Is it OK to Call It Cyberwar Yet?

Tuesday, September 21, 2010

Joe Schorr


An Act of War at its most basic level is really state-sponsored crime: violating a border/invasion, hijacking vessels, kidnapping/enslaving citizens, regicide, assaulting an ally/neighbor, disrupting commerce or destroying property.

If you did these things, you'd go to jail. If a nation does them, like Britain impressing US sailors prior to the War of 1812 or Japan crippling the US fleet on 12/7/41, war ensues.

As shown above, proving the scale of a crime, that is, proving the culprit to be a nation rather than individuals, is important. In regards to Cybercrime and Cyberwar it is very important. Given the amount of debate on whether Cyberwar is even a valid term, there is one recent event that appears to lend credence to its apologists.

The ongoing investigation into the Stuxnet Worm may just be the smoking gun that validates the term Cyberwar and quiets those who see it as just a conspiratorial money-grab by the military-industrial bogeyman.

That the Stuxnet Worm's behavior is 'criminal' is without question, and the 'guilt' of its creators is undeniable. It is the scale of the exploit's background that points to state-sponsored crime and thus to an Act of War. By taking even a cursory look at the targets and sophistication of the attack, one quickly sees that this looks like a state-built worm that has been exposed in the wild.

Targeting: Stuxnet attacks SCADA systems and delivers full control to the attacker with the goal of re-programming the systems. SCADA is the command and control for what are traditional kinetic warfare targets: infrastructure, power, heavy industry and manufacturing. On a strategic level, there was a disproportionate infection rate that makes Iran, with over 60% of the infected hosts, look like the likely target.

To build this worm one would require knowledge of factory floor and infrastructure operations, knowledge of the Siemens architecture, and access to actual hardware to testbed the worm. The worm is built to limit its infection rate, controlling its spread to within a target's confines. It also looks to be team-built, with diverse SMEs participating, while exploiting an unprecedented four zero-day vulnerabilities and requiring multiple stolen certificates.

In the words of Liam O Murchu from Symantec's response team, "Someone had to sit down and say, 'I want to be able to control something on the factory floor, I want it to spread quietly, I need to have several zero-days, and then pull together all these resources.’ It was a big, big project."

The likelihood of criminal gangs or tiger teams of individual hacktivists pulling this off is extremely low. And when the obvious answer appears to be a state creating and coordinating an attack like this, at what point do we admit there is indeed a Cyberwar being waged?

For those like myself who believe we are already in a Cyber 'Cold War', an attack designed to take over control of a nation's infrastructure raises the heat quite a bit. This is beyond espionage, way beyond. I think it's OK to say it now.

Go ahead, say it: "Cyberwar." It won't hurt; not saying it, anyway...

Jim Tiller: Very nicely stated Joe. This is a complex topic once you pull back the covers. First, we have to define "war" and then map that against what we're seeing in the digital domain... and I think you did a great job here. We have to accept the "state sponsored" activities that are raising the bar on this "cold war" becoming something more, well let's just say not so good.

Jason Ross: The tough part of all this is doing what you elegantly point out as the critical piece: conclusively tying these malicious activities back to a single entity, nation-state or otherwise.

It's easy to say "we see packets coming from country X" or "our data is being exfiltrated to servers in nation Y", but it's extremely difficult to say that the perpetrators of these events are actually affiliated with country X or nation Y.

In a traditional physical attack, the aggressor is easily identified: simply look at the uniform or markings on the machinery to see where they are from.

These identifiable traits are largely lacking, or even deliberately misleading, in a digital attack. We're just beginning to really define what a 'cyberwar' is, but certainly the misdirection and relative anonymity of the attacker is a key part of its nature.