Ever since European cybersecurity officials discovered the Stuxnet worm last June, it has been characterized as a "paradigm shift" in critical infrastructure threats. European Network and Information Security Agency Executive Director Udo Helmbrecht characterized Stuxnet, which is unprecedented in its capabilities and sophistication, as "a new class and dimension of malware."
Stuxnet, which contains four zero-day Windows vulnerabilities as well as two stolen digital certificates for authentication is the first discovered worm that secretly monitors and reprograms industrial control systems. Stuxnet exploits weaknesses in Windows operating systems and takes command of a Siemens component that controls critical industrial operations, such as those of oil pipelines, electrical power grids, and nuclear energy plants.
Whether Stuxnet is a new weapon of modern espionage or cyberwarfare is unclear. However, many security experts believe the sophisticated malware was developed by a well-funded private entity or a national government agency to attack Iran's industrial infrastructure, including the Bushehr nuclear power plant. Iranian officials report that Stuxnet has infected 30,000 machines involved in running its industrial control systems, and the Bushehr facility reportedly didn't work correctly for several months. "An electronic war has been launched against Iran," according to Mahmoud Liaii, director of Iran's Information and Technology Council of the Industries and Mines Ministry.
To be certain, the digital age is ushering in entirely new ways to fight wars. "Cyber tools can be used as an instrument for government security as well as for military and intelligence purposes," states Herbert Lin, chief scientist for the Computer Science and Telecommunications Board at the U.S. National Research Council. Adds Rain Ottis, a staff scientist at the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, "Cyber warfare is almost certain to emerge the next time two technologically advanced states fight a major shooting war."
It's not an abstract concept. Although government Web sites and computer systems are likely targets (many government systems are 10 to 20 years old and can't support modern security standards), civilian targets like power grids, telecommunications networks, flight control systems, and financial networks are also at risk. "Cyberwarfare has the potential to cause significant strategic damage," observes Sami Saydjari, CEO of Cyber Defense Agency, a cybersecurity consulting firm headquartered in Wisconsin Rapids, WI.
The evolution of weaponry has always centered on gaining superiority over an enemy. However, in the digital age, the nature of war is changing radically. It's one thing to detect an invading army and its well-marked planes, tanks, and troops. It's not so simple to identify bits and bytes of data, ascertain exactly where they're coming from, and understand the sender's intentions.
In fact, hackers and others attack government and corporate systems for a broad array of reasons that have nothing to do with politics or ideology. As a result, defining cyberwarfare is a challenge and the hype often exceeds reality. "Some very visible and vocal people have seemingly equated any malicious activity on the Internet to cyberwarfare," Ottis observes. "Most, if not all, cyberattacks should be classified as criminal, espionage related, or hactivist, and not warfare."
Moreover, there is no clear international law covering cyberattacks although experts say the mere act of one nation or state invading another's computers could be construed as an act of war. Common attack methods include vandalism, spreading propaganda, gathering classified data, using distributed denial-of-service (DDoS) attacks to shut down systems, destroying equipment, attacking critical infrastructure, and planting malicious software.
Over the last few years, untold incidents may have fallen into these categories, but proving the legitimacy of attacks is next to impossible. That's because hackers hijack computers all over the world and use them as part of a botnet to launch attacks. Tracing back the Internet protocol address doesn't necessarily provide insight into who actually is launching the attack. In May 2007, for example, Estonia's government Web sites came under attackpresumably from Russiaafter the government moved a Soviet war memorial. The wave after wave of DDoS attacks came from IP addresses all over the world, though many of them originated from Russian-hosted servers.
In October of the same year, Israel mounted a sneak air attack against Syria and destroyed a fledgling nuclear research center deep inside the country. Some analysts believe that Israel avoided detection by hacking radar and other defense systems in Syria and perhaps additional countries. Afterward, Aviation Week magazine reported: "The process involves locating enemy emitters with great precision and then directing data streams into them that can include false targets and misleading message algorithms."
When Russian troops invaded the Republic of Georgia in August 2008 the news media diligently reported the event and analysts pondered the repercussions. But what wasn't apparent to manyat least immediatelywas that the battle wasn't being fought only with troops and tanks. Several servers and Web sites operated by the Georgian government, including the nation's primary government site, were rendered useless through a steady barrage of DDoS attacks.
Almost immediately, the Georgian Ministry of Foreign Affairs issued a statement via a replacement site built on a blog-hosting service. It read: A cyber warfare campaign by Russia is seriously disrupting many Georgian websites. Meanwhile, Barack Obama, then a U.S. presidential candidate, issued a demand that Russia stop interfering with the Web sites. Analysts and security experts noted that the attacksmostly originating in Russia and Turkeywere linked to the Russian Business Network, a group with close ties to Russian gangs and the government.
