Tag Archives: Cybersecurity

Instability-Stability Paradox and Cyber Attack on Gaming Firm

By Jon Lindsay

A new and notable cyber attack, allegedly from Iran and targeting an American gaming firm for disruption rather than exploitation, is being reported in the media: http://www.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas. This is interesting for deterrence theorists along a number of dimensions: (1) it appears to be a use of cyber to inflict punishment for the political position of the firm’s CEO; (2) the attackers appear to be seeking out, and staying below, the threshold that would invite retaliatory punishment; (3) they are aided in doing so by a victim striving to keep the attack secret to protect its reputation; and (4) all of this involves (allegedly) foreign targeting of a US non-state actor (a firm) as a way of increasing the ambiguity of the attack, so that the first coercive punishment can be administered without drawing a retaliatory one.

One passage speaks directly to the stability-instability logic of CDD we have been discussing for a while: “Experts worry that America’s rivals may have found the sweet spot of cyberwar—strikes that are serious enough to wound American companies but below the threshold that would trigger a forceful government response. More remarkable still, Sands has managed to keep the full extent of the hack secret for 10 months.”

Cyber Attack: N=2?

By Jon Lindsay

There are a number of interesting things in this report of a (probably Russian) cyber attack on an oil pipeline in Turkey in 2008, more than two years before Stuxnet became public: http://www.bloomberg.com/news/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar.html.

The use of surveillance cameras as a point of entry to attack the very system they were supposed to be defending is particularly rich. The attackers also suppressed malfunction alarms in the pipeline so that they never reached the control room, a trick also employed by Stuxnet among others (https://www.youtube.com/watch?v=KYAbFqkvzQA). The same information technology that is supposed to improve visibility of a system also makes the overall system more complex: this both creates vulnerabilities attackers can exploit AND creates intelligence and planning challenges for the attacker. Notably, this does not look like a trivial or amateurish operation. (Although, men skulking about with laptops in military uniforms? Surely a better disguise was possible?)

Whether this is the first cyber attack or not is a matter of definition. Some people cite Thomas Reed’s story of a 1982 sabotage of a pipeline in Russia—a CIA counterintelligence operation against the KGB’s Line X industrial espionage program—but there are reasons to be skeptical about this event (there is no corroborating witness to this supposedly monumental explosion). I have described Stuxnet as the only publicly known instance of a cyber attack used to cause physical damage across international borders. I was hedging against the possibility of one or more unknown attacks, like this one. Surely there must be others. (You could also quibble that attacks that have bricked or locked up machines count as physical damage even before Stuxnet.) Other news reports cite US military sources as having used cyber attack on the battlefield on a small scale, but there are no further details.

I haven’t been through it in depth, but this case appears to reinforce conclusions that I and others have drawn from the Stuxnet case:

– Essentially, cyber attack is a form of covert action. It depends on deception and subversion, which is frightening and hard to detect and may go undetected for years, but by the same token it is self-limiting. If compromise is fatal to an operation, then operators have to show restraint in their objectives and take extra precautions in their planning. Deception abounds in this case, but it seems to have had little meaningful political effect because the targets could simply blame the usual nuisance factors like the PKK or a malfunction. If a cyberwar happens in the forest but nobody hears…

– Sophisticated attack is a nation-state game. It takes planning, pre-attack surveillance, and supporting operational infrastructure. This attack had a lot of moving parts, and the attackers knew a lot about POL (petroleum, oil and lubricants) control systems and the security systems protecting them.

– Critically, adjunct support often involves human operations. Stuxnet probably needed the Mossad’s HUMINT networks to deliver the worm, or at least an unwitting contractor as a mule. This attack also seems to have required special operations forces to inject code into local controllers.

– Stories like this dramatize the exotic art of the possible—which drives the cyber threat debate—but they also highlight how tenuous the theory of influence is in cyber attack. Much of that tenuousness is a function of the reliance on deception, which is not so great for credible signaling (but may be great for the reassurance of an ally that is in on the deception, which may have been as important as or more important than slowing down the Iranians in the Stuxnet case).

– To the extent cyber is useful, it is usually useful in conjunction with something else: diplomacy, covert action and threats of air strikes in the case of Stuxnet, and perhaps the 2008 invasion of Georgia here, although the linkage is unclear, to put it lightly.

The other question this raises is why we are only finding out about this now. It sounds like US intelligence and various international “investigators” have known some of the details for a while. I suppose it’s nice to be reminded that Russia has been playing with Little Green Men for a while and that US intelligence agencies are doing more than just torturing some folks.

