Once upon a time we lived in a world in which wars were fought by brave soldiers who faced each other in furious combat in a way that today we would find it hard to recognize as valid. In the last decade, the way in which the states approach the concept of war has changed profoundly. The massive introduction of the technology component in our daily lives has meant that cyber attacks and cyber espionage operations are the main politically motivated activities undertaken by governments. This is cyber warfare.
U.S. government security expert Richard A. Clarke has defined in his book Cyber War (May 2010), “cyber warfare” as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”
The definition provided by the expert highlights two fundamental factors that distinguish a cyber war act by other cyber operations: the nation-state commitment and the intent of the offensive that could be conducted with the purpose of causing damage or to spy on an enemy’s networks.
Cyberspace is considered by the principal governments to be the fifth domain of warfare such as space, land, sea and air, and due to this reason, principal countries are mass investing in the development of new cyber capabilities to protect it.
This is the position of the U.S. Government on the cyberspace. William J. Lynn, U.S. Deputy Secretary of Defense, states that “as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space.”This announcement of the U.S. Government is a public admission on the great importance related to the garrison of cyberspace and of the effort used for the development of a new generation of technologies and tools to protect the nation in this additional domain that is replete with pitfalls.
The military sector has strengthened the awareness that a threat moving through cyberspace may constitute a serious danger to the safety of citizens and the stability of the government. This consideration, however, is open to other scenarios, including the use of the military operations in cyberspace for offensive purposes that offer many advantages compared to a conventional attack.
Different from what leads to a conventional attack, a cyber attack can be conducted in a silent way in times of peace and this leads to having to consider the extremely insidious threat that requires a high level of alertness.
Governments all around the world are concerned about the security level of their digital infrastructures and are promoting the foundation of skilled cyber units to enable actions in the new domain. The position of President Barack Obama in 2009 declared America’s digital infrastructure to be a “strategic national asset,” and just one year later the Government created a new U.S. Cyber Command (USCYBERCOM) with the primary mission of defending American military networks and to conduct full spectrum military cyberspace operations in order to enable actions in all domains.
The U.S. is not the only nation that is investing in cyber warfare capabilities. China and Russia are operating exactly in the same way, also other states such as North Korea and Iran are improving their presence in cyberspace.
Official sources state that at least 140 countries are developing cyber weapons, and the number of cyber warfare operations has dramatically increased. It has been estimated that thousands of attacks are daily conducted against government systems around the world due to offensive foreign states … how many of them will be successful?
Every war is fought with proper weapons and in cyber warfare we are assuming relevant importance of the use of cyber weapons, tools and software used to offend enemies in cyberspace. But despite the high inflationary usage of the term “cyber weapon”, today there is no formal and legal definition for it. Let’s consider for example that The Dictionary of Military and Associated Terms of the Department of Defense, consisting of 550 pages of definitions for the defense sector, does not contain a specific definition of cyber weapon, and international law does not define in exhaustive mode what is meant for cyber weapon.
The impact of the absence of a global recognized definition for cyber weapons is serious. The lack of definition makes it impossible to distinguish a cyber weapon and its proper use, and to evaluate the legal and political responsibility of the aggressor and the real level of threat made in a cyber warfare context.
Why is the use of cyber weapons a proven choice for governments?
The primary factors of success are the efficiency and the reduced costs of these type of technologies. The case of the Stuxnet virus, the real first example of a cyber weapon, has demonstrated the impact that similar tools could have on critical infrastructures.
The use of cyber weapons is a little noisy. Those agents are silenced for the nature of the vulnerabilities that are exploited which provides a real advantage to those who attack. An attacker in fact could operate in time to avoidrevealing the real origin of attacks. The possibility to operate under coverage represents an escape from sanctions of the international community because the anonymous nature of the offense allows circumvention of approval by the world community to a military offensive.
From a military perspective, the preparation phase of a cyber weapon is easy to hide from prying eyes. Let’s consider that through intelligence researches it is easier to discover the building of a conventional weapon (e.g. missiles, drones, combat aircraft). The development of a cyber weapon is hard to identify.
The use of cyber weapons is complementary to conventional military strikes. It could be is possible to:
- Support offensive operations destroying enemy defense infrastructures.
- Probe the technological capabilities of the enemy by evaluating the ability of an agent to infect enemy system.
The advantages make cyber warfare very attractive for those “small” states that, despite having reduced funds for military expenses, and are able to compete with the most important countries in the new domain.
What are the targets for cyber weapons?
The spectrum is very wide. In general a cyber weapon could hit every critical infrastructure and vital system of a country such as:
- Industrial control systems, of particular concern are those components that oversee the operation of plants for energy production and delivery of services of various kinds, such as water utilities.
