Scenario 2
Security researcher Fred Blinks discovers a website, that has been hacked and is hosting drive-by-download malicious software or malware, which means that any visitors to the website could potentially have their computers infected with malware.
Option 1
Fred Blinks contacts the administrators of advising them about the malware being served on their website and the fact their website has been hacked.
Option 2
Fred Blinks investigates the malware served on further and discovers that it connects to Fred also notices that mybotnethome.cn provides statistics to the bot herder, such as from which website users were infected. Knowing this, Fred purposely infects a machine of his and inserts a piece of programming code into the section that the malware uses to tell the bot herder from which website the user was infected (in technical speak, this is known as the HTTP referrer).
This piece of programming code will cause the bot herder"s Internet browser to connect to Fred"s machine when the bot herder views the statistics of its bots, therefore providing Fred with the IP address of the bot herder.
Scenario 3
Law enforcement official John Smith discovers that an online hacking and credit card bulletin board, has been compromised and that the hacker has advertised her alias and front web page of the hacked bulletin board.
Option
Knowing that obtaining a copy of the ccmarket bulletin board database would provide an enormous amount of information, John Smith, using the alias "da_man," contacts the perpetrators of the www.ccmarket.ws compromise, asking if they would be willing to sell him a copy of the ccmarket database. This database would include information such as private messages, email addresses, and IP addresses. Here, John is financing a person who committed an illegal act.
Scenario 4
Law enforcement official Michael McDonald has been investigating an online group that is involved with sharing child abuse material. Michael believes he has identified the alias of the person who is leading the group, but he is unsure where this person is geographically located. Michael knows that this person uses anonymous proxies to mask his IP address when on the Internet and is reasonably technical. Michael also knows that this person appears to be s.e.xually abusing children and uploading images of his crimes onto the Internet.
Option
Michael, in consultation with his technical people, decides that the only way to identify the leader of this online child exploitation group is to compromise his computer.
Michael"s technical people are able to successfully compromise the leader"s computer, providing them with information that can positively identify the leader and the leader"s whereabouts. Michael, who is based in the United States, now knows that the leader is based in Belarus and knows that his technical people may have broken the laws there.
In Summary
Policymakers would be well-advised to consider these scenarios as realistic depictions of events that could and do occur in many nation-states. The only question is which option best addresses the interests of the state and its citizens, and the answer to that question is outside the scope of this submission.
This essay was written by an active duty member of an international law enforcement agency.
Whole-of-Nation Cyber Security
By Alexander Klimburg The general public is often wholly unaware of how much of what we commonly call "security" depends on the work of informal groups and volunteer networks. For a while it seemed that Western governments had generally gotten the message: when most of your critical infrastructure is in private hands, it is natural that new forms of private-public partnerships need to be created to be able to work on critical infrastructure protection. Organizations such as the US ISAC (Information Sharing and a.n.a.lysis Center) and the UK WARP (Warning, Advice, and Reporting Point) are examples of this thinking. Unfortunately, most governments have a hard time moving beyond the "two society" (government and business) model. In an age where even the "managing" bodies of the Internet (such as ICANN) do not belong to either of these groups but instead are really part of the "third society"-i.e., the civil society-this is a critical, and potentially fatal, omission. From groups of coders working on open source projects to the investigative journalism capability of blogs, the breadth of the involvement of the civil society and nonstate actors in cyber security is wide and growing. But what are these groups, exactly?
The variety of these groups is as wide as the Internet itself, and these groups also interact directly with the harder side of cyber security. Nongovernment forces of various descriptions have attacked countries on their own (e.g., Estonia, Lithuania) and defended them, helped wage a cyber war (e.g., Georgia), and sought to uncover government complicity in them. One can even argue that most of the cyber terror and cyber war activity seen over the last decade can be ascribed to various nonstate actors. A recent US Congressional inquiry heard that the great majority of the Chinese attacks against the United States were probably being done by young volunteer programmers whose connection with the security services was probably more accidental then anything else. Indeed, if one looks at the sum total of cyber security-relevant behavior, from software and patch development on the technical side to the freelance journalism and general activism on the political side (and with the "script kiddie patriot hackers" somewhere in between), it indeed seems that most "cyber security" work is done by members of the third society, with business following close behind-and government bringing up the rear.
