Chapter 5
On the July 4, 2009, weekend and continuing into the following week, a DDoS attack took down US and South Korean government and commercial websites for indeterminate periods of time. The South Koreans believed the government of the Democratic People's Republic of Korea (DPRK) or its agent was responsible, whereas no formal opinion as to attribution was expressed by any US officials.
Iran.
During the disputed Iranian presidential elections of June 14, 2009, hundreds of thousands of irate Iranians protested the results. One of the forms of protest was the use of DDoS attacks directed against Iranian government websites, using the popular social software service Twitter as an organizing platform.
Tatarstan.
In June 2009, the president of Tatarstan's website was knocked offline and Internet access was lost in an attack he attributes to the Russian Federal Security Service (FSB).
United States.
On April 21, 2009, the Wall Street Journal reported that security around the Pentagon's multi-billion-dollar Joint Strike Fighter project was compromised and several terabytes of data were stolen by unknown hackers presumed to be from the People's Republic of China.
On July 4–6, 2009, a relatively small-scale DDoS attack of unknown origin was launched against about 25 US government websites, some of which became inaccessible for several days, including the Federal Trade Commission and the Department of the Treasury, while others on the target list, such as the White House website, were unaffected. A second and third wave of these attacks were launched in the following days against South Korean government websites (see above).
Kyrgyzstan.
On January 18, 2009, a DDoS attack shuttered two to three of the nation's four ISPs for several days, denying Internet access to most of the population during a time of growing political unrest. It is still unclear who was responsible, but at least three theories have been floated:
It was the Russian government in an attempt to force the Kyrgyzstan president to close the Manas Air Base to US traffic.
The Kyrgyzstan president hired nonstate Russian hackers for the purpose of denying the Internet as a medium to opposition parties.
It was the result of a power struggle between competing ISPs.
Israel and the Palestinian National Authority.
Along with Israel's military action against Hamas bases in the Palestinian National Authority in December 2008 (designated Operation Cast Lead), literally thousands of Israeli and Arabic websites were defaced, both government and civilian. (See Chapter 2 for a thorough look at the Gaza cyber war.) Hackers involved allegedly included members of the Israeli Defense Forces and Hamas, which makes this one of the few cyber events with official state involvement.
Zimbabwe.
As reported by Concerned Africa Scholars in December 2008, in a paper entitled "The Glass Fortress: Zimbabwe's Cyber Guerilla Warfare," the Mugabe government has been silencing its opposition through jamming techniques on its airwaves and the Internet, as well as by monitoring all email traffic from domains ending in .zw. Both sides reportedly engaged in defacing websites and launching DDoS attacks. At the time the paper was written, these attacks had been occurring for at least five years.
Myanmar.
On September 23, 2008, in anticipation of the first anniversary of the Saffron Uprising, the government launched DDoS attacks against three websites that support the monks: The Irrawaddy, the Oslo-based Democratic Voice of Burma (DVB), and the New Era in Bangkok. The newspaper The Australian covered the story that day, reporting: The concerted attacks, which appear to originate in China, Russia and Europe as well as Burma, can only be the work of agents of the Burmese Government and may be an effort to compensate for its failure last year to stem the flow of images showing vast columns of unarmed demonstrators and their eventual dispersal under a rain of bullets and truncheons.
A representative of DVB reported that the attacks appeared to be coming from sites in Russia and China, which, if true, would indicate that the Myanmar government outsourced the attacks.
Cyber: The Chaotic Domain.
The answer to the question posed earlier about which of the previously discussed events qualifies as an act of cyber war is "none of the above." As of this writing, there is no legal entity known as "cyber war"; the only issue that has been defined by international agreement is a nation's right to self-defense when attacked, and that applies only to the traditional manner of attack, i.e., "armed" attack.
The assortment of cyber attacks listed earlier, ranging from internal attempts to silence opposition movements (Zimbabwe, Kyrgyzstan) to state-employed hackers taking out strategic websites (Israel, the Palestinian National Authority), illustrates just how malleable this domain can be. Furthermore, it would be incredibly naive to think that every permutation of this domain has been seen by now, which raises the importance of regular war-gaming or other types of forward-thinking exercises. This, unfortunately, is not a universally agreed-upon strategy.
