Cyber Warfare: The Narrative in the Network
In January 2011, John Chambers, CEO of Cisco Systems, addressed a group of Asian visitors to CES, the consumer electronics show held each year in Las Vegas. Seated among priceless works of art in a penthouse suite at the Venetian Hotel, Chambers made small talk to entertain his guests, and to pique their curiosity about new Cisco products. More curious, however, was his mention of Hezbollah, the Muslim militant group sponsored by Iran. A lawyer by training, he is not given to throwaway observations, particularly in the company of dignitaries who might be carrying purchase orders.
Hezbollah toppled the Lebanese government a week later, withdrawing its support of Prime Minister Saad Hariri as he was about to meet with Barack Obama at the White House. Chambers’ mention of Hezbollah might have been a coincidence, but Cisco’s interests often align with our national security. Most of the world’s Internet traffic, including government and military operations, touches at least one Cisco product along the way.
Nine months before Chambers’ comment in Las Vegas, Richard A. Clarke published Cyber War: The Next Great Threat to National Security and What to Do About It. Clarke, an advisor to four US presidents, has been a critic of our security protocol for years. His 2004 publication Against All Enemies, a narrative history of Al Qaeda’s role in the 9/11 attacks, offered a blunt warning about our failure to contain that organization. The intelligence community takes Clarke quite seriously. He admits to being influenced by his early work on nuclear strategy, when certain factions favored preemptive strikes against the Soviets. Clarke’s camp favored intimidation by superior force, but he is pessimistic about our current doctrine: “The force that prevented nuclear war, deterrence, does not work well in cyber war.” [1]
Clarke flatly states that American corporate and government networks have been infiltrated by foreign interests, and he cites China as the party most responsible, with Russia coming in a close second. When he reported one such incursion to George W. Bush, the President asked,“What does John think?” [2] This reference to Chambers, a significant Republican donor, illustrates his political presence and managerial influence. Under his leadership, Cisco grew to be the largest manufacturer of network equipment. His teams of security experts became trusted advisors to the highest government officials. However, because many of our networks have been breached, that expertise is not enough. In the language of Silicon Valley, the problem lies farther up the stack.
The Internet runs like a river — its surface teeming with webpages full of data: text, images, audio and video. At the bottom of the river lies a bedrock of fiber optic cable, the conduit that physically transmits the data along with instructions on how to move it. Above the bedrock, submerged at different depths, digital switches and routers parse those instructions, packaging the data and sending it up to the surface. Cisco manufactures most of these switches and routers.
While the number of these devices increases as companies and governments build more operations centers, the finite network only increases with the addition of more fiber, laid below city streets or along the ocean floor. Occasional advances in technology have the same effect of increasing network capacity. New compression techniques squeeze more data through the same conduit, while routers and switches become more efficient with upgraded software.
The surface, the bedrock and the depths in between are collectively known as the stack, a hierarchy of physical and logical layers categorized by function. At the top of the stack, web browsers retrieve pages from servers and present them to humans. These actions are governed by the session, presentation and application layers, which permit sites like Facebook to deliver personalized content to logged-in users. Below these layers, the switches and routers inhabit the data, network and transport layers, establishing finite boundaries in which the data flow back and forth. That movement is characterized by metadata, the canonical information about the data that describes its structure and purpose.
Clarke sees the stack as a battlefield on which major skirmishes have already been fought. In 2007, an army of computers, located mostly in Russia, launched a distributed denial of service (DDOS) attack against Estonia, effectively halting all Internet traffic during that republic’s transition to independence. While there had been many such attacks against other targets, the scale of this incident all but guaranteed government involvement. [3] Clarke says, “The most adept hackers in Russia, apart from those who are actual government employees, are usually in the service of organized crime.” [4] This shadow apparatus covered its tracks by making the attacks appear to originate from China.
