Cyber War: The Next Threat to National Security and What to Do About It (4 page)

After Bronze Night, the Russian security services had encouraged domestic media outlets to whip up patriotic sentiment against Estonia. It is not a stretch to imagine that they also asked organized crime groups to launch the hackers in their employ, perhaps even giving those hackers some information that would prove helpful. Did the Russian government security ministries engage in cyber attacks on Estonia? Perhaps that is not the right question. Did they suggest the attacks, facilitate them, refuse to investigate or punish them? And, in the end, does the distinction really matter when you are an Estonian unable to get your money out of a Hansapank ATM?

Following the cyber attack, NATO moved to create a cyber defense center. It opened in 2008, a few miles from the site where the giant bronze solider had originally stood. On the original site of the bronze soldier there is a nice little grove of trees now. Unfortunately, the NATO center in Tallinn was of little use when another former Soviet satellite republic, Georgia, and Mother Russia got into a tussle over some small disputed provinces.

The Republic of Georgia lies directly south of Russia along the Black Sea, and the two nations have had a decidedly unequal relationship for well over a century. Georgia is geographically slightly smaller than the state of South Carolina and has a population of about four million people. Given its location and size, Georgia has been viewed by Moscow as properly within the Kremlin’s “sphere of influence.” When the original Russian empire began to disintegrate after the Russian Revolution, the Georgians tried to make a break for it while the Russians were too busy fighting each other, declaring Georgian independence in 1918. As soon as the Russians finished fighting each other, however, the victorious Red Army quickly invaded Georgia, installed a puppet regime, and made Georgia part of the Union of Soviet Socialist Republics. Soviet control of Georgia lasted until 1991, when, as the central Russian government was again in turmoil, Georgia once more took the opportunity to declare independence.

Two years later, Georgia lost control of two territories, South Ossetia and Abkhazia. Supported by Moscow, the local Russian populations in those territories succeeded in defeating the ragtag Georgian army and expelling most Georgians. The territories then set up “independent” governments. Although still legally part of Georgia as far as the rest of the world was concerned, the regions relied on Russian funding and protection. Then, in July 2008, South
Ossetian rebels (or Russian agents, depending upon whose version of events you trust) provoked a conflict with Georgia by staging a series of missile raids on Georgian villages.

The Georgian army, predictably, responded to the missile strikes on its territory by bombing the South Ossetian capital city. Then, on August 7, Georgia invaded the region. Not surprised by this turn of events, the Russian army moved the next day, quickly ejecting the Georgian army from South Ossetia. Precisely at the same time that the Russian army moved, so did its cyber warriors. Their goal was to prevent Georgians from learning what was going on, so they streamed DDOS attacks on Georgian media outlets and government websites. Georgia’s access to CNN and BBC websites were also blocked.

In the physical world, the Russians also bombed Georgia and took over a small chunk of Georgian territory that was not in dispute, allegedly to create a “buffer zone.” While the Georgian army was busy getting routed in Ossetia, rebel groups in Abkhazia decided to take advantage of the situation and push out any remaining Georgians, with a little help from their Russian backers. The Russian army then took another little slice of Georgian land, as an additional buffer. Five days later, most of the fighting was over. French President Nicolas Sarkozy brokered a peace agreement in which the Russians agreed to withdraw from Georgia immediately and to leave the disputed territories once an international peacekeeping force arrived to fill the security vacuum. That force never arrived, and within a few weeks Russia recognized South Ossetia and Abkhazia as independent states. The declared independent states then invited their Russian benefactors to stay.

To most in the U.S., except then presidential candidate John McCain, who tried to portray it as a national security crisis for America, all of this activity in Georgia seemed remote and unimportant. As soon as most Americans reassured themselves that the news reports
they heard about the invasion of Georgia did not really mean Russian army troops or General Sherman again marching on Atlanta, they tuned out. The event’s true significance, beyond what it revealed of the Russian rulers’ thinking about their former empire, lies in what it exposed of their attitudes toward the use of cyber attacks.

