Research and Advances
Architecture and Hardware Contributed articles: Virtual extension

Cyberwarfare: Connecting the Dots in Cyber Intelligence

  1. Introduction
  2. Key Insights
  3. Future Battles
  4. Data Collection and Analysis
  5. Discussion
  6. Conclusion
  7. Acknowledgment
  8. References
  9. Author
  10. Footnotes
  11. Figures
Defense Cyber Investigations Training Academy
Lucus Nelson teaches hash analysis for Windows forensics at the nationally accredited Defense Cyber Investigations Training Academy in Linthicum, MD, part of the DoD Cyber Crime Center (

Perpetrators and victims usually act as if it never happened, while the evidence is designed to erase itself.

Cyberwarfare is a potent weapon in political conflicts, espionage, and propaganda. Difficult to detect a priori, it is often recognized only after significant damage has been done. Gaining offensive capability on the cyber battlefield figures prominently in the national strategies of many countries and is explicitly stated in the doctrines of several, including China, Russia, and the U.S. It is generally understood they are laying the groundwork for potential cyber conflicts by hacking the networks of adversaries and allies alike.7

Back to Top

Key Insights

  • More than an attack against critical infrastructure, cyberwarfare can also include psychological conditioning through propaganda and control of the spread and content of information.
  • Even as countries unite to fight cyber-crime, they compete for dominance in the cyber arena.
  • Combined human and computer intelligence is needed to make inferences about incidents in cyberspace due to poor signal-to-noise ratio in the data.

Cyberwarfare incidents are increasing,22,31 not only among nation-states but among terrorists, political/social organizations, and transnational groups. An early example of cyberwarfare was the 1999 targeting of U.S. government Web sites by suspected Chinese hackers in the aftermath of the accidental, as officially reported, U.S. bombing of the Chinese embassy in Belgrade in 1999.3 Cyberwarfare has since been observed largely as nuisance attacks (such as Web-site defacement and denial-of-service, or DoS), with only occasional incidents of espionage and infrastructure probes. In rare cases, these attacks have caused large-scale failure of the public Internet though have not resulted in large-scale injury, loss of life, or destruction of property.

Future attacks could involve destruction of information and communications systems and infrastructure and psychological operations. The cyberattacks against Estonia in 2007 and Georgia in 2008 hinted at the potential of cyberwarfare. The prospective crippling impact to critical national infrastructure has established the role of cyberwarfare in modern conflicts.

The tools and techniques for launching attacks in cyberwarfare are the same as in cybercrime. However, perpetrator motivation differs from the more political objectives of cyberwarfare to the significant financial incentives motivating much of today’s cybercrime. In addition, scale, intention, and consequences can be much more severe for cyberwarfare. The publicly reported losses incurred due to cybercrime in the U.S. have increased steadily, totaling $560 million in 2009, according to the U.S. Department of Homeland Security.17 Such losses are due in part to increased sophistication of cyberattacks and partly to increased dependence on online banking and trade. Evidence of this dependence and its costs comes from several recent incidents; for example, in 2009, Albert Gonzales and two co-conspirators were charged with penetrating the networks of several companies, including Heartland Payment Systems, 7-Eleven, and Hannaford Bros., with headquarters in New Jersey, Texas, and Maine, respectively. They stole more than 130 million credit card numbers. The attack was well orchestrated, with systematic reconnaissance conducted on victim companies and hacker identities concealed via proxy services and multiple online pseudonyms. To prevent detection, intrusion-detection software was disabled by the attackers. The victim computers were installed with software for remote control and to harvest credit card information from online transactions.36

Another is the Conficker worm, designed to exploit a Windows service vulnerability that allows network shares to infect machines on a specific port. Once a machine is infected, the vulnerability it exploited is patched and the port sealed to disallow competition from other malware. Updates of anti-malware software and Windows system “restore points” are also disabled. Another feature is that the worm spreads more quickly within the confines of a corporate network to stay ahead of system-administrator response. Conficker B and later variants use a state-of-the-art encryption scheme, called MD6 to avoid detection. Conficker (all variants) created a botnet of approximately six million sleeper machines that when and if awoken can be turned to nefarious purposes.21 Preventing cyberattacks is difficult since there are countless software vulnerabilities and numerous attack vectors.