The early stages of cyber warfare were characterized by brute force tactics. Obstructive activity disguised as traffic from third-party countries has become so widespread that counter measures have been institutionalized. Clarke describes secret schools in China and North Korea, where elite students are groomed as future hackers. [5] The US Cyber Command, formed in 2009 to coordinate offensive and defensive measures, has its own force of hackers.Located next to NSA headquarters in Fort Meade, Maryland, these groups are constantly probing public and private networks, looking for digital beachheads to attack or defend. Since many of these networks contain personal records of American citizens, these probes can infringe upon our fundamental right to privacy.
Because the United States relies on networks more than any other country, we are particularly susceptible to cyber attacks. This vulnerability forms the basic tenet of“asymmetric warfare,” a doctrine Clarke ascribes to the Chinese, whose reliance on older offline technologies such as radio and telephony decreases the potential damage from cyber attacks on its infrastructure. America will lose more because of its heavy, and in many instances exclusive reliance on network technology.
While blocking network traffic might have a disproportionate effect on our economy, the more ominous threats come from invasive, not obstructive behavior. Hackers gaining access to a system can leave behind insidious bits of code called logic bombs to disrupt or disable that system in the future. Clarke says, “A logic bomb in its most basic form is simply an eraser, it erases all the software on a computer, leaving it a useless hunk of metal.” [6]
The most inviting targets include the SCADA (supervisory control and data acquisition) systems that control electric power grids. Despite their importance, these systems of linked towers and generators remain notoriously porous. Clarke’s blunt assessment: “America’s national security agencies are now getting worried about logic bombs, since they seem to have found them all over our electric grid.” [7]
Unlike the physical wars that continue to rage around the world, there has been no clear casus belli for the cyber war. There is no geopolitical or socioeconomic cause, other than control of cyber space.
The strategy of cyber warfare begins with the assumption that nearly all of our public and private sector networks, including non-hardened military and financial services systems, have been hacked, breached or infiltrated in some way. Denial or disavowal will not change this. The strategic objective is therefore not to prevent this from happening, but to minimize the harm caused by rogue software that has become increasingly difficult to detect, let alone eliminate.
Software is inherently semantic. Programmers write sentences in languages that convert words into digital commands, which in turn cause computers to perform certain tasks. A sentence of insidious code, buried in thousands of other sentences, is all but indistinguishable, even to the most expert eye. The consequences are not apparent until after the commands contained in those sentences have been executed, so it is difficult to gauge the program’s potential harm by examining its content. It is only when the program speaks, by causing the computer to execute those commands, that we can understand the actual harm.
In 2012, a joint US/Israeli operation, casually denied by both governments, breached Iran’s cyberspace in just this fashion. [8] A virus planted in an Iranian research network spoke only to computers connected to centrifuges used to enrich weapons-grade uranium, changing certain settings to make the centrifuges run faster than the prescribed maximum speed, causing them to overheat and malfunction. Buried in the control system, this software escaped detection because it spoke tersely, only when necessary.
Whether such conversations disrupt operations, or simply gather shopping lists of data for exfiltration (a term Clarke uses repeatedly), they are the lingua franca of cyber warfare. Given the assumption that our networks have already been compromised, the problem becomes one of recognition, not prevention. We must learn to recognize these conversations at an early enough stage to prevent or compromise their completion. The process of recognition begins with data analysis.
Social networks like Facebook have created massive amounts of unstructured data, digital expressions that often do not include identifiers such as user names or email addresses. Examined separately, these expressions provide scant information, but meaningful stories can be extracted by high-performance computing (HPC), a technology that links thousands of computers together and doles out computational tasks for each machine to perform concurrently. The results of those tasks are then fed into statistical models that can predict future events and patterns of behavior.
Every segment of our economy uses predictive analysis. Forecasts of hurricanes or stock prices are based on the same process of extrapolating future behavior based on historical data. The probability of that future behavior resembling the past to a lesser or greater degree is what enhances the prediction.
