Saturday, October 3, 2009

Could a single hacker crash a country's network?

You know you're living in the new millennium when one of the Obama administration's newest positions is nicknamed the "cyberczar." In May 2009, President Obama formally announced his plans to appoint a national cybersecurity adviser, charged with protecting computer networks in the United States -- which Obama referred to as "strategic national assets" -- from hacking and spying.

Cybersecurity isn't a new topic making the rounds in Washington. In 2007, the Center for Strategic and International Studies convened the Commission on Cybersecurity for the 44th Presidency, tasked with examining public policy and issues surrounding cybersecurity and developing recommendations for its improvement. According to the commission's executive summary, the vulnerability of computer networks has become a national security problem.

Computer hacking has evolved from a casual tech sport into a full-blown criminal industry. With vast amounts of personal information floating around on the Internet, people are constantly at risk of identity theft and the ripple effect of stolen money. For instance, for 2008 the FBI's Internet Crime Complaint Center reported $264.6 million lost to Internet fraud [source: Internet Crime Complaint Center]. The federal government has even more at stake than bank account numbers and birth dates, though. In addition to appointing a cyberczar, the Department of Defense is establishing U.S. Cyber Command to combat the tide of online threats against its networks and classified government data.

The series of cyber-attacks that began on July 4, 2009, highlighted why we need online safeguards. That weekend, government and public Web sites in the United States and South Korea were hit with denial-of-service (DoS) attacks: floods of junk traffic, in this case generated by a botnet of malware-infected PCs, that swamp a site's servers and bandwidth until it can no longer answer legitimate requests. North Korea, which isn't known for having high-tech hacking capabilities, was suspected as the perpetrator [source: Olsen]. While the North Korea allegation hasn't been confirmed, the attackers targeted at least nine U.S. sites, including those of the White House, the Treasury Department and the National Security Agency (whose Fort Meade headquarters is, incidentally, where U.S. Cyber Command is slated to be based). In South Korea, the DoS attacks clogged more than 20 sites.

Estonia's Hack Attack

Cyber-Armageddon has yet to commence, but hackers are waging small skirmishes -- like what took place on July 4, 2009, against the United States and South Korea -- and their skills only continue to mature. Some of the most talented hackers these days live in Russia and former Soviet states [source: Poulsen]. That tidbit is interesting, given the political situation surrounding the 2007 attacks that knocked much of Estonia's government, banking and media Web presence offline.

In March 2009, a 22-year-old Russian named Konstantin Goloskokov admitted to rallying a group of pro-Kremlin friends to launch a series of cyber-attacks against Estonian Web sites two years earlier. Rioting had broken out in Estonia in the spring of 2007 after government workers relocated a commemorative World War II statue of a Soviet soldier. Russian loyalists took offense at the statue's removal, which they perceived as a direct snub to the former Soviet Union's contributions to the war [source: Lowe]. As the fighting in the streets calmed, a second wave of aggression cropped up in cyberspace. According to Goloskokov, he and a group of friends directed enormous streams of data at Estonian government, bank and media Web sites, knocking them offline on and off from April 26 to May 18, 2007.

The Estonian virtual invasion consisted of distributed denial-of-service (DDoS) attacks. In a DDoS attack, the attacker uses other people's computers, sometimes halfway across the globe, to generate the flood. First those computers are infected with bot malware, typically delivered through an unpatched software vulnerability, a malicious e-mail attachment or a compromised Web page, that gives the attacker remote control while hiding from the owner. Once an attacker controls enough of these so-called zombie computers, he networks them together into a botnet and points all of them at the target at once. The Estonian attack relied on vast botnets to send the coordinated, crash-inducing traffic to the Web servers. Because each zombie contributes only a small share of the load, blocking individual sources does little; the defender has to absorb or filter the aggregate.

Just how much damage did that small group of hackers carry out? According to a New York Times article reporting on the events, the hackers rained down a data load equivalent to downloading the entire Windows XP operating system every six seconds for 10 hours [source: Landler and Markoff]. Hansabank, Estonia's largest bank and one of the prime targets of the attack, lost around $1 million over the course of the attacks, and members of Parliament couldn't access e-mail for four days.

Goloskokov, the cyber-attack mastermind, claimed the siege was a form of civil disobedience rather than criminal behavior. Whatever the intent, the incident demonstrated the tremendous power that a remote group of hackers can wield. Especially considering that Estonia is one of the most wired nations on the globe, the implications for what could happen to larger and arguably less well-defended networks in, say, the United States seem rather grave. In 2000, the Estonian government declared Internet access a basic human right. But as hackers hone their skills, the Baltic nation may have to fight to defend it.

Is cyberwar coming?

Listen up, soldier! Not every battle takes place over rugged terrain, on the open sea or even in the air. These days, you'll find some of the fiercest fighting going on between computer networks. Rather than using bullets and bombs, the warriors in these confrontations use bits and bytes. But don't think that digital weaponry doesn't result in real world consequences. Nothing could be further from the truth.

Consider all the different systems in the United States connected to the Internet:

* Emergency services
* Financial markets and bank systems
* Power grids
* Water and fuel pipelines
* Weapons systems
* Communication networks


That's just the beginning. Think about all the services and systems that we depend upon to keep society running smoothly. Most of them run on computer networks. Even if network administrators segregate their computers from the rest of the Internet, those systems can still be vulnerable: an air gap is routinely bridged by removable media, by vendor maintenance connections and by the laptops of staff who work on both networks.

Cyber warfare is a serious concern. Unlike traditional warfare, which requires massive amounts of resources such as personnel, weapons and equipment, cyber warfare only needs someone with the right knowledge and computer equipment to wreak havoc. The enemy could be anywhere -- even within the victim nation's own borders. A powerful attack might only require half a dozen hackers using standard laptop computers.

Another frightening aspect of cyber warfare is that a cyber attack can come as part of a coordinated assault on a nation or it could just be a malicious hacker's idea of a joke. By the time a target figures out the nature of the attack, it may be too late. No matter what the motive, cyber attacks can cause billions of dollars in damages. And many nations are woefully unprepared to deal with cyber attacks. With that in mind, the question isn't will there be a cyberwar -- the question is when will there be one?

Some people might argue that the cyberwar is already here. In fact, based on attacks perpetrated daily against the United States and other nations, the first real cyberwar began back in the late 1990s.

Cyberwars Around the World

Although the Internet has been around for a few decades, it's still a relatively young technology. It's also an extremely useful technology. Governments, corporations and ordinary citizens adopted Internet technology very quickly. Before long, entire industries and government services became dependent upon the Internet to function. The problem is that on the whole, the Internet and the systems connected to it aren't very secure. There are many ways to exploit vulnerabilities and infiltrate systems. Internet security hasn't been able to keep up with adoption and use.

Wargames
The Eligible Receiver exercise employed what the security industry calls a red team attack. Red teams are groups of people who are on your side but behave as if they were a true opponent in order to test your defenses, employing any of the strategies a real adversary might use.

Some people recognized the inherently dangerous nature of the Internet fairly early on. In 1997, the Department of Defense commissioned an exercise codenamed Eligible Receiver. While most of the details regarding Eligible Receiver remain classified, the main purpose of the exercise was to see whether a group of hackers using readily available computers and software could infiltrate the Pentagon's computer systems. The results were sobering: according to John Hamre, the deputy secretary of defense at the time, it took three days before anyone at the Pentagon became aware that the computer systems were under attack.

The team of hackers gained control of Pentagon and national military command systems. A real attack could have caused the computer systems to shut down. Even more discomforting was the thought that the attackers could access and steal information.

In fact, a real adversary appears to have done just that only a year later. In an intrusion campaign the U.S. government code-named Moonlight Maze, someone penetrated multiple computer systems at the Pentagon, NASA and other facilities and accessed sensitive information. U.S. investigators stumbled on the probes in 1998, by which point the intrusions had gone unnoticed for about two years. The pilfered data reportedly included strategic maps, troop assignments and positions and other sensitive material. Investigators traced the attacks back to computers in Russia, but it's impossible to say whether that was their true origin, since an attacker can relay through compromised machines in a third country.

The United States isn't always on defense in cyber warfare. The U.S. has reportedly used cyber warfare techniques in Iraq and Afghanistan. During the 1999 Kosovo war, the U.S. used computer-based attacks to compromise Serbian air defense systems; the attacks distorted the images those systems generated, giving Serbian forces incorrect information during the air campaign. Intelligence agencies also work to infiltrate terrorist cells' online communications and monitor them remotely.

More recently, cyber warfare played a role in the 2008 conflict between Russia and Georgia. Attackers hit Georgian Web servers with a series of distributed denial-of-service (DDoS) attacks. Essentially, a DDoS floods a server with far more traffic than it can handle, whether ICMP pings, half-open TCP connection requests or plain HTTP page requests arriving from thousands of machines at once. The server exhausts its bandwidth, memory or connection table trying to respond and slows to a crawl or crashes. The identity of the attackers is still unknown; it could have been anyone from Russian agents to mafia hackers to someone who wasn't even involved in the conflict.
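The two kinds of flood described in this article (a single machine hammering a site, as in the DoS definition near the top, and a botnet spreading the load across thousands of zombies, as in the Estonian and Georgian attacks) look different in a server's logs, and that difference decides whether a simple firewall rule will help. The following Python script is an added example, not code from the original article: it buckets constructed web-server log lines into ten-second windows and flags both patterns. The log format, the thresholds and every address in it are assumptions made for the demo.

```python
"""Request-rate detection over web-server log lines.

Added example, not code from the original article. The log lines are
constructed for this demo in a simplified Common Log Format:
    <client-ip> [<epoch-seconds>] "<request>" <status>
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r'^(\S+) \[(\d+)\] "([^"]*)" (\d{3})$')


def parse_log(lines):
    """Yield (ip, timestamp, request, status) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than crashing the detector
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def analyze(lines, window=10, per_source_limit=50, aggregate_limit=200):
    """Bucket requests into fixed time windows and flag two flood patterns.

    single_source: one client alone exceeds per_source_limit (classic DoS;
                   a firewall rule against that one address is enough).
    distributed:   the window total exceeds aggregate_limit while no single
                   client stands out (botnet DDoS; per-source blocking fails).
    Returns {window_start: finding}.
    """
    buckets = defaultdict(Counter)
    for ip, ts, _request, _status in parse_log(lines):
        buckets[ts - ts % window][ip] += 1

    findings = {}
    for start, counts in sorted(buckets.items()):
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if top_n > per_source_limit:
            kind = "single_source"
        elif total > aggregate_limit:
            kind = "distributed"
        else:
            continue
        findings[start] = {"kind": kind, "total": total,
                           "sources": len(counts), "top": (top_ip, top_n)}
    return findings


def build_sample_log():
    """Constructed traffic: a quiet window, a single-source flood, a botnet flood."""
    lines = []
    for i in range(30):            # seconds 0-9: 10 ordinary clients, 3 hits each
        lines.append(f'192.0.2.{i % 10} [{i % 10}] "GET / HTTP/1.1" 200')
    for i in range(80):            # seconds 10-19: one client, 80 hits
        lines.append(f'198.51.100.7 [{10 + i % 10}] "GET /login HTTP/1.1" 200')
    for i in range(300):           # seconds 20-29: 300 distinct zombies, 1 hit each
        lines.append(f'10.0.{i // 256}.{i % 256} [{20 + i % 10}] "GET / HTTP/1.1" 503')
    lines.append("corrupted line with no structure")
    return lines


if __name__ == "__main__":
    for start, finding in analyze(build_sample_log()).items():
        print(f"window {start:>3}s: {finding}")
```

The quiet window produces no finding, the second window is attributed to one address, and the third is flagged only by the aggregate check because every zombie stays well under the per-source limit. Two caveats: a flood at the network layer (SYN or ping floods) never reaches the application log, so the same logic has to run on flow or packet counters at the border, and a botnet with tens of thousands of members can still exhaust bandwidth upstream of any box that runs this check.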

The list doesn't stop there. Some suspect that North Korea has used cyber attacks on South Korea. There are rumors that China uses cyber attacks against Taiwan. The terrorist organization Al Qaeda has even declared a cyber jihad on the U.S. In many cases, proving one nation is actively using cyber attacks on another is impossible.

What does a cyberwar look like? In the next section, we'll take a closer look at some of the strategies cyber warriors use.

Cyberwar Battle Strategies

While there are many different cyberwar scenarios we could look into, in general you can break down the strategies into two major categories. Let's take a look at each one in detail.

SCADA Systems
Water, fuel and electric-utility systems often use supervisory control and data acquisition (SCADA) systems. SCADA can automate many tasks by taking commands from a control network and converting them into real-world actions, such as opening a valve in a fuel line or tripping a breaker on a power grid. But the operator workstations and servers in most SCADA installations run the same commodity software, mainly Microsoft Windows, that has well-known vulnerabilities, and the industrial protocols the controllers themselves speak were designed for isolated networks and carry no authentication at all: any host that can reach a controller can command it.
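To make the sidebar's last point concrete, here is an added Python example (not code from the original article) that builds and parses Modbus/TCP requests, one of the most common SCADA protocols, and audits a constructed capture for write commands coming from hosts outside an allowlist. The frame layout follows the public Modbus/TCP specification; the plant addresses, the allowlist and the captured frames are assumptions made for the demo.

```python
"""Modbus/TCP request parsing and write-command auditing.

Added example, not from the original article. Modbus/TCP has no
authentication field anywhere in the frame: whoever can reach TCP port 502
on a controller can write its coils and registers. The frames, addresses
and allowlist below are constructed for the demo.
"""
import struct

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_modbus_tcp(frame):
    """Decode the MBAP header and function code; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    func = frame[7]
    pdu = frame[8:]
    info = {"transaction": tid, "unit": unit, "function": func,
            "is_write": func in WRITE_FUNCTIONS}
    if func in (5, 6) and len(pdu) >= 4:
        info["address"], info["value"] = struct.unpack(">HH", pdu[:4])
    elif func in (15, 16) and len(pdu) >= 4:
        info["address"], info["quantity"] = struct.unpack(">HH", pdu[:4])
    return info


def _frame(tid, unit, pdu):
    """Prefix a PDU with an MBAP header: transaction id, protocol 0, length, unit."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_write_single_coil(tid, unit, address, on):
    """FC 5: 0xFF00 turns the coil on, 0x0000 turns it off. No credential field exists."""
    return _frame(tid, unit, struct.pack(">BHH", 5, address, 0xFF00 if on else 0x0000))


def build_read_holding_registers(tid, unit, address, quantity):
    """FC 3: a read-only request, harmless to the process but useful for reconnaissance."""
    return _frame(tid, unit, struct.pack(">BHH", 3, address, quantity))


def audit(packets, allowed_writers):
    """Return alerts for writes from hosts outside the allowlist and for malformed frames.

    packets: iterable of (source_ip, frame_bytes). Since the protocol itself
    cannot refuse an unauthorized writer, the network (a firewall or a
    monitor like this) is the only place the check can happen.
    """
    alerts = []
    for src, frame in packets:
        try:
            info = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append({"src": src, "reason": "malformed", "detail": str(err)})
            continue
        if info["is_write"] and src not in allowed_writers:
            alerts.append({"src": src, "reason": "unauthorized_write",
                           "detail": f"{WRITE_FUNCTIONS[info['function']]} addr={info['address']}"})
    return alerts


def sample_traffic():
    """Constructed capture: engineering workstation 10.1.1.5 plus an unknown host."""
    return [
        ("10.1.1.5", build_write_single_coil(1, 1, 7, True)),        # sanctioned write
        ("203.0.113.9", build_read_holding_registers(2, 1, 0, 10)),  # recon read
        ("203.0.113.9", build_write_single_coil(3, 1, 7, False)),    # valve closed by stranger
        ("203.0.113.9", b"\x00\x04\x00\x00"),                         # truncated frame
    ]


if __name__ == "__main__":
    for alert in audit(sample_traffic(), allowed_writers={"10.1.1.5"}):
        print(alert)
```

The read from the unknown host raises no alert here, which is a deliberate choice to keep the demo focused on writes; in practice that read is the reconnaissance phase described later in this article and deserves logging too. An allowlist keyed on source address is only as strong as the segmentation around it, since a compromised engineering workstation carries the allowed address.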

The first major strategy is the Pearl Harbor attack, named after the surprise attack on the naval base at Pearl Harbor, Hawaii, in 1941. This kind of attack involves a massive cyber assault on major computer systems. Hackers would first infiltrate these systems and then sabotage them. They might shut down part or all of a nation's power grid or attack water and fuel lines.

Another approach is to use self-propagating malware to do the dirty work. Worms like Code Red, Slammer and Nimda spread rapidly across the Internet by exploiting unpatched vulnerabilities. Code Red directed infected computers to flood the White House Web site. These worms caused billions of dollars' worth of damage as companies and governments had to clean and repair affected systems. Worms offer attackers a low-risk/high-reward weapon because it can be difficult to track down the programmers who unleash them.

Pearl Harbor attacks can be frightening all on their own, but some security experts worry that enemies could coordinate a cyber attack with a physical assault. Imagine your city's power supply winking out in an instant, and within moments you hear the sound of explosions going off in the distance. Such an attack could not only cause a lot of damage, it would be a powerful psychological tactic. Some experts worry that terrorist organizations like Al Qaeda are working on plans that follow this strategy.

The other method of attack is much more subtle but just as dangerous. Instead of mounting a massive cyber assault, the enemy infiltrates computer systems and just watches and waits. This strategy involves espionage and reconnaissance. The key is to avoid detection and gather as much information as possible, which the enemy can later use to target weak points in the victim nation's infrastructure.

A hacker who has infiltrated a system can also sabotage it gradually, in ways that avoid detection. By tweaking lines of code or configuration in subtle ways, the attacker can make systems less accurate and less reliable over months or even years, until the system becomes completely unreliable or unresponsive. This long-term strategy takes longer to carry out than a Pearl Harbor attack, but it's also more difficult to detect, prevent or repair.

A hidden attacker could even plant a logic bomb in an infiltrated system: malicious code that doesn't fire immediately. Some attackers build in triggers they activate with a manual command; others use time-activated triggers that release the payload on a certain date or once some condition is met.
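Against the quiet tampering and planted logic bombs described in the last two paragraphs, the standard defense is a file integrity check: hash every file while the system is known-good, store the manifest somewhere the intruder cannot write, and diff a fresh manifest against it on a schedule. The script below is an added example, not code from the original article; the directory tree, file names and contents are constructed inside a temporary directory so it runs anywhere.

```python
"""Baseline-and-compare file integrity check.

Added example, not code from the original article. A manifest of SHA-256
digests taken while a system is known-good is later compared against a
fresh manifest; a one-character edit, a planted file or a deleted file all
surface. The directory tree, file names and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large binaries never sit in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path (with '/' separators) -> SHA-256 hex digest for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline, current):
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Build a tiny constructed tree, take a baseline, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "control.py").write_text("def setpoint():\n    return 100\n")
        (root / "etc" / "plant.conf").write_text("max_pressure=80\n")
        baseline = build_manifest(root)

        # The quiet sabotage from the article: a single-digit change, a planted
        # helper that waits for a date, and a deleted configuration file.
        (root / "bin" / "control.py").write_text("def setpoint():\n    return 101\n")
        (root / "bin" / "cron_helper.py").write_text("import datetime  # fires on a date\n")
        (root / "etc" / "plant.conf").unlink()

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is only as trustworthy as the baseline: an intruder with the same access can recompute the manifest to match, so keep it off-host or signed, and run the comparison from trusted media. It also says nothing about tampering in memory or in firmware below the file system, which is why it complements rather than replaces the monitoring discussed in the next section.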

Cyberwar Defenses

Because cyber warfare is so different from traditional warfare, you can't rely on the rules you'd use in a physical conflict. With the right techniques, an attacker can make an attack practically untraceable. It's not hard for a skilled hacker to assemble an army of zombie computers, machines infected with a program that lets the hacker control them remotely, and the owners of those machines may be unaware of the intrusion. If a computer system comes under attack from an army of zombies, the traffic points back to the victims of the malware, not to the hacker ultimately responsible.

Part of preparing for a cyber attack is to educate citizens around the world. The importance of computer security can't be overstated. A combination of promptly patched software, the right antivirus protection and a careful approach to Internet activities can help prevent hackers from gathering the zombie machines they need to mount an offense in the first place.

Security experts like Richard Clarke, former cyber security advisor to the United States, say that part of the responsibility falls on software companies. He has said that software companies often rush products to market without putting them through a rigorous quality control phase, and he criticized Microsoft in particular for its practices. Since then, Microsoft says it spends more time and resources making sure its products have strong security features.

Why release products that aren't secure? The issue isn't as clear-cut as we might like. There's an economic tradeoff when companies take more time to look into security issues before releasing a product. The longer the production cycle, the more money the company has to spend. That puts software companies in a difficult position. Should they increase the price of their products, which can hurt the consumer? Should they keep the price the same and absorb the added development costs, which hurts their investors? Should they cut costs elsewhere by lowering salaries, which hurts their workforce? The reality is that an increased focus on security will result in an impact on the bottom line of the business. If companies feel the risk of a security breach is low, it's possible that they'll ignore the possibility entirely.

Another thing to consider is that private companies own most of the Internet's infrastructure. Unless the government implements regulations, it's up to these private companies to ensure the safety of their networks. Even experts like Richard Clarke have said that regulation is not the right decision; he argues that it inhibits innovation and lowers the bar for security across all industries.

Most industries and governments employ security experts who monitor their respective computer systems constantly. They are responsible for detecting probes and intrusions and reacting to them. Security experts like John Arquilla, an associate professor at the Naval Postgraduate School, and John Hamre, CEO and president of the Center for Strategic and International Studies, have said that a Pearl Harbor attack would probably not cause widespread destruction, in part because we've learned to detect and respond to attacks quickly [source: Frontline]. While an attack might still be successful, they say that the recovery period would be relatively short. Governments and companies should still try to seal any security holes they might have, but it's not likely that a massive attack could cripple major systems for a significant period of time. Other experts are less certain -- they caution that a well-organized assault could take us by surprise and hit enough systems to cause widespread economic damage.

While it might not be obvious to us in our every day life, there's no doubt that cyber warfare is going on right now between nations and factions around the world. So is cyberwar coming? It may already be underway.
