After Google-China dust-up, cyberwar emerges as a threat Page 1 of 3

After Google-China dust-up, cyberwar emerges as a threat
The episode highlighted cyberthreats facing the U.S., but it's not a war -- yet
Jaikumar Vijayan
 
April 7, 2010 (Computerworld) Few events have crystallized U.S. fears over a cyber catastrophe, or
brought on calls for a strategic response, more than the recent attacks against Google and more than 30
other tech firms.
The company's disclosure in January that it was attacked by China-based hackers -- and its subsequent
decision to scale back operations there -- have stoked long-standing fears over the ability of cyber
adversaries to penetrate commercial and government networks in the U.S.
If a full-fledged cyberwar were to break out, the nation's economy would be hit hard. Banks might not be
able to function, electricity, water and other utilities could be shut off, air travel would almost certainly be
disrupted, and communications would be spotty at best -- in a word, chaos.
Few think that such a war is imminent. But damage has already been done by a slew of cyberattacks that,
while well short of cyberwar, have still resulted in the theft of terabytes of intellectual property data,
trade secrets and classified military and government information. That information is now in the hands of
overseas groups, many of which are thought to be state-sponsored.
It's not just data and secrets. Cyberthieves have also made off with billions of dollars from U.S. companies
and banks, and there are growing concerns that cyberattackers are making subtle changes to software
source code. That way, they can create permanent windows into a company's operations for future mischief.

An 'existential threat'
Many see the attacks as evidence that the U.S. is already in the midst of an undeclared cyberwar, with
attacks against government targets estimated to have more than doubled in the past two years. Just last
week, a top FBI official called cyberattacks an "existential threat" to the U.S. On Friday, two U.S. senators
now pushing cybersecurity legislation in Congress reiterated those sentiments.
And Mike McConnell, the former director of the National Security Agency (NSA) and director of national
intelligence during the Bush administration, recently said in a Washington Post column that the U.S. is not
only fighting such a war, it's also losing the battle.
That sentiment was echoed by U.S. Navy Admiral Robert Willard, who warned Congress about U.S.
military and government networks being hit by attacks that appeared to originate from China. The attacks
are challenging the military's ability to "operate freely in the cyber commons," he said.

http://www.computerworld.com/s/article/print/9174558/After_Google_China_dust_up_cybe... 4/7/2010

Those views are shared by security experts in both the government and the private sector who see the
relentless probing and attacks on U.S. agencies and commercial interests as a precursor to something
more devastating. The concern is prompting action of sorts in Washington. In just the past month, two
major cybersecurity bills have been proposed. One would tie U.S. financial aid to a country's willingness to
fight cybercrime. The other would strengthen domestic cybersecurity and require the president to work
with private industry in responding to a cyber crisis. That's a foregone conclusion, given how much of the
nation's cyber infrastructure is in private hands.

A cybersecurity ambassador?
Meanwhile, the U.S. State Department is rumored to be considering the creation of a cybersecurity
ambassador for the U.N. That's important, since there's no settled definition of cyberwar, and various
nations are already trying to figure out what a cyberwar entails and how it would be declared -- and
fought.
The first step to formulating an organized response is to define cyberwar correctly, said Robert
Rodriguez, a former Secret Service special agent and founder of the Security Innovation Network. Calling
what's gone on in recent years a "cyberwar" only complicates things, he said.
"War connotes huge conflict at a grand level between nations and societies," Rodriguez said.
It also involves the use of military force to essentially destroy another nation's capabilities and will to
resist, according to James Lewis, director and senior fellow at the Center for Strategic and International
Studies. The cyber equivalent of such a conflict would involve a nation using cyber means to attain
political ends in another country, said Lewis, who led a commission that developed a set of cybersecurity
recommendations for President Obama last year.
"When you look at the number of systems that have been Trojaned or compromised, you could say our
cyberbattlefield has been prepped and can be used against us," admits Jerry Dixon, former director of the
National Cyber Security Division at the U.S. Department of Homeland Security (DHS).
"However, the adversary has to decide if the intelligence they're getting from our systems and networks is
more valuable than attacking them to take them offline," he said. "If they attack and take them offline,
they will lose insight into what we're doing."
Making such distinctions is crucial from a strategic response standpoint. "Pronouncements that we are in
a cyberwar or face cyberterror conflate problems and make effective response more difficult," Lewis said.
So if the attacks of recent years aren't warfare, what are they?

