INFOWAR: Introduction to Cyberwarfare

INFOWAR Class Notes

INFOWAR: Overview Part 1: Introduction to Information Introduction to Warfare Part 2: Weapons Cyberwarfare Part 3: Military M. E. Kabay, PhD, CISSP-ISSMP Perspectives Part 4: Cyberdefense Professor of Computer Information Systems Policy Issues School of Business & Management Part 5: Emerging College of Professional Schools Vulnerabilities & Norwich University Threats

Part 1: Introduction to Introduction Information Warfare  Definition* Offensive and defensive use  Introduction of information & information  Vulnerabilities systems  Goals and Objectives To deny, exploit, corrupt or  Sources of Threats and Attacks destroy  Weapons of Cyberwar An adversary’s information, NOTE: information-based processes, References to “CSH6” are to this textbook: information systems, and Bosworth, S., M. E. Kabay, & E. Whyne (2014), eds. Computer Security computer-based networks Handbook, 6th Edition. Wiley (ISBN 978-0471716525). 2 volumes, 2240 pp. AMAZON < http://www.amazon.com/Computer-Security-Handbook-Seymour- While protecting one’s own. Used with permission of Bosworth/dp/1118127064/ > or Designed to achieve Robert Duffy, Avalon5.com < http://tinyurl.com/ldg9c8r > advantages over military or business See in particular Chapter 14: “Information Warfare” by S. Bosworth. ______adversaries. *Dr Ivan Goldberg, Institute for Advanced Study of Information Warfare

Vulnerabilities Critical Infrastructure  Presidential Decision Directive 63 (PDD-63) President Clinton (1998)  Critical Infrastructure http://www.fas.org/irp/offdocs/pdd-63.htm  COTS Software Defined US critical infrastructure includes  Dissenting Views Telecommunications  Rebuttal Energy Banking and finance Transportation Water systems Emergency services  These systems are vulnerable to asymmetric warfare – effective attack by much weaker adversaries (e.g., Mafia Boy vs AMAZON & eBAY in 2000)

COTS Software Dissenting Views

 Military and civilian sectors both depend on COTS  Some critics dismiss discussion of cyberwar as FUD (commercial off-the-shelf ) software Fear, Uncertainty and Doubt Microsoft OS has become Designed to increase sales of hardware, software monoculture and consulting services Continues to be vulnerable to  Personal attacks on early promulgators of information subversion warfare doctrine Allows study and exploitation by Controversial figure: Winn Schwartau adversaries Author of novel Terminal Compromise  Some hardware being manufactured Nonfiction Information Warfare and in potentially hostile nations Cybershock texts Much manufacturing in PRC Lampooned as wild-eyed Some claims of hardware Trojans (e.g., self-publicist keyboard equipped with keylogger) Actually a committed security expert

Rebuttal to FUD claims Goals and Objectives of IW  Growing evidence of asymmetric use of information systems in conflicts  Military  Industrial espionage from PRC  Government growing  Transportation  Conflicts around world demonstrate role  Commerce of Internet as tool and target  Financial Disruptions India/Pakistan  Medical Security Bosnia Koreas  Law Enforcement Iranian unrest in June 2009  International & Corporate Espionage Arab Spring ISIS/ISIL/DAESH  Communications  Potential remains high – e.g., PSYOP using flash crowds to  Economic Infrastructure obstruct emergency personnel or create targets for terrorists

Sources of IW Threats and Military Perspective Attacks  US Joint Doctrine for Operations Security (OPSEC) Identifying critical information  Nation-States Analyzing friendly actions in military ops  Cyberterrorists Identify which ops can be observed by adversaries  Corporations Determine what adversaries  Activists could learn  Criminals Select and apply measures to control vulnerabilities to  Hobbyists minimize adversarial exploitation  Some discussion of potential offensive cyberoperations US Air Force established AF Cyber Operations Command to be stood up June 2009 Image © 2009 Beatrix Kiddoe. Used under terms of service of Photobucket. US Army established 2009 Army Posture Statement on http://media.photobucket.com/image/threats/BeatrixKiddoe/motivator639310.jpg?o=19 Cyber Operations 11 Copyright © 2016 M. E. Kabay. All rights reserved. 12 Copyright © 2016 M. E. Kabay. All rights reserved.

