Archive | Cyberwar

GoI bars international vendors from National Optical Fiber Network project

After the Centre for Development of Telematics (C-DoT) submitted a memo to the Government of India to bar Chinese network vendors Huawei and ZTE from bidding in the Rs 20,000-crore roll out of a national optical fiber network (NOFN) project, the Government has decided to heed the advice and bar all international vendors from the project.

The DoT has decided that it will be going ahead with a 100 per cent domestic sourcing and has released a list of certified GPON suppliers. (…) Local companies that made it to the certified list include Tejas Networks, Prithvi Infosystems, Center for Development of Telematics (C-DoT), VMC Systems, Sai Systems, United Telecoms, and SM Creative.

This follows the decision by the US House Intelligence Committee, which branded ZTE and Huawei a national security threat:

The House Intelligence Committee said that after a yearlong investigation it had come to the conclusion that the Chinese businesses, Huawei Technologies and ZTE Inc., were a national security threat because of their attempts to extract sensitive information from American companies and their loyalties to the Chinese government.

While it is good that the GoI decided to look beyond the Chinese companies when considering possible threats, the question it raises is, isn’t it turtles all the way down? Is it certified that the local companies will use 100% indigenously developed components, and if not, why is it better to prefer an “Assembled in India” sticker?

The NOFN project is a high-investment, long-term project that will power India’s network infrastructure for some time to come. So it is prudent for the GoI to tighten security, but it cannot be an isolated event. Nor is it viable to blanket-ban all foreign companies and technologies from such infrastructure and other sensitive projects. I hope someone higher up is thinking and acting seriously on an Information Assurance program within the scope of Critical Infrastructure Protection.


Stuxnet – chickens come home to roost?

General William Shelton, who heads Air Force Space Command and oversees the Air Force’s cyber operations, comments that Iran will be a “force to be reckoned with” in the future, having apparently strengthened its cyber defence and offence capabilities in response to the Stuxnet attacks.

“The Iranian situation is difficult to talk about,” Shelton told reporters. “It’s clear that the Natanz situation generated reaction by them. They are going to be a force to be reckoned with, with the potential capabilities that they will develop over the years and the potential threat that will represent to the United States.”

Have the chickens come home to roost, or is this just more war mongering to get yet more defense budget share?


Use of private companies in cyber operations

US Homeland Security Secretary Janet Napolitano’s recent comment that the administration has and will consider the participation of private companies in “proactive” cyber “counterattacks” has received its share of attention:

In discussing the private partnerships she is promoting to combat cyberattacks, Napolitano was asked if instead of just taking defensive measures, the government and companies should be launching proactive counterattacks against foreign-based culprits. “Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” noting someone else had raised the subject with her earlier Monday.

Before analysing this development and the concept in general, it needs to be stated that there seems to be some ambiguity, at least in my mind, about the statement(s) by Napolitano. Napolitano’s use of “proactive” and “counterattack” together, as reported by the San Jose Mercury News, seems confusing since “proactive” is a term usually used along with the concept of “defense.” In risk management lingo, ‘proactive’ denotes taking the initiative by acting rather than reacting to threat events, while ‘reactive’ actions respond to past event(s) rather than predicting and acting before these perceived events. Thus “proactive” gels well with “defense”, which in military literature refers to the art of preventing an attack, to mean the act of defending against an imminent attack by taking action before the attack has happened. This flies completely against the concept of counter-attack, which is about, duh, countering an attack that has happened, something that automatically classifies the act as reactive.

My guess is that Ms. Napolitano did mean counter-attack, but by “proactive” she was trying to emphasise the fact that the reaction from the US will not be limited to acts of defense but will include counter-offensive moves. Either way, I did end up smiling when I read the double negative that Ms. Napolitano used:

“Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” (…)

Now that my confusion regarding the use of “proactive counterattack” is out in the open, let us get to the main point of discussion – the use of private companies in proactive cyber attacks by nation states. In traditional military engagement, private military companies have long been used to supplement the operational capability of the nation state’s army. In recent years the role has increasingly moved from support of military personnel in areas like security of the military base, protecting the convoy etc., to a more traditional role played by active military personnel as part of an active war operation. The case of Academi (previously Blackwater) is a prime example of such private military companies.

The reasons have been numerous, cost being the obvious but not the main one, which is to avoid the scrutiny, including Congressional oversight in the US, that seems to be reserved for the military personnel of the nation-state. A similar reasoning can be used within cyberspace as well. Private companies engaged in cyber operations, regardless of their nature (defensive, offensive, counter-attack, proactive), can be set up to evade deep scrutiny and congressional oversight. This gives them the flexibility to be a lot more liberal about the means and mechanisms used without having to worry about repercussions.

The practice also provides a good means to exploit the attribution problem, which has so far been an issue rather than a way out for the US (pdf). By engaging private civilian companies it becomes harder for the subject of the attacks to concretely state that they were indeed targeted by the US. Even if they did, the fact that the attacks cannot be traced back to having originated from the networks of the US military complex gives the US enough excuses to assert that it was not aware of, nor authorised, such attacks. Such a setup has been used with good results by the Chinese and the Russians.

In the narrower context of counter-attacks, the cyber domain differs from the other domains of land, sea, air and space in a crucial way: the conduits/medium used for the attacks, the networks consisting of the backbone of routers, cables and other physical and software-based systems, are owned by private companies. In each of the four traditional domains the conduit of attack (land, sea, air and space respectively) is usually owned, at least in the extended sense of the word, by the nation state that is attacking or being attacked. This makes it easier to construct a case for involving private companies, since after all they are direct front-line casualties in the event of an attack.

Another reason is of course the simple practical fact that the talent pool of experts expands drastically if private companies are also considered part of the “recruitment” space. Cyber is the only domain of the five where the private sector holds a big share of capable, qualified individuals who can provide service in these operations. Public-private partnerships just make sense.

The wholesale hiring of “ethical hackers” by NTRO, as reported by news outlets, provides a seemingly similar setup in India, with the crucial disadvantage that these “hired helps” are still directly associated with NTRO and hence NTRO can and will be held accountable for their actions, negating some of the crucial advantages of using private companies/individuals. What is needed is a deeper and longer-term relationship between the government and private companies that makes defending the infrastructure they both rely on the central theme, and works on the means to do that, be it defensive postures or offensive gestures.

There are of course risks involved. The command structure gets blurred when the military structure merges with the private sector, and without one, controlling these private parties becomes a risky process that cannot be taken for granted. This has been seen again and again in cases related to Blackwater. What if an unapproved action on the part of the private contractor is judged as an act of war by the other party and leads to a confrontational situation? A similar situation can arise when the wrong magnitude of (counter)attack force is applied, accidentally or otherwise, by these third parties.

All these point to the fact that the use of private companies in cyber operations is tactically a good move and, some would argue, a necessity. However, it cannot be done at the drop of a hat, since the “rules of engagement” are bound to be fickle in such symbiotic associations.


Duqu: an indicator of the next Stuxnet?

The December 2011 issue of Pragati carries an article titled “Duqu: an indicator of the next Stuxnet?” by yours truly, reproduced below.

The Stuxnet worm was first reported in June 2010 and was credited with several exploits, including sabotaging the Iranian nuclear reactors and possibly even causing the malfunction of the INSAT-4B communication satellite. Now, more than one year on, security experts think they have stumbled upon a worm that is being described as the precursor to the next Stuxnet, potentially written by the same people who wrote Stuxnet, or at least by someone who had access to the source code of the Stuxnet worm.

Named Duqu, the worm was first reported by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary on 1st September 2011. The name given to the worm came about due to the “~DQ” prefix that was given to the files it created on the system that it infected. Further analysis by Internet security firm Symantec revealed that the worm may have been in the wild since November 2010 and has so far infected computers in eight countries, including India, and potentially four more.

Just like Stuxnet, Duqu makes use of a 0-day vulnerability in Microsoft’s operating system to install the components of the worm stealthily, and just like Stuxnet, it also installs a driver with a valid digital signature; the digital certificate used for this seems to have been stolen from a company in Taiwan.

However, the similarities do not carry over to the suspected intention of the worms. It is now accepted that Stuxnet was written with the intention of compromising industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems, and was specifically targeted at the Iranian atomic program, while it is believed that Duqu does not contain any code related to industrial control systems and is primarily malware designed to give the attacker complete remote control over the compromised machine, often termed a Remote Access Trojan (RAT). It is also believed to install malware that records keystrokes and collects other system information from the compromised machine. The attackers were most probably looking for information that could be used in a future attack, hence the description of Duqu as a “precursor to the next Stuxnet.” It does make one wonder what we may have missed that was the real precursor to the Stuxnet worm.

Other than the fact that machines in India have been infected with the Duqu virus, there is another curious connection to the Indian cyberspace. Malware like Duqu uses external Command and Control (C&C) servers as a means for the attackers to remotely control the malware, for example to download new executables onto the infected machine, exfiltrate sensitive information from it, update the malware itself and sometimes even to destroy or deactivate it. One of the only three C&C servers identified for Duqu was hosted on the IP address 206.183.111.97. This IP address and the virtual private server (VPS) it belonged to were hosted by Web Werks, a Mumbai-based hosting company. According to the company, the VPS belonged to a client in Milan, Italy, and because it was a system managed by the client itself, Web Werks did not have any control over what was running on it.

According to reports, officials from the Indian Computer Emergency Response Team (CERT-In) have obtained an image of the VPS before taking it offline. Interestingly, there is no mention of the operation anywhere on CERT-In’s website and officials have refused to comment on the development as it pertains to ongoing investigation.

Getting hold of the C&C servers, however, doesn’t seem to have done the investigators a whole lot of good. Recent reports from Symantec indicate that all three C&C servers, including the one hosted at Web Werks, had been set up to forward all the traffic from the worm to other servers, making the final endpoint of the C&C chain hard to pinpoint.

The last few years have seen a drastic uptick in incidents related to cyber crime, and the cases of Stuxnet and Duqu have shown us that the new generation of malware is being continually honed for purposes that go beyond pranks, notoriety or money.

Stuxnet opened the Pandora’s box and there is no closing it.


Dr. Martin Libicki on cyberwar at the 2010 McCain Conference

A good interview with Dr. Martin Libicki on cyberwar from the 2010 McCain Conference.


Stuxnet and its Aftermath

Around June 2009, the Stuxnet malware started to stealthily infect Windows machines across the globe, staying dormant on most machines and specifically targeting WinCC-based industrial control systems of two vendors: one Finnish and the other Iranian. Stuxnet was determined to be highly sophisticated malware targeting SCADA systems — it specifically targeted the frequency converter module in a power supply capable of variable frequency output to control a variable-speed motor, typically used in centrifuge devices. Specifically, the malware would sabotage normal operation of centrifuges operated in a specific range of very high frequencies, arbitrarily changing the speed of the motors for short periods of time.

Stuxnet exploited four zero-day vulnerabilities in Windows OS and spread via infected network Samba shares and USB sticks of regular desktops and laptops, but only became active when it was on specific SCADA industrial control systems. Stuxnet disguised its presence in infected systems by recording the “normal” readings on the machine and playing those recorded values back to the operator, thus fooling the operators into believing that the centrifuges were operating normally. Because Stuxnet disguised its presence, it was not detected until a year later in June 2010.
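The record-and-playback trick described above has a defender-side counterpart: readings that recur sample-for-sample, or that disagree with an independent measurement, are evidence of a falsified display. The following is an added example, not code from the post; the readings, the 1000 Hz nominal frequency and the independent sensor are all constructed for illustration.

```python
"""Detect replayed operator telemetry of the kind attributed to Stuxnet above.

Two checks are implemented:
  1. find_replayed_windows: real sensor streams carry measurement noise, so a
     multi-sample window that recurs exactly is strong evidence of playback.
  2. compare_sources: an independent measurement (power draw, vibration, a
     separate tachometer) exposes excursions that a looped recording hides.
"""
import random
from typing import Dict, List, Tuple

NOMINAL_HZ = 1000.0   # constructed nominal converter frequency, not a plant value
WINDOW = 16           # samples that must recur exactly before we call it a replay


def constructed_readings(n: int, seed: int = 7) -> List[float]:
    """Constructed sample: a steady readout with +/-1 Hz noise, 3 decimals.

    Deterministic for a given seed so the checks below are reproducible.
    """
    rng = random.Random(seed)
    return [round(NOMINAL_HZ + rng.uniform(-1.0, 1.0), 3) for _ in range(n)]


def replay_of(recording: List[float], length: int) -> List[float]:
    """What the operator sees when a recorded stretch is looped at the HMI."""
    return [recording[i % len(recording)] for i in range(length)]


def find_replayed_windows(readings: List[float],
                          size: int = WINDOW) -> List[Tuple[int, int]]:
    """Return (first_index, repeat_index) for every window that recurs exactly.

    Only non-overlapping repeats count, so a window is compared against
    occurrences at least `size` samples earlier.
    """
    first_seen: Dict[Tuple[float, ...], int] = {}
    hits: List[Tuple[int, int]] = []
    for i in range(len(readings) - size + 1):
        key = tuple(readings[i:i + size])
        if key in first_seen and i - first_seen[key] >= size:
            hits.append((first_seen[key], i))
        else:
            first_seen.setdefault(key, i)
    return hits


def compare_sources(hmi: List[float], independent: List[float],
                    tolerance: float = 5.0) -> List[int]:
    """Indices where the HMI value and the independent sensor disagree by
    more than `tolerance`; noise-level differences are ignored."""
    return [i for i, (a, b) in enumerate(zip(hmi, independent))
            if abs(a - b) > tolerance]


if __name__ == "__main__":
    genuine = constructed_readings(120)
    shown = replay_of(genuine[:40], 120)      # 40-sample recording looped 3 times
    actual = list(genuine)
    for i in range(50, 60):                   # constructed short over-speed burst
        actual[i] += 400.0
    print("replay windows in genuine stream:", find_replayed_windows(genuine))
    print("replay windows in looped stream:", find_replayed_windows(shown)[:3])
    print("HMI vs independent sensor disagree at:", compare_sources(shown, actual))
```

The first check needs no extra hardware; the second is the one that actually catches the sabotage, which is why an out-of-band measurement path matters more than a prettier HMI.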

In January 2011, The New York Times reported that US and Israel jointly developed Stuxnet to sabotage Iran’s Uranium enrichment centrifuges, and that the malware was targeting a system with 984 machines linked together, identical to the configuration in Iran’s Natanz Enrichment complex.

Two months later, on March 17, RSA Corp. reported that its master database of token number generators or “seeds” was stolen in a hacker attack. RSA is a leading provider of SecurID devices, used by many corporations to let employees securely log in to corporate networks from remote locations. In the following weeks, Lockheed Martin, a customer of RSA, was targeted by a cyber attack that was attributed to data stolen from RSA.

On March 31, Comodo, a leading provider of authenticated SSL certificates, reported that its site was also breached by a hacker attack originating from Iran, but the breach was detected and the compromised certificates revoked. It was later revealed that Comodo was also attacked using stolen data from RSA, and the Iranian hackers were able to issue digital certificates under Comodo’s root certificate, compromising secure data transfer between Comodo’s customers, which include Google, Yahoo, Skype, Microsoft, and Mozilla, and entities that used their services.

On April 24, the Iranian govt. claimed to be the victim of a second Stuxnet computer worm, which it calls the “Stars worm”, though there has been no third-party report of this worm outside of the Iranian government. The Iranian government blamed SCADA manufacturer Siemens for this alleged worm. To date, it is not clear whether this second worm was actually another real cyberattack on Iran or whether Iran was over-reacting to some other Windows malware, mistaking it for a Stuxnet worm.

Shortly after Iran’s reprisal attacks on US systems, on May 31, the Pentagon released parts of its official cyber strategy document, which states that any attack on US nuclear reactors, subways, pipelines or other automated systems will be considered an act of war. The Pentagon stated “If you shut down our power grid, maybe we will put a missile down one of your smokestacks” — a strong statement given the fact that attributing cyber attacks to culprits is not always possible or likely, given the existence of tools like anonymizing web proxy servers such as proxy.org. The essential thinking in the Pentagon seems to be to consider the end effects of a cyberattack: if a cyber attack results in damage similar to that of a physical attack, then the cyber attack is equivalent to “use of force”, the legal term for armed attack on a country. The timing of the Pentagon’s statement seems to be aimed at preempting any further actions by Iran targeting critical US networks.

The Obama Administration indicated its intention to fund an “internet in a suitcase” project that would quickly establish a wireless network over a large area that can connect to the internet, in countries where governments were monitoring or shutting down communication networks. This project is to be financed by a two million dollar US State Department grant and its intended targets are the governments of Iran, Syria, and Libya, among others. The project is said to be based on mesh networks, where each node in the mesh acts as a router to relay information from other nodes, in addition to sending/receiving information of its own. Data is either broadcast or dynamically routed from any source to any destination node, automatically dropping unresponsive nodes and adding new nodes that join the mesh. However, there are key logistical problems with the “Internet in a suitcase” project, such as ensuring that the hardware does not fall into enemy hands, which would compromise the project and aid the very regimes that it targets. Iran responded with bravado that “Internet in a suitcase is no match for Iranian intelligence”, though it failed to specify how it planned to defeat operation of “Internet in a box” in Iranian territory.

All of the above events indicate that States all over the world are actively working to subvert or sabotage the networks of adversarial nations, while terming any such act against themselves a “use of force” or a political “act of war”. This also motivates the question of how technologically advanced States vulnerable to crippling cyber attacks can deter such attacks from adversaries. Thus, while the US escalated its response to Iran’s attacks on US territory, the US response to potential Chinese attacks on US cyber infrastructure was the opposite.

On June 14, Kissinger and Huntsman called for a bilateral agreement between the US and China that designated some areas of cyberspace off limits for hacking. The ostensible reason for this detente between the US and China was to forestall a possible deterioration in relations if the issue was not addressed beforehand. This development has led to increased calls from within various governments for a more organized structure to respond to cyber attacks, which is easier said than done. States with opposing ideologies that join hands to form a common platform to defend against cyber attacks would be building on a foundation of contradicting goals and motivations, implying that such a platform may well never come into existence.

The lack of such a platform for cooperation among States leaves the door open for States to continue Stuxnet-like attacks on each other’s capabilities, with the more powerful states deterring less powerful states by equating certain classes of State-supported cyber attacks with “use of force”, requiring a military response. This also motivates all nations to have their offensive cyber capabilities conducted by “citizens groups” or in other ways that let a State plausibly deny involvement in a cyberattack.

Given the low rewards for States to cooperate in a global common cyber-defense platform, the chances are that the more technologically adept states will call for a truce, potentially deterring each other from provoking conflict. However, less powerful states may well have to bear the brunt of cyber attacks from the more powerful states, since they would not have the means to retaliate.


The second “attack” – no holds barred for Iran?

Iran says it has been targeted by a second computer virus.

Iran has been targeted by a second computer virus in a “cyber war” waged by its enemies, its commander of civil defense said on Monday. Gholamreza Jalali told the semi-official Mehr news agency that the new virus, called “Stars,” was being investigated by experts.

“Fortunately, our young experts have been able to discover this virus and the Stars virus is now in the laboratory for more investigations,” Jalali was quoted as saying. He did not specify the target of Stars or its intended impact.

“The particular characteristics of the Stars virus have been discovered,” Jalali said. “The virus is congruous and harmonious with the (computer) system and in the initial phase it does minor damage and might be mistaken for some executive files of government organisations.”

While it is interesting to figure out what “congruous and harmonious with the system” actually means, even more interesting is what kind of mischief someone in this position can conjure up and blame on a “clear and present danger to critical national infrastructure”. Many believe that Iran was successfully targeted by the Stuxnet worm. Given this history, how many would fault Iran if it decides to “hunt down” the machines/entities that are helping spread this new virus against it? Will such a strategy be acceptable to the world at large? Would the US or China, or for that matter India, be able to use similar logic to implement an active defense strategy? How can the international community verify Iran’s claims?

Important questions with no clear answers. What do you think?


Official Indian word on Stuxnet’s effect

The Minister of State for Communications & Information Technology has provided the official version of the impact of Stuxnet on critical infrastructure in India. In a reply to a written question in the Rajya Sabha on 11th March, he provided the information that:

Some computer systems in India were also infected by the Stuxnet, but none of the infections have so far been reported in sensitive Industrial systems.

He then goes on to explain the steps being taken to tackle the problem of viruses and the protection of sensitive installations in the country, which include the alerts and advisories produced by CERT-In and the workshops conducted by it. With such a mandate one would assume CERT-In is on top of things, at least when it comes to issuing advisories. Not so! It issued its advisory on Stuxnet on July 23rd 2010, long after VirusBlokAda reported W32.Stuxnet (June 17), Microsoft issued advisory 2286198 (July 16) and Siemens reported that it was investigating reports that the malware was infecting SCADA systems (July 19). With such a lag in issuing the advisory, it would be hard to give CERT-In any credit for the reported absence of Stuxnet in “sensitive Industrial systems”.

As usual, these official press releases open up more questions. For one, where exactly were the computer systems that were infected by Stuxnet found? This is second to the more intriguing question: what is with the title of the press release, “Protection of Sensitive Installations from but ‘Free Virus’”?


Book review – “Cyberpower and National Security”

US President Barack Obama announced last year that America’s digital infrastructure is a “strategic national asset,” and set up a new Cyber Command headed by the director of the National Security Agency, signaling the importance of cyberpower in a nation’s internal and foreign policy. “Cyberpower and National Security” is one of the most comprehensive and scholarly books available on the topic of cyberpower.

The book is divided into six broad sections. The first three chapters form the foundation section that aims to identify and discuss major policy issues and formulate a preliminary theory of cyberpower. Chapter 1 looks at the key policy issues, categorizing them into structural and geopolitical. Chapter 2 establishes a common vocabulary for the cyber domain, with definitions for key concepts of cyberspace, cyberpower, and cyber strategy. Chapter 3 presents the initial theory of cyberpower.

Chapters 4 to 9 form the second section, “Cyberspace.” Chapter 4 looks at the structural elements that constitute cyberspace, while chapter 5 identifies vulnerabilities affecting the critical national infrastructure of the US, including power grids, communication systems, and cyberspace infrastructure. In chapter 6, the authors look at trends in cyberspace: the proliferation of broadband, the move to Internet Protocol version 6 (IPv6), increasing software complexity, the rise of online communities, and so on. Chapter 7 looks at the information security issues affecting the Internet, on both a small and a large scale. Chapter 8 raises several policy issues that the authors think are relevant to the future of cyberspace, including security, identity, and location-aware computing, while chapter 9 explores the biotech revolution and the blurring of lines between humans and technology.

Section 3, “Military Use and Deterrence,” consists of four chapters. Chapter 10 looks at environmental power theories, compares them to cyberpower, and comes up with common features. Chapter 11 considers the question of whether networking operators do indeed improve operational effectiveness. Chapter 12 provides an overview of the cyberspace and cyberpower initiatives undertaken by the military, and chapter 13 looks at the contentious issue of the deterrence of cyber attacks.

The chapters in section 4, “Information,” look at the power of information and its role in the military and government. Chapter 14 examines the strategic influence of cyberspace information on international security. Chapter 15 explores the challenges associated with influence operations at the tactical level, while chapter 16 looks at the related issue of how information and communication technology and strategy can influence stability operations. This topic is further pursued in chapter 17, which analyzes various policy and institutional activities.

Section 5, composed of three chapters, looks at the way cyberpower can empower nations, terrorists, and criminals. Chapter 18 considers the way crime has advanced in cyberspace, especially the use of cyberspace by organized crime to further their agenda. Chapter 19 tries to scope the term “cyber terrorism,” and considers the debated question of whether it exists or is just a myth. Chapter 20 looks at the use of cyberspace by China and Russia.

In the last section, chapter 21 looks at the complex and sensitive issue of Internet governance and how the US can achieve “Internet influence” in the face of pressure from other nations. Chapter 22 discusses legal issues associated with cyber warfare, particularly two classes of problems: lawful resort to force and use of force in wartime. Chapter 23 provides a critical assessment of the US federal efforts to protect critical infrastructure. The last chapter pushes for setting up a Cyber Policy Council to provide a structured solution to some of the vexing problems in the area.

Compared to other books on the topic [1,2], this book is very detailed and theoretical in its coverage. Given its comprehensive coverage, it should be read and digested by those who have more than a passing interest in cyberpower and cyber strategies but with a liking for a more scholarly treatment of the problem space.

1) Carr, J. Inside Cyber Warfare. O’Reilly, Sebastopol, CA, 2009.
2) Clarke, R.A.; Knake, R. Cyber War: The Next Threat to National Security and What to Do About It. Ecco, New York, NY, 2010.

Catch-up

This blog has been silent for some time but, if all goes well, that will change from now on. In order to get up to date with the happenings on the “cyberwar” front, here are a couple of interesting articles that have been published in the last couple of months:
