Potential Human Cost of Cyber Operations

Total Page:16

File Type:pdf, Size:1020Kb

Potential Human Cost of Cyber Operations ICRC EXPERT MEETING 14–16 NOVEMBER 2018 – GENEVA THE POTENTIAL HUMAN COST OF CYBER OPERATIONS REPORT ICRC EXPERT MEETING 14–16 NOVEMBER 2018 – GENEVA THE POTENTIAL HUMAN COST OF CYBER OPERATIONS Report prepared and edited by Laurent Gisel, senior legal adviser, and Lukasz Olejnik, scientific adviser on cyber, ICRC THE POTENTIAL HUMAN COST OF CYBER OPERATIONS Table of Contents Foreword............................................................................................................................................. 3 Acknowledgements ............................................................................................................................. 4 Executive summary ............................................................................................................................. 5 Introduction....................................................................................................................................... 10 Session 1: Cyber operations in practice .………………………………………………………………………….….11 A. Understanding cyber operations with the cyber kill chain model ...................................................... 11 B. Operational purpose ................................................................................................................. 11 C. Trusted systems and software supply chain attacks ...................................................................... 13 D. Cyber capabilities and exploits ................................................................................................... 13 E. Evolving nature of the threat actors and the growing attack surface ................................................. 14 F. Cyber vs kinetic attacks ............................................................................................................ 15 G. Attack and defence .................................................................................................................. 15 H. Importance and challenges of attribution...................................................................................... 17 Session 2: Cyber attacks that could affect the delivery of health care ................................................... 18 A. Cyber attacks that could affect hospitals (or other medical facilities)................................................. 18 B. Cyber attacks affecting medical devices ...................................................................................... 19 C. Cyber attacks affecting biomedical devices .................................................................................. 20 D. The challenge of fixing vulnerabilities in medical devices ................................................................ 20 E. Resilience of the health-care sector to cyber attacks ..................................................................... 21 Session 3: Cyber attacks that target critical civilian infrastructure or that may otherwise affect the delivery of essential services to the civilian population ........................................................................ 23 A. Specific features of cyber attacks against industrial control systems ................................................ 23 B. Threat actors: number, purposes, resources, capabilities, and evolution ........................................... 24 C. Attack testing .......................................................................................................................... 25 D. Risk and quantification .............................................................................................................. 26 E. Risk reduction and resilience ..................................................................................................... 27 F. Incident notification and response ............................................................................................... 28 Session 4: Cyber attacks on the internet core or that may have other systemic effects .......................... 29 A. Cyber attacks on DNS servers ................................................................................................... 29 B. Distributed Denial of Service (DDoS) attacks ................................................................................ 29 C. Attacks against cloud service providers ....................................................................................... 30 D. Practical results of attacking internet services and their dependencies ............................................. 31 1 THE POTENTIAL HUMAN COST OF CYBER OPERATIONS Session 5: Cyber operations during armed conflict .............................................................................. 32 A. Peace time, armed conflicts and grey zones................................................................................. 32 B. Cyber space as an operational domain of a predominantly civilian nature ......................................... 32 C. Vulnerability disclosure, secrecy and deterrence ........................................................................... 33 D. Cyber operations as means and methods of warfare: circumstances of use, aim and expected effects.. 34 E. Potential military cyber operations that take advantage of the medical condition of an enemy. ............. 35 F. Cyber operations and expected incidental civilian harm ................................................................. 36 Session 6: The protection afforded by existing law, and possible avenues to reduce the human cost of cyber operations................................................................................................................................ 37 A. Conflict classification and questions of attribution .......................................................................... 37 B. The notion of “attack” ................................................................................................................ 38 C. Challenges in anticipating the effects of cyber attacks ................................................................... 38 D. The persistence of malware once released .................................................................................. 39 E. Potential avenues to reduce or avoid human harm ........................................................................ 39 Annex 1: Agenda ............................................................................................................................... 