Here, I discuss the cyberwarfare landscape, as well as the challenges involved in data collection, analysis, and attribution in cyberwarfare incidents. Analyzing cyberattacks follows several discrete steps, including attack detection, relevant data collection, chronology determination, damage assessment, identification and remediation of vulnerabilities, and assignment of attribution. Each poses special challenges (such as disparate sources of data, privacy laws that slow data acquisition, lack of cross-border treaties for data sharing, use of cloaking techniques to hide identity, and volatile data that can be erased if not gathered promptly). Here, I cover the current state of cyberwarfare and its challenges and an approach toward intelligent data collection and forensic analysis of cyberwarfare incidents.

Cyberwarfare involves several major actors, including nation-states, terrorists, and sociopolitical groups28 that differ primarily in intent and target. Nation-states aim to weaken enemy nation-states to give the attacker wartime advantage. Terrorists generally inflict damage as revenge or as a show of strength, leveraging it to solicit sponsors and recruits. Sociopolitical groups crave attention and relevance in political negotiations and policy formulation. In some cases, the distinction between terrorist and sociopolitical groups is blurred, with groups defined by overlapping motivations. Sociopolitical groups may also have the tacit support of government organizations when their objectives align. In addition, secondary players work symbiotically or parasitically with major actors toward their own ends (political or financial), engaging in espionage, reconnaissance, attacks on Internet infrastructure, and raw cyber vandalism.

Espionage and reconnaissance. Several reported cases of cyberwarfare over the past several years have involved reconnaissance and espionage between countries. In 2008, there were nearly 5,500 known breaches of U.S. government computers with malicious software, up from nearly 4,000 in 2007 and 2,000 in 2006, according to the Department of Homeland Security.16 A 2009 U.K. government security document reported the U.K. was a “high priority espionage target” for 20 foreign intelligence agencies, including France and Germany, despite being allies and fellow members of the European Union.32 Cyberspace is increasingly important in U.S. military strategy and tactics,20 as it is in China and Russia. Several reports attributed to Chinese military officials specifically discuss the need for China to devise cyberwarfare techniques to target enemy financial markets, civilian electricity grids, and telecommunications networks by installing malware on systems ahead of launching cyberattacks.8,27,38 A 2009 investigation conducted by researchers at the University of Cambridge and the University of Toronto discovered a massive espionage network originating from China that had infiltrated at least 1,295 computers in 103 countries, many belonging to embassies, foreign ministries, and other government offices, as well as to the Dalai Lama’s Tibetan exile centers in Brussels, India, London, and New York.10,25

In 2009, Chinese hackers reportedly launched an attack that penetrated computers of more than 30 companies, including Google and Yahoo.39 They were camouflaged by multiple levels of encryption, allowing hackers to operate undetected for significant periods of time. Attack vectors, including an Internet Explorer “remote code execution” exploit, were downloaded via email or instant-message links to malicious or infected Web sites. Hackers stole intellectual property and gained access to the email messages of Chinese human-rights activists. The attacks purportedly came from Taiwan but were traced to mainland China. Assigning attribution is often a serious challenge; for instance, it is not unreasonable to assume that Taiwanese activists perpetrated the attacks and (through electronic anonymization) made it appear that someone in mainland China was responsible. This differs from traditional warfare between countries, where the enemy’s identity is generally more readily discernable.

Not all attacks aim to disable computing and network infrastructure. Equally devastating is the use of social media for propaganda, manipulation of public opinion, and incitement of violence, hatred, and nation-state public disharmony.

Propaganda and social warfare. The Internet has amplified terrorist effectiveness by enabling distribution of shared ideologies to a much wider population; for example, social networks1 are employed to foster member kinship and fuel member zeal to act by propagating ideas about martyrdom and revenge. The public Internet allows loosely connected terrorist groups to aggregate, forming larger networks that are distributed, layered, more redundant, and, consequently, more resistant to leadership and succession disruption.35 The ability to recruit members from population centers where terrorist acts are to be committed, rather than transporting operators globally, gives terrorists a strategic advantage. Evidence that terrorists’ reach is widening can be seen in attacks across the globe, in Egypt, India, Indonesia, Pakistan, Russia, Spain, the U.K., and the U.S. An important element in the terrorist strategy is mobilizing public opinion. To sustain themselves, terrorist organizations need sympathizers willing to provide resources and logistic support, as well as to perpetrate their crimes. Terrorist groups are able to launch effective propaganda using the Internet, gaining influence over international affairs, including the flow of information, public opinion, and politics. Efforts intended to locate and shut terrorist Web sites have been largely unsuccessful over the past 10 years, since the Web sites are able to crop up elsewhere.24 With some success, counter narratives are used extensively to negate terrorist messages.

