2010-10-25 - The Computer Laboratory

advertisement
Understanding Cyberattack as an
Instrument of U.S./National Policy
Herb Lin
Computer Science and Telecommunications Board
National Academies
25 October 2010
Project supported by the MacArthur Foundation, Microsoft,
and the National Research Council
1
Committee and report
Military
WILLIAM A. OWENS, co-chair (USN Retired, fmr VCJCS)
CARL G. O’BERRY, The Boeing Company (USAF Ret)
WILLIAM O. STUDEMAN, USN Retired (fmr NSA Director)
Foreign Relations and Diplomacy
KENNETH W. DAM, co-chair, University of Chicago
SARAH SEWALL, Harvard University
Information technology
THOMAS A. BERSON, Anagram Laboratories
DAVID D. CLARK, MIT
RICHARD L. GARWIN, IBM Fellow Emeritus (technology)
JEROME H. SALTZER, MIT, (retired)
MARK SEIDEN, MSB Associates
International and National Security Law
JACK L. GOLDSMITH, Harvard Law School
GERHARD CASPER, Stanford University
WALTER B. SLOCOMBE, Caplin and Drysdale
MICHAEL A. VATIS, Steptoe & Johnson LLP
Available free on Internet in PDF – last
slide will have details
2
On classification
• Study is entirely unclassified.
• To our knowledge, first comprehensive
integrated treatment of cyberattack from a
policy perspective to examine technical,
legal, ethical issues.
• Useful to know for policy makers to know
what is knowable on an unclassified basis.
3
The broad context
•
Nations are increasingly dependent on information technology, and thus
important IT functionality must be protected.
•
Cybersecurity: measures taken to protect or preserve a computer system or
network and the information it holds.
– Defensive cybersecurity (reports, legislation, op-eds…)
• Passive defenses
– Anti-virus and intrusion detection software
– Better password security
– Greater attack resistance in software
• More robust law enforcement mechanisms
– e.g., Convention on Cybercrime
– Offensive cybersecurity (a generally classified subject)
• Offensive operations can be used for defensive purposes.
•
Cyber conflict and cyber security have both defensive and offensive
dimensions, and comprehensive approaches require understanding both.
4
Basic taxonomy for
offensive cyber operations
• Cyberattack: action to destroy, degrade, disrupt adversary IT or
information therein
• Cyberexploitation: action to (very quietly) obtain information from
adversary IT
• Technical operations
– remote (e.g., DOS, virus, worm)
– close-access (e.g., USB key, sofware swap during shipment, compromised chip
in manufacturing supply chain)
• Social engineering operations
– Tricking, bribing, blackmailing, extorting someone to take action
• Technical and social operations are often combined
• Cyberattack and cyberexploitation are technically very similar, hard
for adversary to distinguish. (Also hard for news media to
distinguish.)
5
Key characteristics

Offensive operations can be conducted with plausible deniability

Offensive technology is relatively inexpensive, widely available, and easy to obtain.

A resource-poor attacker may have significant leverage, by

The indirect effects of cyberatacks are almost always more consequential than the
direct effects of the attack  must judge cyberattacks by total effect, and “indirect”
does not mean “not primary”
 But remember that adversaries make mistakes too, and all-source intelligence helps
 Many nonstate actors (companies, patriotic hackers, terrorists) can have influence and
may be able to cause some of the same kinds of effects as state actors.
 using automation to reduce personnel needed and increase tempo.
 stealing computing and financial resources;
 Effects can span an enormous range; cyberattack is a methodology, not a specific
weapon per se.
 A cyberattack is NOT of lesser consequence because it targets “only” a computer.

Effects may be significantly delayed in time from moment of insertion.
6
Operational considerations and realities
• Cyber operations can be selective or non-selective in targeting.
– Selectivity implies long lead time, complex intelligence requirements,
specialized skills, higher cost
•
Cyber operations (especially attacks) can be very complex to plan and
execute.