Meteorologists use data gathered by instruments measuring wind speed, barometric pressure, and other known factors. They predict future storms based on those that have occurred in the past, a relationship based on similarity. Econometricians predict future stock prices in the same fashion, using the past as foundation for the future. While the range of possible economic events might be more varied than the range of possible natural events, there are still limits to what can happen. We know, for example, that the stock exchange will halt trading in a stock that exceeds a predetermined threshold of volatility.
Our computer networks present a different problem. Having conceded their infiltration, we face an infinite variety of possible attacks. Every computer connected to a network speaks in a digital voice that reflects the contents of its memory and disk drives at any given moment. If we record that voice at regular intervals, storing time-ordered frames of data for subsequent analysis, we can build a vocabulary of meaningful phrases unique to that computer. We can also record conversations between computers on the network, the digital messages passed back and forth by programs running on those computers. Continuous analysis of those conversations allows us to extrapolate harmful behavior. As we become fluent in this high-level machine language, our familiarity with idiosyncratic phrases allows us to identify those that ring false.
So how does this relate to the stack? At the top layer, billions of tweets, text messages and emails race across the network every second. The application layer stores the user name of each sender and recipient, giving us a high-level semantic framework, but as we move down the stack, things get a bit murkier. We see digital fragments, keystrokes and mouse clicks that have no meaning or structure beyond the bits and bytes.
Facebook records every movement within its space, the actions of nearly a billion people generating half a million gigabytes of data every day. Much of this data is unstructured, not the messages and images posted to news feeds, but the navigational patterns unique to each individual, the way she reads those messages and views those images. Her activity becomes her digital voice.
All this happens beneath the application layer of the stack, but above the network layer. Meaningful analysis of this activity happens above the switches and routers, which is why Cisco continues to invest in companies that make analytical products.
This middle layer of the stack is where analysts plow through all that unstructured data. Corporations have traditionally used data mining to identify patterns of consumer behavior. Using radio-frequency identification (RFID) devices embedded in merchandise, a department store can not only catch shoplifters, it can also monitor how law-abiding shoppers move about the store while carrying items they intend to purchase. The pattern of physically browsing through different areas of the store becomes the digital voice of that shopper, recorded for later analysis. Decisions on where to display merchandise are often informed by such analyses.
Using tools like machine learning, a framework for training computers to recognize patterns of behavior in networks, data scientists can model insidious behavior in the same way that medical researchers can model the spread of cancer. There are in fact structural similarities between a program that responds to external messages and a cancer cell that responds to different receptors according to physiological context. The cancer cell grows in benign or insidious fashion, responding to messages sent from other cells and filtered through protein receptors. While that growth changes certain attributes of the cell — size, shape, proclivity to bind to other cells, etc. — its basic structure generally remains the same. If scientists can decode the messages, they can affect the cell’s growth, possibly making it less insidious, by sending anodyne messages that the receptors can understand.
In similar fashion, a software program responds to messages filtered through its points of contact with other programs running on the network. These points of contact, or interfaces, are the counterpart to the cell’s protein receptors. If these interfaces can be influenced to modify incoming messages, the program’s behavior can be modified without changing its underlying structure, the phrases of code in which it was written.
Two broad categories of conversation take place over a network: system messages generated by programs and devices communicating with the underlying infrastructure, and application messages generated by programs operating on their specific set of functionality. In network space, system messages may be construed as public, and application messages construed as private. Like a Trojan horse, and the eponymous computer virus, a private message can hide inside a public message and wait for the signal to attack. Since the private message is already inside the network, there is no need to convince a sentry to admit it.
The patterns of these messages tell a story. Analysts can extrapolate future behavior from these patterns, and postulate the roles of protagonist and antagonist. The narrative in the network describes conflict, and the presence or absence of its resolution.