The Center for Strategic and International Studies (CSIS) issued a report in February 2009 entitled "The 20 most important controls and metrics for effective cyber defense and continuous FISMA compliance." The following appeared in the report:
A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that "offense must inform defense." In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008. That new proposed legislation calls upon Federal agencies to: Establish security control testing protocols that ensure that the information infrastructure of the agency, including contractor information systems operating on behalf of the agency, are effectively protected
This is an extremely short-sighted approach to security. A tier-one hacker's favorite pursuit is the discovery of a zero-day exploit, which means finding a vulnerability in the software that no one else has yet discovered. To look only to the past as a defensive strategy means that our cyber security protocols will always be playing catch-up.
With the risk of discovery almost nil, a disputed legal status, and little in the way of unified international law enforcement collaboration, the cyber domain is today's equivalent of the untamed American West during the 1800s. Keyboards have replaced revolvers and hackers are the new gunslingers. However, as with the other analogies, this one breaks down in one important respect: land is a physical, three-dimensional entity, and cyberspace is an electronic terrain that does not occupy physical space, yet through it flows ever-increasing amounts of data that may control physical processes.
From an adversary's point of view, this is an ideal fighting ground. He can enter it unseen to conduct espionage or offensive attacks and escape without fear of being detected. The cost of entry is low, and a single person can have a significant impact (with the help of a botnet that can be rented or purchased). Furthermore, in many countries, including the United States, cyber attack defenses are scattered, uneven, and lack any coordination or consistency. Political infighting and the elevation of economic and health care challenges in the Obama White House pushed the issue of cyber security so far down the priority ladder that one prime candidate after another announced a lack of interest in the position of cyber coordinator that President Obama announced in early 2009. The position was finally filled on December 22, 2009, with the appointment of Howard Schmidt.
One sign of the growing frustration over how to defend against cyber attacks was seen in August 2009 when the US Marine Corps announced a total ban on all social networking sites (SNS) on NIPRNET: IMMEDIATE BAN OF INTERNET SOCIAL NETWORKING SITES (SNS) ON MARINE CORPS ENTERPRISE NETWORK (MCEN) NIPRNET.
Date Signed: 8/3/2009 MARADMIN Active Number: 0458/09 R 032022Z AUG 09.
UNCLASSIFIED//.
MARADMIN 0458/09.
MSGID/GENADMIN/CMC WASHINGTON DC C4//.
SUBJ/IMMEDIATE BAN OF INTERNET SOCIAL NETWORKING SITES (SNS) ON MARINE CORPS ENTERPRISE NETWORK (MCEN) NIPRNET//.
REF/A/MSGID:MCO/STRATCOM/102315Z//.
AMPN/REF A IS USSTRATCOM ORDER TO ADDRESS RISK OF USING NIPRNET CONNECTIVITY TO ACCESS INTERNET SNS.//.
POC/MARK R SCHAEFER/LTCOL/UNIT:HQMC C4 IA/-/TEL:703-693-3490 /EMAIL:[email protected]//.
POC/TIMOTHY LISKO/CTR/UNIT:HQMC C4 IA/-/TEL:703-693-3490 /EMAIL:[email protected]//.
GENTEXT/REMARKS/.
PURPOSE. THIS MESSAGE ANNOUNCES AN IMMEDIATE BAN ON INTERNET SNS WITHIN THE MCEN UNCLASSIFIED NETWORK (NIPRNET).