– Large range of options than most traditional military operations
– Analysis of (many) outcome paths may require specialized knowledge
(Stuxnet).
– Time and spatial scales can span many orders of magnitude
•
A cyberattack may be
– Usable only once or a few times
– Limited temporally in effect and/or limited in scope (if highly targeted)
– Technically fast but operationally slow; hence most suitable in non-timeurgent operational scenarios (e.g., early use); “speed of light” vs “speed
of law/thought/analysis”
7
Operational … (continued)
•
Target identification
–
–
•
Plan operation
–
–
–
•
May take place some time distant from obtaining access/vulnerability; defenses/configuration
may have changed
Perform assessment (distinguish between real success and faked success)
–
–

Gain access in advance (prepare the battlefield), determine vulnerability
Specify payload (identify effects sought)
Limit collateral damage (must know what is connected; cascading effects hard to predict)
Execute operation
–
•
Translating IP address, processor serial number, configuration, keyboard language into
target identification
Often a manual process
If exploitation, misinformation may be returned
If attack, target may only appear to shut down
Many answers depend on detailed intelligence information on targets, and thus
success of a cyber operation is highly contingent.
8
Possible connections of offensive cyber
operations for defensive purposes
• Before adversary attack
– Early warning of attack means living inside adversary network
– May need to pre-empt offensive cyber action about to be
undertaken by adversary
• During adversary attack
– May need to disrupt a cyberattack in progress by disabling
attacking computers
• After adversary attack
– Need for conducting forensic investigation that may require
multiple intrusions into proximate and intermediate nodes.
– Retaliation a possibility to discourage further attacks.
• And what of non-defensive purposes?
9
Illustrative non-defensive applications of
offensive cyber operations
•
Traditional military operations
– Suppression of adversary air defenses.
– Disruption of adversary plans for military deployment.
– Disruption of adversary critical infrastructure (e.g., power grids)
•
Covert action
– Influencing the outcome of a foreign election using electronic voting machines.
– Altering electronic medical records of adversary military leaders.
– Disruption of adversary infrastructure for censorship.
•
Cyberexploitation
– Exploration of adversary command and control networks to determine command
arrangements, orders of battle
– Probes of adversary military networks in preparation for later attack.
– Exfiltration of negotiating positions, political plans, commercial information.
10
U.S. policy today
National security
Law enforcement
Private sector
11
(parts of) DOD policy
•
DOD seeks superiority in the cyber domain--the state in which U.S. and
friendly forces have complete freedom of action in the domain and
adversary forces have no freedom of action.
– Revised in recent testimony by Keith Alexander, who questioned US ability for
the latter
– NRC report concludes that enduring unilateral dominance in cyberspace is
neither realistic nor achievable by the United States.
•
DOD implied declaratory policy on cyberattack:
– Cyberattack is just like any other weapon in the DOD arsenal except for
operational considerations.
– Cyberattack is better suited for early use, when there is time to collect
intelligence
•
•
DOD has publicly announced policy re cyberattack in the case of active
defense
USAF seeking capabilities for automated cyberattacks conducted for
defensive purposes.
12
Intelligence on cyberexploitation
and covert action
•
•
•
Intelligence collection (including cyberexploitation) undertaken to further
the interests of the United States outside CONUS – unlimited except if
US persons involved. Not a violation of international law.
Intelligence collection on behalf of specific US companies – not
undertaken as a matter of US policy (not true for some other nations,
e.g., France)
Covert action – regulated by US statute: “activities of the U.S.
government to influence political, economic, or military conditions
abroad, where it is intended that the role of the U.S. government
will not be apparent or acknowledged publicly.” Must be authorized
by findings of the President, and reported to appropriate individuals in
the U.S. Congress. Note alignment of plausible deniability requirement
and technical characteristics of cyberattack.
One reported example- US against USSR in 1982.
13
One public story regarding alleged US
cyberattack on the Soviet Union
•
Soviet Union actively sought to obtain Western technology (including
pipeline control software). US discovered the list of sought-after
technologies.