Do these groups really have anything in common? After all, it is questionable whether heavily instrumentalized civilian hacker groups in China and Russia really qualify as representatives of a "civil society." Should they really be compared to, say, a Linux developers" group or an INFOSEC blog network? Aren"t these "patriot hackers" just an update of the age-old paradigm of the citizen militia and the flag-burning rent-a-mob, but with broadband?
Although the militia model can to a limited extent be applied to some of the Russian and Chinese groups (indeed, the Russians actively talk of the need to maintain an "information society" for their national security, and the Chinese have recruited an "information operations militia"), the model just does not hold for the many groups rooted in liberal democratic societies. This is particularly evident when examining nontechnical (i.e., not "White" or "Grey" hacker) groups and their activities. They are increasingly able to provide critical input into one of the most difficult aspects of any wide-scale cyber attack, namely attacker attribution.
Identifying the true actors behind a cyber attack is a notoriously difficult task. Attributing attacks to individual actors is traditionally seen as being the acid test to determine whether an attack is rated as an act of cyber war or an act of cyber terrorism (or even "cyber hooliganism"). Given these rather high standards, governments have been notoriously reluctant to point fingers. After all, there was no evidence that could be shared publicly. On the surface it seemed that the authoritarian governments of Russia and China had found the ultimate plausible-deniability foil with which to jab the West: rather then personally engaging in hostile cyber attacks, these governments could simply refer to the activities of their "engaged and active civil society" and wash their hands of the affair.
The advent of engaged civil society groups has changed this. Since 2005, these groups have published a flood of reports that have examined suspicious cyber behavior, mostly originating in Russia and China. The Georgian cyber attacks were particularly interesting, as the timing seemed to indicate at least some level of coordination between the Russian military"s kinetic attacks and the a.s.sault on Georgian servers. Reports such as those generated by Project Grey Goose helped to show that although the information of Russian government complicity in the cyber a.s.sault on Georgia was far from conclusive, there was much circ.u.mstantial evidence. For the reports, and the Western media that depended on them, this was sufficient. Unlike governments, for the public, "perfect" was clearly the enemy of the good.
The information in these reports is not good enough for cruise missiles, but it certainly is good enough for CNN. The barrage of reports that imply direct Russian government involvement has been widely reported in Western media. The increase of embarra.s.sing questions posed to the Kremlin is probably a direct result of this media attention. At a cyber security conference at the Organization for Security and Co-operation in Europe (OSCE) in 2008, an American official privately remarked to me that the incessant accusations repeated in the media were leading the Kremlin to reduce its support of various groups, such as the pro-Putin Nashi, whose members have been implicated in cyber attacks. He directly credited the work of the civil society groups-including Grey Goose-in bringing this about. Sunlight as a disinfectant seems to work across borders as well.
It therefore appears that the best defense against a compromised or captive civil society is a free one. I have taken to referring to these "free" groups as security trust networks (STNs), and there are considerable differences between these groups and the ones that they often seem to work in direct opposition to: An STN is independent and not beholden to any agency of government or private business. The state does not exert direct control over them, and cannot (easily) shut it down. This does not mean that the STN does not support a government; it just means that it chooses when and if to do so.
An STN is defined not only by the trust within the network itself but also the trust that other networks bring to it. For instance, an STN will often be seen as a credible partner for government and law enforcement, despite having no formal structure or pedigree.
STNs are defined by ethics: besides (generally) operating within the remits of the law, its members share a common moral code, explicit or implicit, based on "doing the right thing." The shared moral mission of the STN is its official raison d"etre.
