
THE first cyber-battle between superpowers was shadowy and nearly bloodless. In April 2001, a US navy plane caused an international incident when it collided with a Chinese jet fighter. The Chinese pilot lost his life, while the American plane made an emergency landing on China鈥檚 Hainan Island, where it was detained. After 11 days, the plane and crew were returned safely, but accusations of blame persisted on both sides.
Publicly, both governments did little more than squabble over the issue, but for the rest of the month both suffered a number of harmless but annoying attacks on their computer networks. Websites also sprang up with instructions on how to run programs aimed at disabling government computers.
American officials claim that the attacks almost shut down California鈥檚 electrical grid, but neither government has owned up to launching the assaults. 鈥淭here were a number of cyber-skirmishes and hack-backs originating in China and America right around that time,鈥 says Herbert Lin, a software specialist at the US National Research Council (NRC) in Washington DC. 鈥淲ere they state-sponsored? Who knows.鈥
Advertisement
Since then sporadic reports have emerged of attempts on several national networks, each one as murky as the last (see Timeline). Meanwhile, the US and China appear to be taking the issue seriously. In 2000, Dai Qingmin, an army general and head of the Chinese government鈥檚 communications department, , while Daniel Kuehl of the National Defense University in Washington DC says the US military is exploring the use of cyberweapons. Considering the dependence of stock markets, power grids, phone networks and banks on computers, a cyber-attack might seem very tempting to a nation with an axe to grind. 鈥淎mericans feel very secure, but they shouldn鈥檛,鈥 says Adriel Desautels of software security firm Netragard in Mendham, New Jersey.
To tackle the issues surrounding the prospect of cyberwar 鈥 including how to retaliate and whether cyberweapons could or should be used 鈥 Lin is leading a study sponsored by the NRC, Microsoft and the MacArthur Foundation. The results are not due until the summer, but Lin revealed some details at a workshop on technology and warfare at Stanford University in Palo Alto, California, last month.
Less-lethal weapons?
One issue his team will tackle is ethics. Currently unregulated by international law, it is unclear where computer viruses and denial-of-service (DoS) attacks slot in on the scale that ranges from 鈥渓ess-lethal鈥 weapons such as CS gas and Tasers, through guns and bombs up to chemical, biological and nuclear arms.
The answer might seem obvious: cyberweapons are harmless compared with their bloodier counterparts. Even an all-out cyber-attack couldn鈥檛 possibly do the same damage as a conventional air raid or ground invasion, says Michael Vlahos of Johns Hopkins University in Baltimore, Maryland. 鈥淚f ruling regimes have a dispute, cyberwar can be a great way to signal that without killing people,鈥 he says.
Others argue, however, that as countries increasingly rely on computers, the cost of a successful cyber-attack will be measured in human life just as an air raid or ground attack is. 鈥淐yberwarfare has been sold as cleaner, but things like power plants and air traffic control systems are vulnerable to attack,鈥 says Thomas Wingfield of the US Army Command and General Staff College in Fort Belvoir, Virginia. A recent study by the US Department of Homeland Security found that electrical generators could be hacked into and induced to self-destruct, raising the threat of large-scale physical damage to critical infrastructure. 鈥淐yberweapons are now rising to the level of weapons of mass destruction,鈥 he says.
One crucial aspect of computer viruses and worms is their ability to spread uncontrollably. Such a weapon could inadvertently infect hundreds of thousands of home and office computers, causing economic and social mayhem. Impossible to contain within national boundaries, a virus could end up back in the country that launched the attack. Because of this, Wingfield says cyberweapons could be banned from war just like chemical and biological weapons, poisoned and exploding bullets, and blinding lasers. 鈥淚t鈥檚 possible to imagine cyberweapons being on that list,鈥 he says.
There are good reasons to avoid cyberweapons, but how should a country that is attacked by one respond? Under the , a nation has the right to use force as self-defence only if it is attacked using force. Wingfield says the term 鈥渇orce鈥 might be applied to a cyber-attack if it caused significant financial or physical damage. He concludes that any country that suffers a sufficiently severe cyber-attack is within its rights to respond with conventional weapons such as bombs.
Retaliation, however, raises another problem: how to find out who launched an attack. Unlike physical warfare, where it is often obvious who is responsible, the internet presents forensic challenges. Computers can be hijacked, unbeknownst to their owners, and used as accomplices in attacks that come from another source. 鈥淲ho would [President] Bush bomb if the internet went down?鈥 says Desautels.
Tracing the attack might yield an innocent computer user, not the true perpetrator. 鈥淚f you have a worm on your computer, you don鈥檛 want to be doing your income taxes and have a Hellfire missile come through the window,鈥 says Ivan Oelrich of the Federation of American 杏吧原创s in Washington DC.
This problem was illustrated last year, when Russia appeared to have launched massive DoS attacks against Estonia鈥檚 cyber-infrastructure (New 杏吧原创, 6 June 2007, p 30). At the time, it was seen as an example of cyberwarfare, but Estonian authorities recently convicted a lone, 20-year-old hacker living in the country for the attacks.
Rather than relying on retaliation, Desautels says a better solution is to put pressure on software firms to fix the bugs in their code. These vulnerabilities are the chinks in the armour that allow an attacker to access a computer鈥檚 memory and install malicious files or press-gang the PC into becoming part of a 鈥渂otnet鈥 that can launch DoS attacks (see 鈥淏uy up those Cyber-bullets鈥). If the bugs weren鈥檛 there in the first place, this wouldn鈥檛 be possible. 鈥淐ongress needs to make software companies responsible for vulnerabilities,鈥 says Desautels. 鈥淭hat should be our first line of defence.鈥
Computer Viruses 鈥 Learn more about the threats to your PC in our comprehensive .
Buy up those cyber-bullets
The prospect of cyber-attacks puts software bug hunters in a tricky spot.
All software can contain bugs or flaws, and researchers routinely find them in their programs. Because these vulnerabilities, and the pieces of code that exploit them, can be used to launch attacks, they have become a hot commodity. Security firms such as iDefense, Tipping Point and Netragard buy them up from bug hunters, tell their clients about them and then disclose them to the companies that develop the software so that they can issue patches to correct the problem. There are also websites that auction the bugs off.
Governments are known to be in the business of trading bugs too (New 杏吧原创, 13 June 2007, p 30), presumably because of the risks they present to military and government security. The cyberspace equivalent of bombs and bullets, finding vulnerabilities in the software would be essential for anyone hoping to launch a cyber-attack, government or not.
That presents bug catchers with the question of who it is OK to sell bugs to. With no laws governing bug brokering, Adrian Desautels of software security firm Netragard has to rely on his sense of right and wrong. As a rule, he avoids governments, he says. 鈥淚 would never sell to a non-US based buyer, and I only sell to people I know and trust,鈥 he says.
But he worries that not everyone is as conscientious. 鈥淚 think people like me should need a licence for what we do, which is selling a sort of munitions,鈥 he says. 鈥淲e don鈥檛, and that鈥檚 dangerous.鈥