Virtual Criminology Report 2009


  • 8/14/2019 Virtual Criminology Report 2009


    Virtual Criminology Report 2009
    Virtually Here: The Age of Cyber Warfare


    CONTENTS

    Foreword
    Introduction
    Is the Age of Cyber War at Hand?
    The Private Sector in the Crosshairs
    Setting the Agenda for a Public Debate on Cyber Defense Policy
    Moving Forward
    Contributors


    Foreword

    War is not a term to be tossed around lightly. That is why the growing debate over cyber war has caught our attention.

    The annual McAfee Virtual Criminology Report has traditionally focused on the methods, targets and behavior of cyber criminals. And yet, as we put together the 2007 report, numerous experts pointed out that nation-states were not only spying on each other in cyberspace, but also developing increasingly sophisticated cyber attack techniques. Since that report was published, we have seen the concept of cyber war debated more often in the face of mounting attacks and network penetrations that appear to be motivated by political objectives instead of financial gain, making it a stretch to characterize them as cybercrime. We decided to revisit the possibility of war in cyberspace in this year's report.

    Experts disagree about the use of the term cyber war, and our goal at McAfee is not to create hype or stoke unwarranted fear. But our research has shown that while there may be debate over the definition of cyber war, there is little disagreement that there are increasing numbers of cyber attacks that more closely resemble political conflict than crime. We have also seen evidence that nations around the world are ramping up their capabilities in cyber space, in what some have referred to as a cyber arms race.

    If cyberspace becomes the next battleground, what are the implications for the global economy and vital citizen services that rely upon the information infrastructure? What should those of us outside the military do to prepare for the next wave of cyber attacks?

    Finding answers to these questions was not easy because much of this discussion is only happening behind closed doors. We believe this veil of secrecy around cyber warfare needs to be lifted.

    There is little doubt that the impact of cyber war will extend beyond military networks. As our dependence on Internet technology grows, so does the need for thoughtful discussion on political conflict in cyberspace. This year's Virtual Criminology Report highlights the complexities and potential consequences that arise when political conflict goes online. Our hope is that the report will help encourage and frame a global dialogue on protecting our digital resources from the scourge of cyber war.

    Dave DeWalt
    President and CEO, McAfee, Inc.


    Introduction

    Is the Age of Cyber War at hand? This year, the fifth annual McAfee Virtual Criminology Report contemplates this question and others prompted by the fact that nation-states are arming themselves for the cyberspace battlefield. Since our 2007 report, when we last discussed the growing cyber threat to national security, there have been increasing reports of cyber attacks and network infiltrations that appear to be linked to nation-states and political goals. The most obvious of these attacks was the August 2008 cyber campaign against Georgia during the South Ossetia War. We decided it was time to further examine whether cyber warfare is now a part of human conflict that we should get used to seeing more often.

    McAfee commissioned Good Harbor Consulting to research and write this report. The report was prepared by Paul B. Kurtz, a recognized cyber security expert who served in senior positions on the White House's National Security and Homeland Security Councils under U.S. Presidents Clinton and Bush, and David W. DeCarlo, with the support of Stacy Simpson. The team interviewed over 20 experts in international relations, national security and Internet security from around the world to assess their opinions on the definition of cyber war, its impact on the private sector and the priority of issues for public discussion.


    There have been increased reports of cyber attacks and network infiltrations that appear to be linked to nation-states and political goals.

    Three key findings emerged:

    Although there is no commonly accepted definition for cyber war today, we have seen nation-states involved in varying levels of cyber conflict. Further, while we have not yet seen a hot cyber war between major powers, the efforts of nation-states to build increasingly sophisticated cyber attack capabilities, and in some cases demonstrate a willingness to use them, suggest that a Cyber Cold War may have already begun.

    If a major cyber conflict between nation-states were to erupt, it is very likely that the private sector would get caught in the crossfire. Most experts agree that critical infrastructure systems, such as the electrical grid, banking and finance, and oil and gas sectors, are vulnerable to cyber attack in many countries. Some nation-states are actively doing reconnaissance to identify specific vulnerabilities in these networks. In the words of one expert, nation-states are "laying the electronic battlefield and preparing to use it."

    Too much of the debate on policies related to cyber war is happening behind closed doors. Important questions, such as where to draw the line between cyber espionage and cyber war, are being discussed in private, or perhaps not at all. Many governments have chosen to keep debate on cyber conflict classified. Since governments, corporations and private citizens all have a stake in the future of the Internet, it is time to open a global dialogue on how to manage this new form of conflict.


    Is the Age of Cyber War at Hand?

    As millions of Americans all over the world celebrated their nation's independence over the July 4th holiday weekend, Web sites belonging to their government were bombarded with access requests, slowing and sometimes blocking access to the sites.


    These denial-of-service attacks targeted the White House, Department of Homeland Security, U.S. Secret Service, National Security Agency, Federal Trade Commission, Department of the Treasury, Department of Defense and the Department of State, as well as the New York Stock Exchange, Nasdaq, Amazon and Yahoo.

    When these sites were attacked, however, the whole country was busy spending time with friends and family and grilling food on their patios. Hardly anyone seemed to notice that they could not access the latest news from the Federal Trade Commission or the Treasury Department.

    The following Tuesday, 11 Web sites of the South Korean government were brought down by the same network of 50,000 computers used in the attacks on the United States. South Korean intelligence officials blamed North Korea as the source of the attacks, an allegation that was reported by the Associated Press. Suddenly a lot more people started paying attention.

    Internet security experts quickly determined that an unsophisticated adversary launched the attacks on the U.S. and South Korea, and debated whether North Korea was behind the attacks. Many of the Web sites were able to return to their usual business within a few hours. Some security experts and policymakers concluded that the attacks were no more than a nuisance to the people of the United States and South Korea, regardless of whether North Korea was responsible.

    What was the motive behind the July 4 attacks?

    "If the attacks did originate from North Korea, one motivation could have been to test the impact of flooding South Korean networks and the transcontinental communications between the U.S. government and South Korea on the ability of the U.S. military in South Korea to communicate with military leaders in Washington and the Pacific Command in Hawaii," suggests Dmitri Alperovitch, Vice President of Threat Research at McAfee. "The ability of the North Koreans to severely diminish the information transmission capacity of those links would provide them with a significant advantage in case of a surprise attack on South Korea across the Demilitarized Zone."


    The Georgian Cyber Flood: A Model for Future Conflicts?

    In August 2008 Russia attacked the nation of Georgia in a dispute over the Georgian province of South Ossetia. As the Russian military mounted its assault on the ground and in the air, a group of Russian nationalists joined the fray in cyberspace. Any civilian, Russian-born or otherwise, aspiring to be a cyber warrior was able to visit pro-Russia websites to download the software and instructions necessary to launch denial-of-service attacks on Georgia. On one Web site, called StopGeorgia, visitors could download a list of target Web sites and an automated software utility. The only effort required by the user was to enter the Web address of a target and click a button labeled "Start Flood."2

    The coordinated assault inundated Georgia's government and media Web sites with access requests. While the effects were minor at first, with service going down on some Web sites sporadically, the denial-of-service attacks became more severe once the armed hostilities started. News and government Web sites were no longer reachable by anyone within or outside Georgia, severely hampering Georgia's public communications. Russia achieved a significant psychological victory by preventing Georgia from disseminating accurate information about the state of battle to the public. And, with Georgia's side of the story silenced, Russia practically won the battle over international public opinion by default.

    Russia denied any involvement on the part of its military or government in the cyber attacks. But some people were suspicious that the Russian military had the serendipity to begin hostilities on the ground concurrently with an entirely independent civilian cyber assault. The U.S. Cyber Consequences Unit (US-CCU), an independent, non-profit research institute, began monitoring the situation almost immediately after the attacks, in part to determine how the campaign was organized. In a recently released report, the US-CCU concluded that all of the attackers and activities showed every sign of being civilian, yet someone in the Russian government must have given the organizers of the attacks advanced notice of the timing of Russia's military operations.3

    Others had a different view of the attacks. By the end of the week, Representative Peter Hoekstra, a member of the U.S. Congress, was stating publicly that the U.S. should conduct a "show of force or strength" against North Korea for its alleged role in the attacks. "Whether it is a counterattack on cyber, whether it is, you know, more international sanctions ... but it is time for America and South Korea, Japan and others to stand up to North Korea," he said, "or the next time ... they will go in and shut down a banking system or they will manipulate financial data or they will manipulate the electrical grid ... and they may miscalculate and people could be killed."1

    The attacks were perhaps more than a simple crime in cyberspace, but did they warrant a U.S. political response or threat of military action? What was the motive of the attackers? Was there any truth to the assertion that North Korea was responsible for the attacks? If they were, what were the intended consequences?

