2007: When Cyberwarfare Came of Age

There is a new war taking place over the internet that can be likened to computer games such as Doom. However, as Richard B Gasparre explains, in modern warfare, there are no free replays, and the blood is real.

In hindsight, military analysts may well regard 2007 as the year that cyberwarfare reached critical mass. Variously known as information warfare, network attack, e-warfare or cyberterrorism, depending on the context, cyberwarfare made headlines with Israel's 6 September raid on a presumed Syrian nuclear facility, during which the IAF reportedly disabled Syria's air defence system with cyberwarfare techniques.

Cyberwarfare is far more than just an air force niche, however. In 2007, two other events – neither of them military, technically speaking – served as warning signs that information and intelligence, which were always important components of war, could become increasingly critical to the armies of the world in an era of universal digital electronics.

THE INTERNET NEVER CLOSES, EXCEPT WHEN ESTONIA ANGERS RUSSIA

Last year, for three weeks in April and May, Estonia's internet infrastructure was subjected to a distributed denial of service (DDoS) attack of unprecedented size and coordination.

DDoS attacks overload websites and networks by flooding them, from many sources at once, with bogus queries and requests that either slow the target's response time to a crawl or crash its servers altogether.

This campaign followed Estonia's relocation of a Soviet WWII monument from the center of Tallinn, Estonia's capital, to a military cemetery on the outskirts of town.

After initial riots by ethnic Russians in Estonia and an attack on the Estonian embassy in Moscow drew strong Western responses, the DDoS attacks began on 27 April and escalated rapidly. The blitz peaked on 9 May, the day when Russia commemorates the surrender of Nazi Germany, and then tailed off, presumably to highlight the political point that 'disrespecting' Russia is a hazardous activity, even if done incidentally.

The operational purpose of the attack was to disrupt government and business operations, and judging by several criteria, the attack was successful. At the height of the onslaught, at least six major government sites, including those of the justice and foreign ministries, were virtually paralysed.

Web and even storefront commerce, including credit card purchases of such staples as food and gasoline, imploded as transaction processing ground to a halt. Estonian supply chain and operating finance continuity broke down, costing millions of Euros in foregone business. To handle critical local internet traffic, moreover, Estonia was forced to curtail foreign access to its sites, thus exacerbating the economic squeeze.

The attack might even have caused destruction and/or death had Estonia's public services infrastructure been stressed by adverse physical events. Indeed, a spokesman for Estonia's defence ministry compared the attacks to those launched against America on 11 September 2001.

Though a rhetorical exaggeration in some respects, this analogy is not completely unwarranted: Estonia, a country of only 1.3 million people, is one of the most wired nations on earth, and lives and dies by foreign commerce.

SERIOUSNESS OF THE CYBERATTACK

The severity of the Estonian cyberinvasion stemmed directly (but not entirely) from the enormous numbers of computers involved – by some estimates, over a million worldwide.

To overcome servers that are built to handle volume, a DDoS attack must generate enormous torrents of traffic in a short timeframe. A small number of computers cannot produce the necessary volume, and even if they could, network firewalls would simply drop all traffic from the few source IP addresses involved.

To get around both problems, the hackers who launch such attacks typically assemble 'botnets' – ad hoc networks of computers hijacked by malware – that generate reams of requests without the knowledge of their owners.

Like zombies in a horror movie, the hijacked computers not only participate in the attack, but also infect new computers, thus increasing output geometrically over time.
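The point of the two preceding paragraphs, that a firewall deny list of source addresses defeats a few loud hosts but not a botnet, can be measured. The following Python is an added example written for this page, not code from the article or from any party it describes: it counts requests per source in constructed web-server access-log lines (documentation and shared-address ranges, not real attackers) and reports what fraction of the flood a deny list of the k noisiest addresses would have dropped in each scenario. The scenarios, thresholds and function names are assumptions made for illustration.

```python
"""Added example (not from the article): how much of a flood a source-address
deny list actually stops, for a few attackers versus a botnet.

Log lines and addresses are constructed for illustration; the scenarios and
function names are choices made here, not anything the article describes.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Common web-server access-log format; lines that do not match are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def source_counts(lines):
    """Requests per source address."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def top_k_blocklist(counts, k):
    """The k noisiest sources, the obvious thing to feed a firewall deny list."""
    return [ip for ip, _ in counts.most_common(k)]


def blocked_fraction(counts, blocklist):
    """Share of all requests the deny list would have dropped."""
    total = sum(counts.values())
    return sum(counts[ip] for ip in blocklist) / total if total else 0.0


def make_log(requests_per_source):
    """Constructed access-log lines from a {source_ip: request_count} map."""
    lines = []
    for ip, n in requests_per_source.items():
        for i in range(n):
            lines.append(
                f'{ip} - - [09/May/2007:10:{(i // 60) % 60:02d}:{i % 60:02d} +0300] '
                f'"GET /index.html HTTP/1.1" 200 512'
            )
    return lines


# Twenty legitimate users, five requests each (100 requests in total).
LEGIT = {str(ip_address("198.51.100.1") + i): 5 for i in range(20)}
# Scenario A: two attacking hosts sending 500 requests each.
FEW_ATTACKERS = {**LEGIT, "203.0.113.7": 500, "203.0.113.8": 500}
# Scenario B: the same 1,000 attack requests spread over 1,000 bots, one each.
BOTNET = {**LEGIT, **{str(ip_address("100.64.0.1") + i): 1 for i in range(1000)}}

FEW_COUNTS = source_counts(make_log(FEW_ATTACKERS))
BOTNET_COUNTS = source_counts(make_log(BOTNET))

if __name__ == "__main__":
    for name, counts in (("few attackers", FEW_COUNTS), ("botnet", BOTNET_COUNTS)):
        bl = top_k_blocklist(counts, 2)
        print(f"{name}: blocking {bl} drops {blocked_fraction(counts, bl):.1%} of requests")
```

In the few-attackers case a two-entry deny list drops about 91% of requests. Against the thousand-bot flood the same two entries remove under 1% and, worse, both entries belong to legitimate users, because every bot is quieter than a real visitor. That is why mitigation of a distributed flood moves to upstream filtering, behavioural rate limiting and, as Estonia did, curtailing whole classes of traffic rather than individual addresses.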

As a socio-cultural group, Russians present a triple threat in terms of generating such leverage.

To begin with, the original pool of motivated hackers was large, as many ethnic Russians worldwide were genuinely offended by the original statue relocation. Many Russian-language internet sites featured anonymously posted primers on how to launch DDoS attacks.

Moreover, unscrupulous internet companies or cybercrime gangs can rent out botnets, or even build them to specifications. Indeed, Russia is home to some of the leading cybercrime organisations, such as the notorious Russian Business Network, and is generally a bountiful source of math and programming talent.

Finally, the Russian government probably provided aid to the front-line hackers, and may have orchestrated the campaign directly. According to Hillar Aarelaid, Estonia's cyberdefence chief, many of the earliest attacks originated from computers associated with Russia's government. Furthermore, Russian government entities and officials are not necessarily antagonistic toward domestic organised crime syndicates.

GARBAGE IN, SECRETS OUT (TO CHINA)

Shortly after Russian hackers stopped depressing Estonia's GNP, German security operatives discovered Chinese e-surveillance software in a number of sensitive ministry sites, including computers in the office of German chancellor Angela Merkel.

According to unnamed sources, the software entered the local networks by the Trojan Horse technique, in which malware hides within, or disguises itself as, innocuous or even legitimate files. The software was the equivalent of an industrial-strength vacuum cleaner, apparently copying and transmitting over 150 GB of data within short cycles (such as a day).
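A Trojan that ships 150 GB out of a ministry network in a day leaves a signal in network flow records that a simple baseline check can catch. The following Python is an added example written for this page, not code from the article or from any investigation it describes: it sums outbound bytes per internal host per day from constructed flow records, ignores internal-to-internal copies, and flags any host whose latest day exceeds both an absolute floor and ten times its own earlier daily average. The addresses, volumes, thresholds and function names are assumptions made for illustration.

```python
"""Added example (not from the article): flagging hosts whose daily outbound
volume jumps far above their own baseline, the kind of check that would
surface a bulk-copying Trojan like the one described above.

All flow records are constructed for illustration; the internal range,
thresholds and function names are assumptions made here.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import fmean

MB, GB = 10**6, 10**9
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range


def parse_flows(lines):
    """Yield (day, src, dst, bytes) from 'timestamp,src,dst,bytes' records.
    Malformed records are skipped rather than allowed to abort the run."""
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            yield ts[:10], ip_address(src), ip_address(dst), int(nbytes)
        except ValueError:
            continue


def daily_egress(lines):
    """Bytes per (internal host, day) that left the internal network.
    Internal-to-internal transfers are ignored: they are not exfiltration."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in parse_flows(lines):
        if src in INTERNAL and dst not in INTERNAL:
            totals[str(src)][day] += nbytes
    return totals


def flag_exfil(totals, ratio=10.0, floor=1 * GB):
    """Flag hosts whose latest day exceeds both an absolute floor and `ratio`
    times the mean of their earlier days. Returns {host: (day, bytes, baseline)}."""
    flagged = {}
    for host, by_day in totals.items():
        days = sorted(by_day)  # ISO dates sort chronologically as strings
        last, earlier = days[-1], days[:-1]
        baseline = fmean([by_day[d] for d in earlier]) if earlier else 0.0
        if by_day[last] > max(ratio * baseline, floor):
            flagged[host] = (last, by_day[last], baseline)
    return flagged


# Constructed flow records: three internal hosts over four days. Host 10.0.0.5
# behaves normally for three days and then pushes 160 GB out in a single day;
# 10.0.0.20 legitimately ships about 2 GB of backups to a provider every night.
_SPEC = {
    "10.0.0.5": [200 * MB, 210 * MB, 190 * MB, 160 * GB],
    "10.0.0.9": [150 * MB, 150 * MB, 150 * MB, 150 * MB],
    "10.0.0.20": [2 * GB, 2 * GB, 2 * GB, 2100 * MB],
}
SAMPLE_FLOWS = []
for _host, _per_day in _SPEC.items():
    for _d, _total in enumerate(_per_day):
        for _i in range(4):  # each day's volume spread over four flows
            SAMPLE_FLOWS.append(
                f"2007-05-{10 + _d:02d}T{6 * _i:02d}:00:00,{_host},203.0.113.{10 + _i % 2},{_total // 4}"
            )
# A large internal-to-internal copy on the last day must not count as egress.
SAMPLE_FLOWS.append("2007-05-13T12:00:00,10.0.0.9,10.0.0.50,50000000000")

if __name__ == "__main__":
    for host, (day, nbytes, base) in flag_exfil(daily_egress(SAMPLE_FLOWS)).items():
        print(f"{host}: {nbytes / GB:.1f} GB out on {day}, baseline {base / MB:.0f} MB/day")
```

The ratio test keeps the backup host from alerting when 2 GB becomes 2.1 GB, while the floor stops a host with a near-zero baseline from alerting on noise. The obvious evasion is to spread the copy over weeks instead of a day, which is why such checks are run in practice over several window lengths, not only the daily one shown here.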

German officials asserted that intelligence units within China's People's Liberation Army were culpable in this matter.

Counterintelligence sources did not disclose (if they knew at all) whether the files had slipped past network defences electronically or had been implanted manually by human operatives.

For its part, Chinese authorities implied that private hackers, perhaps based in China, were responsible, and made a rather public promise to crack down on independent cyberpirates, the 'usual suspects' in the demi-monde of Chinese e-commerce.

Subsequently, in the autumn of 2007, the Pentagon disclosed that a similar Trojan had infected computers in the office of Secretary of Defense Robert Gates the previous June, not a month after the German flap. The Pentagon stated that the only compromised network component was an unclassified e-mail system, but did not disclose details of the programme, in particular whether it could propagate itself or leave dormant 'sleeper' implants behind as a fallback.

Although the Pentagon did not officially identify the suspects, counterintelligence sources are convinced that the penetration was the work of China, and specifically intelligence units of the PLA. Naturally, China's foreign ministry denied any responsibility for the penetration.

FURTHER CYBERATTACKS

This incident was hardly the first or even largest example of presumptive Chinese espionage against the US, however. In particular, according to Time Magazine, three routers in Guangdong Province were staging grounds for an extensive cyberattack campaign that targeted dozens of websites and hundreds of computers belonging to US government agencies and defence contractors.

The US national security community calls this campaign, which is known to have run at least from 2003 to 2005, Titan Rain, but will reveal little else about it, including when it actually began and which publicly reported intelligence breaches are suspected to be part of it.

Post-2005 penetrations that fit the Titan Rain profile have been given a new collective code name – which itself is classified.

The evidentiary problem, of course, is that passage through routers, even in authoritarian states, is circumstantial. Indeed, even identifying the 'point zero' originating computer does not necessarily prove that a particular person or entity launched the attack, especially if access to the computer is unrestricted.

For this reason, US officials have not formally accused the Chinese government in connection with Titan Rain. Navy Rear Admiral Elizabeth Hight, deputy director of DoD's Joint Task Force for Global Network Operations, stated that "although we are seeing attacks that traversed through China, I can't say with any real assurance that that's where they start."

The official Chinese denial at the time also invoked the independent hacker scourge, but was more intriguing in another respect. Senior Colonel Wang, a military attaché at the Chinese Embassy in Washington was quoted as saying that China does not want to employ hackers to cyberspy on the US. Would China use hackers if no better option were available? Whether the implication was a linguistic accident or a Freudian slip was never clarified.

THE US ARMY'S GREAT LEAP FORWARD: FUTURE COMBAT SYSTEMS

So what does all this have to do with army technology? The answer, at least in the US, is simple: the army envisions tomorrow's battles as a larger version of multiplayer online war games such as Unreal Tournament or Doom, but with real blood and no free replays.

To fight this war, the army is pursuing its most ambitious R&D programme ever: Future Combat Systems (FCS). This umbrella initiative comprises development projects for over a dozen munitions, platforms and sensor suites. Many of them are designed to operate robotically – and underlying the entire package would be one of the most extensive and complex wireless networks in the history of information technology.

Not surprisingly, FCS is controversial for many reasons, but the issue of interest here is the software effort underlying the network. In March of last year, the Congressional Government Accountability Office (GAO) issued a report that called the software programming an 'unprecedented undertaking', and for good reason: as of early 2007, the Army estimated that the FCS software would comprise almost 64 million source lines of code (SLOC). Compare this number with the SLOC counts of these well-known projects:

  • Strategic Defense Initiative: at least 40 million and perhaps as many as 100 million in its experimental state when shelved
  • Windows XP: around 40 million prior to the Service Pack 2 release, which fixed major holes in XP's original security architecture
  • Windows Vista: roughly 70 million, illustrating the maxim that code, like paperwork, tends to grow over time

Aside from the historical parallels, these SLOC figures should worry FCS programmers because of two generally accepted rules of thumb in software development:

  • Bug counts rise with SLOC counts; the relationship is loose, but it is positive
  • More critically, exploitable security faults rise with bug counts, and that relationship is much more consistent

If this weren't enough, the GAO report also observed that the software effort was lagging behind the hardware projects, which have themselves drawn criticism for unduly optimistic timetables. Historically, the slowest component sets the length of the development cycle, but if cost overruns threaten to cripple FCS, the Army could decide to turn software development into a crash programme.

Such a response would significantly increase the chances of major security faults in the FCS network architecture. Haste makes waste largely because haste causes outright errors, which in software means bugs, and debugging is usually a longer and more painful process than writing the original code.

Finally, FCS developers must come to grips with two meta-development security issues.

System security is not just software security but hardware component security as well. To save money, the Pentagon has embraced commercial sourcing of off-the-shelf parts, which could potentially be modified to compromise their users' security (recall the controversy over the NSA's promotion of the Clipper Chip, a part designed with a built-in key-escrow capability).

In particular, many electronic components come from China and other emerging-market countries that could be antagonistic to the US.

Similarly, guaranteeing security requires not only trustworthy programmes but also trustworthy programmers. For example, the German and US e-security breaches last year could conceivably have been carried out by internal IT employees for purely mercenary reasons. Indeed, the worst security breaches usually involve trusted insiders, as illustrated by notorious spy networks such as the John Walker ring, reportedly regarded by the KGB as the most successful espionage operation in its history.

Therefore, in the context of 'Warfare 2.0', Russian and Chinese cyberoffensive capabilities begin to pose threats that go beyond disruptive to potentially catastrophic.