43 Annex 2: List of experts ..................................................................................................................... 49 Annex 3: Background document ......................................................................................................... 51 2 THE POTENTIAL HUMAN COST OF CYBER OPERATIONS Foreword One of the main aims of international humanitarian law (IHL) is to protect the civilian population from the effects of military operations. Cyber warfare is the subject of growing concern, and there is no consensus around the question of how IHL will protect civilians against its effects. But what are the effects of cyber warfare on civilians? Since most known operations have been conducted outside conflict settings, the potential human cost of cyber operations in armed conflict is a matter of risk analysis. To move towards a realistic assessment of the potential human cost of cyber warfare, the International Committee of the Red Cross (ICRC) invited scientific and cyber security experts from all over the world to share their knowledge. In a three-day meeting, experts analysed some of the most sophisticated known cyber operations, regardless of whether they occurred during conflict or in peacetime, focusing on the risk that cyber operations may result in death, injury or physical damage, affect the delivery of essential services to the population, or affect core internet services. The meeting included participants working for global IT companies, cyber threat intelligence companies, computer emergency response teams, a national cyber security agency, participants with expertise in cyber security (including that of hospitals, electricity grids and other services), participants with expertise in the development and use of military cyber operations, lawyers and academics. The rich discussions provided a nuanced picture of the risks that cyber warfare can entail for the civilian population. One of the main fears of those working on cyber warfare and IHL is perhaps the idea that in cyber space, the principle of distinction will be difficult if not impossible to uphold. Yet, the expert meeting showed that the global digital infrastructure that can be targeted through cyber operations is in fact rather resilient to widespread effects. While a number of the cyber attacks analysed were indiscriminate, many others have been precisely targeted from a technical perspective. Nonetheless, while many systems are resilient, others are particularly vulnerable, and health-care systems are among those. Furthermore, the threats are evolving at a faster pace than anticipated, and the most sophisticated cyber capabilities may be largely unknown. Another area of concern highlighted in the meeting is the risk of proliferation of cyber tools, because they may linger in digital systems and can potentially be accessed from anywhere in the world, modified and reused. In the view of the ICRC, many of the operations described in the report would be contrary to IHL if carried out during armed conflict.
Recommended publications
  • North Korean Cyber Capabilities: in Brief
    North Korean Cyber Capabilities: In Brief Emma Chanlett-Avery Specialist in Asian Affairs Liana W. Rosen Specialist in International Crime and Narcotics John W. Rollins Specialist in Terrorism and National Security Catherine A. Theohary Specialist in National Security Policy, Cyber and Information Operations August 3, 2017 Congressional Research Service 7-5700 www.crs.gov R44912 North Korean Cyber Capabilities: In Brief Overview As North Korea has accelerated its missile and nuclear programs in spite of international sanctions, Congress and the Trump Administration have elevated North Korea to a top U.S. foreign policy priority. Legislation such as the North Korea Sanctions and Policy Enhancement Act of 2016 (P.L. 114-122) and international sanctions imposed by the United Nations Security Council have focused on North Korea’s WMD and ballistic missile programs and human rights abuses. According to some experts, another threat is emerging from North Korea: an ambitious and well-resourced cyber program. North Korea’s cyberattacks have the potential not only to disrupt international commerce, but to direct resources to its clandestine weapons and delivery system programs, potentially enhancing its ability to evade international sanctions. As Congress addresses the multitude of threats emanating from North Korea, it may need to consider responses to the cyber aspect of North Korea’s repertoire. This would likely involve multiple committees, some of which operate in a classified setting. This report will provide a brief summary of what unclassified open-source reporting has revealed about the secretive program, introduce four case studies in which North Korean operators are suspected of having perpetrated malicious operations, and provide an overview of the international finance messaging service that these hackers may be exploiting.
    [Show full text]
  • Never Agains IV February 2010
    the Availability Digest www.availabilitydigest.com More Never Agains IV February 2010 It is once again time to reflect on the damage that IT systems can inflict on us mere humans. We have come a long way in ensuring the high availability of our data-processing systems. But as the following stories show, we still have a ways to go. During the last six months, hardware/software and network faults shared responsibility, each causing about one-third of the outages. The rest of the outages were caused by a variety of problems such as power failures, construction mishaps, and hacking. Rackspace Hit with Another Outage Techcrunch, June 20, 2009 – On June 20, Rackspace suffered yet another outage1 due to a power failure. The breaker on the primary utility feed powering one of its nine data centers tripped, causing data center’s generators to start up. However, a field excitation failure escalated to the point that the generators became overloaded. An attempt by Rackspace to fail over to its secondary utility feed failed because the transfer switch malfunctioned. When the data center’s batteries ran out, the data center went down. Failovers do fail. Have a contingency plan no matter the extent of your redundancy. NYSE Suffers Several Outages in Less Than a Month Reuters, July 2, 2009 – On Thursday morning, July 2, brokers on the floor of the New York Stock Exchange found that they could not route orders, causing the NYSE to halt trading in some stocks and to extend the trading day. During the previous month, a software glitch halted trading; and an order-matching problem affected timely order reconciliation.