    The answers to all these questions were unclear. Yet these cyber attacks were not the first ones to raise such questions. In 2007 Estonia fell victim to a series of denial-of-service attacks on government and commercial Web sites. The attacks lasted for weeks, affecting the ability of Estonians to access their checking accounts online and conduct e-commerce. Technical analysis showed the attacks came from sources within Russia, but the Russian government denied any responsibility.

    Although Estonia is a member of the North Atlantic Treaty Organization, an alliance established during the Cold War to deter attacks from the Soviet Union, the members of NATO did not seriously consider an official military or diplomatic response to the attacks, according to Taimar Peterkop, Defense Counselor at the Embassy of Estonia in Washington. Some members of NATO did send technical advisors to help Estonia reduce the impact of the attacks, but the assistance was not provided as part of an official NATO mission.

    1 "Hoekstra: Stand up to N. Korea," Washington Times, July 9, 2009.


    Once the attacks subsided, Estonia attempted to pursue the perpetrators through a law enforcement response to the attacks. The investigation was successful in identifying some of the attackers in Russia, but Estonian law enforcement officers reached a dead end when they sought help from their Russian counterparts. Estonia has been unable to convince the Russian authorities to apprehend the offenders and bring them to justice, Peterkop said.

    In the wake of these events and others, governments around the world are increasing their efforts to prepare for future cyber attacks. NATO has set up a Center of Excellence for cyber defense in Estonia to study cyber attacks and determine under what circumstances a cyber attack should trigger NATO's common defense principle that an attack on one is an attack on all. In June 2009, U.S. Defense Secretary Gates announced the formation of the U.S. Cyber Command, a sub-unified organization under U.S. Strategic Command. Led by a four-star general, the new command is designed to defend vital U.S. military networks. The UK government recently announced plans to create a central Office of Cyber Security (OCS) to deal with the rising level of online attacks. The OCS will have a role in coordinating offensive capabilities and, in extreme cases, would have the ability to mount a cyber attack in response to intrusions on UK networks. Other nations are contemplating similar initiatives to protect their populations in cyberspace.

    2 "Marching off to cyberwar," The Economist, December 4, 2008.

    3 "Overview by the US-CCU of the Cyber Campaign Against Georgia in August of 2008," US-CCU Special Report, August 2009.

    Perhaps even more surprising than finding some level of coordination between Russian officials and the cyber attackers was that the Russians might have deliberately chosen to limit the damage caused by the attacks. No critical infrastructures were targeted, even though investigations by the US-CCU suggested that a number of these infrastructures were vulnerable and could have been attacked. "The fact that physically destructive cyber attacks were not carried out against Georgian critical infrastructure industries suggests that someone on the Russian side was exercising considerable restraint," the report says.

    Scott Borg, Director of the US-CCU, believes the Georgia conflict may be a harbinger of how nation-states will orchestrate future cyber attacks. "People were provided with attack tools, targets and timing in the Georgia cyber campaign," Borg said. "So far this technique has been used in denial-of-service and other similar attacks. In the future it will be used to organize people to commit more devastating attacks."


    Cooperative Cyber Defence Centre of Excellence

    The Cooperative Cyber Defence Centre of Excellence (CCDCOE) was established in May 2008 in Tallinn, Estonia to enhance NATO's cyber defense capabilities. The CCDCOE is an international organization with membership open to all NATO nations. Currently, Estonia, Latvia, Lithuania, Germany, Italy, the Slovak Republic, and Spain have signed the memorandum of understanding to provide personnel and funding as Sponsoring Nations. The mission of the CCDCOE is to improve the capabilities, cooperation and information sharing among NATO nations through education, research and development, consultation and evaluation of lessons learned from cyber conflicts.

    Toward a Definition of Cyber War

    War is typically defined as the use of force, or violence, by a nation-state to compel another to fulfill its will. Prussian strategist Carl von Clausewitz essentially defined it this way in his book On War, a classic for strategic military thinking from the early 19th century. Specifically, he described war as "the continuation of politics by other means."

    In other words, military conflict is a way for nation-states to achieve their political objectives when other means, such as diplomacy, are not working or are less expedient than violence. Clausewitz's concepts continue to frame the way military strategists and international relations theorists think about war today.

    The use of force, however, may no longer be as obvious as it was during Clausewitz's time. Clausewitz wrote about war soon after the Napoleonic Wars in which he served, when nation-states sent their armies of uniformed infantry to oppose each other on a battlefield a few hundred yards apart and fire musket rounds at one another. He likely could not have imagined a new battlefield made up of bits and bytes where the borders between countries blur, the weapons are difficult to detect and rarely seen, and the soldiers can easily be disguised as civilians.

    The world's increasing reliance on information technology coupled with the growing sophistication of cyber attackers has prompted experts to examine the notion of cyber war. Yet there is disagreement among cyber security, technology and international relations experts as to what kind of actions, if any, constitute warfare in cyberspace.

    When determining whether a cyber attack is an act of cyber war, experts evaluate four key attack attributes:

    Source: Was the attack carried out or supported by a nation-state?

    Consequence: Did the attack cause harm?

    Motivation: Was the attack politically motivated?

    Sophistication: Did the attack require customized methods and/or complex planning?


    International relations experts today widely accept the basic definition that warfare is the use of force by one or more nation-states against another for political gain. In addition, an act of war is widely regarded as a serious event. Few nations would go to war over a nuisance such as rocks being tossed over their borders, but rockets would be another matter entirely.

    It sounds simple in theory, but applying these concepts to the cyber world is difficult. Identifying the source, defining harm, and understanding motivations in a cyber conflict can be more of an art than a science. For instance, what one nation may view as an inconvenience might be seen by another as an intolerable threat. And, if a nation encourages an attack, but does not actually carry it out with its own military, can it still be considered cyber war?

    Does This Mean War?

    Figure 1. Evaluating Cyber Attack Attributes

    SOURCE
      0-3: little or no evidence of state involvement
      4-8: state-tolerated / state-sponsored
      8-10: state-executed

    MOTIVATION
      0-3: unknown/criminal
      4-8: may be politically motivated
      8-10: stated/explicit political objective

    CONSEQUENCE
      0-3: low impact / short duration
      4-8: moderate impact / medium duration
      8-10: severe impact / long duration

    SOPHISTICATION
      0-3: known exploits
      4-8: unpublished exploits
      8-10: custom developed exploits

    Scale: 0-3, 4-7, 8-10

    Events plotted:
      Estonia: cyber attacks on Estonia (April-May 2007)
      Georgia: cyber attacks during South Ossetia War (August 2008)
      July 4: cyber attacks during fourth of July (July 2009)


    It is in answering these questions that experts start to differ on the definition of cyber war. While all experts agree that nations must have some role in carrying out the attack, their opinions tend to diverge on what is the threshold of damage or disruption where a cyber attack becomes cyber warfare. Indeed, some experts are skeptical that the cyber attack capabilities available today are capable of causing the severe physical consequences, such as casualties and permanent damage to property, that most nation-states would associate with warfare.

    The cyber weapons we have seen to date, used alone, are not capable of achieving the level of damage necessary for an attack to rise to the level of warfare, according to Eugene Spafford, Director of the Center for Education and Research in Information Assurance and Security at Purdue University. "I don't think the idea of cyber warfare doesn't make sense, but it doesn't apply to any of the events we've seen so far."

    Cyber attack capabilities may not yet be the chief weapon in nation-states' arsenals, but events have shown that a growing number of nation-states do see them as part of the panoply of military power. According to national security officials, several nation-states are developing advanced cyber offensive capabilities, the details of which are unknown to the public because they are strictly classified by governments.

