Surviving Cyber War
"The use of cyber attacks is not by definition warfare, just like shooting somebody in the streets isn't warfare or using a gun isn't warfare," Stiennon, author of the just-published Surviving Cyberwar, said in an interview with GovInfoSecurity.com (transcript below). "But when it is state sponsored and the intents and purpose is war-like, in other words to somehow gain an advantage over another state adversary, that is when you start entering the realm of warfare."
Cyberwar, in Stiennon's view, could only occur in connection with kinetic warfare. "Are attacks going on against our critical infrastructure right now?" asked Stiennon, chief research analyst at IT-Harvest, an IT security advisory firm. "The classic penetration and seeing around is certainly going around. Are people throwing switches and shutting down our critical infrastructure? No. And, will there be a cyberwar if they did so? It would certainly be a cyber attack, but I don't think it would fall into the realm of warfare until there was shooting on both sides."
In the interview, Stiennon also:
- Defines cyberwar.
- Furnishes steps organizations and individuals should take to survive a cyberwar.
- Explains why the federal government should take a hands-off approach in safeguarding key private IT systems.
Stiennon, a former vice president of research at IT adviser Gartner, was interviewed by GovInfoSecurity.com's Eric Chabrow.
ERIC CHABROW: There has been a lot of attention placed on cyberwar in the past few months. Former National Intelligence Director Michael McConnell says that America is losing the cyberwar; the White House Cyber Security Coordinator Howard Schmidt in an interview with GovInfoSecurity.gov said he doesn't believe a cyberwar could exist. Before we get into your view on this extensional debate, please first define cyberwar.
RICHARD STIENNON: To me, cyberwar is using networks and computers and applications and the people that run them coincident with more traditional means of warfare, such as invasion and missile launches.
CHABROW: This is something in conjunction with kinetic war or just following a pattern of kinetic war?
STIENNON: In conjunction with. So, up until that point, for me they're just cyber attacks, the classic thing we have been seeing for the last couple of decades; but to my own definition was always when we see these types of attacks in conjunction with a kinetic attack then it has passed the gateway, to me, to be accepted as cyberwar and obviously that occurred Aug. 8, 2008.
CHABROW: And that was when?
STIENNON: That was when Russia invaded South Ossetia, a breakaway part of Georgia.
CHABROW: Why does it have to be related to a kinetic war?
STIENNON: Keith Alexander (the Army general who heads the National Security Agency and the military cyber command) would agree with me on this. The use of cyber attacks is not by definition warfare, just like shooting somebody in the streets isn't warfare or using a gun isn't warfare. But when it is state sponsored and the intents and purpose is war-like, in other words to somehow gain an advantage over another state adversary, that is when you start entering the realm of warfare.
CHABROW: We are engaged in several areas of combat in Afghanistan and in Iraq at the moment, do you see any kind of cyber threats emanating from that?
STIENNON: Well, certainly the U.S. military forces are using traditional intelligence methods; I shouldn't say traditional because grabbing cell phones and doing forensics on them to determine what connections they have made falls into the realm of cyber because it is a pretty broad definition, the way the government uses it. And certainly the adversaries are using laptops; we are confiscating them when we attack insurgents, so there is definitely cyber intelligence and the use of that intelligence to further the war efforts. For sure, cyberwar is occurring in the realms of theaters that we are actually engaging kinetic warfare.
CHABROW: Let me back up a bit and get your observation on this: Would you say that a threat exists now to do damage to the American government and/or America's critical IT infrastructure - the power grid, for example - by digital means without some type of traditional combat? And, could that be seen as a cyberwar or not?
STIENNON: I certainly see the threat, because it is happening today, and damage is being done. The damage might be the systems are encroached and critical data exfiltrated, but that damage caused the Pentagon supposedly over $100 million in corrections and repairs in order to secure their network after it was breached a little over a year ago so that is one way of defining damage. Are attacks going on against our critical infrastructure right now? The classic penetration and seeing around is certainly going around. Are people throwing switches and shutting down our critical infrastructure? No. And, will there be a cyberwar if they did so? It would certainly be a cyber attack, but I don't think it would fall into the realm of warfare until there was shooting on both sides.
CHABROW: There seems to be a reluctance on your part of describing potentially massive damage caused by a cyber attack as a cyberwar coming from an adversary. Why do you have that reluctance?
STIENNON: I don't want to fall into the trap of over-hyping the situation. The situation is bad enough as it is. We have government systems for the most part that are extremely vulnerable and the government has let its guard down, and it has to do a lot of backtracking and filling to correct those issues; but, to claim we are at war with somebody I think is going over the top.
CHABROW: Your book is entitled, Surviving Cyberwar. What do you mean by the title?
STIENNON: Certainly, around the world there are active cyber battles going on. It might be between opposing sides in Israel or opposing sides between India and Pakistan or India and China, and we have to prepare and figure out how to survive those attacks; all the way from the government and the states responsibility, all the way down to the enterprise and the individual's responsibility. You are going to be experiencing these types of attacks if you are involved in computers anyway, and you have to prepare to survive them. And doing so is actually not that complicated, it might take some investment, it might take a change of thinking about the threats we have been battling all of these years because it is a lot different than just fighting the last virus or worm that is spreading all over the Internet, or cyber criminals trying to steal personally identifiable information, it goes a lot deeper than that. The targets are now your information and your data, the things that you use for connecting business and you have to defend yourself against that.