•
In 1982, the U.S. spiked software that was subsequently obtained by the
Soviet Union. The software was “programmed to go haywire, [and] after a
decent interval, to reset pump speeds and valve settings to produce
pressures far beyond those acceptable to pipeline joints and welds.”
•
The result -- a large explosion in a Siberian natural gas pipeline (visible from
space, looked like a 3 kiloton nuclear blast)
•
Beyond the immediate effect, “the Soviets came to understand [over time]
that they had been stealing bogus technology, but now what were they to
do? By implication, every cell of the Soviet leviathan might be infected. They
had no way of knowing which equipment was sound, which was bogus. All
was suspect, which was the intended endgame for the entire operation.“
•
Source: Thomas Reed, At the Abyss: An Insider's History of the Cold War, Ballantine Books, New York, NY, 2004
14
Law enforcement and private
sector action
• Law enforcement
– Cyberexploitation governed under various statutes re
wiretapping, access to stored information etc.
– Cyberattack limited, but not forbidden (e.g., jamming
of cell phones to protect President)
– Law enforcement authorities exempt from Computer
Fraud and Abuse Act (CFAA).
• Private sector
– Governed by CFAA, and prohibits private action
– Self-defense justification never attempted
15
On cyberdeterrence
16
The why and how of deterrence
• How can we persuade adversaries to refrain
from launching damaging cyberattacks?
• Deterrence seems like the obvious inevitable
choice in an offense-dominant world.
– Passive defense is inadequate and eventually will fail;
– Law enforcement actions are too slow and uncertain
in outcome.
• Deterrence of nuclear threats in the Cold War
establishes the paradigm – largely successful.
Based on a credible threat to:
1. Deny the attacker the benefits of an attack
2. Punish the attacker by imposing unacceptable costs
17
Deterrence (in classical form) …
•
Denial (#1) is too hard, hence punishment (#2) is a more appealing strategy.
•
Threat of punishment requires:
– Attribution of attack to adversary
• what system, which actor?
• Cyberattack does not require skills that are limited to small set of
adversaries
– Knowing that an attack has happened
• Noisy background
• Ambiguous effect (exploitation? Delayed effect?)
• Difficulty of correlating information across multiple affected sites
• Slow forensics
– Credibility
• Nations conduct many highly visible military training exercises in part to
demonstrate capabilities to potential adversaries. How should nations
demonstrate (secret) cyber capabilities?
•
Bottom line on cyberdeterrence – uncertainty about how traditional concepts of
deterrence (i.e., #2) apply to cyberspace. Thus, denial has greater appeal (cf., recent
Lynn Foreign Affairs article)
18
On escalation and termination
• Deterring escalation is just as important (perhaps more
so) as deterring onset of conflict.
• Unintended escalation particularly dangerous when
– operational actions are less visible to senior decision makers
– outcomes of actions are more uncertain (e.g., cascading effects)
• How can cyberconflict be terminated?
– Noisy background of criminal and hacker (and perhaps 3rd
nation) cyberattacks
– Requirements for “termination” – how to de-mine?
– How to suppress patriotic hackers?
19
International law and offensive
cyber operations
20
Jus ad Bellem
(conditions for engaging in conflict)
• UN Charter prohibits “threat or use of force against the
territorial integrity or political independence of any state”
(Art. 2(4))
– “Force” not defined. By practice, it
• includes conventional weapon attacks that damage persons
or property
• excludes economic or political acts (e.g. sanctions) that
damage persons or property
• UN Charter Art. 51 - “Nothing in the present Charter shall
impair the inherent right of individual or collective selfdefence if an armed attack occurs against a Member of
the United Nations..”
– “Armed attack” not defined, even for kinetic force.
21
When is a cyberattack a “use of force”
or an “armed attack”?
•
Easier:
– Exploitation w/o damage or degradation (no); cyberattack that causes physical
damage akin to kinetic attack (yes); use of cyberattack during acknowledged
armed conflict (not covered by Art. 2(4) but subject to LOAC jus in bello).
