Cyber warfare: don't inflate it, don't underestimate it

"Inside Cyber Warfare" author Jeffrey Carr on China, Russia, and the one target that worries him most

The public rift between Google and China may have elevated cyber security and cyber warfare into the public’s consciousness, but the truth is, network attacks and Internet-based espionage are nothing new.

In the following interview, Jeffrey Carr, author of “Inside Cyber Warfare,” takes a measured look at cyber attacks — the major players, the hot spots, the huge problems, and the realistic solutions. He also reveals the one cyber warfare target that keeps him up at night.

Cyber warfare: what it is, where it comes from

Mac Slocum: If you had five minutes or less to give somebody a firm sense of cyber warfare, how would you do that? What would you tell them?

Jeffrey Carr: I like the illustration of the introduction of the handgun. When Colt invented it, it became known as the great equalizer. So the way that the handgun revolutionized warfare is being done now, again. And it would be fair to call cyber warfare the great equalizer because it balances the scales between a vastly superior force and any nation. That’s because of two things: the vulnerability of the current Internet and because most modern military forces are network-centric. The reliance on networks, particularly power networks, to conduct war is critical. Anybody who can attack the network can greatly inhibit a superior adversary. So I think that’s a revolutionary step forward.

MS: Does the cyber warfare threat come from a specific government, or is it more broadly dispersed than that?

JC: I think that every government potentially would use cyber warfare in its own defense, including the ones that we normally would think of. So when it comes to China, for example, they’ve made it very clear they’ll act defensively. You can go back historically and see that.

Part of the Chinese government’s operational guidance for their military is that if an imminent attack was present from the United States, they would launch a preemptive network attack. And so in order to be able to do that, they need to have access to our network beforehand. And that’s why I believe this is such a serious matter. You may not hear about blackouts or power grid failures or any kind of cyber intrusion into the vast electrical grid system, but I think you need to accept the Chinese military at their word and recognize that this is their goal.

Russia, on the other hand, has not made it as clear as China. And Russia has not demonstrated that it would only attack in self-defense. It has used cyber attacks in an aggressive, offensive manner many times, going back into the late ’90s. It’s a whole different ballgame there.

So it really depends on the state. Is it an aggressor nation? Then they’ll use it offensively like Russia has done. There are numerous states in Africa that are using cyber in an offensive manner against internal opposition. We’re going to see more of the prevailing party attempting to silence the opposition party through various means, including cyber attacks.

MS: Doesn’t that mean we’ve got an awful lot of states infiltrating and spying on each other’s systems right now?

JC: Sure. But that’s not new. I call espionage the world’s third oldest profession because it’s been around forever. This is just a new way to conduct espionage that we didn’t see before.

MS: How long has cyber warfare been going on?

JC: It was already happening back in the late ’90s. There was a commission during the Clinton administration. They released the Marsh Report [PDF] in 1997 and it discussed a lot of the same things that we’re hearing about today. It’s not new. It just happens to be a hot topic today.

Governments should worry, not people

MS: Clearly, there’s a threat. And clearly, it’s been present for quite a while. But if we take this down to the individual level, how does personal privacy factor into all this?

JC: Most people don’t have to worry about it. Like the current deal that’s being negotiated between Google and the NSA. The NSA really doesn’t care about most people. They’re only looking for certain things. So I don’t think privacy is an issue.

However, the more important part about privacy is that we’ve already given up privacy voluntarily because of what we post on Facebook, MySpace, Twitter, LinkedIn, Live Journal, and a host of other smaller but still available web forums. So if all a country is doing is mining what’s already out there, then is that considered a violation of privacy? Because it’s publicly available and you made it available.

MS: So how should people approach this?

JC: What I do is if I don’t want it to be known, I don’t post it. I don’t care if it’s password protected or not.