Spies or criminals?
A lot of what's going on is happening on two levels: cyberespionage and cybercrime on a massive -- and
growing -- scale. They aren't new, said Patricia Titus, the former chief information security officer at the
Transportation Security Administration who now holds a similar post at Unisys Corp. But the attacks on
Google and other companies refocused attention on the scope of the problem, she said.
Many of the recent attacks tended to originate from China, though countries such as Russia and India are
also suspect. Specific companies and government organizations are usually targeted through the use of
social engineering tricks, advanced reconnaissance and sophisticated malware tools that can quietly
penetrate networks and steal data. What's not always clear is whether this kind of economic and military
espionage is state-sponsored or carried out by hacktivists and opportunists.
Other attacks, especially those from Eastern Europe, aim to steal money from banks, businesses,
educational institutions and individuals. Most recently, cyberattacks have targeted small and midsize
businesses, some of which have been forced out of business or into bankruptcy.

A nexus of bad guys


Increasingly, there appears to be a nexus between the groups committing cybertheft and those doing
cyberespionage, said Amit Yoran, former director of the National Cyber Security Division of the DHS and
current CEO of NetWitness Corp. Many of the botnets, servers, malware tools and techniques now used
in cybercrime are also being used for espionage. "Where traditionally a [state-run] intelligence service
would execute their own operations, now they have ties with organized crime," he said.
Those kinds of connections -- loose, fluid and constantly changing -- make fending off cyberattacks
difficult. As a result, a successful strategic response means that the intelligence community, the U.S.
Secret Service, FBI and other law enforcement agencies have to start collaborating more, security
analysts say. And more information-sharing between the private and public sectors needs to take place.
The vast majority of the critical infrastructure in the U.S. is owned by the private sector. But most
companies have little or no information about the wealth of threat data being collected by intelligence and
other government agencies, Titus said. If they're unaware of the threats, they may be vulnerable.

At the international level, moves like the proposal to create a U.N. cyber ambassador who can negotiate
cybersecurity matters and articulate U.S. policy are crucial, Titus said. In fact, she wants the State
Department to consider installing cyber attachés at U.S. embassies in key countries such as China, India
and Russia. That way, the U.S. government could quickly communicate with the appropriate authorities in
other countries during a cybercrisis. It also gives U.S. firms operating in countries such as India and China
-- think Google -- a place to turn to immediately when a crisis flares, she said.
The government also needs to focus on continuous monitoring and situational awareness by creating an
early-warning system that could sniff out attacks, said Karen Evans, former de facto federal CIO under
the Bush administration. Getting a jump on an attack would allow government agencies to respond in a
coordinated fashion, she said.

No national policy
Evans believes the time has come for the government to formalize a national policy for dealing with
cyberthreats. Such a policy should clearly define the thresholds beyond which cyberattacks will be
considered an act of war, establish who's in charge among the different federal agencies that would
respond to a cyber crisis, and spell out when they are allowed to use that authority.
Few doubt that the U.S. Department of Defense and the NSA could launch crippling cyberoffensives of
their own in response to a cyberattack. But a policy framework needs to be in place defining when such
an offensive is appropriate, Yoran said. Whether that retaliation means a cyber-counteroffensive or a
more conventional military one needs to be figured out as part of U.S. cyberpolicy before a crisis, Yoran
said.
"Just as we would respond to a terrorist attack, there needs to be some sort of a response capability,"
Titus said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for
Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed.
His e-mail address is jvijayan@computerworld.com.
