Cyber War: The Next Threat to National Security and What to Do About It (3 page)

Whatever method the Israelis used to trick the Syrian air defense network, it was probably taken from a playbook they borrowed from the U.S. Our Israeli friends have learned a thing or two from the programs we have been working on for more than two decades. In 1990, as the United States was preparing to go to war with Iraq for the first
time, early U.S. cyber warriors got together with Special Operations commandos to figure out how they could take out the extensive Iraqi air defense radar and missile network just before the initial waves of U.S. and allied aircraft came screeching in toward Baghdad. As the hero of Desert Storm, four-star General Norm Schwarzkopf, explained to me at the time, “these snake-eaters had some crazy idea” to sneak into Iraq before the first shots were fired and seize control of a radar base in the south of the country. They planned to bring with them some hackers, probably from the U.S. Air Force, who would hook up to the Iraqi network from inside the base and then send out a program that would have caused all the computers on the network all over the country to crash and be unable to reboot.

Schwarzkopf thought the plan risky and unreliable. He had a low opinion of U.S. Special Operations Command and feared that the commandos would become the first Americans held as prisoners of war, even before the war started. Even worse, he feared that the Iraqis would be able to turn their computers back on and would start shooting down some of the two thousand sorties of attacks he planned for the first day of the air war. “If you want to make sure their air defense radars and missiles don’t work, blow them up first. That way they stay dead. Then go in and bomb your targets.” Thus, most of the initial U.S. and allied air sorties were not bombing raids on Baghdad headquarters or Iraqi Army divisions, they were on the air defense radar and missile sites. Some U.S. aircraft were destroyed in those attempts, some pilots were killed, and some were taken prisoner.

When, thirteen years later, the U.S. went to war with Iraq a second time, well before the initial waves of American fighter-bombers swept in, the Iraqi military knew that their “closed-loop” private, secure military network had already been compromised. The Americans told them.

Thousands of Iraqi military officers received e-mails on the Iraqi Defense Ministry e-mail system just before the war started.
Although the exact text has never been made public, several reliable sources revealed enough of the gist to reconstruct what you might have read had you been, say, an Iraqi Army brigadier general in charge of an armored unit outside of Basra. It would have read something like this:

Not surprisingly, many Iraqi officers obeyed the instructions CENTCOM had e-mailed them, on the secret Iraqi network. U.S. troops found many units had neatly parked their tanks in rows outside their bases, thus allowing U.S. aircraft to neatly blow them up. Some Iraqi army commanders sent their troops on leave in the hours before the war. Troops put on civilian clothes and went home, or at least tried to.

Although willing to hack into Iraq’s network to engage in a psychological campaign prior to the onset of the conventional attack, the Bush Administration was apparently unwilling to destroy Saddam Hussein’s financial assets by cracking into the networks of banks in Iraq and other countries. The capability to do so existed, but government lawyers feared that raiding bank accounts would be seen by other nations as a violation of international law, and viewed as a precedent. The counsels also feared unintended consequences
if the U.S. cyber bank robberies hit the wrong accounts or took out entire financial institutions.

The second U.S.-Iraq war, and the more recent Israeli attack on Syria, had demonstrated two uses of cyber war. One use of cyber war is to make a conventional (the U.S. military prefers the term “kinetic”) attack easier by disabling the enemy’s defenses. Another use of cyber war is to send propaganda out to demoralize the enemy, distributing e-mails and other Internet media in place of the former practice of dropping pamphlets. (Recall the thousands of pieces of paper with instructions in Arabic and stick-figure drawings dropped on Iraqi forces in 1991, telling them how to surrender to U.S. forces. Thousands of Iraqis brought the pamphlets with them when they did surrender.)