    [Show full text]
  • The Flame: Questions and Answers 1.8
    The Flame: Questions and Answers 1.8 Aleks Kaspersky Lab Expert Posted May 28, 13:00 GMT Tags: Targeted Attacks, Wiper, Cyber weapon, Cyber espionage, Flame Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East – but now we’ve found what might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame. Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super­weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage. For the full low­down on this advanced threat, read on… General Questions What exactly is Flame? A worm? A backdoor? What does it do? Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm­like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.
    [Show full text]
  • Availability Digest
    the Availability Digest www.availabilitydigest.com Help! My Data Center is Down! Part 3: Internet Outages December 2011 Long gone are the days of the isolated data center. Back then, batch jobs were submitted to update databases and to generate reports. Back then, turn-around times were measured in hours or even days. In today’s competitive environment, IT services are online; and instant response times are expected. What good is a data center if no one can talk to it? Orders can’t be placed or tracked. Medical records can’t be accessed. Online banking comes to a halt. Today’s data centers must be connected. They depend upon the networks that allow users to access them online reliably and with fast response times. In the old days, a company had control over its communication network. It leased lines that it used exclusively for its purposes. If it lost communications, it had direct access to its communication carrier for rapid repair. For critical applications, companies installed redundant communication facilities so that they could continue in operation even in the presence of a communications failure on one of their lines. Not so true today. More and more, companies are relying on the public Internet to connect their users with company data centers. But how reliable is the Internet? In our previous articles in this series, we related horror stories of unimaginable power failures and storage failures that took down the best-designed data centers. In this article, we explore some notable Internet failures that rendered data centers useless even though they were otherwise fully operational.
    [Show full text]
  • A PRACTICAL METHOD of IDENTIFYING CYBERATTACKS February 2018 INDEX
    In Collaboration With A PRACTICAL METHOD OF IDENTIFYING CYBERATTACKS February 2018 INDEX TOPICS EXECUTIVE SUMMARY 4 OVERVIEW 5 THE RESPONSES TO A GROWING THREAT 7 DIFFERENT TYPES OF PERPETRATORS 10 THE SCOURGE OF CYBERCRIME 11 THE EVOLUTION OF CYBERWARFARE 12 CYBERACTIVISM: ACTIVE AS EVER 13 THE ATTRIBUTION PROBLEM 14 TRACKING THE ORIGINS OF CYBERATTACKS 17 CONCLUSION 20 APPENDIX: TIMELINE OF CYBERSECURITY 21 INCIDENTS 2 A Practical Method of Identifying Cyberattacks EXECUTIVE OVERVIEW SUMMARY The frequency and scope of cyberattacks Cyberattacks carried out by a range of entities are continue to grow, and yet despite the seriousness a growing threat to the security of governments of the problem, it remains extremely difficult to and their citizens. There are three main sources differentiate between the various sources of an of attacks; activists, criminals and governments, attack. This paper aims to shed light on the main and - based on the evidence - it is sometimes types of cyberattacks and provides examples hard to differentiate them. Indeed, they may of each. In particular, a high level framework sometimes work together when their interests for investigation is presented, aimed at helping are aligned. The increasing frequency and severity analysts in gaining a better understanding of the of the attacks makes it more important than ever origins of threats, the motive of the attacker, the to understand the source. Knowing who planned technical origin of the attack, the information an attack might make it easier to capture the contained in the coding of the malware and culprits or frame an appropriate response. the attacker’s modus operandi.
    [Show full text]
  • Detecting Botnets Using File System Indicators
    Detecting botnets using file system indicators Master's thesis University of Twente Author: Committee members: Peter Wagenaar Prof. Dr. Pieter H. Hartel Dr. Damiano Bolzoni Frank Bernaards LLM (NHTCU) December 12, 2012 Abstract Botnets, large groups of networked zombie computers under centralised control, are recognised as one of the major threats on the internet. There is a lot of research towards ways of detecting botnets, in particular towards detecting Command and Control servers. Most of the research is focused on trying to detect the commands that these servers send to the bots over the network. For this research, we have looked at botnets from a botmaster's perspective. First, we characterise several botnet enhancing techniques using three aspects: resilience, stealth and churn. We see that these enhancements are usually employed in the network communications between the C&C and the bots. This leads us to our second contribution: we propose a new botnet detection method based on the way C&C's are present on the file system. We define a set of file system based indicators and use them to search for C&C's in images of hard disks. We investigate how the aspects resilience, stealth and churn apply to each of the indicators and discuss countermeasures botmasters could take to evade detection. We validate our method by applying it to a test dataset of 94 disk images, 16 of which contain C&C installations, and show that low false positive and false negative ratio's can be achieved. Approaching the botnet detection problem from this angle is novel, which provides a basis for further research.
