During the Electronic Frontiers Forum panel “Cyberwar and the Future of Cyber Conflict” (Sunday 10AM), Internet security expert Bruce Schneier gave the audience an overview of recent cyber attacks and issues in cyber security. He began by defining cyber war as the “spectrum of state-sponsored actions in cyberspace.”
In April, 2011, Estonia suffered an attack on its government sites, one of the first large-scale incidents of its kind. Government sites were brought down. Because Russia and Estonia were clashing politically at the time, Russia was blamed. The Russians never took credit for the attack, though. One person was subsequently convicted, but Schneier used the episode to illustrate one of the chief difficulties with cyber conflict: knowing where attacks come from. In cyberspace, technology spreads capability. When something happens, determining whether it’s caused by a government or a hacker can be difficult. Before the advent of cyber conflict, war was identified by the weaponry used. For example, when a tank rolls into a country, it probably belongs to a government because only governments can afford tanks.
He detailed a list of similar incidents, noting that they can be preludes to physical, or kinetic, attacks, attempts to extort funds from governments, or substitutes for kinetic attacks.
Another problem with cyber war is knowing when it’s over. Not knowing what will happen next makes policy formulation difficult.
As an example, Schneier described a 2009 incident in which Canadians discovered the GhostNet intelligence-gathering program on the Dalai Lama’s computer. The target list was a “Who’s Who of those China wants to spy on,” but Chinese responsibility could not be definitively established.
He indicated that cyber attacks can be waged by governments, by individuals seeking to support their governments or causes, or by individuals acting with tacit government support. Such actions are not new. Schneier mentioned a 1982 incident in which malicious code was inserted in Canadian software that went to Russia. The code caused an explosion on the Trans-Siberian pipeline, the largest non-nuclear explosion ever.
Blowing up someone’s network, he said, is the least useful option. The most useful is controlling it, being able to add or delete messages or take down the system for a while when the user doesn’t expect an outage. Second best is eavesdropping on the system. Destroying it should be the last resort.
Although cyber attacks are not new, they now involve more non-governmental actors. Effective defense against any sort of attack depends on knowing who is attacking and why. These are the two things, Schneier said, that are unknown in cyber attacks, so defending against them is difficult.
Researcher Steve Bellovin has developed a two-axis model, plotting attackers based on skill and focus. Those with high skill and low focus are hackers who engage in activities like identity theft. At the other end of the spectrum, those with high skill and high focus qualify as an advanced persistent threat (APT). With identity theft and bank account hacking, Schneier said, relative security is important. “Is my password stronger than the other guy’s? If it is, he’ll get hacked first, and I’m safe.” An APT, however, chooses a specific target for a specific reason. Relative security is no longer important. Absolute security, the question of whether the target is stronger than the attacker, controls the result.
He noted that “metaphors frame debate” and that saying we’re “at war with China” reinforces the idea we’re helpless and need protection more than saying we’re “dealing with Chinese hackers.” This is a particularly important difference when dealing with suppression of liberties. If law enforcement wants to eavesdrop on citizens, there is a higher tolerance for that during wartime.
Cyber warfare is asymmetric, Bellovin said; countries having more cyber architecture in more important roles are also the most vulnerable. Currently, attackers have the advantage because attacking is easier than defending. Inability to attribute an attack to anyone makes responding difficult. Blaming the wrong source can spread the conflict.
Politically motivated hacking can focus on governments, political parties, individuals, corporations, and industries. In 2010, the United States formed the U.S. Cyber Command to guard against cyber attacks. A current issue, Schneier said, one critical to security, is whether government or free enterprise will control the security of critical infrastructure.
Asked about online voting, Schneier described the hacking potential as “enormous.” He said belief in the integrity of an election is crucial, and he opposes online voting because he knows of no way to secure it. Bank security, he noted, works on an audit basis, going back through transactions to determine what happened. That’s fundamentally incompatible with the anonymity of voting.