Cyber Warfare and Attribution

Stories like the July 4th cyber attack are raising our awareness of the cyber battlefield.  Given the media focus on bots, rootkits, and malware, it is easy to overlook the core of these attacks – human conflict.  In the Art of War, Sun Tzu stressed the understanding of those who wield the weapons of war.  Security expert Richard Stiennon of IT-Harvest applauds this perspective.  Below are highlights from the SecureLexicon Art of War podcast with Mr. Stiennon.

The Cyber Battlefield

According to Sun Tzu, victory is predicated on understanding both yourself and the opponent.  This understanding goes beyond knowing attack techniques.  One must understand the mind and spirit of the enemy.  This is where our cyber strategy falls short.  “At the very low level”, said Stiennon, “the typical enterprise-driven individual treats attacks as if they are nameless, faceless packets coming at them – and that’s how most vendors have created their products.”  While this approach has its merit, it fails to provide forensic intelligence that reveals the nature of the attacker.

“On the larger theater, where there’s hacktivism going on, there is more study of who the attackers are.”  Mr. Stiennon cited Hamas vs. Israel and Russia vs. Estonia.  While these exemplify a focus on attribution and the understanding of attacks, “no one does it better than China,” said Stiennon.  When asked how we can counter the methods employed by China, Stiennon said “certainly we don’t want to engage in counter cyber espionage.”  He feels that we should defend ourselves using the information gleaned from examining these attacks.  According to Stiennon, “we must watch them and block them at every possible opportunity.”

Winning the Hearts and Minds of Would-be Attackers

Understanding the environmental context of the battlefield and its populace is, according to Stiennon, “one of the key turning points in understanding the new cyber domain for warfare.”  Crowd sourcing is powerful because it employs other people in the conduct of an exploit.  According to Stiennon, crowd sourcing is effective because of its “very low cost in terms of technical investment and low cost in terms of political fallout.”  Its effectiveness, however, depends on the instigator’s ability to rally support for the attack.  Stiennon described how crowd-sourced cyber attacks on Iran evolved from attack tools posted on web sites for download to web applications that “tricked people into being a part of the cyber army.”

“Invincibility is in oneself.  Vulnerability is in the opponent.” – Sun Tzu

Sun Tzu advised that the enemy be enticed into actions that reveal useful information about their operational capabilities, tactics, and strategies.  “I think this is very critical for the aspect of cyber war that we are having the most trouble with – attribution,” said Stiennon.  He supports the use of honeypots/honeynets to gain knowledge of our adversaries through forensic analysis of their attacks.  These cyber artifices require careful coordination between operational, tactical, and strategic activities to make them convincing.

My interview with Amit Yoran detailed how our analysis of the opponent must have forensic rigor.  We must understand the weapon, the attacker’s identity, how it was used, and what effect it had.  I hold that our analysis must also determine the “why” behind the attack.  Before engaging his opponent, General George S. Patton studied the works of his counterpart: his books, articles, poems, etc.  His goal was to understand the mind of that individual.  We must do the same.

The Conditions for Victory

According to Stiennon, “a cyber conflict is going to be part of another conflict.  If the goal were simply the cyber attack, it would be an ineffective goal because we recover from cyber attacks.”  For example, the SQL Slammer worm shut down several Internet transit providers in 2003.  However, its effects lasted for about twelve hours.  Mr. Stiennon holds that a cyber attack could be employed effectively as a distraction or as a means to disrupt communications.  “The goal of information, as stated in US and Chinese military manuals, is information dominance.  This means that you have complete control over, and complete access to, the enemy’s information and ability to shut off the enemy’s ability to communicate.”  Meeting this goal through cyber attacks alone is unlikely given the exploits currently available.

According to Stiennon, accountability at all levels of the enterprise is critical to security.  “I think the lesson learned from many wars is, from a defensive standpoint, cyber war is very distributed. You won’t be able to fortify a particular perimeter and be any stronger because you have to defend everything, everywhere.  That means that you have to delegate all the way down to system administration level responsibility for security.”  Mr. Stiennon adds that this responsibility must have associated rewards and punishments.

Closing Thoughts

War has not changed.  The weapons of disruption, corruption, and destruction reflect only the evolution of human creativity and innovation.  We must understand the conflicts that drive their use, be they individual, corporate, or international.  Without this insight, we are doomed to cyber attrition.

Copyright © 2009 IDG Communications, Inc.