How Would We Know if a Cyber War Started?

Physical wars are easy to determine, but not virtual ones. The Defense Department is now struggling with the odd question of how to tell when a war starts.


In the real world it’s easy to tell when a war starts. One side makes a violent attack against another and, whether or not there are casualties, everyone knows what’s what. But the virtual doesn’t have any such thing. So the Defense Department is now struggling with the odd question of how to tell when a war starts.

As Gen. C. Robert Kehler, commander of the U.S. Strategic Command, said at a conference last week:

The battle space from our perspective has expanded beyond traditional geographic boundaries as our world becomes increasingly interconnected through space and cyberspace. Potential adversaries can wield hybrid combinations of strategies, tactics, and capabilities and will operate in the shadows to present us with ambiguous indications and situations.

The recent attacks against water utilities in Illinois and Texas are perfect examples of this.

In Illinois, the Statewide Terrorism and Intelligence Center initially said hackers broke a pump which supplies water to thousands of homes by accessing it remotely and then repeatedly and rapidly turning it on and off. The agency said the hackers obtained access using stolen login names and passwords taken from a company which writes control software for industrial systems. Tuesday, the FBI and Department of Homeland Security said they “found no evidence of a cyber intrusion” into the Illinois utility’s supervisory control and data acquisition (SCADA) systems.
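As an added example (not from the article, the Illinois report, or any SCADA vendor), here is a defender-side check for the behaviour the report describes: flagging a pump whose state is toggled more than a few times inside a short window, and noting which login source issued the commands. The log format, timestamps, thresholds and source labels are all constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample command log (hypothetical format, not a real historian export):
# "<ISO timestamp> pump=<id> cmd=<ON|OFF> src=<operator|remote>"
SAMPLE_LOG = """\
2011-11-08T14:00:00 pump=P1 cmd=ON src=operator
2011-11-08T14:30:05 pump=P1 cmd=OFF src=operator
2011-11-08T15:00:00 pump=P1 cmd=ON src=operator
2011-11-08T16:10:00 pump=P1 cmd=OFF src=remote
2011-11-08T16:10:04 pump=P1 cmd=ON src=remote
2011-11-08T16:10:09 pump=P1 cmd=OFF src=remote
2011-11-08T16:10:13 pump=P1 cmd=ON src=remote
2011-11-08T16:10:18 pump=P1 cmd=OFF src=remote
2011-11-08T16:10:22 pump=P1 cmd=ON src=remote
"""

def parse_line(line):
    """Split one log line into (timestamp, pump id, command, source)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["pump"], kv["cmd"], kv["src"]

def find_rapid_cycling(log_text, window=timedelta(seconds=60), max_toggles=3):
    """Return one alert per command that pushes a pump's number of state
    changes within the sliding window above max_toggles. Repeated identical
    commands (ON after ON) are not counted as transitions."""
    last_state = {}   # pump -> last commanded state
    recent = {}       # pump -> deque of (timestamp, source) for transitions in window
    alerts = []
    for line in log_text.strip().splitlines():
        ts, pump, cmd, src = parse_line(line)
        if last_state.get(pump) == cmd:
            continue
        last_state[pump] = cmd
        q = recent.setdefault(pump, deque())
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()   # drop transitions that fell out of the window
        if len(q) > max_toggles:
            alerts.append({"pump": pump, "at": ts.isoformat(),
                           "toggles": len(q),
                           "sources": sorted({s for _, s in q})})
    return alerts

if __name__ == "__main__":
    for alert in find_rapid_cycling(SAMPLE_LOG):
        print(alert)
```

The normal operator commands hours apart never trip the check; only the burst of remote-sourced toggles in the sample does.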

However, the Naked Security blog – a very reliable source – has an interview with a hacker named “Pr0f” who claims to have done the Illinois attack and a subsequent one at a utility in South Houston, Texas. Pr0f says he took the action in order to highlight the weak-to-non-existent security around public utilities.[*] (Operator error: Pr0f didn't claim responsibility for the Illinois attack. Thanks to Jeffrey Carr, CEO of Taia Global for spotting my mistake!)

If we are to believe him – and I don’t have any reason not to – he did the second hack when DHS denied the first incident was a hack. The blog Threatpost (another great source) quotes Pr0f as saying: “I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I've also seen various people doubt the possibility an attack like this could be done.”

Prior to Pr0f’s coming forward there were reports of the Illinois attack having been routed through a Russian web address. Of course, it turned out that it wasn't a hack at all. However, even if it had been and it had been routed via a Russian address that wouldn't prove the Russians had anything to do with it. The inability to determine who is attacking you points to one more difficulty in establishing the casus belli for cyber war.

Even if we assume that the level of cyber “interference” from, say, China and Russia is no more than what the government publicly admits (and if you believe that I have a beautiful bridge I’d like to discuss selling to you) then we are already at the “shots fired across the border” stage of activities.

The truth is that cyber wars will likely be able to reach a pretty intense level before officially being classified as war. It might even be that shooting wars will be required for this to happen. Until then the battles will take place anyway. They will likely have a greater intensity – and certainly more secrecy – than any of the old KGB vs. CIA clandestine activities. The goal now may in fact be seeing how close to crippling a nation one side can get without being blamed for it.

* Naked Security’s Chester Wisniewski wrote a wonderful piece about that “security”:

Reading about this my spidey-sense was tingling... What? They have SCADA control systems hooked up to the public internet? And they are running phpMyAdmin!?!?

I run a reasonably low profile, small website for myself and some friends and at one point had installed phpMyAdmin to assist them with daily SQL management chores.

I removed it four years ago after a never ending stream of severe vulnerabilities made it too risky for my *play* site.
