16 August 2008, 17:43
Misunderstanding cyberwar
Ethan Zuckerman
August 16, 2008
There's nothing like the term "cyberwar" to capture a reader's attention. For those who grew up on "Wargames", "Sneakers" or William Gibson novels, the term conjures up images of heroic hackers in shadowy basements, frantically tapping on keyboards in a life and death struggle against the enemy on the other side of the glowing CRT screen.
It's a vision that was compelling to senior people in the US Air Force, including former USAF Secretary Michael Wynne, who was fired earlier this year over the scandal of mishandled nuclear weapons. Before his departure, Wynne launched the Air Force's "Cyberspace Command" with a television ad that portrayed the Air Force as the defender of the Pentagon against an onslaught of digital attacks. The Pentagon has stopped funding and now may cancel the initiative.
Wynne argues that the current military faceoff between Georgia and Russia over South Ossetia is an instance of cyberwar, saying "The Russians just shot down the government command nets so they could cover their incursion. This was really one of the first aspects of a coordinated military action that had cyber as a lead force, instead of sending in air planes."
That's the sort of speculation tech reporters live for. It raises the possibility that, instead of reporting on venture capital deals and the kudzu-like spread of Facebook, they might get the chance to be war reporters without the complication of being shot at. In the past week, in-depth articles on cyberwar have graced the pages of the Washington Post, the New York Times, Christian Science Monitor, and Salon.
The best of these articles have a common conclusion: it's very hard to know what's actually gone on. Call it "the fog of cyberwar". Better yet, please don't. As the dust settles, it's unclear whether "cyberwar" is even an appropriate term for what's taken place online as an actual war - the kind with guns and dead people - has transpired in Georgia. It's worth remembering that in this "cyberwar", the most serious consequence is that a website becomes temporarily inaccessible to viewers - it's a war being fought with paintballs, not with live rounds.
Here's what's known: many Georgian websites have been difficult or impossible to access for several days. In response, the Georgian government has moved some vital email addresses and websites to Google, and other Georgian websites have sought help from Estonia. Here's what's not known: whether these attacks were directed by the Russian military, as Georgia's Foreign Minister has speculated, by shadowy criminal gangs, or just by kids with a grudge against Georgia and too much free time. The last of these scenarios is looking increasingly likely.
Some of the most dramatic reports of cyberwar have come from an anonymous blog (RBNexploit) that tracks the Russian Business Network. RBN is a source of great concern to many in the computer security community - it's a very successful producer of tools used for spam, identity theft and malware. The RBNexploit bloggers asserted that RBN hackers - on behalf of the Russian government - had taken control of backbone routers that delivered traffic to Georgia via Turkey, effectively cutting Georgia off from the Internet.
While this would have been dramatic and exciting, it doesn't appear to be true. Earl Zmijewski, a vice president at internet monitoring company Renesys, has been watching connections into Georgia very closely and reports, "During the hostilities, we've seen no significant changes in routing. In particular, we saw no apparent attempts to limit traffic via Russia, but then again, most traffic from Georgia seems to currently transit Turkey."
What's knocked some Georgian websites offline are denial of service attacks. These attacks are the equivalent of harassing a person by calling her on the phone as often as possible and hanging up when she answers. On the web, this involves sending a request to a web server over and over, hoping to overwhelm it and make it incapable of serving pages to legitimate users. In a more sophisticated version of the attack, dozens or hundreds of people call the same number - load the same webpage - which might make even a modest-sized corporation impossible to reach for the duration of the attack. These more complex attacks are called distributed denial of service attacks (DDoS), and they have become frustratingly common since CERT (Carnegie Mellon's Computer Emergency Response Team) first warned of them in 1999.
It requires very little technical expertise to carry out a simple DoS attack - hit reload on your web browser every few seconds and you'll be carrying out an (ineffective, primitive) attack. Belarusian tech journalist Evgeny Morozov was curious how much technical skill it would require to participate in a more organized attack. In a brilliant article for Slate, he describes visiting sites like StopGeorgia.ru, where he discovered a webpage that, saved to his desktop and opened in a browser, made thousands of requests an hour to 18 Georgian websites. Presto - "cyberwar" for dummies. A bit more poking led him to a set of instructions for DoSHTTP, a utility that can easily be misused to perform efficient denial of service attacks.
The technical solutions Morozov found weren't especially sophisticated - one relied on a dozen lines of JavaScript code, the other on a widely available off-the-shelf tool. These attacks can be effective not because they're using especially sophisticated technology, but because they leverage a "social hack" - they rely on the actions of individual, patriotic Russians organized via sites like StopGeorgia, which hosts a "scoreboard" displaying which Georgian sites are reachable and unreachable. Look too hard for shadowy political forces and esoteric technology and "we risk underestimating the great patriotic rage of many ordinary Russians, who, having been fed too much government propaganda in the last few days, are convinced that they need to crash Georgian Web sites. Many Russians undoubtedly went online to learn how to make mischief, as I did." (Morozov is very clear that his sympathies don't lie with the Russians in this conflict, and that his attacks were conducted very briefly, for research purposes.)
The attacks on Georgian websites are probably not just coming from angry Russians hitting reload. Some are likely coming from "botnets", large sets of computers that have been infected with malware, software that allows a computer to be controlled remotely by a third party. Russian hacker network RBN controls one network, the Storm botnet, but many others exist. It's now possible to "rent" a botnet - Bill Woodcock of internet research consultancy Packet Clearing House estimates that botnets can be rented to perform DDoS attacks for as little as four cents per machine. It's possible that some hackers have rented botnets and turned them against Georgian websites, or that some operators have decided to "donate" attacks to the anti-Georgian cause.
The rhetoric of "cyberwarfare" has a reassuring implication: we understand how to fight wars, so surely we can win a cyberwar. Unfortunately, the truth is more complicated. There's no magic "cyberspace command" solution the USAF can unleash to defeat a botnet. The administrators trying to bring Georgian webservers back online are doing precisely what any sysadmin does confronted with a DDoS - they are blocking traffic from the IP addresses that are launching the attacks, and sharing these blocklists with administrators confronting the same problems. If they can block addresses more quickly than the attackers can recruit more participants, they'll win. This strategy is known by the complex technical term "Whack-a-Mole", and it's roughly as frustrating as the fairground game of the same name.
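To make the "Whack-a-Mole" routine described above concrete, here is an added example that is not from Zuckerman's post or from any tool it mentions. It parses web server access-log lines in Common Log Format, flags any address that exceeds a request-rate threshold inside a sliding time window (the DDoS signature the paragraph describes: the same source requesting the same pages over and over), merges the result with a blocklist shared by a peer administrator, and filters the log the way a blocking rule would. Every log line, address (drawn from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24), timestamp, threshold and helper name below is constructed for illustration.

```python
"""Rate-based DDoS triage over web server access logs (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx Common Log Format, e.g.
# 203.0.113.7 - - [11/Aug/2008:14:00:00 +0400] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def flag_flooders(lines, window_seconds=10, threshold=20):
    """Return the set of IPs that make more than `threshold` requests
    inside any `window_seconds`-long sliding window.

    Records are sorted by timestamp first, so the input need not be ordered.
    """
    records = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda r: r["ts"])
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = set()
    for rec in records:
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(rec["ip"])
    return flagged


def merge_blocklists(*blocklists):
    """Union of several blocklists, e.g. ours plus one a peer admin shared."""
    merged = set()
    for b in blocklists:
        merged |= set(b)
    return merged


def filter_blocked(lines, blocklist):
    """Return only the lines whose source IP is not on the blocklist."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["ip"] not in blocklist:
            kept.append(line)
    return kept


# --- Constructed sample traffic (not real log data) --------------------------
_BASE = datetime(2008, 8, 11, 14, 0, 0, tzinfo=timezone(timedelta(hours=4)))


def _line(ip, offset_seconds, path="/"):
    t = _BASE + timedelta(seconds=offset_seconds)
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = (
    [_line("203.0.113.7", i * 0.25) for i in range(40)]        # flood: 40 hits in 10 s
    + [_line("198.51.100.20", s, "/news") for s in (0, 3, 6, 9, 12)]  # ordinary visitor
    + [_line("192.0.2.9", s) for s in range(0, 61, 2)]          # someone hitting reload every 2 s
)

# Constructed blocklist "shared by another administrator" fighting the same flood.
PEER_BLOCKLIST = {"203.0.113.7", "203.0.113.99"}

if __name__ == "__main__":
    ours = flag_flooders(SAMPLE_LOG)
    combined = merge_blocklists(ours, PEER_BLOCKLIST)
    print("flagged locally:", sorted(ours))
    print("combined blocklist:", sorted(combined))
    print("lines passing the block:", len(filter_blocked(SAMPLE_LOG, combined)))
```

Note that the reload-every-two-seconds visitor is not flagged at these settings: only the source that clearly exceeds the rate is, which is the trade-off every threshold-based rule makes. The window and threshold are assumptions to tune per site, and the whole approach remains the "Whack-a-Mole" the paragraph describes: the blocklist only helps until the next batch of sources appears in the log.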
What's frightening about the online attacks against Georgia is not that they're organized by shadowy Kremlin forces, but that they're coming from a loosely organized group of individuals. In his new book "Here Comes Everybody", Clay Shirky notes that one of the characteristics of the contemporary internet is that it enables "ridiculously easy group formation." Once formed, these groups can organize potluck dinners or spread propaganda. Chinese netizens, angered by what they perceived as anti-China bias in western media, organized a campaign to challenge media narratives on sites like Anti-CNN.com. Individuals have flooded YouTube with videos exposing errors in CNN and BBC's China coverage and arguing that Tibet is a part of a multi-ethnic, federated China. Most western media reports assume this effort is organized by the Chinese government, a charge participants angrily deny.
The shift from a world where power comes solely from governments and militaries to one where power can come from loosely organized, ad hoc groups is a hard one to grasp. It's easy to understand why the press and the military would misunderstand the situation in Georgia as a new type of military attack. The truth may be more intriguing and frightening - we've entered an era where individuals can organize their own "cyberwar" campaigns online, in concert with or in opposition to their governments.
Source: http://www.ethanzuckerman.com/blog/2008/08/16/misunderstanding-cyberwar/