August 5, 2015

Spooks and Spoofs: Cybercrime, Cyberspies & Best Defenses

CIO Strategy Exchange, New York, 2010

Concerns over cyber warfare and cyber-crime (including both thefts of intellectual property and denial of service attacks) have grown markedly in the last two years. The vote by our pragmatic CIOSE members to address this murky topic is one indicator of the strength of this trend. Another bit of evidence is the heightened coverage by the traditional business press, beginning with The Economist’s cyber warfare cover story (July 3, 2010), and continuing with multiple stories in the Wall Street Journal over recent months linking the surreptitious collection of consumer data to potential theft of corporate intellectual property affecting every economic sector.

Clearly, the hackers are no longer talented college pranksters. Today, they range from highly sophisticated collectors of marketing data to criminal gangs and extortionists to cyber warriors, numbering in the thousands and funded (often clandestinely) by state actors from China, Russia, Iran and elsewhere.

The best way to gauge the magnitude of this threat (before turning to CIOSE member experiences) is through the declassified analyses of the 2008 Russian invasion of Georgia issued by the U.S. Cyber Consequences Unit (US-CCU) in August 2009.

  • The Russians launched four cyber attacks: in Estonia, in 2007, when locals toppled a statue that commemorated Russian involvement fighting the Nazis; in Lithuania in 2008; in Kazakhstan in early 2009; and, most overtly, in Georgia between August 7 and 16, 2008. In that case, Russia invaded its neighbor ostensibly in defense of ethnic Russians living there but, more plausibly, to create uncertainty about the stability of Georgia’s oil and gas transport facilities.
  • The cyber attacks were timed to coincide with the invasion and stopped when Russian military operations ended. However, the attackers were civilians, many of them working with organized crime and Russian sympathizers in Ukraine and Latvia. That made it impossible to hold the government responsible, a characteristic also apparent in recent cyber attacks from China and elsewhere. Interestingly, the civilian combatants were recruited through social networks normally devoted to dating, hobbies, and political commentary.
  • Coordination of the attack was sophisticated but the methods were not: preset “botnets” (millions of malware-controlled computers) flooded eleven sites with HTTP packets and caused massive denial of service. Web defacement hit another 43 sites, sometimes causing them to continue requesting pages that didn’t exist, thus exhausting their capacity.
  • The attacks came in two waves, with the first hitting government sites (presidential offices, ministries, courts, and parliament) and the media, including the BBC and CNN. Next came banking and business associations whose intercompany networks might have helped illuminate the situation on the ground. The attacks “significantly impeded the Georgian Government’s ability to deal with the Russian invasion,” concluded the US-CCU, “by interfering with communications between government and the public, stopping many payments and causing confusion about what was happening.” The National Bank of Georgia was forced to sever its financial interconnection for ten days. Email, mobile, and land-line telephone communications were also disrupted.
  • In the end, the cyber attacks effectively decapitated the state much as a preemptive bombing attack would have done in an earlier era, but without any lasting physical damage. Ominously, the Russians had the savvy to do much more. “Someone on the Russian side was exercising considerable restraint,” observed the US-CCU’s jaundiced commentator.