Nation-States: Stuxnet Nation-States: China (2010)  People’s Republic of China major actor  Written to subvert SCADA for People’s Liberation Army doctrine explicitly Siemens centrifuge programmable includes information warfare logic controllers (PLCs) Widespread evidence of Damaged Uranium-enrichment massive probes and attacks centrifuges in Iran originating from China Spun too fast – crashed physically through state sponsorship  60% of Stuxnet infections were in Iran Formal training for cadres  Speculations that US & Israel  Other countries involved in information warfare wrote Stuxnet Worm ECHELON (SIGINT) organized by UK-USA No direct proof Security Agreement (Australia, Canada, New Zealand, the United Kingdom, and the United Circumstantial evidence includes codes and States) dates that might be related to Israel Documents supporting view that US involved were released by Edward Snowden in July 2013

Cyberterrorists Corporations (1)  Remains a theoretical possibility  Potential for sabotage against rivals  Individual criminal-hacker / Documented cases of interference using hobbyist attacks raise concerns computers and networks Documented interference  1999 – BUY.COM underpriced its $588 (mostly pranks) with Hitachi monitors at $164 – perhaps Ground traffic through effects of competing knowbots Emergency 911 systems  2000 – Sun accused Microsoft of corrupting Java to interfere with platform independence Air-traffic control  2000 – Steptoe & Johnson employee accused of Hospital systems…. denial-of-service attack on Moore Publishing  Pranksters have been spreading  2000 – AOL accused of interfering with other false news via Twitter (deaths of ISPs by tampering with Internet settings celebrities….)  Growing use of insecure wireless systems raises additional concerns for PSYOP

Corporations (2) Corporations (3)

 2005 – FCC investigated phone  FBI deems economic espionage serious problem: < company ISP interference with Vonage VoIP https://www.fbi.gov/about- us/investigate/counterintelligence/economic-espionage >  2006 – Businessman selling t-shirts hired hacker to damage competitors using DDoS Infected 2000 PCs with slave programs in botnet Disabled Websites and online sales Jason Arabo (19 years old) sentenced to 30 months prison & $500K restitution Younger hacker (16 years old) sentenced to 5 years prison & $35K restitution

Hacktivists (1) Hacktivists (2)

 Hacktivists use criminal hacking in support of  1998: Free East Timor (Indonesian Web sites) politics or ideology  1998: Legions of the Underground declared  1989: WANK (Worms cyberwar on Iraq and China Against Nuclear Killers)  1999: Jam Echelon Day: traffic with many keywords thought to spark capture by spy Infected DOE, network HEPNET & NASA networks  2000: World Trade Organization “You talk of times of peace for all, and then Hackers probed Web sites prepare for war.” 700 times  1998: Electronic Disturbance Theater Tried to penetrate barriers 54 times Indigenous peoples’ rights in Chiapas, Mexico Electrohippies launched DoS attack

Hacktivists (3) Hacktivists (4)  2004: Electronic Disturbance Theater launched DoS on  Anonymous (Anon) conservative Web sites during 2003 – 4chan board Republican National Convention No leaders  2008: Project Chanology Focus on defending launched against Church of Wikileaks in 2010-2011 Scientology Attacked Church of  2008: Chinese hackers attacked Scientology CNN Web sites to protest Western media bias QUESTION: doing good or not?  2009: much Web-defacement activity during attack by Israel See extensive list at on Gaza < https://en.wikipedia.org/wiki/Ti meline_of_events_associated_ Guy Fawkes Mask with_Anonymous > 21 Copyright © 2016 M. E. Kabay. All rights reserved. 22 Copyright © 2016 M. E. Kabay. All rights reserved.

