Cybersecurity and Cyberwar
Authors: Peter W. Singer and Allan Friedman
Finally, integrity attacks involve entering the system to change rather than extract information. They manipulate data in the virtual world as well as the systems and people who depend on that data in the real world. Most often, these attacks intend to either change the user's perception or situational awareness or cause sabotage or subversion of physical devices and processes that are guided or operated by information systems. Such integrity attacks can be particularly insidious, since we rely on computer systems to understand what's going on inside these same systems.
Here, too, the goals and consequences of an integrity attack vary widely. The effect could be mere vandalism for political purposes, such as a defaced public-facing website of a government agency. An attack might be aiding or executing some sort of illegal endeavor, such as by changing access or identities to allow criminals through security barriers. Or it might seek to cause major harm of a strategic nature, such as damaging another country's ability to implement official decisions, to defend itself, or to provide services to its citizens (via delivery of electric power, health care, etc.). The data that is being changed, therefore, is what determines an integrity attack's importance. For instance, a hacker changing the software code for the White House website's welcoming picture of the president and a hacker changing the president's code for nuclear weapons commands are each conducting an integrity attack. But they will have vastly different results, and call for vastly different responses.
The difficult challenge is often not so much classifying these kinds of attacks as it is distinguishing them from each other, especially when they happen in real time. A confidentiality attack and an integrity attack both exploit vulnerabilities to gain entry to a system. They can use the same approaches and technical specs to get inside, but it's what the attackers do once there that makes the difference. Do they observe and steal data, change data, or add new data, depositing what is known in weapons terms as a “payload?” Often the victim won't be able to tell until the act plays out. To continue with our White House example, when the Secret Service notices a man sneaking over the fence, they don't wait to see whether he wants to peek at papers on the President's desk or plant a bomb there. The difference in the cyber realm, however, is that such drama can play out in a matter of nanoseconds.
To go back to our original “engagement” problem, defining these terms is only the start. Next is crossing the huge gulf between how different nations conceive them. Take the notion of “information,” which is the target of all these types of attacks whether the intent is to disrupt, steal, or change it. But information and its flow across the Internet can be interpreted in vastly different ways. The provision of online news and connections across geographic borders via social networking tools has been described by American leaders as an essential human right. By contrast, the very same free flow has been described by leaders in Russia and China not as a human right but as an “information attack” designed to undermine state stability. As a result, in international exchanges US officials have talked about cyberattacks in terms of “assaults on and intrusion of cyber systems and critical infrastructure,” while their counterparts, from places like Russia, have discussed them as part of a Western “information war” to undermine regimes “in the name of democratic reform.”
Figuring all this out is going to take a very long “engagement,” indeed.
The name came from either a mash-up of the domain name “trafficconverter.biz” or a play on the German swear word for “fucker.”
In either case, “Conficker” wasn't so much innovative as it was nasty, combining several types of malware to enter into unprotected computers, hide under a random file name in the root directory, and use the compromised computer to connect out and build a botnet. It first surfaced in late 2008 when a vulnerability was discovered in Microsoft Windows programs. The company rushed to release a patch to the public, but as many as 30 percent of users did not apply the protection. Soon after, security experts in different parts of the IT industry detected the first moves of what became known as “Conficker,” a computer worm. Within a few months of Conficker's appearance, some seven million computers had been compromised into one of the biggest botnets in the world. Computers in networks ranging from the French navy to Southwest Airlines were all pulled into what one security expert called “the Holy Grail of a botnet.”
Spooked by its scale, a diverse group of investigators representing security firms, consumer software companies, ISPs, and universities assembled to battle Conficker. Still, no one could figure out the worm's exact purpose or origin. Someone was building a massive botnet, but who was doing it and why? Then the team found a tantalizing hint: an early version of the malware checked the targeted computer's keyboard layout. If it was set to the Ukrainian language, the attack aborted. But what did this mean? Was it a sign that it was authored in Ukraine (not Russia or China, as some had originally thought) and the authors wanted to avoid infecting their compatriots and avoid committing a crime in their own local jurisdiction? Or was it a clever bit of misdirection, designed to make it seem like whoever designed it was Ukrainian? Years later, the who and why of Conficker still remain a mystery.
As this episode illustrates, beyond the issue of terminology, there are other dimensions that make the cyber arena so challenging to secure and therefore need to be explored further. Perhaps the most difficult problem is that of attribution.
Many forms of malware take control of the victims' computers and form a botnet that links unrelated computers and enables the controller to leverage their combined computing and communications capabilities. The resulting network of secretly linked devices can easily grow to extraordinary dimensions. For example, in 2010 three not so terribly sophisticated Spaniards created a global botnet that included over 12 million computers using a program they bought on the black market. In other cases, a controller may seek to capture and leverage only a small number of computers. Controllers use this tactic when concealing their identity is a priority.
Three key features of this capability to capture and utilize other computers are particularly important. First, there are no geographical limits. For example, someone in Brazil can compromise computers in South Africa to launch attacks on systems in China, which might be controlled by computers physically located in the United States. Second, the owner of a captured computer often has no idea that it is being used by a remote actor for pernicious purposes. Of the computers that attacked Estonia in the cyber incidents of 2007, 25 percent were US-based, even though the attack was originally Russian sourced, as we describe later. And third, when some pernicious activity is perpetrated, sophisticated analysis can typically, at best, identify the computer being used to launch the attack. It is far more difficult to determine whether that computer is being operated remotely and, if so, by whom.
