The
past decade may be portrayed as a period of growing cyber threats, or
at least as a period of increasing fear and a growing conviction
regarding cyber insecurity. Among the many cyber-vulnerable
industries, critical infrastructure in the energy sector faces the
newest risks, because its information systems are now connected to,
and interdependent with, the open internet. Cyberspace has
become a major potential landscape of insecurity, and both experts and
governments admit that critical infrastructures, which include electric
power transmission systems, water distribution systems, and oil and gas
distribution systems, are susceptible to cyber attacks. Some of the more
startling issues that have surfaced are:
- Reported Chinese and Russian infiltration of the US electricity grid
- In 2009, the U.S. oil companies Marathon Oil, ExxonMobil and ConocoPhillips were the targets of cyber attacks. Data was leaked as a result of cyber espionage, and the perpetrators may have been Chinese hackers.
- In February 2010, the European Union’s Emissions Trading Scheme (ETS) was the victim of phishing-based fraud. The registries in 13 European countries were forced to close.
- According to a recent survey by McAfee, “the most victimized sector was oil and gas, where two thirds of executives report distributed denial of service (DDoS) attacks”. Twenty-seven percent of respondents in the power sector and thirty-one percent in the oil and gas sector reported being victims of extortion through cyber attacks.
In the face of damaging if not
catastrophic attacks, government authorities have launched several
programs. One such program is a five-year research project
into securing the US power grid, called “Trustworthy Cyber
Infrastructure for the Power Grid,” funded by the US
Departments of Energy and Homeland Security. One aim of this project is
to ensure that the new smart meters that will accompany the
introduction of the smart grid can resist hackers’ attacks. Similar
programs have been implemented in several other countries all around the
world. The Infocomm Security Masterplan in Singapore aims at defending
the critical infrastructures (finance, energy, water,
telecommunications) of the country against cyber attacks.
Security Issues & Information War Attackers
The
spectrum of tools and methods used by attackers may include
virus-and-malware dissemination. In 2003, for example, the Slammer
worm penetrated a computer at the Davis-Besse nuclear power plant and
disabled a safety monitoring system. In 1998, a hacker using a Trojan
horse program reportedly seized control of a main EU gas pipeline. Other
attacks include intrusions into network systems, DDoS attacks through
botnets (a botnet is a network of compromised machines under the remote
command and control of an attacker), equipment sabotage through
cyberspace, information manipulation to condition adversaries’ thinking,
personal data theft, etc.
Through the theft of data, for example, the
attackers may get sensitive information concerning company employees,
their activities and their passwords, which can be used in future
attacks. In 2009, 69 computers from the Los Alamos National Laboratory
(nuclear weapon research lab) were missing or were stolen. The PCs may
have contained personal or sensitive information. Over the past ten
years, the laboratory has lost several hard disk drives filled with
classified information.
Cyber attackers may be
divided into a few main categories, each type associated with different
objectives. One group is composed of politically motivated attackers.
Another group is composed of state actors (governments, intelligence
agencies, militaries) whose objective is to acquire all kinds of data,
knowledge and secrets (economic, scientific, military and political),
the traditional business of intelligence and reconnaissance. Espionage
is probably the main reason why the vast majority of these types of
attacks are attributed to foreign state actors. Other objectives of
state-sponsored cyber attacks include
equipment disruption, mapping a potential adversary’s capabilities, and
assessing capacity to attack an adversary's critical infrastructure
during a time of conflict. These are the information and cyber warfare
actors.
With the above objectives in mind,
current attacks may be seen as efforts to map the web, its
infrastructures and its actors. In the event of a major conflict, all
the information accumulated in times of peace could be used by
militaries. Energy distribution systems would be prime targets of
military cyber attacks.
China & Cyber Insecurity?