- Electric power supply grids.
- Systems for territory controls.
- Hospitals and government controls.
- Communications networks.
- Defense systems.
- Military air traffic and airspace control systems.
- Financial and banking systems.
During a recent interview, Eugene Kaspersky, CEO of Kaspersky security firm, declared on the cyberspace subject:
“The cyber domain is just like the real world, and in the real world we have treaties and oversight agencies to monitor adherence to them. It works for nuclear weapons, biological and chemical, so why not cyber?”
The statement is exhaustive and highlights the need for an International Cyber Regulatory commission, but first of all it is necessary to provide a valid definition to the concept of cyber weapon, and to do this on a legal standpoint is necessary to identify the purpose of its use, the context in which it is used, the subject/object that offends, and of course the target of the attack.
A very interesting definition of cyber weapon has been provided by Italian lawyer Stefano Mele, cyber warfare expert, in his publication “Cyberweapons – Legal and strategic aspects”:
“A cyber weapon is [an] appliance, device or any set of computer instructions designed to unlawfully damage a computer or telecommunications system having the nature of critical infrastructure, its information, data or programs contained therein or pertaining there to, or to facilitate the interruption, total or partial, or alteration of its operation.”
Another valid definition for cyber weapon commonly used by security experts is the following:
“An appliance, device or any set of computer instructions designed to offend the person through cyberspace.”
Both definitions are complete and legally valid and qualify a cyber weapon for it state-sponsored origin and its capability to cause huge damages to critical infrastructures and to cause loss of human lives.
Once we have defined a cyber weapon, it is possible to distinguish the cases in which it is specifically designed to offend from those in which the improper use of tools originally designed for other functions could be adapted for offensive purpose.
It could also be possible to distinguish it from other tools used in cyber warfare operation such as cyber espionage tools.
One of the most debated issues is the possibility to define ‘cyber weapon’ as a cyber espionage tool that presents a modular structure that makes possible the use of malware with offensive purposes. According to the definition provided it isn’t considered a cyber weapon due the absence of an offense to the person or the responsibility to cause serious damage to critical infrastructures, but many experts make a reasonable objection. These tool kits could be used also to conduct an attack against specific targets by simply loading a proper module developed for the scope.
To provide an example let’s consider the malware Duqu: It has a state-sponsored origin but the isolated instance revealed mainly a cyber espionage purpose. Despite this characteristic security firms have recognized that it has been developed using the same platform that created Stuxnet, the “Tilded Platform”. The malware created the innovative platforms that are known to have a modular structure that specify their behavior. This means that Duqu equipped with proper components is also adoptable for offensive purposes.
Case Study – Stuxnet
To give an idea of the efficiency of cyber weapons it is possible to analyze the figures related to its spread. An interesting source on the topic is the Symantec dossier “Symantec W32.Stuxnet Dossier Version 1.4 (February 2011)”, which provides useful statistics and information on the infection. Stuxnet is considered the first cyber weapon in history by many experts. For the first time in fact, a state sponsored attack has hit the critical infrastructures of a foreign country with the specific intent to destroy them.
Stuxnet is a malware detected in 2009 and that infected specific industrial control systems deployed in Iranian critical infrastructures such as a gas pipelines or power plants. The ultimate goal of Stuxnet is to sabotage these facilities by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries. The agent has been developed to destroy Iranian nuclear program.
Stuxnet is a large, complex piece of malware with many different components and functionalities including zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface. The graph related to the geographic distribution of infections gives us two important pieces of information:
The use of a variety of propagation techniques has meant that Stuxnet has spread beyond the initial target. As the histogram shows, Iran wasn’t the only state targeted by the malware. Further infections are considered unintentional “collateral damage” caused by utilizing promiscuous initial propagation methodology. Are the authors able to control the spread of the agent? According to the declarations of many military officials, it isn’t possible to have the certainty that a malware will infect only the targets.
The agent mainly hits Iran, which reported approximately 60% of infected hosts. The concentration of infections in the country likely indicates that this was the initial target and was where infections were initially seeded.
The following chart reports the impact in terms of infected PCs for different variants of Stuxnet. The various instances in fact differ for methodology of diffusion and for the modules that compose them. The agent is mutated in time; that is another peculiarity of a cyber weapon, the possibility to change its behavior, changing the structure of one of its modules. Simply by loading a new payload, it is possible to make the malware more offensive.
Impact on Cyberspace
The spread of a malicious agent in cyberspace could lead to the loss of human lives and cause the destruction of critical infrastructures. These are considerable as a direct effect for which the cyber weapon has been designed, but there are also “collateral damages” caused by the uncontrolled diffusion of a cyber weapon.
