About shehjar

Author Archive | shehjar

Early-Warning Indicators for Predicting Cyberwar Operations

[It gives me great pleasure to welcome Shehjar Tikoo to this blog. Shehjar is a Research Associate at the Cyber Strategies Studies team of The Takshashila Institution – Srijith]

“The dawn of offensive cyber-warfare” has brought with it highly sophisticated target selection that goes beyond attacking virtual assets like websites and banking front-ends. The latest in the line is the Stuxnet epidemic that targeted a specific electronic chip apparently used in Iranian nuclear reactors. One expert even attributed a malfunction in INSAT-4B to Stuxnet because it used the same electronic chip.

In the current cyber defense climate, traditional military or political approaches to deter attacks are ineffective because of the problem of attribution, i.e. identifying the attacker. The anonymity afforded by the internet administrative regime not only works to the advantage of much needed individual freedoms but also provides a veil behind which attackers hide. With the potential for taking down banks, power grids, stock exchanges and medical systems, cyber attacks can now have devastating effect on lives and economies.

Attempts to attribute cyber attacks normally focus exclusively on cyber world. This, however, is a sure-shot path to attribution hell. Just like the victims have to deal with the physical-world aspects of an attack, the attackers too are limited by it. The interconnections between the virtual and the physical world is an observation on which an early warning system can be built. Consider the recent reports of Chinese internet hijack. It was observed that internet traffic that should not have been flowing into computers in China actually was being diverted there. Based on who you ask, the amount of traffic diverted into a particular Chinese ISP ranged from 1% to 15% of all the traffic on the internet. The diversion used a weakness in the way traffic over the internet is routed from the source to destination. Regardless of whether it was actually a hijack, a configuration mistake or a trial run, the fact remains that this weakness in internet is a powerful tool in the hands of state and non-state actors for snooping on confidential data. Such an exercise would require massive resources in terms of processing power, data storage, power and cooling and trained manpower. It would require months of preparation in order to get the server farms operating at maximum performance and for developing tools for analysing the huge amount of data captured. Each one of the variables above would require an administrative backend in order to enable the setting up of such server farms. It would need the appropriate human resources to run the farms, leading to the need for recruitment and training. It would need equipment which would have to be manufactured or procured. Manufacturing in turn will need raw materials which could come from almost anywhere in the world today. On the one hand, the large number of variables can make it a difficult exercise when it comes to tracking supplies of such equipment and raw materials. On the other hand, it increases the number of interactions that need to take place with the physical world in order to undertake a cyber operation of that scale. An argument can be made that the larger number of sources of raw materials makes observation harder but businesses are already using advanced data analytics to mine similar information in order to gain a competitive edge. Spikes in power consumption, sales of microchips, storage media and specialised cooling equipment are just some of the other obvious signs that such a project is being undertaken. And surely enough, these are exactly the kind of things that traditional intelligence gathering and analysis excels at. Remember how the unusual supply movement in the areas opposite Kargil were interpreted correctly by some as a sign of enhanced operational readiness of Pakistan Army?

In the case of China, with its massive manufacturing base, it could be argued that the equipment could be sourced internally. However, there are so many raw materials that go into setting up an operation of this scale that a persistent supply chain expert should be able to identify relevant flows for use in cyber early warning or cyber forensics.

Measures taken by states make it tougher to see through the mask of purchases for cyber operations. As the USCC report points out, in China, a large onus for censorship is offloaded to private enterprises, with Baidu as an example of how US capital and US board-members run a company that engages in such censorship. Of course, the work-around would be to analyse regulations in China, again pointed out by the USCC report, that “provide unfair advantage to homegrown technology companies” and watch those companies that benefit from them. Such tasks are well within the duties and expertise of agencies that deal with economic intelligence. It is time that such traditional strengths be used in attributing cyber attacks.

An argument could be made that cyber early warning would not be feasible against a silent multi-month effort like that against Indian government and Tibetan computers. True, there are major differences. For one, the alleged reason the Tibetan government officials suspected an espionage angle was because, during negotiations, Chinese officials were already well-prepared with counter-arguments against the Tibetan positions. As the Shadows in the Cloud report alleges, this was because the secret negotiation papers were exfiltrated by malware installed on Tibetan computers. The point to remember is that a cyber early warning system attempts to overcome the attribution problem. It cannot help if a system’s security mechanisms are broken and basic access policies to confidential data are absent or ignored. This is a system and network security problem and cannot be solved within the scope of an attribution system.

Physical-world indicators can help in attribution. A sophisticated early warning or alarm system can even help predict attacks rather than just help in attribution after an attack. Such a system would require aggregation of indicators from other fields like politics and military. Analysis of such indicators is already performed as part of traditional intelligence-gathering and there is no reason why such collection and analysis cannot be extended to track cyberwar operations. Interested readers can find the theoretical framework behind cyber early warning developed by Ned Moran discussed in Jeffrey Carr’s excellent book, Inside Cyber Warfare: Mapping the Cyber Underworld.

Comments { 1 }