
WEEK 8 ESSAYS

Robert Sharpe

INTL 440 Cyber-Warfare

American Military University

Dr. Kimberly Dunkerley

27 September, 2014

Essay 1: Titan Rain

Titan Rain was the name the FBI gave to a group of hackers targeting the information systems of the US government, defense industry and the military throughout 2003-2004.[1] This attack is considered one of the largest cyber-attacks to date. In a 2005 TIME Magazine article detailing the discovery of Titan Rain, Nathan Thornburgh states, “Despite the official U.S. silence, several government analysts who protect the networks at military, nuclear-lab and defense-contractor facilities tell TIME that Titan Rain is thought to rank among the most pervasive cyberespionage threats that U.S. computer networks have ever faced.”[2] The espionage operations of Titan Rain were those of an organized, professional group and, although unprosecuted, the trail leads again to China.

The Titan Rain operation involved access to and control of a network; it did not include the delivery of any virus or worm that would affect the system and gain the attention of network security. This attack was not designed to bring down the network or deny others access to it. The intent was for the network to function in a manner that would not raise any attention and, as such, would allow for future access. The attackers were able to operate without discovery and make repeated visits to compromised networks to collect files that could be considered of strategic importance. Titan Rain serves as an example that, although incidents of cyber espionage can be discovered, analyzed and traced back to their origins, without proper policy measures all that can be gained from these efforts is knowledge about how to defend against specific attacks. This does not prevent hackers from finding other methods that will allow them access to classified information, nor does it deter them from continuing operations.

Thornburgh’s article states that it was Shawn Carpenter who first discovered what came to be known as Titan Rain on March 24th of 2004, but other sources state it was initially discovered in 2003.[3] This is illustrative of the difficulty in connecting the dots in cyber events. One attacker can simultaneously attack multiple networks. If network security is an internal function or is contracted out, it is difficult to compare attacks and find similarities. Without a centralized body of knowledge detailing attacks and malware, cyber security professionals must resort to social and professional networks to gain knowledge about new attacks. In Carpenter’s case he had already been involved in investigating an attack at Lockheed Martin, so he was aware of the tactics, techniques and procedures of what came to be known as the Titan Rain group. It was when he compared notes with an individual in Army cyber intelligence that the scope of the events he was viewing became clear.

The Titan Rain attacks were sophisticated: the attackers succeeded in penetrating secure networks containing classified information and stealing specific data quickly without being blocked by firewalls or caught by intrusion detection systems. The attacks were carried out by methods that did not match any known indicator of compromise. It was a human (not a security program) that discovered the espionage and traced it to the originating router. Hackers understand security software and discover ways to circumvent cyber security measures. It is human observation of network traffic and computer behavior that often leads to initial discovery. Thornburgh states, “They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes.”[4] The beacon meant that they did not have to search for the network or user station in the future; contact was initiated by the compromised machine through undetected code installed on a networked device. In most instances this malware is delivered onto a user’s machine when an infected attachment or a link to a corrupted website is opened. Bryan Krekel provides an explanation of beaconing in Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation:

The malware that these operators employ often tries to communicate with (or “beacon” to) a pre-established command and control server located in a variety of countries. This beaconing can continue for extended periods of time before the operators are ready to engage, establish a connection with and then take control over the victim system.[5]
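The defensive corollary of what Krekel describes is that a beacon calls home on a schedule, and schedules are visible in connection logs. As an added example (not from the essay or the sources it cites), the following detector groups constructed outbound-connection records by source, destination and port and flags pairs whose inter-connection gaps are nearly constant; the log lines, addresses and thresholds are all assumptions made up for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "timestamp src_ip dst_ip dst_port".
# The first host calls one address every 10 minutes; the second browses irregularly.
SAMPLE_LOG = """\
2014-03-24T02:00:00 10.1.1.5 203.0.113.7 443
2014-03-24T02:10:00 10.1.1.5 203.0.113.7 443
2014-03-24T02:20:00 10.1.1.5 203.0.113.7 443
2014-03-24T02:30:00 10.1.1.5 203.0.113.7 443
2014-03-24T02:40:00 10.1.1.5 203.0.113.7 443
2014-03-24T02:03:17 10.1.1.9 198.51.100.2 80
2014-03-24T02:04:02 10.1.1.9 198.51.100.2 80
2014-03-24T02:29:48 10.1.1.9 198.51.100.2 80
2014-03-24T02:31:05 10.1.1.9 198.51.100.2 80
2014-03-24T02:55:10 10.1.1.9 198.51.100.2 80
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        conns[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return conns

def beacon_candidates(conns, min_conns=4, max_cv=0.1):
    """Return (key, mean gap in seconds, coefficient of variation) for pairs
    whose gaps are regular. max_cv leaves some room for jittered beacons."""
    hits = []
    for key, times in conns.items():
        times = sorted(times)
        if len(times) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # 0 means perfectly periodic
        if cv <= max_cv:
            hits.append((key, round(avg), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for key, period, cv in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{key[0]} -> {key[1]}:{key[2]} every ~{period}s (cv={cv})")
```

On real data the same calculation is run over firewall or proxy logs per host, and the flagged pairs are triaged rather than blocked outright, since legitimate software also polls on timers.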

Although the attacks attributed to Titan Rain were sophisticated, they were not untraceable. Carpenter was able to trace the attackers’ IP addresses back to specific routers in China. The attacks took place over the medium of the internet and were traced back by the same medium. It is most probable that malware consisting of backdoors and remote access tools had been delivered through social engineering attacks. If so, it would mean that the operation involved a period of network reconnaissance prior to delivery of malware and initiation of the attack.

The response to this incident and the multitude of others like it was blocking IP addresses and the attachments that deliver malware. As a response this fails, as it does not take any measures to reclaim information or prevent such actions being performed by the same parties against the same networks.

Essay 2: Cyber Warfare

It is uncertain how future wars will be fought, but cyber-warfare will be a part of any future conflict. Cyber-attacks enhance military capabilities and increase the number of potential targets; often these are not what would be considered acceptable traditional military targets. While it is not a replacement for conventional methods, cyber warfare has altered the future and definition of war more than any other force.

It is undefined how cyber-warfare fits into the broad spectrum of military operations, as there are multiple aspects of warfare it can be applied to. Many current practices might cease to be used or become ineffective after they have been applied in a cyber-warfare operation. This is a period of experimentation and development, both in cyber operations and in the policy that governs them.[6] In the future war could occur without any direct conflict; cyber-warfare can target entities of such value to a nation that direct conflict would seem to offer less benefit and return. It could be argued that cyber-warfare has the potential to civilize war by moving it away from the citizens and towards the institutions of a nation or state. If so, the use of cyber-attacks is ethical. As it stands there is a wide gap between this possible future and current application.

Current cyber-warfare operations and theory target traditional military capabilities. Cyber espionage is often performed to gain information that will allow a nation to develop the military capabilities of more powerful nations. These cyber-attacks are being performed while there is no direct military conflict or declaration of hostilities. The medium of the internet allows cyber war to be a constant presence lurking unseen in the shadows. If future wars follow the course of current applications of cyber operations, they could include cyber tactics employed to impede an enemy’s deployment capabilities, disrupt the supply chain, and destroy an enemy’s ability to communicate or blind sensors prior to an attack. Cyber weapons could include “use of force” in which a cyber-attack’s effects are similar to those of a conventional weapon.[7] Regardless of how cyber weapons are applied, cyber warfare is a force multiplier.

Much like conventional warfare, there are actions that if taken (and attributed to an entity in cyber-warfare) will gain international criticism and condemnation. Cyber operations need to be aligned with just war theory. The intent of actions must be considered as well as the effects. It must be determined what actions in cyber operations are unethical and therefore would be considered an act of war. A kinetic attack that kills personnel or occurs on sovereign territory should be considered hostile and an act of war, but transferring these concepts into the cyber realm proves difficult. According to Dr. Larry M. Wortzel, “Chinese military officers noted that scholars hold differing opinions about whether a computer network attack may constitute an act of war. Some argued it meets that definition, but others argued that a network attack alone without corresponding conventional attacks does not constitute an act of war.”[8] Chinese military strategy thinks of information warfare and computer network attacks as bloodless and therefore acceptable. In cyber operations an attack against an enemy’s network could be interpreted or stated as being defensive, but the line between what is defensive and what is offensive depends upon viewpoint. If actions are taken to directly prevent actual military conflict and bloodshed, they are ethical. If the pretense is to prevent future attacks and the actions are cyber espionage to facilitate a military buildup that will dissuade enemies from attacking, a line has been crossed. Krekel states, “This concept may also have implications for PRC leadership willingness to use IW weapons preemptively if they believe that information-based attacks don’t cross an adversary’s “red lines”.”[9] Krekel’s statement reflects a similarity between cyber-warfare and Cold War tactics, when two superpowers would push the limits to determine the opposition’s abilities, reaction and “red line.”

There is a problem with the Chinese interpretation of the appropriateness of cyber operations if considered in light of the definition provided in the week 8 lesson of INTL 440, Cyber Warfare, which states, “Cyber Warfare is any offensive or defensive action taken to penetrate other nations or adversary’s information, information-based process, information systems, and computer-based networks.”[10] From this definition any action taken upon or against a network that is not owned by the organization itself could be construed as an act of cyber-war. Larry Wortzel states, “More work needs to be done on in defining when cyber penetrations or attacks amount to acts of war, where the perpetrator knows that a computer network attack may “directly cause destruction and serious injury.”[11] His statement is even more poignant when the availability of the weapons used in cyber-warfare is considered. There is a serious threat posed by entities other than states in cyber-warfare. The War on Terror has highlighted some of the difficulties a nation state has in war against non-state enemies. Cyber-warfare techniques provide opportunities for asymmetrical warfare, and the United States offers many targets. The anonymity of the internet and the difficulty in tracing attacks to their originators could lead some parties to take extreme actions. Even the best cyber defense measures and forensics would fail shortly after a successful attack on the energy grid that powers them.

The difficulty lies in a combination of the global nature of the internet itself and realpolitik. As it stands the United States needs to continue to defend itself from attacks by investigating, analyzing and attributing acts of cyber espionage and attack, as they provide the clues that can assist in preventing hostile parties from performing successful cyber-warfare operations in the future. Active defense through networking protocols is no substitute for the ability to destroy an attacker’s equipment. The next step is for policymakers to understand this threat and act accordingly.

BIBLIOGRAPHY

Andress, Jason, and Steve Winterfeld. “Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners.” Syngress Publishing, 2011.

Dunkerley, Dr. Kimberly. “Future of Cyber Warfare, Course Reflection, and Review.” American Military University, 2014.

Krekel, Bryan. “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation.” Northrop Grumman, October 9, 2009.

Thomas, Timothy L. “Google Confronts China’s ‘Three Warfares’.” Strategic Studies Institute, 2010.

Thornburgh, Nathan. “Titan Rain.” TIME Magazine, September 5, 2005.

Wortzel, Larry M. “China’s Approach to Cyber Operations: Implications for the United States.” Testimony before the Committee on Foreign Affairs, House of Representatives, March 10, 2010.

[1] Titan Rain: the Federal Bureau of Investigation’s name for a group of hackers from Guangdong province who stole information from US military labs, the National Aeronautics and Space Administration, the World Bank, and others. Timothy L. Thomas, Google Confronts China’s “Three Warfares”, 2010, p. 2.

[2] Nathan Thornburgh, Titan Rain (TIME Magazine, September 5, 2005).

[3] Andress, Jason, and Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Syngress Publishing, 2011), p. 13.

[4] Thornburgh.

[5] Bryan Krekel, Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation (Northrop Grumman, October 9, 2009), p. 59.

[6] Increasingly, Chinese military strategists have come to view information dominance as the precursor for overall success in a conflict. The growing importance of IW to China’s People’s Liberation Army (PLA) is also driving it to develop more comprehensive computer network exploitation (CNE) techniques to support strategic intelligence collection objectives and to lay the foundation for success in potential future conflicts. Krekel, p. 7.

[7] If cyber warfare is used to crash a plane or shoot down a missile, it is considered “use of force”. Simply, if it has the same kinetic effect as conventional warfare, it is considered an equivalent use of force. Dr. Kimberly Dunkerley, Week 8 Future of Cyber Warfare, Course Reflection, and Review, INTL 440, American Military University, 2014.

[8] Larry M. Wortzel, China’s Approach to Cyber Operations: Implications for the United States, Testimony before the Committee on Foreign Affairs, House of Representatives, March 10, 2010, p. 5.

[9] Krekel, p. 20.

[10] Dr. Kimberly Dunkerley.

[11] Wortzel, p. 8.