Western governments often depend on these STNs much more than they realize. This is especially true for the technical experts, who invest a large amount of labor that mostly goes unnoticed, but also for the investigative STNs, such as Grey Goose, that certainly have helped frame the public debate.
So is it possible for a government to help create these STNs? The question is not as bizarre as it might seem. Russia has actively followed this course since at least 2000 (the publication date of its "Information Security Doctrine") and is trying to "build a information society." Although Alexis de Tocqueville might well wince at the idea of a government building a civil society, there is indeed much that truly democratic governments can do to encourage the formation of such groups and work together with them: Openness Allowing government employees and security professionals to engage in social media (and blogging in particular) has been a contentious issue in the United States for years. A number of problems do arise from this type of behavior, quite a few of them security-related. Nonetheless, the possible benefits (such as the creation of an STN) can easily outweigh the real damage potential. The United States is far ahead here compared to most European governments, which still forbid this type of action.
Communication Organized outreach programs are vital. In the purely technical and purely diplomatic circles, this is an established practice, but it should extend to other security areas as well. Again the United States has gone far in this area, with experiments with crowdsourcing intelligence and the like, but Australia and the UK also have very engaging approaches.
Accessibility Being available for queries outside of the normal process is an important sign of truly open government. This means not only working across government ("Whole of Government") but also being prepared to collaborate and communicate with nongovernment organizations ("Whole of Nation"). Although everyone needs to improve here, the United States has an especially long way to go.
Transparency This is often misunderstood as demanding transparency on the inner workings of government. Instead, it is the government"s goals that should be transparent-which they should continuously be forced to defend-in part for the STNs that might be able to indicate where the government is, once again, working against its own goals. The United States does well here, although some European countries, such as the UK, Holland, and Sweden, are at least as transparent.
Understanding ambiguity This is always an important skill, and it is important that individual civil servants understand the different roles people can occupy, and to what extent these roles facilitate or hinder closer cooperation. This is particularly important when someone"s motivation is balanced between altruistic volunteerism and commercial opportunity-seeking. A mixed experience for the United States (the "revolving door"), but the UK traditionally has been a past master at this art.
Trust Trust makes security stronger, and it needs to work on every level. Security clearances are for the most part unreconstructed affairs dating back to the dawn of the Cold War. In the end, often they don"t mean much-whether you get information will still depend on the level of trust available. Obviously certain basic background checks are logical and should be done if any real security info is going to be pa.s.sed onto outsiders; however, these are a couple of levels below real security clearances and can stay that way. Trusting one"s own judgment is much more important. The United States can learn much about this from some European countries, especially the UK.
It is not an exaggeration to claim that an independent, vibrant, and engaged civil society is one of the unique indicators of a liberal democracy. The fact that they are a benefit, not a cost, is most evident in security trust networks. Democratic governments would do well to support them as a centerpiece in Whole of Nation cyber security.
Alexander Klimburg is a Fellow at the Austrian Inst.i.tute for International Affairs. Since joining the Inst.i.tute in October 2006, he has worked on a number of government national security research projects. Alexander has partaken in international and inter-governmental discussions, and he acts as a scientific advisor on cyber security to the Austrian delegation to the OSCE as well as other bodies. He is regularly consulted by national and international media as well as private businesses.
