Cyber Warfare Case Study: Estonia Jill Wiebke April 5, 2012

What is Cyber Warfare? Cyber warfare “is a combination of computer network attack and defense and special technical operations” (IEEE) 8 Principles: Lack of physical limitations Identity & privileges Kinetic effects Dual use Stealth Infrastructure control Mutability & inconsistency Information as operational environment Lack of physical limitations: the effectiveness of the attack has nothing to do with where in the world it originates Kinetic effects: an act of cyber warfare must have kinetic effects (electricity, water, change minds of decision-makers) – otherwise it is meaningless Stealth: hiding in cyberspace is/may be easier than in reality; hide evidence in data streams Mutability & inconsistency: cyberspace is imperfect, inconsistent, things may not happen the same way twice; unreliable – a step in an attack may not always work, or attacks not expected to succeed do Identity & privileges: everything is controlled by people (cyberspace is artificial, created by humans); goal of most attacks is to steal identity and privs of the entity that has the ability to perform the action the attacker wants to perform Dual use: attackers and defenders use same tools (vulnerability scanners, packet captures, etc.) Infrastructure control: whoever controls the part of cyberspace used by the opponent also control the opponent Information as operational environment: communication connections, network maps, etc. is the operational environment (as opposed to terrain, weather, etc. for kinetic warfare)

Things to Consider… Malicious cyber activity: crime, espionage, terrorism, attacks, warfare Classifications are made by intentions of perpetrator and effect of the act Definition of cyber attack is inconsistent “Easy” to change levels during an attack – difficult to determine the severity of the attack before it has ended Some say cyber attacks are a combo of cyber terrorism and cyber warfare, some say it should be its own cyber malicious event

Case Study: Estonia Baltic territory Capital: Tallinn Independence in 1918 Forced into the USSR in 1940 Regained freedom in 1991, Russian troops left in 1994 Joined UN in 2001, and NATO and EU in 2004 Known as an “e-society,” paperless government, electronic voting, etc.

Attacks on Estonia Who: That’s the real question, isn’t it? What: Distributed denial of service (DDoS) attacks on government, banks, corporate websites; website defacement When: April 27, 2009 – May 18, 2007 Where: Estonia Why: Another good question… How: Well-known attack types, but “unparalleled in size;” hundreds of thousands of attack computers http://www.industrialdefender.com/general_downloads/news_industry/2008.04.29_cyber_attacks_p1.pdf Rain Ottis, Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia

Attack Progression April 27: Estonian government websites shut down from traffic, defaced April 30: Estonia began blocking Web addresses ending in .ru Increased attack sophistication; targets now included media websites attacked by botnets 1 million computers were unwittingly employed to deploy botnets in US, China, Vietnam, Egypt, Peru May 1: Estonian ISPs under attack May 9: Russian victory in WWII – new wave of attacks at Russian midnight May 10: Banks are attacked http://msl1.mit.edu/furdlog/docs/washpost/2007-05-19_washpost_estonia_cyberattacked.pdf

Details Estonia had just decided to relocate a Soviet WWII memorial Large, well-organized, well-targeted attacks – not spontaneous – began hours after the memorial was relocated Malicious traffic indicated political motivation and Russian language background Instructions for attacking websites were posted in Russian language forums including when, what, and how to attack Did not accuse Russian government (not enough evidence), but attacks are believed to have originated in Moscow IP addresses of attackers belong to Russian presidential administration Russian officials denied any involvement; IPs could have been spoofed

Effects of the Attacks One person has been convicted – student in Estonia organized a DDoS attack on the website of an Estonian political party NATO enhanced its “cyber-war capabilities” Created a “cyber defense research center in Tallinn in 2008” Cyber Command – Full Operating Capability on Oct 31, 2010 http://www.msnbc.msn.com/id/31801246/ns/technology_and_science-security/t/look-estonias-cyber-attack/#.T3Mt7NmGWW9 http://www.stratcom.mil/factsheets/cyber_command/

Other Cyber Attack Examples Georgia DDOS attacks coincided with Russian invasion in August 2008 Stuxnet Worm that targets industrial control systems Infected Iranian nuclear facilities Titan Rain Suspected Chinese attacks on the US since 2003 “Nearly disrupted power on the West Coast” Security breaches at defense contracting companies (Duke article) http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5634434 Mention Anonymous

Magnitude of Cyber Warfare Attribution Nation-state actors Non-state actors “Hired guns” Trails end at an ISP New territory – no rules/standards Legal territory issues International laws do not exist yet Crime of Aggression definition Impacts Non-state actors: individuals or groups like Anonymous, learn online Independent companies for hire to conduct cyber attacks -> large copyright holders (Sony & Universal) hire independent companies to direct cyber attacks (DDOS) against people using file sharing software that is suspected to be sharing their copyrighted material. Could be done also be governments ISP trail: attacker may be ISP subscriber, or attack may have been routed through the ISP International laws: Territory: No geographic limitations, packets sent from point A to point B may not take the same route; example: during Georgian attacks, many Georgian websites moved to US servers. The server was in the US, but the “cyberspace” belonged to Georgia

Glimpse at Cyber Warfare Future The US heavily relies on cyber networks, so a cyber attack could be highly detrimental Physical impacts Disable water purification systems Turn of electricity Misrouting planes/trains Opening dams Melting nuclear reactors Communication network impacts Stock market manipulations Wireless Internet access outages Duke article

Why SAs Should Care Cyber attacks are increasing in threats, frequency, and intensity Targets range from government entities, banks, corporations, to private businesses We are the “cyber warriors” and “network ninjas” that will be dealing with the effects of cyber warfare

References https://www.cia.gov/library/publications/the-world-factbook/geos/en.html http://www.state.gov/r/pa/ei/bgn/5377.htm http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5634434 http://www.stratcom.mil/factsheets/cyber_command/ https://docs.google.com/a/utulsa.edu/file/d/0B7yq33Gize8yNjEzNDkxMGMtOWMyNS00ZDJhLTg4MDUtZDUwODQ2YjQwOTIw/edit?pli=1 http://www.industrialdefender.com/general_downloads/news_industry/2008.04.29_cyber_attacks_p1.pdf http://www.getgogator.com/News/Content/Articles/Malware/The%20Evolution%20of%20Cyber%20Warfare.pdf msl1.mit.edu/furdlog/docs/washpost/2007-05-19_washpost_estonia_cyberattacked.pdf http://www.msnbc.msn.com/id/31801246/ns/technology_and_science-security/t/look-estonias-cyber-attack/#.T3Mt7NmGWW9 ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6029360&tag=1 http://www.law.duke.edu/journals/dltr/articles/2010dltr003.html