CYBER DETERRENCE Methods & Effectiveness Author: Don Eijndhoven Company: Argent Consulting Date: November 2, 2010 Version: 1.1 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting Table of Contents Table of Contents Executive Summary Issue Statement Background Cyber Deterrence – Methods and Effectiveness Infeasibility Futility Fear of Retaliation Conclusion Future Developments References 2 3 4 5 8 8 9 10 12 13 14 2 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting Executive Summary Cyberspace as a warfighting domain contains ‘natural laws’ unlike any other environment we’ve seen so far, which presents unique issues to doing combat. Cyber Weapons are virtually impossible to regulate, as they consist out of programs that can be written anywhere, on any system, by anyone with skills that are legal to obtain and taught in virtually every country. Also, Cyber Weapons can be perfectly legal until the intent of the user changes; many of these are applications originally designed to test for security vulnerabilities. Cyber Warfare is highly asynchronous, meaning that a small force can do large damage, and is cheap enough in resources that it can be waged by any person or entity with the intent to do so. Parallels can be drawn with Deterrence Theory as applied in Nuclear and Bio Weapon Deterrence, but the ‘natural laws’ of the cyber environment cause them to miss the mark when it comes to effectiveness. Deterrence breaks into three categories: Infeasibility, Futility and Fear of Retribution. Deterrence through Infeasibility, which relies on raising the cost/effort of an attack to become more expensive than the gains returned by success, fails because cyber weapons are cheap and manpower may be free (depending on motivation). Deterrence through Futility relies on defenses being so strong that the object becomes impervious to attack, but this fails because defenses are based on code, and code is susceptible to human error, thus all defenses will have flaws. Deterrence through Retribution, which is what the Mutually Assured Destruction (MAD) Deterrence Strategy during the Cold War was based on, relies on attacker being deterred by possibility of retaliation by the target. This strategy fails because origins of cyber attacks can be obscured or even falsely indicate an innocent third party, rendering all threat (through any sanction) moot. 3 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting Issue Statement Cyberspace is the first entirely manmade warfighting domain. Its ‘natural laws’ are unlike anything we’ve ever seen before and create the need for an entirely new array of weaponry and tactics. Due to the flexible and interconnected nature of cyberspace, which was designed around the premise of redundancy rather than security, many online resources are shared between government and private entities. This raises the potential for collateral damages to such an extent that many nations, especially those who depend on the internet for much of their critical services, are looking into trying to deter cyber attacks. In this regard, the following questions arise: What deterrence methods are there? Are there other deterrence models that may offer clues as to what works? How effective would those measures be in the cyber warfare context? It should be noted that Cyber Deterrence is a broad concept with much more depth than what can be covered in this research assignment and still stay in the allotted amount of pages. For this reason, some of the deeper aspects will be out of the scope of this paper. 4 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting Background “The only difference between a cyber weapon and a security or capacity testing tool is the intent of the individual using it.” Kevin Coleman, Technolytics At the moment of writing, it is still heavily debated what the definition of “Cyber Warfare” truly is. At his confirmation hearing for the new Cyber Commander post, US Lt. General Keith Alexander couldn’t define the term when asked to do so. Richard Clarke1 defined Cyber Warfare as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption." in his book Cyber War2, but this is an incomplete definition, not covering other aspects of warfare such as intelligence gathering. Nevertheless I think we can all agree that at least to an extent it involves the exploitation of interconnected systems, thus overlapping with other trades such as ethical hacking and cyber crime. The software and skill used is often the same; security consultants and penetration testers often use the exact same tools as the people they are trying to keep out of their systems. The only real difference is –as Mr. Coleman says- a matter of motive. The Theatre To understand the topic of Deterrence in Cyber Warfare, we must first establish where it is fought. As covered in the issue statement, it is fought in the first entirely manmade domain that we call cyberspace. But what exactly is cyberspace? According to Wikipedia: Cyberspace is the electronic medium of computer networks, in which online communication takes place. It is the domain of electromagnetics readily identified with the interconnected information technology required to achieve the wide range of system capabilities associated with the transport of communication and control products and services. Current technology integrates a number of capabilities (sensors, signals, connections, transmissions, processors, and controllers) sufficient to generate a virtual interactive experience accessible regardless of a geographic location. Cyberspace is the dynamic realization of electromagnetic energy through the application of communication and control technology. In pragmatic terms, operations within this global domain allow an interdependent network of information technology infrastructures (ITI), telecommunications networks, and computer processing systems, integrated sensors, system control networks, embedded processors and controllers common to global control and communications across the electro-magnetic environment. 