Inside a Cyber Attack

The global military community witnessed the first cyber war earlier this year.

While many consider the three-week attack on Estonia a non-event, others point to it as a sign of things to come.

One of the most common cyber attack strategies relies on the network effect of the weakest link. The aggressor identifies and attacks the weakest link on the network, then uses it as cover to give the appearance of legitimacy and rapidly propagate the malicious code throughout the rest of the network.

The weakest link could be a system missing one of its security patches or an ill-configured firewall. DoD networks withstood an estimated 80,000 attacks in 2007, so they are fairly well hardened and fortified.

That is not the case with many private sector systems. Cyber defense requires a much tighter cooperative relationship between defense organizations and the private sector. At this time there are NO minimum security requirements for computer systems. In the private sector, system protection ranges from next to nothing to as hardened as DoD systems. Addressing the weakest link will be the greatest challenge and threat to protecting our nation's information infrastructure.

Kevin Coleman

[Editor’s Note: DT contributor Kevin Coleman is a strategic advisor and certified management consultant with Technolytics and the former Chief Strategist of Netscape.]

18 comments

SPyGuy December 13, 2007 at 5:29 pm

As usual you are right on the money. And you can tell Soylent Green is in the business because what he said jokingly was true. We all better hunker down and create meaningful security requirements and enforce them or we will pay a hefty price.

mike December 13, 2007 at 5:52 pm

The DoS on Estonia wasn’t cyber-war, but it was the first significant cyber-terror attack. The Russian security services had no more to do with it than any other country who quietly encourages criminals or terrorists to do things that serve a nation’s goals. (by the way, that’s EVERYONE.)
The real lesson to draw from it, though, is “geez, Estonia’s really small.” Soy’s right that people will always screw up your security system, wrong to think you can actually fix this. There’s no patch for stupid. You can’t cover all your possible vulnerabilities, so pick your critical choke points and watch those. Estonia’s choke point is that it’s teeny and, well, chokeable– they needed better arrangements for large-scale traffic shaping and redundancy on their critical links.

Brad December 13, 2007 at 5:57 pm

Education and awareness is the key that all of you have shown. As Ron White the comedian said – “YOU CAN’T FIX STUPID” or as a friend in the CIA told me “we made it idiot proof and they just sent us an improved idiot”

Captain L. McMasters December 13, 2007 at 6:26 pm

I am quoting the DCINT Cyber Operations & Cyber Terrorism Handbook 1.02 by the U.S. Army Training and Doctrine Command that states acts of cyber war and terrorism are defined as

Dennis December 13, 2007 at 8:53 pm

In some respects, I am thinking the best policy for any truly sensitive information is not to have it on a computer.
It is hard to hack a file cabinet in a locked room.
I know this would make things harder, but look at the Japanese and Germans in WW2. We cracked their code and it was all over.
It is not just government and the DOD I am worried about, what about the defense contractors?
The worst part about a real good foreign government hacker is we may never know that they are in our systems.
On the flip side of this, for all its successful espionage, the information the Soviets stole did not save a bad system.
But you could argue it kept it going for a couple more decades…..
So the question is, by disrupting our information systems and stealing our technology (defense and economic), will it help China, the Russians and anyone else who employs this strategy, in the game?
And for how long?

Chris December 13, 2007 at 9:18 pm

It’s highly speculated the attack on Estonia came from a bunch of Russian hackers (read not the government) who pulled together in a time when their national pride was being insulted. It turns out the government of Estonia was moving a monument to Russian soldiers around the same time of the attack. Think of the attack as a mob mentality, it just turns out that this mob controls tons of botnets and lent them out, probably for free. The argument can be made that the Russian government was complicit by not stopping the attack.
Corporations (read private sector) handle risk as it relates to dollars. Until a breach costs corporations more money than it takes to protect against a breach, they won’t do a damn thing. Don’t even think about asking Congress to make a law regarding baseline security requirements. They’ll just make it worse.

