ICG Risk Blog

US IT infrastructure is as, likely more, vulnerable to active and passive cyberattack than Estonia


'Cyber-collection' versus cyberterrorism

The ongoing organized cyberattack on Estonian state and commercial IT infrastructure is the clearest example to date of a "cyber Pearl Harbor": an active attack to disrupt or degrade a state's capacity to function, to conduct commerce and to defend itself. Yet as instructive as this active attack is, even attention grabbing to the thoughtful few, it falls in the smaller category of IT cyber risk. The greater risk is the wholesale 'passive' probing and intrusion effort that reconnoiters infrastructure and steals proprietary or classified information.

Between FY 2005 and FY 2006, incidents reported against federal assets rose markedly in the categories of unauthorized access, improper usage, scans/probes/attempted access, investigation and even denial of service, while reported malicious code incidents fell (a decrease I believe is due more to spear phishing and other, more intelligent exploits than to lessened activity).

In their fiscal year 2006 financial statement audit reports, 21 of 24 agencies indicated that they had significant weaknesses in information security controls. [The] weaknesses persist in major categories of controls, including, for example, access controls, which ensure that only authorized individuals can read, alter, or delete data, and configuration management controls, which provide assurance that only authorized software programs are implemented. An underlying cause for these weaknesses is that agencies have not yet fully implemented agencywide information security programs, which provide the framework for ensuring that risks are understood and that effective controls are selected and properly implemented. Until agencies effectively and fully implement agencywide information security programs, federal data and systems will not be adequately safeguarded to prevent unauthorized use, disclosure, and modification.

Without a systemic application of Design Basis Threat (DBT) analysis, I cannot see federal or commercial systems staying ahead of the growing number of attackers and reconnaissance efforts; money and attention will be squandered on "feel good security" rising from flawed practices and from vendors' siren recommendations of their particular wares as plugging the gap. See:

Furthermore, most systems are brownfield legacy systems, and those that are greenfield have critical links to, or access from, brownfield systems. Atop that, most systems are not designed with security in mind. From The defender's dilemma: common threads in exploiting commercial supply networks:

The problem is that the commercial production environment, in this case the "defender," is supremely exploitable as commercial supply chains are designed around economic efficiency and manufacturing efficiency rather than exploitation security. [Terrorist supply chains, or asymmetrical attacker supply chains, are not built for commercial efficiency but for detection avoidance, at least until the attack is in progress.] Cost and risk rise for the commercial defender as they try to backfill security needs atop a commercial structure. In this situation, it tracks with the difficulty in countering IP theft and diversion unless the process is built in from the onset. In all such environments, it is too easy to ask how often [the target will be attacked] as opposed to if or when.

Readers are encouraged to review my 2005 note, Malicious marketplace uniting espionage, criminal groups, crackers, terrorism, vulnerable systems, commercial and government targets, which highlighted the Chinese Titan Rain intrusion efforts and confirms "our experience that 'cyber-collection' far outranks cyberterrorism":

The black hat community attacking commercial and military targets is as large as it is diverse and global:

  1. State espionage against foreign commercial and military targets
  2. Criminal enterprises focused on money over fame or ideology
  3. Stateless terrorism and its associated criminal money raising campaigns (phishing for example)
  4. "Outsourced" smaller criminal enterprises in low cost, permissive cultures (who can fabricate exploits too labor intensive for more established criminal groups)
  5. Cracker groups selling exploits to groups 1, 2, and 3 directly or through brokers

China enshrined informationalization, the best definition of which is in the Double-Tongued Dictionary, in its military doctrine in 2004:

Subsequent analysis has shown that the People's Liberation Army (PLA) pursues a similar outsourcing strategy in its IT (Information Technology) and IP (Intellectual Property) harvesting by using Chinese commercial entities as proactive agents, i.e., your contract engineering house or supplier is also the collector of your proprietary information [private briefing to clients].

In a DOD background briefing for the 2007 Military Power of the People’s Republic of China, a question was raised on "informationization, which sounds quite a bit like our network-centric. Would that be a correct assumption?"

DEFENSE DEPT. OFFICIAL: I would be hesitant to draw a direct parallel, but I think that certainly China's ideas on what informationization is would be informed by their understanding of network-centric warfare. I think when they say informationization, it's really their understanding of how information technology is now a pretty significant component of the modern battlefield. So it's, you know, intelligence, surveillance, reconnaissance, precision strike. So it's the role of information, information systems, information technology. So I'd probably say it's not a direct parallel.

Target Estonia, and only Estonia

Estonia ranks with Scandinavian states in its level of internet integration:

One of the most wired societies in Europe… Estonia has a large number of potential targets. The economic success of the tiny former Soviet republic is built largely on its status as an "e-society," with paperless government and electronic voting. Many common transactions, including the signing of legal documents, can be done via the Internet...

A massive DDoS (Distributed Denial of Service) attack against such a state had the potential to cripple it, incurring costs and interruptions, and raising the risk calculus of potential partners who might do business with it going forward. With Estonian-Russian relations already strained at best, an Estonian action to relocate a Soviet war memorial, the "Bronze Soldier," on 27 April triggered just such a series of attacks within hours. This attack is unique for its lack of criminal motive and the presence of a direct and identifiable nationalistic motive.

While specific Estonian ISPs had been under DDoS attack for months from hosts infected with the Allaple worm, the motive for those attacks is unclear. The April-May DDoS attacks, in contrast, are massive and immediately tied to a precipitating event and to perpetrator(s). In a stroke, a state's electronic infrastructure was raised to the same level as its sovereign territory and airspace. Estonia's infrastructure - government, banking, ISPs, telecommunications and news agencies - was driven offline, almost completely so for users outside the Baltic states and Scandinavia. The Estonian defense ministry ranked the attack on the nation as comparable to 11 September.

There was also precision in the attacks. While Estonia is both a NATO alliance member and an EU member, no NATO systems in Estonia were attacked.

Attack characteristics

Described as a "common-size attack" of 100-200 megabits per second, the Estonian attack is analogous to the Apolo Ohno attack in both size and nationalistic impetus, and similar in size to the 2006 rogue DNS server attack. "Multiple botnets and tools--both botnet-related and not botnet-related" were employed.

Though Estonia is generally cyber-wise, responding to an attack of this kind demands substantial numbers of skilled technicians. Estonian ISPs are working with the international ISPs "that give them inbound traffic as well as the attack traffic" in order to push traffic interdiction upstream, identify root causes and isolate them. Expect botnet locations and sources to change in order to retain attack vibrancy; expect variations in sources, traffic and packet types.

Another 'characteristic' of the Estonian attack is its success: for a modest investment in botnets, the attacks have degraded Estonian commercial and governmental operations, registering an effective and highly visible protest. Governments, factions and corporations should expect copycat events. Much larger attacks, blended with multiple payload characteristics, are quite possible.

Stateless quality of active and passive cyber attacks

"If a member state's communications centre is attacked with a missile, you call it an act of war. So what do you call it if the same installation is disabled with a cyber-attack?" NATO Official

The better DDoS attacks and penetration attacks share a condition common to terrorist groups, namely statelessness, and with it the ambiguity of identifying the culpable state actor and the risk of targeting the innocent. A peer-to-peer botnet can go far in camouflaging its controller. Whereas the first wave of attacks on Estonia largely emanated from Russian servers, including government servers, the second, larger series emanated from a global array of servers.
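As an added example that is not part of the original post (nor any Arbor or Estonian ISP tooling), the three questions raised under "Attack characteristics" and in the paragraph above can be worked over flow records: what rate the attack reaches, how concentrated its sources are (a single botnet's /24s versus a global array), and whether an upstream ISP could realistically interdict it by source prefix. The NetFlow-style records, addresses, byte counts, the 10-second window and the 16-prefix ACL budget are all constructed assumptions for the example.

```python
"""Flow analysis for a volumetric DDoS, on constructed sample data (added
example; the records, addresses, window size and ACL budget are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

WINDOW_S = 10  # aggregation window in seconds (assumption)


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start time, seconds
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    nbytes: int   # bytes carried by the flow


def _burst(start_ts, sources, nbytes):
    """One flow per source, spread across the window that starts at start_ts."""
    return [Flow(start_ts + i % WINDOW_S, s, "203.0.113.10", nbytes)
            for i, s in enumerate(sources)]


# Constructed sample: quiet baseline, then a wave from two /24s (one botnet),
# then a wave of the same order from 100 distinct /24s (global array of hosts).
SAMPLE = (
    _burst(0, [f"198.18.0.{i}" for i in range(1, 6)], 1_000_000)
    + _burst(10, [f"198.51.100.{i}" for i in range(1, 51)]
             + [f"192.0.2.{i}" for i in range(1, 51)], 1_875_000)
    + _burst(20, [f"10.0.{i}.5" for i in range(100)], 2_500_000)
)


def rate_by_window(flows, window_s=WINDOW_S):
    """Return {window_start: Mbps} for every window that carried traffic."""
    total = defaultdict(int)
    for f in flows:
        total[(f.ts // window_s) * window_s] += f.nbytes
    return {w: b * 8 / window_s / 1e6 for w, b in sorted(total.items())}


def attack_windows(rates, baseline_mbps, factor=10):
    """Windows whose rate exceeds `factor` times the quiet baseline."""
    return [w for w, mbps in rates.items() if mbps > factor * baseline_mbps]


def in_window(flows, window_start, window_s=WINDOW_S):
    return [f for f in flows if window_start <= f.ts < window_start + window_s]


def bytes_by_prefix(flows, prefix_len=24):
    """Aggregate bytes by source prefix (default /24)."""
    by_pfx = defaultdict(int)
    for f in flows:
        net = ipaddress.ip_network(f"{f.src}/{prefix_len}", strict=False)
        by_pfx[str(net)] += f.nbytes
    return by_pfx


def top_prefix_share(flows, top_n=3, prefix_len=24):
    """Fraction of bytes from the top_n source prefixes: near 1.0 means a
    handful of sources, a small value means a widely distributed botnet."""
    by_pfx = bytes_by_prefix(flows, prefix_len)
    total = sum(by_pfx.values())
    if total == 0:
        return 0.0
    return sum(sorted(by_pfx.values(), reverse=True)[:top_n]) / total


def upstream_filter_plan(flows, coverage=0.8, max_prefixes=16, prefix_len=24):
    """Smallest set of source prefixes (largest first) covering `coverage` of
    the attack bytes. Returns (prefixes, feasible); feasible is False when the
    set is too long to hand to the upstream ISP as an ACL, i.e. source-prefix
    blocking will not work and rate limiting or scrubbing is needed instead."""
    by_pfx = bytes_by_prefix(flows, prefix_len)
    total = sum(by_pfx.values())
    chosen, covered = [], 0
    for pfx, b in sorted(by_pfx.items(), key=lambda kv: (-kv[1], kv[0])):
        if covered >= coverage * total:
            break
        chosen.append(pfx)
        covered += b
    return chosen, len(chosen) <= max_prefixes


if __name__ == "__main__":
    rates = rate_by_window(SAMPLE)
    baseline = rates[0]   # first window is the quiet period in the sample
    for w in attack_windows(rates, baseline):
        wave = in_window(SAMPLE, w)
        plan, ok = upstream_filter_plan(wave)
        print(f"t={w}s {rates[w]:.0f} Mbps, top-3 /24 share {top_prefix_share(wave):.2f}, "
              f"prefix filtering {'feasible' if ok else 'infeasible'} ({len(plan)} prefixes)")
```

Run as a script it prints one line per flagged window. The point is the one the text makes: the 150 Mbps wave from two /24s can be pushed back to the upstream ISP as a two-line prefix filter, while the 200 Mbps wave from a hundred prefixes would need 80 entries to cover the same share of traffic, so the defender must fall back on rate limiting or scrubbing, and the source addresses say little about who is behind the attack.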

This stateless nature, in addition to the newness of active statewide cyber attacks, raises many questions that have yet to be codified in international law:

  • What is the cyber equivalent for the death of a nation's citizen?
  • How many of those units constitute grounds for cyber or military retaliation?
  • What is the variance between a cyber and military threshold response?
  • What level of proof is needed to secure international approval?
  • If an attack emanated from within a state, is it a sanctioned state action or a rump action by groups of its or other nationals?
  • What is the appropriate level of response, in kind or otherwise?
  • When does a cyber attack become indistinguishable from a conventional attack? (One might well ask when this question will be considered quaint and rendered moot.)

Answering these questions will not be easy, as the international community has yet to formulate responses to lesser levels of cyber crime and terrorism, much less a massive cyber attack; neither NATO nor the EU has yet defined what constitutes a cyber attack.

US ability to withstand a major active cyber attack

If the federal government is seriously contemplating a 'cyber Pearl Harbor' threat, the unclassified reporting and current asset deployment do not reflect it. Quite the opposite: the current US cyber warfare strategy is seen as "dysfunctional" and a "complete secret to everybody in the loop" by General James Cartwright, commander of US Strategic Command. Cartwright made this assessment:

  • Cyber warfare strategy divided among three groups: Net Warfare (attack and reconnaissance), Joint Task Force for Global Network Operations (network defense and operations) and Joint Information Operations Warfare Center (electronic warfare)
  • Groups operate independently with poor information sharing
  • Present DOD approach "developed ad-hoc" based on terminal defense, commences action "only after an attack, and takes weeks for a response"
  • Result is a "passive, disjointed approach that undermines the military's cyberspace operations"
  • US not developing cyber intellectual capital at the required rate to address a tiered hierarchy of "hackers, criminals, and nation-states"
  • "DOD must move away from a network defense-oriented cyber architecture [while] cyber reconnaissance, offensive, and defensive capabilities must be integrated and leveraged for maximum effect"

Given that Cartwright was saying this in early 2007, it gives this author no comfort that the first federal cyber war exercise, Cyber Storm, carried out in February 2006, had such a relatively positive outcome. (It is moments like this when I remember the counsel of a skilled practitioner who noted that any exercise presided over by political elites must be designed not to fail lest their stewardship be called into doubt.)

Cyber Storm was to provide a "controlled environment to exercise State, Federal, International, and Private Sector response to a cyber related incident of national significance" affecting "Energy, Information Technology (IT), Telecommunications and Transportation infrastructure sectors." My lack of comfort was not improved by the choice of attacker, a group of "anti-globalization radicals and peace activists" called the Worldwide AntiGlobalization Alliance (WAGA) instead of a substantive Hezbollah or al Qaeda effort, or better yet, the expected swarm attack of a Chinese or Russian cyber offensive. See Informationalization in Chinese military doctrine affects foreign commercial and military assets.

Were the stakes not so high, this lighthearted review might be funny:

The attack scenario detailed in the presentation is a meticulously plotted parade of cyber horribles led by a "well financed" band of leftist radicals who object to U.S. imperialism, aided by sympathetic independent actors… Apparently, no computers were harmed in the making of Cyber Storm. "There were no actual attacks on live networks, no Red Team," the presentation notes. "Players reacted to situation and incident reports according to their regular/normal SOPs." So it was more of a paper exercise. A referee points at someone and yells, "You! Your website is defaced. What do you do?" -- and the organization responds accordingly… And on it goes, with over 800 scenario "injects" over four action-packed days.

For all its scenario spinning, Cyber Storm's "Overarching Lessons Learned" offer painful parallels to those of each of the TOPOFF exercises simulating large-scale terrorist attacks involving biological, chemical and radiological WMDs ("diseases are fearsome, hospitals and first responders are overwhelmed, interagency and intra-agency coordination is pummeled while communications in the form of multiple control centers, numerous liaisons, and increasing numbers of response teams merely complicate the emergency response effort"). See Bioterrorism Drill TOPOFF 2 -- Failing to think like al Qaeda & relearning old lessons and Katrina as an "incident of national significance" puts the lie to DHS scenario planning for terrorist event preparation.

Who could be surprised by these lessons learned? They could describe any large bureaucracy under stress, perhaps even their daily environment:

  • Correlation of multiple incidents is challenging at all levels:
    • Within enterprises / organizations
    • Across critical infrastructure sectors
    • Between states, federal agencies and countries
    • Bridging the public-private sector divide
  • Communication provides the foundation for response
  • Processes and procedures must address communication protocols, means and methods
    • Collaboration on vulnerabilities is rapidly becoming required
    • Reliance on information systems for situational awareness, process controls and communications means that infrastructures cannot operate in a vacuum
  • Coordination of response is time critical
    • Cross-sector touch points, key organizations, and SOPs must be worked out in advance
    • Coordination between public and private sectors must include well-articulated roles and responsibilities

A way forward

The US Air Force is undertaking what I believe is some long overdue consolidation: removing all ISR (intelligence, surveillance and reconnaissance) from the operations community and consolidating it under the intelligence directorate (A2), and standing up a Cyber Command built on 8th Air Force infrastructure and capable of seeing "Cyberspace [as] a fighting domain where the principles of war do apply."

If the US were confronted with a major cyber attack against critical IT infrastructure, DoD is said to be "prepared, based on the authority of the president, to launch a cyber counterattack or an actual bombing of an attack source," but I am not sanguine. "The primary group responsible for analyzing the need for any cyber counterstrike is the National Cyber Response Coordination Group (NCRCG)," whose key members are US-CERT, DoJ and DoD. But it appears that a coordinated response remains a work in progress:

The NCRCG's three co-chairs acknowledge it’s not simple coordinating communications and information-gathering across government and industry even in the best of circumstances, much less if a significant portion of the Internet or traditional voice communications were suddenly struck down. But they asserted the NCRCG is "ready to stand up" to confront a catastrophic cyber-event to defend the country.

I think it accurate to say that interagency coordination and response, together with coordination with the private sector that manages much of US IT infrastructure, have yet to be tested; Cyber Storm's next event should inject realism in place of rainbow scenarios. At the moment, US Strategic Command would issue a counterattack recommendation to POTUS:

In the event of a massive cyberattack against the country that was perceived as originating from a foreign source, the [US] would consider launching a counterattack or bombing the source of the cyberattack [but] the preferred route would be warning the source to shut down the attack before a military response.

Given that initiating a cyber counterattack would currently violate the Computer Fraud and Abuse Act, we have a long road ahead.

Double Tongued Dictionary
Note: The Double-Tongued Dictionary is useful to readers of Asian issues in particular as it "records undocumented or under-documented words from the fringes of English, with a focus on slang, jargon, and new words [that are] absent from, or are poorly covered in, mainstream dictionaries."

War Fears Turn Digital After Data Siege in Estonia
New York Times
May 29, 2007

Cyberattack in Estonia--what it really means
Arbor Networks' Jose Nazario takes stock of the denial-of-service attack against the Baltic nation--and the wider implications.
By Robert Vamosi
May 29, 2007

Air Force examines its vulnerability to cyberattack
By Sebastian Sprenger
May 29, 2007

Feds take 'cyber Pearl Harbor' seriously
By Jason Miller
May 28, 2007

China Crafts Cyberweapons
The Defense Department reports China is building cyberwarfare units and developing viruses.
By Sumner Lemon
IDG News Service
May 28, 2007

DoD: China seeking to project military power
By William H. McMichael, staff writer
Marine Times
May 25, 2007

DoD Background Briefing with Defense Department Officials at the Pentagon
Presenter: Defense Department Officials
[No attribution, comments for background only]
[Subject was the 2007 China Military Power Report]
News Transcript On the Web, Office of the Assistant Secretary of Defense (Public Affairs), US Department of Defense
May 25, 2007

Military Power of the People’s Republic of China
Office of the Secretary of Defense

Cyber Assaults on Estonia Typify a New Battle Tactic
By Peter Finn
Washington Post
May 19, 2007

Estonian DDoS Attacks - A summary to date
By Jose Nazario
Security to the Core
May 17, 2007

NATO concerned over cyber attacks on Estonia, possible impact on alliance
Associated Press/IHT
May 17, 2007

Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks
AFP/Sydney Morning Herald
May 16, 2007

Russia accused of unleashing cyberwar to disable Estonia
· Parliament, ministries, banks, media targeted
· Nato experts sent in to strengthen defences
By Ian Traynor in Brussels
The Guardian
May 17, 2007

A cyber-riot
The Economist
May 10, 2007

INFORMATION SECURITY: Persistent Weaknesses Highlight Need for Further Improvement
Testimony Before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives
Statement of Gregory C. Wilshusen and David A. Powner
April 19, 2007

Black Hat: Botnets Go One-on-One
By Kelly Jackson Higgins
Dark Reading
February 22, 2007

Cartwright: Cyber warfare strategy ‘dysfunctional’
By Josh Rogin
February 9, 2007

RSA - US cyber counterattack: Bomb one way or the other
By Ellen Messmer
February 9, 2007

Blue Force Tracker for cyberspace?
By Josh Rogin
January 25, 2007

Air Force to reorganize intell community
By Josh Rogin
January 12, 2007

When Hippies Turn to Cyber Terror
By Kevin Poulsen
Wired Blog 27B Stroke 6
August 15, 2006

Report: Hackers engage in vulnerability auctions
By Rutrell Yasin
July 12, 2006

National Cyber Exercise: Cyber Storm
National Cyber Security Division
New York City Metro ISSA Meeting
June 21, 2006

Military Power of the People’s Republic of China
Office of the Secretary of Defense

Risk management critical for FISMA success
Experts say IGs, execs must agree on common enforcement and audits
By Michael Arnone
March 13, 2006

China Investing in Information Warfare Technology, Doctrine
By Kathleen T. Rhem
American Forces Press Service
July 20, 2005

The Military Power of the People’s Republic of China
Office of the Secretary of Defense

Gordon Housworth

Categories: Cybersecurity, InfoT, Infrastructure Defense, Intellectual Property Theft, Risk Containment and Pricing, Strategic Risk, Terrorism