Hacktivists (5): Criminals (1) Recent Campaigns by Anonymous  2014  Stock manipulation: pump ‘n’ dump schemes Ferguson re shooting of Mike Brown NEI Webworld pump-and-dump (Nov 1999) Operation Hong Kong vs government repression 2 UCLA grad students & associate bought Attacks on Philippine govt for poor response to almost all shares of bankrupt NEI Super Typhoon Yolanda Webworld company  2015 Using many different pseudonyms, posted >500 messages praising company Charlie Hebdo – condolences, target Jihadists Also pretended to be company interested Islamic State – thousands of ISIS Websites, Twitter in acquisition accounts inactivated Within 1 day stock value increased from Death Eaters – pedophiles attacked $0.13 to $15 per share Stop Reclamation – 132 PRC govt Websites attacked Made ~$364K profit StormFront – neo-Nazi group attacked OPKKK – revealing names of KKK members 23 Copyright © 2016 M. E. Kabay. All rights reserved. 24 Copyright © 2016 M. E. Kabay. All rights reserved.

Criminals (2) Criminals (3) – Identity Theft  Los Angeles gasoline-pump fraud (1998) New computer chips in gasoline pumps Cheated consumers Overstated amounts 7%-25% Complaints about buying more gasoline than capacity of fuel tank Difficult to prove initially Programmed chips to spot 5 & 10 gallon tests by inspectors Delivered exactly right amount for them!  Organized crime (esp. Russian, Eastern European) involved in identity theft  Methods and targets could be used in organized state- sponsored information warfare, especially if SCADA (supervisory control and data acquisition) systems Figures from Finklea, K. (2014). “Identity Theft: Trends and Issues.” targeted Congressional Research Service. Report #7-5700. 27 pp. P. 11. < https://www.fas.org/sgp/crs/misc/R40599.pdf >

Criminals (4) – ID Theft cont’d Criminals (5) – ID Theft cont’d

Criminals (7) – Ransomware Criminals (6) – Ransomware cont’d

 1989 – AIDS Information Diskette Scrambled names of folders & files Demanded payment to unlock  Today: ransomware

Encrypts data 2015.pdf

Demands payments using Bitcoin - q1

Extortion of $10K-$100K -

threat

McAfee Labs Threats Report (May2015).

quarterly

From From http://www.mcafee.com/us/resources/reports/r p

Part 2: Weapons of Cyberwar Denial of Service Malicious Code Part 2: Cryptography PSYOP Physical Attacks Weapons Biological & Chemical WMD Weapons Inadvertently Provided

Examples of INFOWAR DoS Overview (1) Techniques  Denial-of-service attacks (DoS) & DDoS This next section is designed (Distributed DoS) attacks Render target systems / networks unusable or to impress newcomers to the inaccessible Saturate resources or cause catastrophic INFOWAR field with the errors Difficult to prevent without widespread existing variety and cooperation among ISPs  DoS & DDoS attacks powerful tool for complexity of cyberthreats. asymmetric warfare Attacker resources can be modest Consequences can be severe

DoS Overview (2) History of DoS (1)  Can also occur by mistakes causing positive feedback loops e.g.,  Early systems subject to resource exhaustion  Autoforwarding between 2 e-mail HP3000 console (early 1980s) received all accounts system messages When target fills up, sends bounce Logons, logoffs, requests for paper & tape to original address which forwards bounce to full account which generates Pressing any key on console without pressing new bounce which… until mailbox fills up key blocked incoming system messages  Out-of-office replies to lists System buffers filled up with messages Message sent to everyone on list No further actions requiring notifications Including absent person… No one could finish logging on or off …whose e-mail sends out-of-office reply to entire Anyone asking for tape/paper froze list including same absent person….  All systems that use obligatory user lockout at risk  Competing Web-bots of DoS E.g., automatically reducing price below each Attacker need only log on to all userIDs with other’s sale price…. bogus password – locks everyone out

