China, as one of many alleged actors on the frontier of cyber espionage, is best understood by briefly examining the past century, how it influences contemporary cyber operations attributed to Chinese-based actors, and how they could be used against the Canadian Armed Forces in a potential Southeast Asian conflict.
Out of nowhere, here’s an article I wrote for the Canadian Military Journal. China, as one of many alleged actors on the frontier of cyber espionage, is best understood by briefly examining the past century, how it influences contemporary cyber operations attributed to Chinese-based actors, and how they could be used against the Canadian Armed Forces in a potential Southeast Asian conflict.
The new command system is based on COTS hardware and software products. It uses mainstream PCs and Windows as supporting components. All computers are connected with on a LAN by an Ethernet network using fiber-optic cable. According to The Register, the system will mostly be based on Windows XP although in was initially decided it would be based on Windows 2000.
The role of this system is to store and compile data from various sensors in order to present tactical information for the leadership. It also controls the weaponry:
SMCS NG is designed to handle the growing volume of information available in modern nuclear submarines and to control the sophisticated underwater weapons carried now and in the future. Its core capability is the assimilation of sensor data and the compilation and display of a real time tactical picture to the Submarine Command Team.
The SMCS NG system is the descendant of the previous SMCS system that was proposed back in 1983, when the U.K decided to build a new command system for the then-new Trident class. Before, all electronics were custom built by Ferranti. The SMCS would use COTS material to minimize the costs and become fewer dependants on one company. The architecture of the command system was modular and was written in Ada 83. The core of the system contains an Input/Output computer node, a computer that process data from the sensors and weapons systems. There is also the central node, which is used for processing all the data. Each of the central nodes are duplicated to provide of fault-tolerance, with each being dual modular tolerant, which means that hardware components are working in parallel in case one becomes defective. The dual central nodes are connected to each other and they are also connected to Multi Function Consoles, a Main Tactical Display and two Remote Terminals, which provide the Human Computer Interface. The first phase of the project was to install the SMCS on the Vanguard class submarines.
In 1990, it was decided to extend the SMCS to other submarine classes and that the new command system would use UNIX as its base operating system. Because of the Ada architecture, problems arose when the technicians tried to map the SMCS to run-time processes of UNIX. Solaris and SPARC machines were finally selected for Multi Function Consoles. The central nodes kept their original architecture in Ada.
In 2000, the project was completely own by BAE Systems and the move from SPARC computers to PCs. The switch for the operating system was more difficult, as management preferred Windows while the engineers promoted the use of variants of UNIX such as BSD, Linux or Solaris. The main argument for the engineers was that with UNIX, it would be possible to remove all the extra code unneeded for the submarines operations, thus making it more secure. However, the management point of view prevailed and thus was created the “Windows for Warships” label.
Windows was chosen even after the USS Yorktown accident in 1997, in the US. The ship was crippled after the sysadmin entered invalid data into the database thought the Remote Database Manager.
Insert any jokes about Windows controlling nuclear subs into the comments. Thank you.
Details are now starting to emerge from the deadly attacks by terrorists on the city of Mumbai, formerly known as Bombay. News outlets are starting to report technologies used by the attackers to communicate and coordinate their attacks that killed an estimated 172 people from various nations
Among all the commercial technologies used by the terrorists are GPS and satellite phones. The attackers, apparently trained in marine assault, entered the city by the MV Kuber, a hijacked fishing boat used as mother ship, and navigated by an experienced sailor using GPS maps: “A trained sailor, [Abu] Ismail used the GPS to reach Mumbai coast on November 26.” According to the Times of India, the GPS contained an escape route once the operation would be deemed completed.
Among the other objects found in the boat a satellite phone, a Thuraya model, was discovered which could be the key to find more information about the terrorists.
The satellite phone could be used to track conversations between the individuals before their landing on the city. According to an article published by ABC News, Indian Intelligence also intercepted a satellite phone call:
“Nov. 18, Indian intelligence also intercepted a satellite phone call to a number in Pakistan known to be used by a leader of the terror group, Lashkar e Taiba, believed responsible for the weekend attack, Indian intelligence officials say.“
Officials from the RAW, the Indian Intelligence agency, said that they got hold of SIM cards found with the satellite phone, possibly bought in the U.S. Those are providing leads to Lashkar e Taiba, a Kashmir separatist group, according to the same ABC article.