Sociopolitical groups (operating independently or under tacit patronage from national governments) are another potent cyberthreat, with large social followings used for both propaganda and attacks. During Israel’s Gaza offensive, winter 2009, a Moroccan-based Islamic group hacked into an Israeli registration server and poisoned the routing table of popular domains to reroute users to a page featuring hacker-created anti-Israel messages, rather than launch a typical DoS attack.23 Likewise, following the November 2008 attacks in Mumbai, hackers in India and Pakistan defaced government-sponsored Web sites in Pakistan and India, respectively, throughout each other’s national networks.2 Most such attacks can be categorized as a nuisance, drawing minimal attention to their respective causes and affecting only specific government Web sites that are often quickly restored.

Disabling government Web infrastructure. Deliberate attacks that disable a critical portion of national government Web presence can affect communication between governments and their citizens, demoralizing the citizens and destabilizing the governments. These attacks reflect an even more disturbing trend, with long-term ramifications, especially as they are linked to political conflicts among nations. Within hours of the start of the Russia-Georgia war, August 2008, Russia-based cyberattackers disabled and defaced Georgian government Web sites.6 The attacks were encouraged and facilitated by a Russian patriotic hacker group called Nashi and launched by seemingly ordinary civilians who could not be provably employed by the Russian government or military. While there is evidence that Russia was the source of the attack, no conclusive proof confirms Russian government involvement.33 However, what was clear is that ordinary Russian civilians actively participated in the attacks. The hacker group provided the resources and information to perform the attacks, and a large number of Russian citizens and expats launched them. A similar attack in May 2007 was also launched by Russian hackers against Estonian government Web sites in response to the uprooting of a World War II memorial statue commemorating Russian military losses in the campaign to drive the Germans from the region in World War II.

Numbers of attack participants sometimes play an important role in such attacks. As the disparity in Internet availability is bridged between developed and developing countries, those with larger populations can expect to have a future strategic advantage. China and India (with populations of more than a billion each) will be powerful forces in citizen-led attacks. Ironically, botnets, blamed for many recent attacks, will be critical in shifting the cyberwarfare strategic balance, as nations attempt to create botnets using resources from other countries to bridge the disparity. How to classify ordinary citizens participating in these attacks is an important question. Are they criminals, warriors, or patriots? Answering is neither obvious nor easy but has serious implications in terms of law enforcement and international justice.

Back to Top

Future Battles

Cyberwarfare incidents to date have not generated mass panic and are driven more by citizens groups (with implicit government support) than by overt government-sponsored national campaigns. These attacks are meant to send a political message; however, future attacks could have serious consequences, pitting nation against nation and requiring political, as well as military, intervention. One concern shared by all governments is the threat to critical infrastructure through electronic control systems.

While cyberwarfare analysis is hindered by lack of robust international laws and treaties governing cyberwarfare, everyone’s ability to determine attribution suffers the most.

Critical infrastructure attacks. Critical infrastructure is an easy target for enemy countries and rogue transnational groups, since it is widely distributed geographically and largely unprotected. The systems that manage water supply, power, oil, and transport are all critical elements of national infrastructure, each representing a different threat level, though significant interdependencies can lead to unintended consequences in an attack. The critical infrastructure is also increasingly under supervisory control and data acquisition, or SCADA, primarily through ease of remote monitoring and management. However, increased accessibility correlates with increased vulnerability to breached security. Rising SCADA homogeneity further escalates the potential for breaches, since a single exploit could be used to attack multiple systems.18

Given the geographic distribution of critical infrastructure, governments recognize their inability to protect everything. A key concern is that the interdependence of infrastructure elements could mean a failure in a single element could cause devastating widespread damage in multiple critical elements. The power grid is one of the most vulnerable, including transmission lines, transformers, power stations, and suppliers (power plants). In 2009, authorities found that many segments of the U.S. power grid had experienced a suspected hacker infiltration; software tools that could be used to disable infrastructure were identified on the machines.16 Interdependencies in the power grid alone were evident from the blackouts throughout the northeastern U.S. and Canada in August 2003. Failure of a single Ohio power plant led to a complete blackout of the entire Northeast U.S., along with nearby connected portions of the Canadian national power system.4 In 2008, CIA analyst Tom Donohue confirmed that the U.S. power grid in multiple regions was disrupted for the purpose of extorting money.