General Keith B. Alexander, who heads the National Security Agency in addition to the aforementioned US Cyber Command, recently told The New York Times that there had been “a 17-fold increase in computer attacks on American infrastructure between 2009 and 2011, initiated by criminal gangs, hackers and other nations.” [9]
Shortly after this rare public statement, the security company, Kaspersky Lab, identified malicious software, or malware, that targeted a company in the energy industry. This computer worm was compared to the American-Israeli malware that disrupted Iran’s nuclear program. [10]
In the same month, Saudi Aramco, the world’s largest oil company, reported “a sudden disruption in its network that caused it to isolate all its electronic systems from outside access as an early precautionary measure.” This followed a public admission of responsibility from “Cutting Sword of Justice,” a group of hackers who said their attack was in retribution for the Saudi government’s support of Sunni Muslim interests in Bahrain and Syria. [11]
In the same month, Kaspersky Lab identified a computer virus that targeted a specific range of banks associated with Lebanese interests, citing its similarity to the US-Israeli malware. It was not clear if those interests were related to Hezbollah. [12]
In late 2012, Defense Secretary Leon Panetta warned that the United States faced the possibility of a “cyber-Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.” [13] He went on to advocate legislation that would require new security standards at critical private-sector infrastructure facilities like power plants, specifically mentioning China, Russia and Iran as possible sources of attacks against them. A group of Republican lawmakers, led by Senator John McCain of Arizona, subsequently blocked passage of a cybersecurity bill meant to promulgate such standards. McCain sided with the US Chamber of Commerce, saying the law would be too burdensome for corporations.
In June, 2013, a single event altered the course of cyber warfare and our national interest in regulating it. Glenn Greenwald reported for The Guardian that the United States National Security Agency (NSA) was collecting the telephone records of millions of Verizon customers under a secret order from the Foreign Intelligence Surveillance Court (FISC). [14] Established under the Foreign Intelligence Surveillance Act of 1978, the FISC is a federal court authorized to oversee requests for surveillance from the NSA and FBI.
A subsequent revelation that the NSA had access to the systems of major technology companies such as Google and Facebook, granted under a secret surveillance program called PRISM, touched off a firestorm of controversy and public outcry. The source of these intelligence leaks identified himself as Edward Snowden, an NSA contractor working for BoozAllen Hamilton, the consulting firm.
Among the documents leaked by Snowden was the FISC order itself, which described the information to be collected by the NSA: “all call detail records or telephony metadata.” By distinguishing between metadata and communications data (the actual recordings of calls), the court order bypassed the need for individual warrants to carry out its purpose.
Public reaction focused on the invasion of privacy implied by the court order. The discovery of government surveillance evoked widespread dismay. Observers at both ends of the political spectrum voiced their opposition, albeit managed with predictable partisanship. The irony of a sitting Democratic president being chastened for a policy initiated by his Republican predecessor was not lost. Indeed, the outrage in some quarters was arguably over a perceived betrayal of liberal principles, as much as the act itself.
However, the true irony lies in the furor over metadata. The conventional belief that constraining its collection preserves privacy, overlooks the persistent nature of the underlying communications data. The calls themselves have in many cases been preserved as digital audio files. The FISC order effectively outsourced part of the NSA’s surveillance program by delivering what amounted to a blanket subpoena. It did not create the program, but it did authorize its actions.
As the extent of the NSA surveillance effort became apparent, international reaction went beyond the outrage expressed by those countries whose leaders had been personally targeted. While the disclosure that the NSA had tapped German Chancellor Angela Merkel’s cell phone did appreciable damage to that country’s relationship with the United States, the reaction of China was quite different.
In the aftermath of these events, Cisco announced that China had suspended its orders of Cisco products out of concern over the NSA programs. [15] While China’s reaction might have been a quid pro quo for criticism of its own hacking and surveillance programs, its chemistry with Cisco has had a particular valence.