    The question remains whether the posturing of nation-states today means that cyber war, unaccompanied by physical conflict, will someday become a reality. "Over the next 20 to 30 years, cyber attacks will increasingly become a component of war," said William Crowell, a former Deputy Director of the U.S. National Security Agency, an intelligence organization. "What I can't foresee is whether networks will be so pervasive and unprotected that cyber war operations will stand alone."

    It may be difficult to imagine an entirely virtual conflict where nation-states go to war without firing a single shot from a rifle, tank or airplane. Perhaps it will take a modern-day Clausewitz to lift the fog surrounding cyber war and help the rest of us peer into the future. In the meantime, there are more immediate concerns, such as the confusion that arises when nation-states enlist cyber criminals as allies to achieve their political objectives.


    In the case of the cyber attacks on Georgia, for example, civilians carried out the cyber attacks on targets while the Russian military invaded Georgia by land and air. There is evidence that these civilians were aided and supported by Russian organized crime, according to a recent report by the U.S. Cyber Consequences Unit (US-CCU), an independent research institute. Russia denied that its government or military provided any help to the attackers or communicated with them. Yet the same US-CCU report found that the cyber attacks were so close in time to the corresponding military operations that there had to be close cooperation between people in the Russian military and the civilian cyber attackers.4

    Herein lies the challenge of unraveling whether an attack is a criminal act, an act of war, or something else entirely. The attacks on Georgia were motivated by Russia's political objectives, but, in large part, they were orchestrated by civilian attackers on civilian targets using methods that are not very different than those used by cyber criminals.

    "Many of the challenges of cyber war mirror those in cybercrime because nation-states and cyber gangs are all playing from the same instruments," according to a German cybercrime investigator. "For instance, anyone can go to a criminal group and rent a botnet. We've reached a point where you only need money to cause disruption, not know-how, and this is something that needs to be addressed."

    The Nexus Between Cyber Crime and Cyber War

    The line between cyber crime and cyber war is blurred today in large part because some nation-states see criminal organizations as useful allies. Nation-states have already demonstrated that they are willing to tolerate, encourage or even direct criminal organizations and private citizens to attack enemy targets.

    4 "Overview by the US-CCU of the Cyber Campaign Against Georgia in August of 2008," US-CCU Special Report, August 2009.


    The hacking skills of criminal groups may make them natural allies for nation-states looking for a way to deny involvement in cyber attacks. In order to avoid or circumvent international legal norms on war altogether, nation-states may sponsor, encourage, or simply tolerate cyber attacks or espionage by private groups on their enemies. Crowell believes there is evidence of this ruse. "There is overlap between cyber war and cyber crime," Crowell said. "Cyber crime is often adjunct to or a cover for other kinds of malicious activities."

    Furthermore, money is sometimes not the only motivation of criminal organizations. In a presentation on "Fighting Russian Cyber Crime Mobsters" given this year at the Black Hat briefings on cyber security, Dmitri Alperovitch, Vice President of Threat Research, McAfee, explained how some members of Russian cyber crime gangs are motivated by nationalism and a righteous attitude toward the West. These moral values are sometimes proclaimed in online forums. In one forum, a banner states the group's mission: "We will recreate historical fairness. We will bring the USA down to the level of 1928-33."


    In theory, we already have concepts that apply separately to war and crime. In practice, it is sometimes difficult to apply these categories to specific attacks and their perpetrators. Countries around the world vary widely in their approach to combating terrorism; some treat terrorists as criminals, others treat them as prisoners-of-war, and the U.S. began treating captured terrorists as enemy combatants soon after the September 11, 2001 attacks, regarding them as unlawful combatants that did not qualify for prisoner-of-war status under the Geneva Conventions. There is no reason to presuppose that applying old concepts to a new kind of human aggression in cyberspace will be easy.


    The Private Sector in the Crosshairs

    The threat to private companies and citizens is real. Nation-states have contemplated launching cyber attacks that could be far more devastating than what was seen in Estonia or Georgia.


    For instance, before the U.S. invasion of Iraq in 2003, the U.S. military and intelligence agencies planned a cyber attack on the Iraqi financial system. The attack would have frozen billions of dollars in Saddam Hussein's personal bank accounts and stopped payments to Iraqi soldiers and for war supplies. Everything was in place. Systems were ready, awaiting the go-code.

    The Bush administration did not issue the attack order. Sources within the former administration said officials were concerned that the attack would ripple outward from the epicenter of the Iraqi financial system, potentially affecting banks in the Middle East, Europe, and the United States.5 The risk of jolting the world into a financial crisis, U.S. officials may have reasoned, was not worth it. While in this case the U.S. decided to hold back due to the high risk of collateral damage, one can imagine what the consequences for the private sector might be if hostilities were to erupt between two major powers.

    Consider the perspective of a chief executive officer at a large financial institution. He opens the paper one morning and starts reading a story about a small conflict that has flared up between rebel and government forces in a country thousands of miles away. An unnamed source says the CEO's government might be financing the rebels. Without finishing the story, he flips to the financial section, finishes his coffee, and then goes on with his day.

    Meanwhile, the bank's information technology specialists are finding out that they suffered a major system breach during the middle of the night. The attack is more complicated than they are used to seeing and they are having trouble restoring their systems. The IT specialists inform management and the bank contacts law enforcement for help. The bank is told the problem is widespread, but no one is really sure what has happened or what to do next. By lunchtime the CEO receives a brief on the problem, and he thinks to himself that maybe, just maybe, the two events are related.

    But it is too late. The attack has already compromised the data in the company's online banking system serving millions of customers. There is a backup of the data, but it will take days to restore it, and the customer service department is already flooded with calls from people concerned about their life savings. Confidence in the bank is at risk, potentially causing a classic run on the bank. While it may be theoretical, this scenario is not impossible.


    5 "Halted '03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk," New York Times, August 1, 2009.


    The threat to critical infrastructures, however, is not unique to the Western world. Dr. Masaki Ishiguro works in the Information Security Group at the Mitsubishi Research Institute in Japan. "If adversaries intended to attack nations in cyber space, they would select targets which would cause the largest impacts and losses to their opponents with the least effort," Ishiguro said. "It is therefore a very reasonable assumption that adversaries would attack critical infrastructure systems via the Internet."

    Although definitions of critical infrastructure may differ between countries, many of the information systems in the various critical infrastructure sectors, particularly in developed economies, are privately owned, according to Dr. Kim Kwang Choo, information security expert at the Australian Institute of Criminology. "Almost every business in developed economies makes use of the Internet and as businesses and governments continue to engage in electronic commerce they will become increasingly globalized and interconnected," Dr. Choo said. "The common use of information technologies and communications infrastructure creates various interdependencies between key sectors, with many of the same technology-related risks affecting one or more of these sectors." The consequences of a cyber attack could therefore continue to reverberate after the immediate damage is done.

    A Target-Rich Environment

    Many international security and cyber security experts say that the critical infrastructure of nation-states (banking and finance, electrical grids, oil and gas refineries and pipelines, water and sanitation utilities, telecommunications systems) are all likely targets in future wars. In many countries, especially in the West, private ownership of these utilities means that private companies will likely be caught in the crossfire.

    The consequences of a cyber attack couldtherefore continue to reverberate after theimmediate damage is done.


    In some countries, for instance, the electrical grid, water supply and other critical utilities are essentially tied to the Internet. Remote control devices, known in some industries as Supervisory Control and Data Acquisition (SCADA) systems, help companies to cut the costs of running and maintaining the infrastructure that provides electricity and water and refines the fuel to run cars. When companies installed these systems, it does not seem they anticipated that adversaries might also want to control the systems remotely to disrupt or damage them. Greg Day, a Principal Security Analyst at McAfee, believes the situation today arose from human beings responding to basic economics. "I have yet to meet anyone who thinks SCADA systems should be connected to the Internet. But the reality is that SCADA systems need regular updates from a central control, and it is cheaper to do this through an existing Internet connection than to manually move data or build a separate network," he said.