Also, many of the articles reports that BlackBerries phones were used by the attackers to communicate between each other and to attest the medias’ reports about the attacks. Damien McElory from The Telegraph claims that the terrorists used them to monitor the situation using British medias.
Finally, it appears the terrorists proclaimed their identity by sending various forged emails to news outlets by using a remailer.
More to come as the investigation continues, now that the siege has ended…
The Los Angeles Times reports that the reports about the Agent.BTZ worm spreading to the U.S Army networks might be a coordinated attacks originating from Russia.
The U.S Central Command is now infected with the worm and a high-classified network has been hit also.
It is unclear if the author of the article thinks that an infection is the same things as an ‘attack’ though. From the article:
“Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement.”
This infection has been report at the beginning of the month. This might just be sensationalism ofrcomplete ignorance from the author who might think than an infection by a worm made in Russia is a deliberate attack.
Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.
Then maybe they should just call Symantec or F-Secure or even better, Google it…or this if they are having a hard time..
Not entirely cyber warfare related but still a very interesting read, but according to the Global Trends 2025 report by the National Intelligence Council, irregular warfare, which cyber warfare is part of, will play a determinant part into the future of the United States:
“… expanded adoption of irregular warfare tactics by both state and nonstate actors, proliferation of long-range precision weapons, and growing use of cyber warfare attacks increasingly will constrict US freedom of action.“
Unfortunately this is the only mention of cyber warfare in the report, which fails to go into further details. This shouldn’t come to a surprise to anyone though. We all know how reliant on technology everything is nowadays and the interconnection between every part of the modern society. Not only does the United States recognized that cyber warfare will be an important part of the upcoming conflicts, but also does China and Russia, which are stated to become heavyweights on the world stage:
“Few countries are poised to have more impact on the world over the next 15-20 years than China. If current trends persist, by 2025 China will have the world’s second largest economy and will be a leading military power.“
Right now, even with her very large armed forces of 2 million active personnel, China is trying to modernize its military to be more mobile and efficient. In order to accomplish that modernization, it has explored many new avenues that western societies are still trying to grasp. In 1999, two Chinese Air Forces colonels discussed new ways to conduct war in a guide titled “Unrestricted Warfare”, where they describe the use of computers as new weapons for future warfare:
“With technological developments being in the process of striving to increase the types of weapons, a breakthrough in our thinking can open up the domain of the weapons kingdom at one stroke. As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.“
Experts seem to agree that this kind of “new weapon” could do far more damage than one can imagine:
“If someone is able to attack information that is needed by decision makers, or that is crucial to organizing logistics and supply lines of an army on the ground, that means they can induce chaos in a nation“ said Sami Saydjari, who worked as a Pentagon cyber expert for 13 years and now runs a private company, Cyber Defence Agency.
We don’t know how much of the concepts explained in this book as been accepted by the People’s Liberation Army (PLA), but events from the last decade can gave us clues as how much China has developed cyber warfare capacities based on the text of the two colonels. .Concretes realizations of these ideas may have happened as soon as four years after the publication of the guide during Operation Titan Rain in 2003.With a computer network of more than 3.5 million computers spread across 65 countries, the Pentagon faces many challenges against a strong and sophisticated attack and Operation Titan Rain proved this. According to an article on ZDNet, 20 hackers, based or using proxies based in China, successfully attacked American networks in a coordinated attack:
At 10:23 p.m. PST, the Titan Rain hackers exploited vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Ariz.
At 1:19 a.m., they exploited the same hole in computers at the Defense Information Systems Agency in Arlington, Va.
At 3:25 a.m., they hit the Naval Ocean Systems Center, a Defense Department installation in San Diego, Calif.
At 4:46 a.m., they struck the U.S. Army Space and Strategic Defense installation in Huntsville, Ala.
The results from this operation were the theft of several classified information:
“From the Redstone Arsenal, home to the Army Aviation and Missile Command, the attackers grabbed specs for the aviation mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force,” according to Alan Paller, the director of the SANS Institute.
Many other attacks have been suspected to originate from China afterwards. Attacks against most of the G7 countries such as France, UK and Germany, New Zealand and India have been reported by many medias.
Although evidence gathered shows that China is aggressively pursuing irregular warfare, Russia is also gaining a strong cyber warfare reputation on the world scene. Its attack against Estonia has won world coverage and succeeding attacks on Georgia gave the country experience in that domain. It is again unclear though if attacks from Russia are actually coming from government agencies or from criminal behaviour.