Increasingly, accusations are emerging from industrialized and developing countries pointing to China (the People’s Liberation Army, “Beijing”, the “government”, or its hackers) and accusing it of being the source of major cyber attacks. These have reached sensitive targets, such as critical information infrastructures, the servers of big international firms and government agencies. The methods used in such attacks, themselves vaguely defined, are usually those of cyber criminals: intrusion, data theft, interception of data and communications, spreading malware and viruses, use of botnets and web defacement. Whereas cybercriminals are motivated by financial gain, several of these attacks are not money-oriented operations and therefore point to another originating source. Some of these attacks clearly serve other goals, such as intelligence gathering or the dissemination of ideologies.
Current forensic methods and
technologies do not enable investigators to reliably attribute cyber
attacks to one actor or another, i.e. to determine an attacker’s
identity. As a result, it is difficult (if not impossible) to
conclusively assert that the Chinese government and/or Chinese army are
involved in the incidents assigned to them.
China’s Strategy for Information Warfare
China
has demonstrated its intention to become an internationally leading
player in the fields of information and cyber warfare. Information
warfare involves actions taken to achieve information superiority by
affecting adversary information, information processes, information
systems and computer-based networks, while denying the adversaries’
ability to do the same. Cyber warfare is usually considered as a subset
of information warfare: it is warfare conducted in cyberspace. More
than 20 years ago, China began to publish its theories, doctrines,
policies and strategies concerning both defensive and aggressive use of
cyberspace. Recently, a student from the Institute of Systems
Engineering of Dalian University of Technology in China published a
research paper titled “Cascade-Based Attack Vulnerability on the US
Power Grid.” The title sounded like a provocation. Several American
experts and journalists analyzed the article as a new demonstration of
China’s offensive motivations against American infrastructure (and
indeed against the security and sovereignty of the USA), and also as
proof of China’s involvement in a new arms race in cyberspace. China’s
approach to information warfare and cyber warfare has two main
dimensions: military and civilian, both developed through theoretical
and practical considerations.
The Military Dimension
The
dazzling success of the US in the first Gulf War was interpreted by
several armies in the world as the victory of new technologies.
According to this model, information and information technologies’
dominance provided total control over the battlefield and was the key to
military success, victory and power. This conclusion called for a
radical transformation within armed forces. The Revolution in
Military Affairs (RMA) concept and the subsequent transformation of
Chinese doctrine guided new strategies of evolution in Chinese military
affairs, as they did in several industrialized countries
worldwide. In this context, the concept of information warfare acquired
greater consideration among military experts in China. Since the mid
1990s the Chinese army has implemented a modernization program guided by
the concept of “informationization” (the integration of information
technology into all aspects of military operations, with the aim of
dominating information technologies and cyberspace).
In
1995 General Wang Pufeng, who is considered the father of Chinese
doctrine of information warfare, outlined several key concepts of this
doctrine. Among them he pointed out that:
- The goal of information warfare is no longer the conquest of territories or the destruction of enemy troops, but the destruction of the enemy’s will to resist.
- Information warfare is a war in which the ability to see, to know and to strike more accurately and before the adversary is as important as firepower.
In 1997 Colonel Wang Baocun added that:
- Information warfare can be conducted in times of peace, crisis and war;
- Information warfare consists of offensive and defensive operations;
- The main components of information warfare are command and control, intelligence, electronic warfare, psychological warfare, hacker-warfare and economic warfare.
In 1999, Colonels Qiao Liang and Wang Xiangsui in their book Unrestricted Warfare,
which concerns asymmetric warfare in an age of terrorism and
globalization, emphasized that “technological progress has given us the
means to strike at the enemy’s nerve centre directly without harming
other things, giving us numerous new options for achieving victory, and
all these make people believe that the best way to achieve victory is to
control not to kill.” This form of modern war called “unrestricted
warfare” means that weapons and techniques are now multiple and that the
battlefield is now everywhere. In short, they emphasize that “The
battlefield is next to you and the enemy is on the network,” and they
add, “information war is the war where the computer is used to obtain or
destroy information.”