Before fighting broke out in the physical world, cyber attacks hit Georgian government sites. In the initial stages, the attackers conducted basic DDOS attacks on Georgian government websites and hacked into the web server of the President’s site to deface it, adding pictures that compared the Georgian leader, Mikheil Saakashvili, to Adolf Hitler. It had seemed trivial, even juvenile, at first. Then the cyber attacks picked up in intensity and sophistication just as the ground fighting broke out.

Georgia connects to the Internet through Russia and Turkey. Most of the routers in Russia and Turkey that send traffic on to Georgia were so flooded with incoming attacks that no outbound traffic could get through. Hackers seized direct control of the rest of the routers supporting traffic to Georgia. The effect was that Georgians could not connect to any outside news or information sources and could not send e-mail out of the country. Georgia effectively lost control of the nation’s “.ge” domain and was forced to shift many government websites to servers outside the country.

The Georgians tried to defend their cyberspace and engage in “work-arounds” to foil the DDOS attack. The Russians countered every move. Georgia tried to block all traffic coming from Russia. The Russians rerouted their attacks, appearing as packets from China. In addition to a Moscow-based master controller for all the botnets being used in the attacks, servers in Canada, Turkey, and, ironically, Estonia were also used to run botnets.

Georgia transfered the President’s webpage to a server on Google’s blogspot in California. The Russians then set up mock presidential sites and directed traffic to them. The Georgian banking sector shut
down its servers and planned to ride out the attacks, thinking that a temporary loss of online banking was a better bargain than risking the theft of critical data or damage to internal systems. Unable to get to the Georgian banks, the Russians had their botnets send a barrage of traffic to the international banking community, pretending to be cyber attacks
from
Georgia. The attacks triggered an automated response at most of the foreign banks, which shut down connections to the Georgian banking sector. Without access to European settlement systems, Georgia’s banking operations were paralyzed. Credit card systems went down as well, followed soon after by the mobile phone system.

At their peak, the DDOS attacks were coming from six different botnets using both computers commandeered from unsuspecting Internet users and from volunteers who downloaded hacker software from several anti-Georgia websites. After installing the software, a volunteer could join the cyber war by clicking on a button labeled “Start Flood.”

As in the Estonian incident, the Russian government claimed that the cyber attacks were a populist response that was beyond the control of the Kremlin. A group of Western computer scientists, however, concluded that the websites used to launch the attacks were linked to the Russian intelligence apparatus. The level of coordination shown in the attacks and the financing necessary to orchestrate them suggest this was no casual cyber crusade triggered by patriotic fervor. Even if the Russian government were to be believed (namely, that the cyber storm let loose on Georgia, like the previous one on Estonia, was not the work of its official agents), it is very clear that the government did nothing to stop it. After all, the huge Soviet intelligence agency, the KGB, is still around, although with a slightly different organizational structure and name. Indeed the KGB’s power has only increased under the regime of its alumnus, Vladimir Putin. Any large-scale cyber activity in Russia, whether
done by government, organized crime, or citizens, is done with the approval of the intelligence apparatus and its bosses in the Kremlin.

If it was, as we suspect, effectively the Russian government that asked for the “vigilante” DDOS and other cyber attacks as a stand-alone punishment of Estonia and later conducted them as an accompaniment to kinetic war on Georgia, those operations do not begin to reveal what the Russian military and intelligence agencies could do if they were truly on the attack in cyberspace. The Russians, in fact, showed considerable restraint in the use of their cyber weapons in the Estonian and Georgian episodes. The Russians are probably saving their best cyber weapons for when they really need them, in a conflict in which NATO and the United States are involved.

For years U.S. intelligence officials had thought that if any nation were going to use cyber weapons, even in the small ways demonstrated in Estonia and Georgia, the likely first movers would be Russia, China, Israel, and, of course, the United States. The nation that joined that club in the summer of 2009 came as a surprise to some.

It was a little after seven p.m. in Reston, Virginia, on the last Monday in May 2009. Outside, the rush-hour traffic was beginning to thin on the nearby Dulles Airport Access Road. Inside, a flat screen at the U.S. Geological Survey had just indicated a 4.7 magnitude earthquake in Asia. The seismic experts began narrowing in on the epicenter. It was in the northeastern corner of the Korean Peninsula, specifically forty-three miles from a town on the map called Kimchaek. The data showed that there had been a similar event very nearby in October 2006. That one had turned out to be a nuclear explosion. So did this one.

