Editor’s Note: The following article was published in August for the Journal of Counterterrorism and Homeland Security International. The Journal is published by the International Association for Counterterrorism and Security Professionals, where David Gewirtz serves as cyberterrorism advisor.
A native of Fair Lawn, Gewirtz earned his bachelor’s in computer science at Worcester Polytechnic in Massachusetts in 1982. He was in the Ph.D. program in computer science at Berkeley before leaving to be a middle manager at a Silicon Valley startup, Pyramid Technologies, and then went to Living Videotext, owned by Symantec. Gewirtz wrote articles and books on the potential of digital commerce as early as 1992 and was featured in U.S 1 in April 1993 after he started two companies in Princeton — Component Software and Product Power. In June 1999 U.S. 1 featured him again after he founded ZATZ Puiblishing at 1377 Route 206 in Skillman.
Gewirtz is the editor-in-chief of ZATZ, which is now based in Florida and publishes five online magazines dedicated to digital technologies and 14 guides to various computer issues. Gewirtz can be reached via E-mail at firstname.lastname@example.org.
When it comes to a future cyberwar, the issue is no longer if it will happen. Instead, the concern is when it will happen, how bad it will be, and how many attacks we will have to withstand.
Cyberwar is inevitable. From the perspective of our enemies, waging a cyberwar is just too easy and too effective to ignore. Put bluntly, a cyberwar has an excellent return on investment.
Carl von Clausewitz observed, “War is a continuation of policy by other means.” Information warfare — a cyberwar — waged via computers and the Internet certainly can further a political agenda. What makes cyberwar such a potent threat, though, is the economic implications. Not only can a cyberwar damage enemies, unlike virtually ever other war-fighting modality, a well-run cyberwar can also become a profit center through activities like organized ID theft.
When most people think of war (and, for that matter, terrorist attacks), they most often think of an outcome with physical destruction and loss of life. But war (and terrorism) is most often waged to meet a desired end, whether to gain territory, reduce the strength of, or distract an enemy, or to simply cause damage. Cyberwar can be used here as well. It’s just more subtle and, therefore, can be all the more effective.
Traditional war is more like a bullet to the chest. Cyberwar is like a cancer — just as dangerous and deadly, but far more torturous over the long term. Like cancer, we’ve yet to find a cure for cyberwar.
We’ve seen attacks already. In May the National Journal reported that it was a suspected Chinese cyberstrike that caused the massive August, 2003, blackout that affected 50 million people over a 9,300-square-mile area of Michigan, Ohio, New York, and Canada.
A full cyberattack is likely to begin with a distributed denial of service, or DDoS attack. DDoS is a form of attack designed to bring computer systems and networks down by overwhelming them with a flood of data from many computers at once. Unlike traditional war and even terrorism, cyberattacks aren’t going to be initiated just by digitally-capable terrorist organizations like al-Qa’idah and known nation-state enemies like Iran and North Korea. They’re also going to come from countries with whom we’re supposedly allied, and from countries like Belarus and Ukraine with whom we enjoy lukewarm relations.
Defending against cyberwar won’t simply require defending against one very visible enemy, it will require defending against numerous visible and shady enemies all across the world. Cyberwar is an ideal strategic and tactical platform for digital guerrillas, with small groups of attackers hiding behind the digital brush of spoofed IP addresses, switching Internet addresses and pathways the way Viet Cong moved from rice paddy to rice paddy.
Although cyber attacks will take many forms, one deserves particular mention: botnets. These things are nasty, because like cancer, they attack from within. They cause our own computers — computers owned or operated by our friends, family, employers, employees, and even government servants and government agencies — to turn against us.
Botnets are not completely distinct from denial of service attacks. In fact, one of the more devastating forms of DDoS is one that originates from a botnet. But botnets can also initiate other forms of attack, from injecting malware (attack software) and viruses (another form of attack software) to generating E-mail spam and enabling identity theft.
Fundamentally, a botnet consists of a network of computers that have been compromised in some way. These computers, called zombies, are typically end-user machines running in offices and homes across the Internet. A user at the computer (someone like your mom or dad, your boss, or the kid from down the street) might have inadvertently accessed a questionable Web page, had open router ports, or run a malware E-mail attachment. In any case, once compromised, the zombie computer is available to be commanded and controlled from the botnet’s instigator (sometimes called a botnet herder).
Botnets are particularly dangerous because they’re massive force multipliers for an attacker. A botnet attack can be originated from a single computer which then goes on to infect a variety of zombie computers. Then those zombies propagate the infection — and so on, and so on, and so on.
Lest you think this is more science fiction than fact, let me draw your attention to the Netherlands in 2005. Three young men, age 19, 22, and 27, created a botnet intended to initiate a denial of service attack against a U.S. firm, steal identities, and distribute spyware. After several Internet service providers noticed unusual activity on their networks that October the Netherlands’ Computer Emergency Response Team discovered that the botnet consisted of 1.5 million compromised computers, all working in tandem to attack U.S. systems and consumers.