    Experts say that it is not trivial to hack SCADA systems and other digital control systems. The hurdle is not so much the availability of hackers with the right technical skills as the amount of planning that is required for an attack. Despite the challenge of mapping out vulnerabilities in systems, there is evidence that it can be done and that attacks on utilities can be carried out successfully. One senior analyst for the U.S. Central Intelligence Agency said last year that hackers were able to attack the computer systems of utility companies outside the U.S., and in one case caused a power outage in multiple cities. 6

    6 "CIA: Hackers shut down power to entire cities," Telegraph.co.uk, January 25, 2008.


    Critical infrastructures may not be the only targets of an attack. Nation-states are also likely to use cyber attack as a new means for conducting propaganda campaigns. Dmitri Alperovitch, Vice President of Threat Research, McAfee, believes that Russia used such tactics in its campaign against Georgia. "It's interesting to note that Russia had complete military superiority. They didn't need a cyber attack to win the war," Alperovitch said. "But it was critical for Russia to win the war of international opinion. Russia executed a very intense effort to destroy Georgia media operations through both physical and cyber means."

    The targets of a propaganda war may range from traditional news Web sites to social media sites, such as Twitter and Facebook. Any site that influences public perceptions of current events might be the target of an attack during a conflict, and perhaps even during times of peace. Recently, in August 2009, Twitter, Facebook and other Web sites came under a coordinated denial-of-service attack that appeared to be directed at one man. He was a 34-year old professor at a university in Georgia who had been blogging about the Georgian conflict. Because the attacks were timed closely with the one-year anniversary of the Georgia war, some people suspect that someone inside Russia wanted to silence the professor's opinions. 7

    The attacks also affected hundreds of millions of other users. Although they were collateral damage, few users seemed to care. In fact, once Twitter came back online, a group of users started a tongue-in-cheek discussion about what happened to their lives when Twitter was down. The consensus was that the outage had not changed their lives at all.

    But, as seen during the South Ossetia War, attacks on the media may not always be so innocuous when the stakes are higher.

    7 "Twitter Snag Tied to Attack on Georgian Blog," Washington Post, August 8, 2009.


    Challenges for the Private Sector

    Given the increasing sophistication of the threat from nation-states, private companies need to think about how they can improve their cyber defenses, according to Dr. Greg Rattray, author of Strategic Warfare in Cyberspace.

    The private sector is generally responsible for protecting themselves, but cyber war could change the types of attacks companies see. The rapid evolution in offensive capabilities means that private sector defenses will need to be hugely adaptable. This puts the private sector in a tough spot. Instead of confronting this challenge, business executives may be tempted to rely on help from the government in the event of an attack. One of the chief roles of governments around the world, after all, is to provide for the common defense.

    Some experts caution business executives that relying on the government may provide only a false sense of security. "There's a danger that businesses think they will get bailed out when a catastrophic attack happens," said Scott Borg, Director of the U.S. Cyber Consequences Unit (US-CCU), an independent research institute. "This is not a good assumption for businesses to make. In the event of an attack, they may not be able to count on the government because the government is tied up with other problems. Or, the government may react in a way that businesses don't like."

    Borg's organization investigates the consequences of possible cyber attacks and the cost-effectiveness of possible counter-measures. According to Borg, the US-CCU's studies generally show that a business that can continue functioning during an attack will gain an economic benefit. "In many industries, businesses that can weather cyber attacks better than their competitors stand to gain considerable market share during a wave of cyber attacks," Borg said. "And their reputations will emerge from the crisis in better shape than businesses that were less prepared."

    The US-CCU's findings might make a strong case for private companies to be preparing for cyber attacks on their own, without the help of government. But business executives may wonder, if I can't count on the government to respond rapidly to a serious attack, should my company consider striking back at attackers? IT security experts call this "active defense." In contrast to the passive defensive measures of, say, installing a firewall or encrypting sensitive transactions, an example of active defense would be to target the source of a cyber attack with a denial-of-service attack on the offending Web server.

    "These active defense measures might be effective, but they are also probably illegal," said John Woods, a Washington lawyer specializing in privacy and information management. Woods offered the example of a credit card company that is hacked and wants to know if there are any tools that could be used to track where the company's data is going. While there are such tools available, he said, they would have to be embedded in the company's data, and would then need to download themselves onto the hacker's computer system. Woods said that a number of countries have laws on the books that may treat this activity as criminal.

    Since private companies may not be able to hack-back against an attack that has compromised their passive defenses, whom should they call for help? Law enforcement, the military, intelligence agencies? Experts believe that private companies and governments generally need to improve their information sharing mechanisms so that both will be working together and sharing resources in the event of a serious cyber crisis.

    Information sharing can be critical to recognizing that a serious network infiltration is happening or has occurred. There have been several examples where a private company did not know they had been penetrated until they were told by a government agency or law enforcement. For example, according to a report earlier this year, electrical utility companies in the U.S. did not find out that other nation-states were probing their networks for vulnerabilities until U.S. intelligence officials told them. 8

    The problem is that government organizations are not always forthcoming about detailed threat information on attacks and without the detail it is not always possible to respond to the threat, according to William Crowell, former Deputy Director of the U.S. National Security Agency. He said there have been cases where the U.S. government told companies that they might be under attack yet did not provide any detail on the specifics of the attacks. "Clearly, we need to find a way to share information about the detailed nature of cyber attacks," Crowell said. "We should reduce the bars to the government sharing information with private entities on cyber threats and vice versa."

    8 "Electricity Grid in the U.S. Penetrated by Spies," Wall Street Journal, April 8, 2009.


    Stuck in the Middle

    Creating further challenges, much of the communications, software and network infrastructure is owned and operated by the private sector. Because of the central role of technology companies, most experts agree that they will need to play some role in responding to attacks.

    The fact is that many already do work closely with governments and law enforcement on attack mitigation. But the limits of private sector responsibility and the exact nature of their role in detection and response remain unclear. "Understanding the role of the private sector and where they have responsibility is one of the key questions that no one really has a good answer to right now," said Dr. James Lewis, Director of the technology program at the Center for Strategic and International Studies.

    Experts have focused on the private sector's responsibility to improve the security of software and systems and further educate consumer users on protecting themselves from botnets and other forms of malicious code. "While it would be unfair to blame computers and their users that are stepping stones to a botnet, software vendors have a responsibility to make users aware of security issues," said Dr. Neil Rowe, Professor of Computer Science, Naval Postgraduate School.

    Some nation-states may be willing to go a step further, requesting or requiring help from telecommunications companies and software vendors in the name of national security or foreign policy interests. During Iran's presidential election in June, for example, Twitter was planning an update to its Web site that would have cut daytime service to Iranians who were protesting the election. The protesters were relying on Twitter, a social networking service, to spread messages about rallies and communicate with the outside world. The U.S. State Department recognized the consequences for protesters and contacted Twitter to ask the company to delay the planned update. 9

    9 "U.S. State Department speaks to Twitter over Iran," Reuters, June 16, 2009.


    These events suggest that nation-states may seek to enlist the support of private companies, perhaps even forcing them to choose sides in a time of crisis. Dr. Dorothy Denning, a professor in the Department of Defense Analysis at the Naval Postgraduate School, notes that Internet service providers and security firms have already helped detect and shut down some attacks. Nation-states could ask telecommunications companies to do even more, perhaps requiring them to routinely screen Internet traffic for the signatures of malicious software before an attack even occurs.

    Proposals to introduce such screening mechanisms are a touchy subject due to concerns about protecting privacy rights. In several countries, debates are striking up on how to balance the desire to improve security with preserving the open and anonymous Internet that we know today. Brazil's legislature is now considering a bill that would require Internet service providers to keep logs of all Internet traffic for a period of three years. Vanda Scartezini, a partner at POLO Consultores Associados, an IT consultancy in Brazil, believes that this approach strikes the right balance. "While telecommunications companies should be able to help government officials figure out the source of attacks, they should not be made responsible for the content of the Internet," she said. Other countries have already adopted similar measures that require action by telecommunications companies to ensure that certain data will be available in case of future criminal investigations.

    Jonathan Shea, CEO of the Hong Kong Internet Registration Corporation, agrees that Internet service providers and domain name registries have a specific role to play in helping to prevent attacks and collaborating with the government in response to attacks. "When it comes to collective interests like national security, governments in many countries tend to trade in their people's privacy for greater security," Shea said. "I see this as an increasing trend in cyber security, and I hope that we can come up with new ways to detect and prevent security breaches without impacting too much on personal privacy."


