In light of the growing concern related to Google cyber attack, we're re-posting this column, which originally ran October 19, 2009.
Gladiators and jousters, Wild West gunslingers and kamikaze pilots, are long retired to history books and celluloid epics, each a reminder of war tactics from a bygone era. They're supplanted today by anonymous warriors--pseudonyms sitting in virtual garrisons, spying, probing, and launching attacks from non-descript buildings all over the world. This is not your father's war. It's not even your older brother's war. In cyberwarfare, there may be no victors, no spoils, just havoc, theft, and assault.
Those who cling mindlessly to notions of war driven by sovereignty and territorial conquest through armed forces should look no further than the specter of current events, where warlords live in caves and their henchmen strap on home-made explosives. Take shock value and terror and layer in the Internet's abstraction and suddenly those who hate or feel disenfranchised or seek wealth or yearn for sanity, or whatever else, gain instant targets and instant audience, and an almost-impossible cave to find.
New wars call for new rules and new definitions. Kris Herrin, chief security officer of Heartland Payment Systems, recently riveted banking industry veterans, as he often does when he folds his company's disastrous security breach inside out. The Russian hackers who breached Heartland and stole its data late last year outsource their malware development to India, have customer service guarantees, offer a help desk, and provide a fully automated attack platform (you can select a target and an attack method, much as you would customize a hand bag online).
It would be easy enough to label this cybercrime, but Russian civilians have engaged in cyberattacks against neighboring Georgia. During Herrin's talk, a Bank of America executive reminded the audience that the Department of Homeland Security revealed that Al-Qaeda had attacked banks worldwide to the tune of hundreds of millions of dollars to fund its operations. Cybercrime, or cyberwarfare? The Russian outfit that attacked Heartland breached 300 financial institutions. If they marched into America as armed militia, or took out electric grids with guns and tanks, would that be crime or war? The lines blur.
Fear and outrage followed North Korea's alleged infiltration of the Department of Justice and Federal Trade Commission computer systems. The U.S. reportedly hacked into Iran's systems early this decade to monitor that country's nuclear program. The New York Times reported that U.S. soldiers lured Al-Qaeda into a death trap by hacking into a computer and falsifying information. There are numerous reports on persistent probes from Chinese hackers into U.S. systems, including network operators penetrating several electric grids. Some government officials suspect China of building trapdoors (hidden code or altered physical layers) into the chips that run many of our computer systems.
Well-known security researcher Marcus Ranum argues that cyberwarfare doesn't exist, that cyberattacks only accompany a vast military invasion. Besides, what right-minded military would tolerate a weapon that could be disabled with a push of a button. And yet unmanned fighter drones capable of surveillance and strikes fly non-stop miles above Iraq and Afghanistan and regularly fall into automated holding patterns when pilots thousands of miles away lose Internet connectivity to the aircraft, cyberflanks exposed.
In 2007, Israel, suspecting a nuclear installation in Syria, sent an air raid to destroy the facility, bypassing Syria's vaunted radar systems. Many speculate that the radar had been tampered with. Cyberwarfare.
Because civilians allegedly drove the Russia-Georgia battle in cyberspace, many refuse to call it war. Likewise, in Estonia, a country was disrupted, money was lost, but no sovereignty was taken, no guns, no victory or defeat. The wars of history don't allow for engines of abstraction, only those of explosives.
Mike McConnell, former director of national intelligence, recently said: "The ability to threaten the U.S. money supply is the equivalent of today's nuclear weapon."
Despite the threats, some experts, including RAND Corp., suggest a slowdown in spending on cyberwar defenses, and there already have been substantial cuts, including the Air Force cybersecurity programs. The government has been mum on developing cyberoffensive capabilities, although many arm-chair pundits have suggested we're building our own trapdoors in the hardware and software we export.
There are, however, several initiatives under way, including building a replica of the Internet to test for vulnerabilities and a DARPA-funded initiative through MIT to test our own ability to examine chips for things like trapdoors (the program is called Trust in IC). Col. Charles Williamson III, the staff judge advocate for Air Force Intelligence, argued in the Air Force Journal for creating a .mil botnet using an army of discarded or aging computers, though he stopped short of calling for civilian zombies.
And then there's policy. Certainly, the rules will need some rewriting. The Geneva and Hague Conventions make civilian involvement in war illegal, but those agreements don't account for cyberwarfare. Melissa Hathaway, former senior director for cyberspace for the National Security Council and Homeland Security Council, made the case to take the discussion international given the widespread nature of these threats. "If we can bring it into some of the policies we're looking at, the synchronization, formulation, rules of engagement, and what is ethical behavior . . . that's one way to address it."
While policy and agreements are nice in theory, they will prove meaningless against today's cyberwarrior. The anonymity of attackers and the thick dossier of attack targets mean more casualties and a call for an ever-more-vigilant defense posture. The painful part is figuring out who may attack, how it will occur, and where it will begin. Indeed, it may have already begun. After all, on the Internet, nobody knows they're in a dogfight.
Fritz Nelson is the Editorial Director for InformationWeek and the Executive Producer of TechWebTV. Fritz writes about startups and established companies alike, but likes to exploit multiple forms of media into his writing.
Follow Fritz Nelson and InformationWeek on Twitter, Facebook, YouTube and LinkedIn: