Cyber: Defining the space | ADM May 2012
The World Wide Web (www) and the networking technology which underpins it, the internet, represent a disruptive technology in that they changed the world and how it operates. Governments, militaries, law enforcement and virtually every facet of public life are now digitally connected to each other and to individual members of the public. Businesses, social organisations and anyone else who has a connection to the web all have equal rights in this digital domain, which since 1982 has been known as cyberspace.
Just like any frontier, there is a level of pioneering spirit. Among many cyber citizens there is some degree of lawlessness, and law enforcement agencies cannot keep up with the ever changing and seemingly infinite ways in which criminals devise new types of crime.
Cyber crime vs. Cyber warfare
There are many parallels between cyber crime and cyber warfare, especially in the methods used. In each case the actions undertaken can be written as a script. The concept of crime scripts is based on an idea advanced by Cornish (Cornish 1993, 30-45).
So how do cyber criminals and cyber warriors operate according to a script?
• Plan the attack
• Select the target
• Scan the target
• Gather information about the target
• Gain access
• Escalate privileges
• Steal user information
• Scrub evidence of infiltration
• Create ‘back doors’
• Carry out the attack.
There may be some variations to the script, such as exchanging item nine with item seven. However, for the purpose of this essay, what happens in item ten is the main differentiator between cyber crime and cyber warfare.
In cyber crime the motive for attack is usually profit, whereas in cyber warfare the motive will be to disrupt the enemy’s systems. In both cases a further reason may be to exact revenge. Whatever the motives behind an attack, the process of attack will be different in crime as opposed to warfare.
Cyber crime and cyber warfare both entail computers and networks as attack tools or targets. These procedures are collectively called Computer Network Exploitation (CNE), with the subsets of Computer Network Attack (CNA) and Computer Network Defence (CND).
Malware
The general term used to describe what is done to harm systems is malware, a word which is a concatenation of malicious and software.
The most prevalent form of malware used for crime is spam, which usually comes in the form of an email and seduces people into divulging personal information, especially financial information. Whether it belongs to an individual or a corporation, information is the prize most sought after by cyber criminals. In a survey conducted in 2009, 54 per cent of businesses cited theft of customer data as their most serious threat, followed by online fraud at 52 per cent.
Malware emails may also contain code such as viruses, trojans and worms. Unlike spam, which is dormant unless the targeted user carries out an action, trojans and worms may contain malicious code such as key loggers, which transmit the user’s keystrokes to the attacker, as well as other mechanisms for transmitting user information to unauthorised people.
In the case of cyber warfare, spam is usually not as useful; military users of networks are unlikely to be fooled by spam in a cyber war. Here a denial of service (DoS) or distributed denial of service (DDoS) attack is more likely to achieve the desired effect. Alternatively, if the attacker has sufficient technical skill, injecting code to change the normal functions of the enemy’s systems would prove even more effective. Even at this level of sophistication, this would usually be seen as a tactical or operational attack rather than a strategic one. Indeed, it is unlikely that a cyber war attack will have long term strategic effects.
Moreover, a cyber war might not concentrate only on the enemy’s military but also include attacks on the target nation’s infrastructure. If enemy forces penetrate a Supervisory Control and Data Acquisition (SCADA) system, they have the capability to disrupt or destroy the entities which underpin a nation’s normal life. One example might be attacking a SCADA system at a city’s sewage works and manipulating the gates so that sewage spills into the surrounding area and possibly contaminates the city’s water supply. Another would be targeting a large industrial site, especially one dealing in volatile materials, where all manner of chaos could ensue, including explosions and the leakage of unwanted materials contaminating the surrounding communities.
Interestingly, both cyber criminals and cyber warriors can be expected to attack financial and telecommunications systems, including a nation’s banking and currency operations, but for different reasons, as previously outlined. A cyber warrior would likely use DDoS to cripple the systems. A criminal, on the other hand, would exploit the banks to steal information and money, and the communications system in order to communicate anonymously and for free.
Attribution
Another commonality is the strong desire to avoid attribution. Ideally, the target should not be aware of having been attacked. A secondary goal would be to maintain anonymity for as long as possible, to avoid suspicion. Finally, plausible deniability becomes the last hope of avoidance before the attacker is positively identified. Whether a criminal perpetrator or a cyber warrior, an attacker can avoid detection and location by IP address spoofing. There are various ways to do this, and mobility can be a decisive factor in avoiding being located. By using mobile devices and publicly available sockets to access the internet, a user regularly has a different IP address. These so-called sockets can be found in internet cafes as hard wired connections, but also at numerous locations offering free WiFi. When those connections are not suitable, war driving, the practice of roaming an area to find poorly protected or unprotected routers, can provide an attacker with copious anonymous IP addresses. Non-mobile spoofing is less labour intensive than constantly moving and seeking new sockets, but it has a serious disadvantage: the same weaknesses of TCP/IP which allow spoofing also support very informative packet sniffing, which may reveal the true IP address of the originating host.