    Exploring the Options

    There is little doubt that cyber warfare will have a significant impact on the private sector. Yet the roles and responsibilities of the private sector in a time of conflict remain unclear.

    Experts believe the private sector should work with government to explore new defensive measures such as prioritizing computer network assets, developing mitigation and response plans, creating separate networks for highly critical systems, and developing a synoptic view of network activity to improve situational awareness across sectors. Both the public and private sectors have a shared risk and shared responsibilities when it comes to cyber security. "It is in the interest of both the public and private sectors to engage each other to take preventive action against situations and conditions that facilitate cyber exploitation opportunities," said Dr. Choo. "Both the public and private sectors should continually work together to identify and prioritize current and emerging risk areas, develop and validate effective measures and mitigation controls, and ensure that these strategies are implemented and updated."

    In general, the public and private sectors need to share information, particularly threat intelligence, more effectively together. If such measures are adopted proactively, before a major cyber attack happens, they might even obviate the need for governments to ever contemplate a Big Brother approach to cyber security.


    Setting the Agenda for a Public Debate on Cyber Defense Policy

    A significant challenge to resolving the questions raised by the prospect of cyber war has been the secrecy in which many governments are shrouding their strategies for using cyber weapons and defending against cyber attacks.


    The lack of a clear doctrine for cyber defense reminds Richard Clarke, former Special Advisor to the President for Cyber Security at the White House, of the development of U.S. nuclear strategy after World War II. "In the 1950s to 1960s, civilians, many of them outside of the government, came up with a complex strategy for the use of nuclear weapons. This strategy was then debated publicly and later incorporated into national policy," Clarke said. "Today, planning for cyber war is at a similar stage. For example, the U.S. has a cyber command, but there hasn't been a public discussion about when and how cyber weapons should be used. There hasn't been an academic discussion either. Computer scientists and international relations experts are not talking to each other right now."

    In the 1950s U.S. nuclear policy was to launch its entire nuclear arsenal at the Soviet Union and its allies if the Soviet Union invaded Western Europe and managed to overwhelm U.S. conventional forces, even if the Soviet Union did not use a single nuclear weapon in its attack. The purpose of this policy, known as massive retaliation, was to deter the Soviet Union from launching such an attack. In the 1960s a group of nuclear strategists, many of them from academia, pointed out that the U.S. could not be certain that its first strike would destroy all of the Soviet Union's nuclear arsenal. This uncertainty put the lives of Americans and Europeans at risk.


    The group of strategists developed the concept of counterforce as an alternative policy: the U.S. would first target only Soviet military targets in response to Soviet aggression, but would also warn the Soviet Union of impending attacks on its cities if it did not recall its forces. The U.S. eventually adopted counterforce in place of the strategy of massive retaliation. It is not known for certain whether the plan would have helped to forestall Armageddon; luckily, it has never been tested. Nonetheless, experts from outside the military and public debate certainly helped to shape U.S. nuclear strategy.

    Today, many experts say that there has not been enough discussion about the use of and appropriate responses to cyber attacks. Debate has been lacking on a number of different levels: between nation-states, within governments, between the military, civilian and intelligence agencies, and between the public and private sectors. According to Dr. Greg Rattray, author of Strategic Warfare in Cyberspace, cyber warfare entangles so many different actors in so many different ways that public debate is required to sort out all the issues. "We need to have a national debate on how far governments should go in protecting the security of their citizens," Rattray said. "Cyber warfare is a major form of conflict that the public should weigh in on and have the chance to decide how they want their governments to defend them."

    Experts have identified several issues that should be put on the agenda for public discussion, such as: Will a cyber deterrence strategy work? Should there be an international treaty on the use of cyber weapons? What is the line between espionage and warfare in cyberspace? Public debate among policymakers, diplomats, academics and private sector experts on these issues will influence national cyber strategies and may even lead to international agreements that address cyber war.


    Will a Cyber Deterrence Strategy Work?

    Nuclear deterrence was a mainstay of relations between the U.S. and Soviet Union during the Cold War. The nuclear stockpiles of both nations reached such levels that each side was capable of annihilating the other, and then some. Summed up neatly in the phrase "mutually assured destruction," some experts credit this defensive posture with deterring the U.S. and Soviet Union from getting into a hot war directly with one another. Will the proliferation of cyber attack capabilities deter conflict in a similar way today?

    Experts advise against going too far with the analogy to nuclear deterrence because cyber weapons are quite different from nuclear weapons. First, not every country is similarly vulnerable to a catastrophic cyber attack. Whereas the U.S. and Soviet Union were more or less equally vulnerable to the obliteration that would have followed a nuclear strike, cyber warfare can be asymmetric. For instance, developed nations tend to have more connections to the Internet than developing ones. Furthermore, some nations have connected critical infrastructure systems and networks to the Internet; others have not, or have done so to a lesser degree. If a less-connected nation were to launch a cyber attack on a more-connected one, the more-connected nation might have few, if any, targets upon which to launch a cyber counterattack. A country need not commit itself to only in-kind reprisals (that is, taking an eye for an eye, or an e-commerce server for an e-commerce server) in order to deter attacks. But when a cyber counterattack is not feasible, nation-states must decide what kinds of military, diplomatic and economic actions are proportional responses to particular cyber attacks.

    Some experts point to the difficulty of attributing the source of cyber attacks as another reason why a strategy of deterrence may not work. Attackers can essentially mask their identity or forge someone else's through techniques that exploit the trusting nature of the mechanisms behind the Internet. University researchers developed the Internet protocols in the 1970s for communications and data exchange with other researchers; they did not have any reason to suspect that a person on the other side of an information transaction would be an imposter. Attackers have been able to take advantage of these basic flaws, making it difficult to ascertain who is responsible for an attack. If adversaries believe they can carry out an attack with impunity, they are not likely to be deterred by a threat of reprisal, whether by cyber, physical, diplomatic or economic means. Furthermore, attribution becomes even more complex when confronting sophisticated supply chain attacks where an adversary surreptitiously embeds backdoors in hardware or software during development, production, or distribution of products.

    Researchers are working on improving the ability to identify attackers (or what many in the field call the attribution problem) by developing techniques to geo-locate attackers and by creating mechanisms, such as authentication processes, that would make the Internet less anonymous overall. "The attribution problem can be resolved," said Jamie Saunders, Counselor at the British Embassy in Washington. "Maybe 100 percent accuracy is not possible, but you can create doubt in the adversary's mind that they can get away with an attack and not be found out."


    Notwithstanding efforts to find a silver bullet for attribution, adversaries may still have little reason to doubt they can get away with a cyber attack, especially if governments do not make clear their policies for retaliation. Military strategists may argue that it is advantageous to keep response plans secret or indefinite to keep the enemy guessing. Confusion leads to fear and fear is a powerful deterrent. But there is always the chance that an adversary miscalculates, a chance perhaps made more likely when rival powers keep information on new weapons and their intent to use them a secret. In the 1964 movie Dr. Strangelove, a satire set during the Cold War, the Soviets build a doomsday device that is programmed to destroy the world if it detects a nuclear strike on the Soviet Union. Unfortunately, the Soviets forget to tell the Americans about it until after a rogue U.S. general has ordered a nuclear attack. The dire news prompts the title character, a mad scientist, to say, "Of course the whole point of a Doomsday Machine is lost if you keep it a secret! Why didn't you tell the world?"

    Should There Be an International Treaty on the Use of Cyber Weapons?

    Previous advances in weaponry (the longbow, the machine gun, the tank, the atomic bomb) have sometimes influenced the way nation-states prepare for war, when they go to war and how they conduct warfare.

    Cyber weapons are the newest addition to the offensive capabilities of nation-states and perhaps some non-state actors. As such, people have begun to wonder whether current international legal and ethical regimes on war and conflict need updating.

    Although cyber attacks are a relatively new form of human conflict, most experts believe that they are subject to international laws of armed conflict and the Charter of the United Nations. That is, nation-states should still follow principles guiding when it is justified to use force against another nation, a body of law known as jus ad bellum, and what actions combatants may take when in armed conflict, a separate body of law known as jus in bello.


