If you’ve been closely following the news in the past few years about conflicts in regions such as the Middle East, the Balkans, the Caucasus and Central Africa, you might have noticed how regularly phrases such as “terrorism,” “guerrilla tactics” and “asymmetrical warfare” appear. Simply put, these refer to the strategies weaker powers adopt against stronger ones. Unlike more traditional forms of Western warfare, which generally entail massive pitched battles between government-run professional militaries, this approach relies heavily on secrecy, stealth and speed, avoids direct combat whenever possible and often involves non-state actors. One of the most common forms of asymmetrical attack is what’s known as cyberwar, and it might be the most dangerous method of all.
Case Studies in Cyberwar
One recent example of this type of warfare is a flare-up between Peru and Chile. The two nations became embroiled in a hacker war due to a dispute over territorial fishing waters in the Pacific Ocean as well as (seriously) the ownership rights to a grape brandy beverage called Pisco. (That must be some really good stuff.) At any rate, the quarrel led a Peruvian hacker, who goes by the nom de plume Cyber Alexis, to break into the Chilean National Emergency Office’s Web site and post phrases such as, “We do as we like with our policy and our ocean,” and “Nobody can match ceviche (a Latin American seafood dish) and Pisco or equal their quality.” Take that, Chile! This attack prompted a similar war-of-words counterstrike against a Peruvian judiciary page shortly afterward.
While that little conflict was relatively benign (and kind of funny), other recent attacks show how deadly serious cyberwar can be. For example, a coterie of proficient, disciplined hackers—nicknamed “Titan Rain”—operating out of the Guangdong province in China managed to infiltrate the U.S. military’s IT systems at the Defense Information Systems Agency and Redstone Arsenal offices in just a couple of days, even taking the Army and Air Force’s flight-planning software. “They have been systematically breaking into U.S. Department of Defense and Department of Defense contractor sites,” said Alan Paller, director of research at the SANS Institute, which operates the security-focused Global Information Assurance Certification (GIAC) program. “They’ve also been breaking into British sites and British commercial organizations’ sites and other allies’ sites.”
Silence Isn’t Golden
Obviously, there are some clever hackers out there who have the most malicious of intentions. Stephen Northcutt, the president of the new SANS Technology Institute, related an account of an especially shrewd maneuver he witnessed while serving as the information warfare officer in the U.S. Ballistic Missile Defense program. “I saw a guy upgrading his Internet Explorer at the Missile Defense Agency,” he said. “My intrusion detection systems watched as his connection was forwarded to Russia. He was actually downloading code into a government system in Colorado from Russia, thinking all the time that he was upgrading his Internet Explorer. That’s the level of ability that our enemies have.”
Although the threat has been discussed to some degree in closed-door sessions in the White House and Congress, the main thrust of the defense strategy has been to not talk about it. This also has been the prevailing attitude among most business leaders. “The American strategy for the past couple of years has basically been to keep all of this secret,” Paller said. “The problem with keeping it secret is that it may make you feel good, but it doesn’t get anyone to defend things. If you’re going to ask people to make sure their systems are safe, you have to tell them how bad the problem is, or they’re not going to have the motivation. The people who benefit from keeping it secret are the attackers, not the defenders.”
The Cyberwar’s Foot Soldiers
Government organizations and businesses are starting to get more proactive in protecting their IT systems, breaking out of what Northcutt called their “culture of denial.” This means employing experts who can grasp the central threats and defenses within IT security, Paller said. “The people who defend the nation are going to have to be able to secure computers,” he said. “We’re talking about the people who are going to be responsible for protecting what is really our nation’s future. The President has said that the next generation of warfare is going to be fought in large measure in (cyberspace). He didn’t have any choice, because the Chinese have already written doctrine that says they’re going to fight the next war on an asymmetrical basis.”
IT security professionals will have to go far beyond their conventional skill sets and job tasks—and increase their level of professionalism—to rise to the challenge of cyber-warfare. “If you compare the average person in IT security to a CPA, lawyer or doctor, you’ll see there is a lot of stringency in getting to those positions that does not exist in our industry,” Northcutt said. “So many of the people who claim to be IT professionals don’t know how to do anything that actually affects security; they only know how to write policy. What’s going to be required is a holistic understanding of the technical capabilities—everything from perimeter defense and detection to hardening of operating systems to the leadership to make this work in the real world.”
Brian Summerfield is Web editor for Certification Magazine. Send him your favorite study tips and tech tricks at firstname.lastname@example.org.