Cyberwarfare: What will it look like, how will we defend against it? Those questions have taken on new urgency, as the possibility becomes more real.
Recently, the Baltic nation of Estonia suffered several weeks of distributed denial-of-service attacks against both government and private-sector Web sites. And late last month, a report from the Department of Defense said the People's Liberation Army of China is building up its cyberwarfare capabilities, even creating malware that could be used against enemy computer systems in first-strike attacks.
To date, there have been no proven, documented cases of one nation attacking another via cyberspace. Yet cyberwarfare is a chilling prospect that's treated among most nations with much the same reverence as Cold War players treated the idea of nuclear winter, mainly because of the potential large-scale economic disruption that would follow, says Howard Schmidt, a former White House cybersecurity adviser and former chief security officer at eBay and Microsoft. This would include shortages of supplies that could affect both citizens and the military, he says.
The cyberattacks against Estonia primarily targeted the government, banking, media, and police sites, and they "affected the functioning of the rest of the network infrastructure in Estonia," the European Network and Information Security Agency, or ENISA, reported on its Web site. As a result, targeted sites were inaccessible outside of Estonia for extended periods in order to ride out the attacks and to try and maintain services within the country.
Distributed denial-of-service attacks are particularly difficult to prevent and require a lot of coordination to contain the damage when multiple sites are hit. In order to weather the 128 strikes launched against its cyberinfrastructure, Estonia sought help from not only its Computer Emergency Readiness Team, established late last year, but also the Trans-European Research and Education Networking Association and Computer Emergency Readiness Teams in other countries, including Finland and Germany, according to ENISA.
LET'S GET ALONG
A major hurdle that nations face in defending their critical infrastructures is working with the entities that control telecommunications networks, electrical grids, and transportation systems. This is a significant issue in the United States, given that the private sector owns more than 85% of the critical infrastructure.
Communication and cooperation between government officials and private-sector critical infrastructure owners are essential because the military is more knowledgeable and better prepared to respond to a cyberattack. "When it comes to information warfare, corporations in general are no match for a trained intelligence officer," says David Drab, a 27-year veteran of the FBI who retired in 2002 and is now principal for information content security with Xerox Global Services. These officers have an objective, they have resources, and often they have the element of surprise on their side, he says. Businesses are ill-prepared to handle these types of attacks.
The Defense Department's annual report to Congress on China's military strategy says China is building up "tactics and measures" to protect friendly computer systems and networks. "The People's Liberation Army is pursuing comprehensive transformation from a mass army designed for protracted wars of attrition on its territory to one capable of fighting and winning short-duration, high-intensity conflicts against high-tech adversaries," according to the report. China refers to that as "local wars under conditions of informatization," the report says.
But China isn't just developing a defensive cyberwarfare plan. The People's Liberation Army sees exploiting computer network operations as critical to achieving "electromagnetic dominance" early in a conflict, says the report. And China is focused on being able to disrupt battlefield information systems.
Still, Schmidt says, there are ways to mitigate the prospect of cyberwarfare. One is for nations to work with their critical infrastructure owners to bolster security preparedness. This includes ensuring that software patches are up to date and that access-control systems--biometric or otherwise--are in place to protect IT infrastructures from intruders and malicious insiders. Schmidt's other proposal is less technical and more diplomatic: "Create treaties among countries that agree to not do this to each other."
Illustration by Mark Matcho