    Applying these general principles to specific events, however, is likely to require a great deal of analysis. The National Research Council, a U.S. institute for independent investigations and analysis, issued a report in April 2009 on the technological, legal, ethical and policy implications for the potential acquisition and use of cyber attack capabilities. The report argues that cyber weapons are not altogether so different from kinetic attacks that international laws do not apply. Nevertheless, the report also states that because cyber weapons are so novel, "there will be uncertainties in how [laws of armed conflict] and UN Charter law might apply in a given instance." The report continues: "An effects-based analysis suggests that the ambiguities are fewest when cyberattacks cause physical damage to property and loss of life ... The ambiguities multiply in number and complexity when the effects do not entail physical damage or loss of life but do have other negative effects on another nation." 10

    Some legal experts have suggested that substantial updating to the laws of armed conflict may be necessary. "Current international law is not adequate for addressing cyber war," said Eneken Tikk, legal adviser for the Cooperative Cyber Defence Centre of Excellence in Estonia. "Analogies to environmental law, law of the sea and kinetic war all break down at some point. Answering the question of when to use force in response to a cyber attack needs its own framework."

    Other experts have noted the need to establish common norms and behaviors for actions in cyberspace. For example, rather than seeking to bar the development of cyber weapons, nation-states could establish protocols for what is acceptable and unacceptable behavior in cyberspace. For example, establishing an understanding that it is unacceptable for a nation state to attack civilian infrastructure via cyberspace, and that such action would justify retribution, could deter a nation state from organizing or launching such attacks.

    Even if nation-states generally agree that an entirely new legal regime is not needed, their proposals so far have conflicted on how best to address the ambiguities in the current framework. Some nation-states are arguing for a ban on the offensive use of cyber weapons, similar to international bans on biological and chemical weapons. Other nations say that because it would be difficult, or impossible, to verify compliance with such a treaty, the international community should instead be working on cooperative measures to decrease cyber crime. One example is the Council of Europe Convention on Cybercrime. Over 40 nations have signed the treaty, which pledges each nation to assist others in identifying and bringing to justice the perpetrators of criminal activity in cyberspace.

    Life Cycle of a Cyber Attack

    Figure 3. There are five general stages to developing and deploying a cyber weapon: (1) Research, (2) Reconnaissance, (3) Development, (4) Testing, (5) Attack. Figure annotation: "May not be able to use tool again if vulnerability discovered."

    Note that once a cyber attack tool is used, the enemy may discover the vulnerability and patch it, rendering the tool useless in the future.

    10 William A. Owens, et al., Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, Committee on Offensive Information Warfare, National Research Council (2009).

    A number of experts point to the benefits of increased international cooperation on cyber crime. According to Dr. Dorothy Denning, a professor in the Department of Defense Analysis at the Naval Postgraduate School, strong security plus effective law enforcement may be the best deterrent for criminal cyber attacks. "We need to remain focused on fighting cyber crime and this is the area where international cooperation can make a positive impact."

    Rattray suggests that reducing cyber crime may help to make the Internet more secure as a whole. "The security of cyberspace needs to be considered like an ecosystem. Cyber crime is making the Internet a messy place today. If we were to clean up crime in cyberspace, it would be easier for governments to attribute attacks to their actual sources," he said. Having less to worry about from cyber criminals, governments may be able to keep a better eye on each other.

    There is still an argument to be made for formal and informal international frameworks that would more directly address cyber conflict, according to one expert. "Identifying threats and their sources is no easy task; it is compounded when we remember the impossibility of drawing a clear definition of territorial borders to determine, for example, legal issues, such as the jurisdiction of a cyber crime lawsuit," said Raphael Mandarino, Jr., Director of the Department of Information Security and Communications, Institutional Security Cabinet of the Presidency of Brazil. "Because cyberspace threats are global in nature and their technology is ever-evolving, the struggle to keep up with this evolution demands an enhanced legal structure and increased international cooperation." Mandarino recommended that each country's cyber security strategy should foster close cooperation with international organizations and other countries. Furthermore, he suggested the debate agenda for the international community should include issues such as the definition of cyber borders.

    "If you were a half-clever adversary, you probably wouldn't perpetrate an attack that everyone agrees is cyber warfare; you would play in the shades of gray."

    Michael Rothery, First Assistant Secretary, National Security Resilience Policy Division, Attorney-General's Dept. (Australia)


    The last decade is replete with stories of in ltra-tions by sources that were unidenti able, butclearly malicious in intent. These events togetherrepresent a reconnaissance method that is partof an attack philosophy, said Mike Jacobs, formerInformation Assurance Director, U.S. NationalSecurity Agency. But what has always worriedme is the stuff you cant see happening.

    From what has been reported in the media, it

    appears that nation-states are engaging in cyberespionage on a massive scale. From around 2002to 2005, for instance, an unknown source managedto download 10 to 20 terabytes of informationfrom a sensitive, but unclassi ed, U.S. Departmentof Defense network in an episode code-namedTitan Rain. To put this amount of informationin perspective, consider that digital copies of all thebooks (more than 18 million) in the U.S. Libraryof Congress would represent 20 terabytes of data.Most experts agree that downloading sensitiveinformationeven vast amounts of informa-tionin this fashion is no more than espionage.

    "Espionage is espionage," said Dmitri Alperovitch, Vice President of Threat Research, McAfee. "It's dangerous to call every spy action an act of war."

    Yet some current and former national security experts warn that cyber espionage is not necessarily your typical game of espionage. In the days of the Cold War, espionage might have involved tapping into an adversary's telephone system or radio transmissions or sending a spy to break into a secure facility to snap some photos of secret files. In either case, the goal was usually to collect information rather than to manipulate or destroy it; these forms of sabotage would have risked alerting the enemy. Today, once a hacker gains access to a system, it may be a relatively simple transition from downloading data to sabotaging it. According to Richard Clarke, "The distinction between intelligence collection and damage to systems is a few keystrokes."

    National security experts and intelligence officials confirm that nation-states are leaving back doors on each other's systems while spying in order to guarantee future access to those systems. In some cases, hackers may even plant malicious pieces of software that could be activated in a future conflict to gain an advantage over the enemy.

    These kinds of activities seem more like forward deployment for a future attack than the collection of intelligence. The challenge is in deciding where to draw the line since it may be more difficult to discern an adversary's motives in cyberspace than in the physical world. "We can see physical war about to happen through satellite images of tanks building up at borders or major shifts in military personnel," said John Woods, a Washington lawyer specializing in privacy and information management. "But we may not have this same visibility in cyberspace. When you discover a network intrusion by a foreign nation, are you looking at intelligence gathering, intelligence gathering gone too far or forward advancement for an impending act of war?"

    A nation's response to cyber espionage also poses questions. Nation states are turning to Active Network Defense, which involves not only seeking to identify the origin of the attack but also redirecting such attacks without the adversary's knowledge. Active Network Defense could involve feeding the adversary disinformation, but it could also involve disrupting and disabling systems through more specialized covert attacks. Such activities could escalate, leading to a wider conflict involving both government and private sector infrastructure.

    Most governments do not seem to have made up their minds about whether these potentially damaging activities constitute acts of war, according to Saunders. "The relatively easy transition from espionage to disruption may be the only unique characteristic of cyberspace, maybe the one reason why we can't simply apply the laws of armed conflict to the virtual world," he said. "While governments are aware that there is a level of cyber espionage under way, they probably need to think more on the subject and clarify what will not be tolerated."

    Where is the Line Between Espionage and Warfare in Cyberspace?

    Espionage is always a shadowy game. Played beneath the façade of peace, nations vie to steal state secrets from each other, the specter of conflict distant, but recognizable. In some ways, cyber espionage is no different.

    Once a hacker gains access to a system, it may be a relatively simple transition from downloading data to sabotaging it.


    Moving Forward


    International cyber conflict has reached the tipping point where it is no longer just a theory, but a significant threat that nations are already wrestling with behind closed doors.

    While experts may disagree on the definition of cyber war, there is significant evidence that nations around the world are developing, testing and in some cases using or encouraging cyber means as a method of obtaining political gain. Much of this activity is shrouded in secrecy, but one national security expert remarked that there is already a constant, low level of conflict occurring in cyberspace. Whether these attacks are labeled as cyber espionage, cyber activism, cyber conflict or cyber war, they represent emerging threats in cyberspace that exist outside the realm of cyber crime.