After years of negotiating with the U.S., as well as with China and Russia, the weird, hermetic government of North Korea had decided to defy international pressure and explode a nuclear bomb,
for the second time. Their first attempt, three years earlier, had been characterized by some Western observers as something like a “partial fizzle.” In the ensuing hours after this second blast, U.S. Ambassador to the United Nations Susan E. Rice was attached to the phone in her suite at New York’s Waldorf Towers. She consulted with the White House and the State Department, then she began to call other UN ambassadors, notably the Japanese and South Koreans. The South Korean who is the head of the UN, Secretary General Ban Ki-moon, agreed to an emergency meeting of the Security Council. The outcome of that feverish round of diplomatic consultations was, eventually, further international condemnation of North Korea and further sanctions on the impoverished tyranny. A decade and a half’s worth of diplomacy to prevent a North Korean nuclear capability had come to naught. Why?

Some observers of the Pyongyang government explained that the destitute North had no other leverage to extract concessionary loans, free food, and gifts of oil. It had to keep selling the same thing over and over, a promise not to go further with its nuclear capability. Others pointed to the rumored ill health of the strange man known in the North as the Dear One, Kim Jong-il, the leader of the Democratic People’s Republic of Korea. The tea-leaf readers believed that the Dear One knew that he was fading and had selected Number Three Son, Kim Jong-un, a twenty-five-year-old, to succeed him. To prevent the United States, or South Korea, from taking advantage of the transition period, the analysts claimed, the North believed it had to rattle its sabers, or at least its atoms. The pattern with North Korea in the past had been to threaten, get attention, give a taste of what awful things might happen, then offer to talk, and eventually to cut a deal to enrich their coffers.

If the detonation was designed to provoke the United States and others to rush with offers of wheat and oil, it failed. Having condemned the explosion and announced the movement of defensive
missiles to Hawaii, as June moved on, the U.S. leadership shifted its focus back to health care reform, Afghanistan, and self-flagellation over its own intelligence activities. Somewhere in the bureaucracy an American official publicly announced that the U.S. would again be conducting a cyber war exercise known as Cyber Storm to test the defense of computer networks. The 2009 exercise would involve other nations, including Japan and Korea, the one in the south. North Korean media soon responded by characterizing the pending exercise as a cover for an invasion of North Korea. That kind of bizarre and paranoid analysis is par for the course with North Korea. No one in Washington thought twice about it.

As the July 4 break began in Washington, bureaucrats scattered to vacation homes on East Coast beaches. Tourists in Washington swarmed to the National Mall, where a crowd of several hundred thousand watched the “rockets’ red glare” of a sensational fireworks display, a signature of the Fourth of July holiday. On the other side of the world, the association of rockets and the Fourth was not lost on some in the North Korean leadership. In outer space, a U.S. satellite detected a rocket launch from North Korea. Computers in Colorado quickly determined that the rocket was short-ranged and was fired into the sea. Then there was another rocket launch. Then another and another. Seven North Korean rockets were fired on the Fourth of July. Whether a plea for help, or more saber rattling, it certainly seemed like a cry for attention. But that cry did not stop there. It moved into cyberspace.

Right before the Fourth of July holiday, a coded message was sent out by a North Korean agent to about 40,000 computers around the world that were infected with a botnet virus. The message contained a simple set of instructions telling the computer to start pinging a list of U.S. and South Korean government websites and international companies. Whenever the infected computers were turned on, they silently joined the assault. If your computer was one of the zombies,
you might have noticed your processor was running slowly and your Web requests were taking a bit longer to process, but nothing too out of the ordinary. Yes, it was another DDOS attack by zombies in a botnet. At some time over the weekend, the U.S. government did notice when dhs.gov and state.gov became temporarily unavailable. If anyone actually thought of consulting the Department of Homeland Security terrorist threat level before deciding to go watch the fireworks on the National Mall, they would not have been able to gain that information from the Department of Homeland Security’s website.