Finally, it's worth mentioning the Liberation Army Daily, which in 2006 defined information warfare as:
- a process to take advantage of the enemy in a war under conditions of informationization, and
- a process which finds its strongest expression in our ability or inability to use several means to obtain and ensure an efficient flow of information; our ability or inability to make full use of the permeability of information space to share and connect information and information systems, to merge materials, energy, and information and create a combined fighting force; and in our ability or inability to weaken the information superiority of the enemy and operational effectiveness of the enemy’s computer equipment.
Within
the framework of these approaches, Chinese military modernization is
guided by the concept of “informationization” which means developing a
network architecture that allows the coordination of military operations
in multiple dimensions. The strategy of information warfare is
contained in the Chinese concept of integrated network electronic
warfare (INEW), defined by General Dai Qingmin in the early 2000s. INEW
is the integration of electronic warfare (EW), computer network attack
(CNA), protecting networks through computer network defence (CND),
and intelligence operations through computer network exploitation
(CNE). The joint action of CNA and EW against an adversary’s Command,
Control, Communications, Computers, Intelligence, Surveillance and
Reconnaissance (C4ISR) and logistics systems and networks constitutes
the basis of offensive Chinese information warfare.
In 2003, the Central Military Commission of the Chinese Communist Party endorsed the concept of the Three Warfares within the concept of military information warfare. The Three Warfares
concept includes psychological warfare, media warfare (influencing
public opinion both nationally and internationally), and legal warfare
(using the tools of national and international law to gain the
support of the international community). In keeping with this concept,
China has repeatedly been accused of cyber attacks (for example against
the U.S. power grid in 2009) yet systematically denies any accusation
of wrongdoing. Beijing uses the international media to give its own
version of events and to call for international cooperation to counter
cyber threats. China uses the cyber-realm to present itself as a victim,
denouncing the “Cold Warriors” whom it accuses of fabricating the
allegations against the country, and reminding the international
community that China has a legal framework to fight against cybercrime.
Several
military training centers in China provide cyber-war training programs
to military staff and have done so since the mid-1990s. Since 1997
international media have reported a large number of information warfare
exercises conducted by military forces. The exercises demonstrate the
transition from information warfare theory into practice. The actual
information warfare and cyber warfare capabilities of China remain
unknown. But whatever these capabilities are, gaining power and
superiority in the cyber dimension has become a major issue in China.
The objective is to be able to win wars conditioned by information
(information warfare, cyber war) before 2050. As Dai Qingmin
said in 2009, “the internet will become the place of an inevitable arms
race.”
The Civilian Dimension
In
1995 General Wang Pufeng evoked the revival of the “people’s war”
concept, made possible by the integration of civilian and military
experts in the same struggle: the traditional battlefield no longer
exists, and war may be everywhere, becoming everybody’s matter.
Concretely, the involvement of the civil sector is reflected in many ways:
- China develops its military capabilities in close relationship with private industry and academia, putting into practice policies promoting the connection between private and public sectors, and between civilian and military sectors. This phenomenon can be observed in a great number of other industrialized nations as well.
- At the frontier of the civil-military dimension, militia units established by the army in various military provinces involve citizens from the industry or academia. Units have been set up that have expertise in information warfare, electronic warfare, psychological warfare, information operations, network warfare, etc.
- Some sources suggest the existence of links between supporters of the People’s Liberation Army and the hacker community, but one might question whether the Chinese army has any power over the latter. The 2003 “Annual Report on the Military Power of the People’s Republic of China” referenced the dangers inherent in nationalist hacking (hacktivism) during times of crisis. Many actions are credited to Chinese hackers: waves of cyber attacks following the bombing of the Chinese embassy in Belgrade by NATO forces in 1999, attacks against the interests of Taiwan, attacks against official US websites in protest against the collision between a Chinese fighter jet and a US spy plane in 2001, attacks against Tibetan websites, and attacks in 2008 against the website of the French embassy in China following a meeting between the Dalai Lama and the French President Nicolas Sarkozy. The list of hacktivists’ attacks is a long one.