A cyber attack could cause similar damage of a conventional attack and the cases shown demonstrate the serious impact on citizens. The primary targets of cyber attacks and related damages are:
- Electronic national defense systems – by hacking a defense system of a country it is possible to control its conventional weapons, for example there is the possibility to launch a missile against the state itself or other nations.
- Hospitals – electronic systems present in hospitals and health centers could be exposed to cyber attacks that can compromise their functioning, causing serious consequences.
- Control systems of critical facilities – a cyber attack could compromise the management system of a chemical plant or a nuclear site, altering production processes and exposing large areas to risk of destruction.
- Water supply – water is an essential resource for the population. Interruption of the supply might leave large areas without water. The alteration of the control system might allow it to be functional but vulnerable to a successive attack such as water poisoning.
- Fully-automated transportation control systems and civil and military air traffic controls - all those systems do not require conductors or drivers, or give a sensible aid to the conduction and control of transportation. Consider the effect of an attack on train control systems or to an air traffic management system.
- Electricity grid management systems – this target represents the vital system of a country. Attacking these systems, it is possible to interrupt the electricity supply, causing the total block of the activities of a nation such as computers, trains, hospitals and telecommunications services. These represent a privileged target for a cyber attack, and their defense is a fundamental in every cyber strategy.
- Banking systems and financial platforms – financial systems are critical assets for a nation and their block could cause serious problems, such as the block of the economic activities of the targets. Despite being unable to cause the direct loss of human lives, a cyber attack could cause the financial collapse of a nation. The scenario is worrying; if we think that global finance today is strictly dependent on the economy of each single state, a cyber attack against a state could cause serious and unpredictable consequences to the entire economic system.
But the presence of cyber weapons is a dangerous factor that could have serious repercussions on cyber space. The fallout of large use of malicious applications and cyber warfare technology in general has a great effect on security and privacy of citizens.
In recent months, different silent malware have been detected all over the world stealing sensible data and destroying target systems. Agents such as Stuxnet, Flame and Gauss are surely results of state-sponsored projects that are infecting not only the real final target but that are menacing infrastructures of many countries in specific areas of the planet.
One of the most dangerous effects of the use of a cyber weapon is the difficulty to predict its diffusion. Cyber space has no boundaries, and Gen. John P. Casciano, a former Air Force director of intelligence, surveillance and reconnaissance of the U.S. Government, confirmed the concept, declaring:
“We will never have 100 percent assurance that a cyber offensive will work as planned.”
This means that the cyber weapon could also hit in unpredictable way other systems or networks that are not considered targets. In extreme cases it is possible also that it attacks the nation of the authors in a sort of “boomerang effect”.
The presence of a cyber weapon in cyberspace could open the possibility of a reverse engineering of its source code by ill-intentioned individuals. Foreign governments, cyber terrorist, hacktivists, and cybercriminals could be able to detect, isolate and analyze the agents, designing and spreading new cyber threats that are difficult to mitigate.
These agents are difficult to be discovered and could operate silently for years, like in the case of Gauss malware causing serious damages to the victims and also to other entities in cyberspace.
Another factor that exposes homeland security to serious risk in case of a cyber attack is the lack of citizen awareness on cyber warfare and on the proper response procedure in the case of attack. Most people totally ignore the term «cyber warfare» and the real world impact of cyber operations. Of course, the leak of knowledge is a considerable factor that could advance opponents in the on-going «cyber war».
COL Thomas Goss, chief of the command’s Strategic Initiatives Group, declared:
“While technology plays an important role in the cyberspace domain, it is not technology that will win on the 21st century’s cyber battlefields […] Time after time, in operations and in exercises, it is the people that will make the difference.”
The statement is a perfect synthesis of the strategic importance of a proper level of education on the subject. “The 2012 Army Strategic Planning Guidance” calls for the service to continue to recruit, educate, train and retain cyber professionals, building a pipeline for the next generation of cyber professionals.
New role for hackers and the birth of new 0-day market
An essential element of a «cyber weapon» is the exploit of an unknown vulnerability. Known as zero day vulnerability, it is a factor that influences its efficiency and makes it possible to target specific applications or infrastructures. Governments and private business have suddenly discovered the importance of discovering bugs in the most common applications, creating a new market for the new precious commodity.
NSA chief General Alexander at Defcon 2012
The exploit of the new vulnerability is the prerogative of the hacker’s work that has become of great interest. The figure of the hacker is totally changed in the eyes of the product manufacturer of the compromised principal application and of governments. In the past, hackers mainly operated for their pleasure and the need to measure their skills, and kept far from government affairs. Today they are the key figure in a market characterized by the “instantaneity” of any transactions involving vulnerability information.
