being compromised. And as a practical matter, it can be expensive to understand someone else’s source code, particularly if it embodies esoteric technical concepts. External audits would also build potentially significant delays into software’s release cycle. For these reasons it makes sense for an industry-standards body to publish the security design requirements for mass-market software and require that software developers file a certification of compliance. Sample code could be provided so that this requirement is not burdensome for small developers.

This certification should be required of all the software that runs on all network devices (e.g., routers and switches). It should also be required of the hardware itself, without which the Internet wouldn’t work. One of the big problems here is that a substantial amount of this equipment originates in untrustworthy countries. It is not enough to require that developers certify their software and hardware because certifications outside of trusted countries may be worthless. The presence of all these potentially-compromised network devices remains a massive vulnerability.

In August, as Russian tanks rolled into the nation of Georgia, Georgia’s websites were also under assault from Russian cyber attackers. Government websites were knocked offline. The lesson: It is essential that the personnel who control the ISP equipment be trustworthy. Georgia had some of its international Internet connections through Russia but thought it had independent communications, since some of the Internet connections went through Turkey. But the access via the ISPs in Turkey also went down, apparently because the ISPs were controlled by the Russian Business Network.

While improving technical capabilities is central to stopping cyber warfare, there are various other areas of concern that the United States should address. For example, there is a need for legislation that would improve the ability of private parties to track down hackers and discover their true identities. When a server is compromised, it is possible for the administrator to preserve logs which might be helpful in determining the origin of the intrusion. Unfortunately, the hacker often hides behind fraudulent registrations. Because it is difficult and expensive for a private individual or small business to pierce these fraudulent, and often foreign, registrations, it is that much easier for the hackers to proceed unimpeded. While it is important to protect privacy, the anonymity afforded by the Internet has helped increase the number of cyber attacks. Hackers currently can launch assaults with little fear of recourse. That’s unfortunate; it should be much easier for victims to track down the identities of those who attacked them. Internet registrars should be required to employ a process that is much more rigorous, and much less susceptible to fraudulent registration. Moreover, a government organization could take on the role of active defense against hackers. With the proper legislation, the widespread hacking of private computers could be greatly reduced.

MORE THAN A NUISANCE

Also, it is in the national interest to diminish the threat of botnets by undermining their financial sources — spammers. In a recent report, IronPort, the email security unit of Cisco Systems, determined that the infamous Storm botnet, which may involve up to 50 million computers, is controlled by Russians who finance their efforts by supporting spammers who sell pharmaceuticals online.[6] While some botnets may not be associated with foreign governments and are not imminently a national threat, the tools that they develop will be utilized by terrorists and foreign adversaries. The U.S. government should make it a priority to prosecute spammers who support botnets. Two hundred known major spammers are responsible for 80 percent of the spam on the Internet. While prosecutions do occur, they are infrequent and thus not much of a deterrent to other spammers.

One can hope, though, that the lack of prosecution has been because the U.S. government has been busy building a case against spammers through the recent FBI sting “DarkMarket.” The FBI announced 56 arrests as a consequence of DarkMarket.[7] Among the recently arrested is the HerbalKing Group, which is believed to be responsible for a third of all spam.[8] Unfortunately, the amount of spam has not appreciably decreased. It appears that those arrested just passed their botnets on to others. If spamming were explicitly outlawed, then many more spammers could be arrested. If the revenues associated with the spam enterprises were severely curtailed by prosecuting the businesses promoted by the spammers, then there wouldn’t be such a valuable incentive for others to continue the enterprise.

Unfortunately, the spam problem is only likely to get worse. If a spam email is 3 KB in size and each zombie computer has a connection that can transmit 1.5 Mb per second (i.e., a broadband connection), then 50 spam emails can be sent per second — 180,000 per hour, or 4.3 million per day. Estimates for the cost of renting zombie computers vary. A few years ago estimates ranged from $30 to $200 for sending out 1 million spam messages. A recent investigation of the Storm botnet estimated that the going rate is $100 per million spam messages.[9] The current Microsoft Security Intelligence Report cites the instance of a botnet herder who charged just $200 per week for 6,000 compromised computers (equivalent to 30 computer-weeks for a dollar) — enough capacity to transmit over 800 million spam emails. The Direct Mailers Association reports that direct mail sales campaigns sent through the postal system typically achieve a response rate of 2.15 percent — so they have to have some validity.[10] The investigation into the Storm botnet determined that the actual response rate is 8 in 100 million for the pharmacy sales — a considerable profit margin if the spam campaign costs are at the low end of the estimates. The costs to society are considerable. If each recipient has just one second of his time wasted on average due to a spam campaign, then every one-million-piece campaign costs 277 hours of society’s time. The postal campaign, by contrast, might waste 98 seconds, on average, of your time for every two products or services you actually purchase — a much more tolerable imposition.

As briefly mentioned earlier, there is currently no legislation that specifically outlaws spam. The American CAN-SPAM Act of 2003 made fraudulent registrations — a tool used by many spammers — illegal, but it failed to give a legal definition to spam, perhaps out of a desire not to outlaw commercial bulk mail. Of course, every spam filtering company has been able to develop a working “common law” definition of spam. But it is not enough. The U.S. Congress and the European Union must revisit this issue and pass legislation to outlaw spam. The legal definition should then be adopted in international instruments regulating the trade in services.

ACTIVE DEFENSE

Cyber defense is accomplished through a combination of prevention, detection, response, and prosecution. Governments could undertake to work with ISPs, developers, and the general public to devise and support suitable procedures to minimize the vulnerability to botnet attacks, rapidly detect attacks as they occur, assist ISPs in isolating the malicious machines, and support the end user in both securing the evidence and recovering the machine. Finally, governments should ensure that cyber criminals are prosecuted, regardless of whether they are domestic or working in a cooperative foreign country. Governments should also share information and focus on the foreign threats originating from noncooperative countries.

And governments, especially that of the U.S., must begin to see cyber attacks and cyber warfare and eWMDs as the national security threats they truly are. That means engaging in “active defense” and enlisting national police agencies and even the military in the fight. A cyber attack on a U.S. citizen or company, especially one originating outside the nation’s borders, should be viewed as a real and serious incursion, and possibly as the prelude to a more serious attack, as it was in Georgia. In the U.S., 85 percent of all critical infrastructure is in the private sector. It is not enough that private individuals and organizations be able to report a break-in after the fact. If someone is trying to break in your front door, you expect the police to come immediately. Similarly, the private sector should be able to report break-in attempts and expect a response.

While local law enforcement has the local relationships, the appropriate capabilities reside at the national level in various law enforcement and military organizations. In order to make these capabilities available at the local level, it appears that a coordinating role is required. In the U.S., the National Guard is charged with a similar role and has been performing it in the war on drugs. The National Guard is probably the best suited because if the cyber attack is an actual military or terrorist attack, then time is of the essence. Because what appears to be a criminal act could evolve into something much worse, it is accordingly desirable to keep the National Guard apprised from the first report. Under this approach, whenever a private sector server is under attack, the owner would send the evidence to their state National Guard, which would then perform an initial assessment as to the attack’s nature and specifics, with an initial determination as to whether it is an attack or a criminal act, and refer the matter to the appropriate agency. They would then monitor the situation, coordinate the follow-up, and keep the private individual or organization apprised.

Given the demonstrated willingness of aggressors to employ it — as the Russians did against Estonia and Georgia — and the certainty that it will be used again, by state adversaries and terrorists alike, it is crucial that we begin to treat cyber warfare as we would any other form of warfare. We must remove it from the exclusive domain of intelligence operations and establish a Cyber Warfare Command that includes an offensive capability. The U.S. Air Force has taken steps to do just that, but it has yet to be authorized.

In summary, a carefully orchestrated technical program that defends the domestic computer infrastructure should now be a critical goal for every technically-advanced nation. Action is required:

Individuals and businesses. Everyone who uses the Internet needs to understand that they have a civic duty to take reasonable care that their computers are reasonably secure from attack and infection. Any computers that become infected should be promptly cleaned or disconnected. To the extent feasible, forensic evidence should be made available to law enforcement.

Software Industry. Security should be designed into all mass-market applications and operating systems that are connected to the Internet. Designers should enhance comprehensive update management software and personal firewall software so that all machines attached to the domestic Internet can be quickly patched against new vulnerabilities. Logging software should by default preserve evidence that would aid those investigating any cyber attack. Operating systems and application software should require secure passwords and be designed for security and certified as such.

ISPs. ISPs should support their subscribers in detecting vulnerabilities, detecting infections, securing evidence, and repairing the infected machines. ISPs should also be required to perform ingress filtering on their routers to counter IP address spoofing. ISPs who profit from knowingly providing IP addresses and bandwidth to spammers should face sanctions. All ISP equipment and personnel should meet standards of trustworthiness.

Legislative bodies. Legislative bodies should pass laws to hinder fraudulent registrations, and they should explicitly outlaw spam campaigns. Legislation could be designed to draw a line between spammers, as exemplified by those identified in the Spamhaus ROKSO database, and legitimate commercial bulk email that is not so designated. This legislation probably should provide a safe harbor for legitimate businesses performing acceptable commercial correspondence. Guidelines may include how the address was obtained, the manner of targeting, the frequency of sending emails, the anticipated and actual response rates, and the number of emails compared to the size of the company’s current customer base. Those convicted of serious repeated abuses of the Internet could be fined, and/or banned from further access.

Executive branch. The executive branch should vigorously pursue and prosecute all spammers, hackers, and botnet perpetrators. It should designate and fund an agency to respond to every reported attack; the National Guard may be the appropriate agency for this role. The Defense Department should be tasked to establish a full military capability in cyber operations, perhaps with the Air Force as the lead service. The FBI should have adequate resources to prosecute all major cyber criminal acts.

These measures, along with an ongoing proactive relationship between government and industry to monitor the evolving cyber-warfare threat, evaluate the effectiveness of the measures to counter the threat, and devise improved safeguards, should greatly reduce the magnitude of and resulting damage from future attacks.


John J. Kelly III is president of Model Software Corporation. Lauri Almann was permanent undersecretary of defense for the Republic of Estonia from 2004 to 2008.



Copyright © 2011 by the Board of Trustees of Leland Stanford Junior University



Is the cyber threat a weapon of mass destruction?

May 17th, 2011 | By | Category: Articles

BY JOSHUA POLLACK


Google’s surprise announcement of “a highly sophisticated and targeted attack” on its systems–a case of computer-aided espionage–has also raised the specter of offensive warfare. Defense News quotes Adm. Robert Willard of U.S. Pacific Command as declaring that “the skills being demonstrated” by Chinese hackers in the service of “exfiltrating data”–a fancy way of saying “spying”–are also relevant to “wartime computer network attacks.”

If that’s not alarming enough, last week, Gerald Posner added a new entry in the annals of hype in a piece he wrote for the Daily Beast: “While Google weighs exiting China, a classified FBI report says [Beijing] has already developed a massive cyber army [that is] attacking the U.S. with ‘WMD-like’ destruction capabilities.”

Posner’s assessment is clearly excessive. But recent years have seen a growing tendency to treat “the cyber threat” as a “strategic” problem, sparking an interest in “cyber deterrence.” U.S. Strategic Command even appears to have incorporated computer network attacks into the existing U.S. nuclear declaratory policy, based on the idea of “calculated ambiguity.” Last May, Gen. Kevin Chilton of STRATCOM told journalists, including the Global Security Newswire’s Elaine Grossman, “You don’t take any response options off the table from an attack on the United States of America,” including a cyber attack.

When “cyber attack” means a form of spying, General Chilton’s statement will come across as extreme. But it’s certainly possible that the ability to compromise computers will play a role in future war-fighting. (Aaron Mannes and James Hendler identified some realistic possibilities in a Washington Times op-ed last August.) Still, let’s keep the matter in perspective: If the United States were ever to get into a shooting war with another nuclear weapon state, cyber attacks would be the least of anyone’s worries.

The Google Affair underscores that there is a different sort of “strategic” cyber threat. Today’s issues of global concern hinge in large part on the state of U.S.-Chinese relations: stabilizing the world economy in the wake of the fiscal crisis, shoring up the nuclear nonproliferation regime, and achieving effective cooperation to forestall the worst effects of climate change, to name the most salient issues. And let’s be blunt: Pervasive spying via the internet is harming China’s relations with the United States.

In the last few years, it’s become almost a rite of passage among federal employees to have their computer networks partially shut down for days or weeks after an intrusion, usually (but not always) attributed to China. Everyone from the Office of the Secretary of Defense to the Commerce Department has been a target. And in certain circles, there are few computing experiences more familiar and less delightful than receiving the dreaded socially engineered e-mail attack–an authentic-looking message, seemingly from a known person, but with a nasty PDF attachment.

In other words, not every intrusion of this type is as systematic and well-planned as the December 2009 raid on Google, Adobe, and other U.S. firms. Any American who works on Asia-Pacific security issues or has an interest in human rights in China has probably been aware of the problem for some time. If they haven’t received an e-mail probe personally, chances are good they will know someone who has.

The damage to goodwill has been considerable. It isn’t shocking that one major power spies on another, or necessarily even intolerable. As the saying goes, “It’s all in the game.” But the game has never been friendly, and there’s something breathtakingly crude about how it’s being played today. The attempt to capture as many computers as possible is aggressive and indiscriminate, reaching into the lives of private citizens in the United States and beyond. In a particularly insidious turn, the spies have been known to take advantage of professional contacts between Americans and Chinese in order to assemble convincingly spoofed messages and to mine e-mail address books for targets.

All of this effort is aimed at getting the targets to open the attachments. No serious attempt is made to cloak where the attacks are coming from, should a fake message be spotted. That’s especially striking in contrast to the technical and social sophistication of the probes.
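The lure described above (a message that appears to come from a known contact, a PDF attachment that does the work, and little effort to hide the relay path) can be triaged mechanically. What follows is an added example, not code from this article or from any organisation it mentions: a small Python analyser that parses a message, flags the usual signs of a spoofed sender, scans a PDF attachment for the name-keys that let a document run code, and records the relay path from the Received headers. The message, the names, the addresses and the IPs are constructed for the example (RFC 2606 and RFC 5737 documentation names and ranges), as is the PDF payload.

```python
"""Triage of a spear-phishing e-mail carrying a PDF lure (added example).

Parses a constructed message, flags sender-spoofing signs, inspects a PDF
attachment for active content and records the relay path for the
investigator.  Names, addresses, IPs and the PDF bytes are all constructed.
"""
import base64
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# PDF name-keys that give a document the ability to run code or launch programs.
ACTIVE_PDF_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
# First bracketed IPv4 address in a Received header is the host that handed the mail over.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed PDFs: one whose catalog runs JavaScript on open, one plain.
MALICIOUS_PDF = (b"%PDF-1.4\n"
                 b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                 b"2 0 obj << /S /JavaScript /JS (app.alert('agenda')) >> endobj\n"
                 b"%%EOF\n")
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"


def build_message(pdf, reply_to=None, return_path="jane.researcher@example.edu"):
    """Assemble a constructed message as it would sit in the recipient's mailbox."""
    headers = [
        f"Return-Path: <{return_path}>",
        "Received: from mx.example.org (mx.example.org [198.51.100.7])",
        "\tby mail.example.com with ESMTP; Tue, 17 May 2011 09:12:44 -0400",
        "Received: from [203.0.113.88] (unknown [203.0.113.88])",
        "\tby mx.example.org with ESMTP; Tue, 17 May 2011 09:12:40 -0400",
        'From: "Jane Researcher" <jane.researcher@example.edu>',
        "To: analyst@example.com",
        "Subject: Draft agenda for the Asia-Pacific security workshop",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
    ]
    if reply_to:
        headers.insert(6, f"Reply-To: {reply_to}")
    body = [
        "", "--b1", "Content-Type: text/plain; charset=us-ascii", "",
        "Hi, attached is the draft agenda we discussed. Comments welcome.",
        "--b1",
        'Content-Type: application/pdf; name="agenda.pdf"',
        'Content-Disposition: attachment; filename="agenda.pdf"',
        "Content-Transfer-Encoding: base64", "",
        base64.encodebytes(pdf).decode("ascii").rstrip("\n"),
        "--b1--", "",
    ]
    return "\n".join(headers + body)


def domain_of(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def pdf_active_content(data):
    """Active-content keys present in the raw PDF bytes (uncompressed objects only)."""
    return [key.decode() for key in ACTIVE_PDF_KEYS if key in data]


def relay_path(msg):
    """Handing-over hosts, oldest hop first (each MTA prepends its own Received line)."""
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        match = RECEIVED_IP.search(str(hdr))
        if match:
            ips.append(match.group(1))
    return ips


def triage(raw):
    msg = message_from_string(raw, policy=default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(name, ""))
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode()
        is_pdf = part.get_content_type() == "application/pdf" or data.startswith(b"%PDF")
        keys = pdf_active_content(data) if is_pdf else []
        attachments.append({"name": part.get_filename(), "pdf": is_pdf, "active": keys})
        if keys:
            findings.append(f"PDF {part.get_filename()} carries active content: {', '.join(keys)}")
    return {"findings": findings, "attachments": attachments,
            "relays": relay_path(msg), "suspicious": bool(findings)}


if __name__ == "__main__":
    lure = build_message(MALICIOUS_PDF, reply_to="j.researcher.2011@example.net",
                         return_path="bounce@example.net")
    for label, raw in (("lure", lure), ("benign", build_message(BENIGN_PDF))):
        result = triage(raw)
        print(label, "suspicious" if result["suspicious"] else "clean", result["relays"])
        for finding in result["findings"]:
            print("  -", finding)
```

These are triage signals, not verdicts: a Reply-To or Return-Path that differs from the From domain is routine for mailing lists and bulk senders, so it should raise the priority of a message rather than condemn it on its own. The byte scan of the PDF only sees keys in uncompressed objects; a lure that hides its action dictionary inside a FlateDecode object stream needs the streams inflated before the same check is meaningful, and the relay path is only as honest as the Received headers added by MTAs you trust.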

These practices are, quite frankly, abusive and uncivilized. And the mechanical denials of Chinese officials do as much harm to the country’s image as the scattershot spying itself, if that’s possible. As it happens, spying is not the same as warfare. But it does harm regardless.




China Fights a War Without Firing a Gun – Using cyberwarfare to undermine the US

May 15th, 2011 | By | Category: News

By Joshua Philipp & Matthew Robertson

Epoch Times Staff

While experts in the United States are still debating whether cyberwarfare poses a real threat, the Chinese Communist Party (CCP) has made cyberwarfare a fundamental part of its military strategy—one to win a war against an enemy who is militarily superior.

The Epoch Times interviewed former military and intelligence officials who have watched China’s cyberwarfare strategy, and other technological tactics, in different stages of development. Many of their observations agree with the Communist Party’s own military documents, as presented in threat analysis from the Department of Defense.

A battle in the snow-covered Amur Valley began a split between the Soviet Union and the Chinese Communist Party in 1969. When the smoke cleared, a stalemate left the Chinese leadership with a lesson that would underpin their military strategy to this day.

“Russia could not win because they didn’t have the manpower, and China couldn’t win because they didn’t have the technology. So it was mainly a stalemate,” said Terry Minarcin, a former Air Force cryptologist assigned to the National Security Agency (NSA), in a telephone interview.

“China learned a lot from that conflict,” Minarcin said.

Minarcin was trained as a Chinese linguist in the Air Force and intercepted communist communications for nearly 21 years. He retired in 1987, just prior to the fall of the Soviet Union, and has kept tabs on developments.

After the battle in the Amur Valley, the CCP took a different path from the Soviets and from the West in general in its military development.

While the West has focused on using technology to make combat operations more effective, the CCP has learned to use technology to make war without combat. As the lessons from the Amur Valley were absorbed, the CCP learned to adopt a new form of warfare.

Cyberwar
The concept of warfare is often misunderstood as simply the destruction of military targets. Thus the significance of Chinese cyber-attacks and cyber-espionage against businesses and government are often written off.

“When John Arquilla coined the phrase cyberwar in 1993, he framed the concept primarily around nation-state military actors, unfortunately this isn’t the case in the 21st century,” said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, an independent research institute that studies cyber conflicts.

Due to the outdated definition of cyberwar, when a conflict erupts in the cyber domain the concept of a military target is often misconstrued. “In the industrial defense era allied forces primarily bombed military and military-industrial targets, but in the cyberdefense era viable targets include civilian-operated critical infrastructures, on which all militaries are dependent,” Bumgarner said.

The British even had an “Economic Warfare” military unit that existed in World War II. They are immortalized in a photo displayed at the Churchill War Rooms museum in London, according to Bumgarner.

A strategy to use cyber-attacks and other means to target and destroy the U.S. economy was outlined in “Unrestricted Warfare,” by two Chinese military colonels in 1999.

The document “is really a long-term strategy about how to erode your adversary’s will to fight through means other than armed conflict. One of the primary avenues of attack in this document is economics. Such attacks could take decades to be fully appreciated,” Bumgarner said.

“Economic warfare is really a big issue,” he said. “Eroding segments of another nation’s financial stability can be easily accomplished by stealing proprietary data about a widget, using that information to your advantage to manufacture the widget without having to incur all the research and development costs associated with the widget and then selling the widget on the world market at a fraction of the cost. Continually repeating this cycle starts making the target nation reliant on you for many things. Eventually you will hold the keys to the financial kingdom of the other country.”