History of DoS (2) History of DoS (3)

 1987-12: Christmas-Tree Worm IBM internal networks Grew explosively Panix Attacks of September 1996 Self-mailing graphic  Unknown criminal hacker attacked the PANIX Escaped into BITNET Internet Service Provider Crashed systems  "SYN-flooding attack"  1988-11: Morris Worm Stream of fraudulent TCP/IP requests for Probably launched by mistake connections Demonstration program Non-existent Internet addresses Replicated through Internet Overwhelmed server ~9,000 systems crashed or were deliberately Denied service to legitimate users taken off-line  TCP/IP specialists immediately developed patches Was about ½ to ¾ of Internet as it was then to prevent recurrence 37 Copyright © 2016 M. E. Kabay. All rights reserved. 38 Copyright © 2016 M. E. Kabay. All rights reserved.

History of DoS (4) History of DoS (5)  Forbes (Feb 1997) Melissa Virus (Mar 1999) Disgruntled employee George Parente  CERT-CC reported fast-spreading new MS-Word macro virus deleted budgets, salary data Melissa written by “Kwyjibo/VicodenES/ALT-F11” Crashed 5 of 8 network servers to infect Word documents Systems down 2 days – costs >$100K Uses victim's MAPI-standard e-mail address book Arrested by FBI – pled guilty Sent copies of itself to 50 most e-mailed people  Windows NT servers attacked (Mar 1998) E-mail message w/ subject line Repeated crashes "Important Message From ” Included NASA, .mil, UCAL sites  Spread by David L. Smith (Aberdeen, NJ)  Australian mailstorm (May 1998) Spread faster than any previous virus Bureaucrat set autoreply + autoconfirmation to be sent to 2,000 Took down ~100,000 e-mail servers users in network Estimated $80M damages Generated 150,000 messages in Convicted in 2002 of knowingly spreading computer virus 4 hours Sentenced to 20 months in federal prison + 100 hrs His own mailbox had 48,000 e-mails community service + 1,500/day arriving 39 Copyright © 2016 M. E. Kabay. All rights reserved. 40 Copyright © 2016 M. E. Kabay. All rights reserved.

Damages from DoS and Costs of DoS DDoS: Tort  Direct costs often difficult to compute  Indirect costs involve  Potential tort liability from allowing system to be used for harmful activities Loss of immediate business Possible that victims of DoS and DDoS will Consumers switch to another Website if a sue intermediate hosts for contributory vendor’s system is too slow negligence Loss of customer confidence  Existing law in USA establishes requirements Many customers stay with latest supplier for best practices in preventing harm Potential legal liability under SLAs (Service Industry standards are common basis Level Agreements) Competitive pressures may move Costs of recovery corporations to prevent misuse of their systems by DoS and DDoS tools National security issues $$$

Specific DoS Attacks E-mail-Bombing (1)  Destructive Devices (Malicious software)  In early days of e-mail (1980s), anyone could flood mailboxes Logic bombs See CSH6 Chapter 16,  ISPs imposed strict limits on number of outbound e-mails Viruses, worms, Trojans Malicious Code  EULAs / Terms of Service explicitly forbid flooding Exploits of known vulnerabilities  But could still use e-mail lists to flood  E-mail Bombing & E-mail Subscription-list victims Bombing  1996-08 — “Johnny [x]chaotic”  Buffer Overflows  Subscribed dozens of people to hundreds  Bandwidth Consumption of lists  Routing & DNS Attacks  Victims received up to 20,000 e-mail msg/day  SYN Flooding  Published rambling, incoherent manifesto  Resource Starvation  Became known as “UNAMAILER”  Java  Struck again in December  Router Attacks  Caused serious re-evaluation of e-mail list management  Other Resources

E-mail Bombing (2) Overview of DDoS (1)  Root problem  Some list managers automatically subscribed people without verification  But now almost all lists verify authenticity of request  Send request for confirmation to supposed recipient  But can still flood victim using automated subscription requests  Thus many list managers now use CAPTCHAs*

*Completely Automated Public Turing test to tell Computers and Humans Apart http://tinyurl.com/hl3m7kj 45 Copyright © 2016 M. E. Kabay. All rights reserved. 46 Copyright © 2016 M. E. Kabay. All rights reserved.