The water supply is another critical, vulnerable element, encompassing both fresh-water supply and wastewater collection. The U.S. has more than 170,000 public water systems, including reservoirs, dams, wells, aquifers, treatment facilities, pumping stations, aqueducts, and transmission pipelines. Waste collection includes 19,500 municipal sanitary sewer systems and 800,000 miles of sewer lines.a In October 2006, an unknown foreign hacker gained control of a water-filtration-plant computer in Harrisburg, PA, installing software that could have affected plant operations. Though the U.S. water supply is well distributed throughout the country, presenting multiple soft targets, interdependencies are weak, and the effect of any single attack would be localized, affecting at most a few hundred thousand people. Moreover, a failed pump is easily repaired or restarted, leading to quick recovery without serious long-term consequences.

Failure of the financial infrastructure could undermine public confidence in financial institutions, as well as in the government. Goel and Shawky13 established a clear link between security breaches and erosion of market value for U.S. publicly traded firms. However, less clear is how to compare financial losses to the loss of life or to injury. Not all infrastructure attacks are perceived as equally devastating. Thorough risk and interdependence analyses are needed to accurately determine risk.

Internet censorship. A looming battle concerns government censorship and control of the public Internet. The struggle over information content has caused international discord. Some governments are apprehensive about exposing their citizens to offensive material that might be morally, culturally, or politically deleterious, while others, as well as citizen groups, vociferously advocate free speech. Effective censorship requires multilayered access control, including laws and regulations, technical filtering, physical restrictions, surveillance and monitoring, warnings, and arrests. Laws and regulations include penal codes, anti-terrorism laws, digital media laws, and legislation allowing government access to ISP and telecommunication-company information.

Governments do not usually launch direct attacks, but rather aid and abet patriotic hacker groups; for instance, there is no conclusive evidence that the Russian government instigated its citizens to attack Georgian government Web sites.

The Chinese government deploys firewalls and Internet gateways that prevent access to certain IP addresses; it also performs DNS poisoning of specific Web sites and imposes harsh penalties on ISPs and organizations that carry content not permitted by Chinese law.b Many other countries also engage in online censorship, including Bahrain, Burma, Cuba, Iran, Jordan, Kuwait, Saudi Arabia, Singapore, Syria, Tunisia, United Arab Emirates, Uzbekistan, Vietnam, and Yemen, as well as parts of Africa. Even Australia, Germany (region-specific), and Switzerland censor specific Web sites and content.

Techniques for censoring information11,12 include IP blocking, DNS filtering and routing,c URL and packet filtering, and Web feed (such as blogs and RSS) blocking. Internet content is also monitored through automated tools and manual inspection to block objectionable pages, with ISP cooperation. Censorship can be circumvented through proxy servers allowing anonymized access to censored material; however, these servers can be blocked and their use discouraged by government threats to shut down specific Web sites.

Large companies sometimes fight back; for example, in 2010 Google threatened to remove its search engine and Web site unless China allowed it to access uncensored information, remove its offices from China, cancel media events, and delay release of phones with the Android operating system.9 These declarations were in response to Chinese hacker attacks on Google’s servers (allegedly, according to Google, at the behest of the Chinese government) and brought the long-brewing battle of Internet censorship into the open. Concerning the economic consequences of such actions, companies cooperating with governments receive preferential access rights and contracts, while noncooperation can lead to potential harassment and litigation. Google was among the first, in 2006, to willfully abide by Chinese Internet censorship regulation, despite public disapproval in the U.S.14 Google’s decision, in June 2010, to suspend censorship rules in China in response to the attacks can be inferred as not only financially based but as retaliation for the inferred espionage. The threat of Google alone may not warrant concern, but combined with other large companies (such as Microsoft and Yahoo!) could pose a greater threat to China’s situation than any government action. The leverage of companies against governments and the influence individual governments have in reining in multinationals is generally defined by local circumstances.

The complexity of government control of information is evident from the public battle Canadian smartphone communication company Research In Motion has engaged in with several countries, including China, India, Russia, Saudi Arabia, and the United Arab Emirates, that wish to monitor communication on the Blackberry network within their borders. Being a cross-border network makes it difficult for RIM to comply with conflicting laws in different countries; for example, dealing with a call between someone in the U.S. and someone else in China becomes tricky; where U.S. laws protect citizens’ right to privacy, China emphasizes the government’s right to intercept and monitor communication.

To respond effectively to cyberwarfare attacks, governments need advanced detection and analysis capabilities, as well as a new legal framework. Existing techniques for incident and linguistics analysis can be leveraged to develop such strategies for cyberwarfare.

