Read our related editorial: The toaster did it
CYBER-ATTACKS on a nation's military and commercial computers have grown a lot more sophisticated since the days of the lone hacker targeting a system's defences just for the thrill of it.
Nowadays, electronic attacks are increasingly seen as a cheap and easy way for one nation to attack another. "It's the ultimate bargain hunter's way of destroying everyone's way of life," says Glenn Zimmerman, a cyberspace specialist at the Pentagon. "It may even be free."
So worried are governments by the prospect of an all-out cyber-attack that last month UN secretary-general Ban Ki-moon revealed that cyber-weapons are to be added to the list of arms falling under the remit of the UN's Advisory Board on Disarmament Matters, which develops policy on weapons of mass destruction. Ban said recent breaches of critical systems represent "a clear and present threat to international security", since the public and private sectors have grown increasingly dependent on electronic information.
But despite the threat, current NATO war games tend to treat cyber-attack simulations as an afterthought, according to military sources. Now the Pentagon is hoping to change that by developing a centre at which the military can play realistic electronic war games.
Called the National Cyber Range, the centre will mimic not only the hardware that might be used to inflict cyber-attacks, but also the likely behaviours of the people behind the attacks. The centre, being developed by the Defense Advanced Research Projects Agency (DARPA), is part of the US government's Comprehensive National Cybersecurity Initiative, launched last year.
Until now, cyber-attacks have been relatively limited in scope. In 2006, for instance, Russian hackers, angered by the removal of a Soviet war memorial, launched a sustained denial of service attack on government and business websites in former soviet state of Estonia. In 2007, Chinese hackers attacked US and UK government websites, knocking them temporarily offline, and in 2008 Georgia suffered massive internet outages alongside its military battle with Russia. In January, Kyrgyzstan became the latest victim when its two largest internet service providers were targeted by a denial of service attack from hackers in Russia.
As if such attacks weren't worrying enough, military and private sector security experts attending a recent Cyber Warfare conference in London claimed attacks can only get worse because our electronic infrastructure is so poorly defended. What's more, computer scientists do not yet know how to defend critical systems against attacks, says Amit Yoran of NetWitness, an electronic security company based in Herndon, Virginia. "We are largely blind and ignorant of how to protect ourselves against cyber-attacks," he told delegates. "Advanced threats continue to evade deployed solutions."
With this in mind DARPA is ploughing $30 million into developing its testing range for cyber-warfare countermeasures, or "cyber sidearms" as it refers to them. The facility will allow teams to engage in lengthy fights in cyberspace using faithful replications of the US military's global satellite, wireless and landline networks. Many of the range's functions are classified, but DARPA says it wants it to have a sophisticated "nation-state quality" enemy team against which to test its countermeasures.
Heli Tiirmaa-Klaar, an adviser to the Estonian ministry of defence, says that because a cyber-attack can destabilise a country without sending forces across a border, it is a likely first strike tactic. Russia did just that in the Georgian conflict last summer. DARPA shouldn't expect that such attackers will use easily fought viruses, says Yoran. "They have fantastic engineering resources and can develop customised and very powerful ones."
One likely target, says Julian Charvat, a cyber-terrorism analyst with NATO in Ankara, Turkey, is the control systems for power stations, chemical plants and water utilities. These Supervisory, Control and Data Acquisition systems (SCADAs) often lack adequate cyber-defences.
Another risk comes from the fact that western microchip firms have outsourced manufacture to Asia, where saboteurs could design hardware-based viruses into chips. "Our semiconductor devices now need authenticating," says Zimmerman. That could have a strange corollary: because the internet is to acquire many billions more IP addresses, machines will get internet addresses - leading to fears that rogue chips within, say, fridges, TV sets and cars could launch cyber-attacks.
Ultimately, the best hope lies in organisations like DARPA developing early warning systems for cyber-attacks, says Charles Williamson, a US air force cyberspace analyst at Ramstein Air Force Base in Germany. Convincing military leaders of the urgent need for such a system may not be easy, he admits. "Our biggest threat is senior leaders who think the computer is technologically equivalent to a toaster."