Overview of DDoS (2) History of DDoS (1)  Attacker subverts poorly secured system  Controls tools to send large volumes of coordinated  Jun & Jul 1999: Trin00 traffic against target (aka Trinoo)  Massive multiplier effect Thought to be 1st DDoS tool  Packets arrive from many different sources Tested on 2,000 systems Makes packet filtering by source impossible worldwide  Sources can be  Aug 1999: large-scale deployment of Trin00 manipulated for >227 systems used as sources PSYOP in Attacked 1 University of Minnesota computer – information down 2 days warfare – misleading  Dec 1999: CERT/CC® issued CA-1999-17 impressions discussing DDoS for 1st time  Feb 2000: Mafiaboy attacks multiple e-commerce sites (see next slide)

History of DDoS (3) History of DDoS (2)  May 2001: Attacks on  February 7, 2000 attack from “Mafiaboy” Steve Gibson’s GRC.com  Michael Calce, 15 year-old boy from Montréal area, Canada Well-known security  Used a dial-up modem to control DDoS expert, writer, programmer  Effects 13-year-old attacker used  Yahoo.com inaccessible 3 hours IRC bot  Est. $500,000 loss in revenue  Oct 2002: DNS servers  Stock value fell 15% attacked  Feb 8:   Amazon.com 10 hours – $600,000 loss All 13 top-level Domain Name System root servers  Buy.com – 9.4% availability stock lost 44% of value swamped by DDoS for 2 hours  CNN – user count fell to 5% of normal 9 servers went down – only 4 continued working  eBay stock value fell 24% A few more hours might have knocked all the root  Feb 9: servers off the ‘Net – could have stopped entire  E*Trade & ZDNet – completely unreachable Worldwide Web  Charles Schwab – brokerage down – no exact figures

History of DDoS (4) DDoS Attack on Social Networking Sites – Aug 2009  DDoS as tool for extortion Growing number of criminals (and criminal  Aug 6-8, 2009 – SNS under attack organizations) threaten DDoS attacks unless paid Twitter down ransom LiveJournal down and up Demonstrate power by interrupting service Facebook slow Most victims stay quiet about extortion Gawker affected  Jan 2009: TechWatch digital TV site down Xbox Live DDoS allegedly using 9,000 bots Some Google services for SYN flood  Analysts believe attack was aimed at 1 blogger 446Mbps avalanche of packets rose to 2 Gbps Cyxymu outspoken critic of South Ossetia war Writes in “Georgianised Russian” Victim applied advanced traffic filters  Attackers demanded ransom DDoS attack blamed on Russian hackers* *Example of

DDoS vs BBC TV Website DDoS vs Irish Lottery

 2016-01-02  1121 GMT 2016-01-20  BBC Website down to 1325 for few hours  Largest jackpot in 18  DDoS months  Post screenshot  Could not buy tickets w/ #tangodown Machines blocked or #takendown Website  Anti-ISIS hackers unresponsive New Word Hacking Claim pen-testing to fight ISIS “Only a test”

DDoS Terminology & DDoS Tools – Details Overview Elsewhere  Terms (synonyms) Intruder (attacker, client)  Trin00 Master (handler)  Tribe Flood Network Daemon (agent, beast,  Stacheldraht bcast program, zombie)  TFN2K Victim (target)  Trinity  Process  Code Red Worm Intruder compromises insecure systems  NIMDA Installs master program  Hidden Links in Scans for thousands of weak systems Web Pages or Programs Installs daemon code to listen for instructions Instructs owned systems to launch DDoS Permission requested from Frans Charming 55 Copyright © 2016 M. E. Kabay. All rights reserved. for permanent use of image 56 Copyright © 2016 M. E. Kabay. All rights reserved.