CHABROW: Let me understand something; I am just absorbing what you just said. There are around the world other real combats going on and associated with that could be a cyber attack, and America may not be directly involved in the kinetic combat, but are you suggesting that there could still be side effects on our systems because of these true combats going on?
STIENNON: Yeah, absolutely. And once again, the language gets in our way because would you say that Hamas or Hezbollah is at war with Israel? You know there aren't tanks moving around right now even though there are missiles fired constantly across various borders and the factions on either side engaged in similar periodic attempts to take down websites and web servers, so that is psychological warfare moving over into the cyber realm they are potential for fallouts affecting U.S. businesses and individuals. If you happen to be traveling in Georgia when the war began between Russia and Georgia, you would not have been able to get your e-mail out and communicate that comb over the Internet and actually over some phone networks as well, so you would have been a casualty of a cyberwar that was part of a kinetic war. And certainly, due to a beautiful irony, the web servers of the government of Georgia were re-homed to a U.S. hosting provider, coincidentally in Georgia, Atlanta, Ga. So the attacks just followed them, right? The attackers were using a domain name and the attacks went and started to hit the hosting provider and that had an overall effect collateral damage for the other businesses that were hosted by that provider and that is one of the dangers of the cyber insurgents and cyberwar occurring between countries, is they tend to get global very, very quickly.
CHABROW: What can people do in the United States to avoid this kind of collateral damage?
STIENNON: You have to carefully look at who your hosting provider is and also the defenses that they can put up around their data centers, as well as the DNS, the domain name servers, that are maintaining the location of your website. You can't just leave them sitting out there. A lot of them are just behind the firewall but the firewall has to allow DNS requests through so they are vulnerable to denial of service attacks. Your own hosting website may have a bandwidth limitation on it and it is very easy for an attacker to use up all of your bandwidth and your service provider will shut you down because they see that your contract at value. It is really to just step back one more time, just as you did when viruses started to be popular and worms started to be popular, and look at the defenses that you put in place and determine if you are willing to invest enough to stay up during a targeted attack. One alternative is to say no, that's just a website for our customers to come to find out how to contact us and rather than spend several thousand dollars on protecting your website you might opt to let it be essentially a sacrificial website and let it go down while somebody is attacking you.
CHABROW: What is the role of the federal government in protecting America's government systems and its key infrastructure from these collateral attacks?
STIENNON: I think the role of the federal government is first to defend its own ability to function. We still need access to the Federal Trade Commission website. We still need access to the Federal Aviation Administration and all of their networks and they should keep those up and running and take all of the defenses required in order to do so and they are failing in their primary mission if they allow those sites to be easily taken down.
As far as federal government involvement in trying to somehow beef up AT&T's network or any of the other major broadband carriers, I don't think that they are in a position to offer good advice or even technology frankly. The government has demonstrated that it is seven to 10 years behind in application of security technology. The only reason the carriers haven't fully deployed the type of technologies needed is they haven't experienced the threats; they haven't seen these types of attacks on their own networks. But I can tell you they will; every single industry has had to go through this.
CHABROW: Is the solution not to have things specified at all but establishing some kind of governing architecture to be able to meet changes in technology?
STIENNON: I don't think an architecture is required, just like you don't need an architecture for an economy to work; economies just happen. The Internet did just happen, i.e., the attitude that the government created the Internet when the government didn't create the Internet; the government paid for some researchers at universities to protect their networks and the Internet created itself.
CHABROW: Let me just clarify something I just said, or in my question - when I used the word architecture I wasn't talking about, say an Internet architecture, but some kind of form that's needed; the idea that Congress can enact a law that keeps up with technology because technology moves so quickly, but maybe set up some way of governance or some way of organization that could react swiftly.
STIENNON: Oh, absolutely. An organization, especially one that brought together the technologists with policy makers so that everybody knew everybody else's phone numbers, that would be an excellent organization to have in the realm of crisis management, but as the next threat or disaster occurs, and it will, the right moves are made; sometimes the right move is to not do anything, right, and let the network operators figure it out and fix it. But we will have a better chance of not having escalation of either diplomatic or interstate issues if everybody is talking to each other.
CHABROW: I am taking away from our conversation, sort of a free market approach to cybersecurity, that you feel that there will be problems but we will learn from our problems and resolve them. Is that a correct assessment?
STIENNON: Free market to the world; certainly not free market for the government. The government itself, both on the military side and the rest of the agencies, have to start applying pretty well formulated security policies that have already been defined by National Institute of Standards and Technology and enforcing them to the extent needed to prevent attacks against them.
CHABROW: But it is the role that you see that government should or should not play with the private sector that should follow sort of the principles of the free market?
STIENNON: Exactly. Government should learn from the private sector and government should purchase from the private sector and use their expertise to help secure their networks. Let's just do that for the next five to 10 years until they get this stuff figured out.