1 2 Richard A. Clarke, US Government security expert Clarke, Richard A. Cyber War, HarperCollins (2010) 5 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting The article goes on to describe the social experience of the internet, but the truth is that as a civilization we have yet to truly grasp the ramifications of having such immense interconnectivity between information and services. This same lack of comprehension is likely at the very core of Lt. General Alexander's problem with describing cyber warfare. For the purpose of this research paper the Wikipedia definition of cyberspace will suffice. The Weapons The distribution of such software, or “proliferation of cyber weapons” in military parlance, is widespread and often public. In many cases the software is freely downloadable. A few simple Google searches can give you access to the digital equivalent of your local gun store. For more malicious purposes such as identity theft or creditcard fraud there are entire black markets where the latest zero-day exploits3 can be bought for relatively small amounts of money. There are groups that can have your malicious code modified and tested to evade the top 10 antivirus software suites for a nominal fee. There’s even an auction system for zero-day exploits on Twitter.4 Companies specializing in security consulting and penetration testing can opt to buy subscriptions to exploit code through state of the art delivery platforms such as Core Impact Pro5, Immunity Canvas6 or the wellknown Metasploit Framework7 that is freely available. All these options are available to the general public, and all of these options can be used in furtherance of cyber warfare. It is good to note that since nations tend to have more resources than individuals and commercial entities; this also gives them the option to have their cyber weapons developed in-house by specialists. Another option, one that is generally considered to only be in reach for individual nations for their resources, is the ability to infiltrate an adversary’s electronics supply chain and corrupt it from the inside. This sort of attack could contain a hardware engineering aspect as well as a software aspect. 3 Software aimed at exploiting vulnerabilities for which a patch has not yet been developed. http://twitter.com/0daybid 5 http://www.coresecurity.com/content/core-impact-overview 6 http://www.immunitysec.com/products-canvas.shtml 7 http://www.metasploit.com 4 6 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting The Players An estimated 100+ countries8 have already started to develop Cyber Warfare programs to deal with this potential threat, but they are hardly the only players when it comes to cyber warfare. With a technology as prevalent as the Internet, this potential battlefield is accessible to all layers of society. Furthermore it is important to note that cyber warfare is very asymmetrical. Resources don´t necessarily guarantee the upper hand in a conflict, as a single person with a single exploit can potentially inflict as much damage as a whole battalion using supercomputers. Everything depends on the particular environment, the quality of the exploit and the skills of the attacker. As such, we should count everyone that has the motivation to make itself felt. This would include players such as terrorists, religious extremists, outfits of organized crime, ideological radicals, mercenaries et cetera. This is relevant information because each deterrence tactic will carry a different effect from one group to the next. 8 The numbers vary. The Air Force Law Review estimates 120 countries in their article in the winter of 2009, Spy-Ops says 140 in a 2008 article in Outside The Beltway. 7 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting Cyber Deterrence – Methods and Effectiveness Deterrence is a theory taken from behavioral psychology about preventing or controlling actions or behavior through fear of punishment or retribution. We see it in use every day as part of our legal system, but it is also relevant in warfare. Deterrence Theory was especially relevant during the Cold War with regard to the use of nuclear weapons and sprouted strategies such as Mutually Assured Destruction (MAD). This revolved around there being too many nuclear missile launch points to take out in a single strike, thus ensuring severe retribution by the aggrieved party. As to deterrence methods, there are really only three that come into play; 1. Infeasibility – “Getting the required resources to perform an attack is too hard.” 2. Futility – “I know that my attack will have no effect on my target.” 