•
Harder:
–
–
–
–
Economic damage without physical damage
Temporary, reversible interference with computer system
“Mere” data destruction or degradation
Introduction of Trojan horse software agents
• Payload with exploitation and attack capabilities? (cf. human spy skilled in sabotage?)
• Payload to accept a future upgrade with unknown capabilities?
• Destructive payload with delayed action capability? (cf., pre-planted remotely
detonatable mine)
• Empty payload – a shell that can be remotely upgraded in the future
•
Cyberattack that has effects comparable to a kinetic armed attack is also an
armed attack, but few good analogies to past kinetic precedents.
22
When is a cyberattack a “use of force”
or “an armed attack”?
• Answers matter to attacked party, because they
influence when and under what authority law
enforcement (vis a vis military) takes the lead in
responding, and what rights the victim might
have in responding.
• Answers matter to attacking party, because
they set a threshold that policy makers may not
wish to cross in taking assertive/aggressive
actions to further its interests.
23
Some hard scenarios under the UN charter
•
Economic damage without physical damage
–
•
Political interference without physical damage
–
•
•
•
Use of a third nation’s routers to carry a cyberattack?
Ambiguities between legal exploitation and illegal attack?
–
•
•
•
Corruption of database responsible for military logistics scheduling?
Violations of neutrality in cyberspace?
–
•
DOS attack?
“Mere” data destruction or degradation
–
•
Hacking electronic voting machines?
Temporary, reversible interference with military/critical infrastructure systems
–
•
Raiding a national treasury?
Introduction of agent for exploitation with remotely upgradeable capabilities?
Attacks on dual-use infrastructure?
Requirements for separation of military and civilian infrastructure?
Inherently clandestine and deception-based attacks? (perhaps analogous to
submarine warfare in 1914?)
National responsibility for non-state actors?
Time delay between insertion and use for attack?
24
Jus in Bello (behavior during conflict)
• Principle of Non-Perfidy
– Cannot pretend to be legally protected entity
• Principle of Proportionality
– Collateral damage on civilian targets acceptable if
not disproportionate to the military advantage gained.
• Principle of Distinction
– Military operations only against “military objectives”
and not against civilian targets
25
Non-perfidy
• Requirement for identification of USG cyberattacks?
– USAF insignia on airplanes and cruise missiles.
– Military personnel in distinctive uniforms.
– Trojan horses with distinctive identifiers “This agent is a bona fide
weapon of the US government”?
– Public infrastructure so that any victim can verify the authenticity of such
an identifier?
• Requirement for identifying military and civilian targets in
cyberspace?
– Nations have obligations to enable identification of military assets
(distinctive vehicles with insignias) and are entitled to identify entities
legally immune to attack (Red Cross on ambulances, white flags).
– What must be done to identify military computers/networks? IT assets
of hospitals and religious institutions? Who will verify the latter?
(International Red Cross?)
26
Proportionality: uncertainty regarding
outcome of a cyberattack
• Outcomes often more uncertain than for
attacking physical targets
– Indirect, cascading effects
– Collateral damage difficult to calculate
• No empirical or theoretical basis on which to estimate
collateral damage (no cyber “blast radius”)
– Uncertainty amplified by need to gather intelligence
promptly in many tactical situations
• Experience in Balkans suggests long lead times
for decisions on using cyber operations, due in
part to JAG review
27
Distinction: Legitimacy of attacks that disable
computer-dependent civilian services
• Military communications often take place over
the Internet; military forces dependend to some
extent on commercial power grid. Are the
national infrastructure for Internet (e.g., routers)
and power grid valid military targets?
• To what extent are computer-dependent civilian
services or communications “essential” to life in
a modern society? Does disruption in these
services rise to the level of causing death and
destruction?
28
Arms Control Regimes for
Cyberattack?
29
Why might regimes be desirable?
• Reduce likelihood of conflict, damage if conflict
occurs.
