by Marco Capriz
Defining Cyberwarfare
Military scholars have been debating the evolution of warfare ever since Julius Caesar and Sun Tzu wrote about warfighting over two millennia ago. Warfare has undergone a faster evolution in the last 20 years than it has in the last 2000, owing to the development of computer technology. Warfighters now have to consider a much faster change in battlespace conditions, and this change of pace has been a result, in part at least, of the introduction of computerized technology governing weapons and communications. Indeed, the term “battlespace” itself implies that combat is not only conducted within a geographic dimension, but within a “virtual” dimension as well. This virtual dimension is cyberspace, or the environment created by the manipulation of digitized information by computers. Warfare has evolved to encompass the use of new tools provided by computerized management of digital information, or information technology; indeed, warfare and military operations have now become very dependent on the tools created by information technology. As this technology has enhanced military capabilities it has also enhanced activities in the civilian world. But the widespread availability of information technology has also spawned opportunities for people and groups with malicious intent to exploit its complexity and the flaws in its implementation for the purposes of vandalism, crime and terrorism. Cyberwarfare describes the activities that take place in cyberspace between those who would use information technology for destructive purposes and those who use it to defend against them. However, this may be too wide a definition; we should distinguish between cyberwarfare and cybercrime. The definition of cyberwarfare should therefore be narrowed down to the malicious activities that take place in cyberspace and that are designed to result in serious damage to a country, in terms either of lives lost or of severe economic damage, or both.
Whereas it is relatively easy to define what cyberwarfare is, it is harder to determine what potential damage could be caused by a cyber attack. In order to understand the effects cyberwarfare has on an asset, we need to understand that, if information technology is used to add to or create the value of an asset, then that asset’s value is inherently tied to the correct operation of the information technology that manages its value. Therefore, an attack on the information systems that manage the asset’s value is equivalent to an attack on the asset directly.
The greatest advancement of information technology to date occurred when computers married telecommunications. This fusion has led to the evolution of human communications through the Internet. The worldwide availability of cheap computing and Internet access points, and the “borderless” nature of Internet communications, have led to a shift of many human activities into cyberspace. In most cases this shift has progressed faster than the knowledge required to handle it safely. As economies become ever more dependent on the transmission of electrons and photons between computers, their value shifts from tangible assets like commodities and production plants to intangible ones such as the control and management of digital information. Indeed, it is the manipulation of digital information that determines the ultimate values of commodities and production. Our dependence on information technology to determine “value” puts that value at risk when the technology that manages it is at risk. Therefore, attacks in cyberspace against the information processing devices controlling the tangible assets of an economy have the potential to be even more damaging than direct attacks against these assets. The problem is exacerbated by the fact that we have become so dependent on information technology that we place trust in it to determine what the value of our economies is. An attack in cyberspace directed at the means of defining that trust destroys the value of the underlying assets it manages just as effectively as a bomb attack against an oil refinery. And attacks in cyberspace are much more cost-effective than direct military or terrorist action, as the only “weapons” needed in most cases are specialized knowledge, a computer and an Internet access point.
Variations of Cyberwarfare
Cyber attacks take place on different fronts. At its most basic level, information technology is used maliciously for propaganda or vandalism. This is the operating area of “hacktivists” who carry out attacks against specific websites. “Hacktivists” (a combination of the words “hacker” and “activist”) exploit security weaknesses in the operating systems (Windows in particular) of third-party computers (without the awareness of their owners) to launch Distributed Denial of Service (DDOS) attacks against a website or a specific Internet address. DDOS attacks are relatively easy to set up and don’t require much skill, as there are tools available on the Internet that allow these attacks to be launched by relatively inexperienced operators. More skilled hacktivists conduct acts of cyber-vandalism by modifying websites that do not belong to them (web defacements); these attacks are carried out by exploiting security holes inadvertently left open by the administrators of the attacked web servers. The attackers in this case demonstrate better IT skills than the staff managing the attacked site, and this is indeed one of the motivations that drives these kinds of attacks in the first place (a demonstration of who has the best skills).
The attacks described above, however, should be classified more as cyber-nuisance than cyberwarfare. A more serious threat originating in cyberspace comes from the proliferation of companies that store people’s personal information for record-keeping purposes. If the computers in these companies aren’t properly secured (and many of them are not), personal details can be stolen by people who may have criminal intent. Two unfortunate consequences of this are identity theft and cyberstalking. But these are cases of cybercrime, not cyberwarfare: the malicious intent is directed against persons, not countries.
The best opportunity for cyberwarfare attacks comes from exploiting the weaknesses inherent in the IT systems that govern the operations of national critical infrastructures, such as water, gas and electricity generation, storage and distribution networks. The potential damage that would result from such an attack could be catastrophic in terms of lives lost and economic damage to a nation. Unfortunately, the scenarios for such an attack are credible: the levels of security in the IT systems managing operations in these environments are woefully inadequate.
Evolution of Cyberwarfare
Cyber intrusions, cyber nuisance, and cyber crime have evolved in step with the evolution of computer and telecommunications technology. It might be argued that the complexity of software development and the proliferation of popular operating systems and applications have driven software developers to race against each other for market share, to the detriment of safe code development. Security of digital information is only now being seen as critical to the operations of companies whose added value (or indeed entire value) is provided by IT systems. And it is only because of recent user demands that software developers have responded by closing some of the most obvious security holes in their code. Unfortunately, operating systems that are made up of tens of millions of lines of code cannot be fully audited for security, particularly if some of the poor coding is still required to support legacy applications and environments (one of the problems that Microsoft is facing with Windows). Cyber criminals are all too aware of the security holes that can be exploited, and continue to rely on them with new opportunistic code (viruses, trojans, etc.) that appears faster than the countermeasures against it can be developed. Even so, most cyber intrusions are still relatively benign, considering how exposed some systems really are. Most instances of cyber mischief are caused by DDOS attacks. Given that it is very difficult to completely secure any IT installation that is connected to the outside world through an Internet connection, any entry points left unattended (such as default administrator accounts with default passwords) will be exploited by anyone interested in gaining access to that installation, particularly if it is a repository of high-value information.
The reach of the Internet and its borderless nature have made it much easier to access “secure” sites remotely, so the evolution of telecommunications has driven an evolution in cyber espionage. The Internet is also a source of software tools that allow identities to be hidden and spoofed, making it extremely difficult to trace the origins of an intrusion, and therefore to investigate and prosecute guilty parties. Address spoofing tools are not the only tools available to cyber warriors on either side of a cyber conflict. The evolution of distributed information technology has seen the development of a set of tools that allow for completely secure communications.
Since the Internet is now used as a global telecommunications facility, voice, data and video can travel as packets of digital information through a maze of different physical and logical paths between source and destination. Anything that can be represented digitally can be manipulated and hidden within other digital information. One of the weaknesses of any party at war has traditionally been communications between its operatives. This is no longer the case. The public domain offers extremely strong encryption algorithms that allow for completely secure communications. Without knowing (or being able to guess) the key used by the algorithm to encrypt a digital source, it is today technically impossible (according to the information in the public domain, at least) to break the encoding by brute force, even with the most powerful supercomputers. Coupled with encryption there are applications that allow data to be “hidden in plain view” by the use of steganography, that is, applications that make slight modifications to a digital object (such as an image file or a video or audio recording file) without affecting the integrity or quality of the object, so that it can be used to carry hidden information (such as an encrypted data stream).
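The “slight modification” the paragraph describes is shown below with least-significant-bit (LSB) steganography on a constructed grayscale image, together with the defender-side observation that matters: no pixel moves by more than one step, so the change is invisible, yet the LSB statistics of the carrier shift and become measurable. This is an added example, not code from the essay; the image, payload and the simple LSB-ratio check are all constructed for illustration.

```python
# Added example (not from the essay): LSB steganography on a constructed 8-bit
# grayscale "image" held as a flat list of 0..255 pixel values, plus a simple
# statistical check a defender can run over the carrier.

def embed_lsb(cover: list[int], payload: bytes) -> list[int]:
    """Write payload bits into the least-significant bit of successive pixels.
    A 4-byte big-endian length prefix tells the extractor where to stop."""
    frame = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in frame for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d pixels" % len(bits))
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, set the payload bit
    return stego

def extract_lsb(stego: list[int]) -> bytes:
    """Recover the payload: read the length prefix, then that many bytes."""
    def read_bytes(offset: int, count: int) -> bytes:
        out = bytearray()
        for k in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset + k * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def max_pixel_delta(cover: list[int], stego: list[int]) -> int:
    """Largest per-pixel change; LSB embedding is bounded by 1 on a 0..255 scale."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def lsb_ones_fraction(pixels: list[int]) -> float:
    """Share of pixels whose LSB is set. Flat or quantised regions of a cover sit
    far from 0.5; embedded data (especially ciphertext) pulls the region toward
    0.5. Real steganalysis uses stronger tests; this shows the principle only."""
    return sum(p & 1 for p in pixels) / len(pixels)

# Constructed cover: a 64x64 vertical gradient quantised to even values (all LSBs 0).
COVER = [(i // 64) * 4 % 256 for i in range(64 * 64)]
SECRET = b"rendezvous 0400"   # constructed sample payload

def demo() -> dict:
    stego = embed_lsb(COVER, SECRET)
    carrier_region = stego[: (4 + len(SECRET)) * 8]   # pixels that carry data
    return {"recovered": extract_lsb(stego),
            "max_delta": max_pixel_delta(COVER, stego),
            "cover_lsb_ones": lsb_ones_fraction(COVER),
            "stego_lsb_ones": lsb_ones_fraction(carrier_region)}
```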
Like all IT tools this has benefits and drawbacks. Government communications and confidential commercial information can be transmitted securely without it being intercepted and read. The same secure communication paths are available to terrorists and criminals.
Significant aspects of Cyberwarfare today
In spite of doomsday headlines whenever a new virus or trojan is released that affects millions of computers before antivirus tools adapt to protect users from its effects, and despite a never-ending proliferation of DDOS attacks for reasons that span from cyber mischief and hacktivism to extortion, we have yet to witness a true act of destructive cyberwarfare that has led to the destruction of lives, property or massive economic damage. Generally speaking, trust in information technology is still reasonably intact, if nothing else because there is no real alternative to its use. This is a good thing, since trust in IT is necessary for value to be assigned to the asset that the IT manages. Therefore, the greatest threat that cyberwarfare could create is a way of breaking that trust that destroys not only the value of the asset, but the value of all the assets managed by similar IT systems. The most obvious target for such an attack is a country’s banking system’s IT infrastructure. There are few industries (if indeed there are any) that derive their value more comprehensively from their IT systems than the banking industry. Demonstrating that a bank’s value can be destroyed through a cyber attack has as an immediate collateral effect the potential destruction of the value of all of its customers’ assets. Beyond that, the attack could demonstrate the fragility of the banking industry in an entire country, and panicked customers would complete the destruction by withdrawing trust in all other banks.
Fortunately, banking IT systems are among the best protected from cyber attacks. This is not the case for another class of industries whose exposure to IT security flaws is much higher: utility companies. Whereas banks regard the security of their IT infrastructure as essential to the definition of the value of their enterprise, IT security has traditionally been of very little concern to utility companies. To them, IT provides a tool that allows them to manage and optimize their operations. Unlike those deployed in banks and financial companies, which are updated and changed as new technology becomes available, the IT systems used in utility companies are generally characterized by static configurations and cannot be easily updated. Also, whereas the financial industry can source IT systems from a wide variety of suppliers, utility companies tend to sign long-term supply contracts with single vendors. Long-term contracts reduce the costs of the systems supplied, but give the systems vendor no incentive to keep them updated or even upgradeable. Moreover, due to the rapid progression of technology, the systems quickly become obsolete during the first few years of their life spans, but are kept operational well beyond their technical obsolescence because, since they cannot be gradually upgraded, the cost of their “cold start” replacement is very high. In many cases some of the most critical IT components managing a critical infrastructure were developed well before digital security became a concern and interception technology became easily available. Today many utility companies still have IT systems that control critical aspects of the safety of their operations through sensors and actuators that can be quite easily accessed, spoofed and modified through remote connections. This lack of security is readily exploitable by any nation or non-state actor that harbors malicious intent towards the country within which the utility is operating.
Returning finally to the evolution of warfare itself, information technology has already become a force multiplier. Commanders now have the technical ability to view the entire battlespace as it evolves in real time, through sensors that collect all kinds of information (troop movement, environmental data, spectrum emissions, analysis of the communications spectrum, etc.) that is digitized and sent over a secure comms network back to the battlespace command post. IT systems process raw data and distribute information as required in real time. Enemy communications can be intercepted, disrupted and spoofed. Deception can be carried out electronically. It is arguable that today most modern armed forces are already operating within a cyberwarfare context. The next step in cyberwarfare evolution is likely to be the extension of battlespace awareness down from the command posts through the chain of command to the troops on the forward edge of the battle area. This will require significant technology deployment, as the necessary digital information (imaging, databases, etc.) is transmitted to frontline troops equipped with the tools required to interpret and display it.
This evolution may also consequently extend the cyberspace battles between those who wish to protect the integrity of the information carried over the battlespace networks and those who wish to damage it.