AMERICAN PUBLIC UNIVERSITY SYSTEM. Charles Town, West Virginia. Cyber-Attacks: The New Front of Warfare. A Growing Threat to U.S.


AMERICAN PUBLIC UNIVERSITY SYSTEM
Charles Town, West Virginia

Cyber-Attacks: The New Front of Warfare
A Growing Threat to U.S. Security

A research paper submitted in partial fulfillment of the requirements for the degree of MASTER OF ARTS in NATIONAL SECURITY STUDIES by Healey Chanon Sutton

Department Approval Date: July 9, 2011

The author hereby grants the American Public University System the right to display these contents for educational purposes. The author assumes total responsibility for meeting the requirements set by United States Copyright Law for the inclusion of any materials that are not the author's creation or in the public domain.

Copyright 2011 by Healey Chanon Sutton. All rights reserved.

DEDICATION

I dedicate this research paper to my parents, who support me through everything and whom I do not thank nearly enough.

ABSTRACT OF THE RESEARCH PAPER

CYBER-ATTACKS: THE NEW FRONT OF WARFARE
A GROWING THREAT TO U.S. SECURITY

by Healey Chanon Sutton
American Public University System, July 9, 2011
Charles Town, West Virginia
Professor Ronald Mangum, Research Paper Professor

The purpose of this research paper is to analyze the national security threats that the U.S. must face from cyber-attacks by individual actors and enemy nations. Cyber-attacks are a severe threat to U.S. national security that must not be underestimated. Cyber-attacks not only threaten information security but could also cause physical harm to the U.S. There are ways the U.S. can combat this growing threat. With a proactive approach and better coordination between the various parts of the U.S. government, military and private sector, the threat of cyber-attacks can be met and their impact minimized.

TABLE OF CONTENTS

CHAPTER / PAGE
Introduction
History of Cyber Attacks
Types of Cyber Attacks
Costs of Cyber Attacks
Case Study 1: U.S. Government/U.S. Military
Case Study 2: Company A
Case Study 3: Estonia and other Former Soviet Nations
Implications for NATO
What Can Be Done? ... 32
Conclusion ... 35
Works Cited ... 39

Introduction

The face of warfare is continually changing and developing. As warfare evolves, the world sees new and often improved methods of fighting war off the battlefield. Recent U.S. war fighting efforts, for example, have been fought with an increased use of remote viewing capabilities, such as unmanned aerial vehicles (UAVs). A large part of this evolution of warfare stems from the rise in cyber technology. There is a growing reliance on computers and Internet technology, both in the military and civilian worlds. As with any other technological development, with the benefits come those who will try to exploit it and cause harm. This is evident in the growing occurrence of cyber-attacks. Cyber-attacks vary in method, severity and impact, and have been used against many parts of the U.S. infrastructure, including commercial and military targets. The sources of these attacks are both domestic and foreign, and it is often difficult to discern the motives or the perpetrators. In light of the growing threat of cyber-attacks, this research paper will address the following question: What threats do cyber-attacks pose to U.S. security, and how can the U.S. defend itself? This research paper will answer this question in several ways. It will examine the potential cost and damages of cyber-attacks. The author will examine China's growing cyber warfare capabilities and how they have been utilized recently. This paper will also examine three areas which have been victim to cyber-attacks, in the U.S. and in parts of Eastern Europe, and will consider the implications of cyber warfare for the future of warfare in general.

There have already been numerous cyber-attacks against the U.S. government, U.S. interests and U.S. allies. While attacks are often harmless, some have been successful in gaining access to classified information or disrupting services. Many of these attacks are believed to have originated in China. The author will examine China's motivations behind these attacks and whether they might foretell a future escalation of conflict. U.S. national security strategy has adapted to include, and lend greater importance to, this growing cyber threat. It is arguable, however, that the U.S. is not giving cyber strategy the priority it merits. Of particular concern is the targeting of what is known as critical infrastructure. Critical infrastructure comprises those categories of infrastructure which are considered essential to the U.S. with respect to defense and the economy. When considering the current and future threat of cyber-attacks, one must also examine attacks which have occurred in other nations, particularly in nations that are U.S. allies, such as occurred in Estonia in 2007. Cyber-attacks on U.S. allies could have implications for U.S. national security; the U.S. might need to lend financial or military aid to victims of future attacks, and a successful, disruptive attack on another nation could potentially impact the global economy or even the balance of power in a region. The U.S. has long enjoyed worldwide military dominance. The cyber world is one aspect of warfare in which the U.S. could soon find itself lacking. The U.S. must maintain its military strength to defend itself and its allies against any threat. Over the coming decades, cyber warfare will become a more and more important aspect of the war fighting effort. The U.S. should continue not only to improve its defensive cyber capabilities but also to build on its offensive capabilities.

This study will demonstrate that cyber warfare is an extremely important part of the future of warfare. While a physical threat, one with the potential to harm U.S. citizens, for example, might not be imminent, the threat of cyber-attacks should not be underestimated. The U.S. must continue to emphasize cyber threats in national security considerations and continue to develop U.S. cyber warfare capabilities.

Chapter 1: History of Cyber Threats

In order to study the potential for cyber-attacks against the U.S., it is important to first examine the history of cyber-attacks and how the threat has developed over the years. Ever since the development of the Internet, even before it was widely available for public use, people have found ways to take advantage of and disrupt it and its users. As one author noted, "For practically as long as there's been an Internet, vandals, troublemakers and criminals have sought to exploit it" (James 2009). As computer systems have developed and improved over the years, the reliance on technology has grown significantly. Today, a large percentage of the U.S. is online and a significant portion of commercial and government activity relies on computers and the Internet. As people become more and more interconnected, the opportunities for mischief and potential harm grow. As incidents of abuse become more prevalent and more severe, the development of anti-virus programs and cyber security tries to counter these problems. The people behind cyber-attacks are always looking for new ways to conduct attacks. Internet attacks continue whether they are motivated by trying to access information or just trying to cause mischief and disruption. Although there are proactive approaches to preventing attacks, those wishing to do harm are constantly developing new methods of attack; defense is therefore often reactive. Computer hacking began in the late 1970s and early 1980s with the development of computer worms and viruses. The early 1980s also saw the increase of computer hackers -- people who attempt, and often succeed, to bypass security to break into computer networks. In

1983 computer hackers broke into several U.S. government networks, many of the hackers using basic home computers (Krebs 2003). In 1998, the U.S. saw one of its first successful attacks on government cyber systems. Hackers were able to take control of more than 500 computers, including military and government computers, in an incident later called Solar Sunrise. This attack "[gave] the Defense Department its first taste of what hostile adversaries with greater skills and resources would be able to do to the nation's command and control center, particularly if used in tandem with physical attacks" (Krebs 2003). Fortunately, in this instance the perpetrators of the attack were two teenagers in the U.S. Had it come from a hostile nation, the damage could have been much more severe. The U.S. was lucky that it was a relatively inexpensive lesson in the importance of cyber security. These lessons have become more and more expensive as technology has advanced. The potential repercussions of these attacks have increased as, along with the potential financial damage, the potential for physical harm to the U.S. and its citizens has grown into a legitimate and threatening concern. The few years following the Solar Sunrise attack saw worms and viruses which caused millions of dollars in damage, and sometimes billions, as with the Code Red worm of 2001 (Krebs 2003). Concerns about the potential damage to human capital grow as well. As will be demonstrated in this study, the risks associated with cyber-attacks have expanded beyond concerns about accessing information and causing damage to systems. More recently, there is a growing concern that these attacks could lead to a significant loss of human life and damage to infrastructure.

A new form of attack, known as denial-of-service (DoS) attacks, began to appear in earnest in DoS attacks are different from worms and viruses in that, rather than trying to gain unauthorized access to a system, a flood of traffic is directed at the target, overloading its system and causing it to shut down. These can be used in conjunction with viruses: viruses or worms are used to gain control of other computers and servers and use them as part of a DoS attack against a target, known as a distributed DoS (DDoS). DDoS attacks have great potential to be used as part of the new front of cyber warfare. Estonia suffered a large scale DDoS attack in 2007, believed to have come from Russia, which caused significant outages but fortunately did not cause any lasting damage. More recently, a key method of cyber-attack has arisen in the form of what are called phishing attacks. These are attacks which attempt to trick people into providing personal information to what look like legitimate websites or into downloading files containing malicious software. Whereas phishing attacks might be sent to thousands of recipients in the hope that only a few people might take the bait, spear phishing has arisen more recently as a more targeted threat. Although these concerns are comparatively new and constantly changing with the development of new technologies, the potential for damage using cyber-attacks, whether against government, commercial or personal interests, is severe. The U.S. relies on the Internet for a variety of needs, and therefore it will always be a target for people looking to cause harm, whether that harm is a simple prank or an effort to disable defense and weaken the U.S. in preparation for a military attack by an enemy nation. It is also important to note that cyber warfare is a relatively low cost pursuit for those who perpetrate it, while it can be extremely expensive for the target to defend against, or recover

from, these attacks. Hackers also enjoy a level of anonymity which can often make them difficult to capture and prosecute. As technology continues to develop, it can become even more difficult to capture those behind cyber-attacks. When the attackers are pursued, "successful investigations often lead only to another hacked computer" (Henry et al. 2010, 148). Lynn (2010) summarizes: "cyberwarfare is asymmetric. The low cost of computing devices means that U.S. adversaries do not have to build expensive weapons, such as stealth fighters or aircraft carriers, to pose a significant threat to U.S. military capabilities. A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States' global logistics network, steal its operational plans, blind its intelligence capabilities, or hinder its ability to deliver weapons on target. Knowing this, many militaries are developing offensive capabilities in cyberspace, and more than 100 foreign intelligence organizations are trying to break into U.S. networks. Some governments already have the capacity to disrupt elements of the U.S. information infrastructure." The U.S., including government, commercial and private interests, must spend significant amounts of money to defend against these attacks. If the attacks are successful it becomes even more expensive, as government organizations and companies must repair the damage and regain cyber security. One can see how the threat of cyber-attacks has developed and grown over the years. As nations have become more dependent on Internet technology because of the increasingly interconnected world, the threat of cyber-attacks has grown. With this growing cyber threat, the cost and potential risk involved have increased tremendously.

Chapter 2: Types of Cyber-Attacks

The threat of cyber terrorism and cyber-attacks which the U.S. currently faces is multifaceted. As discussed in Chapter 1, there are a variety of motives behind cyber-attacks, ranging from simple mischief to trying to cause real harm. In the recent history of cyber warfare, there have been numerous examples along the spectrum from minor mischief to significant damage caused by cyber-attacks. There are several methods of conducting cyber-attacks, but for the purposes of this study this author will focus on DDoS attacks, phishing attacks and cyber espionage. One of the more common forms of cyber-attack is the DDoS attack. As defined above, a DDoS is a targeted flood of traffic intended to overload a server, causing it to crash. This was used to effect in Estonia in 2007, which will be discussed in Chapter 6. In order to conduct a DDoS, the cyber-criminal might gain illegal access to other networks in order to hide where they are located. When the attack is investigated, the source will appear to be from all over the world when in fact it might have originated from a person's home computer. DDoS attacks are also concerning because they do not require a great amount of skill or technical knowledge. Although skilled hackers might be the best candidates for conducting a DDoS, anyone with an average ability to use the Internet, and enough money and motivation, could mount a denial-of-service attack; botnets, the networks of compromised machines used to conduct the attacks, are commercially available for purchase (Everard 2008, 120). A DDoS attack can cause a significant amount of disruption. If it is targeted against a bank, for example, people might not be able to use ATMs to access their money. While this is largely an inconvenience, if a successful DDoS is conducted against a more essential target, for

example, a power company, it could lead to not only costly but also potentially dangerous consequences. It is possible that in the future the U.S. may face cyber-attacks that could cause the deaths of its or its allies' citizens due to the effects of a cyber-attack on an electrical system (Ashmore 2009, 21). Critical infrastructure could be targeted, leading to loss of life or significant disruption. As defined by the U.S. government, critical infrastructure includes telecommunications, power, gas and oil storage and transportation, banking and finance, transportation, water, emergency services and government continuity (Moteff and Parfomak 2004, 4). The second type of cyber-attack that has gained prevalence recently is known as a phishing attack. Phishing attacks take advantage of computer users through social engineering. A phishing attack often occurs by using e-mails which appear to be from legitimate sources. The e-mail might direct the recipient to follow a link to a website, which will appear to be authentic. Once at this website, the user will be requested to enter personal information which the hacker will harvest. E-mails might instead contain a file which, when opened, releases malware onto a computer and allows unwelcome parties to access information. The U.S. National Security Agency (NSA) conducted a study in 1997 in which IT specialists were instructed to try to hack into government systems using only commercially available software and without breaking the law. These employees were successful in a variety of ways, one of which was using phishing tactics by posing as staff and calling or e-mailing employees at the targeted agency to gain password information; the IT specialists were surprised at how easily government and military members delivered their passwords without question (Ashmore 2009, 21).

While many years have passed since this exercise, and in theory U.S. government agencies and other commercial organizations would have taken steps to prevent this relatively easy method of attack, human nature has not changed terribly much and phishing attacks such as these are still often successful. As discussed in Chapter 1, phishing attacks have evolved from random mass e-mails and are now becoming more sophisticated and more targeted. These more targeted attacks are known as spear phishing. Spear phishing attacks are directed at a selected person or group of people, for example executives at a company, and use personal information to make the attack appear more legitimate (FBI Stories 2009). Company A, which will be examined in Chapter 5, was the victim of some very cunning spear phishing attacks during its recent battle with cyber-attacks. The phishing attack which Company A faced is known as the Advanced Persistent Threat (APT). The APT is "targeted attacks against specific organizations and industries with the primary goal of stealing information" (Mandiant 2011, 5). The APT is directed at commercial interests, both domestic and foreign governments, and non-government organizations. Cyber espionage is different from other forms of cyber-attack because the source of the attack originates from inside the organization. This makes cyber espionage perhaps more difficult for companies to defend against, particularly if the person conducting the espionage is a high ranking individual. In the U.S. government the process of granting security clearances is intended to eliminate those employees who would have the potential to be persuaded to conduct espionage, but it is an imperfect process. Cyber-attacks originate from a variety of sources. People conducting cyber-attacks might be teenagers simply playing around on their computers and attempting to cause mischief, groups trying to steal identities or achieve other financial gain, or cyber-attacks might come from

terrorist organizations or enemy nations wishing to steal information or cause harm. There are any number of motives in the spectrum between relatively harmless mischief and cyber terrorism. A common theme of cyber-attacks during recent years stems from what are known as hacktivists. Hacktivists are people or groups who are motivated by things such as nationalism or support for a cause; they use cyber-attacks to take a stand on an issue (Ashmore 2009, 24). This seems to have been a significant motivator in the large scale cyber-attacks against Estonia, believed to have been conducted by ethnic Russians, and also appears to be a theme among many of the people who are piloting cyber-attacks in China against other nations. These different methods of cyber-attack can all be effective in accessing sensitive national security information. This, in turn, creates a legitimate threat against U.S. national security. There are many potential results from cyber-attacks, ranging from compromised security information to physical harm to people or property.

Chapter 3: The Cost of Cyber-Attacks

One major concern when considering the impact of cyber-attacks is that the target of the attacks often does not know what the potential cost is or will be. The costs of the damage which cyber-attacks can cause are two-fold. The financial costs, which are measurable, include the hours required to combat and eradicate the attack and the cost of hiring outside consultants to assist in combating the attack. Other measurable financial costs are incurred when an individual's personal information, such as bank or credit card details, is compromised. The potentially more damaging costs, however, are far more difficult to quantify. These costs largely center on the value of information which might have been gleaned from the attacks. When government organizations are hacked, it is possible that an enemy nation might have gained access to sensitive national security information. It is also possible that the hackers left loopholes in the system which can be used later as an access point for further hacking or damage.

Financial

Although the financial impact of cyber-attacks is easier to quantify than the cost of the less tangible damage which might have occurred, one can still only guess at the financial damage cyber-attacks cost. The Internet Crime Complaint Center (IC3), which is a collaboration of the Federal Bureau of Investigation and the National White Collar Crime Center, is a repository of complaints about cyber-crime, including hacking, identity theft and economic espionage, to name a few (IC3 2011). In 2010, the IC3 received over 300,000 complaints (IC3). While many of these complaints are from people who are merely reporting a hacking or phishing attempt but did not

fall victim to it, many people claim significant financial losses due to cyber-crime. Groups of victims of some scams reported hundreds of millions of dollars in financial losses (IC3). The cyber-attack on Estonia, which will be discussed in Chapter 6, included attacks against Estonia's banks. One bank estimated financial losses as a result of the attack of $1 million, but an additional, more difficult to measure financial cost stemmed from the fact that the attacks prevented credit card and automatic teller machine transactions from occurring for several days (Herzog 2011, 52). While on a global scale $1 million is not a terribly significant sum of money, it is difficult to quantify the cost of people not being able to access their money for days at a time or suddenly being unable to access electronic information. In the U.S., society is becoming increasingly paperless; for many people, not being able to use credit cards or ATMs could mean that they are not able to make any purchases, and it could interrupt business activities. Additionally, one must consider that these kinds of incidents reduce confidence in banking systems which, especially in recent years, are already harmed by fears of solvency and worries about reliability.

Information

To determine the less tangible cost of information which was accessed, the company or government organization must first know what was taken; this is not always a simple or straightforward process. Attackers encrypt data in order to make it difficult to tell what was removed. If a company cannot determine what was taken, it cannot take corrective action. In order to counter this, attackers must be caught in the act to see what they are specifically targeting. Additionally, the company or organization might not be able to see whether the attackers have established residence in the system to make it easier to return at a later date. One type of

malware used in cyber-attacks is the Trojan. In addition to the damage Trojans can cause by collecting login information or further infecting systems, to name just a couple of examples, Trojans can also leave a back door program through which the further removal of files can occur (Everard 2008, 122). The potential for hackers not only to cause havoc and potential harm but also to leave systems in place so that they can return at a later date is very disconcerting for U.S. national security. This could mean that, even if cyber-attacks are discovered and counteracted, there might still be a ticking time bomb of sorts remaining in the system. Because so many of these harmful files are disguised as legitimate ones, it is very difficult to be certain that every trace of the attack has been discovered and neutralized. The additional effort necessary to be certain that systems are once again secure, which might involve a reset of systems, is costly and time-consuming.

Chapter 4: Case Study 1 - U.S. Government / U.S. Military

The U.S. government is a key target for those enemies of the U.S. who might wish to conduct cyber-attacks. As with many other nations, the U.S. government enjoys a large amount of online connectivity. While this is advantageous in many ways (it saves money and improves efficiency, for example), it also creates the possibility that outside parties can break into systems and that the systems can be exploited. One major concern for the U.S. government is the potential for Supervisory Control and Data Acquisition (SCADA) systems to be compromised. SCADA systems are connected via a network and are used to "monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining and transportation" (National Communications System 2004, 4). SCADA systems control critical infrastructure. Because SCADA systems are connected via a network, they can be attacked by hackers or damaged by cyber espionage. This should be a significant concern for U.S. national security because it is an area that could cause significant harm to the U.S. population. In 2008, researchers were able to conduct a cyber-attack on a power generator which caused it to self-destruct; they determined that a similar attack could be easily mounted against the current U.S. power system with only $5 million in investment and three to five years of preparation (Henry et al. 2010, 152). SCADA systems are another example wherein technological advances have improved operations, but at the expense of increased security risk. Over the past decade, SCADA systems have increasingly utilized standard technologies; while this has made it easier for the industry to

integrate various diverse systems together, it has also increased the risks of less technical personnel gaining access to and control of these industrial networks (National Communications System 2004, 41). If a nation were planning to attack the U.S., an attack on SCADA systems could precede it. If an external attack could cause widespread power outages across many cities, it "could be a primer for a military invasion, a terrorist raid, or a setup for massive illegal operations" (Henry et al. 2010, 149). It is believed that al-Qaeda has included cyber terrorism as a possible outlet for its activities. In 2002 the U.S. government described training manuals from al-Qaeda training camps which had explored vulnerabilities in SCADA systems with the intention of conducting attacks (Everard 2008, 123). SCADA systems are vulnerable to any number of cyber-attack methods. One U.S. government organization describes the various methods that could be used to damage or compromise SCADA systems. DDoS attacks can be used against SCADA systems, leading to a system shut down; viruses can be planted in the system, allowing an outside party to take control; or sensitive information or login details can be stolen, just to name a few (National Communications System 2004, 42). Attacks on SCADA systems are not a new concept; to date there have been cyber-attacks which have impacted critical infrastructure, although none has yet led to a significant catastrophe. In 2008, a cyber-attack led to power outages in numerous cities and was followed by extortion demands (Piggin 2010, 37). Another example of the potential catastrophe resulting from cyber-attacks against SCADA systems arose in 2009 and 2010, with the Stuxnet worm. Stuxnet appears to have been directed against nuclear facilities in Iran to disrupt enriched uranium processing (Davis 2011).

The intention of Stuxnet was to reprogram systems in a manner that would "sabotage [an industrial] plant, hiding the changes from programmers or users" (Piggin 2010, 38). As was discussed in Chapter 3, one of the key problems with recovering from cyber-attacks is the potential that a company or government organization will not be able to determine the damage that was caused by an attack, and therefore will not be able to counteract that damage. A large source of cyber-attacks against the U.S. appears to stem from China. Although state-sponsored cyber-attacks have not often been proven, it is known that groups of patriotic Chinese hackers have been attacking American websites for a number of years (Henry et al. 2010, 150). China's motivation for conducting cyber-attacks is in line with China's own national strategies. Hjortdal notes that China derives a greater benefit than other nations from increasing its cyber warfare capabilities; the superior military capability of the U.S. will not easily be matched, so cyber warfare capabilities can act as a deterrent against U.S. military might (2011, 3). The types of cyber-attack which were discussed in Chapter 2 have all been used against the U.S. government. The U.S. is under frequent attack from hackers. Ashmore notes that the U.S. government is able to protect itself from cyber-attacks, but the U.S. IT system is not completely impenetrable (2009, 20). One advantage that the U.S. enjoys is that, because of the size of the country, its large population and infrastructure, and its large government, there is a significant amount of redundancy in place. This helps reduce the risk of attacks such as DDoS attacks. This type of attack should not be ignored, of course; however, the likelihood that a DDoS attack in the U.S. could lead to a wide-scale shutdown of services, as occurred in Estonia, is fairly low. It is possible, however, that a targeted DDoS attack could occur against one area of critical infrastructure. Attacks

against SCADA systems, for example, could lead to large financial costs or significant loss of life. The more present threats, however, stem from the other two methods of attack which have been discussed: cyber espionage and spear phishing. Cyber espionage has come to the forefront of fears about cyber issues, particularly in light of the recent massive leaks of classified government documents which were then released to the public via forums such as WikiLeaks. The controversial WikiLeaks website, which obtains and disseminates illegally obtained classified information to the public, has recently been at the forefront of national security concerns. The WikiLeaks issue is indicative of a large part of the cyber threats which the U.S. is currently facing. WikiLeaks is one glaring example of a subculture of hackers, known as hacktivists, who believe that all information should be available to the public, and who take it upon themselves to obtain and disseminate that information (Ludlow 2010, 25). Although the freedoms the U.S. enjoys should be maintained, some information must remain classified in order to ensure the security of U.S. citizens. If the military and government released every bit of information they had, it could open the door to any number of hostile actions by terrorist groups or hostile nations, both on U.S. soil and directed at U.S. interests abroad. Part of U.S. security is maintaining classified information. WikiLeaks itself cannot necessarily take full blame for these security breaches. It is clear that WikiLeaks provides a forum to release this confidential information; however, if operational security had been maintained on government premises, the information would not have been easy to steal and provide to WikiLeaks. The recent release of information on the WikiLeaks site occurred because of a failure to implement routine measures to secure physical premises where

24 secret data could be accessed; a soldier was able to copy files onto external storage devices, in this case CDs and DVDs, and smuggle the information out (Guinchard 2011, 83). The Stuxnet worm also demonstrated the risks associated with external hardware being utilized with sensitive computers. Stuxnet was determined to access systems using external USB drives set to auto-execute when inserted into a computer (Piggin 2010, 38). The Stuxnet worm was so effective in part because, in order to install the malware onto a PC which in this case helped control a nuclear plant, it did not require any user interaction beyond inserting [a USB] drive into the computer (Davis 2011). One positive result of the recent events such as the WikiLeaks scandal and the Stuxnet worm is a renewed effort to examine data security practices in the U.S. government. A number of suggestions have been made to prevent future similar occurrences. These suggestions include ensuring that employee access is in line with clearance level, although this would not have prevented the recent WikiLeaks incident; removing hardware from computers, such as USB ports and CD or DVD burners that would allow document withdrawal; or, when that hardware is necessary, installing data loss prevention software which can track what information has been accessed and downloaded (Wiler 2011, 4). Davis (2011), speaking about defending against attacks such as the Stuxnet worm, emphasizes protecting against the use of external storage devices such as USB drives; security software is available that can block the loading of programs from external drives and therefore could prevent something like Stuxnet from being so simple to load onto a PC. The government has developed measures which will hopefully stem the recent flood of classified information from government computers out to the public. There are tighter restrictions and security against things like external flash drives brought into government offices. 19

25 Unfortunately, there are almost always ways for people to steal information to sell to the highest bidder. One hopes that the security clearance process that those who will be handling classified information must go through will help weed out those who are likely to be susceptible to things like bribery or blackmail, but unfortunately it is not a perfect process. There is also the potential for government employees to engage in cyber-attacks. If an employee is disgruntled or a former employee is angry about their termination, they might decide to conduct an attack against U.S. government computer systems. In Australia, for example, an angry former employee hacked into a computerized waste management system and caused a sewage spill into parks, rivers and a local business (Everard 2008, 123). If a similar successful attack occurred in the U.S., it could lead to drinking water contamination or, depending on what piece of infrastructure was attacked, any number of problems ranging from inconveniences to serious illness or death of U.S. residents. The other form of attack that can be directed against the U.S. government is phishing, or spear phishing, attacks. Spear phishing attacks share similarities with cyber espionage in that the target is specifically chosen and the actions taken are detailed based on the target. Phishing attacks attempt to trick people into inviting attackers into a system by downloading malicious software included in files which appear to be innocuous or by clicking links which will cause malware to be loaded onto a computer and, eventually, spread through an organization via the network. One example of the type of virus or malware which could be loaded onto government computer systems using phishing techniques is the Slammer Worm, which in 2003 disrupted banking, airlines, infrastructure and emergency services, and disabled the safety monitoring system at a nuclear power plant for [a] combined period of 11 hours (Everard 2008, 124). It is 20

26 not difficult to imagine the potential catastrophe that could take place as a result of disabling nuclear plant safety on conjunction with another attack, whether an additional cyber-attack or an armed attack. Another challenge which the U.S. government must face stems from the fact that the U.S. government relies on private companies for a great deal of operations. Organizations such as Company A, which will be examined in Chapter 5, provide a variety of services to the U.S. government involving critical infrastructure. Additionally, while the government is responsible for U.S. national security, much of the U.S. s critical infrastructure, which helps to keep the U.S. secure and operating smoothly, is under private purview. It is somewhat enigmatic that, Traditionally it falls on governments to promote the public good, with the involvement of the military in exceptional cases, and the private sector is kept at bay. This framework runs counter to the very organization of the [critical infrastructure], where the private sector dominates and will not naturally contact the military (Guinchard ). The U.S. government is tasked with protecting private industry without interfering in the operations of private companies. Many companies which deal with the U.S. government have separate government subsidiaries or departments so that their staff can maintain the requisite government security clearances. When making proposals for U.S. government contracts, companies must fill out the Department of Defense forms which ensure that their IT security protocol meets the standards necessary for work on U.S. government tasks. While these steps help mitigate the IT security risks, there is still a significant cyber threat which must continue to be addressed. 21

27 Chapter 5 Case Study 2 a Telecommunications Company The threat of cyber-attacks is relevant to many aspects of U.S. national security. Not only is there a threat from the perspective of sensitive government and military concerns, there are also significant threats to private industries. Of particular worry are those private industries which fall under the category of critical infrastructure, including the telecommunications industry. Communications are considered critical infrastructure due to the fact that, in the event of a disaster, maintaining open lines of communication is of paramount importance. This author met with an Information Security Analyst at a telecommunications company which shall be referred to as Company A; unless otherwise noted all information came from this analyst. Company A is the target of an advanced hacking group commonly referred to as the APT. The APT is defined at Company A as a state sponsored, persistent, human backed threat directly targeting [Company A] for a specific purpose (Anonymous 2011). The company learned of an APT attack in the second half of 2010, and the resulting investigation identified five different APT groups present within the environment. The identified APT groups ranged from amateur to elite but shared the same goal; state sponsored information reconnaissance. Of the variety of APTs which have been discovered over recent years, a large percentage of these attacks have been directed at the industries in which Company A is involved. According to one study, 42% of the APT victims were commercial, and of those 20% were involved in the communications sector (Mandiant 2011, 5). The 2010 APT attack on Company A is believed to have originated from China. The motive for the APT is believed to be data mining, or information gathering. Company A is unique in its mission and equipment, so non-public information which Company A possesses 22

28 would be of interest to foreign governments. Company A also has large ties to the U.S. government, which further makes it a target for cyber-attacks. Company A discovered that some of the APT attacks were targeted at specific project information, including projects specific to the company s interactions with the U.S. government, including the military. The method used to conduct the attack against Company A was quite sophisticated. The hackers sent s designed to appear to come from employees of the company and included links or attachments which the recipient of the was asked to click or open resulting in malicious software compromising the user s computer and Company A s environment. To add an additional level of sophistication to these attacks, the s appeared professional by using proper spelling and grammar, including relevant topics, and using actual employee signatures. As a result, the attackers were successful at convincing many employees to click on harmful links or open malicious attachments. As discussed in Chapter 3, the price of these attacks on Company A is two-fold: the measurable financial cost and the intangible cost of the information which might have been accessed by the parties conducting the attacks. The financial impact of these attacks to Company A was significant. Company A consulted with outside experts to help combat the impact of the 2010 APT attacks which generated a large amount of expenses for the company. In addition, the incident response team had to devote countless hours towards combating these attacks and devised a plan for inevitable, future attacks. Likely more damaging than the financial impacts is the concern that China, who is believed to be behind the elite APT attacks, was able to access information. As mentioned above, 23

29 one of the great challenges of these cyber-attacks is trying to determine exactly what information was accessed. Company A is a unique company which specializes in an area of telecommunications that would be of great interest to enemy nations. Countries such as China have an interest in developing their technological capabilities in this area, so these attacks might have been intended to discover information to improve China s capabilities. It is also possible that China, or other groups which might wish to harm the U.S., is trying to discover ways to disrupt communications systems by attacking key telecommunications providers such as Company A. Fortunately, Company A was able to discern which files were infected and used in the APT attack. The files were effectively removed and all traces eliminated; the attackers were unable to leave files which could create an access point for a future attack. In order to gain access to Company A s secure systems in the future, there would have to be another successful attack. Knowing how the APT presented, Company A is well prepared for any future potential attack and will be able to recognize another attempt. The main security concern for Company A is that it might be unclear what information was accessed. This is where the potential security threat asserts itself. Company A has sensitive information which might be of use to another nation, particularly one like China, so not knowing what information was stolen could present a security risk. Company A has taken actions to help reduce the chances that future cyber-attacks will be successful. Because it was determined that initial compromises stem from the malicious s described above, Company A took proactive measures to notify employees that s originated from outside systems. Company A also increased system filters and conducted numerous company meetings to emphasize to employees how to approach cyber security. The 24

30 importance of employees reporting anything suspicious, particularly if someone suspects that they might have inadvertently clicked on a harmful link, is emphasized on a regular basis. It is hopeful that these steps will reduce the impact of future APT attacks or other forms of cyber-attacks. While there is no way to make computing systems impenetrable, taking preventative measures will help minimize the potential damage from future attacks. All companies must find a balance between cyber security controls and the business ability to operate effectively in a manner that reduces the risks of cyber-attacks and generally maintains the integrity of company security. 25
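The spear-phishing pattern described in Chapter 4 and in the Company A case study (e-mails crafted to look like they came from employees, answered by Company A with notices that a message originated outside its systems) can be enforced at the mail gateway. The following is an added example and not Company A's or the paper's code; it assumes the gateway knows whether each inbound message arrived from an internal relay, and the internal domain, employee names and sample messages are constructed.

```python
"""Tag externally originated e-mail and flag messages that borrow an internal identity.

Added example, not Company A's code.  Assumes a mail gateway that can tell whether
a message arrived from an internal relay or from the Internet; the domain, the
employee directory and the sample messages below are constructed for illustration.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"company-a.example"}           # assumed internal mail domain
EMPLOYEE_DISPLAY_NAMES = {"jane doe", "r. patel"}   # constructed directory sample
BANNER = "[EXTERNAL] "
BODY_BANNER = ("CAUTION: This e-mail originated from outside the company.\n"
               "Do not click links or open attachments unless you expected them.\n\n")


def parse(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message with the modern (EmailMessage) policy."""
    return message_from_string(raw, policy=policy.default)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(msg: EmailMessage, arrived_via_internal_relay: bool) -> dict:
    """Decide origin and list the spoofing indicators visible in the headers."""
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    external = not arrived_via_internal_relay
    reasons = []
    # An internal domain in From: on mail that never touched an internal relay
    # is the signature of the employee-impersonation e-mails in the case study.
    if external and from_domain in INTERNAL_DOMAINS:
        reasons.append("internal From: domain on a message that arrived from outside")
    # A known employee's display name in front of an outside address.
    if (external and name.strip().lower() in EMPLOYEE_DISPLAY_NAMES
            and from_domain not in INTERNAL_DOMAINS):
        reasons.append("employee display name paired with an outside address")
    # Replies silently redirected to a domain other than the apparent sender's.
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append("Reply-To: domain differs from From: domain")
    return {"external": external, "suspicious": bool(reasons), "reasons": reasons}


def tag_external(msg: EmailMessage, verdict: dict) -> EmailMessage:
    """Prepend the banner to Subject: and to a plain-text body of outside mail."""
    if not verdict["external"]:
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(BANNER):
        del msg["Subject"]                      # policy.default allows one Subject:
        msg["Subject"] = BANNER + subject
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        body = msg.get_content()
        if not body.startswith(BODY_BANNER):
            msg.set_content(BODY_BANNER + body)
    return msg


def process(raw: str, arrived_via_internal_relay: bool) -> tuple:
    """Gateway entry point: parse, classify, tag; returns (message, verdict)."""
    msg = parse(raw)
    verdict = classify(msg, arrived_via_internal_relay)
    return tag_external(msg, verdict), verdict


# Constructed samples.  The first two mimic the case-study pattern; the third is
# genuine internal mail that must pass through untouched.
SPOOFED_INTERNAL = """\
From: Jane Doe <jane.doe@company-a.example>
To: staff@company-a.example
Reply-To: jane.doe@mail-drop.example
Subject: Updated project schedule

Please review the attached schedule before Friday's meeting.
"""

LOOKALIKE_SENDER = """\
From: R. Patel <r.patel@webmail.example>
To: staff@company-a.example
Subject: Invoice for approval

See the attached invoice and approve it today.
"""

GENUINE_INTERNAL = """\
From: Jane Doe <jane.doe@company-a.example>
To: staff@company-a.example
Subject: Lunch menu

The cafeteria menu for next week is attached.
"""

if __name__ == "__main__":
    for raw, internal in ((SPOOFED_INTERNAL, False), (LOOKALIKE_SENDER, False),
                          (GENUINE_INTERNAL, True)):
        tagged, verdict = process(raw, arrived_via_internal_relay=internal)
        print(tagged["Subject"], "->", verdict)
```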

Chapter 6: Case Study 3, Cyber-Attacks on Estonia and Other Former Soviet Countries

2007 saw a string of cyber-attacks on various nations which are former members of the Soviet Union. The first of these occurred in Estonia in April and May of 2007, following a controversial move of a memorial that commemorated Russia's defeat of the Nazis in World War II. There were ongoing ethnic tensions leading up to this action, but the movement of the memorial seems to have been the spark that set off the conflict. Ethnic Russians living in Estonia rioted against this action and "a sustained massive cyber-attack on [Estonia's] information infrastructure" occurred (Ashmore 2009, 4).

The cyber-attack on Estonia, which was a DDoS attack, is very important when examining the potential national security impact of cyber-attacks on the U.S. for three main reasons. The first, and perhaps most significant, reason that the Estonian case study is so important is that it could represent "a prototype of a new form of economic warfare in the 21st century" ("Estonia Cyber-Attack, April-May"). The U.S. must examine the Estonian case because a similar attack might occur against the U.S. at some point, and the U.S. must be prepared for it.

The second reason that the Estonian case study is important is that it could have implications for the national security of the allies of any nation which is targeted with cyber warfare. This could impact U.S. national security because, in the event that cyber-attacks lead to a significant loss of life, as could happen if successful attacks occur against SCADA systems, for example, the U.S. could be drawn into military conflicts to assist allies. This might be especially relevant with regard to U.S. membership in NATO, of which Estonia is also a member. The collective defense aspects of the NATO agreement could have a significant impact on U.S. national security if a fellow NATO member sustained a major cyber-attack that is considered an act of war. The attack on Estonia, because it appeared to be in response to the controversial movement of the Russian commemorative statue, was considered by many to be an example of cyberwar, "an organized attempt to bring an entire country's computer network to its knees" ("Estonia Cyber-Attack, April-May").

The final reason to focus on the Estonian incident in this particular case study is that it was the first of its kind. The cyber-attack against Estonia was the first cyber-attack that was directed at the national security of a country (Ashmore 2009, 4). Although DDoS attacks had occurred before, this was the first incident where a cyber-attack was directed at a nation. Because this had never occurred before, it was "a wake-up call to the world that critical infrastructure could be targeted digitally by state-backed actors or by autonomous individuals such as hacktivists" (Herzog 2011, 56). Estonia is one of the more technologically advanced countries in the world. One author notes that Estonia "has become a marvel of e-government, where online procedures dominate" (Kampmark 2007, 288). While many people around the world enjoy the benefits of technological advances, including things like the widespread availability of the Internet, the cyber-attack on Estonia is a glaring representation of the potential harm that can be caused by widespread connectivity.

Estonia is not the only nation to have suffered from cyber-attacks believed to have originated from Russia, although for the purposes of this research paper it is the most important. In 2008 another DDoS attack was conducted, this time against Georgia. While this attack was not as large as the attack against Estonia (Georgia is not as reliant on IT infrastructure, so services were not impacted as they were in Estonia), it has its own significance: the attack occurred while Georgia was engaged in combat with Russia (Ashmore 2009, 10). Lithuania and Kyrgyzstan also suffered cyber-attacks shortly following those that occurred in Estonia and Georgia. In both cases, the attacks appeared to be in response to actions that were perceived to be anti-Russian and, as in Estonia and Georgia, both attacks involved DDoS attacks. The other aspect which all four cases have in common is that, although Russian involvement was heavily suspected, it could not be proven; it appears evident, however, that opposition to the Russian government, particularly by former satellite nations, will result in cyber-attacks (Ashmore 2009, 12).

One advantage of cyber-attacks, in addition to their relatively low cost, is that it is often difficult to determine who the attacker was. Cyber-attack origins are difficult if not impossible to trace, especially since botnets can be constructed to include computers from around the globe; in the Estonia case, the DDoS attacks were discovered to have stemmed from computers in a variety of countries, including the U.S. and Vietnam ("Estonia Cyber-Attack, April-May"). Even though Russian IP addresses were discovered behind the attacks, if hackers can route the attack through the U.S. and Vietnam, hackers could also have deliberately made it appear that Russia was behind the attacks by routing the attack through Russian IP addresses. Russia could argue that it would be advantageous for a group to make it appear that cyber-attacks are originating from Russia in order to lead to sanctions or other punitive actions on the part of Estonia or one of Estonia's allies. Because it is difficult to prove who is responsible for cyber-attacks, it is difficult to respond to them.

Chapter 7: Will Cyber-Attacks Be Considered War? Implications for the U.S. as a Member of NATO

Cyber-attacks are a new and developing form of warfare, and any type of war has great potential implications for the U.S., not only as a world leader but also as a member of the North Atlantic Treaty Organization ("NATO"). A key aspect of membership in NATO for all countries is the well-known Article 5 of the North Atlantic Treaty. Article 5 includes the following language:

"The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area" (NATO).

Article 5 indicates that, if a NATO member is attacked, other NATO members will respond, militarily if necessary, in order to resolve the conflict. Today, cyber-attacks are not formally considered acts of war. However, labeling cyber-attacks as similar to armed attacks might occur in the near future. If cyber-attacks become equivalent to acts of war, by NATO's definition, it could have a significant impact on U.S. national security. As cyber warfare increases in prevalence and the potential for damages grows, it is inevitable that international laws regarding cyber warfare will become more in depth and will


More information

Information Security. CS526 Topic 1

Information Security. CS526 Topic 1 Information Security CS 526 Topic 1 Overview of the Course 1 Today s Security News Today: 220 million records stolen, 16 arrested in massive South Korean data breach A number of online gaming & movie ticket

More information

Don t Fall Victim to Cybercrime:

Don t Fall Victim to Cybercrime: Don t Fall Victim to Cybercrime: Best Practices to Safeguard Your Business Agenda Cybercrime Overview Corporate Account Takeover Computer Hacking, Phishing, Malware Breach Statistics Internet Security

More information

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco. The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco. 1 Calling All CEOs Are You Ready to Defend the Battlefield of the 21st Century? It is not the norm for corporations to be

More information

Malware & Botnets. Botnets

Malware & Botnets. Botnets - 2 - Malware & Botnets The Internet is a powerful and useful tool, but in the same way that you shouldn t drive without buckling your seat belt or ride a bike without a helmet, you shouldn t venture online

More information

Offensive capabilities

Offensive capabilities Chapter 5 5 Beyond signals intelligence: Offensive capabilities 5.1 Introduction Documents released by German magazine Der Spiegel provide a much richer picture of the offensive activities of the NSA and

More information

AT A HEARING ENTITLED THREATS TO THE HOMELAND

AT A HEARING ENTITLED THREATS TO THE HOMELAND STATEMENT OF JAMES B. COMEY DIRECTOR FEDERAL BUREAU OF INVESTIGATION BEFORE THE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE AT A HEARING ENTITLED THREATS TO THE HOMELAND

More information

TLP WHITE. Denial of service attacks: what you need to know

TLP WHITE. Denial of service attacks: what you need to know Denial of service attacks: what you need to know Contents Introduction... 2 What is DOS and how does it work?... 2 DDOS... 4 Why are they used?... 5 Take action... 6 Firewalls, antivirus and updates...

More information

Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014

Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014 Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014 It s a pleasure to be with you back home in Boston. I was here just six weeks ago

More information

CHAPTER 10: COMPUTER SECURITY AND RISKS

CHAPTER 10: COMPUTER SECURITY AND RISKS CHAPTER 10: COMPUTER SECURITY AND RISKS Multiple Choice: 1. In a survey of more than 500 companies and government agencies, percent detected computer security breaches. A. 20 B. 75 C. 85 D. 99 Answer:

More information

CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES

CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES The information provided in this document is presented as a courtesy to be used for informational purposes only. This information

More information

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense By: Daniel Harkness, Chris Strasburg, and Scott Pinkerton The Challenge The Internet is an integral part of daily

More information

Safety and security are simply good business.

Safety and security are simply good business. THE BUSINESS ASE FOR YBER SEURITY What s this about in a nutshell? The importance of cyber security for manufacturing and computer control systems has only recently been recognized and therefore has not

More information

Network Security and the Small Business

Network Security and the Small Business Network Security and the Small Business Why network security is important for a small business Many small businesses think that they are less likely targets for security attacks as compared to large enterprises,

More information

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C. 20301-6000

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C. 20301-6000 DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C. 20301-6000 CHIEF INFORMATION OFFICER October 1, 2015 MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS CHAIRMAN OF THE JOINT CHIEFS OF

More information

COSC 472 Network Security

COSC 472 Network Security COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: ealu@salisbury.edu Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html

More information

esoft Technical White Paper: Who Needs Firewall Protection?

esoft Technical White Paper: Who Needs Firewall Protection? esoft Technical White Paper: Who Needs Firewall Protection? "Without the protection of a firewall, which serves as a buffer between an organization s internal network and myriad external networks including

More information

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12 Trends in Malware DRAFT OUTLINE Presentation Synopsis Security is often a game of cat and mouse as security professionals and attackers each vie to stay one step ahead of the other. In this race for dominance,

More information

the Council of Councils initiative

the Council of Councils initiative Author: Andrea Renda, Senior Research Fellow, Centre for European Policy Studies May 3, 2013 Editor's note: This brief is a feature of the Council of Councils initiative, gathering opinions from global

More information

Beyond the Hype: Advanced Persistent Threats

Beyond the Hype: Advanced Persistent Threats Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,

More information

CYBERSPACE SECURITY CONTINUUM

CYBERSPACE SECURITY CONTINUUM CYBERSPACE SECURITY CONTINUUM A People, Processes, and Technology Approach to Meeting Cyber Security Challenges in the 21 st Century 1 InterAgency Board 1550 Crystal Drive Suite 601, Arlington VA 22202

More information

Confrontation or Collaboration?

Confrontation or Collaboration? Confrontation or Collaboration? Congress and the Intelligence Community Cyber Security and the Intelligence Community Eric Rosenbach and Aki J. Peritz Cyber Security and the Intelligence Community The

More information

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Internet Safety and Security: Strategies for Building an Internet Safety Wall Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet

More information

Research Note Engaging in Cyber Warfare

Research Note Engaging in Cyber Warfare Research Note Engaging in Cyber Warfare By: Devin Luco Copyright 2013, ASA Institute for Risk & Innovation Keywords: Cyber War, Cyber Warfare, Cyber Attacks, Cyber Threats Abstract This research note defines

More information

Statement for the Record. Martin Casado, Senior Vice President. Networking and Security Business Unit. VMware, Inc. Before the

Statement for the Record. Martin Casado, Senior Vice President. Networking and Security Business Unit. VMware, Inc. Before the Testimony Statement for the Record Martin Casado, Senior Vice President Networking and Security Business Unit VMware, Inc. Before the U.S. House of Representatives Committee on Science, Space, and Technology

More information

WHITE PAPER WHAT HAPPENED?

WHITE PAPER WHAT HAPPENED? WHITE PAPER WHAT HAPPENED? ENSURING YOU HAVE THE DATA YOU NEED FOR EFFECTIVE FORENSICS AFTER A DATA BREACH Over the past ten years there have been more than 75 data breaches in which a million or more

More information

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 Outline Infosec, COMPUSEC, COMSEC, and Network Security Why do we need Infosec and COMSEC? Security

More information

Who s Doing the Hacking?

Who s Doing the Hacking? Who s Doing the Hacking? 1 HACKTIVISTS Although the term hacktivist refers to cyber attacks conducted in the name of political activism, this segment of the cyber threat spectrum covers everything from

More information

Protecting Organizations from Cyber Attack

Protecting Organizations from Cyber Attack Protecting Organizations from Cyber Attack Cliff Glantz and Guy Landine Pacific Northwest National Laboratory (PNNL) PO Box 999 Richland, WA 99352 cliff.glantz@pnnl.gov guy.landine@pnnl.gov 1 Key Topics

More information

Cybersecurity Awareness. Part 1

Cybersecurity Awareness. Part 1 Part 1 Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat

More information

Global Corporate IT Security Risks: 2013

Global Corporate IT Security Risks: 2013 Global Corporate IT Security Risks: 2013 May 2013 For Kaspersky Lab, the world s largest private developer of advanced security solutions for home users and corporate IT infrastructures, meeting the needs

More information

How To Cover A Data Breach In The European Market

How To Cover A Data Breach In The European Market SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE Businesses today rely heavily on computer networks. Using computers, and logging on to public and private networks has become second nature to

More information

CSC 385-001 Essay 5: Outline

CSC 385-001 Essay 5: Outline Baron i CSC 385-001 Essay 5: Outline Thesis: Spam is dangerous through the malware it encloses and the rogue pharmacy business it works through, but Internet users can work to avoid the dangers of the

More information

Trust the Innovator to Simplify Cloud Security

Trust the Innovator to Simplify Cloud Security Trust the Innovator to Simplify Cloud Security Contents MailGuard Pty Ltd Page 1 of 7 2 Let s get real for a moment. Your antivirus software isn t stopping fastbreak phishing and other spam attacks like

More information

PROMOTION // TECHNOLOGY. The Economics Of Cyber Security

PROMOTION // TECHNOLOGY. The Economics Of Cyber Security PROMOTION // TECHNOLOGY The Economics Of Cyber Security Written by Peter Mills Malicious cyber activity, from hacking and identity fraud to intellectual property theft, is a growing problem within the

More information

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs EXECUTIVE SUMMARY Supervisory Control and Data Acquisition (SCADA) systems are used for remote

More information

Cyberterror. Cyberspace computer-mediated communication systems has become a battleground between states and terrorists, and among nation states.

Cyberterror. Cyberspace computer-mediated communication systems has become a battleground between states and terrorists, and among nation states. Cyberterror Cyberspace computer-mediated communication systems has become a battleground between states and terrorists, and among nation states. What are terrorists main uses of cyberspace? How does cyberterror

More information

COB 302 Management Information System (Lesson 8)

COB 302 Management Information System (Lesson 8) COB 302 Management Information System (Lesson 8) Dr. Stanley Wong Macau University of Science and Technology Chapter 13 Security and Ethical Challenges 安 全 與 倫 理 挑 戰 Remarks: Some of the contents in this

More information

Hackers: Detection and Prevention

Hackers: Detection and Prevention Computer Networks & Computer Security SE 4C03 Project Report Hackers: Detection and Prevention Due Date: March 29 th, 2005 Modified: March 28 th, 2005 Student Name: Arnold Sebastian Professor: Dr. Kartik

More information

Cybercrime: risks, penalties and prevention

Cybercrime: risks, penalties and prevention Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,

More information

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal WHITE PAPER SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM Why Automated Analysis Tools are not Created Equal SECURITY REIMAGINED CONTENTS Executive Summary...3 Introduction: The Rise

More information

The Four-Step Guide to Understanding Cyber Risk

The Four-Step Guide to Understanding Cyber Risk Lifecycle Solutions & Services The Four-Step Guide to Understanding Cyber Risk Identifying Cyber Risks and Addressing the Cyber Security Gap TABLE OF CONTENTS Introduction: A Real Danger It is estimated

More information

Security A to Z the most important terms

Security A to Z the most important terms Security A to Z the most important terms Part 1: A to D UNDERSTAND THE OFFICIAL TERMINOLOGY. This is F-Secure Labs. Learn more about the most important security terms with our official explanations from

More information

Guide to Preventing Social Engineering Fraud

Guide to Preventing Social Engineering Fraud Guide to Preventing Social Engineering Fraud GUIDE TO PREVENTING SOCIAL ENGINEERING FRAUD CONTENTS Social Engineering Fraud Fundamentals and Fraud Strategies... 4 The Psychology of Social Engineering (And

More information

Cyber Security Strategy

Cyber Security Strategy NEW ZEALAND S Cyber Security Strategy 2015 A secure, resilient and prosperous online New Zealand Ministerial Foreword The internet and technology have become a fundamental element in our lives. We use

More information

Cyber-security: legal implications for financial institutions. IAPP Europe Data Protection Intensive 2013

Cyber-security: legal implications for financial institutions. IAPP Europe Data Protection Intensive 2013 Cyber-security: legal implications for financial institutions IAPP Europe Data Protection Intensive 2013 Vivienne Artz Managing Director and General Counsel, Citi Cyber threat landscape Kris McConkey Director,

More information

Cybercrimes NATIONAL CRIME PREVENTION COUNCIL

Cybercrimes NATIONAL CRIME PREVENTION COUNCIL NATIONAL CRIME PREVENTION COUNCIL What is Cybercrime? A crime committed or facilitated via the Internet is a cybercrime. Cybercrime is any criminal activity involving computers and networks. It can range

More information

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS PREPARING FOR ADVANCED CYBER THREATS Cyber attacks are evolving faster than organizations

More information

National Cyber Security Month 2015: Daily Security Awareness Tips

National Cyber Security Month 2015: Daily Security Awareness Tips National Cyber Security Month 2015: Daily Security Awareness Tips October 1 New Threats Are Constantly Being Developed. Protect Your Home Computer and Personal Devices by Automatically Installing OS Updates.

More information

What is Cyber Liability

What is Cyber Liability What is Cyber Liability Ubiquitous Warfare Espionage Media Operational Data Security and Privacy Tech 1 Data Security and Privacy Data Breach Response Costs Privacy Regulatory Action Civil Litigation INSURABLE

More information

The Battlefield. critical infrastructure:

The Battlefield. critical infrastructure: CIP A Business View Rolf Schulz CEO Definition critical infrastructure: 1. Elements of a system that are so vital that disabling any of them would incapacitate the entire system. 2. [In security,] those

More information

Spear Phishing Attacks Why They are Successful and How to Stop Them

Spear Phishing Attacks Why They are Successful and How to Stop Them White Paper Spear Phishing Attacks Why They are Successful and How to Stop Them Combating the Attack of Choice for Cybercriminals White Paper Contents Executive Summary 3 Introduction: The Rise of Spear

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

Cedric Leighton, Colonel, USAF (Ret) Founder & President, Cedric Leighton Associates

Cedric Leighton, Colonel, USAF (Ret) Founder & President, Cedric Leighton Associates Cedric Leighton, Colonel, USAF (Ret) Founder & President, Cedric Leighton Associates What is Cyber Security? The First Cyber Attack The Threat Landscape The Energy Industry as a Target The Legal & Regulatory

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Primer TROUBLE IN YOUR INBOX 5 FACTS EVERY SMALL BUSINESS SHOULD KNOW ABOUT EMAIL-BASED THREATS

Primer TROUBLE IN YOUR INBOX 5 FACTS EVERY SMALL BUSINESS SHOULD KNOW ABOUT EMAIL-BASED THREATS A Primer TROUBLE IN YOUR INBOX 5 FACTS EVERY SMALL BUSINESS SHOULD KNOW ABOUT EMAIL-BASED THREATS Even with today s breakthroughs in online communication, email is still one of the main ways that most

More information

The main object of my research is :

The main object of my research is : The main object of my research is : «War» I try to analyse the mutual impacts between «new wars» and the evolution of the international system More especially my research is about what we call»cyber-war«or»cyber-conflicts«is

More information

United States Cyber Security in the 21st Century

United States Cyber Security in the 21st Century United States Cyber Security in the 21st Century Austin Spears 63 Abstract: Highly sophisticated computer attacks are on the rise. Google, United States defense firms, and state governments are just a

More information

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam EXIN Information Security Foundation based on ISO/IEC 27002 Sample Exam Edition June 2016 Copyright 2016 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored

More information

Getting real about cyber threats: where are you headed?

Getting real about cyber threats: where are you headed? Getting real about cyber threats: where are you headed? Energy, utilities and power generation companies that understand today s cyber threats will be in the best position to defeat them June 2011 At a

More information

Email Security - A Holistic Approach to SMBs

Email Security - A Holistic Approach to SMBs Implementing the latest anti-virus software and security protection systems can prevent many internal and external threats. But these security solutions have to be updated regularly to keep up with new

More information

U. S. Attorney Office Northern District of Texas March 2013

U. S. Attorney Office Northern District of Texas March 2013 U. S. Attorney Office Northern District of Texas March 2013 What Is Cybercrime? Hacking DDOS attacks Domain name hijacking Malware Other computer related offenses, i.e. computer and internet used to facilitate

More information

Legal Issues / Estonia Cyber Incident

Legal Issues / Estonia Cyber Incident Control System Cyber Security Conference 22 October 2009 Legal Issues / Estonia Cyber Incident Maeve Dion Center for Infrastructure Protection George Mason University School of Law Legal Issues / Estonia

More information