The first incident concerning Russia goes back to 1999, before the Chinese cyber attacks. American networks went under siege in what is now called Operation Moonlight Maze. Back then, FBI officials were investigating a breach into the DOD satellite control systems. Again, while the first accusations for the source of this attack were Russian authorities, it was soon shown that they were not implied in this attack. The only certitude about this operation was that the attack went through a Russian proxy.
Nevertheless, Russia cyber warfare was displayed on Estonia in 2007. Once against, it was unclear if the government was involved or if Russian patriotism over the removal of the war memorial caused Russian script kiddies and botnets to answer with a massive DDoS attack. Moscow always denied any involvement in that case. It is also well known that major botnets that are lurking on the net are often controlled by Russian cyber-criminal gangs such as the Russian Business Network. It’s quite possible that those cyber-gangs ordered their botnets to retaliate against Estonia, especially since the attack consisted mostly of a denial-of-service attack, and wasn’t not as sophisticated as a coordinated hacking attack on networks. Another plausible option would be that Russia’s cyber army is a mercenary force.
A repetition of the Estonia cyber attack then took place against Georgia during the Russia-Georgian conflict. The same kind of attack occurred and took down various governmental and commercial websites: HTTP floods were send to www.parliament.ge and president.gov.ge. Some other sites were hi-jacked and displayed fake information. The Georgian government had to put up a temporary website on Blogspot. This time, the Russian Business Network was openly suspected by many analysts to be behind the attacks.
McAfee claims that 120 countries around the world are now developing cyber warfare strategies. It is inevitable that countries without cyber warfare capacities will be at great disadvantage in any arising conflict, as disruption of communications will be the first objective of any belligerent. It’s crucial that a strong offensive and defensive cyber war force be developed in order to not only defend against cyber threats, but also wage war in cyberspace.
An unnamed senior US official has declared to the Financial Times that the Whitehouse computer network was victim to numerous cyber attacks from China. According to the same official, the attackers had access to e-mails for short periods of time.
The unclassified network of the Whitehouse was breach numerous times by the attackers, which may have stole information. The sensibility of the information accessed is not specified, but since it was on the unclassified network, no data of value should have been viewed by the hackers. The attacks were detected by the National Cyber Investigative Joint Task Force, an agency created in 2007 and under the FBI.
No one from the American and Chinese sides commented on this event. This declaration comes amid many cyber attacks performed in previous years also and every time, blamed on the Chinese or Russians. In 2007, the Pentagon claimed to have been hacked by the cyber division of the People’s Liberation Army (PLA). It has been known for a while not that China has developed advanced cyber warfare capabilities and has gain a lot of experience.
Since the 70s, when Deng Xiaoping was the head of China, the People’s Liberation Army tried to modernize itself and cut its size in order to become more efficient. Still, China is still behind when it comes to military even if its defense budget is the second largest after the United States on the planet, with US$57 billion in 2008. According to an article published in Culture Mandala, China could boost its cyber warfare capabilities in order to compensate for their technological backwardness.
It started as soon as in 2003, when it deployed its first cyber warfare units, the “zixunhua budui“. Since, many attacks have been attributed to China, such as Operation Titan Rain in 2003. China hopes that by using asymmetrical warfare, such as information warfare and cyber warfare, it might level other modern armies.
Michael Vickers, Senior Vice President for Strategic Studies at the Center for Strategic and Budgetary Assessments declared that “a Chinese attack on Taiwan could entail special operations and cyber attacks on U.S. regional bases in Japan and South Korea, and might even include cyber attacks on the U.S. homeland that target the U.S. financial, economic, energy, and communications infrastructure“. In the same document, we can read:
“One way to assess this risk is to ask whether a cyber attack by China launched a few days in advance of a clash could prevent U.S. carrier battle groups from deploying to the Taiwan Straits. Launching the attacks too early would create the risk of discovery and countermeasures.“
It is clear to me that a nation with a technologically late compared to modern armies have all the advantage to develop asymmetrical warfare. We can assess its effectiveness in Afghanistan and Iraq. And cyber warfare is a perfect way to destabilize modern armies used to technology in their daily operations. But this is far from being easy for both sides, as talented individuals and highly skills hackers are needed to develop this kind of warfare. Terrorists and groups are unlikely to develop a high quality cyber warfare force, although they still can be efficient. China, on the other hand, can and is smart to do it. After all, if a force can disable communications the enemy’s communications networks, such as GPS, emails and phone networks, it can makes a strong army useless. Like a strong man or woman, if the brain can contact the muscle through the nervous system, the body is powerless…
Today the U.S Army discovered something called Twitter, and realized that, as MySpace, Facebook, Google Earth and many other sites, it could be used by terrorists to plan attacks on landmarks or other targets. Although the Army report admits it has no proofs that Twitter is currently used by individuals for terrorism. The report details many interesting scenarios described in the report:
Scenario 1: Terrorist operative “A” uses Twitter with… a cell phone camera/video function to send back messages, and to receive messages, from the rest of his [group]… Other members of his [group] receive near real time updates (similar to the movement updates that were sent by activists at the RNC) on how, where, and the number of troops that are moving in order to conduct an ambush.