Dissent and Deception With Mobile Apps

By Jon Lindsay

This is an interesting story about (presumably) Beijing’s use of a piece of malware to monitor protesters’ communications in Hong Kong:

It points out a dilemma between restricting an adversary’s access to technology in order to deny them its advantages (attacking their network) and ensuring the adversary’s access in order to collect intelligence (exploiting the network). There is also a passing mention of Syria lifting its use of the internet kill switch in order to better monitor internet use. What is interesting in this case is that the malware is marketed to protesters specifically as a tool to improve their communications, and probably does so to some degree, but it also collects those communications, turning the user into an unwitting agent through deception.

The crowdsourced counterintelligence angle is also pretty interesting: upon discovery, the victim of a malware attack often benefits from a large and distributed forensic effort. The Iranians benefited from this with Stuxnet, too.

Alliance Management in Cybersecurity: Case of the U.S.-Japan Alliance

Last week there were protests against the Japanese government throughout Asia as crowds demanded an apology for its aggression during WWII and for cabinet members’ visit to the Yasukuni Shrine. It was August 15, 2014, the 69th anniversary of Japan’s surrender in World War II. As on August 15 in previous years, the leaders of China and South Korea also condemned Japan’s increasing assertiveness in foreign and defense policy.

Interestingly, the U.S. government’s growing willingness to share the burden with Japan of defense and deterrence against China and North Korea seems to have stoked this fear of Japanese militarism. The U.S. government has been carefully balancing the military need to push Japan to bear a bigger burden against the diplomatic need not to offend other countries in East Asia by doing so. The difficulty of such a balancing act was underscored by Japan’s recent reinterpretation of its constitution, which extended the scope of the right to self-defense to include the defense of an ally under attack. The event exemplified the understanding between the two allies on burden-sharing but was read by other East Asian countries as a sign of Japan’s new assertiveness.

Political scientists have long recognized such complicated dynamics in inter- and intra-alliance relationships, in East Asia in particular. For instance, Cha (2000) argued that the key determinant of friction between Japan and South Korea is the symmetry of the U.S. commitment to each of them. Noting that Japan and South Korea are in a quasi-alliance relationship, in which both have the U.S. as an ally but are not allied with each other, Cha applied Snyder’s (1984) framework of allies’ fears of abandonment and entrapment to explain the fluctuating tension between Japan and South Korea. He maintained that Japan and South Korea experience friction when the U.S. commitment to the region is strong or when there is an asymmetry in the two countries’ fear of abandonment by the U.S. When the U.S. commitment is weak and both countries fear abandonment by the U.S., Japan and South Korea display greater cooperation with each other.

Yet existing work on the dynamics of U.S. alliances in Northeast Asia is mostly concerned with nuclear and conventional military forces. How would these dynamics play out in the cyber domain? For one, burden-sharing between the U.S. and Japan in the cyber domain would incur lower diplomatic costs than in other war-fighting domains. Cyber warfare is usually accompanied by anonymity. According to Gartzke (2013), anonymity in cyberspace presents both initiators and targets with conundrums. While anonymity “protects an aggressor from retribution, it also dilutes credit for the deed” (Gartzke 2013: 46-7). Moreover, anonymity gives the target no clear way to retaliate or to acquiesce (Gartzke 2013: 47). At the same time, this implies that anonymity in cyberspace would shield U.S.-Japan cooperation from any public diplomatic crisis. While cyber warfare’s anonymity may weaken its deterrent effect, it would also neutralize any public outcry among East Asian countries in response to Japan’s burden-sharing. Because it is difficult to identify who cooperated and who attacked in cyberspace, Japan can take the initiative in its cooperation with the U.S. while hiding behind the cover of anonymity.

On the other hand, it is unclear whether Japan has the capability to share the burden and contribute to deterring cyber threats from China and North Korea. The case of Stuxnet serves as a useful benchmark. Stuxnet, the computer worm discovered in 2010 and widely attributed to the U.S. and Israel, attacked Iran’s nuclear centrifuges and disrupted its enrichment program. According to Lindsay (2013), Stuxnet involved “collaboration with Israel for both operational and strategic reasons: the United States needed access to Israeli clandestine intelligence networks in Iran, and the United States wanted to dissuade Israel from launching an airstrike against Iran” (385). Some reports suggest that it was Israel, not the U.S., that spearheaded the Stuxnet attacks (Lindsay 2013: 385). Unlike Israel, however, it is uncertain whether Japan can offer the U.S. anything akin to what Israel provided. Japan has been relatively slow in developing cyber capabilities and in responding to cyber threats. It was only in 2005 that the National Information Security Center was established in the Cabinet Secretariat, and only last year that the Japanese government created and released its Cyber Security Strategy for the first time.

At present, it is unclear how the dynamics of the U.S.-Japan alliance will unfold in the cyber domain. The alliance has been central to East Asian security in the conventional domains. Both friends and adversaries in the region have observed and reacted to changes in the relationship, with political and military ramifications. They will doubtless continue to pay close attention to the alliance dynamics in the cyber domain.