But you don’t want to get carried away. You need to consider: What do I have that’s of value to someone else? That’s what you don’t want to post. Like your bank information. Or if you work for a government or a company and you’re in a position where you know that you’re going to be targeted, then you would have a different approach to your Internet security vs. someone who just works in his own neighborhood. That guy doesn’t have any national security ties or work for any industries that are of interest to foreign states. Most likely, he’s perfectly safe. He shouldn’t really be too concerned.

MS: That’s just common sense, right?

JC: Yeah. I really do want to see it balanced. I hate exaggeration on either side. To overblow the threat is just as wrong as to hide it. What I tried to do in the book is just make it as factual and as balanced as I possibly could.

MS: So some people might work themselves up unnecessarily, but what about governments? Do they take this seriously enough?

JC: The U.S. government is clearly not taking it seriously enough. It makes absolutely no difference what they say because, like I said, you can go back to 1997 and read the Marsh Report and see for yourself. Action is what counts.

My biggest aggravation — I published a post about this on my blog — is you need to start putting your country first. I realize that sounds corny. But in adversary states, it’s not corny. They do put their nation’s interests first. In the U.S., we push that aside for profit. If it hurts business, if it hurts the economy or if it even has the potential of doing that, then we set it aside. And that’s taken us to a place of high vulnerability.

I would like to see people put their self-interests aside, recognize the seriousness of the threat, and collaborate together on actions that can defend us.

The solutions

MS: So what recommendations would you make to governments? What actions can be taken?

JC: The first thing that I would do is enforce the existing requirements that ISPs vet their customers. By ISP I mean any Internet service company that sells or leases servers to host websites. Servers are used as attack points, and if they’re in the United States that’s the best because you’ve got reliable power, great up-time, and it’s relatively cheap. Attribution is almost impossible because you’re attacking a U.S. government website from a server that’s located in the U.S. So who’s responsible?

We can fix that if you simply bring the law to bear on these companies and force them to vet their customers and to monitor what their customers are doing. You could solve a lot of problems overnight because you would force them [countries/people looking to conduct cyber warfare] to find other servers outside of the U.S. It would help attribution and it would help reduce the vulnerability via the internet.

The other thing I would counsel is to evaluate what you own that’s at risk. Consider taking it entirely off the internet. Crucial infrastructures use what’s called an air-gapped strategy, where the control servers have no connection whatsoever to the public Internet. The U.S. government does that with their secret network. SIPRNet is completely isolated from NIPRNet, which is the unclass intranet that runs throughout the government.

MS: You mentioned cyber attack attribution. How are you tackling that?

JC: Most companies are trying to find a technical solution. The thinking is: If you look at the malware closely enough, if you look at the nodes, is there a particular signature that assigns attribution? I’m not convinced there will ever be a technical solution to attribution.

What my company does is expand the picture greatly. We start at the state level. What do we know about what those states are doing? What R&D projects are they financing within their research institutions? That’s where you have to begin because once you know what’s been attacked, then the next question is who does that serve? Who would find that information of value? Is it only of value to a state? That’s where you’ll start looking.

If you can find a state who is actively researching a particular area, and the information that was stolen supports that research, that adds another brick to the wall. We’re looking at it like a criminal case. You have to build a full picture because you’ll never find a smoking gun.

No source, no counter-attack

MS: If a cyber attack can come from anywhere, how does that change the whole notion of a counter-attack?

JC: Right now, that’s why deterrence is impossible. As long as attribution is not forthcoming, you cannot deter. You cannot respond, unless you completely change the model of attribution. And that might be possible. That’s what my company and others are working on. We’re building a more comprehensive model of how to identify where an attack has come from. So it is a challenge that’s being addressed, but it’s going to take a little time before we have an agreed upon way of doing that.

It requires international cooperation. I think the U.S. is on the right track when it comes to trying to have agreements signed among various law enforcement agencies to pursue cyber criminals across borders. It’s the same network. The network that’s being used to send out phishing scams and botnets is, oftentimes, the very same network that’s used to launch various attacks against nation states.

