Chapter 21
The proposed 5-stage framework of politically motivated cyber attacks can be used to create a Defense Readiness Condition (DEFCON) for cyberspace. The existing DEFCON scale, from 5 to 1, measures the readiness level of the US armed forces. DEFCON 5 represents normal peacetime military readiness, whereas DEFCON 1 represents maximum readiness and is reserved for imminent or ongoing attacks against the United States.
The 5-stage model could also be used to inform the United States' DEFCON rating for cyberspace. Cyber DEFCON 5 exists during normal conditions with latent political tensions between the United States and a range of adversaries.
Cyber DEFCON 4 could be activated when cyber reconnaissance is detected against the backdrop of existing latent political tensions between the United States and its adversaries. For example, when reconnaissance probes are detected from Russia, China, or other adversaries with a demonstrated cyber warfare capability and a declared intention, cyber DEFCON 4 should be activated.
Cyber DEFCON 3 could be activated in the aftermath of cyber reconnaissance and an initiating event. An example is the US-China spy plane incident of 2001, in which a US Navy EP-3 surveillance aircraft collided with a People's Liberation Army fighter plane. This incident sparked a cyber war between US and Chinese hackers, during which a number of US and Chinese websites were defaced or knocked offline.
Cyber DEFCON 2 could be activated after an initiating event occurs and the mobilization of enemy cyber militias is detected. In the aftermath of the invasion of South Ossetia, pro-Russian hackers launched the StopGeorgia.ru website in order to mobilize a pro-Russian cyber militia. As previously discussed, cyber mobilization typically occurs in semipublic forums because militia organizers desire to attract as many sympathetic hackers as possible. The more public the call to arms, the greater the chance the militia will recruit new members and increase in size. Fortunately, the more public the call to arms, the greater the likelihood that the defender will detect the mobilization of the enemy's cyber militia. When these types of activities are detected, cyber DEFCON 2 should be activated.
Cyber DEFCON 1 should be activated when attacks appear imminent or are ongoing. It is apparent that cyber attacks will be used either in parallel with armed attacks or as the sole means of attack between adversaries. Therefore, it is important to understand how attacks are planned, organized, and executed.
Use of this model may improve the ability of the United States to predict and defend against future politically motivated cyber attacks. It is therefore important that this 5-stage model be discussed, tested, and altered as necessary.
[39] Ned Moran is a senior intelligence analyst for a well-known systems integrator, an adjunct professor in intelligence studies at Georgetown University, and a valued member of Project Grey Goose.
Originally Ned invited me to coauthor this paper for publication elsewhere, but due to my time limitations and the innovative nature of Ned's proposed model of predicting cyber attacks, I asked if he would consent to having it published here first. He graciously agreed, and I think the book is richer for it.
Chapter 13. Advice for Policymakers from the Field.
One of the many goals of this book is to offer informed advice to those individuals who will ultimately shape US policy in this highly complex domain. To that end, I announced an open call for submissions from individuals who are engaged in protecting their respective nation's networks from attack on a daily basis, both nationally and internationally.
Providing experts from other countries with a voice symbolizes the international approach to cyber security that has consistently provided the best results in combating cyber intrusions and in identifying the state and nonstate actors involved.
This chapter contains thought-provoking pieces of varying lengths from a naval judge advocate who wrote his thesis on cyber warfare, an experienced member of an international law enforcement agency, and a scientific adviser on national security matters to the Austrian government, as well as my own contribution.
When It Comes to Cyber Warfare: Shoot the Hostage
By Jeffrey Carr
Harry: OK, Airport. Gunman with one hostage, using her for cover. Jack?
Jack: Shoot the hostage.
Harry: What?
Jack: Take her out of the equation.
Harry: You're deeply nuts, Jack.
-Speed (1994), written by Graham Yost
The fun of movie scenarios aside, consider the same strategy when the hostage is not a human being but a piece of technology or a legacy policy that no one wants to change.
Here's a new scenario. A state or nonstate hacker attacks US critical infrastructures and Department of Defense networks at will and without fear of detection or attribution. He is able to do this from behind the protection of two very valuable "hostages" or, more precisely, "sacred cows" that US government officials, including the Congress, are loath to change: using Microsoft Windows and regulating a segment of private industry.
Hostage 1
The pervasive use of the Microsoft Windows operating system (OS) throughout the federal government, but particularly within the Department of Defense, the intelligence community, and privately owned critical networks controlling the power, water, transportation, and communication networks.
Hostage 2
The uninterrupted, sustained economic growth of US Internet service providers, data centers, and domain name registrars who profit by selling services to criminal organizations and nationalistic hackers that prefer the reliability and speed of US networks to the ones found in their own countries.
In this case, the best solution, bar none, is to metaphorically "shoot the hostage," thus denying an adversary both of his weapons: (1) malware configured for the Windows OS and (2) his attack platform, the most reliable Internet services companies in the world.
Shoot the first hostage by switching from Microsoft Windows to Red Hat Linux for all of the networks suffering high daily intrusion rates. Red Hat Linux is a proven secure OS with less than 90% of the bugs per 1,000 lines of code found in Windows. Many decision makers don't know that it is the most certified operating system in the world, and it's already in use by some of
The data from Kaspersky Lab in Figure 13-1 shows how little malware has been developed for operating systems other than Windows. Linux certainly has its vulnerabilities, but the math speaks for itself. Shoot Windows and eliminate the majority of the malware threat with one stroke.
Shoot the second hostage by cracking down on US companies that provide Internet services to individuals and companies who engage in illegal activities, provide false WHOIS information, or show other indicators that they are potential platforms for cyber attacks.
Figure 13-1. Kaspersky figures on malware distribution by OS
The StopGeorgia.ru forum, whose members were responsible for many attacks against Georgian government websites, including SQL injection attacks that compromised government databases, was hosted on a server owned by SoftLayer Technologies of Plano, TX.
The distributed denial of service (DDoS) attacks of July 2009 that targeted US and South Korean government websites were not controlled by a master server in North Korea or China. The master server turned out to be located in Miami, FL.
ESTDomains, McColo, and Atrivo, all owned or controlled by Russian organized crime, were set up as US companies with servers on US soil.
The Russian criminal underground prefers to host its web operations outside of Russia to avoid prosecution. And the robust US power grid, cheap broadband, and friendly business environment make this country the ideal platform for cyber operations against any target in the world, including the US government.
Congress needs to send a strong signal to US Internet hosting and service provider companies that profit must be tempered by due diligence and that they are, effectively, a strategic asset and should be regulated accordingly.
Neither of these recommendations is politically safe. However, the United States is now facing a serious threat from a new domain with so many evolving permutations that senior leadership, both civilian and military, seems to be standing still. And that's absolutely the wrong strategy to employ.
The United States Should Use Active Defenses to Defend Its Critical Information Systems
By Lieutenant Commander Matthew J. Sklerov [40]
Cyberspace is a growing front in 21st-century warfare. Today, states rely on the Internet as a cornerstone of commerce, communication, emergency services, energy production and distribution, mass transit, military defenses, and countless other critical state sectors. In effect, the Internet has become the nervous system of modern society. Unfortunately, reliance on the Internet is a two-edged sword. While it provides tremendous benefits to states, it also opens them up to attack from state and nonstate actors. Given the ease with which anyone can acquire the tools necessary to conduct a cyber attack, anonymously and from afar, cyber attacks provide the enemies of a state with an ideal tool to wage asymmetric warfare against it. Thus, it should come as no surprise that states and terrorists are increasingly turning to cyber attacks to wage war against their enemies.
Today, the United States treats cyber attacks as a criminal matter and has foregone using active defenses to protect its critical information systems. This is a mistake. The government needs to modernize its approach to cyber attacks in order to adequately protect US critical information systems. Unless policymakers change course, the United States will continue to be at greater risk of a catastrophic cyber attack than need be the case.
Modernizing the US approach to cyber attacks requires major changes to the way the federal government currently does business.
First and foremost, the United States needs to start using active defenses to protect its critical information systems. This will better protect these systems, serve as a deterrent to attackers, and provide an impetus for other states to crack down on their hackers.
Second, the United States needs to devote significantly more resources and personnel to its cyber warfare forces. Creating the preeminent cyber warfare force is an absolute imperative in order to secure US critical infrastructure against cyber attacks, and to prevent the Internet from becoming the Achilles' heel of the United States in the 21st century.
Furthermore, a large, expertly trained cyber warfare force should be a prerequisite to actually using active defenses, since using active defenses on the national scale without properly trained personnel could easily lead to unjustified damage against illegitimate targets.
The decision to use active defenses will, no doubt, create a lot of controversy, as would any major change to state practice. However, there is sound legal justification to use them, as long as their use is limited to attacks originating from sanctuary states, as laid out in Chapter 4. Limiting active defenses to attacks originating from sanctuary states still leaves states vulnerable to cyber attacks from rogue elements of cooperating states, but this change to state practice significantly improves US cyber defenses without running afoul of international law.
Furthermore, under a paradigm where active defenses are authorized against sanctuary states, the United States could feel comfortable knowing that either cyber attacks would be defended against with the best computer defenses available or that when computer defenses were limited to passive defenses alone, the state of origin would fully cooperate to hunt down and prosecute the attackers.
In adopting this approach, the United States needs to use its diplomatic influence to emphasize states' duty to prevent cyber attacks, defined as passing stringent criminal laws, conducting vigorous law enforcement investigations, prosecuting attackers, and, during the investigation and prosecution, cooperating with the victim-states of cyber attacks. Using US influence to emphasize this duty, combined with the threat that the United States will respond to cyber attacks with active defenses when states violate this duty, should help coerce sanctuary states into taking action against their hackers. This is an essential step toward both a global culture of cyber security and eliminating the threat of cyber attacks from nonstate actors.
Admittedly, the decision to use active defenses is not without complications. Technological limitations will still make it difficult to detect, assess, and trace cyber attacks. As a result, frontline forces will run into trouble trying to factually assess attacks and, given the speed with which cyber attacks execute, will frequently be forced to make decisions with imperfect information. (These difficulties are assessed in greater detail in Chapter 4.) Thus it is imperative for the United States to invest the capital necessary to ensure that its cyber warfare forces are able to overcome these difficulties. Otherwise, poor decisions are likely to be made, and active defenses might accidentally be directed against allied states or used before the legal thresholds for their use are crossed.
At a time when cyber attacks threaten global security and states are scrambling to find ways to improve their cyber defenses, there is no reason to shield sanctuary states from the lawful use of active defenses, and every reason to enhance US defenses to cyber attacks by using them. Selectively targeting sanctuary states with active defenses will not only better protect the United States from cyber attacks but should also push other states to take cyber attacks seriously as a criminal matter because no state wants another state acting within its borders, even electronically.
Using force against other states may sound like a harsh measure, but states that wish to avoid being the targets of active defenses can easily do so; all they must do is fulfill their duty to prevent cyber attacks.
Lieutenant Commander Sklerov is a native of upstate New York. He received his Bachelor of Arts from the State University of New York at Binghamton, his Juris Doctor from the University of Texas, and his Master of Laws in International and Operational Law from the US Army Judge Advocate General's School. He is admitted to practice before the Texas Supreme Court, the US District Court for Southern Texas, the US Court of Appeals for the Armed Forces, and the US Supreme Court.
In June 2006, Lieutenant Commander Sklerov reported to USS NIMITZ as deputy command judge advocate. While on NIMITZ, he deployed twice and served as officer of the deck (Underway) during combat operations in support of OEF and OIF. He is currently stationed at Naval Base Kitsap Bangor in Silverdale, Washington, where he serves as the staff judge advocate for Submarine Groups NINE and TEN (also known as Submarine Group TRIDENT).
[40] The views expressed here are those of the author and do not necessarily represent the views of the Department of Defense.
Scenarios and Options for Responding to Cyber Attacks
The following are fictional scenarios that various government and private organizations encounter and for which there is insufficient legislation or framework to guide them in deciding on a proportionate response to cyber attacks.
With these scenarios I have provided a list of options for response, to assist in the creation of future legislation governing such responses. As of this writing, some of the options considered here are either not legal or may be legally questionable.
Scenario 1
TeraBank, a financial institution with 5,000 employees, is forwarded a phishing email by 10 of its customers. The phishing email prompts users to click on an Internet link and provide their online banking credentials to "validate their account."
Option 1
TeraBank contacts the Internet hosting provider of the phishing website linked to in the email and requests that the website be taken down. The hosting provider will usually take down the phishing website, but by the time that occurs, the phishers may have received hundreds of bank account credentials from TeraBank's customers.
Option 2
TeraBank forwards the email to other organizations, such as law enforcement. Law enforcement will receive many of these phishing emails, and as they are constrained by national borders, they would most likely do nothing. Some organizations, such as Internet service providers, may respond to this phishing attack by blocking access to the phishing site for their customers.
Option 3
TeraBank, using an automated computer program, enters information for hundreds of thousands of fake bank accounts into the phishing website. Although legally questionable, this approach would pollute the pool of valid banking credentials the senders of the phishing email possess. It is likely that after attempting to use their harvested banking credentials with no success, the attackers would move on to launching phishing emails against another bank.
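The mechanics of Option 3, as an added example that is not part of the original text or of any real bank's tooling. The practitioner's refinement shown here is that the decoys double as honeytokens: each fake account number embeds an HMAC tag keyed on the fake username, followed by a Luhn check digit, so the phisher's own format validation accepts it, the phisher cannot tell decoys from real harvests without the key, and TeraBank's login endpoint can recognize a decoy statelessly the moment an attacker tries it. The bank prefix, form field names, name lists, and key are all constructed assumptions; posting the encoded bodies to the phishing form (the legally questionable step the text flags) is left to the operator.

```python
"""Credential pollution with recognizable honeytokens (added example).

Assumptions (not from the original text): TeraBank account numbers are
12 digits (4-digit prefix + 7-digit tag + Luhn check digit), and the
phishing form takes the three fields in FORM_FIELDS.
"""
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlencode

BANK_PREFIX = "6011"          # hypothetical TeraBank account prefix
TAG_DIGITS = 7                # digits of account number derived from the HMAC
ACCOUNT_LEN = len(BANK_PREFIX) + TAG_DIGITS + 1
FORM_FIELDS = {"username": "user", "account": "acct", "password": "pass"}

# Constructed sample names so generated usernames look like real customers.
FIRST_NAMES = ["anna", "ben", "carla", "dev", "erin", "farid", "gwen", "hugo"]
LAST_NAMES = ["moore", "singh", "ortiz", "kim", "dubois", "novak", "reyes"]
PW_ALPHABET = string.ascii_letters + string.digits


def luhn_check_digit(body: str) -> str:
    """Luhn (ISO/IEC 7812) check digit for a digit string without one."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit is doubled first
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and \
        luhn_check_digit(number[:-1]) == number[-1]


def _tag(key: bytes, username: str) -> str:
    """TAG_DIGITS decimal digits derived from HMAC-SHA256(key, username)."""
    mac = hmac.new(key, username.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** TAG_DIGITS).zfill(TAG_DIGITS)


def make_decoy(key: bytes, seq: int) -> dict:
    """One decoy credential set whose account number carries the HMAC tag."""
    username = f"{secrets.choice(FIRST_NAMES)}.{secrets.choice(LAST_NAMES)}{seq}"
    body = BANK_PREFIX + _tag(key, username)
    account = body + luhn_check_digit(body)
    password = "".join(secrets.choice(PW_ALPHABET) for _ in range(12))
    return {"username": username, "account": account, "password": password}


def is_decoy(key: bytes, username: str, account: str) -> bool:
    """Stateless check for the bank's login endpoint: does this (username,
    account) pair carry our tag? A real customer collides with probability
    about 10**-TAG_DIGITS per pair, so treat a hit as an alert, not a block."""
    if len(account) != ACCOUNT_LEN or not luhn_valid(account):
        return False
    expected = BANK_PREFIX + _tag(key, username)
    return hmac.compare_digest(account[:-1], expected)


def build_submissions(key: bytes, count: int, field_map: dict = FORM_FIELDS,
                      start: int = 1):
    """Yield application/x-www-form-urlencoded bodies for the phishing form."""
    for seq in range(start, start + count):
        decoy = make_decoy(key, seq)
        yield urlencode({field_map[k]: v for k, v in decoy.items()})


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # kept only on the bank's side
    for body in build_submissions(key, 3):
        print(body)
    d = make_decoy(key, 99)
    # The login endpoint recognizes its own decoy without any stored list.
    print("decoy recognized:", is_decoy(key, d["username"], d["account"]))
```

Because recognition is keyed rather than stored, the bank can flood the form with hundreds of thousands of decoys without keeping a database of them, and every later login attempt that trips `is_decoy` is a high-confidence indicator of the phisher (or a buyer of the harvested list) testing credentials, with a source IP to act on.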
Option 4
TeraBank contacts a "hacker for hire" and pays him to launch a distributed denial of service (DDoS) attack against the phishing website, making it inaccessible. Launching DDoS attacks is illegal in many countries. Besides financing an illegal act, TeraBank risks collateral damage: the DDoS attack may impact the businesses of innocent parties, especially if they are hosted on the same server as the phishing website.