To put this computing power into perspective, the fastest monolithic supercomputer ever recorded was the IBM Roadrunner at the Los Alamos National Laboratory, which on June 8 sustained a processing rate of 1.026 PFLOPS (or about 10 to the 15th power floating point operations per second). In March Folding@home, a network of consumer-level PCs and PlayStation 3 game machines working together to understand protein folding and molecular dynamics, reached a sustained performance level of two PFLOPS (almost double that of the government’s supercomputer) with approximately 300,000 active PCs.
With 300,000 consumer PCs and PlayStation 3 game machines, Folding@home essentially became the world’s fastest legal supercomputer. Then again, our three young Netherlands men operated a computer network five times larger — in effect, they had created a network with computational capacity at least five times greater than any supercomputer on the planet.
How accessible is the technology necessary to launch a botnet? Let’s say you’re a smart kid living in Belarus. For as little as $314 — about 663,000 Belarusian rubles or about two week’s salary for a city dweller — you could buy a low-end PC capable of running the free Linux operating system. That one PC could easily initiate a botnet infestation that could propagate to thousands or millions of PCs.
What makes a botnet so terrifying is that it can initiate its attack from inside the firewall. Think of a firewall around your network the way you might a fence around your swimming pool. The fence is designed for privacy, and to prevent uninvited guests and stray animals from getting into your pool, but it’s mostly intended to prevent your neighbors’ kids from hurting themselves in your pool and protect you from the potential liability.
A firewall or router does the same general thing on the digital plane. It prevents outsiders from getting into your network, using your network for illegal activities, and accessing your private data. But while having a firewall is important, it can’t protect you from yourself. Like the situation where you open your pool’s fence to let the neighbor kid come in to swim, when you open an E-mail attachment or visit an inappropriate Web site, you’re often opening your network to attack.
And once a bot has gotten a foothold on a computer inside your network, it has free run of your network, and often free run to leave your network and attack other computers. This is a particular problem with workers who use laptops on open Internet connections, like at hotels and coffee bars. While the laptop is outside the firewall, it might be infected. Once it’s brought back to work and plugged into the corporate network within the firewall, there’s nothing stopping it from propagating infection throughout the entire, supposedly secured network.
Beyond the potential economic damage a cyberattack can wreak upon us there’s the potential of physical damage as well. More and more of our critical systems rely on computing technology and more and more of that technology has an Internet connection — effectively linking everything to the bad guys in mere milliseconds.
The Airbus Concurrent Engineering system uses PTC’s Internet-enabled software and maintenance services on all aircraft programs. Imagine what could happen if the maintenance records were tampered with by an intruder.
This stuff is real. In 2006 a hacker took control of the University of Washington Medical Center’s internal network and downloaded the admissions records of 4,000 heart patients. The hacker gained entrance through a Linux system running in the hospital’s pathology department. He claims he only downloaded the records, but imagine the damage he could have done had he changed records .
In 2007 an attack against the office of the U.S. Secretary of Defense penetrated the network and managed to steal sensitive U.S. defense information. In 2006 Jeanson James Ancheta performed DDoS and hacking attacks against the Naval Air Warfare Center in China Lake and the Defense Information Systems Agency.
And in May the General Accounting Office issued a report decrying the Tennessee Valley Authority’s cyber-security. The TVA operates 11 coal-fired fossil plants, eight combustion turbine plants, three nuclear plants, and a hydroelectric system that includes 29 hydroelectric dams and one pumped storage facility in the southeastern United States. TVA is the nation’s largest public power company.
According to testimony before the Subcommittee on Emerging Threats, Cybersecurity, the TVA did not fully implement appropriate security practices to secure the control systems used to operate its critical infrastructures. It’s almost mind-boggling to consider the sort of critical infrastructure damage and threat to public safety a cyberattack could cause were it to compromise any of the TVA’s facilities.
When it comes to cyberwar, we’re fighting on a virtually unlimited number of fronts and against some of our own resources turned against us. We’re fighting against massive weapons systems built by our enemies from readily available consumer products that are easily accessible and affordable.
So – can we defend ourselves?
Quite honestly, I despair of giving you good news. Nearly all cyberattacks rely on exploiting an inherent vulnerability or sloppiness in our internal security. But because attacks can be perpetrated through poorly informed citizens and because of the high-level of knowledge necessary to insulate our systems from attack, there can be no doubt about the conclusion.
We can take some steps to protect ourselves. Simple actions like updating vir us definitions regularly, installing operating system updates, and never opening E-mail attachments can help. Upgraded versions of operating systems reduce some of our exposure. And consumer education, encouraging a higher level of understanding about computer security, can reduce our overall vulnerability by some percentage.