3. Fear of Retaliation – “Damage done to me in return is too high a price to pay.” Infeasibility The concept of Infeasibility as it pertains to Cyber Deterrence revolves around curtailing the flow or proliferation of the means by which attacks can be executed (e.g. cyber weapons). When compared to other deterrence strategies such as the ones used with Nuclear or Biological Warfare, the most important difference is the physical aspect; Cyber Weapons have none. Nuclear or biological weapons can be regulated because its base materials such as weapons-grade uranium or a strain of Y. Pestis are difficult to make (or control, in case of diseases). The only requirement for building a cyber weapon is a computer to write the code on, and until (and likely after) it is actually used to write malicious code it is undistinguishable from any other. Also, programming malicious code does not make high demands on the hardware of said computer. The cheapest current system will probably suffice. The rest is a matter of intelligence and skill. With the prevalence of internet access worldwide and the amount of knowledge on the subject that is thus readily accessible, the required intelligence and skill is reduced severely. With so few resources necessary and their availability so high, it is highly unlikely that the proliferation of cyber weapons can be halted successfully. 8 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting Futility Making the attacker believe an attack would have no effect requires the attacker to believe your defenses are insurmountable. In the physical realm this could be achieved by placing ones’ defensive works in plain view for all adversaries to see. There are castles and fortifications all over Europe that have never been attacked because they were deemed impregnable. However, it is likely that the defenses will be tested by the attacker regardless of how strong they look. This is especially true in cyberspace, where exploit code is freely available for virtually all network-capable software and Operating Systems, and automation makes even the most arduous and repetitive tasks (such as brute-forcing passwords) potentially viable. Another key ingredient here is Anonymity. It is relatively easy to route attacking traffic through systems that don’t log anything, thus obscuring the trail back to the attacker and making attribution difficult (if not impossible). This lack of attribution will be discussed in greater detail later. Finally it is important to note that all software is eventually written by humans, and thus vulnerable to human error. Though the numbers vary wildly due to influence of Quality Control processes and programmer skill, it is commonly assumed 9 that the Industry Average is 15 – 50 errors per 1000 lines of code. This means that virtually every OS or program will contain errors, and a percentage of these will compromise its security. When these bugs find their way to products that are sold to the public, they may be found and exploited. Therefore, any product that is considered safe today may not be safe tomorrow. Regardless of how much effort is put into building ones’ network defenses; they are invisible to the attacker until he explores or attacks them. Even then, it is entirely uncertain any attacker won’t press on his attack simply because he does not know he has been detected, believes himself anonymous or feels himself immune to prosecution. 9 Source: Code Complete, 2nd edition by Steve McConnell 9 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting Fear of Retaliation By facing the risk of losing more in a retaliatory strike than there is to gain from attacking, an attacker may be effectively deterred. This has been the main theory during the Cold War, where the Mutually Assured Destruction strategy effectively staved off a nuclear war between the US and Russia. A comparison between Nuclear Deterrence and Cyber Deterrence is often made, but there are a great many downsides to this strategy in cyberspace. Firstly, as stated previously, it is very easy to obscure one’s identity as an attacker. Malicious traffic can be routed through a multitude of anonymous (e.g. non-logging) routers, obfuscating the origin of the packets. Furthermore, we can only (theoretically) trace attacks back to the system that sent it, and still not be able to determine the person who launched it. If a foreign operative launches an attack from an internet café in a third nation, this may implicate guilt where there is none and may cause retribution to damage an innocent party. Second, cyber attacks differ from kinetic attacks in that the damage (or even success) of an attack need not be obvious. Successful cyber attacks have been known to go unnoticed for months. Also, attacks may not have to be aimed at causing destruction or disruption. Instead, it may intend to corrupt data and be specifically designed to stay hidden for longer periods of time. Third, retaliation may not be in the best interest of the aggrieved. Retaliation indicates that an attack has at least taken place (successful or not), which may not be desirable. It is generally assumed that the severity of retaliation is an indication of how successful an attack was. Will response be in kind, or escalatory? Will retaliation be public, or sub-rosa? Public perception is a very important political factor, so proportionality is an issue as well. Also, what is the threshold for retaliation? Is that a public threshold, or has no official declaration of intent been given? These are all very relevant questions that must be answered. Fourth, retaliation may not be possible. The attacker’s defenses may be strong enough to withstand retaliation. Also, retaliation may not be successful when it is attempted. As stated previously, the retaliation may not even be detected when it is successful, and is most likely not detected when it fails. Even when an attack is both successful and detected, it may not be distinguishable from the swathe of automated attacks that usually plague government websites10, and so is not recognized as retaliation. One possible solution for that is using the same attack as the original attacker used, but of 10 US Defense Secretary Robert Gates stated that the US government experiences cyber attacks on their network daily and constantly. See ZDNet article. 