Back to Top

Data Collection and Analysis

A number of recent cyberwarfare incidents (such as cyber spying based primarily in mainland China) have been detected by technical experts cleverly analyzing network or system irregularities. Overt clues triggered an investigation after an attack had continued long enough to cause significant information loss or service disruption. It is virtually impossible to prevent such incidents in the future, since defenders must protect everything, while attackers need to find only a single vulnerability. However, timely intelligence could prompt defensive measures limiting disruption of services and protecting confidential information. Governments need a process of intelligent data gathering and analysis to establish the chronology of attack, identify systems affected, determine attack origin, prevent attacks from propagating, and assign attribution; however, to succeed, governments must look beyond the current strategy of mindless collection and mining of massive data sets. Finding useful intelligence within an enormous amount of worthless data is akin to finding a needle in an extremely large haystack. This problem is complicated by user anonymity, disparate data sources, and lack of international agreement on data sharing among intelligence agencies. Both unstructured text data and structured network traffic data are vital in this analysis. Based on recent cyberwarfare incident analysis, most notably the GhostNet investigation,10 a promising approach combines unstructured text and structured network data to give analysts a comprehensive view of the data.

Unstructured data. Unstructured text data for cyberwarfare typically consists of hacker-forum postings, blogs, and Web sites and is valuable for predicting imminent network threats, identifying their origins, and assigning attribution; for instance, during the 2008 Russia-Georgia conflict hackers posted instructions, along with relevant tools, for attacking Georgian government Web sites. Similar data can be collected from forums, chat rooms, and postings (such as blogs and newsgroups), both open source and private. Information from private communication channels is usually obtained covertly (such as by joining private forums). Personal protection from hackers involves taking appropriate precautions to obfuscate investigator virtual identity through pseudonyms, proxies, and other identity-manipulation software. Complications include identifying the right forums and finding, testing, and training native speakers able to creatively identify and penetrate them. Social-engineering skills are often necessary for such infiltration. Once a forum is identified, automated software bots can be sent to periodically collect online data and structure it appropriately.

An important aspect of data collection is building a domain ontology for tagging unstructured data and creating associations between disparate data sources. This can be achieved with the help of domain experts and a literature review. In addition, field investigations (interviews, discussions, notes, and surveys) may be required to get additional information from key parties. Such field investigation data must be associated with context information (such as location, date/time, topic, and participants). Fragments of it can provide valuable clues that might have been removed or camouflaged in published text to build circumstantial evidence. Mindless data collection must be replaced by targeted data collection, as too much data can be as useless as too little data.

Network data. Sources of network data include log files from infected computers, routers, firewalls, intrusion-detection systems (IDSs), darknets, and honeynets. Routers and firewalls form the core of the network-security infrastructure, actively filtering packets and connections based on suspect IP addresses and port numbers. IDSs, darknets, and honeynets are specialized tools that passively observe traffic, log data, and generally look to detect suspicious data. Each represents a piece of information that can be assembled to give a comprehensive view. Collection in these cases often relies on intercepting attacks (such as botnets) during execution.

IDSs are typically employed to detect malicious activity and are useful against previously known attacks. Local host IDS alerts are not sufficient for detecting large-scale cyberwarfare attacks; however, network IDSs may be able to detect and report early warning signs. Network threats can be determined more effectively through darknets (such as Cymrud and CAIDAe) monitoring unused network spaces. Darknets typically consist of a single server analyzing received packets, logging information, and alerting system administrators of malicious activity. Since the address space assigned to a darknet is unused, its traffic is typically either malicious (coming from compromised hosts) or erroneous. Hackers profile networks for vulnerabilities and hit darknets accidently as part of randomized scans. While an IDS is designed to classify traffic as benign or malicious, darknet traffic requires no further classification, with everything simply logged. Darknets are designed to detect a zero-day exploit before an IDS has a signature available. Honeynets are redundant vulnerable machines, with logging capabilities put on networks to entice hackers to attack, complementing IDS and darknet data and serving as harbingers of future attacks likely to affect the rest of the network.

Analysis of network traffic (such as connection requests, packets, and DNS resolves) is often insufficient for detection since attacks can be camouflaged as normal network activity. Aggregating data from multiple sources reveals patterns that help detect attacks not evident from a single source. Forensic examination of data can assist in establishing attack timelines. Malware analysis can help identify exploited vulnerabilities that can be patched to prevent future attacks. Any IP address associated with an attack should be blocked at the institutional, ISP, or national level, depending on scale and origin. IP-based geolocation can be used to identify the physical location of attack; however, reliability is poor, as IP addresses can be masked or spoofed.