Chapter 14. Conducting Operations in the Cyber-s.p.a.ce-Time Continuum
The United States, NATO, and the European Union all partic.i.p.ate in cyber warfare games in order to create scenarios that can be utilized for offensive and defensive planning. However, many of these scenarios fall into the same traditional mode of combat that has served the US Department of Defense so well over the years-that of a known adversary who combines a kinetic attack with a supporting cyber attack. Unfortunately, with the exception of the Russia-Georgia conflict in 2008, that"s almost never the case. Not only does attribution continue to be an unsolved problem, certain government officials like Secretary of State Hillary Clinton are taking attribution for granted based on the skimpiest evidence.[41]
IPB, Intelligent Preparation of the Battlefield, was the former DoD acronym for knowing the lay of the land upon which a battle will be fought (it has since been changed to Joint Intelligence Preparation of the Environment).[42] Eventually, cybers.p.a.ce will be incorporated into that doctrine; however, based on current thinking (as evidenced by a web search on the subject), it"s being bolted onto warfare in a three-dimensional world that should no longer be defined in three dimensions. A perfect example of this mindset is described in the article "Rise of a Cybered Westphalian Age"[43]: First, the technology of cybers.p.a.ce is man-made. It is not, as described by the early "cyber prophets" of the 1990s, an entirely new environment which operates outside human control, like tides or gravity. Rather, as its base, the grid is a vast complex system of machines, software code and services, cables, accepted protocols for compatibility, graphical pictures for human eyes, input/output connections, and electrical supports. It operates precisely across narrow electronic bands but with such an amalgamation of redundancies, subst.i.tutions, workarounds, and quick go-to fixes that disruptions can be handled relatively well as long as everyone wants the system to work as planned.
In the earliest days of the Internet, otherwise known as Web 1.0 (the Read-Only Web), this was certainly true. As we moved to Web 2.0 (the Read-Write Web), it became less true. The more integrated our physical and virtual lives become (Web 3.0), the further away from that definition we land. The fact that the authors of the paper still believe that cybers.p.a.ce is nothing more than a man-made piece of hardware says volumes about how the domain is misunderstood at the highest levels of the DoD, which is obvious with the miscategorization of cybers.p.a.ce as a fifth domain:[44]
Though the networks and systems that make up cybers.p.a.ce are man-made, often privately owned, and primarily civilian in use, treating cybers.p.a.ce as a domain is a critical organizing concept for DoD"s national security missions. This allows DoD to organize, train, and equip for cybers.p.a.ce as we do in air, land, maritime, and s.p.a.ce to support national security interests.
Theoretical physicist Basarab Nicolescu argues that cyber-s.p.a.ce-time (CST)-a more accurate name than "cybers.p.a.ce"-is both artificial and natural at the same time:[45]: The information that circulates in CST is every bit as material as a chair, a car, or a quantum particle. Electromagnetic waves are just as material as the earth from which the calculi were made: it is simply that their degrees of materiality are different. In modern physics matter is a.s.sociated with the complex relationship: substance-energy-information-s.p.a.ce-time. The semantic shift from material to immaterial is not merely naive, for it can lead to dangerous fantasies.
One of Nicolescu"s influences was n.o.bel Laureate Wolfgang Pauli.[46] Pauli, in turn, was intrigued by Carl Jung"s theory of synchronicity. In fact, Pauli and Jung spent a great deal of time together because Pauli believed there was a relationship between Jung"s acausal connecting principle and quantum physics-specifically, a conundrum known as "quantum indeterminacy."[47] In a kind of ironic twist, Carl Jung"s theory of synchronicity has its genesis in his fascination with an ancient Chinese oracle, The Book of Changes, or Yijing. Dating back to the Qin dynasty, this divinatory oracle teaches that the universe is composed of parts that are interconnected. The coins or yarrow stalks[48] used in the Yijing symbolize those parts, while their use symbolizes the mystery of how the universe works (Pauli"s quantum indeterminancy). Chinese emperors and generals have used this oracle since approximately 300 BCE, and it may still provide a glimmer of insight into the mysterious nature of this new age of cyber-s.p.a.ce-time, as well as how cyber battles may be fought and won.
