Every now and then I get emails from readers of my blog. I mostly reply to them in private, but I recently got one question where I thought my reply might be of general interest. I took the liberty of editing the question somewhat, but in essence it was:
If you have any insight you can share with my class on cyber warfare and security, I would be delighted to hear it.
My reply was as follows:
In general, I think it is an obvious conclusion that both offensive and defensive actions with regard to national telecommunications infrastructure are becoming an integral part of a nation's security assessments. Note that I am not really scoping this to only what is known as “cyber warfare”. There are other options that will have as their secondary effect to harm a nation's telecommunications, for example targeted attacks on power supplies in combination with attacks on diesel storage etc. To a lesser degree, I believe nations have spent time assessing their vulnerabilities and threat models. If we, for the sake of argument, use the term “cyber warfare” to include all kinds of harm done to a nation's ability to use electronic communications, there are a few definitions we need to agree on.
1. When is significant harm done? When online banking is down? When government web sites are down? When the government loses its ability to communicate with its citizens over electronic means (as opposed to analog means such as radio and TV)? There is no one given answer to this. Significant harm will vary from country to country and over time, as citizens become more used to communicating and receiving news over the Internet, and to trusting the information given.
2. The threat is asymmetrical. The threat in cyber warfare is as asymmetrical as terrorism, perhaps even more so. Some, or even a lot, of the threat is posed by organised crime that uses high-profile targets as “advertisements” to be used in future extortions. This threat is easier to organise and hide behind than a lot of other forms of asymmetrical threats. It is also something that can be repeated in the same form. That is, an attack plan does not become invalid just because it has been used once or discovered. By asymmetry here I mean the fact that a small group of attackers, even a single one, can cause large-scale harm and is hard to detect. Part of the problem is also that, contrary to smuggling nuclear material or blowing up targets, cyber attacks are not criminal offences in many countries, nor grounds for extradition. Not to mention that in many of the countries where attacks are executed from, the local police lack the knowledge to follow up on the crimes.
3. The threats are thoroughly mixed up with crime. It is really hard to make the distinction between crime and cyber warfare. The first is ongoing 24x7, and the only technical distinction that turns an action into the second is the perpetrator behind it. How to deal with this in an effective way from the point of view of government will be hard. Law enforcement agencies will have the upper hand in that they have more operational experience and likely more operational contacts, which are key to handling attacks, while other government agencies are more likely to have control over critical infrastructure and assessments of what needs to be protected. These interests will need to meet in an effective way.
This list can be made long. What I have not touched upon are the offensive means of cyber warfare. These will, in my opinion, vary somewhat depending on the intended target, and on whether this is a retaliatory strike or a first-strike action. In principle, though, the means are either targeted DoS attacks (whether DDoS, physical, or simply intrusion followed by actions that will cause harm, for example data deletion or modification), or infiltration (for example targeted spread of trojans/viruses/worms). The first will most likely be based on well-known techniques; the latter will most likely require some form of prior knowledge of the systems intended to be attacked, in combination with social engineering of the intended targets. Neither of these is hard, and again both are ongoing in the world around us.
The last item of interest is of course how to prevent and mitigate attacks. This is hard. Today this is more or less based on co-operation of the large service providers, and it is hard to see either done without their co-operation. Up-to-date protective measures such as virus scanners, firewalls etc. are a necessity. But in a high-security environment I would take this for granted. Still, attacks do happen. The threat that shouldn't be underestimated is of course malicious intent by “staff”. But that is not new. The same threat exists for manila folders :-) And the preventive measures are the same. In operational regard, I would again point to the text above. Operational experience and contacts are essential.
So to sum up, yes, I believe we will see more and more rough times for electronic communications. I believe we have little or no insight into what constitutes a problem and when we believe harm has been done. There is really a lot of work ahead in this arena. A lot of threat models where the arrows are red and come from the east will need to be updated and replaced. While I am sure the world's national intelligence agencies are working on asymmetrical threats from terrorism, I am less convinced they understand what threats cyber warfare REALLY constitutes. Keep in mind that the attacks on Estonia, for all we know, were conducted in the open and by disgruntled individuals.