Read our related editorial: The toaster did it
A cyberterror attack or a fat pipe foul-up?
One Wednesday afternoon in the summer of 2006, the Pentagon lost most of its telecommunications links to the north and central US. Its analysts were frantically scrambling to find the cause of this outage when, 15 minutes later, they also lost all connection with the southern central US, too.
"We thought it was a terrorist attack," says Glenn Zimmerman of the Pentagon's cyberspace task force. Thankfully, it proved to be an accidental outage: a construction crew in Kansas City, Missouri, had dug up a bundle of fibre-optic cables with an earth mover, tearing apart 150 interstate "fat pipes" - and all the fibre they used for back-ups. By coincidence an unrelated construction crew in Oklahoma City then achieved a similar feat, breaking 400 more fat pipes. "Together, they obliterated communications for 36 hours," says Zimmerman.
A "Schmitt analysis" had determined that it was probably not a cyber-attack. Developed by Michael Schmitt, a military law expert at the European Centre for Security Studies in Garmisch, Germany, it assesses parameters like severity, duration, impact and invasiveness of any possible online onslaught.
But even if a Schmitt analysis says an attack warrants a response, the way cyber-attacks can be routed via proxies and botnets muddies the issue considerably, says Charles Williamson of the US air force in Europe. "If Hamas hijacked a server in the US to attack Israel, could Israel hit the US server?" Unfortunately, there is no cut-and-dried answer in international law, he says.
- Subscribe to New Scientist and you'll get:
- 51 issues of New Scientist magazine
- Unlimited access to all New Scientist online content -
a benefit only available to subscribers - Great savings from the normal price
- Subscribe now!
If you would like to reuse any content from New Scientist, either in print or online, please contact the syndication department first for permission. New Scientist does not own rights to photos, but there are a variety of licensing options available for use of articles and graphics we own the copyright to.
Have your say
Internet Security
Mon Mar 16 11:21:18 GMT 2009 by Eric Gysberts
The report on the vulnerability of the Intenet, etc, actualy is good news for humanity.
There have been many voices raised suggesting some form of censorship, however the exponential growth of the internet as a form of universal communication is the one safeguard, as a matter of fact the strongest defense for freedom of expression.
This is particularly relevant in the light of the recent UN Report on the ownership of news media falling into the hands of just a few corporations.
If this situation does not change, -- major Newspaper and TV presentation of so-called news will be become increasingly irrelevant and people will seek and get news on issues that can effect the societies they live in from Web-Based Information Centres which by the nature competition will vie for suscribers by giving information as factual and honest as posible.
It is important for every thinking man and woman with access to the internet to spread the message set out above.
Never before in history has there been a system available to every educated person to communicate with so many others over the whole world unencumbered by language or borders. This comment will be read literally by millions
Internet Security
Mon Mar 16 12:08:45 GMT 2009 by Chris Palmer
Eric, I may well be (literally) one of millions to read your comment but I will not read your comments too literally.
I agree with your general premise that the internet has the potential to be a force for good; empowering ordinary educated people with knowledge to counter the misrepresentation arising from large media corporations with their vested interests.
However, in actuality cyberspace is no different to any other media of mass communication; it can harnessed for the promotion of mis-information just as readily as for well founded truth.
Aside from that the structure of the internet does seem somewhat vulnerable. The more nations become dependent upon the internet for the execution of everyday affairs the more likely it is that an aggressor would seek to disrupt those affairs by disrupting the internet within that nation. I cannot see a great difference between that and Hitlers' attempts to disrupt the UKs north Atlantic supply routes in WW2.
I agree wholeheartedly that freedom of expression is a laudable goal. However, I am not assured that the internet necessarily facilitates freedom of opinion for the majority of people who would benefit most. Many people are vulnerable and easily led irrespective of the arena and/or vehicle.
Internet Security
Tue Mar 17 03:20:40 GMT 2009 by Blind Pilot
Oh noes! The Chinese have joined forces with the Russian to launch a cyber attack against my powerstation! They're hacking, break the 1st fire wall, the 2nd fire wall! They're at the gates!!!
/unplugs computer from the network
World War 3 averted.