The raid on the Syrian nuclear facility and the U.S. cyber activity that preceded the invasion of Iraq are examples of the military using hacking as a tool to assist in a more familiar kind of war. The use of cyberspace by nation-states for political, diplomatic, and military goals does not, however, have to be accompanied by bombing raids or tank battles. A small taste of what a stand-alone cyber war could look like came, somewhat surprisingly, in a little Hanseatic League city of 400,000 people on the shores of the Baltic. The city of Tallinn had become, once again, the capital of an independent Estonia in 1989 when the Soviet Union disintegrated and many of its component republics disassociated themselves from Moscow and the U.S.S.R. Estonia had been forced to become part of the Soviet Union when the Red Army “liberated” the Baltic republic from the Nazis during what the Russians call “the Great Patriotic War.”

The Red Army, or at least the Communist Party of the Soviet
Union, didn’t want Estonians, or any other East Europeans, to forget the sacrifices that were made “liberating” them. Thus, in Tallinn, as in most East European capitals, they erected one of those giant, heroic statues of a Red Army soldier that the Soviet leaders had such a fondness for. Often these bronzes stood atop the graves of Red Army soldiers. I first stumbled upon such a statue, almost literally, in Vienna in 1974. When I asked the police protecting it why neutral Austria had a giant Communist soldier in its downtown, they told me that the Soviet Union had put it up right after the war and had required the Austrians to promise never to take it down. Indeed, the statue is specifically protected in the treaty the U.S. and Austria signed, along with the Soviets, when American and Soviet troops left Austria in 1950. Back in the 1970s, the Viennese almost uniformly described the enormous bronze as “the only Russian soldier in Vienna who did not rape our women.” It seems these statues mean a great deal to the Russians, just as the overseas graves of American World War II dead are sacred ground to many American veterans, their families, and their descendants. The giant bronze statues also had significant meaning to those who were “liberated,” but that meaning was something entirely different. The statues and the dead bodies of Red Army soldiers under them were, symbolically, lightning rods. In Tallinn, the statue also attracted cyber lightning.

Tensions between ethnic Russians living in Estonia and the native Estonians themselves had been building ever since the little nation had declared its independence again at the end of the Cold War. The majority of Estonians sought to remove any sign of the five oppressive decades during which they had been forced to be part of the Soviet Union. In February 2007, the legislature passed a Forbidden Structures Law that would have caused anything denoting the occupation to be taken down, including the giant bronze soldier.
Estonians still resented the desecration of their own veterans’ graves that had followed the appearance of the Red Army.

Moscow complained that moving the bronze soldier would defame the heroic Soviet dead, including those buried around the giant bronze. Seeking to avoid an incident, the Estonian President vetoed the law. But public pressure to remove the statue grew, just as a Russian ethnic group dedicated to protecting the monument and an Estonian nationalist group threatening to destroy it became increasingly militant. As the Baltic winter warmed into spring, the politics moved to the street. On April 27, 2007, now known as Bronze Night, a riot broke out between radicals from both ethnic factions, with the police and the statue caught in the middle. Authorities quickly intervened and moved the statue to a new, protected location in the military cemetery. Far from quelling the dispute, the move ignited indignant nationalist responses in the Moscow media and in Russia’s legislature, the Duma.

This is when the conflict moved into cyberspace. Estonia, oddly, is one of the most wired nations in the world, ranking, along with South Korea, well ahead of the United States in the extent of its broadband penetration and its utilization of Internet applications in everyday life. Those advances made it a perfect target for cyber attack. After Bronze Night, suddenly the servers supporting the most often utilized webpages in Estonia were flooded with cyber access requests, so flooded that some of the servers collapsed under the load and shut down. Other servers were so jammed with incoming pings that they were essentially inaccessible. Estonians could not use their online banking, their newspapers’ websites, or their government’s electronic services.