Once the vulnerability is discovered, it has to be managed with great attention to avoid being divulged, and must be proposed to the proper organization that operates as a broker in the new market and is able to keep secret the discovery, “short circuiting” a demand and offer.
The market and its actors are shrouded in mystery. Many experts sustain that it is in need of a regulation, but the problem is far from simple. Introducing controls on the negotiation of such exploits could hijack sales to areas difficult to monitor with dangerous consequences.
Governments are really interested in these hacks because they could use them for their cyber operations like cyber espionage or exploiting of target infrastructures. China, Russia and U.S., but also North Korea and Iran, have publicly demonstrated a large interest in the hacking world. In many cases the governments have announced the recruiting of the best hackers to create new cyber units, for example NSA chief General Keith B. Alexander during last edition of Defcon Hacker Conference, asked hackers for help securing cyberspace.
Cyber war era – conflict without rules
The worldwide security community is aware that we are in the cyber era and today cyber conflicts are fought without rules and regulations. Every state is able to invest in the development of cyber capabilities, and due to the nature of the technologies each is able to use it without being discovered, and creates serious damage in time.
As usual the common people are the most impacted by the silent cyber offensive. Main factors that expose the population to risk of cyber attacks are:
- Large-scale diffusion of computer and communication networks.
- Unmanaged and vulnerable interconnections between critical systems.
- Rapid evolution of the technological landscape.
- Lack of boundaries in cyber space.
From a regulatory perspective, it is essential to provide the following responses:
- What is meant by the use of force in cyberspace?
- When should a cyber attack be considered an armed attack?
- What are the methods and levels of proportionate response to a cyber attack?
- Which set of rules should apply to this kind of response?
- How do we establish the legal liability of the actors involved in cyber operations?
How do we balance national security needs with the imperative need to protect individual freedoms of citizens?
The cyberspace is considerable as a new domain in which the use of cyber weapons must be regulated exactly in the same way as for nuclear or chemical arsenals in conventional warfare. Eugene Kaspersky stated on the argument:
“The cyber domain is just like the real world, and in the real world we have treaties and oversight agencies to monitor adherence to them. It works for nuclear weapons, biological and chemical, so why not cyber?”
The relative simplicity in the development of a cyber weapons and the race to cyber arms observed in recent years requires globally recognized regulation. It is desirable that a single agency representing all the states of the world will define a body of cyber rules and seek to regulate the use of cyber weapons and other cyber tools in cyberspace.
The target is very challenging. There are obvious strengths by governments that in this critical moment don’t want to be limited their capabilities in cyber war. They are conscious that secretly many adversaries are continuing the investments on a so critical domain and are afraid of cyber offensives that could find them unprepared. Under this premise, it is very difficult to predict how the debate will evolve, in the meantime some security experts are trying to formalize a regulatory agency to apply to Cyber Warfare.
One of most interesting works on the subject is the “The Tallinn Manual on the International Law Applicable to Cyber Warfare”, a document written by an independent ’International Group of Experts’ to examine how extant international law norms apply to this ‘new’ form of warfare.
The study tries to clarify the position of the states in the cyberspace defining jurisdiction, control and legal responsibilities.
«A State bears international legal responsibility for cyber operation attributable to it and which constitutes a breach of an international obligation.»
The experts have provided a legal definition for a concept such as a cyber attack and a cyber weapon, following an abstract from the first draft release:
«A cyber attack is cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects»
The manual provides detailed specification on targets, highlighting the duty of care during attacks on dam, dykes and Nuclear Electrical Generating Stations, and the needs to preserve children, journalists, medical and religious personnel. In cyber warfare, the context is fundamental to introduce the concept of cyber weapons, and experts have approached it defining the ‘Means’ of cyber warfare are cyber weapons and their associated cyber systems.
Cyber weapons are cyber means of warfare that are by design, use, or intended use, capable of causing either injury to, or death of, persons. The ‘Methods’ of cyber warfare are the cyber tactics, techniques and procedures, by which hostilities are conducted.
An example of Means and Methods could be provided referring to a DDoS attack conducted using a Botnet. In this case the botnet is the ‘means’ of cyber warfare while the DDoS attack is the ‘method’.
The manual also states two fundamental concepts:
- It is prohibited to employ means or methods of cyber warfare that are of nature to cause superfluous (aggravates suffering without military advantage) or unnecessary suffering.
- Every time the means or methods of cyber war are used it is necessary to conduct a legal review to determine their technical description, nature of targets, effects on targets, precision and scope of intended effects.
