
Time to wake up

September 2011

Both the term and the concept of cyber war are subjects of much debate. Professor John Walker FBCS CITP explores their origins.

The year was 1993, the location Amsterdam, the venue Virus Bulletin 93. It was here, when presenting on the subject of virus evasion techniques, that I first encountered the strange term ‘Cyber war’, introduced by an American gentleman, Winn Schwartau.

As one can imagine, even the very suggestion of this topic 19 years ago did raise some eyebrows, and of course, as with most advanced thinking, it was discounted - but not by me.

Around 1993 we were encountering the first serious operational use of the new toy called the PC, aligned with an early left shift from those big beast mainframe platforms, in favour of more agile and lower cost infrastructures in the form of client server environments. And as you will have now gathered from the event type, it was focusing on malicious code in the early forms of viruses such as Brain, Cascade, and Coffee Shop.

Noisy and boastful

However, to set the scene, at that juncture in time, the malicious motivations were driven by achieving cult status, notoriety and intellectual accomplishment by spawning the next nasty piece of code to infect as many targets as possible!

There was also one very marked difference from today, in that those early infections were very noisy, and boastful, announcing their presence as and when trigger time was considered appropriate. However, with the advancement of time, the criminal and extremist imagination kicked in, which concluded the potential futuristic opportunities!

Now when it comes to the techy subject of cyber war, to date there have been two camps of opinion: those who discount the threat as the product of an overactive imagination, and those who have seen a circumstance that could represent a real time threat. However, around 2008 with the eventuality of Titan Rain, mounting cyber attacks against UK, German, and US targets, the prospect of cyber war, and associated aggressive cyber incursions, started to resemble more than just hype.

A second circumstance that raised the prospect of cyber war was the publication of Richard A. Clarke’s book Cyber War, followed by his thought provoking presentation at the RSA, London 2010. And given Mr Clarke was the first senior White House official responsible for cyber war and security, one should assert he would have more insight on this subject than most.

Furthermore, in June 2011 Liam Fox revealed criminals and foreign spy agencies have launched more than 1,000 cyber attacks on the Ministry of Defence in 2010 in an effort to steal secrets and disrupt services, costing the UK £27 billion, and losing the defence sector £1.6 billion!

I can also personally attest to the serious approach the US takes toward this new era threat. In 2009, I made a visit to NORAD (North American Aerospace Defense Command) located deep within Cheyenne Mountain, Colorado. Here it was clear that the advent of cyber attacks is treated along the same lines as would be an actual, or inferred, aggressive kinetic incursion threatening US physical, or in this case, logical borders.

Zeus

There were further indications that cyber threats were being taken seriously when the UK government announced they had fallen victim to a cyber attack using the notorious information-stealing Zeus malware in December 2010. On this same topic William Hague addressed a Munich security conference, and revealed that the December 2010 attack was considered to be part of an international effort to infect systems.

However, what really upped the agenda was in 2011, when the USA announced a formal Pentagon Cyber Strategy outlining which acts of digital sabotage would constitute an act of war that could warrant conventional military retaliation, thus escalating a cyber-incursion to the level of a kinetic response - so long, of course, as there is clear, irrefutable classification of the aggressor.

In unconventional terms, mounting a cyber attack, as opposed to employing conventional weapons, can present an effective, economically beneficial operation. Whilst the effectiveness of a conventional weapon locating a target has clear capabilities, delivering devastation, destruction, and loss of life, it still nevertheless requires significant resource to present the desired effect to its unfortunate target.

Now by comparison, consider the cyber attack. Firstly, the tools and weapons that may be leveraged to deliver a cyber strike come in at a much lower cost than, say, a Tornado or Eurofighter. Secondly, one must focus on the objective of the attack. In the case of the cyber incursion, it could be aimed at disrupting systems, supporting services, and critical infrastructure such as Supervisory Control and Data Acquisition (SCADA) systems.

Stuxnet

Or suppose it is possible to obtain access to an ATM estate through the prime organisation, or via some ill-conceived third party engagement, with the intent of delivering a denial of service attack to render the endpoint ATMs inoperable.

Or, as with Stuxnet, creating some new crafted, intelligent seek and destroy cyber weapon in the profile of a covertly developed advanced persistent threat (APT), or even worse, under the cloak of an advanced evasion technique (AET), which is possibly why nations like China, and Russia are showing interest in these logical capabilities. Thus cyber war or cyber conflict takes a step from the shadows, and moves a little closer to reality. But how do we measure cyber war or cyber conflict, and what shape does it come in - as a definition:

‘The illegal, or legal employment of systems, infrastructures, applications, tools, or techniques used as weapons, with the objective of attacking a target, or targets, to deliver payload causing logical, or physical damage; or to cause loss, or reduced service, or breakdown of critical, or dependent infrastructures, communications, systems, and utilities; or where such attacks are employed with the direct, or indirect intention to cause economic, commercial disruption; or with direct, or indirect motivation to affect the morale of residents, or a population.’

* In the above definition, you may have noticed the suggestion that such an act may be considered both illegal and legal. The rationale here is to consider cyber weaponry under the same guise as other systems which may be introduced into any theatre of conflict to deliver a kinetic payload. Thus, it may be envisaged that such cyber weapons could one day be utilised by governments under current international rules of engagement and agreements.

Titan Rain

To date, whilst there have been examples of cyber conflict, the fledgling cyber war has not as yet been encountered with full and identified terms of engagement.

However, given the events to date, ranging from Titan Rain, Chinese Attacks against Google, through to attacks on UK HMG, and the regular attacks on the internet’s underpinning root servers, linked with statements, and positioning of international governments, it may be that, those who denounce cyber war, or conflict out of hand should reconsider the position - this genie is out of the bottle, and to coin a phrase: smell, and coffee springs to mind!

Comments (1)

  • 1
    elguindy wrote on 20th Oct 2011

    Thanks for this helpful article. I really agree that the term cyberwar is controversial...
    But we can see lots of evidence that we are not far from real cyberwar. I tried to investigate this issue especially in the Middle East on my blog.
    But I noticed until the moment that we are moving forward to the cyberwar era and there will be many losers especially in the Middle East!!!