Chris December 13, 2007 at 9:22 pm

It should also be noted the Russian government allows hackers, namely the Russian Business Network (google it), to operate with impunity and more than likely uses them as a tool when needed. Seems that it’s business as usual in the new Russia.

oo December 14, 2007 at 8:46 am

> The global military community witnessed the first cyber war earlier this year.
Aww come on!!! Anyone who was on IRC in the 90's remembers the netsplits and channel takeovers! Just because the 80 year old US and NATO brass that managed to ignore even the

Kevin Coleman December 14, 2007 at 9:04 am

A few more pieces of information if I may.
1. At the peak the DDoS generated 4 million bogus transactions per second.
2. This was traced back to Russia.
3. The reason for the war/attack was that Estonia moved a statue of a Russian war hero.
4. NATO responded with their cyber team about two weeks into the event.
5. The information infrastructure of Estonia was totally disrupted – neither credit card transactions, nor debit card transactions.
6. As one United Nations source put it “the only thing missing was a declaration of war”

Kevin Coleman December 14, 2007 at 10:57 am

A bit of additional intel about the cyber war.
Proposed NATO Cyber Defense Centre
The aim of the centre would be to promote cooperation between NATO members on cyber defence, to draft training programmes and deal with the legal aspects of fighting cyber terrorism.
The centre would not be countering attacks in cyber space but would deal with conceptual work.
One recent report
http://www.mcafee.com/us/research/criminology_report/default.html

Camp December 14, 2007 at 11:12 am

Since we’re talking about network security…
http://www.youtube.com/watch?v=WhUWffcZKkQ
Oh, the parody! ;)
Anybody get the joke? Anybody? Nobody… Oh, well.
PS.
“US military propaganda team busted”
http://www.theinquirer.net/gb/inquirer/news/2007/12/13/military-propaganda-team-busted
“Help! I’ve been spammed by Nato”
http://www.theinquirer.net/gb/inquirer/news/2007/11/14/nato-does-spam
“Cyber attack on Estonia scary, says Bush”
http://www.theinquirer.net/gb/inquirer/news/2007/06/26/cyber-attack-on-estonia-scary-says-bush
I wonder if some day governments hand out Letters of Marque during “Cyber Wars”… it’s a strange world.

Concerned December 14, 2007 at 1:56 pm

I would click on the links that you have listed but I am afraid then I would become one of the schmucks you talk about!

Camp December 14, 2007 at 5:16 pm

Concerned, :)
It’s all good, the youtube’d link was a parody on the old “Smurf Attack”, using the U.N. video to terrorize children. ;)
http://www.cert.org/advisories/CA-1998-01.html
Theinquirer.net is just a nice BrItIsh site for techie stUff.

James December 15, 2007 at 12:51 am

“Kevin Coleman certified management consultant” and this makes him qualified to talk on Network Security?
That is equivalent to asking a senior accounts manager at Cisco what’s the best way to configure my network switch.
Judging by the way Kevin is talking he’s a suit with a vague understanding about the issue. As for the Cyber Operations & Cyber Terrorism Handbook 1.02, it’s written by suits for suits. It’s written more like a magazine article than a handbook. It contains no useful information.

Dennis December 15, 2007 at 9:12 am

Thanks TB, I missed the point a bit.
Until Kevin elaborated on what actually happened I thought it was not that bad.
Shutting down all card transactions could put a real dent into someone

covertsurf December 15, 2007 at 9:24 pm

Prevention starts with the original program designer. Such attacks are inevitable. Well planned far in advance, extremely difficult to discover. Embedded to be executed precisely for a designated breach.
Often the program is designed by some of the pioneers in the industry!
Our I.T counter intel people should take an intense look at some C.E.O.S of major public companies i.e E-Bay for example.
Look into P. Omydar just for fun (Deep)
Also a lot of Oxford students of the same time period.
Covertsurf Out!
518971

Kevin COleman December 15, 2007 at 10:00 pm

James
I am not a stuffed suit. Outside of being the Chief Strategist of Netscape, I have a master’s in computer science, have been working in the software industry, and started hacking code back in the late 80s.

Jay Campbell December 17, 2007 at 7:35 am

If we are serious about fixing the security problem with DOD computers, then disconnect the stinking internet! The only way to prevent any kind of attack, without spending hundreds of millions of dollars, is to cut the connection. Internet access is not required for the military to do its job. Compare the costs of what is being spent on security, against what it should cost for embedded communications systems and then determine how best to tackle the problem. It may be too late because those who are up and coming in the military have grown up with the internet, and everything they do revolves around the internet.