Therefore, as discussed, cyber crime and cyber war have many parallels and are more similar than they are different. However, there are some substantial differences. Not all cyber crime involves the exploitation of other people’s computers. In the realm of conventional crime, a criminal may use commonplace software to plan and help execute a crime which has no other connection to computers. Another criminal use of a computer might be the storage and/or distribution of child exploitation images. In the sphere of warfare, conventional wisdom about traditional or kinetic warfare says that a defender has a three to one advantage over the attacker. Also, it is very obvious that an attack has taken place if people are being shot and things are being blown up.
In a cyber war, however, the advantage falls to the attacker, as the attacks are likely to be carried out from a distance and to be unattributable, and in some circumstances it may not even be obvious that an attack has occurred until it is too late. More importantly, a cyber attack may have occurred and yet, when things go wrong, it is never known for certain whether the problems being experienced are in fact the result of a cyber attack.
So where do Information Operations (IO) fit in?
Interestingly, IO as a principle does not imply any particular technology; it is a discipline which transcends technology. That said, technology is a substantial enabler for carrying out IO. Definitions are always difficult but important, and there are many definitions of IO from a variety of sources. One very succinct version states: “IO is the integrated employment of capabilities... to influence, disrupt, corrupt or usurp adversarial human and automated decision-making, while protecting our own.”
It might seem an oversimplification to say simply that the purpose of IO is to shape the information environment. However, shaping the information environment implies that the information available to the enemy should be such as to force them to make decisions detrimental to their cause, while one’s own information environment should afford confidence in the integrity and availability of the information provided and be conducive to winning the conflict. This has become a critical issue for western militaries, which are already struggling to implement Network Centric Warfare with its inherent technical and operational difficulties. If a soldier’s PDA with integrated GPS, 3G, WiFi, Bluetooth and magnetic compass suddenly fails to compute a firing solution, what caused the problem? Is it the result of a cyber attack, or just a glitch? Dare one ask whether the batteries are fully charged?
Another area in which IO needs to be examined is the field of asymmetric warfare. This was previously the name for a situation in which a superior military force was fighting an enemy poorly armed in comparison with the technologically advanced military. Insurgencies and terrorist activity are two examples. However, the landscape is changing rapidly. There is increasing convergence between military and commercially available technology. IBM recently saw the crossover in its own company, where the past paradigm of the company doing innovative research to develop military systems has given way to militaries buying Commercial Off The Shelf (COTS) products, and “increasingly there is more similarity than dissimilarity between Information Age challenges”.
This situation has become extremely dangerous to governments and their militaries. It is now possible for non-government entities to bring the same or better technology to the fight as a sophisticated army. Even individuals can buy laptops as powerful as those available to troops. Now that smart phones can be a terminal on the web, any smart phone can either directly attack a network or become a willing ‘bot’ in a ‘bot-net’, which is a powerful tool for pressing a DDoS attack.
Therefore a cyber attack on a mobile network centric force can actually be a lot more symmetrical in effect than a network enabled military might expect. In fact, recent events in the Middle East have dramatically proven the supremacy of ‘viral herding’ by civilians over riot police and a nation’s military. The availability of social networking sites, and the capability of cell phones to send text messages to a list rather than just ‘one to one’, mean that a protest rally can be organised at nearly light speed. Suddenly the information environment is to the advantage of the herders.
To illustrate the problem for authorities, it is a simple matter of exponential maths. If the original herder sends a message with details of a gathering to just two people and asks that each passes the message to only two others, it will not take long to reach an enormous number of recipients. One person contacts two, who then contact four more; if that chain continues for a total of 16 times, 65,536 people will have the information, and if the process happens 20 times the total becomes 1,048,576. If that 20th generation again just sends the message to two people each, it becomes obvious that at that point over 2 million people know what’s happening.
Conclusion
Contrary to some rumours in the media, a nation can’t just turn off the internet or the cell phone SMS network, since that would cripple communications for everyone, not just the insurgents. In fact, once the herding ‘goes viral’ it is too late for the government to react. At this point the government has lost the information war; as was seen in Egypt, the government fell in under two weeks to ostensibly peaceful and unarmed civilians. This is a clear example of network technology being used to disseminate very simple information quickly and massively, filling the streets with so many insurgents that they completely overwhelm better armed and equipped government forces.
Another problem for authorities is that smart phones with cameras provide protesters with an instant propaganda mechanism, as photos and video clips find their way onto web sites and sympathetic TV networks, proving that information in the right hands at the right time has the potential to be more powerful than guns.