Even if a computer is not being remotely accessed, in many situations (such as with a computer at a university or an Internet café) it is difficult to determine the identity of those sitting behind the computer, their nationality, or what organization they represent. Such information would be crucial in a crisis but is rarely available in a timely manner, and attempts to gather it raise huge privacy concerns.
It does not take much imagination to see how damaging these problems can be. Take how cybersecurity concerns have increasingly poisoned US-Chinese relations (which we personally witnessed as part of exchanges with US and Chinese cyber experts and officials). Since many in the United States assume that the Chinese government has significant control over its citizens, it is easy to assume that the government is behind most insidious activities launched by computers located within China. But, of course, this also means that bad actors elsewhere may be incentivized to target Chinese computers for capture and use in their activities, to misdirect suspicions. This very same logic, though, also enables Chinese actors to deny responsibility. They consistently argue that activities actually launched from China are being perpetrated by others who want to take advantage of the widespread suspicions of China, pointing to the large number of vulnerable, unpatched computers in their country. And the same type of misdirection can be carried out using computers physically located inside the United States. Essentially, you get a lot of finger-pointing and not much certainty.
The issue is that establishing attribution is not the same as establishing complicity. It is sometimes possible to track an actor's efforts to a certain geographic locale, but it is more difficult to establish any formal government role, whether as perpetrator or sanctioner of the operation. As we explore later, “patriotic hacker” communities and other nonstate groups, including student and even cybercriminal groups, have been mobilized by their governments for such purposes. They offer deniable, but directed, attack. Ronald Deibert is a leading Canadian expert who has tracked various cyber espionage networks like GhostNet, which stole information from over 1,200 computers in 103 countries. He explains, “Attacks can be ‘crowd sourced’ by governments … or arise from acts of spontaneous participation, or both. In such an environment, it complicates the task of assigning blame to a state and forming an appropriate response. This is potentially destabilizing to the global order.”
Attribution is further complicated by the fact that in some kinds of attacks, it is difficult to initially determine if what is going on is “hostile.” A shift in routing information at an Internet access point, for example, might be a normal update or it could be a malicious attempt to reroute Internet traffic. A stream of unusual traffic that hits a system's firewall could just be a misconfigured application somewhere in the world, or it could be a probe of defenses. Packets are not like ICBMs, where radar can quickly detect the missile for what it is.
On top of this, once malware enters a system, it does not always bear any telltale sign of its origin or intent. Unlike bullets or even atomic bombs (each nuclear reactor has a distinctive “signature” to which a bomb's fissionable material can typically be traced), when malware is uncovered it often does not point to a particular culprit.
What this means is that “proving” attribution is a crucial but excruciatingly difficult task. In TV shows like Law & Order or Perry Mason, the prosecutors tell juries to focus on three aspects of a crime to determine a culprit's guilt: means, motive, and opportunity. The same is true in cyber sleuthing, where investigators must often painstakingly connect the dots. For instance, Ron Deibert's team of researchers confirmed that a group of Chinese hackers conducted a series of cyber intrusions (known as the “Byzantine Hades” attacks) aimed at Tibetan groups, including the office of the exiled Dalai Lama. They did so by tracking communications from the infected computers back to control servers that had previously gone after Tibetan targets during the 2008 Olympics in Beijing.
But this is also where TV has it wrong. Contrary to what the lawyers say in those dramatic shows, a real court can't convict just on the mere presence of those three elements. There has to be compelling proof that the means were used and that the motivated defendant being charged actually acted upon the opportunity. Often in these cyber situations, one can point a finger, but not with the needed precision. The investigators of Byzantine Hades, for example, could confirm it was a team of hackers located in China, yet as Deibert explained, “We could not pinpoint the attacks to the Chinese government itself, but they certainly would benefit by the information that was stolen from compromised victims.”
In cybersecurity, we are instead usually left with an attribution dilemma. One has to weigh the potential gains versus losses of pointing the finger at the group or person you think is behind a cyberattack. In deciding this, your real-world goals then matter more than what took place in the cyber realm. Are you trying to figure out who harmed you as a prelude to justifying your own counterattack? Or are you simply trying to communicate that you know which people are behind an attack, in order to “out” them, blow their cover, and maybe cause some kind of public shaming that will force them to stop? Different goals and different actions require different standards. The US government's 2011 counterintelligence report is a good example. It was willing to point a finger at China's general direction for cyber theft, in the hope of causing some shaming effect, but it repeatedly indicated at the very same time that it lacked “absolute certainty” that would have forced matters further.
Two years later, the New York Times went one step further when Chinese hackers were caught trying to penetrate its networks. Working with the Mandiant computer security company, it tracked the activities to a specific set of IP addresses assigned to a neighborhood in Shanghai that was home to a specific unit of the Chinese military. The Times published a front-page article with a picture of the unit's headquarters. The reporters then tracked down individual hackers using clues mistakenly left on social media, including the hackers' personal mobile phone numbers and even that one was apparently a “keen Harry Potter fan” but not a great speller (all his security questions and passwords revolved around “Harry Pota”). Yet the Chinese government continues to deny the allegations, and few people think we'll see a TV-style dramatic courtroom confession.
The takeaway here is twofold. First, attribution has an inverse relationship to scale. The more people involved, the bigger their operations (and likely impact), but also the more likely that someone will make mistakes that allow them to be tracked down. But, secondly, the context and goals of this backtracking matter greatly. You might use far different standards if you were trying to prosecute in a court of law than in a court of public opinion. Simply put, lawyers may want evidence “beyond a reasonable doubt,” but this is not always possible in cybersecurity.