37. Generally speaking, there are two types of cyber attacks: Distributed Denial of Service (DDoS) and malware attacks.
1. DDoS attacks
38. DDoS attacks aim to overwhelm a target by sending large quantities of network traffic to one machine. Attackers take over a number of other computers (botnets) and use them without the knowledge of their owners – for instance, in the Estonia attack, roughly one million computers were hijacked in 75 countries.58 The goal of DDoS is to prevent legitimate users from accessing information and services, such as the computer itself, email, websites and online accounts (banking, etc.). DDoS attacks are extremely difficult to deal with because they do not attempt to exploit vulnerabilities of a system. Vulnerabilities may be patched, but essentially one cannot do much to prevent DDoS attacks.59
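The paragraph above describes why a distributed flood is hard to handle: the traffic exploits no flaw, so there is nothing to patch, and because it arrives from many hijacked hosts, blocking individual sources does not help. The following added example (not from the report, and not from any NATO project) shows the distinction from a defender's monitoring point of view. It builds a constructed traffic log in memory, buckets requests per destination into fixed time windows, and labels each destination as normal, a single-source flood (where per-IP rate limiting works) or a distributed flood (where it does not). The log format, the IP addresses and the thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict


def make_sample_log():
    """Constructed traffic log (not real data). One line per request:
    '<unix_ts> <src_ip> <dst_ip> <bytes>'."""
    lines = []
    # Background: 20 legitimate clients, one request each, spread over ~60 s.
    for i in range(20):
        lines.append(f"{1000 + i * 3} 198.51.100.{i + 1} 192.0.2.10 800")
    # One noisy client hammering a second host: 120 requests in 5 s.
    for i in range(120):
        lines.append(f"{1000 + i // 24} 203.0.113.9 192.0.2.20 300")
    # A distributed flood on a third host: 300 hijacked hosts, 2 requests each, in 8 s.
    for i in range(300):
        for k in range(2):
            lines.append(f"{1000 + (i + k) % 8} 10.{i // 256}.{i % 256}.7 192.0.2.30 60")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return int(ts), src, dst, int(nbytes)


def classify_traffic(lines, window=10, rate_threshold=100, source_threshold=50):
    """Bucket requests per destination into fixed `window`-second slots and
    label every destination by its busiest slot:
      'normal'              - below the request-rate threshold
      'single-source flood' - above the threshold but from few sources
      'distributed flood'   - above the threshold and spread over many sources
    The thresholds are hypothetical; real values depend on the service."""
    per_window = defaultdict(list)  # (dst, slot index) -> list of source IPs
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        per_window[(dst, ts // window)].append(src)

    # Keep the worst (requests, distinct sources) pair seen for each destination.
    worst = {}
    for (dst, _), srcs in per_window.items():
        stats = (len(srcs), len(set(srcs)))
        if dst not in worst or stats > worst[dst]:
            worst[dst] = stats

    labels = {}
    for dst, (requests, sources) in worst.items():
        if requests < rate_threshold:
            labels[dst] = "normal"
        elif sources < source_threshold:
            labels[dst] = "single-source flood"
        else:
            labels[dst] = "distributed flood"
    return labels


if __name__ == "__main__":
    for dst, label in sorted(classify_traffic(make_sample_log()).items()):
        print(f"{dst}: {label}")
```

The single-source case can be absorbed by rate-limiting or blocking one address; the distributed case produces the same aggregate load with each source sending only a couple of requests, which is exactly why the report calls DDoS so hard to prevent and why defenders fall back on upstream filtering and capacity rather than patching.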
39. One of the first major attacks aimed at crippling a country’s critical infrastructure hit Estonia in May 2007. The e-government country experienced co-ordinated DDoS attacks on websites of the Estonian President and Parliament, almost all of its government ministries, political parties, major news organizations, two banks and several communication companies. The attacks came soon after Estonian authorities had relocated a Soviet war memorial in Tallinn – a step which spurred protests by ethnic Russians living in Estonia. The series of cyber attacks, which occurred weeks after the event, supposedly originated in Russia and were hosted by Russian state computer servers. Russia denied these allegations, but in March 2009, an activist with the pro-Kremlin youth group Nashi claimed responsibility for organising the cyber attacks on Estonia. It should be noted that Estonia is extremely dependent on the Internet. At the last parliamentary elections, ¼ of the voters cast their votes via the Internet.
40. Another significant DDoS attack was launched against Georgia in the summer of 2008. This is of note due to the fact that it was coupled with the use of conventional military force, something that a number of experts predict will occur more often in the future. Georgia blamed Russia for the attack only for Russia to deny any involvement.60 A year later, the combination of cyber and conventional force was supposedly also employed in the case of the bombing of the Syrian nuclear reactor, which was allegedly orchestrated by Israel.61
2. Malware attacks
41. Malware – or “malicious software” – attacks refer to techniques capable of infiltrating one’s computer without the user’s knowledge and taking control of it, collecting information, or deleting its files (see examples of malware in the Annex). Attack malware can reportedly be bought online for several hundred dollars or even downloaded for free.62
42. Malware-based cyber attacks are increasingly being used for espionage. In 2008, the United States experienced a major attack on the classified networks of US Central Command, which is in charge of overseeing military operations in the Middle East and Central Asia. Based on available information, the attack was carried out by a foreign intelligence service, which used portable data storage devices to spread malware. In 2009, the GhostNet cyber espionage study conducted by the Information Warfare Monitor concluded that 1,295 computers in 103 countries had been penetrated by GhostNet malware that allowed the surveillance and possible control of states’ critical cyber infrastructures. Worryingly, 30% of GhostNet’s targets were classified as high value.63
43. Espionage cyber attacks, however, can also be carried out against non-state actors such as private companies and think tanks. “Operation Aurora” carried out in late 2009/early 2010 is a case in point. Over several months, Chinese hackers managed to penetrate the networks of at least 34 financial, technological, and defence companies by exploiting flaws in e-mail attachments.64 One of the attack’s targets, the giant search engine Google, admitted that hackers had penetrated Gmail accounts of Chinese human rights advocates in the United States, Europe and China. A number of human rights organisations and Washington-based think tanks focusing on United States-China relations were also hit by the attacks. According to experts, the attack reached a new level of sophistication as hackers exploited multiple flaws of different software programmes – multiple types of malware codes were allegedly used against multiple targets and the whole process was very precisely co-ordinated. This series of attacks was aimed at gaining information about the latest defence weapons systems, source codes powering software applications of prominent technological companies, as well as gaining background about Chinese dissidents.65
3. Stuxnet
44. Stuxnet is technically malware, but its characteristics, originality and potential for disruption are so novel that it merits special attention. The Stuxnet worm has been described as “the most sophisticated cyber weapon ever deployed”66 and its widely-acknowledged role in damaging Iran’s Bushehr nuclear reactor and Natanz uranium enrichment plant has put Stuxnet firmly in the spotlight recently.67 Essentially, the worm is a direct-targeting cyber attack: it “sniffs” around its target’s operating system and only attacks if this system matches its targeting criteria, thereby making detection harder for other defences. Once it has acquired its target, Stuxnet deploys two extremely complicated programming payloads to “bomb” it. In the Iranian example, the first of these cyber bombs attacked the centrifuges in the nuclear plant, slowly “un-synching” them so that they collided with each other, causing serious damage. The second cyber bomb compromised the digital warning, display and shut-down systems controlling the centrifuges, thereby blinding these systems to the reality of what was happening.
45. This characteristic makes Stuxnet unique in that it specifically attacks and compromises the Supervisory Control and Data Acquisition (SCADA) systems of critical national infrastructures. Thus, the real danger of Stuxnet is that, although the Iranian example was a specifically targeted attack, the same method could be used to attack virtually any information technology system used in any critical infrastructure around the world. Stuxnet has therefore been described as a “cyber weapon of mass destruction”.68 Of particular note is that the vast majority of complicated information technology systems controlling critical national infrastructures that are potentially vulnerable to Stuxnet are located in NATO and NATO partner countries. Related to this, British Telecom has estimated that 65% of cyber attacks on critical infrastructures exploit pre-existing configuration errors in the controlling system’s software, highlighting the need for standardisation across the Alliance.69
NATO and Cyber defence
1. NATO’s cyber agenda
46. The cyber domain is often described as the “fifth battlespace”, representing both opportunity and risk for the military. In the context of the revolution in information and communication technology, the military institutions of major powers have been working relentlessly to interconnect commanders, soldiers, sensors and platforms in order to improve agility and achieve better situational awareness. Today, more than 1/5 of US defence and security acquisitions are in the cyber sector.70 “Network-centric capabilities” has become a buzzword in militaries, while new technologies enable commanders to make better-informed decisions and to reduce human losses by, for example, operating an unmanned aerial vehicle (UAV) over Afghanistan from a base in Nevada.
47. On the other hand, our armed forces are now faced with risks they have not experienced before, such as the incident reported by The Wall Street Journal in December 2009, when Iraqi insurgents managed to intercept feeds coming from American UAVs using inexpensive software that is available on the Internet.71 The Pentagon computer systems are probed up to six million times per day, according to US Cyber Command.
48. NATO’s increasing involvement in cyber security is therefore inevitable. As NATO Secretary General Anders Fogh Rasmussen put it: “[t]here simply can be no true security without cyber security”. The Alliance has included this issue on its agenda since 2002, when it approved a Cyber Defence Programme – “a comprehensive plan to improve the Alliance’s capability to defend against cyber attacks by improving NATO’s capabilities”. However, it was not until the 2007 attacks against Estonia that NATO embarked upon developing a comprehensive cyber defence policy that would include not only the protection of the Alliance’s own networks but would also augment the cyber security of individual member states. The Group of Experts’ Report (the “Albright report”) recommended that NATO accelerate its efforts to respond to the dangers of cyber attacks. It recommended focusing on protecting NATO’s communications and command systems, helping Allies to improve their ability to prevent and recover from attacks, and developing an array of cyber defence capabilities aimed at effective detection and deterrence.
49. At the Lisbon Summit, NATO member states committed the Organisation to developing a revised NATO Policy on Cyber Defence that was adopted by NATO Defence Ministers in June 2011, together with the Action Plan that sets out the details of implementing the Policy. The contents of the Policy remain classified, but, according to the official NATO press release, the Policy addresses all key aspects relating to the Alliance’s cyber security, including bringing all NATO structures under centralised protection, clarifying NATO’s response mechanisms to cyber attacks, integrating cyber defence into NATO’s Defence Planning Process, devising the framework of assisting national efforts of individual Allies, facilitating better information sharing and setting up principles of closer co-operation with non-NATO countries, international organisations and the private sector. This Policy will most likely require regular revisions and updating as the developments in the cyber domain are remarkably frequent.
50. At present, individual members continue to bear the principal responsibility for the security of their networks, while relevant NATO structures, apart from protecting their own networks and providing support for NATO operations, are expected to assist member states by sharing best practices and dispatching Rapid Reinforcement Teams in case of emergency. At present NATO cyber efforts are purely defensive in nature, and there is a particular focus on protecting member states’ critical national infrastructures.
51. Key NATO institutions in the area of cyber security include:
NATO Cyber Defence Management Authority (CDMA), which is responsible for co-ordinating cyber defence systems within NATO and providing advice to member states on all the main aspects of cyber defence. NATO CDMA operates under the auspices of the new Emerging Security Challenges Division in NATO HQ;
The Co-operative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, which was established in 2008, is responsible for research and training on cyber warfare;
The NATO Consultation, Control and Command (NC3) Board and NATO’s Consultation, Control and Command Agency (NC3A) control the technical aspects and operational requirements of NATO’s cyber defence capabilities;
The NATO Communication and Information Services Agency (NCSA), through its NCIRC (NATO Computer Incident Response Capability) Technical Centre, provides technical and operational cyber security services for NATO and its operations and is responsible for responding to any cyber aggression against the Alliance networks.
52. NATO conducts annual exercises aimed at enhancing the understanding of NATO’s cyber defence capabilities and identifying areas for improvement. This year’s exercise, Cyber Endeavor, was scheduled to take place from 5-22 September 2011 in Grafenwöhr, Germany.
53. A lot remains to be done, however. NATO’s principal cyber unit – NCIRC – is only partially operational and does not yet provide 24/7 security for all NATO networks. Full operational capability is expected to be achieved in 2012. NCIRC is also only engaged in passive defence, monitoring network activities and dealing with incidents.
54. With the NATO Policy on Cyber Defence being classified, discussion continues on how NATO should react to cyber attacks against one of its member states. In particular, questions arise as to the relevance and practicality of invoking Article 5 of the Washington Treaty in response to a cyber attack. The Washington Treaty refers specifically to “armed attacks”, but the New Strategic Concept is vaguer and the word “armed” is dropped in reference to collective defence. While this does not change the Washington Treaty, one can presume that the Alliance is more open to the idea of applying Article 5 if a cyber attack on member states were to cause significant casualties. However, questions still arise as to what response mechanisms the Alliance should employ against attackers. Should the retaliation be limited to cyber means only, or should conventional military strikes also be considered? Furthermore, the Alliance must decide to what extent it can engage in co-operation on sensitive cyber issues with partner countries, such as Russia.
2. National policies of member states
55. As noted above, member nations bear the principal share of responsibility for their cyber security. Before the 2007 attacks against Estonia, most European nations were developing national strategies to promote Information Society focusing on economic and cultural benefits offered by new communication and computing technologies, largely neglecting possible risks. Since 2007, the need for a more balanced approach has been increasingly acknowledged.72
56. The 2010 UK House of Lords report on cyber security noted wide differences between various European countries in terms of preparedness to meet cyber threats. Since in the cyber domain the system is as strong as the weakest link, the report stated that the European countries “have an interest in bringing the defences of the lowest up to those of the highest”.73 The exact level of preparedness is difficult to measure, however, due to a lack of full understanding of the complexity of the cyber domain.
57. The highest level of preparedness in the Alliance is in the United States and the United Kingdom. The United States feels more threatened by cyber attacks than any other nation due to its highly pervasive use of information and communication technology as well as to its status as a superpower. President Obama identified cyber security as a strategic priority. From 2010 to 2015, the US government is expected to spend over US$50 billion on its cyber defences.74 The Departments of Defense and Homeland Security share the responsibility for the security of American government networks and implement this mandate through several agencies such as the National Security Agency and US Cyber Command (inaugurated in 2010 and specifically tasked to protect US military networks). In terms of legislation, three separate Acts streamlined executive responses to cyber warfare on critical national energy infrastructures, while another Act co-ordinated wider cyber security efforts, including those against financial institutions and industry.75 In July 2011, the Pentagon released its new Cyber Strategy (known as “Cyber 3.0”). The document considers cyberspace as an operational domain and focuses on “active defence”, i.e. strengthening traditional network protection measures with other capabilities such as signals intelligence. It is not clear, however, if the document empowers cyber defence institutions to go after an attacker. The new Strategy also emphasises closer inter-institutional, international as well as public-private co-operation.76 The Strategy, focusing on defensive measures, has also proved false the allegations that the United States was considering militarising cyberspace and prioritising development of offensive cyber weapons.
58. The UK’s leading cyber agency is the Government Communications Headquarters (GCHQ). Cyber security occupies a central place in the National Security Strategy and the Strategic Security and Defence Review published in October 2010. Experts note that the “review contains all the early signs of a well-balanced and (now) better-funded approach to UK cyber security.”77 The UK Computer Misuse Act is also hailed as “a robust and flexible piece of legislation in terms of dealing with cybercrime”.78
59. That said, even in the United States and UK there are still important questions that need to be addressed. In particular, experts note the insufficient degree of co-operation between the government agencies and the private sector, which owns most of the information capabilities and infrastructure – more than 90% of American military and intelligence communications travel through privately-owned telecommunications networks.79 However, private entities are reluctant to allow greater government involvement and monitoring. The UK House of Lords report noted that representatives of the commercial United Kingdom Internet industry showed little interest in giving evidence for this report. Many experts stress that private industry makes its decisions on cyber security measures based on financial rather than national security calculations.
60. While the United States and the UK tend to lead on these matters, other NATO members have also updated their existing legal frameworks and made cyber security increasingly prominent in their security strategies. In particular, significant progress has been achieved in establishing Computer Emergency Response Teams (CERTs). A CERT is an organisation that studies computer and network security in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and to offer other information to help improve computer and network security. The 2010 House of Lords report identified the lack of CERTs in some European countries as a major concern. However, in 2011 the situation seems much better. According to the register of the European Network and Information Security Agency (ENISA), CERTs were established in all European NATO countries. Furthermore, the establishment of more advanced Computer Security and Incident Response Teams (CSIRTs) is being promoted. CSIRTs are CERTs that have extended their services from being a mere reaction force to a more complete security service provider, including preventive services like alerting and security management services.80
61. However, there is no basis for complacency. The establishment of new institutions must be followed by a more intensive schedule of joint exercises. The legislative basis must also be further reviewed and updated to take into account the new realities of the cyber domain. According to NATO Deputy Assistant Secretary General Jamie Shea, legislative frameworks in many NATO countries are lagging behind the realities of the cyber domain.81 At the meeting with NATO Parliamentarians in The Hague on 19 April 2011, NATO C3 Agency General Manager Georges D’hollander said that not all NATO member states have adopted legislation that would make it mandatory for the private sector to protect their data and their networks. For instance, it should be mandatory to install safeguards that would prevent computers or networks being hijacked and used as ‘botnets’. NATO C3 Agency’s Principal Scientist Brian Christiansen also suggested that all NATO nations should employ the so-called “red teams” that use hackers’ methods to probe security levels of various national networks (without malign intentions, of course).
62. The less advanced NATO nations must realise that in the cyber domain there cannot be a free ride. One study notes that nations that do not have adequate legislative and institutional framework to protect their cyber assets are less likely to receive assistance from the international community because “in a rapid reaction situation, existing procedures better support effective interaction (…) because there is a certain amount of ‘homework’ that can only be performed by the victim.”82