Are worries about a '9/11' cyber attack justified?

7 March 2012 by Pelle Neroth

The arrest of a couple of hackers from the Anonymous and LulzSec collectives this week has focused the public's attention on cyberactivism.

The groups defaced media organisation webpages (including blanking parts of today's FT), stole intelligence analyst company email and pinged various websites. But, somewhat behind the scenes, politicians on both sides of the Atlantic have been dreading something much bigger.

In February 2011, Leon Panetta, then head of the CIA, now Secretary of Defence, warned that the next Pearl Harbor could be a cyber attack; while US cyber czar Richard Clarke warned of electronic catastrophes of a size that would make 9-11 pale in comparison.

Meanwhile, the EU last month decided to step up its cyber defences by increasing the powers of ENISA, the European Network and Information Security Agency.

The European parliament vote, 52-3, to extend its mandate was greeted by Neelie Kroes, Digital Agenda commissioner, with the remark that cybercrime may now be "bigger than the drugs trade".

A report published by the Brussels think tank Security and Defence Agenda found that, in Europe, the UK, Estonia and Sweden had the best cyber defences, and Romania and Italy the worst. In a poll of 250 cyber security experts, the think tank found that by far the biggest concern was the destruction of infrastructures like power stations.


Sense of proportion, please


Cyber security, then, definitely seems to be an issue of the moment. But just how big are the risks? Cyber attacks on corporations and governments have become increasingly commonplace, but are the US fears of a giant conflagration justified? Thomas Rid, a researcher at King's College's famed institute of War Studies, thinks not, in an interesting paper from the Journal of Strategic Studies.

He argues that there have been no examples of cyber warfare in history, and most likely won't be, and explains why. Instead, cyber attacks will most likely be variations of old techniques of war: espionage, sabotage and subversion. Why is this? Because wars have to involve violence and be instrumental - that is, with the practical aim of imposing one's will on the opponent, changing their behaviour towards your ends.

And because wars are, ultimately, political, following Clausewitz's dictum that war is the continuation of politics by other means.

Further, in order to be political, an entity has to have a form - an intention that is at some point transmitted to the adversary. There is no example in history of a war without attribution. You cannot have a war without an opponent with goals that he puts across to you.

Rid then argues that no cyber offences so far have met all three criteria, and very few have met even one of them. An often cited cyber attack was the alleged "logic bomb" of 1982 that created an explosion in a Siberian pipeline equivalent to 3 kilotons, or a small nuclear device. The cause of the attack was supposedly computers containing control software purchased from Canada by the Soviets which had had malicious software inserted by the CIA. This software supposedly manipulated pump speeds and valve pressure to a level far beyond that which the pipeline welds and joints were designed for.

A former National Security Council aide described the incident in a 2004 book, At the Abyss.

However, it draws on only a single document and the CIA's declassified account of providing defective technology to the USSR, the so-called Farewell dossier, doesn't mention it.

If the explosion did happen, it's not clear there were any casualties - so it may not even have met the violence criterion. The Soviets, for their part, said an explosion happened at around the same time but 50 km away in Tobolsk and was caused by the shifting of pipes under the melting tundra. The evidence is pretty thin on the ground, and since that example is wheeled out as the strongest case, Rid concludes "no known cyber-attack unequivocally meets Clausewitz's first criterion, violence, where people have been killed".

Another oft-quoted example of cyber warfare is the series of attacks following the move of a bronze statue of a Soviet soldier, in Tallinn, Estonia, in the spring of 2007. Thousands of ethnic Russians rioted at the removal of the war memorial to another location, and in due course Estonian government and commercial websites were hit by simple ping floods and later more sophisticated denial-of-service attacks using botnets.

The country's biggest bank was off the net for a total of three and a half hours on two occasions. Estonia is famously one of the most networked countries in the world; NATO set up its cyber defence centre in Tallinn in response, but even they were not able to pinpoint the attacks as having come from Russia. The Estonian prime minister said it was the equivalent of a warship blocking a harbour, and another senior figure talked of botnets "gathering like armies".

Rid says the analogy is incorrect: there was no implicit threat of violence, no tactical objective and no clear political force behind the attack. Not even the comparison to demonstrators showing up outside government buildings is a good parallel: people would have to show up for those, while botnets are easier to launch.

Similar arguments pertain to a series of cyber-attacks on Georgian government websites a year later during the Georgian-Russian war, which forced the Georgian foreign minister to set up a site on Google's Blogger service. The inconvenience was rather small, Rid says. The biggest effect on the Georgians was the recommendation not to use electronic banking for ten days.


Sabotage



There are instances of cyber sabotage, though, on occasion in conjunction with conventional attack. On 6 September 2007, Israeli F-16 jets bombed a nuclear reactor building project in Syria after Israel's cyber warfare unit had disabled the Syrian air defences, one of the world's best. Another instance of sabotage is the Stuxnet virus, which infiltrated itself into the control systems of Iranian reactors through thumb drives and a field laptop that connected to the system. The goal was to change the output frequencies of motors and thereby physically damage the reactor turbines.

Because the final target was not networked, all functionality had to be included in the executable file. Tens of thousands of computers were infected around the world on Stuxnet's long journey into the heart of Iran's nuclear systems, but Stuxnet activated only on reaching its targets.

It was highly sophisticated in that it provided fake input from sensors to fool Iranian plant operators into complacency while the real processes were manipulated. And it was probably preceded by an earlier virus that infiltrated the programme to find out details about the reactor design so it could be targeted.

The large number of developers who spent a lot of time on this belies the claim that cyber-attacks will become more common and cheaper, Rid says.

Again, cyber-attacks are not quite harmless - but they are not war.


Espionage


Espionage is another growing area. Twenty-five terabytes of data were stolen by hostile intelligence agencies relating to the American F-35 fighter programme, and MI5 in 2007 warned hundreds of British companies that they were targeted by hackers.

A project called Ghostnet was a sophisticated spy network, possibly of Chinese origin, that infiltrated over 1,300 host computers at NGOs, government organisations and news media, and was sophisticated enough to log keystrokes and download documents.


Subversion


Subversion, like the Arab spring connecting via Facebook, is powerful only if there is a strong cause in the mainstream of societies with a rapidly growing following backing it. Loose hacker affiliations such as Anonymous, with their Guy Fawkes masks, will always find a stream of support in cyberspace but are limited by lack of clear leadership, organisation and mass support.

Some of their goals are really quite specific, such as defacing the websites of internet security companies that threaten to expose them. Internet anonymity makes internet activism easier to enter into than before the internet, but the cost of withdrawing from activism is also lower, another self-limitation to the movement unless supported by larger social changes.

Still, it's worth observing that, in the Brussels SDA think tank poll, only 25% of the experts polled considered the term cyber war "scaremongering or outright inaccurate", while 45% thought it was accurate.

Mind you, maybe all professions talk up their importance...

-------------------------
Pelle Neroth -- EU correspondent

    Posted By: Pelle Neroth @ 07 March 2012 05:39 AM     General  