BACKGROUND. INTERNET SNS ARE DEFINED AS WEB-BASED SERVICES THAT ALLOW COMMUNITIES OF PEOPLE TO SHARE COMMON INTERESTS AND/OR EXPERIENCES (EXISTING OUTSIDE OF DOD NETWORKS) OR FOR THOSE WHO WANT TO EXPLORE INTERESTS AND BACKGROUND DIFFERENT FROM THEIR OWN. THESE INTERNET SITES IN GENERAL ARE A PROVEN HAVEN FOR MALICIOUS ACTORS AND CONTENT AND ARE PARTICULARLY HIGH RISK DUE TO INFORMATION EXPOSURE, USER GENERATED CONTENT AND TARGETING BY ADVERSARIES. THE VERY NATURE OF SNS CREATES A LARGER ATTACK AND EXPLOITATION WINDOW, EXPOSES UNNECESSARY INFORMATION TO ADVERSARIES AND PROVIDES AN EASY CONDUIT FOR INFORMATION LEAKAGE THAT PUTS OPSEC, COMSEC, PERSONNEL AND THE MCEN AT AN ELEVATED RISK OF COMPROMISE. EXAMPLES OF INTERNET SNS SITES INCLUDE FACEBOOK, MYSPACE, AND TWITTER.
ACTIONS. TO MEET THE REQUIREMENTS OF REF A, ACCESS IS HEREBY PROHIBITED TO INTERNET SNS FROM THE MCEN NIPRNET, INCLUDING OVER VIRTUAL PRIVATE NETWORK (VPN) CONNECTIONS.
EXCEPTIONS.
ACCESS MAY BE ALLOWED BY MCEN DESIGNATED ACCREDITATION AUTHORITY (DAA) THROUGH A WAIVER PROCESS.
ACCESS IS ALLOWED TO DOD-SPONSORED SNS-LIKE SERVICES INSIDE THE GLOBAL INFORMATION GRID (GIG) ON AUTHORIZED DOD MILITARY SYSTEMS THAT ARE CONFIGURED IN ACCORDANCE WITH DISA SECURITY TECHNICAL IMPLEMENTATION GUIDES (E.G., INTELINK, ARMY KNOWLEDGE ONLINE, DEFENSE KNOWLEDGE ONLINE, ETC).
WAIVER REQUEST PROCESS.
IF MISSION-CRITICAL REQUIREMENTS EXIST FOR ACCESS TO INTERNET SNS, WAIVER REQUESTS MUST BE SUBMITTED TO COMMAND INFORMATION ASSURANCE MANAGER (IAM) FOR VALIDATION AND FORWARDING PER NETOPS C2 STRUCTURE.
WAIVER REQUIREMENTS.
(1) COMMAND/UNIT.
(2) POINT OF CONTACT.
(3) NAME OF SNS.
(4) OPERATIONAL NEED FOR SNS.
(5) OPERATIONAL IMPACT WITHOUT SNS.
(6) NUMBER OF SNS USERS.
(7) NUMBER OF TIMES ACCESSED PER WEEK PER USER.
(8) ACCESS METHOD: NIPRNET OR GOVERNMENT-FURNISHED COMMERCIAL INFRASTRUCTURE AND COMPUTERS.
ROLES AND RESPONSIBILITIES.
(1) COMMAND IAM: INVESTIGATE AND VALIDATE MISSION-CRITICAL NEED FOR INTERNET SNS ACCESS. IF NEED IS JUSTIFIED, FORWARD REQUEST TO MARINE CORPS NETWORK SECURITY OPERATIONS CENTER (MCNOSC).
(2) MCNOSC: INVESTIGATE THE TECHNICAL IMPLEMENTATION OPTIONS AND FORWARD TO MCEN DAA.
(3) MCEN DAA: FINAL APPROVAL AUTHORITY. MCEN DAA WILL STIPULATE HOW ACCESS TO INTERNET SNS IS OBTAINED BASED ON MISSION NEED (I.E., THROUGH NIPRNET OR GOVERNMENT-FURNISHED COMMERCIAL INFRASTRUCTURE).
IT PROCUREMENT. IT PROCUREMENTS MADE TO FACILITATE INTERNET SNS USE MUST CONTAIN AN APPROVED WAIVER REQUEST.
CANCELLATION. THIS MARADMIN WILL BE CANCELLED ONE YEAR FROM DATE OF PUBLICATION.
RELEASE AUTHORIZED BY BGEN G. J. ALLEN, DIRECTOR, COMMAND, CONTROL, COMMUNICATIONS, AND COMPUTERS/CHIEF INFORMATION OFFICER OF THE MARINE CORPS.//.