Scenario 2: Terrorist operative “A” has a mobile phone for Tweet messaging and for taking images. Operative “A” also has a separate mobile phone that is actually an explosive device and/or a suicide vest for remote detonation. Terrorist operative “B” has the detonator and a mobile to view “A’s” Tweets and images. This may allow “B” to select the precise moment of remote detonation based on near real time movement and imagery that is being sent by “A.”
Scenario 3: Cyber Terrorist operative “A” finds U.S. [soldier] Smith’s Twitter account. Operative “A” joins Smith’s Tweets and begins to elicit information from Smith. This information is then used for… identity theft, hacking, and/or physical [attacks]. This scenario… has already been discussed for other social networking sites, such as My Space and/or Face Book.
Although this is true, for anyone having a clue about technology, this shouldn’t be any news. Any social networking site offers the opportunity to criminals and terrorists extensive information about someone. This can only by solved by educating people about privacy, and why it’s important. This is especially true for security and military personnel.
As more and more of the infrastructure of modern societies gets inter networked, the more the authorities are taking notice of the possible disasters that ought to happen if those networks would be attacked and controlled by malicious individuals. Based on that, the U.S Secretary of the Air Force announced the creation of the AFCYBER, the Air Force Cyber Command, whose mission “will be to provide combat ready forces trained and equipped to conduct sustained global operations in and through cyberspace, fully integrated with air and space operations“. Let’s go deeper into that interesting new agency and try to see if it can actually matches the challenges of this century.
The United States government released in February 2003 a 76 pages document titled “The National Strategy to Secure Cyberspace”. This document recommended numerous solutions and actions to better protect the American cyberspace. Among these actions, one of them recommends to “Improve coordination for responding to cyber attacks within the U.S. national security community”. Based on that recommendation, the former U.S Secretary of the Air Force, Michael W. Wynne decided to establish a cyberspace command. He also stated:
“The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command as the provider of forces that the President, combatant commanders and the American people can rely on for preserving the freedom of access and commerce, in air, space and now cyberspace“
It then has been decided that the 67th Network Warfare Wing and some elements of the 8th Air Force would serves as the core of the new command. It’s interesting to note that the goal of the 67th is “organizes, trains, and equips cyberspace forces to conduct network defense, attack, and exploitation.” Therefore, the Air Force already had an unit trained to conduct cyberspace operations, and more interestingly, this unit was also train to conduct attacks, not only defensive operations. Thus, in 2006 the Air Force Cyberspace Command (Provisional) unit was put into place. but faced many difficulties. The first came as to define the term “cyberspace”, define the command’s operations, find a location to base the unit, then find the personnel and define all their functions, train them and organize the unit. Those challenges were perfectly summarized when Maj. Gen. William T. Lord answered a Slashdot user about the location of the new command:
“I would hope that no matter where it was located, we would still be able to attract the talent needed to work in this exciting command and that all communities see the need to protect this domain.”
Attracting specialists and talented individuals is getting harder and harder. The private sector in technology is still offering, for now at least, good opportunities for graduated students. Maybe that’s why the AFCYBER touted is creation and development with TV ads and advertisement all over the web. A great mistake, as it opened it to greater scrutiny from the public and observers, which would now be able to witness the success or the failure of the new command…
And not only did it have difficulties organizing itself, it was in competition with other similar services of the military, with the Navy (Naval Network Warfare) and Army already having such organizations, without forgetting about organizations such as the National Security Agency (NSA).
Even with the fore mentioned difficulties, “We’ve figured all that out” said General Lord in October this year, “We’ve outlined how to organize cyber forces, i.e., what capabilities fall into, or not into, a cyber organization“.