10 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting course odds are good that the attacker fixed this vulnerability in his own network as soon as it was discovered. Timing is also very important. If retaliation comes months after the initial attack, it may be perceived as an original attack rather than a retaliatory strike. Inaction -or worse, incompetence- may make the retaliator seem blind, weak or incapable, which lowers the level of deterrence. Research11 indicates that the certainty of punishment is a greater deterrent than the severity of the punishment (or retaliation in this case). Unfortunately, the attribution problem makes the likelihood of getting caught seem very low. Even when the aggrieved party decides to retaliate, it is not always perceived by the target. This makes Retaliation as a deterrence strategy in Cyber Warfare a tricky one at best and a dangerous one if it hits the wrong target due to faulty attribution. 11 Source: The book “Criminology” by Larry J. Siegel 11 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting Conclusion It is clear that cyberspace as a warfighting domain does not lend itself well to conventional weapons and tactics. Many concepts will be far less effective, completely ineffective or even counterproductive because the rules of the game are fundamentally different. The lack of a physical dimension is probably the most fundamental; it wreaks havoc with establishing network boundaries or attribution. A bullet fired in anger is comparatively easy to trace because of physical evidence. It is far easier to determine who fired it, what his or her affiliations are, what his or her motives are and whether or not the attack is part of a larger attack. The damage done by the bullet is also usually visible and obvious. The same can not be said for cyberspace. In cyberspace, an attack may succeed or fail without the attacker knowing what the status of his attack is. When the attack fails, it is usually not even noticed. It may not be noticed even if it does succeed. When an attack succeeds, the damage (if there is any) may not be obvious, either by design (when the intent is corruption of data) or because the attack simply did not behave as intended. The system from which the attack was launched may never be found, nor its operator. The attackers’ involvement may never be proven, and the intent of the attack may never be established. It is also far easier for any attacker to plant false evidence to involve an innocent third party than it is in physical space. Essentially there is uncertainty in every relevant aspect of the situation, and very little –if anything- can be controlled in a fashion that alleviates the problems. Until the technology and the rules of the environment solidify in a way that changes these circumstances which -given the nature of cyberspace and the behavior demonstrated thus far- may never happen, it will remain unsuited for traditional forms of deterrence. 12 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting Future Developments It is my belief that in the future we will see a greater development in privatesector Intelligence endeavors through HUMINT, SIGINT, OSINT and perhaps even MASINT, aimed at providing intelligence about impending attacks, the players involved and the motives behind the attacks. This could serve as (potentially circumstantial) evidence after the fact as well as giving advanced warning prior to attacks, giving targeted entities the crucial time needed to shore up their defenses. A prime example is Project Grey Goose, whose members provided a wealth of information about the cyber attacks against Estonia in 2007, detailing the most likely players and their motives. Another trend I expect (and hope) to see continuing is the collaboration and cooperation of nations in the area of cyber crime. Large scale botnet takedown operations are tricky because the criminals involved do not respect national borders, and the various police forces need to cooperate with each other to bring offenders to justice. Though this does not directly relate to Cyber Warfare, an international sharing of discovered malicious code could have an interesting effect on the various cyber warfare commands around the globe. As to Cyber Deterrence, I believe that the practice will cease to be relevant, and the term will be discarded in favor of less general terms such as Cyber Defenses, Cyber Intelligence et cetera. 13 RESEARCH PAPER: Cyber Deterrence – Methods & Effectiveness By Don Eijndhoven, Argent Consulting References 1. Richard A. Clarke, US Government security expert 2. Richard A. Clarke, Cyber War, HarperCollins (2010) 3. Software aimed at exploiting vulnerabilities for which a patch has not yet been developed. 4. http://twitter.com/0daybid 5. http://www.coresecurity.com/content/core-impact-overview 6. http://www.immunitysec.com/products-canvas.shtml 7. http://www.metasploit.com 8. The numbers vary. The Air Force Law Review estimates 120 countries in their article in the winter of 2009, Spy-Ops says 140 in a 2008 article in Outside The Beltway. 9. Source: Code Complete, 2nd edition by Steve McConnell 10. US Defense Secretary Robert Gates stated that the US government experiences cyber attacks on their network daily and constantly. See ZDNet article. 11. Source: The book “Criminology” by Larry J. Siegel 14