DMC-PR-05-07-02 dated 5 August 2009 Version 1.0 ONLINE ENGAGEMENT GUIDELINES.
SUMMARY.
Not everyone agrees with the USMC's new policy, including the Chairman of the Joint Chiefs of Staff, who said in an interview with Next.gov: "Obviously we need to find right balance between security and transparency," Adm. Mike Mullen tweeted (http://twitter.com/TheJointStaff) after the Marine Corps said (http://www.nextgov.com/nextgov/ng_20090804_3800.php?oref=topnews) it would ban social networking sites. "We are working on that. But am I still going to tweet? You bet."
While the US Department of Defense continues to study the issues surrounding the use of social media, the UK Ministry of Defense released its social software guidelines for service members on August 5, 2009.
Service and MOD civilian personnel are encouraged to talk about what they do, but within certain limits to protect security, reputation and privacy. An increasingly important channel for this engagement, and to keep in touch with family and friends, is social media (such as social networking sites, blogs and other internet self-publishing). Personnel may make full use of these but must:
Follow the same high standards of conduct and behaviour online as would be expected elsewhere;
Always maintain personal, information and operational security and be careful about the information they share online;
Get authorisation from their chain of command when appropriate (see para 2 below).
Service and MOD civilian personnel do not need to seek clearance when talking online about factual, unclassified, uncontroversial nonoperational matters, but should seek authorisation from their chain of command before publishing any wider information relating to their work which:
Relates to operations or deployments;
Offers opinions on wider Defence and Armed Forces activity, or on third parties without their permission; or
Attempts to speak, or could be interpreted as speaking, on behalf of your Service or the MOD; or,
Relates to controversial, sensitive or political matters.
If in doubt personnel should always seek advice from their chain of command / line management.
The UK approach to managing its Defense Ministry personnel's online activities is much saner and safer than an outright ban. The solution lies in discussion and training. A ban would simply drive the unwanted behavior underground, where it would morph into something potentially even more dangerous and unmanageable.
Chapter 4. Responding to International Cyber Attacks as Acts of War.
Whereas the previous chapter discussed some of the legal questions and strategies being debated among the international community of legal scholars, this chapter focuses on one strategy in particular that addresses the fuzzy role of nonstate actors in cyber conflicts between nation-states, that is, assigning states responsibility for their nonaction and enacting consequences because of it.
I want to thank Lt. Cdr. Matt Sklerov for laboriously rewriting his 111-page thesis so that I could include it in this book.[3] In my opinion, Matt is one of the rising stars of the Department of Defense, and I feel privileged that he has consented to have his work republished here. Although there are still unresolved issues with Active Defense (such as confusion around attribution), he makes his case so thoroughly and persuasively that I believe it will serve as an excellent platform for further discussion, not just in the US government, but in governments and military commands around the world.
-Jeffrey Carr
By Lieutenant Commander Matthew J. Sklerov
One of the most heavily debated issues in international law is when states may lawfully respond to cyber attacks in self-defense. While the law of war comprises well-known and widely accepted principles, applying these principles to cyber attacks is a difficult task. This difficulty arises out of the fact that the law of war developed, for the most part, in response to conventional wars between states. When evaluating armed attacks in that paradigm, it was easy to assess the scope of an attack and the identity of an attacker. Unfortunately, when a cyber attack is in progress, it becomes difficult for states to assess the scope of an attack or figure out who is responsible for it. These difficulties have made states reluctant to respond to cyber attacks in self-defense for fear of violating the law of war, and they have turned cyber warfare into one of the hottest topics in international law.
This chapter explores the unique challenges that cyber attacks pose to the law of war and provides an analytical framework for dealing with them. Once the current state of the law of war is fully explored, this chapter will demonstrate that states have a right under international law to:
View and respond to cyber attacks as acts of war and not solely as criminal matters.
Use active, not just passive, defenses[4] against the computer networks in other states that may or may not have initiated an attack, but have neglected their duty to prevent cyber attacks from within their borders.