Cyberwarfare incidents can be more complex than cybercrime attacks in terms of scale, strength, and speed. Investigations might also need invasive techniques (such as rogue network participation and fake command-and-control centers) to get additional information. The value of the collected data often depends on the quality of its analysis.

Cyberwarfare analysis with unstructured and structured data. In cyberwarfare investigations, technical analysis using structured data must be combined with analysis of unstructured data to establish attribution. Network and text analysis can be used as mutual triggering activities; an alert triggered by network data analysis should prompt a deeper investigation on specific hacker forums, and, vice versa, intelligence gained from hacker forums should generate a deeper examination of network data from specific collection efforts. A classic example involves the 2008 Russia-Georgia cyberwarfare incidents. Investigators15 obtained data from Georgia CERT and were thus able to identify hidden connections between hackers, as well as correlate server data on cyberattacks against specific IP addresses. The IP addresses led to identification of forum posts listing Georgian government Web targets, as well as attack logistics. Analysts also collected Russian hacker-forum posts discussing attack methods, options, and triage of successful Georgian Web attacks on the same Web sites. An ontology was created to store relevant entities, including hacker aliases, URLs, post content, dates, and times. Combining network data with hacker-forum posts, analysts were able to identify commonalities connecting specific hackers with specific Web sites attacked. While this work was done manually through an international group of experts, such analysis must be institutionalized and at least partly automated for future events.

Content analysis of open-source data from the public Internet (such as Web forums, chat rooms, Web sites, and blogs) or any text data can be used for behavior analysis to help ascertain perpetrator motivations. Content analysis19 involves breaking down content into meaningful and pertinent units of information for analysis and interpretation of message characteristics. Natural language contains information about individual personality traits, social circumstances, emotional and cognitive state, and idiosyncratic reactions to crisis. In its simplest form, an analysis can help measure word frequency in categories of interest. A research question might involve determining if there is a greater presence of positive or negative words with respect to a specific hypothesis; for instance, individuals tend to use more first-person singular pronouns when young,30 depressed, dealing with a personal crisis,29,34 or honest, as opposed to deceptive.26 Greater reference to other people might signal a greater sense of community.37

Behavior profiles developed from content analysis, combined with network data analysis, can provide deeper insight into the activities of cyberwarfare actors. Using automated data-mining tools for cyber-incident analysis is difficult for several reasons: a large disparity in the volume of useful versus junk data; multilingual content leading to loss of semantic meaning in automated translation; and prevalence of unstructured data, making it difficult to relate disparate data sets. Human cognitive ability allows quick determination of relevant portions of data; however, large volume also makes manual sorting infeasible. Human cognitive ability coupled with data-processing tools that aggregate data into a concise, eloquent form suitable for human cognition is the ideal combination. Also important is to be able to obtain a single view of disparate data sources for drawing collective inferences.

The author was involved in a 2010 investigation of U.S. power-grid cyber-attacks using open source intelligence (OSINT) performed as a part of a Project Grey Goose initiative5 that collected text data from such sources as news articles and documented reports on critical infrastructure failures, as well as hacker blogs and forum postings. We identified cyberattacks on the U.S. power grid, 2000–2010, from around the world and covering 120 incidents. We correlated political events with the attacks to infer potential sources and identification of potential state and non-state actors based on media reports to determine suspected attackers (countries and groups). We combined it with attack locations obtained via IP-to-geological-point conversion and used a “means, method, and opportunity analysis” to determine if the attacks were cyberwarfare incidents or ordinary cyberattacks. Assigning attribution was relatively straightforward for several incidents but unclear in others.5

Back to Top


Even with effective analysis of structured and unstructured data, attribution is difficult in any cyberwarfare incident. Governments do not usually launch direct attacks, but rather aid and abet patriotic hacker groups; for instance, there is no conclusive evidence that the Russian government instigated its citizens to attack Georgian government Web sites. Likewise, there is no conclusive proof the Chinese government was involved in attacks on Google or other U.S. corporations, though there is significant circumstantial evidence. While cyberwarfare analysis is hindered by lack of robust international law and treaties governing cyberwarfare, everyone’s ability to determine attribution suffers the most. Efforts have been made by China, Japan, South Africa, and the U.S., along with countries throughout Europe, to improve international cooperation in fighting cybercrime and create legal mechanisms (such as the 2001 Convention on Cyber Crime Treatyf) for storing and accessing data. However, effectiveness is limited by politics and conflicting national interests. A key concern is that unfettered access to data and suspects across national boundaries in pursuit of cybercriminals infringes national sovereignty.

