[Infowarrior] - The Fog of Cyberwar
Richard Forno
rforno at infowarrior.org
Mon Apr 20 03:25:04 UTC 2009
The Fog of Cyberwar
NATO military strategists are waking up to the threat from online
attacks.
By Evgeny Morozov | NEWSWEEK
Published Apr 18, 2009
From the magazine issue dated Apr 27, 2009
http://www.newsweek.com/id/194605
GhostNet sounds like something John le Carré would invent. This vast
cyber-espionage operation spanned 1,295 computers worldwide, a third
of them located in ministries of foreign affairs, embassies,
international organizations and news media, some holding classified
data. According to a report by three Canadian security think tanks in
March, it included at least one unclassified computer at NATO
headquarters in Mons, Belgium. Although the culprit is unidentified,
some experts suspect China. Whether it exploited any of the data is
hard to say. That it could obtain it so easily has raised eyebrows in
the world's mightiest military alliance.
NATO is only just beginning to recognize that the Internet has become
a new battleground, and that it requires a military strategy. As
economic life relies more and more on the Internet, the potential for
small bands of hackers to launch devastating attacks on the world
economy is growing. To counter such threats, a group of NATO members,
including the U.S. and Germany, last year established a kind of
internal cybersecurity think tank, based in a former government
building in Tallinn, Estonia. The 30 staffers at the Cooperative Cyber
Defense Centre of Excellence analyze emerging viruses and other
threats, and pass on alerts to sponsoring NATO governments. They are
also working to bring the allies together on the elusive issues that
deepen the fog of cyberwar.
Experts with backgrounds in the military, technology, law and science
are wrestling with such questions as: What qualifies as a cyber
"attack" on a NATO member, and so triggers the obligation of alliance
members to rush to its defense? And how can the alliance defend itself
in cyberspace? Already, the debate is producing strikingly different
answers: as Washington moves to create a new "cybersecurity czar" and
new funds for cyberdefenses, Estonia is moving much of the job into
civilian hands, aiming to create a nation of citizens alert and wise
to online threats.
The choice of Estonia as the home to NATO's new cyberwar brain trust
is not accidental. In 2007 Estonia was in a public squabble with
Russia over the fate of a Soviet-era monument when it suddenly found
itself under a wave of cyberattacks. Among the targets were two of
Estonia's biggest banks, whose online systems were severely degraded
for several hours. The scale of the economic damage is still
classified as a state secret, but the fact that this happened in
"E-stonia," a proud digital society where even parking meters take
payment via text messages, was eye-opening. Although the decentralized
nature of cyberattacks made it hard to know whether the Kremlin
ordered the attacks, clues led Estonia to a Russian suspect, whom the
Kremlin refused to extradite.
One thing is clear: Russia gained from what may be the first
successful invasion in the new age of cyberwar. Hillar Aarelaid, a
manager at Estonia's computer emergency response team, who coordinated
Estonia's defenses during the assault, told me that the attack used a
nasty weapon called a "distributed denial of service," or DDOS. Cheap
to organize and devastating, DDOS involves a small gang of hackers who
command a cyber-army of infected PCs to overwhelm the Web sites of a
bank (or other institution) with seemingly legitimate requests. Yet
Aarelaid believes that the attackers who came after Estonia aimed to
flaunt the range and power of their arsenal. If the orders came from
the Kremlin, the message to former Soviet satellites was clear: defy
us at your own risk. Estonia, courageously, went ahead and moved the
Soviet monument anyway.
The attack revealed the vulnerability of a NATO member to external
pressure. If a group in Russia could wreak so much havoc over a
statue, imagine what a state-sponsored effort could do? Attackers
could infect and gain control of thousands of computers—much like
GhostNet did—and go after banks all across Europe, leading to digital
chaos—online banking would go down, credit-card purchases couldn't be
verified. Factor in electricity grids, dams and airport navigation
systems, which are connected to the Internet, and it begins to sound
like a Hollywood movie.
The trick, from NATO's standpoint, is figuring out when an attack is
hacker mischief and when it's a military matter. Back in 2007,
Estonia's minister of defense stated that "the attacks cannot be
treated as hooliganism, but have to be treated as an attack against
the state." But no troops crossed Estonia's borders, and there was
almost nothing that we associate with a conventional conflict. How to
respond, and against whom? The first step, say scientists at the
center, is to identify when a threat warrants a military response. "In
the absence of a clear legal framework for dealing with cyberattacks,
it's very hard to decide whether to treat them as the beginning of
armed conflict," says Rain Ottis, one of the center's senior scientists.
The United States is clearly leaning toward a military strategy. In
March the U.S. Senate took up a bill that would bring cybersecurity
work at the NSA, Air Force, DHS and a dozen other agencies under a
"cybersecurity czar," who would also become a "national cybersecurity
adviser." It would arm this person with unprecedented powers,
including the right to shut off federal networks if they are found to
be vulnerable. If passed, the bill might result in even further
militarization of cyberspace; today, virtually all major security
contractors—from Lockheed Martin to Boeing—have already set up
cybersecurity divisions, fighting for government funds. U.S.
government spending on secure computer networks is forecast to rise
from $7.4 billion in 2008 to $10.7 billion in 2013. Most of NATO's
biggest members, including France, Britain and Germany, appear to be
following the U.S. lead.
Estonia, on the other hand, is choosing not to play up fear of a
cyberwar. Such talk in 2007 only made already strained relations with
Russia worse. Instead, it prefers to demilitarize the issue by
shifting the responsibility for cybersecurity from the Ministry of
Defense to the Ministry of Economic Affairs and Communications, and is
working to identify the services—like online banking—that are most
critical to running a digital economy. The Estonians are stepping up
efforts to educate citizens on how to identify risks, and creating
graduate programs in cybersecurity. Heli Tiirmaa-Klaar, the senior
defense adviser at Estonia's defense ministry and one of the country's
leading cybersecurity officials, speaks of promoting a "culture of
cybersecurity," starting with schoolchildren.
The Estonians have the right idea. Cyberattacks would be prohibitively
expensive if hackers had to build their own computers, rather than
hijacking idle ones. And a society of savvy citizens is the best
defense, because they have every incentive to stay ahead of the
hackers; industry tends to stay a step behind, because attacks create
a demand for new software. That's how America's reliance on
centralized military industries could backfire: they are not numerous
or nimble enough to fight Internet battles. Estonia's civilian answer
is both more likely to prove popular in diplomatic circles, and more
likely to be successful.
© 2009