    International cyber conflict has reached the tipping point where it is no longer just a theory, but a significant threat that nations are already wrestling with behind closed doors. The impact of a cyber war is almost certain to extend far beyond military networks and touch the globally connected information and communications technology infrastructure upon which so many facets of modern society rely. With so much at stake, it is time to open the debate on the many issues surrounding cyber warfare to the global community.


    Contributors

    EUROPE, MIDDLE EAST, AFRICA

    Greg Day, Principal Security Analyst for McAfee

    Greg Day is the Principal Security Analyst for McAfee in EMEA (Europe, Middle East, Africa), the primary analyst of security trends and McAfee strategy in the region. As an active spokesperson for the company, he is a frequent contributor to journals, has had numerous papers published and is a keynote speaker on all aspects of information security at conferences and events. Mr. Day is the EMEA lead for the McAfee initiative to fight cyber crime globally and has spoken at the Council of Europe (CoE) and the Organization for Security and Cooperation in Europe (OSCE) events on cyber crime, warfare and terrorism. Mr. Day is also a member of a range of security industry forums, including the Cyber Security Industry Alliance (CSIA), the Cyber Security Knowledge Transfer Network and the Internet Security Forum (ISF).

    Taimar Peterkop, Defense Counselor, Embassy of Estonia, Washington, D.C.

    Taimar Peterkop is the Defense Counselor at the Embassy of Estonia to the U.S. in Washington, D.C. Prior to his current position, Mr. Peterkop worked as Director of Operations and Crises Management department at the Estonian Ministry of Defence, with the main task of oversight of the Estonian Defence Forces operations in and outside of Estonia. He had this position during the April cyber attacks against Estonia in 2007. Before that, Mr. Peterkop was Director of International Law Section where he was responsible for legal aspects regarding Deployment of Estonian Defence Forces to Iraq, Afghanistan and other conflicts. He also dealt with Status of Forces issues and legal aspects of Estonia's accession to NATO. Mr. Peterkop has also worked as a lecturer on international law and published articles on the role of the military in peacetime and status of forces agreements of the visiting forces.

    Dr. Jamie Saunders, Counselor at the British Embassy

    Dr. Jamie Saunders is a counselor at the British Embassy in Washington, where he leads on cyber security policy. He has over 20 years' experience in the government of the United Kingdom, working on the application of technology to a range of national security problems including Counter Terrorism, Counter Proliferation and Counter Narcotics. Before joining the Embassy in 2008, he worked for 5 years as a member of the Senior Civil Service supporting CONTEST (the UK Government's Counter Terrorism strategy).

    Eneken Tikk, Advisor in Public Law, Cooperative Cyber Defence Center of Excellence

    Eneken Tikk is Legal Advisor to the NATO Cooperative Cyber Defence Centre of Excellence. She is also the head of the Cyber Defence Legal Expert Team at the Estonian Ministry of Defense and an adviser on information law and legal policy to the Estonian Ministry of Justice. Ms. Tikk is a legal expert on personal data, databases and public information law. She is a lecturer on information law and legislative drafting at Tartu University, and is currently working in various research programs, including the Harmonization of Information Law and Legal Theoretical Approach to Regulation of Information. Ms. Tikk has previously been a lecturer in the field of international law and law of armed conflicts for the Estonian Military College.

    UNITED STATES

    Dmitri Alperovitch, Vice President of Threat Research at McAfee

    Dmitri Alperovitch is the Vice President of Threat Research at McAfee. He leads the company's research in Internet threat intelligence analysis and correlation, as well as development of in-the-cloud reputation services. With more than a decade of experience in the field of information security, he has significant experience working as a subject-matter expert with all levels of U.S. and International law enforcement on analysis, investigations and profiling of transnational organized criminal activities and cyber threats from terrorist and nation-state adversaries. In addition, Mr. Alperovitch is a recognized authority on online organized criminal activity and cyber security, and has been quoted in numerous articles, including those by Associated Press, Business Week, New York Times, Los Angeles Times, USA Today, and Washington Post. He has been a featured speaker and panelist at numerous law-enforcement, industry and academic security conferences.

    Dr. Scott Borg, Director and Chief Economist of the U.S. Cyber Consequences Unit (US-CCU)

    Dr. Scott Borg is the Director and Chief Economist of the U.S. Cyber Consequences Unit (US-CCU), an independent, non-profit research institute that carries out extensive field investigations into the likely consequences of possible cyber attacks. He is responsible for many of the concepts that are currently being used to understand the implications of cyber attacks in business contexts. He has been a guest lecturer at Harvard, Yale, Columbia, and other leading universities, and is currently a Senior Research Fellow in International Security Studies at the Fletcher School of Law and Diplomacy of Tufts University. Dr. Borg's comprehensive book Cyber Attacks: A Handbook for Understanding the Economic and Strategic Risks should be available later this year.

    Richard Clarke, Chairman of Good Harbor Consulting and Former Special Advisor to the President for Cyber Security

    Richard A. Clarke is an internationally-recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. He is currently the Chairman of Good Harbor Consulting, a global security consulting firm, and an on-air consultant for ABC News. Mr. Clarke served the last three Presidents as a senior White House Advisor. Over the course of an unprecedented 11 consecutive years of White House service, he held the titles of Special Assistant to the President for Global Affairs, National Coordinator for Security and Counterterrorism and Special Advisor to the President for Cyber Security.


    William P. Crowell, Independent Security Consultant and Former Deputy Director, U.S. National Security Agency (NSA)

    William P. Crowell is an Independent Consultant specializing in Information Technology, Security and Intelligence Systems. Crowell previously served as President and Chief Executive Officer of Cylink Corporation, a leading provider of e-business security solutions. Prior to Cylink, he held a series of senior positions in operations, strategic planning, research and development, and finance at the U.S. National Security Agency. He served as Deputy Director of Operations from 1991 to 1994 running its core signals intelligence mission. In February 1994 he was appointed as the Deputy Director of NSA and served in that post until his retirement in September 1997. Crowell is an expert on network and information security issues. In December 2008 Security Magazine selected him as one of the 25 most influential people in the security industry. In May 2007 he co-authored the book, Physical and Logical Security Convergence.

    Dr. Dorothy E. Denning, Distinguished Professor of Defense Analysis at the Naval Postgraduate School

    Dr. Dorothy E. Denning is a Distinguished Professor of Defense Analysis at the Naval Postgraduate School, where her current research and teaching encompasses the areas of conflict and cyberspace; trust, influence and networks; terrorism and crime; and information operations and security. She is author of Information Warfare and Security and has previously worked at Georgetown University, Digital Equipment Corporation, SRI International, and Purdue University.

    Michael J. (Mike) Jacobs, Former Information Assurance Director, U.S. National Security Agency (NSA)

    Michael J. Jacobs is an independent consultant on Information Assurance matters. Previously, he served for five years as a Vice President and Director of the Cyber and National Security Program for SRA International, Inc. Prior to SRA, Mr. Jacobs was the Information Assurance (IA) Director at the U.S. National Security Agency (NSA). Under his leadership, NSA began implementing an Information Assurance strategy to protect the Defense Information Infrastructure and as appropriate, the National Information Infrastructure. He is an industry veteran with 45 years of experience (38 in the U.S. Federal government) in information security and information assurance.

    Paul B. Kurtz, Partner, Good Harbor Consulting

    Paul B. Kurtz leads Good Harbor's cyber and IT security practice group to provide strategic and tactical planning advice to a wide variety of international and domestic clients. He is also the executive director of SAFECode, the Software Assurance Forum for Excellence in Code, a global non-profit organization dedicated to promoting effective software assurance methods. Mr. Kurtz is an internationally recognized cyber security and homeland security expert who has worked at the highest levels of government, serving under Presidents Clinton and George W. Bush. Most recently, he served on President Obama's transition team, evaluating cyber security policy and strategy for government agencies including the Department of Defense, the Department of Homeland Security, the National Security Administration and the CIA.

