26 February 2017

What is cyber warfare?

Davey Winder

The Oxford Dictionaries definition of cyberwar is “The use of computer technology to disrupt the activities of a state or organisation, especially the deliberate attacking of information systems for strategic or military purposes.”

Definitions are important at this level of national security, because legally justifiable responses depend upon them being accurate. In the case of cyber warfare, it's not as straightforward as you might imagine. The dictionary definition doesn’t even mention attribution, let alone the clear and unambiguous attribution that would be required for an act of cyber warfare to be declared.

Is anyone under cyber warfare attack?

The answer, if you go by the dictionary definition, is an unequivocal yes. Like most Western countries, we see concerted cyber-attacks pretty much daily against government organisations and enterprises alike. But are we engaged in a cyberwar? Not according to the 'clear and unambiguous' attribution requirement.

We know that Russia and China are developing cyber weapons to use in any future cyber conflict, and the US, France and Israel are just as active as nation states leading the way in this endeavour. But that doesn’t mean we can say any of these countries are using them, although we know they have the capability and have done so in the past. Stuxnet, for example, was a joint venture between Israel and the USA to destroy Iran’s nuclear programme capability.

What weapons are used in cyber war?

Primarily, the weapons are not dissimilar to those we see being used in criminal attacks all the time. So, there are DDoS botnets to serve up denial of service attacks that can disrupt, if not actually take out of play, strategic servers. As in many data robberies, DDoS can be used as a resource-diverting smokescreen for other activity on the network. Social engineering and spear phishing attacks are also weaponised to introduce an attacker into the systems of an adversary, assuming they don't already have a mole to do it for them. Yes, the insider threat is a very real weapon in the cyber warfare armoury.

Stuxnet is a great example of how multiple layers of attack can be successfully used. An inside man, whether a mole or an unknowing worker, physically inserted an infected USB stick into an air-gapped system. Malware using multiple zero-day exploits searched for specific software controlling centrifuges and, once located, reprogrammed them to spin dangerously fast, then slow, for a period of several months. Eventually the centrifuges broke, and more than 1,000 machines were effectively destroyed.

No weapon is more coveted than the zero-day exploit, which targets a vulnerability that nobody other than the attackers is yet aware of. Stuxnet used multiple 0days, with a dark market value in the millions, to ensure success. These are the secret weapons of the cyber arms race, more likely to be denied than proudly declared as defiant threats to would-be aggressors.

False flags

The only cyber weapon that is perhaps even more dangerous and disruptive than the zero day is the false flag. We know that, for example, the attack by the so-called 'Cyber Caliphate' claiming to be affiliated to ISIS on a US military database was a false flag operation by the Russian state-sponsored hacking group APT 28. Why does this matter? Because the US retaliated with kinetic attacks on cyber communication channels and drone strikes against human targets in Syria. Hearts and minds people...