What had hit Estonia was a DDOS, a distributed denial of service attack. Normally a DDOS is considered a minor nuisance, not a major weapon in the cyber arsenal. Basically it is a preprogrammed
flood of Internet traffic designed to crash or jam networks. It is “distributed” in the sense that thousands, even hundreds of thousands, of computers are engaged in sending the electronic pings to a handful of targeted locations on the Internet. The attacking computers are called a “botnet,” a robotic network, of “zombies,” computers that are under remote control. The attacking zombies were following instructions that had been loaded onto them without their owners’ knowledge. Indeed, the owners usually cannot even tell when their computers have become zombies or are engaged in a DDOS. A user may notice that the laptop is running a little slowly or that accessing webpages is taking a little longer than normal, but that is the only indicator. The malicious activity is all taking place in the background, not appearing on the user’s screen. Your computer, right now, might be part of a botnet.

What has happened, often weeks or months before a botnet went on the offensive, is that a computer’s user went to an innocent-looking webpage and that page secretly downloaded the software that turned their computer into a zombie. Or they opened an e-mail, perhaps even one from someone they knew, that downloaded the zombie software. Updated antivirus or firewall software may catch and block the infections, but hackers are constantly discovering new ways around these defenses.

Sometimes the zombie computer sits patiently awaiting orders. Other times it begins to look for other computers to attack. When one computer spreads its infection to others, and they in turn do the same, we have the phenomenon known as a “worm,” the infection worming its way from one computer through thousands to millions. An infection can spread across the globe in mere hours.

In Estonia the DDOS was the largest ever seen. It appeared that several different botnets, each with tens of thousands of infected machines that had been sleeping, were now at work. At first, the Estonians thought that the takedown of some of their webpages was
just an annoyance sent at them from outraged Russians. Then the botnets started targeting Internet addresses most people would not know, not those of public webpages, but the addresses of servers running parts of the telephone network, the credit-card verification system, and the Internet directory. Now over a million computers were engaged in sending a flood of pings toward the servers they were targeting in Estonia. Hansapank, the nation’s largest bank, was staggered. Commerce and communications nationwide were being affected. And the attacks did not stop.

In most previous eruptions of a DDOS attack, one site would be hit for a few days. This was something different. Hundreds of key sites in one country were being hit week after week, unable to get back up. As Internet security experts rushed to Tallinn from Europe and North America, Estonia brought the matter before the North Atlantic Council, the highest body of the NATO military alliance. An ad hoc incident response team began trying countermeasures that had been successful in the past with smaller DDOS attacks. The zombies adapted, probably being reprogrammed by the master computers. The attacks continued. Using trace-back techniques, cyber security experts followed the attacking pings to specific zombie computers and then watched to see when the infected machines “phoned home” to their masters. Those messages were traced to controlling machines, and sometimes further traced to higher-level controlling devices. Estonia claimed that the ultimate controlling machines were in Russia, and that the computer code involved had been written on Cyrillic-alphabet keyboards.

The Russian government indignantly denied that it was engaged in cyber war against Estonia. It also refused Estonia’s formal diplomatic request for assistance in tracing the attackers, although a standing bilateral agreement required Moscow to cooperate. Informed that the attacks had been traced back to Russia, some government officials admitted that it was possible perhaps that patriotic
Russians, incensed at what Estonia had done, were taking matters into their own hands. Perhaps.

But even if the “patriotic Russians” theory were to be believed, it left unanswered the question of why the Russian government would not move to stop such vigilantism. No one doubted for a minute that the KGB’s successors had the ability to find the culprits and to block the traffic. Others, more familiar with modern Russia, suggested that what was at work was far more than a passive Russian police turning a blind eye to the hooliganism of overly nationalistic youth. The most adept hackers in Russia, apart from those who are actual government employees, are usually in the service of organized crime. Organized crime is allowed to flourish because of its unacknowledged connection to the security services. Indeed, the distinction between organized criminal networks and the security services that control most Russian ministries and local governments is often blurry. Many close observers of Russia think that some senior government officials permit organized crime activity for a slice of the profits, or, as in the case of Estonia, for help with messy tasks. Think of Marlon Brando as the Godfather saying, “Someday…I will call upon you to do a service for me…”