Malicious Code/Malware Linux.Ekcocms.1 Trojan

 Terminology:  2016-01-16 Viruses, worms, Trojan horses  Linux systems See CSH6 Chapter 16  Snaps screenshot Mobile code such as Java, ActiveX, every 30 seconds VBscript INTEL: user activity See CSH6 Chapter 17 Websites visited  Malware widespread Programs used In 1980s & 1990s used by individuals  Saves to folders on disk In 1990s & 2000s increasingly used by organized Uploads encrypted crime contents to remote server Significant evidence of state-run malware research and development

Cryptography Wars (1) Cryptography Wars (2)  Cryptography used in military operations for millennia  Control shifted to Export Administration Regulations (EAR)  Cracking ciphertext top priority for governments and criminals Dept of Commerce Parallel processing More liberal Ultra-high-speed computers  Back doors to crypto (teraflops) Many governments/regimes demand access to  Debate about international traffic in strong cryptography encryption keys or “master keys” International Traffic in Arms Regulation (ITAR) of US Civil-liberties groups restricted export oppose demand ITAR under control of State Dept Weaken crypto for all users Critics regarded ITAR application to cryptography as pointless Usable by dictatorial regimes & criminals

PSYOP (1) PSYOP (2)  Psychological operations = PSYOP  Classic example of PSYOP: preparation for Normandy Planned psychological activities invasion (DISINFO) Directed to enemy, friendly, neutral Allies fabricated & planted leaks audiences about supposed invasion at To influence emotions, motives, Pas de Calais attitudes, objective reasoning & Nazis believed that General behaviors George S. Patton leading In ways favorable to originator invasion  Targets at all levels (individuals, groups, organizations,  Concentrated Nazi troops away military, civilian) from actual Normandy landing  Goals areas Reduce morale & combat efficiency among enemy  Sep 11, 2001 WTC bombing & subsequent anthrax- Promote dissension & defection among enemy spore scare illustrate effects similar to PSYOP – Support deception operations by friendlies demoralization, economic consequences, changes in culture Promote cooperation, unit, morale in friendlies

Physical Attacks Weapons Inadvertently Provided

 Sep 11, 2001 attacks had noticeable effects on  Vulnerabilities in software systems open nation to information infrastructure cyberwar  Backhoe attacks facilitated Bad software design (see RISKS FORUM DIGEST) by warning signs about where not to dig – indicate communications trunks  Undersea cables susceptible to sabotage https://catless.ncl.ac.uk/Risks/  International prevalence of car bombings, suicide Poor software quality assurance bombings & IEDs (improvised explosive devices) causing rethinking about weapons of cyberwar Rush to market of incompletely tested software  Increased attempts to secure civilian infrastructure  See CSH6 Chapters  But much of public policy described as security theater 38 Writing Secure Code (after Bruce Schneier) by critics 39 Software Development & Quality Assurance 40 Managing Software Patches & Vulnerabilities

Part 3: Military Perspectives on Cyberwarfare Fundamental problems Part 3: Asymmetric warfare: central concept Military In-kind counterattacks Forceful defenses Perspectives Industrial espionage Critical infrastructure Current battle with Daesh/ISIL/ISIS

Fundamental Problems (1) Fundamental Problems (2)  A fundamental flaw in today’s Internet: THERE IS NO GUARANTEE OF AUTHENTICITY  Criminals & hostile forces can use distributed IN IPV4 attacks Botnets created by commandeering Origination IP addresses can be spoofed! poorly-secured computers owned by A 12 year old hacker can make packets coming amateurs from her computer look like they come from Albania Botnets can have 10,000 zombies  Distributed networks are impervious to take- IPv6 does include strong down authentication Multiple connectivity But it isn’t Multiple replication yet widely Shut down one TOR node, no one notices* implemented See e.g., Dingledine, R., N. Mathewson, & P. Syverson (2006). “Tor: The Second-Generation Onion Router.” < http://hatswitch.org/~nikita/courses/ece598nb-sp06/slides/tor.ppt >