"Cyberwarfare is almost certain to emerge the next time two technologically advanced states fight a major shooting war," says Rain Ottis.
Meanwhile, the People's Republic of China and the U.S. have reportedly launched cyberattacks against each other dating back to the 1990s, though China has taken a lead in developing cyberwarfare systems, Saydjari says. For one thing, the government has adopted a more secure operating system named Kylin, which provides hardened protection that is not available with Windows, Unix, and Linux. China has also funneled capital and expertise into developing cyberwar capabilities, including enlisting patriotic hacker gangs. "They have acted slowly, patiently, and strategically," says Saydjari.
Although government-sponsored cyberattacks have so far occurred on a limited basis, the probability of a major cyberwar erupting over the next decade seems inevitable. In all likelihood, experts say, a cyberassault would accompany more traditional forms of warfare, but it could also serve as a way to wreak economic harm or destabilize a nation state without a conventional battle. As Ottis puts it, "In the end, the aim of war is usually not to kill your enemy but to impose your will on them."
Scott Borg, director and chief economist of the nonprofit U.S. Cyber Consequences Unit, located in Norwich, VT, has stated publicly that cyberattacks can cause "horrendous damage." Even a short-lived Internet failure could have severe repercussions. The cost of a flight control system crashing or an electrical power grid fading to black could extend into the hundreds of billions of dollars and lead to a cascade of economic problems.
Yet the ensuing fallout could cause an additional array of headaches. Because China manufactures many components, obtaining spare parts during a conflict could prove difficult, if not impossible. In addition, some analysts worry that electricity generators and other components imported from China and other countries could contain hidden software that allows hackers to access systems through a back door or execute a malicious software program on command.
Already, many nations have developed sophisticated hacking and intrusion capabilities, including planting Trojan horses, rootkits, and other nefarious tools on targeted systems. Many of these applications stealthily reside on computers until someone decides to flip a switch and activate them. In fact, much of the preparation goes on behind the scenes. "During 'peacetime' many nations actively prepare for offensive cyberoperations and some nations probably test their capabilities with nonattributable events," Ottis points out.
Of course, the idea of cyberwarfare hasn't been lost on terrorist organizations either. "While nation-states are likely to be quite choosey about how and when they use cyberwarfare tools, terrorists are likely to view things in a less methodical and calculating way," Saydjari explains. "Their goal can be as simple as destabilizing systems and creating chaos." Worse, it is nearly impossible to identify terrorists inflicting a cyberattack and strike back at a tangible target. Economic sanctions and diplomacy aren't viable either.
China has funneled capital and expertise into developing its cyberwar capabilities, including enlisting civilians and gangs of hackers.
What makes the situation all the more dangerous, Saydjari notes, is that a relatively large number of cybermercenaries exist and many openly advertise their skills. In some instances, they might be hired to handle a project that appears less harmful than it actually is or they might not be concerned about the repercussions. In addition, these individuals often act in a rogue manner and they can easily venture beyond a government's desired actions.
There is some pushback. For now, some businesses and governments are turning to ethical hackers to discover holes and vulnerabilities and report them to authorities. In addition, the U.S. government recently announced a $40-billion national cybersecurity plan to combat cyberattacks from foreign and domestic hackers. However, in May 2010, James Miller, principal deputy under secretary of defense for policy for the U.S. Department of Defense, noted the nation is losing enough data from cyberattacks to fill the Library of Congress many times over.
Make no mistake, the risk of cyberwarfare is growing and many, including Saydjari, warn that political leaders aren't entirely tuned into the severity of the threat. Murky definitions, old and insecure computer systems, difficult-to-detect actions, and vague rules of engagement aren't making things any easier. "Cyberwarfare must be taken seriously," Lin says. "The question isn't, Will it happen? It's how and when will it happen and what effect will it have on society."
The Evolution of Cyber Warfare, Council on Foreign Relations, Feb. 2008.
Clarke, R. A. and Knake, R.
Cyber War: The Next Threat to National Security and What to Do About It, Ecco, New York, NY, 2010.
"In a doomsday cyber attack scenario, answers are unsettling," Los Angeles Times, February 17, 2010.
Mueller, R. S. III.
"The State of Cyberterrorism and Cyberattacks," speech, RSA Cyber Security Conference, San Francisco, CA, March 4, 2010.
National Research Council
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, 2009.
©2010 ACM 0001-0782/10/1200 $10.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.