MS: Is “warfare” the wrong word to describe what’s happening? Is it dangerous to categorize cyber warfare as a military domain, like “air,” “land,” or “sea”?

JC: The name of the book is “Inside Cyber Warfare,” but I hate using that word. I used it because that’s what everybody’s using. But there is no agreed upon definition of what an act of cyber warfare is. It just doesn’t exist. There’s cyber conflict. There’s cyber attacks. There’s cyber espionage. There’s all of that. But there is no cyber war that we can point to that has any legal substance.

I think it’s dangerous to define domains in the sense you don’t want to put limitations in your mind about what’s possible via the Internet. The Internet is so completely pervasive that if you only think of it as a single domain, you’re going to block out threat possibilities that could impact other domains. You’re not safe if you’re at sea from a network attack. You’re not safe in the air from a network attack. That’s why I think it’s limiting and probably shouldn’t be defined that way.

A different view of China

MS: For China in particular: what are the things to consider and what are the things to look out for?

JC: China clearly has a lot of problems internally. Their economy is growing, but it’s still relatively fragile and highly dependent on the U.S. The difference in economic conditions varies radically from the countryside to the cities. On the other hand, they own over a trillion dollars of U.S. debt. That gives them incredible leverage. So that’s a balancing act that’s going to be very interesting to watch, especially over this Google issue. But they’ll never concede to eliminating censorship on their Internet. They’ll walk away from Google if that’s what it takes.

People inflate fear about China, but China has no interest in attacking the U.S. They want the same things that any country would want. And they’re going about it the same way that we would go about it. We’re doing espionage. We’re looking after our interests. We’re exerting our will as a nation. It’s silly to try to take the moral high ground here. It doesn’t serve any useful purpose.

MS: One of the interesting points that came out of the Google-China analysis is the idea that Google has its own foreign policy now. Do you think that’s the case?

JC: Honestly, I don’t see it as anything new. The idea of a new, more sophisticated attack against Google that we’ve never seen before, I think that’s overblown. The idea that you have hackers who gain entrance to a network and then exploit data from that network, that’s not new. This is all just espionage. Google is just another company that has something of value.

But Google does represent a turning point because it’s getting so much press. It’s raising the issue to the point where the U.S. State Department got involved. That’s all good.

Near-term hotspots and the most vulnerable target

MS: Broadly, what do you see happening within cyber warfare over the next few years?

JC: Africa has a huge population of infected computers. I read one estimate a few months ago that they have about 100 million PCs scattered throughout the continent and maybe 80 percent of those are infected. Once broadband hits Africa, then you’ve got this huge opportunity for botnets to spring up. These mega botnets could conceivably dwarf Conficker or some of these other huge botnets.

East Africa is another spot to watch. In Somalia, where piracy is lucrative and the area is so lawless, it’s such a chaotic environment. There’s a growth of religious extremists there as well. So you’ve got criminals with a huge pile of cash, these pirates, and then you have these radical extremists looking for ways to create havoc. Should their interests coincide, I would fear for very destructive Internet attacks.

MS: Last question: Out of all this, what’s the thing that keeps you up at night?

JC: The most worrisome thing to me is the vulnerability of the power grid. I just released a report on this — it’s Project Grey Goose’s Report on Critical Infrastructure — where I and my team of researchers document the problem. The Department of Defense has identified 34 critical assets to conducting its mission. Thirty-one out of the 34 are dependent on the public power grid.

I know in my state of Washington, they tell us that if there’s an earthquake or some other natural disaster, you can expect no help for at least seven days. There will be no police response, no 911 response, no National Guard for at least seven days because they’ll all be busy protecting critical infrastructures. And so that’s what I worry about. The grid is so vulnerable. It would cause a lot of chaos here if somebody were to actually attack it.

Note: This interview was condensed and edited.

Update, 6/10

Jeff Carr spoke about government, security and openness at the 2010 Gov 2.0 Expo.
