Part 5 (1/2)

On the July 4, 2009, weekend and continuing into the following week, a DDoS attack took down US and South Korean government and commercial websites for indeterminate periods of time. The South Koreans believed the government of the Democratic People's Republic of Korea (DPRK) or its agent was responsible, whereas no formal opinion as to attribution was expressed by any US officials.

Iran.

During the disputed Iranian presidential elections of June 14, 2009, hundreds of thousands of irate Iranians protested the results. One of the forms of protest was the use of DDoS attacks directed against Iranian government websites, using the popular social software service Twitter as an organizing platform.

Tatarstan.

In June 2009, the president of Tatarstan's website was knocked offline and Internet access was lost in an attack he attributes to the Russian Federal Security Service (FSB).

United States.

On April 21, 2009, the Wall Street Journal reported that security around the Pentagon's multi-billion-dollar Joint Strike Fighter project was compromised and several terabytes of data were stolen by unknown hackers presumed to be from the People's Republic of China.

On July 4-6, 2009, a relatively small-scale DDoS attack of unknown origin was launched against about 25 US government websites, some of which became inaccessible for several days, including the Federal Trade Commission and the Department of the Treasury, while others on the target list, such as the White House website, were unaffected. A second and third wave of these attacks were launched in the following days against South Korean government websites (see ).

Kyrgyzstan.

On January 18, 2009, a DDoS attack shuttered two to three of the nation's four ISPs for several days, denying Internet access to most of the population during a time of growing political unrest. It is still unclear who was responsible, but at least three theories have been floated around: It was the Russian government in an attempt to force the Kyrgyzstan president to close the Manas Air Base to US traffic.

The Kyrgyzstan president hired nonstate Russian hackers for the purpose of denying the Internet as a medium to opposition parties.

It was the result of a power struggle between competing ISPs.

Israel and the Palestinian National Authority.

Along with Israel's military action against Hamas bases in the Palestinian National Authority in December 2008 (designated Operation Cast Lead), literally thousands of Israeli and Arabic websites were defaced, both government and civilian. (See Chapter 2 for a thorough look at the Gaza cyber war.) Hackers involved allegedly included members of the Israeli Defense Forces and Hamas, which makes this one of the few cyber events with official state involvement.

Zimbabwe.

As reported by Concerned Africa Scholars in December 2008, in a paper entitled "The Glass Fortress: Zimbabwe's Cyber Guerilla Warfare," the Mugabe government has been silencing its opposition through jamming techniques on its airwaves and the Internet, as well as by monitoring all email traffic from domains ending in .zw. Both sides reportedly engaged in defacing websites and launching DDoS attacks. At the time the paper was written, these attacks had been occurring for at least five years.

Myanmar.

On September 23, 2008, in anticipation of the first anniversary of the Saffron Uprising, the government launched DDoS attacks against three websites that support the monks: The Irrawaddy, the Oslo-based Democratic Voice of Burma (DVB), and the New Era in Bangkok. The newspaper The Australian covered the story that day, reporting: The concerted attacks, which appear to originate in China, Russia and Europe as well as Burma, can only be the work of agents of the Burmese Government and may be an effort to compensate for its failure last year to stem the flow of images showing vast columns of unarmed demonstrators and their eventual dispersal under a rain of bullets and truncheons.

A representative of DVB reported that the attacks appeared to be coming from sites in Russia and China, which, if true, would indicate that the Myanmar government outsourced the attacks.

Cyber: The Chaotic Domain.

The answer to the question posed earlier about which of the previously discussed events qualifies as an act of cyber war is "none of the above." As of this writing, there is no legal entity known as "cyber war"; the only issue that has been defined by international agreement is a nation's right to self-defense when attacked, and that applies only to the traditional manner of attack, i.e., "armed" attack.

The assortment of cyber attacks listed earlier, ranging from internal attempts to silence opposition movements (Zimbabwe, Kyrgyzstan) to state-employed hackers taking out strategic websites (Israel, the Palestinian National Authority), illustrates just how malleable this domain can be. Furthermore, it would be incredibly naive to think that every permutation of this domain has been seen by now, which raises the importance of regular war-gaming or other types of forward-thinking exercises. This, unfortunately, is not a universally agreed-upon strategy.

The Center for Strategic and International Studies (CSIS) issued a report in February 2009 entitled "The 20 most important controls and metrics for effective cyber defense and continuous FISMA compliance." The following appeared in the report: A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that "offense must inform defense." In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008. That new proposed legislation calls upon Federal agencies to: Establish security control testing protocols that ensure that the information infrastructure of the agency, including contractor information systems operating on behalf of the agency, are effectively protected against known vulnerabilities, attacks, and exploitations (emphasis added).

This is an extremely short-sighted approach to security. A tier-one hacker's favorite pursuit is the discovery of a zero-day exploit, which means finding a vulnerability in the software that no one else has yet discovered. To look only to the past as a defensive strategy means that our cyber security protocols will always be playing catch-up.

With the risk of discovery almost nil, a disputed legal status, and little in the way of unified international law enforcement collaboration, the cyber domain is today's equivalent of the untamed American West during the 1800s. Keyboards have replaced revolvers and hackers are the new gunslingers. However, as with the other analogies, this one breaks down in one important respect: land is a physical, three-dimensional entity, and cyberspace is an electronic terrain that does not occupy physical space, yet through it flows ever-increasing amounts of data that may control physical processes.

From an adversary's point of view, this is an ideal fighting ground. He can enter it unseen to conduct espionage or offensive attacks and escape without fear of being detected. The cost of entry is low, and a single person can have a significant impact (with the help of a botnet that can be rented or purchased). Furthermore, in many countries, including the United States, cyber attack defenses are scattered, uneven, and lack any coordination or consistency. Political infighting and the elevation of economic and health care challenges in the Obama White House pushed the issue of cyber security so far down the priority ladder that one prime candidate after another announced lack of interest in the position of cyber coordinator that President Obama announced in early 2009. The position was finally filled on December 22, 2009, with the appointment of Howard Schmidt.

One sign of the growing frustration over how to defend against cyber attacks was seen in August 2009 when the US Marine Corps announced a total ban on all social networking sites (SNS) on NIPRNET: IMMEDIATE BAN OF INTERNET SOCIAL NETWORKING SITES (SNS) ON MARINE CORPS ENTERPRISE NETWORK (MCEN) NIPRNET.

Date Signed: 8/3/2009 MARADMIN Active Number: 0458/09 R 032022Z AUG 09.

UNCLASSIFIED//.

MARADMIN 0458/09.

MSGID/GENADMIN/CMC WASHINGTON DC C4//.

SUBJ/IMMEDIATE BAN OF INTERNET SOCIAL NETWORKING SITES (SNS) ON MARINE CORPS ENTERPRISE NETWORK (MCEN) NIPRNET//.

REF/A/MSGID:MCO/STRATCOM/102315Z//.

AMPN/REF A IS USSTRATCOM ORDER TO ADDRESS RISK OF USING NIPRNET CONNECTIVITY TO ACCESS INTERNET SNS.//.

POC/MARK R SCHAEFER/LTCOL/UNIT:HQMC C4 IA/-/TEL:703-693-3490 /EMAIL:[email protected]//.

POC/TIMOTHY LISKO/CTR/UNIT:HQMC C4 IA/-/TEL:703-693-3490 /EMAIL:[email protected]//.

GENTEXT/REMARKS/.