• Allies significantly more dependent on IT, thus
restrictions on cyberattack asymmetrically
benefit Allies
• Delegitimize cyberattack as a military weapon
and discourage other nations to develop such
capabilities for use against Allied interests.
30
Reasons for skepticism?
• Other nations will develop cyberattack
capabilities under any circumstances. (Some
see cyberattack as an ideal instrument of
asymmetrical warfare.)
• Verification of limiting capabilities essentially
impossible.
– Can’t restrict code, expertise/knowledge, underlying
technology
– Infrastructure needed to conduct attacks is small,
easily hidden.
31
Restrictions on use of cyberattack?
•
Refrain from striking at national financial systems or power grids (similar to
“no kinetic attack on hospitals” or “no blinding lasers”)
•
May require cooperative measures (e.g., electronic identification of
permitted and/or prohibited targets)
•
Attackers can violate such agreements (just as a kinetic attacker can target
ambulances or fire mortars from sanctuaries), and compliance in wartime is
not assured.
•
However, such agreements:
–
–
–
–
Help to create international norms regarding the acceptability of such behavior.
Inhibit training that calls for violation.
May be enforced to some degree through threat of reciprocal use.
Probably most useful prior to the onset of conflict, because a signatory would
have incentives to comply to avoid unwanted escalation.
32
Many complicating factors
• Living with any regime we claim to want – must be reciprocal.
• Routine cyberexploitation during crisis might be escalatory;
refraining from cyberexploitation during crisis may deprive NCA of
valuable tactiacl information (e.g., early warning).
• Difficulty of technical attribution makes proving a violation hard.
• Non-state attackers (patriotic hackers, terrorists)
• Widespread diffusion of relevant technology and expertise
• Private sector ownership/operation of cyberspace
– May require high degree of intrusiveness on the behavior of individuals
and of the private sector.
– Possible national responsibility for private sector actions
33
Collateral agreements/understandings
may be helpful
• Examples from non-cyber world
– Advance notification of ballistic missile launches
– Measures to prevent dangerous incidents at sea
– Hotlines to promote communication during crisis
• Possible collateral agreements for cyber
– Agreements to cooperate promptly in investigation of
cyberattacks from home territory
– Agreements on sufficiency of evidence to presume
attribution
34
Private Sector Equities
35
Google and China
•
Google raised two issues (“Operation Aurora”)
–
–
•
China held responsible by Google for these actions.
–
–
–
–
–
•
•
Attempts to compromise email accounts of Chinese human rights activists
Penetrations of 34 companies (mostly in Silicon Valley) to obtain corporate data and software
source code.
Targeted attack against specific individuals, using previously unknown vulnerability in Internet
Explorer that allows remote code execution.
Google undertook its own forensic investigation, gaining access to a computer in Taiwan and
monitoring its operations to identify penetration targets.
Attribution to China made largely on the basis of attack’s technical sophistication and breadth
and the targets of the cyber operations.
Some reports indicate that malware used in latter penetration employed an algorithm
contained in a technical report published only on Chinese-language Web sites.
Non-circumstantial evidence is scarce—highlights difference between technical attribution
and political decision to hold a nation accountable based on all sources of information.
Subsequent Google action to un-censor its China search engine
Some actions traced to elite Chinese IT schools
–
Many possible/plausible explanations (gov’t sanctioned activity, overly enthusiastic students,
contest, final exam)
36
Some questions raised by
Google/China engagement
•
Google action to uncensor its search engines - retaliation for Chinese
actions?
•
How and to what extent, if any, should private entities be allowed to shoot
back? Does private shoot-back increase or decrease likelihood that a
private entity will be attacked?
•
How and to what extent, if any, should private entities be allowed to conduct
their own foresnic investigations (which may involve some degree of hackback)?
•
Private actors in U.S. engaging in cross-border offensive operations
(patriotic hackers, U.S. corporations acting in self-defense) have legal
implications for the U.S.