Chinese information warfare is mainly
devoted to managing power relations with the outside world, but this may
also be applied within the framework of its borders: information and
cyberspace superiority are a matter of power in China. In recent years,
technological progress has complicated this picture. Social networks
(Twitter, Facebook) have become new actors and tools on the national and
international political scene. In August 2009 an article published on
the website Central European News in Chinese (Cenews) described Twitter
and other social networks as a new weapon used for cultural subversion
and for the political infiltration of the country.
Some Thoughts on Critical Infrastructure
The insecurity of critical infrastructure is an urgent issue to be solved. But it is not a recent one. The dependence of modern societies on technologies is not a new story. Stuart Chase wrote in 1929,
“With
the growing use of electric power, the telephone, gasoline, and
imported foodstuffs, the factor of dependence on an unknown technology
is very great… The machine has presented us with a central nervous
system, protected with no spinal vertebrae, lying almost naked for the
cutting… If, for one reason or another, severance is made, we face a
terrifying, perhaps a mortal crisis… Day by day the complexity, and
hence potential danger, accelerates; materials and structures
ceaselessly and silently deteriorate. One may look for some ugly
happenings in the next ten years.”
Even
earlier, in 1905, the French Nobel laureate Anatole France described
the new threats associated with the new technologies of
communication when he wrote,
“Telegraphy and
wireless telephony were used from one corner of Europe to the other and
so easy that the poorest man could talk, when he wanted and how he
wanted, to a man located anywhere on the globe. […] It was the lifting
of borders. Critical hour indeed! […] The French Republic, the German
Republic […] Switzerland even and Belgium, each expressed, by unanimous
vote from their parliament and in huge meetings, the solemn resolution
of defending against any foreign aggression the national territory and
national industry. Tough laws were announced […] regulating severely the
use of the wireless telegraph […] Our borders are defended by
electricity. The federation is surrounded by a zone of thunder. A simple
man wearing glasses is sitting somewhere in front of his keyboard. He
is our only soldier. He has only to touch a key to destroy an army of
500,000 men”.
We recognize in these early
writings contemporary themes: the global dissemination of a
communication technology, the concern that it raises among governments,
the perceived threat to national security and defence, the resulting
authoritarian reactions and regulations, and indeed the image of
absolute power in the hands of a single man (a hacker?) as powerful as a
whole army (asymmetric power?), able to destroy an adversary in one
fell swoop, in an image of the Apocalypse, recalling the catastrophic
predictions of an electronic Pearl Harbor type war.
But
there is a difference between the early 20th Century and the first
decade of 21st Century: the fiction of 1905 has become reality in 2010.
New communication technologies and virtual cyberspace have acquired the
status of weapons and a space of conflict among militaries and
criminals. Their very existence makes possible new strategies. In 1999,
Qiao Liang and Wang Xiangsui wrote that,
“Supposing
a war broke out between two developed nations already possessing full
information technology, and relying upon traditional methods of
operation, […] by using the combination method, a completely different
scenario and game can occur: if the attacking side secretly musters
large amounts of capital without the enemy nation being aware of this at
all and launches a sneak attack against its financial markets, then
after causing a financial crisis, buries a computer virus and hacker
detachment in the opponent's computer system in advance, while at the
same time carrying out a network attack against the enemy so that the
civilian electricity network, traffic dispatching network, financial
transaction network, telephone communications network, and mass media
network are completely paralyzed, this will cause the enemy nation to
fall into social panic, street riots, and a political crisis. […] This
admittedly does not attain dimension spoken of by Sun Zi, when he
states, 'The other army is subdued without fighting.' However, this can
be considered 'Subduing the other army through clever operations.' […]
This is, however, only a thought. However, it is certainly a feasible
thought."
Cyberspace has become a vulnerable
weaponized system that China knows how to use in times of peace, and a
tool to gain more power in a globalized world. The policies developed by
the Chinese government and military are officially defensive ones and
never suggest any offensive peace-time orientation, as a cyber attack
could be considered as an act of war by the victims. Beijing authorities
officially condemn all forms of cyber criminal activity as well as
hacking operations that target Chinese or foreign victims. It is also
known that China has offensive technical capabilities and a
theoretical/doctrinal framework for information and cyber warfare.