Response to the threat of cyberwarfare requires new tools combining disparate data sets and efficiently extracting intelligence information, along with semiautomated tools that assist human analysts in tagging data, automated link-analysis tools that identify links in disparate data sets, and visualization tools that make analysis easier. Also required are tools and techniques that help identify and disable the command-and-control structure of botnets and detect and clean botnet-infected machines. Moreover, centralized databases of active hacker groups, with their political/national affiliations and ideologies, must be created. Their activities must be monitored, so they can be correlated with political events and with cyberattack incidents. International treaties on cyberwarfare must be created and ratified like treaties involving traditional warfare. Also needed are mechanisms for monitoring compliance with those treaties and resolving ensuing disputes. The propaganda of terror groups must be neutralized through counter narratives.

A key concern is that unfettered access to data and suspects across national boundaries in pursuit of cybercriminals infringes national sovereignty.

Nations must invest not only in cyber defense, but also in cyber deterrence, by building offensive capability. Coordination with upstream ISPs is needed to quickly block specific country domains or address spaces when large-scale threats are identified. Regulatory bodies must be required to audit critical infrastructure SCADA security. Legislation requiring utilities report cyberattacks using mandatory breach-disclosure laws would also help investigate such incidents. Finally, public awareness, vigilance, and crisis-management training should also be incorporated to protect against the effects of cyberwarfare.

Back to Top


Cyberwarfare includes propaganda, recruitment, fundraising, sabotage of critical infrastructure, and espionage. Scale, speed, and strength necessitate collection and analysis of information. Unread reports in boxes stored away are worthless, and automatic processing of data without clear intelligence can yield erroneous conclusions. Human analysis should be supported with automated and/or semiautomated tools and techniques to combat cyberwarfare. Attack mechanics, groups/countries involved, motivations, and targets are pieces of the puzzle that must be identified and fit together. A comprehensive approach to analyzing cyberwarfare requires both structured network data and unstructured data (such as forum postings, Web sites, blogs, and chat rooms) combined with field investigation and further technical or malware analysis. Techniques are drawn from diverse fields, including computer science, forensics, psychology, and linguistics. The work the author did with Project Grey Goose5 in 2010 used this approach on power-grid cyberattacks, where the means, motives, and opportunities of the actors were correlated to assign attribution with relative confidence. Although a case can be based on circumstantial evidence by associating political events, online postings, chronology of attacks, and connection between motives and objectives, incontrovertible proof of attribution is especially difficult to obtain. With cyberwarfare only beginning, anyone who depends on a computer must be prepared for its future challenges.

Back to Top


I thank Damira Pon from the University at Albany for her valuable suggestions that helped improve the article.

Back to Top

Back to Top

Back to Top

Back to Top


UF1 Figure. DoD Cyber Crime Center (

Back to top

    1. Al-Shishani, M.B. Taking Al-Qaeda's jihad to Facebook. Terrorism Monitor: In-depth Analysis on the War on Terror 8, 5 (Feb. 4, 2010).

    2. Andrabi, J. After Mumbai, Pakistan and India wage war in cyberspace. The National (Jan. 2, 2009).

    3. Billo, C. and Chang, W. Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States. Technical Report. Institute for Security Technology Studies at Dartmouth College, Hanover, NH, 2004;

    4. Bredemeier, K. First stop in search for answers: 7 Ohio power lines. The Washington Post (Aug. 9, 2008), A01.

    5. Carr, J. and Goel, S. [principal investigators], Himley M., Lasko, A., and Saly, T.J. [researchers]. Project Grey Goose Report on Critical Infrastructure: Attacks, Actors, and Emerging Threats, 2010;

    6. Carr, J. et. al. Project Grey Goose Phase I Report Russia/Georgia Cyber War: Findings and Analysis (Oct. 17, 2008);

    7. Clarke, R.A. and Knake, R.K. Cyber War: The Next Threat to National Security and What to Do. Ecco, New York, 2010.

    8. Dai, Q. Innovating and developing views on information operations. China Military Science (Aug. 2000), 72–77.

    9. Dann, G.E. and Haddow, N. Just doing business or doing just business: Google, Microsoft, Yahoo!, and the business of censoring China's Internet. The Journal of Business Ethics 79, 3 (May 2008), 219–234.

    10. Deibert, R. and Rohozinski, R. Tracking GhostNet: Investigating a cyber espionage network. Information Warfare Monitor. University of Toronto, Munk Centre for International Studies at Trinity College, Toronto, 2009;

    11. Deibert, R. and Villeneuve, N. Firewalls and power: An overview of global state censorship of the Internet, In Human Rights in the Digital Age, M. Klang and A. Murray, Eds. GlassHouse, London, 2005, 111–124.