Do you believe that in the present scenario these concepts find control of the application?
It’s obvious that before we face serious and irreparable consequences, the introduction of a regulatory platform is desirable.
Economic data on the development of cyber capabilities
In the first part of the article, the current cyber warfare scenario has been introduced. The majority of countries are investing to improve their cyber capabilities for defensive purpose, but not only. It is not simply to gather information on ongoing projects, but in many cases governments provide details on them to publicly demonstrate their commitment in cyber warfare.
Plan X is without doubt one of the most known projects, promoted by U.S. government and developed by the DARPA division, for development of new cyber warfare technologies. The project is not the only one ongoing in U.S. The Air Force Research Laboratory (AFRL) gave six firms contracts valued at up to $300 million under a program called Agile Cyber Technologies (ACT), to provide cyber weapons on-demand under a form of contracting known as Indefinite Delivery-Indefinite Quantity (IDIQ). There aren’t specific info regarding similar projects conducted by other active countries such as Russia and China, due to the lack of transparency in the matter, but it is sure that those governments are massively investing in cyber warfare technologies. The Russian Armed Forces in the “Information Environment: Principles, Rules, and Confidence-Building Measures” announced a national need in the development and regulation of cyber weapons, and Chinese PLA is considered a heavy investor in cyber warfare. Consider also the effort spent by UK and Iran.
Recently other nations have confirmed their engagement in the new domain. The Scandinavian nation’s Ministry of Defense aims to create malware and exploits to launch online counter-attacks to threats. Meanwhile Taiwan is investing in new ‘cyber warfare’ capabilities and also NATO (North Atlantic Treaty Organization), to upgrade its defense capabilities, will spend during 2012 around 58M USD.
Figure – Cyber warfare expense for countries
In the above table are proposed some figures relating the total expense of the most active countries in cyber warfare. Note China and the U.S. have allocated considerable investment for the development of new cyber technologies.
Analyzing the global expense in cyber warfare, it is possible to understand the economic impact on each nation’s demonstration of the strategic importance to adopt a proper cyber strategy and of course to develop a cyber weapon arsenal.
How much does a cyber weapon cost?
It’s quite impossible to establish an exact cost for the development of a cyber weapon that depends on many variables, but a valid and realistic estimation has been provided by the famous hacker Charlie Miller, who proposed some interesting figures in the presentation «How to build a cyber army to attack the U.S.»
The hacker hypothesized a project with a total duration of a couple of years that involves around 592 professionals that cover various job roles from vulnerability analysts to managers. The study demonstrates that the development of the cyber weapon needs highly skilled professionals that work in structure with rigid hierarchies with unlimited availabilities in term of equipment. The simulation revealed an expense of $45.9 million in annual salary (average annual salary $77,534) and $3 million in equipment.
Figure – Composition of team for cyber weapon development
Despite that the amount could appear expensive, if it is compared with the cost of a conventional weapon it is really cheap. For this reason many government are establishing cyber units dedicated to the development of new offensive technologies.
The article has proposed several aspects related to the concept of cyber weapons, providing a picture of actual cyber warfare scenario under different perspectives, highlighting the importance to define a globally recognized regulatory platform. Despite the common concern of many governments, some experts believe that the concept of cyber weapons is too “abstract”, and due to this reason they underestimate its hazard. The main arguments proposed by these skeptics are:
- To date government cyber weapons affected a few thousand people.
- All publicly-known cyber-weapons have far less ‘firepower’ than is commonly assumed.
- The principal benefit of cyber-weapons may be using them in conjunction with a conventional military offensive; this implies the benefit pay off of “weaponised” instruments of cyber-conflict may be far more questionable than generally assumed.
Synthesizing their point of view on the cyber weapon argument, the “cyber war would not actually be war because there aren’t loss of human lives, same thought for cyber weapons”, but analyzing the recent incidents and the continuous discoveries of malicious state-sponsored malware, it is possible to understand the great activities in cyberspace and related unpredictable repercussions on civil and military infrastructures.
Governments have acquired a high sensitivity in cyber warfare and the awareness that cyber threats through cyber space could impact homeland security exactly in the same way of conventional attacks.
The future will be characterized by an intensification of state-sponsored cyber operations. Cyberspace will change deeply, and with it the concept of cyber security. Governments, business and private business must be prepared for the challenge, not underestimating the risks.
Let’s close with a statement, extracted by the trailer of the film on the hacking world, “Reboot”, that synthesizes the importance of preserving digital assets of a country:
“We are all connected on a vast global network and whoever controls the network controls the world.”