Nevertheless, the existence of a strategy alone may not be used as an
argument to attribute cyber attacks to China. The fact is that the
origin and author of an attack are extremely difficult to establish.
Perpetrators never sign their attacks, and China is only one among many
countries that have cyber war capabilities and theoretical frameworks
for information warfare. Several reports assert that more than 120
countries have such capabilities.
Furthermore,
the perpetrators of information warfare or cyber attacks may differ over
time, with differing objectives and strategies. A major cyber attack
could be perpetrated by an inside actor, or by any hacker from any
country in the world. According to a senior intelligence official,
quoted in an article published in April 2009, “The Chinese have
attempted to map our infrastructure, such as the electrical grid… So
have the Russians.” The Director of U.S. National Intelligence said that
a number of nations, including Russia and China (but not limited to them
alone), can disrupt elements of the U.S. information infrastructure.
Focusing
our attention on the “Chinese” source of cyber attacks may prevent us
from objectively viewing the new global strategic environment. The risk
is to ignore threats emanating from other nations and their own
information-cyber warfare communities. Again, due to technical reasons,
we do not really know which attacks originate in China or elsewhere.
Blindly accusing countries is a risky game with unforeseen consequences.
Conclusions
The complex combination of interdependent systems, actors, and infrastructures may be the final target of cyber attacks. In this case, the perpetrator might be a hacker operating for fun, spies leaking data, or cybercriminals. But the most dangerous threat is the effects-based attack: the target of the cyber attack launched against this complex may be the individuals, the society or the economy that depend on the critical infrastructures. By paralysing the critical energy infrastructure (CEI), the perpetrator can target the larger social environment. Several questions must be answered in this regard. Is a comprehensive cyber attack possible against CEI? Is a cyber attack against a CEI effective? What is the impact of a cyber attack on CEI? The infrastructure being a complex system, the attack may in fact have minimal or no impact.
If the answer to one or
more of these questions is affirmative, then it must be asked what are
the secondary effects of such an attack? Are the impacts limited to
technological problems, and is the problem easy to solve? How far could
the effects of a CEI attack impinge upon national or international
relations with foreign partners or even on international energy
markets? If the attack is limited to societal impact, how does a
government manage to stabilize the situation? In an extreme instance,
the technical solution (recovering the activity of the CEI) is not a
guarantee for the stabilization of the social situation. Might the
victim of such a cyber attack turn it to good account? The victim might
use the incident/attack to denounce the aggressive will of adversaries,
to call for international cooperation, to use the attack as a political
argument within the scope of the international arena, etc. The answers
to these questions demonstrate that cyber threat against critical energy
infrastructure is not of limited technical scope but one of global
geopolitical importance.
Increasing the security of critical infrastructures and in particular energy infrastructure requires:
- Irrefutable proof concerning the identity and motivations of perpetrators. In short, efficient attribution technologies must be developed.
- A secure technical environment: the exploitation of technical flaws is the root source of cyberspace insecurity.
- Scenarios for recovery after an incident and scenarios to strengthen resilience.
- Reaction capabilities, articulated scenarios, and coherent policies to guide nations in a post attack period.
- The application of basic rather than complex and costly security standards and policies. What matters most for security is not complexity but applicability. Audit processes and security certifications should be simplified, and the application of basic security measures (using antivirus protection, regulating the use of information systems by employees, disconnecting sensitive systems from the public internet, strengthening the protection of sensitive and personal data, applying access control policies, etc.) should be advanced.
- A focus on strategy: information and cyber warfare are matters of strategy, technical issues are of secondary importance.
- Developing “national” solutions (applications, software, hardware, infrastructures) rather than relying on foreign suppliers of essential technologies.
Daniel Ventre is a researcher at CNRS in Paris. His website is http://infowar.romandie.com