There are examples of synchronicity in both psychology and science. During one of Carl Jung"s many talks with Wolfgang Pauli on this subject, Jung described how a patient was relaying her dream of receiving a piece of gold jewelry in the shape of a scarab beetle and, in that exact moment, how a small goldish-green colored scarabeid beetle was repeatedly banging into the gla.s.s of Jung"s office window.[49]
A similar example in chaos theory, known as the b.u.t.terfly effect, connects two seemingly disparate events: The flapping of a single b.u.t.terfly"s wing today produces a tiny change in the state of the atmosphere. Over a period of time, what the atmosphere actually does diverges from what it would have done. So, in a month"s time, a tornado that would have devastated the Indonesian coast doesn"t happen. Or maybe one that wasn"t going to happen, does.[50]
While both Jung and Pauli are from the early 20th century, Basarab Nicolescu is a contemporary theoretical physicist who believes that cyber-s.p.a.ce-time is on par with organic systems: The emergence of at least three different levels of Reality in the study of natural systems-the macrophysical level, the microphysical level, and the cyber-s.p.a.ce-time-is a major event in the history of knowledge. The existence of different levels of Reality has been affirmed by different traditions and civilizations, but this affirmation was founded either on religious dogma or on the exploration of the interior universe only.[51]
Another important scientific theory, similar to chaos, is the complexity theory. Appropriately, both theories are children of the Computer Age because only computers are capable of performing the immense calculations needed to prove their existence. A complex system is one in which numerous independent elements continuously interact and spontaneously organize and reorganize themselves into more and more elaborate structures over time. The World Wide Web is a perfect example of complexity theory in action, evolving from Web 1.0 to 3.0 and whatever follows from there. The relationship that physics, psychology, and ancient Chinese oracles have with cyber warfare is that the terrain of cyber-s.p.a.ce-time is not only chaotic and unknown, but unpredictable. Although network defenses stop millions of automated probes and drive-by attacks each day, we are always surprised by targeted attacks-which are the ones that really matter. Before we can design a superior plan to defend against the targeted attack, we need to understand how dependent we have become on this new networked and wired world.
The world"s militaries are struggling to cope with a new cyber battlefield because they are stuck in an old reality that no longer exists and are affected by a new reality they don"t understand. The following sections present a few examples of threat vectors that can cause significant havoc, yet which current cyber warfare doctrine ignores.
Anarchist Cl.u.s.ters: Anonymous, LulzSec, and the Anti-Sec Movement
Anonymous and the anti-sec movement have offered concrete proof of how effective chaotic attack cl.u.s.ters can be at defeating poorly defended organizations. Their victims have included the Atlanta Infraguard office, the Arizona Department of Public Safety, Vanguard Defense Industries, HB Gary Federal, and the CIA"s public website. Although it"s not a security organization, Sony had its web properties attacked more than 20 times in 60 days, which must be some kind of record. Anonymous hasn"t only gone after US targets-other victims have included the Columbian Black Eagles Special Police Unit, the UK Serious Organized Crime Agency, and government websites in Brazil, Tunisia, Italy, Zimbabwe, and Australia.
Anonymous, LulzSec, Phsy, AntiSecPro Security Team, and many other similar cl.u.s.ters of anarchist hackers and script kiddies haven"t used any advanced hacking techniques. They"ve been incredibly successful using nothing more than spear phishing, social engineering, and SQL injection when breaking into networks. Stolen information is then made public by hosting it on a public website like The Pirate Bay or PasteBin. They"ve been so successful at this that the Department of Homeland Security (DHS) took the unusual step of preparing and releasing a report on the organization.[52] While the FBI, Scotland Yard, and other international law enforcement agencies have made numerous arrests, it has had little effect on these ongoing operations. This is partly due to the nature of a loosely organized, widely distributed network that can randomly come together to form attack cells, then split apart and reform at a later date under new aliases. New members are eager to get involved since the barrier to entry is so low and the anti-establishment appeal is so high.
[41] Jeffrey Carr, "Why is Hillary Clinton so interested in cyber-attacks on Google?", The Guardian, June 3, 2011, "Field Manual 34-130-Intelligence Preparation of the Battlefield," Enlisted.info, Chris C. Demchak and Peter Dombrowski, "Rise of a Cybered Westphalian Age," Strategic Studies Quarterly, Spring 2011.