    Dr. James Andrew Lewis, Senior Fellow and Program Director at CSIS

    Dr. James Andrew Lewis is a Senior Fellow and Program Director at CSIS where he writes on technology, national security and the international economy. Before joining CSIS, he worked in the Federal government as a Foreign Service Officer and as a member of the Senior Executive Service. His assignments involved Asian regional security, military intervention and insurgency, conventional arms negotiations, technology transfer, sanctions, Internet policy, and military space programs.

    Dr. Greg Rattray, Principal at Delta Risk Consulting

    Dr. Greg Rattray is a Principal at Delta Risk Consulting, which establishes risk management strategies and cyber security capacity building approaches for government and private sector clients. Previously, Dr. Rattray served 23 years as a U.S. Air Force officer. His assignments included Director for Cyber Security on the White House National Security Council staff, leading national policy development and NSC oversight for cyber security programs and oversight of Iraqi telecommunications reconstruction. He also served as an Assistant Professor of Political Science and Deputy Director of the USAF Institute of National Security Studies at the Air Force Academy. He is the author of numerous books and articles including Strategic Warfare in Cyberspace, a seminal work in the cyber conflict field.

    Dr. Neil Rowe, Professor of Computer Science, Naval Postgraduate School

    Neil Rowe, Ph.D., E.E. is a Professor of Computer Science, Center for Information Security Research (CISR), U.S. Naval Postgraduate School. His interests include a broad range of topics in applied artificial intelligence. Dr. Rowe's recent work has focused on modeling and implementation of deception in cyberspace as well as automated surveillance for suspicious behavior. He has authored numerous publications on a range of cyber security issues.

    Dr. Phyllis Schneck, Vice President and Director of Threat Intelligence for the Americas for McAfee, Inc.

    Dr. Phyllis Schneck is Vice President and Director of Threat Intelligence for the Americas for McAfee, Inc. In this role, she is responsible for design and applications of McAfee's threat intelligence, strategic thought leadership and evangelism around technology and policy in cyber security, and leading McAfee initiatives in critical infrastructure protection and cross-sector cyber security. Schneck has had a distinguished presence in the security and infrastructure protection community, most recently as a Commissioner and a working group Co-Chair on public-private partnership for the CSIS Commission to Advise the 44th President on Cyber Security. She holds three patents in high-performance and adaptive information security, and has six research publications in the areas of information security, real-time systems, telecom and software engineering.


    Dr. Gene Spafford, Professor of Computer Science and Executive Director of the Center for Education and Research in Information Assurance and Security (CERIAS)

    Dr. Gene Spafford has been on the faculty at Purdue University since 1987. He is currently a Professor of computer science and Executive Director of the Center for Education and Research in Information Assurance and Security (CERIAS). Dr. Spafford is widely known for work in information security and privacy, software engineering, and computing policy. Some people consider him a polymathic futurist, and others simply think he's an iconoclastic crank. He is a Fellow of the ACM, IEEE, AAAS and the (ISC)². He has been repeatedly honored for his contributions in research, education, and service, including an ACM President's Award, the CRA Distinguished Service Award, the IEEE Booth Award, and the NIST/NSA National Computer Systems Security Award.

    John Woods, Partner at Hunton & Williams

    Mr. Woods is a Partner at Hunton & Williams, LLP in Washington, DC and his practice focuses on conducting internal investigations, advising on information security legal issues and representing corporations in government investigations and business crimes. He has a particular focus in advising corporations in the legal response to network security intrusions and data breaches. He advised RBS Worldpay in its investigation of a network intrusion incident, a Fortune 500 retailer in the largest reported hack of credit card data in history, and is advising several companies in the US defense industrial base regarding legal issues associated with the advanced persistent threat hacking problem.

    Amit Yoran, Chairman and CEO of NetWitness Corporation

    Amit Yoran serves as the Chairman and CEO of NetWitness Corporation, a leading provider of network security analytic products. He is a Commissioner of the CSIS Commission on Cyber Security advising the 44th Presidency and serves on several industry and national advisory bodies. Prior to NetWitness, Mr. Yoran served as a Director of the National Cyber Security Division at the Department of Homeland Security, and as CEO and advisor to In-Q-Tel, the venture capital arm of the CIA. Formerly, he served as the Vice President of Worldwide Managed Security Services at the Symantec Corporation. He formerly served as an officer in the United States Air Force in the Department of Defense's Computer Emergency Response Team.

    LATIN AMERICAS

    Renato Blum, CEO of Opice Blum Advogados Associados

    Renato Blum is the CEO of Opice Blum Advogados Associados. He is a lawyer and an economist by training. Currently, he teaches an MBA course in Information Technology Law at the Escola Paulista de Direito. He is also the President of the Supreme Council of Information Technology at the Federation of Trade/SP. Mr. Blum was the coordinator and co-author of the book, Manual de Direito Eletrônico e Internet (Electronic Law and Internet Manual).

    Raphael Mandarino, Jr., Director of the Department of Information Security and Communications, Institutional Security Cabinet, Presidency of the Federative Republic of Brazil

    Mr. Raphael Mandarino Junior has been the Director of the Department of Information Security and Communications (DSIC, Departamento de Segurança da Informação e Comunicações) of the Institutional Security Cabinet of the Presidency of the Federative Republic of Brazil since May 2006. He has also been responsible for the Coordination of the Management Committee of Information Security (CGSI, Comitê Gestor da Segurança da Informação), a group of the Council of National Defense (Conselho de Defesa Nacional), since September 2006. He has been a member of the Management Committee of Infrastructure Public Key of Brazil (CG ICP-BRASIL, Comitê Gestor da Infra-Estrutura de Chaves Públicas do Brasil) since April 2007.

    Vanda Scartezini, Partner, POLO Consultores Associados

    Vanda Scartezini has held many management positions with private technology companies and public institutions. She is the co-founder of and has been an active partner in Polo Consultores, a Brazilian IT consulting company, since 1985. She also acts as President of Altis, a Software & Service outsourcing company and as chair of the board of FITEC, an ICT R&D foundation. She is also an associate partner of Getulio Vargas Foundation Projects and member of the board of ABES, the Brazilian Software Industry Association. She has acted as a Brazilian Government representative in many international missions around the world as well as an expert and consultant for international institutions.

    ASIA-PACIFIC

    Dr. Kim Kwang (Raymond) Choo, Australian Institute of Criminology

    Dr. Kim Kwang (Raymond) Choo works for the Australian Institute of Criminology and is currently in the U.S. to undertake a project funded by a 2009 Fulbright Scholarship to research the future of the cybercrime threat environment. He is also a Visiting Fellow at The Australian National University's ARC Centre of Excellence in Policing and Security, and a member of the International Consultant Group (Research) in the United Nations Office on Drugs and Crime-Korean Institute of Criminology Virtual Forum against Cybercrime Program. In June 2009, he was named one of 100 Emerging Leaders (Innovation category) in The Weekend Australian Magazine/Microsoft's Next 100 series. In September 2009, he received the Highly Commended award at the 2009 ACT Pearcey Award for Young Achievers. Other awards include the 2008 Australia Day Achievement Medallion and the Wilkes Award for the best paper published in the 2007 volume of Oxford University Press's Computer Journal.

    Dr. Masaki Ishiguro, Senior Researcher at the Information Security Research Group, Mitsubishi Research Institute, Inc.

    Dr. Masaki Ishiguro is a Senior Researcher at the Information Security Research Group, Mitsubishi Research Institute, Inc. His work includes research and development on Internet threat detection systems, risk evaluations for information security, formal verification of security protocols, and the trend of information security policy. Dr. Ishiguro received his master's degree at the graduate school of Information Science at the University of Tokyo and he received his doctorate in Information Science at Japan's Advanced Institute of Science and Technology.


    Michael Rothery, First Assistant Secretary, National Security Resilience Policy Division, Australian Attorney-General's Department

    Michael (Mike) Rothery heads the National Security Resilience Policy Division created in March 2009, which is responsible for policy and legal policy advice related to developing national resilience to the full range of natural and human made hazards, including the areas of critical infrastructure protection, chemical, electronic and identity security, and protective security policy. The Division runs the Trusted Information Sharing Network for Critical Infrastructure Protection (TISN), the Document Verification Service and the Australian Government Computer Emergency Readiness Team (GovCERT.au). In this position Mr. Rothery chairs the Protective Security Policy Committee and the E-Security