Inside Cyber Warfare - Jeffrey Carr [27]
Myanmar
On September 23, 2008, in anticipation of the first anniversary of the Saffron Uprising, the government launched DDoS attacks against three websites that support the monks: The Irrawaddy, the Oslo-based Democratic Voice of Burma (DVB), and the New Era in Bangkok. The newspaper the Australian covered the story that day, reporting:
The concerted attacks—which appear to originate in China, Russia and Europe as well as Burma—can only be the work of agents of the Burmese Government and may be an effort to compensate for its failure last year to stem the flow of images showing vast columns of unarmed demonstrators and their eventual dispersal under a rain of bullets and truncheons.
A representative of DVB reported that the attacks appeared to be coming from sites in Russia and China, which, if true, would indicate that the Myanmar government outsourced the attacks.
Cyber: The Chaotic Domain
The answer to the question posed earlier about which of the previously discussed events qualifies as an act of cyber war is “none of the above.” As of this writing, there is no legal entity known as “cyber war”; the only issue that has been defined by international agreement is a nation’s right to self-defense when attacked, and that applies only to the traditional manner of attack, i.e., “armed” attack.
The assortment of cyber attacks listed earlier, ranging from internal attempts to silence opposition movements (Zimbabwe, Kyrgyzstan) to state-employed hackers taking out strategic websites (Israel, the Palestinian National Authority), illustrates just how malleable this domain can be. Furthermore, it would be incredibly naive to think that every permutation of this domain has been seen by now, which raises the importance of regular war-gaming or other types of forward-thinking exercises. This, unfortunately, is not a universally agreed-upon strategy.
The Center for Strategic and International Studies (CSIS) issued a report in February 2009 entitled “The 20 most important controls and metrics for effective cyber defense and continuous FISMA compliance.” The following appeared in the report:
A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that “offense must inform defense.” In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008. That new proposed legislation calls upon Federal agencies to:
Establish security control testing protocols that ensure that the information infrastructure of the agency, including contractor information systems operating on behalf of the agency, are effectively protected against known vulnerabilities, attacks, and exploitations (emphasis added).
This is an extremely short-sighted approach to security. A tier-one hacker’s favorite pursuit is the discovery of a zero-day exploit, which means finding a vulnerability in the software that no one else has yet discovered. To look only to the past as a defensive strategy means that our cyber security protocols will always be playing catch-up.
With the risk of discovery almost nil, a disputed legal status, and little in the way of unified international law enforcement collaboration, the cyber domain is today’s equivalent of the untamed American West during the 1800s. Keyboards have replaced revolvers and hackers are the new gunslingers. However, as with the other analogies, this one breaks down in one important respect: land is a physical, three-dimensional