    [Show full text]
  • Reporting, and General Mentions Seem to Be in Decline
    CYBER THREAT ANALYSIS Return to Normalcy: False Flags and the Decline of International Hacktivism By Insikt Group® CTA-2019-0821 CYBER THREAT ANALYSIS Groups with the trappings of hacktivism have recently dumped Russian and Iranian state security organization records online, although neither have proclaimed themselves to be hacktivists. In addition, hacktivism has taken a back seat in news reporting, and general mentions seem to be in decline. Insikt Group utilized the Recorded FutureⓇ Platform and reports of historical hacktivism events to analyze the shifting targets and players in the hacktivism space. The target audience of this research includes security practitioners whose enterprises may be targets for hacktivism. Executive Summary Hacktivism often brings to mind a loose collective of individuals globally that band together to achieve a common goal. However, Insikt Group research demonstrates that this is a misleading assumption; the hacktivist landscape has consistently included actors reacting to regional events, and has also involved states operating under the guise of hacktivism to achieve geopolitical goals. In the last 10 years, the number of large-scale, international hacking operations most commonly associated with hacktivism has risen astronomically, only to fall off just as dramatically after 2015 and 2016. This constitutes a return to normalcy, in which hacktivist groups are usually small sets of regional actors targeting specific organizations to protest regional events, or nation-state groups operating under the guise of hacktivism. Attack vectors used by hacktivist groups have remained largely consistent from 2010 to 2019, and tooling has assisted actors to conduct larger-scale attacks. However, company defenses have also become significantly better in the last decade, which has likely contributed to the decline in successful hacktivist operations.
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • No Internet? February 2008
    the Availability Digest What? No Internet? February 2008 On Wednesday, January 30, 2008, North Africa, the Middle East, and India experienced a massive Internet outage that was destined to last for several days or even weeks.1 How did this happen? How did companies cope? Could it happen in other areas such as Europe or the United States? The Failure The bulk of data traffic from North Africa, from the Middle Eastern countries, and from India and Pakistan is routed through North Africa. There, it is carried by a set of three submarine cables that lie under the Mediterranean Sea. The cables link Alexandria, Egypt, with Palermo, Italy, where the traffic then moves on to Europe, the UK, and the Eastern United States. On January 30, 2008, two of these three cables were severed. It is not yet known why, but the predominant theory is that the cables were severed by the anchor of a huge freighter. Heavy storms had hit the area the previous day and forced Egyptian authorities to close the northern entrance to the Suez Canal at Alexandria. As a result, ships had to anchor offshore in the Mediterranean Sea, dropping their anchors to ride out the storm. It is suspected that one of the freighters dropped its anchor on top of the cables. Reportedly, the two severed cables were a kilometer apart. The storm may have dragged the freighter’s anchor across the sea bed, thus taking out both cables. The result of this catastrophe was that 75% of channel capacity was lost from the Mideast to Europe and beyond.
    [Show full text]
  • Ethical Hacking
    Ethical Hacking Alana Maurushat University of Ottawa Press ETHICAL HACKING ETHICAL HACKING Alana Maurushat University of Ottawa Press 2019 The University of Ottawa Press (UOP) is proud to be the oldest of the francophone university presses in Canada and the only bilingual university publisher in North America. Since 1936, UOP has been “enriching intellectual and cultural discourse” by producing peer-reviewed and award-winning books in the humanities and social sciences, in French or in English. Library and Archives Canada Cataloguing in Publication Title: Ethical hacking / Alana Maurushat. Names: Maurushat, Alana, author. Description: Includes bibliographical references. Identifiers: Canadiana (print) 20190087447 | Canadiana (ebook) 2019008748X | ISBN 9780776627915 (softcover) | ISBN 9780776627922 (PDF) | ISBN 9780776627939 (EPUB) | ISBN 9780776627946 (Kindle) Subjects: LCSH: Hacking—Moral and ethical aspects—Case studies. | LCGFT: Case studies. Classification: LCC HV6773 .M38 2019 | DDC 364.16/8—dc23 Legal Deposit: First Quarter 2019 Library and Archives Canada © Alana Maurushat, 2019, under Creative Commons License Attribution— NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) https://creativecommons.org/licenses/by-nc-sa/4.0/ Printed and bound in Canada by Gauvin Press Copy editing Robbie McCaw Proofreading Robert Ferguson Typesetting CS Cover design Édiscript enr. and Elizabeth Schwaiger Cover image Fragmented Memory by Phillip David Stearns, n.d., Personal Data, Software, Jacquard Woven Cotton. Image © Phillip David Stearns, reproduced with kind permission from the artist. The University of Ottawa Press gratefully acknowledges the support extended to its publishing list by Canadian Heritage through the Canada Book Fund, by the Canada Council for the Arts, by the Ontario Arts Council, by the Federation for the Humanities and Social Sciences through the Awards to Scholarly Publications Program, and by the University of Ottawa.