Asymmetric Warfare In-Kind Counterattacks

 Defense more expensive than attack  Problematic because of address spoofing  Probability of at least 1 weakness Not certain where attacks originate Increases as number of potential attack Could attack wrong target points grows  Recent incidents have been inconclusive n  P(system breach) = 1 – (1 - p) where Israelis vs Arabs p = probability of unit failure & Taiwan vs PRC n = number of independent possible Kashmir vs India breach points or Serbs vs Albanians  P = 1 – Π(1 - pi) where PRC vs USA Π is multiplication  Fundamental asymmetry of attacker/defender pi = probability of failure of unit i makes counterattacks in kind futile

Forceful Defenses Unlikely Industrial Espionage  Stahl, J. (2016-01-17). “The Great Brain  Barriers to the use of force Robbery: Economic espionage sponsored by US increasingly reluctant to use force without the Chinese government is costing U.S. international support corporations hundreds of billions of dollars Identity of attackers may be unclear and more than two million jobs.” Sixty Minutes, CBS News. Spoofing may lead to misidentification < http://tinyurl.com/hae3fne3 > Difficult to characterize specific incident as cyberattack, error, accident, or malfunction  US Dept of Justice describes Chinese cyberespionage as “national security Attackers may not be state actors – cannot launch emergency” war against criminals, activists, individuals  Government-sponsored hackers attack 1000s UN doctrine limits reactions to proportional of US private corporations response  Thus unlikely to see forceful response to cyberattack  US companies doing business in PRC have trade secrets consistently stolen

Critical Infrastructure Critical Infrastructure Attacked  Electricity generation, http://smile.amazon.com/gp/product/111881763 production & distribution (PTD)  Gas PTD  Volz, D. (2016-02-25). “U.S. government  Oil and oil products PTD concludes cyber attack caused Ukraine power  Heating systems outage.” Reuters < http://tinyurl.com/hsf47hl >  Financial services (banking, clearing)  2015-12-23  Security services (police, military) 225,000 people affected  Water supply (drinking water, waste 1st known successful cyberattack on a grid water/sewage, flood control)  Telecommunication (radio, TV, phones, Likely from Russian Sandworm group Internet)  Installed malware that switched breakers off  Public health (hospitals, clinics,  DoS on customer-service phones medicines, ambulances)  Agriculture, food PTD (supplies, storage, wholesale, retail) Prevented real customers from reporting  Transportation systems (fuel supply, railway network, airports, outages harbors, trucking for inland shipping)

DAESH/ISI & Social Media Pentagon v DAESH (1)  PSYOP a critical element of strategy Attracting recruits Using YouTube, Twitter, Facebook…. Gruesome videos of violence appeal to angry young people Shifting to also including “normal” “fun” info about members  More info: Wagner, D. (2015). “What the Islamic State Is Teaching the West About Social Media.” TheWorldPost. < http://tinyurl.com/jz8pfae > Wallin, M. (2015). “Winning the Social Media War Against ISIS.” American Security Project. < http://tinyurl.com/j8l9mak >

Pentagon v DAESH (2) Hackers v DAESH  2016-02-29  Griffin, A. (2015-11-27). “Anonymous has  Cyberoffensive launched vs taken down an ISIS website and replaced it ISIS with an ad for Viagra.” Business Insider. < http://tinyurl.com/j2fkf7v >  Military hackers attacked computer/cellphone networks  GhostSec affiliate  Launched from Ft Mead, MD  Click through to  Overload enemy networks pharmacy site Interrupt C2 of forces w/  Buy Viagra and Prozac DoS  PSYOP to make Cannot just blanket entire candidates laugh at ISIS area – need INTEL  Block ISIS PSYOP Email Social media

DISCUSSION:

 What are the most effective measures for defending against cyberwarfare attacks? Part 4:  Are kinetic (conventional) warfare methods adequate / appropriate for reducing cyberattacks? Cyberdefense  How do we cope with the risk of attacking the wrong targets? Policy Issues

Part 4: Cyberdefense Policy Legal Defenses Issues  International legal system ineffective vs infowar Information warfare not prohibited under UN charter Legal Defenses (except if it causes death or property damage) Technical Defenses Little or no police power to enforce few laws that exist governing infowar Cooperative Efforts Sovereignty trumps law in cross-border US Military Policies communications US Foreign Policy No major powers have pressed to international laws or treaties to govern infowar Politics may override legal judgement Power of criminals supersedes legal systems Identifying source of attacks difficult Technology advances faster than laws  Not likely to see legal defenses used against cyberattack

Technical Defenses Cooperative Efforts  All the technical defenses used in protecting  Little evidence of international cooperation to fight computers and networks against individual attack cyberterrorism or limit cyberwarfare can be used in cyberdefense  Strong efforts by US military to  Entire contents of CSH6 apply to cyberwarfare increase cyberwarfare capabilities defense  NATO starting to act  Constant attention to evolving vulnerabilities and Signed agreements for coop’n threats NATO supporting Cooperative  Special value for INTEL and COINTEL activities Cyber Defence Centre of Intelligence to track state and non-state actors Excellence in Estonia e.g., infiltration, monitoring Internet chatter  EU supporting civilian cyberspace Counterintelligence to identify spies and programs saboteurs

Robinson, N. (2013). “Cybersecurity Strategies Raise Hopes of International Cooperation.” RAND Corporation. < http://tinyurl.com/jfvc9g7 >

US Military Policies (1) US Military Policies (2)

 Joint Doctrine for Operations Security  USCYBERCOM (US Cyber Command) OPSEC 2009-06-23 SecDef ordered Identify critical information creation Analyze visibility to adversaries  Mission Identify tactical and strategic Plan, coordinate, advantages to adversaries of integrate synchronize, data acquisition conduct Identify & implement Operations/defense countermeasures DoD info networks Prepare/conduct US Joint Chiefs of Staff (2006). cyberwarfare “Operations Security.” Joint Publication 3-13.3. < https://fas.org/irp/doddir/dod/jp3_13_3.pdf >

US Military Policies (3) US Military Policies (4)  USCYBERCOM cont’d: Focus Presidential Policy Directive PPD-20 (2012-10) leaked 2013-06-07 Defend DoDIN < http://tinyurl.com/hezjbs2 > Support combatant commanders in action Strengthen US resistance & response to cyberattacks

https://www.stratcom.mil/factsheets/2/Cyber_Command/

US Foreign Policy Part 5: http://tinyurl.com/npfoxh9 Emerging Vulnerabilities & Threats

Part 5: Emerging Vulnerabilities Internet of Things & Threats  Growing number of controls in homes & industry Internet of Things connected via unprotected Internet Connected Automobiles  2010 – STUXNET worm vs Iranian nuclear centrifuges Self-Driving Cars US/Israeli cooperation Industrial Destroyed SCADA for SIEMENS centrifuges Robots  Dec 2015 – networked toys usable as spying devices Hospital  Jan 2016 – NEST thermostats updated – stop working Systems properly – cold homes  Jan 2016 – SHODAN search engine browses Webcams including in people’s houses  Feb 2016 – US Dir Natl Intel states that TV, car, & toys networked via Internet usable for surveillance

Connected Automobiles Self-Driving Cars (1)

 Security Innovation researcher  Laser pointer scrambles LIDAR http://tinyurl.com/qby7gok http://fortune.com/2015/09/15/intel-car-hacking/  Laser pointer tricks system into taking evasive action

Industrial Robots

http://tinyurl.com/ko6cuhy

http://tinyurl.com/j7jg7w9

Driving Driving Cars (2)

- Self

http://tinyurl.com/m2jarqo

DISCUSSION Hospital Hospital Systems

Now go and study