Really people, do you think and powerplant/chemical refinery/water station can survive for a few hours without checking it's email?
Unlike mututally assured destruction, if the superpowers all decided to push their "cyber buttons" at once, the entire world will continue to tick until they decide the whole thing was silly and unpush the button.
Maybe investing some time in solving non-cyber cholera in Zimbabwe or non-cyber illiteratcy in the US might be a wiser investment...
Internet Security
Tue Mar 17 21:10:58 GMT 2009 by HAL
(re: Oh noes!) Such facilities often operate with autonomous control systems that, once disrupted, could spell disaster for the facility and/or result in the loss of human lives (imagine a reaction isn't quenched due to the failure of emergency systems). In light of this, your opinion is not only ignorant, it belittles the importance that electronic infrastructure will have in the future. Precautions need to be taken today to assure that the integrity of electronic infrastructure is maintained.
Admittedly, the security and integrity of electronic infrastructure is just one problem facing the modern world. As you pointed out, there are many other issues that need to be addressed. I don't think anyone is losing sight of that. In fact, $30M strikes me as a relatively small amount of funds to direct towards defending against such a viable and cost-effective instrument of modern warfare (re: cyber-attack)
No More Facebook?
Mon Mar 16 15:09:32 GMT 2009 by Dimitris
I can imagine how tragic it must have been for both the Estonian public sector employees and the Georgian military commanders to be left with no access to Facebook during those nasty cyber attacks. And because some guy in Talinn could not speak on MSN with his girlfriend, we will have to pay through our noses to "fortify" networks like that? Or are we to understand that the Georgian military chain of command operates through emails on open networks?
And how exactly is my fridge an undercover foreign hacker? Is it going to tell my microwave to overcook my lunch?
No More Facebook?
Mon Mar 16 23:21:41 GMT 2009 by thret
Well, maybe you don't work online. Trust me, there are a lot of people losing a lot of money whenever the internet goes down.
Also, this article sounds like the basis of a movie. It has been a while since we had a good hacker flick
No More Facebook?
Wed Mar 18 02:20:41 GMT 2009 by Lachy
A lot of business is done online; think eBay, stock market, etc as well as communications as you mentioned above. Even things like cable TV and mobile phone networks can be affected by outages.
What your fridge will probably do is act as a spawning point, since as you pointed out there is little it really can do (freeze or dethaw all your food maybe?). Basically the computer chips inside it, if connected to the net as the article hints at, can act sort of like an infected email host pumping out copies of the virus (or once the main attack is over, be an enclave where the virus sits until someone accidentally activates it).
The Information Paradox
Tue Mar 17 11:39:11 GMT 2009 by Chris Palmer
.. and is it not somewhat paradoxical given the lengths we go to avoid beginning a conversation with a stranger in our densely populated urban environments; when passing in the street, riding on public transport and even at public events, for example, that we go to such lengths to make friends or exchange our opinions in a virtual network devoid of all the other pleasantries of actual human contact?
The collective pool of human knowledge has its' origins many hundreds of thousands of years ago swapping stories around a campfire. Myth and legend contributed to understanding just as did genuine knowledge of the habitat. Despite the advancement of the collective pool of human knowledge to the present day there is still much myth and legend which exists within that. Some is deliberate mis-information. Some is bad application of science which becomes embedded in mainstream acceptance. Much of it arises because we think we think we are so smart and overlook common sense from the past.
Rather than being liberated by the information age we are enslaved by it. You logged back in to see what others thought of your comments, didn't you?
Sure, we are granted a vehicle for the expression of views but not necessarily for the exchange of opinions.
And do not believe that you have complete freedom of expression. In a recent email to corporate email address I used the words "deep penetration" in an entirely innocent and legitimate context and joked, "would that pass the spam filters?"
Be sure of this, include certain "trigger words" in your email or web comments and your words will come to the attention of security forces of powerful nations.
In the information age it strikes me as ironic that it is so difficult to swap a good story ....
All comments should respect the New Scientist House Rules. If you think a particular comment breaks these rules then please use the "Report" link in that comment to report it to us.
If you are having a technical problem posting a comment, please contact technical support.
PRINT
SEND