    [Show full text]
  • Download Article (PDF)
    Proceedings of the 2nd International Conference on Computer Science and Electronics Engineering (ICCSEE 2013) Trust in Cyberspace: New Information Security Paradigm R. Uzal, D. Riesco, G. Montejano N. Debnath Universidad Nacional de San Luis Department of Computer Science San Luis, Argentina Winona State University [email protected] USA {driesco, gmonte}@unsl.edu.ar [email protected] Abstract—This paper is about the differences between grids and infrastructure for destruction [3]. It is evident we traditional and new Information Security paradigms, the are facing new and very important changes in the traditional conceptual difference between “known computer viruses” and Information Security paradigm. Paradigm shift means a sophisticated Cyber Weapons, the existence of a Cyber fundamental change in an individual's or a society's view of Weapons “black market”, the differences between Cyber War, how things work in the cyberspace. For example, the shift Cyber Terrorism and Cyber Crime, the new Information from the geocentric to the heliocentric paradigm, from Security paradigm characteristics and the author’s conclusion “humors” to microbes as causes of disease, from heart to about the new Information Security paradigm to be faced. brain as the center of thinking and feeling [4]. Criminal Authors remark that recently discovered Cyber Weapons can hackers could detect some of those placed “military logic be easily described as one of the most complex IT threats ever bombs” and use them for criminal purposes. This is not a discovered. They are big and incredibly sophisticated. They pretty much redefine the notion of Information Security. theory. It is just a component of current and actual Considering the existence of a sort of Cyber Weapon black Information Security new scenarios.
    [Show full text]
  • Critical Infrastructure Report
    AUTHORED BY: TIFFANY EAST ER ADAM EATON HALEY EWING TREY GREEN CHRIS GRIFFIN CHANDLER LEWIS KRISTINA MILLIGAN KERI WEINMAN ADVISOR: DR. DANNY DAVIS 2018-2019 CAPSTONE PROJECT CLIENT: POINTSTREAM, INC. COMPREHENSIVE U.S. CYBER FRAMEWORK KEY ASPECTS OF CRITICAL INFRASTRUCTURE, PRIVATE SECTOR, AND PERSONALLY IDENTIFIABLE INFORMATION 2018 – 2019 Capstone Team The Bush School of Government and Public Service, Texas A&M University Advisor: Danny W. Davis, Ph.D. About the Project This project is a product of the Class of 2019 Bush School of Government and Public Service, Texas A&M University Capstone Program. The project lasted one academic year and involved eight second-year master students. It intends to synthesize and provide clarity in the realm of issues pertaining to U.S. Internet Protocol Space by demonstrating natural partnerships and recommendations for existing cyber incident response. The project was produced at the request of PointStream Inc., a private cybersecurity contractor. Mission This capstone team analyzed existing frameworks for cyber incident response for PointStream Inc. in order to propose a comprehensive and efficient plan for U.S. cybersecurity, critical infrastructure, and private sector stakeholders. Advisor Dr. Danny Davis - Associate Professor of the Practice and Director, Graduate Certificate in Homeland Security Capstone Team Tiffany Easter - MPSA 2019 Adam Eaton - MPSA 2019 Haley Ewing - MPSA 2019 Trey Green - MPSA 2019 Christopher Griffin - MPSA 2019 Chandler Lewis - MPSA 2019 Kristina Milligan - MPSA 2019 Keri Weinman - MPSA 2019 Acknowledgement The Capstone Team would like to express gratitude to COL Phil Waldron, Founder and CEO of PointStream Inc., for this opportunity and invaluable support throughout the duration of this project.
    [Show full text]