Q&A: Cyber warfare

Geoff Harris is the President of the UK Chapter of the Information Systems Security Association (ISSA) a not-for-profit, international organization of information security professionals and practitioners. In this interview he discusses cyber warfare.

In your opinion, how far are we from a international consensus as to what constitutes an act of cyber warfare and what issues do you predict will be the major stumbling blocks on the road to such an agreement?
There have been various incidents that could be described as acts of cyber warfare.
The Cyber-attacks against Estonian systems in starting in April 2006 with data-flooding attacks on key government websites, culminating on a coordinated Distributed Denial of Service (DDoS) attacks on key government, financial and media sites in May 2006 certainly would fall under this category.

In terms of what constitutes an act of cyber warfare, I would have to refer this to international lawyers and powers such the United Nations. There has been enough debate around what constitutes an act of war in convention terms e.g. Iraq Like the definition of “war” itself, the term “cyber war” is complex. The most basic definition is that cyber war simply entails waging war through digital, technological means. According to the Institute for Advanced Study of Information Warfare (ASIW), they have defined cyber as “the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy, and adversary’s information, information-based processes, information systems, and computer-based networks while protecting one’s own.

A country will have to be extremely careful when it comes to attributing attacks to a source, because the cyber world is eminently suitable for misdirection and subterfuge, and traces left by attackers are not obvious to the greater public. Do you think there will be a need for some kind of international court or body that will have final ruling on who’s to blame for attacks and breaches that cross the line between cyberterrorism and cyber espionage and cyber warfare?
In the example above, the Estonian defence authorities traced the sources of the attacks to Russian IP addresses. However the Russian authorities were unable provide details on the individuals owning these IP addresses stating that they had no legal powers to do so, apparently stating that these acts were not illegal in Russia at that time.

Organization such as The Internet Governance Forum (IGF) have been doing some excellent work in areas such as:

• The definition of security threats, international security cooperation, including such issues as cybercrime, cyber terrorism and cyber warfare.
• The relationship between national implementation and international cooperation.
• Cooperation across national boundaries, taking into account different legal policies on privacy, combating crime and security.
• The role of all stakeholders in the implementation of security measures, including security in relation to behavior and uses.
• Security of internet resources.

What are your thoughts about the partnership between Google and NSA?
It is in the interest of national security and law enforcement organizations to work together with major Internet providers such as Google to combat all forms of e-crime to make the Internet as safer place to work and play. Users have a choice when signing up to use such services and should read privacy and service level contractual terms if they have any concerns. I would expect other Internet service providers and products vendors to follow.

In some ways, cyber wars will surely emulate real-life ones. Do you see countries that are historical allies banding together?
Absolutely, an example of this is the recent Directive 2008/114/EC “on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection”. In March 2009 the EU Commission published a Communication on Critical National Infrastructure Protection entitled “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience” (COM(2009)149 final, Council document 8375/09). This document was accompanied by 400+ pages of “Impact Assessment” (COM(2009)399 and 400, Council document 8375/09 ADD 1-4) setting out the background to the Commission’s approach to this issue.

What would be the cyber counterpart of gained territory and resources in a meatspace war?
This could be gaining control of systems and networks at either administrator privileged access level or the ability to launch so form of attack from them e.g. botnets which are used to perpetrate a host of different attacks including DDoS, keylogging, spamming, phishing, Web-scraping, etc. Botnets are of interest to many bodies, including those with commercial, criminal, military, intelligence or terrorist interests. The scale of the problem and the future potential is large and growing. It demands a coordinated approach by all stakeholders. It cannot be addressed by, for example, law enforcement or military action alone.

However, the more covert and subtle intelligence gathering threats potential present more of a risk from mass attacks which are easily detected and traced to their originating sources.
Examples of these are Targeted Trojan Email Attacks as defined in the UK’s National Infrastructure Security Co-ordination Centre advice paper released 5 years ago. In this reference was made to a series of trojanised email attacks targeting UK Government and companies with the aim of the attackers to covertly gather and commercially or economically valuable information. Trojans were detected delivered in email attachments or through links to a websites using techniques such as social engineering, spoofed sender address and sending information relevant to a recipient’s job or interests. Once installed on a user machine, Trojans could used to obtain passwords, scan networks, exfiltrate information and launch further attacks.

The recent attacks on targeted Google users in China and other global organizations are no surprise. The advice above was given in 2005 and attackers intent on commercial, criminal, military, intelligence or terrorist e-crime will use these as well as product vulnerabilities. The January 2010 Internet Explorer Vulnerability (Microsoft Security Advisory 979352) used for these attacks earlier this year falls into this category.

Should “political” hackers be considered paramilitary organizations under the leadership or, at least, working with tacit approval of the country whose interests they promote?
E-crime is a criminal act as defined by the jurisdiction in which the act takes place. Organizations such as The Internet Governance Forum (IGF) that are addressing the issues of law enforcement and cooperation across national boundaries need to address this, taking into account different legal policies on privacy, combating crime and security.

You serve as the Cyber Defence conference chairman. How important is this event? Will there be a need for more focus on this topic in the near future?
This event now in its 3rd year will discuss and raise issues such those above. It serves as an important event to collect latest views and thought leadership on International Cyber Defence issues. I can only see this topic growing throughout this decade as all counties use of the Internet for part of their critical national infrastructures continues to grow.