Spring 2007, a spat between Russia and Estonia was accompanied by a “cyberwar.” With my friend and former boss Jim Hendler (now a professor at RPI), I wrote an overview. The story is now relevant again for assessing the cyber component of the Georgian-Russian conflict. The difference is that this time, for all of the hype about cyberwar, there is real-world fighting that is having a more permanent impact.
At the same time the growing level of illicit activity on the web is a concern in its own right.
June 5, 2007
By AARON MANNES and JAMES HENDLER
The age of cyberwar has arrived. The attacks on Estonian government and commercial Web sites following the relocation of a Soviet World War II memorial in Tallinn in late April made news around the world. Yet these were not the only, or even the most significant, such assaults this year.
In February, hackers laid siege to six of the 13 “root servers” that sit at the top of the Internet’s Domain Name System. Had they succeeded in keeping all of them offline for long, name resolution across the Internet would have broken down as cached records expired. Fortunately, only two of the root servers were severely affected, causing only some localized slowdowns. The emerging threat of cyberattacks against vital parts of the global economy highlights the urgent need to protect the Net from criminals.
The attack on Estonia was perhaps more akin to a riot than a military strike. Just as a mob might wreck storefronts, cyberattacks defaced or knocked prominent commercial and government Web sites offline. Similar attacks have accompanied other international political spats. Arab and Israeli hackers attack each other’s Web sites, as do Pakistani and Indian hackers. After a South Korean speed skater was disqualified for bumping an American rival during the 2002 Winter Olympics, several strikes apparently originating from South Korea hit U.S. servers.
In all these cases, the hackers can delay email and hinder access to targeted Web sites. In Estonia, they prevented the national government from explaining the situation, hampered financial transactions and interfered with telephone systems, which rely in part on the Internet to function.
The strikes against the Estonian sites and the Internet root servers are of a type known as Distributed Denial of Service attacks, or DDoS. The assailants begin by installing a virus or other malicious software on a computer, directing it to send messages without its owner’s knowledge. These compromised computers, known as bots, are bound together into large networks called botnets. They then simultaneously send messages to the targeted system, overwhelming it and leaving it unable to respond to queries. Low-end estimates indicate that there are tens of millions of bots in the world, and experts have identified some botnets that included more than 100,000 compromised computers.
One reason for the increasing frequency of these attacks is that they don’t require high-level skills. In chat rooms where cybercriminals congregate, botnet builders offer their “products” for rent, their real identities obscured behind aliases. There are even online help desks to assist users. Because botnets consist of computers from all over the world, it is difficult to trace the origin of an attack, making it particularly attractive to governments, which can deny any responsibility.
Consider the Estonian case. Tallinn accuses Russian state officials of involvement in the recent attacks. But even if that is true, it is difficult to prove that this was state policy instead of the actions of sympathetic individuals. State computers may have been part of botnets, but so were other computers around the world. Russia is also a major center for cybercriminals, many of whom happen to be staunch Russian patriots. In this recent cyber levée en masse, many ordinary Russians participated in the attacks against Estonia; at its peak over one million computers were involved.
Because of their ease of use, DDoS attacks have proved attractive to various malevolent actors. According to a report by the Middle East Media Research Institute, Islamist chat rooms have included discussions of attack techniques and work to coordinate attacks on Web sites that oppose their cause. DDoS attacks may favor the assailant, but skilled IT professionals can counter them. More important, they have limited efficacy: Knocking out the power company’s Web site is not the same as taking down the power grid. Breaking into a system to gather information, or launching an attack that damages real-world infrastructure, requires more extensive skills. So far, the few publicly known incidents involving real-world infrastructure — most famously an April 2000 case in Australia in which raw sewage was released into rivers and streams — have involved disgruntled insiders.
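The botnet mechanism described above, and the claim that skilled IT staff can counter it, both come down to one observable: a site under DDoS sees request volume that is either concentrated in a few sources or spread thinly across many. The following is an added example, not code from the op-ed or from any Estonian operator, showing how a defender can tell the two apart in ordinary web-server access logs. The log lines are constructed, the addresses are from documentation ranges, and the thresholds (20 requests per second in aggregate, 10 from any one host) are illustrative assumptions, not published guidance.

```python
"""Flag flood traffic in web-server access logs (added example).

The sample log and thresholds below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return {"host": m.group("host"), "ts": ts,
            "request": m.group("request"), "status": int(m.group("status"))}


def bucket_by_second(lines):
    """Return {epoch_second: Counter(host -> request count)}, skipping garbage."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # a malformed line must not abort the analysis
        buckets[int(rec["ts"].timestamp())][rec["host"]] += 1
    return buckets


def classify_windows(lines, total_threshold=20, single_host_threshold=10):
    """Classify each one-second window, returned in time order as
    (epoch_second, label, detail, total_requests).

    single-source flood: one host alone exceeds single_host_threshold
        (easy to block at the edge with a per-address rate limit).
    distributed flood: aggregate exceeds total_threshold while every host
        stays quiet individually, the signature of a botnet where no single
        bot stands out and per-address limits do not help.
    normal: neither condition holds.
    """
    out = []
    for sec, hosts in sorted(bucket_by_second(lines).items()):
        total = sum(hosts.values())
        top_host, top_count = hosts.most_common(1)[0]
        if top_count >= single_host_threshold:
            out.append((sec, "single-source flood", top_host, total))
        elif total >= total_threshold:
            out.append((sec, "distributed flood", len(hosts), total))
        else:
            out.append((sec, "normal", len(hosts), total))
    return out


def make_line(host, second, path="/"):
    """Build a constructed Common Log Format line at 01/May/2007 12:00:SS UTC."""
    return (f'{host} - - [01/May/2007:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


# Constructed sample: one ordinary second, one single-host hammering, one
# second where 25 distinct hosts each send a single request, plus a bad line.
SAMPLE_LOG = (
    [make_line("198.51.100.7", 0), make_line("198.51.100.7", 0, "/news"),
     make_line("203.0.113.4", 0), make_line("203.0.113.9", 0),
     make_line("203.0.113.9", 0, "/img")]
    + [make_line("203.0.113.66", 1) for _ in range(12)]
    + [make_line(f"192.0.2.{i}", 2) for i in range(1, 26)]
    + ["this line is not a valid log record"]
)

if __name__ == "__main__":
    for sec, label, detail, total in classify_windows(SAMPLE_LOG):
        print(sec, label, detail, total)
```

The distinction matters for the response: a single-source flood can be stopped with a per-address rate limit at the edge, while the distributed case, where each bot sends one request, has to be handled by capacity, upstream filtering or an anycast front end rather than by blocking individual addresses.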
DDoS is also of limited utility in economic warfare. Knocking out the Web site of an online business is obviously bad for that business, but it has a negligible overall economic effect: Frustrated customers can simply purchase from competitors.
Little is known about the people behind the February attacks on the Internet root servers. The investigation into the incident suggested that the attack was by cybercriminals who wanted to advertise their sophisticated botnet. Criminals have used DDoS to blackmail online businesses, particularly gambling sites. But botnets are used more profitably to disseminate spam and malware. While the botnets cannot yet destroy the Web technically, they are undermining its vital trust and openness.
There are no simple ways to prevent the World Wide Web from becoming a zone where powerful criminals operate unfettered and large players can push around small ones. Software makers can work to make systems more secure, but many computers are compromised by user error rather than technical flaws. The public can be better educated in computer security, but human nature is imperfect.
International standards for addressing the problem, such as the Council of Europe’s Convention on Cybercrime, are evolving. Setting international standards to counter cybercrime, while still protecting civil liberties, will be a continuing challenge. But the greater challenge will be pressing nation-states to adhere to these standards by enacting and enforcing laws against cybercrime.
Yet as the attacks against Estonia show, the task cannot be delayed — the increasing sophistication and accessibility of malware means these problems will only become worse. The future of the Web is at stake.
Mr. Mannes is a researcher in international security affairs and Ph.D. student at the University of Maryland. Mr. Hendler is a professor of computer science at Rensselaer Polytechnic Institute.