Huawei, a Chinese manufacturer of network equipment, has become a major competitor. Cisco has all but directly accused Huawei of stealing its technology, citing Huawei’s ties with the Chinese military as proof of its intentions. John Chambers has called Huawei “our biggest long-term threat,” adding that the company does not always “play by the rules.” [16]
The theater of cyber war described by Clarke has taken on a new dimension. While previous measures focused on defensive tactics such as intrusion detection, Snowden’s disclosures reveal a more aggressive strategy. The NSA has installed surveillance software in many computers by either breaching foreign networks or using a secret radio technology to communicate with machines not connected to the Internet. [17] That technology relies on covert transmissions from circuit boards planted on the machines. Those circuit boards can also receive spurious messages transmitted by the NSA.
Huawei and other foreign competitors have been supplanting Cisco switches and routers with their own devices. The Snowden disclosures have prompted China and several other countries to suspend or significantly reduce their orders of Cisco equipment. While Cisco has denied direct involvement in the NSA surveillance programs, [18] its business has been affected by widespread condemnation of those programs.
The Freedom of the Press Foundation, a nonprofit co-founded by Daniel Ellsberg, has announced that Edward Snowden will join its board. [19] Founded to enable donations to WikiLeaks when credit card companies refused to process donations, the Foundation has provided tools to help whistleblowers like Snowden send leaked documents to journalists. One of those tools, an open-source submission system called SecureDrop, was created by the late Aaron Swartz, a young computer programmer and activist who was convicted by federal prosecutors of multiple violations of the Computer Fraud and Abuse Act. Swartz was accused of downloading academic journal articles from a digital library at MIT. Shortly before Snowden’s initial disclosure to Guardian reporter Greenwald, who is also a board member of the Freedom of the Press Foundation, Swartz’s lawyer made a second unsuccessful attempt to plea bargain on behalf of his client. Facing the possibility of thirty-five years in prison, Swartz hanged himself in his Brooklyn, NY apartment.
The narrative in the network comprises actors who are protagonists to some, and antagonists to others. While the distinction seems clear to those who either conflate secrecy with patriotism or have commercial interests in network security, there has never been a greater need for disclosure. National security cannot trump personal privacy. Our democracy hangs in the balance.
References
1. Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do About It, (New York: Harper Collins, 2010), ii.
2. Clarke and Knake, Cyber War, 113.
3. Landler, Mark and Markoff, John “Digital Fears Emerge After Data Siege in Estonia” The New York Times 29 May 2007
4. Clarke and Knake, Cyber War, 18.
5. Clarke and Knake, Cyber War, 28.
6. Clarke and Knake, Cyber War, 92.
7. Clarke and Knake, Cyber War, 92.
8. Beaumont, Peter and Hopkins, Nick “US was ‘key player in cyber-attacks on Iran’s nuclear programme’” The Guardian
1 June 2012
9. Sanger, David and Schmitt, Eric, “Rise is Seen in Cyberattacks Targeting U.S. Infrastructure” The New York Times 26 July 2012
10. Rapoza, Kenneth, “Kaspersky Lab: Same Countries Behind Stuxnet and Flame Malware” Forbes 6 November 2012
11. Fineren, Daniel and Bakr, Amena, “Saudi Aramco says most damage from computer attack fixed” Reuters 26 August 2012
12. Gjelten, Tom, “Encoding Geopolitics: Virus Infects Banks in Lebanon” NPR 10 August 2012
13. Bumiller, Elizabeth and Shanker, Thom, “Panetta Warns of Dire Threat of Cyberattack on U.S.” The New York Times
11 October 2012
14. Greenwald, Glenn, “NSA collecting phone records of millions of Verizon customers daily” The Guardian 5 June 2013
15. Shinal, John, “NSA spying hurts business of large U.S.hardware makers” USA Today 9 December 2013
16. Kang, Cecilia, “Huawei’s U.S. competitors among those pushing for scrutiny of Chinese tech” The Washington Post
10 October 2012
17. Sanger, David and Shanker, Thom, “N.S.A. Devises RadioPathway into Computers” The New York Times
18. Jingting, Shen, “Cisco denies China monitoring accusations” ChinaDaily.com.cn
19. Savage, Charlie, “Snowden to Join Board of the Freedom of the Press Foundation” The New York Times