    12. Dornseif, M. Government-mandated blocking of foreign Web content. In Security, E-Learning, E-Services: Proceedings of the 17th DFN-Arbeitstagung uber Kommunikationsnetze, J. von Knop, W. Haverkamp, and E. Jessen, Eds. (Dusseldorf, June 14–18). Knowledge Systems Institute, San Francisco, 617–648.

    13. Goel, S. and Shawky, H. Measuring the impact of security breaches on stock valuations of firms. Information & Management 46, 7 (Oct. 2009) 404–410.

    14. Goldsmith, J. and Wu, T. Who Controls the Internet?: Illusions of a Borderless World. Oxford University Press, Oxford, U.K., 2006.

    15. GreyLogic. Project Grey Goose Phase II Report (Mar. 20, 2009);

    16. Harwood, M. Cyberespionage threatens everyone. Security Management (Apr. 10, 2009).

    17. Homeland Security News. U.S. cybercrime losses double (Mar. 16, 2010);

    18. Igure, V.M., Laughter, S.A., and Williams, R.D. Security issues in SCADA networks. Computers & Security 25,7 (Oct. 2006), 498–506.

    19. Krippendorff, K. Content Analysis: An Introduction to its Methodology. Sage Publications, Beverly Hills, CA, 1980.

    20. LaMonica, M. Report: Spies hacked into U.S. electricity grid. CNET News (Apr. 8, 2009).

    21. Leyden, J. Conficker's 6m strong botnet confounds security probes. The Register (Aug. 5, 2010);

    22. Libicki, M.C. Conquest in Cyberspace: National Security and Information Warfare. Cambridge University Press, New York, 2007.

    23. Lillian, N. Israeli domain registration server hacked. YNetNews (Jan. 2, 2009).

    24. McNeal, G.S. Cyber embargo: Countering the Internet jihad. Case Western Reserve Journal of International Law 39, 3 (2007–2008), 789–827.

    25. Nagaraja, S. and Anderson, R. The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement. Computer Laboratory, University of Cambridge, Cambridge, U.K., 2009;

    26. Newman, M.L., Pennebaker, J.W., Berry, D.S., and Richards, J.M. Lying words: Predicting deception from linguistic style. Personality and Social Psychology Bulletin 29, 5 (May 2003), 665–675.

    27. Niu, L., Li, J., and Xu, D. On information warfare strategems. Beijing Zhongguo Junshi Kexue (Jan. 12, 2001), 115–122.

    28. Parker, T., Shaw, E., Stroz, E., Devost, M.G., and Sachs, M.H. Cyber Adversary Characterization: Auditing the Hacker Mind. Syngress Publishing, Inc., Rockland, MA, 2004.

    29. Pennebaker, J.W. and Lay, T.C. Language use and personality during crises: Analyses of Mayor Rudolph Giuliani's press conferences. Journal of Research in Personality 36, 3 (June 2002), 271–282.

    30. Pennebaker, J.W. and Stone, L.D. Words of wisdom: Language use over the life span. Journal of Personality and Social Psychology 85, 2 (Aug. 2003), 291–301.

    31. Rattray, G.J. Strategic Warfare in Cyberspace. MIT Press, Cambridge, MA, 2001.

    32. Rayment, S. Britain under attack from 20 foreign spy agencies, including France and Germany. The Telegraph (Aug. 2, 2009).

    33. Richards, J. Georgia accuses Russia of waging 'cyberwar.' Times Online (Aug. 11, 2009).

    34. Rude, S.S., Gortner, E.M., and Pennebaker, J.W. Language use of depressed and depression-vulnerable college students. Cognition and Emotion 18, 8 (Dec. 2004), 1121–1133.

    35. Stohl, M. Cyberterrorism: A clear and present danger, the sum of all fears, breaking point, or patriot games? Crime, Law and Social Change 46, 4–5 (Mar. 2007), 223–238.

    36. Stone, B. Three indicted in theft of 130 million card numbers. The New York Times (Aug. 17, 2010).

    37. Stone, L.D. and Pennebaker, J.W. Trauma in real time: Talking and avoiding online conversations about the death of Princess Diana. Basic and Applied Social Psychology 24, 3 (2002), 172–182.

    38. Wang, B. The current revolution in military affairs and its impact on Asia-Pacific security. China Military Science (2000).

    39. Zetter, K. Google hack attack was ultra sophisticated, new details show. Wired (Jan. 14, 2010);

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More