– U.S. responsibility potentially implicated if private actions rise to “use of force”
– Possible interference with US government cyber operations
37
More broadly…
• Certain cyberattacks undertaken by the United
States are likely to have significant operational
implications for the U.S. private sector.
– Internet-based attack may require cooperation of
U.S./Allied ISPs (ISPs usually asked to suppress
cyberattacks – what about shutting down a US
attack?)
– Shaping the cyber battlefield may require cooperation
of U.S./Allied IT vendors and service providers.
– Adversary response to U.S. cyberattack may affect
U.S. ISPs and critical infrastructure may be affected
38
Some broad observations
and issues
39
Bear in mind…
• Cyber conflict is not separate from other spheres of
potential conflict.
• Options for responding to cyberattacks on the
United States span a broad range and include a mix
of dynamic changes in defensive postures, law
enforcement actions, diplomacy, cyberattacks, and
kinetic attacks.
• Cyber conflict is not just relevant to US government,
and issues arise in deterring attacks on private
sector entities.
40
Nuclear conflict as analogy for cyber
• Many superficially obvious connections
– Relevant concepts: early/tactical warning, attack assessment, stability,
deterrence, offense dominance, counterforce, countervalue, escalation
control, first use, first strike, secure second strike, war termination,
launch under attack, launch on warning, employment options,
proliferation, fratricide, laws of war, cascading effects; unpredictable
effects; command and control…
• But deeper analysis suggests badness of fit
– Private sector doesn’t have nuclear weapons.
– Many of the same questions/issues arise in cyber as in nuclear (as well
as in many other forms of conflict)
– Answers to these questions are mostly very different
• Some suggest biological weapons are a better metaphor from a
strategic point of view (deterrence, arms control, and so on).
41
Fostering a national debate on cyberattack
The U.S. government [and other nations] should conduct a broad,
unclassified national debate and discussion about cyberattack
policy, ensuring that all parties are involved in discussions and
familiar with the issues.
•
Some aspects of cyberattack SHOULD be classified, e.g.
–
–
–
U.S. interest in a specific cyberattack technology
Fragile and sensitive operational details that are not specific to the
technologies themselves
Capabilities and intentions of specific adversaries.
•
But these are not relevant to answering questions about declaratory
policy, and thus secrecy about policy issues serves to inhibit necessary
discussion about them.
•
Impossible to have a coherent discussion of policy while discussing only
the defensive side; discussing defense only leads to a “victim” mentality.
42
C2 for offensive cyber operations
• Early use of cyberattack may be easy to
contemplate in a pre-conflict situation, so a
greater degree of operational oversight for
cyberattack and cyberexploitation may be
needed compared to use of other options.
– Confusion on adversary’s part regarding intent of
cyber operation – an exploitation may be seen as an
attack.
– Operational footprint left by cyberattack activities is
small, and routine activities may be less visible to
senior decision makers.
43
Some interesting fundamental questions
•
In light of the poor track record of deploying cyber defenses adequate to meet the
threat, how and to what extent can offensive cyber operations enhance
cybersecurity?
•
In light of limited law enforcement response capabilities, how and to what extent, if
any, should private entities be allowed to shoot back or investigate? Does private
shoot-back increase or decrease likelihood that a private entity will be attacked?
•
What can/should a nation do in cyberspace in conditions short of avowed armed
conflict or in response to actions that fall short of armed attack or uses of force?
•
How (if at all) should an attacking nation enable adversaries to differentiate between
exploitation and attack?
•
How, if at all, are existing international legal regimes (e.g., the laws of armed conflict,
the Geneva Conventions) adequate to manage cyberconflict?
•
What is the role of international cooperation and agreements in managing cyber
conflict?
44
Report explores all these issues
in much greater detail
Herb Lin
Chief Scientist, Computer Science and
Telecommunications Board
National Research Council
202-334-3191, hlin@nas.edu
Download reports free –
Search for
Macarthur Foundation,
Cyberattack, Policy
NRC report, deterring
cyberattacks
(latter has 50 interesting
research questions)
45
Download