The optimism expressed in Lord’s comment was hard to share. One month earlier, the establishment of the Cyber Command was suspended and the transfers of units were halted. In June, different actors were still discussing if the command should concentrate on defense and protection or if it should also conduct offensive operations. The ever growing size of the command and the confusion about which operations of the unit was to conduct were slowing any progress and all this amid numerous other Air Force scandals about nuclear management, which later caused Wynne to resign from his post.
As by October 8, 2008, the Air Force decided that the Cyber Command will finally be a numbered unit under the Air Force Space Command as told by Staff Gen. Norton A. Schwartz (see previous post “U.S Air Force Cyber Command is Working on a new Roadmap“, October 24, 2008). After 2 years, it seems that very little has been accomplish. We still have no idea of the structure, the size and not even the mission of the unit. Although Colorado Springs is apparently the preferred location, still no official location have been designated.
Will it work?
To be successful any cyber unit must first emphasize on constant research of new vulnerabilities in order to take the lead. It’s not just about looking at logs and waiting for an attack to occur. Any
serious cyber warfare unit must cooperate with every actor of the computer security field, not only corporations or universities, but also with hobbyist groups, hackers and phreakers in order to always have the initiative. As information is always distributed at blazing speed through out the net, and that nothing stays secret for long, constant research is needed to discover new vulnerabilities and detailed analysis. Yet, all those actors have been, as far as I know, ignored or forgotten.
Also, offensive is the best defense. Why should a military organization concentrate only on defensive operations? It even goes against American principles of war, as it ignores the “Offensive” principle, letting the initiative to the enemy. This is clearly not a sound decision. It ignores the basic concepts or warfare. I believe this is mostly due to a certain mentality in the military leadership, which still regards technology as support for troops instead of a fully fledge battlefield. This reasoning needs to change if we are to develop real cyber warfare operations. This is certainly something the Chinese understood.
I believe it will, if this unit becomes reality, become an administration bloated unit that will miss the point. Quantity is never a remedy to the lack of quality. A small but highly trained and skilled unit of hackers can do a lot more than a legion of technicians. The important part of cyber warfare is always to stay ahead, since that as soon as a hole or exploit is found, the enemy will patch it thus making it obsolete. and therefore, the need to find the next security vulnerability. Therefore, we don’t need a bigger bureaucracy, but more research, more cooperation with existing similar units and agencies and to develop a strong offensive capacity as the Chinese government seemed to have developed. The 67th Network Warfare unit and the Naval Network Warfare Command would be able to implement those capacities with the appropriate funding and support.
This command, which seemed like an important toward cyber warfare, now seems to have become a botched concept that will unlikely be of any use, except for other to look upon and learn from their mistakes. As the U.S Navy also has plans for a Naval Cyber Command, they have been a lot quieter about their project, maybe so they won’t suffer the same humiliation as their colleagues.
As governments are realizing the potential threats from a cyber war, agencies are organizing themselves to protect and defend their cyberspace. The U.S Air Force was based on this premise and would have been a good idea…if anyone had any idea of what they were talking about. Instead, it became or will become an administrative burden that failed and that will give no ror little results. In the end, the “Cyber Command” or what’s left of it, will be another organization which goals will be the same as the other agencies already in place, with no new value or innovative ideas…While western nations are struggling to grasp the concept of cyber warfare, others are developing a very well organized and effective effort to disrupt our systems. Cyber war is won by being a step ahead…and we’re not…
A new roadmap will be written for the reorganization of what was once the U.S Cyber Command. The project was downgraded from a major command to a numbered unit on October 8 by Staff Gen. Norton A. Schwartz. The cyberspace mission of the Air Force will be part of the Air Force Space Command. Both organizations are now working at ways of working together to fulfill the Air Force commitment to protect the cyberspace.
“This is not an additional duty for us,” General Kehler said. “We are in this 100 percent, and we will dedicate the manpower and resources needed to make this transition work. This is not just building a cyber numbered Air Force. This is establishing a robust cyberspace capability for our Air Force, and there won’t be a huge difference in what was being presented originally — cyber being its own command — with what will be done under Air Force Space Command’s umbrella.
There more I read about the Air Force Cyber Command, the more I believe it’s going to end up as it started. In the end, this is about the 67th Network Warfare unit transferring under the Air Force Space Command from the 8th Air Force. This is a wasted opportunity from the Air Force.