Dear Sanjay,

The posting below is an off-topic posting. Please ask yourself if any posting you make falls within the scope of this list.

Harish.

Date: Fri, 23 Jan 2009 21:07:36 +0530
From: "Sanjay" <[email protected]>
Subject: [AI] How long before all-out cyberwar?
To: <[email protected]>
Message-ID: <002e01c2b0fd$0d7dfc10$0201a...@santanupc>
Content-Type: text/plain; charset="iso-8859-1"

How long before all-out cyberwar?

What kind of damage could a cyberwar do, and how can we guard against it?

Michael Reilly, Palo Alto

THE first cyber-battle between superpowers was shadowy and nearly bloodless. In April 2001, a US navy plane caused an international incident when it collided with a Chinese jet fighter. The Chinese pilot lost his life, while the American plane made an emergency landing on China's Hainan Island, where it was detained. After 11 days, the plane and crew were returned safely, but accusations of blame persisted on both sides.

Publicly, both governments did little more than squabble over the issue, but for the rest of the month both suffered a number of harmless but annoying attacks on their computer networks. Websites also sprang up with instructions on how to run programs aimed at disabling government computers. American officials claim that the attacks almost shut down California's electrical grid, but neither government has owned up to launching the assaults.

"There were a number of cyber-skirmishes and hack-backs originating in China and America right around that time," says Herbert Lin, a software specialist at the US National Research Council (NRC) in Washington DC. "Were they state-sponsored? Who knows."

Since then sporadic reports have emerged of attempts on several national networks, each one as murky as the last. Meanwhile, the US and China appear to be taking the issue seriously. In 2000, Dai Qingmin, an army general and head of the Chinese government's communications department, advocated the use of pre-emptive cyber-attack, while Daniel Kuehl of the National Defense University in Washington DC says the US military is exploring the use of cyberweapons.

Considering the dependence of stock markets, power grids, phone networks and banks on computers, a cyber-attack might seem very tempting to a nation with an axe to grind. "Americans feel very secure, but they shouldn't," says Adriel Desautels of software security firm Netragard in Mendham, New Jersey.

To tackle the issues surrounding the prospect of cyberwar - including how to retaliate and whether cyberweapons could or should be used - Lin is leading a study sponsored by the NRC, Microsoft and the MacArthur Foundation. The results are not due until the summer, but Lin revealed some details at a workshop on technology and warfare at Stanford University in Palo Alto, California, last month.

Less-lethal weapons?

One issue his team will tackle is ethics. Currently unregulated by international law, it is unclear where computer viruses and denial-of-service (DoS) attacks slot in on the scale that ranges from "less-lethal" weapons such as CS gas and Tasers, through guns and bombs up to chemical, biological and nuclear arms.

The answer might seem obvious: cyberweapons are harmless compared with their bloodier counterparts. Even an all-out cyber-attack couldn't possibly do the same damage as a conventional air raid or ground invasion, says Michael Vlahos of Johns Hopkins University in Baltimore, Maryland. "If ruling regimes have a dispute, cyberwar can be a great way to signal that without killing people," he says.

Others argue, however, that as countries increasingly rely on computers, the cost of a successful cyber-attack will be measured in human life just as an air raid or ground attack is. "Cyberwarfare has been sold as cleaner, but things like power plants and air traffic control systems are vulnerable to attack," says Thomas Wingfield of the US Army Command and General Staff College in Fort Belvoir, Virginia.

A recent study by the US Department of Homeland Security found that electrical generators could be hacked into and induced to self-destruct, raising the threat of large-scale physical damage to critical infrastructure. "Cyberweapons are now rising to the level of weapons of mass destruction," he says.

One crucial aspect of computer viruses and worms is their ability to spread uncontrollably. Such a weapon could inadvertently infect hundreds of thousands of home and office computers, causing economic and social mayhem. Impossible to contain within national boundaries, a virus could end up back in the country that launched the attack. Because of this, Wingfield says cyberweapons could be banned from war just like chemical and biological weapons, poisoned and exploding bullets, and blinding lasers. "It's possible to imagine cyberweapons being on that list," he says.

There are good reasons to avoid cyberweapons, but how should a country that is attacked by one respond? Under the Charter of the United Nations, a nation has the right to use force as self-defence only if it is attacked using force. Wingfield says the term "force" might be applied to a cyber-attack if it caused significant financial or physical damage. He concludes that any country that suffers a sufficiently severe cyber-attack is within its rights to respond with conventional weapons such as bombs.

Retaliation, however, raises another problem: how to find out who launched an attack. Unlike physical warfare, where it is often obvious who is responsible, the internet presents forensic challenges. Computers can be hijacked, unbeknownst to their owners, and used as accomplices in attacks that come from another source. "Who would [President] Bush bomb if the internet went down?" says Desautels. Tracing the attack might yield an innocent computer user, not the true perpetrator.

"If you have a worm on your computer, you don't want to be doing your income taxes and have a Hellfire missile come through the window," says Ivan Oelrich of the Federation of American Scientists in Washington DC.

This problem was illustrated last year, when Russia appeared to have launched massive DoS attacks against Estonia's cyber-infrastructure (New Scientist, 6 June 2007, p 30). At the time, it was seen as an example of cyberwarfare, but Estonian authorities recently convicted a lone, 20-year-old hacker living in the country for the attacks.

Rather than relying on retaliation, Desautels says a better solution is to put pressure on software firms to fix the bugs in their code. These vulnerabilities are the chinks in the armour that allow an attacker to access a computer's memory and install malicious files or press-gang the PC into becoming part of a "botnet" that can launch DoS attacks. If the bugs weren't there in the first place, this wouldn't be possible. "Congress needs to make software companies responsible for vulnerabilities," says Desautels. "That should be our first line of defence."

Buy up those cyber-bullets

Michael Reilly

The prospect of cyber-attacks puts software bug hunters in a tricky spot. All software can contain bugs or flaws, and researchers routinely find them in their programs. Because these vulnerabilities, and the pieces of code that exploit them, can be used to launch attacks, they have become a hot commodity.

Security firms such as iDefense, Tipping Point and Netragard buy them up from bug hunters, tell their clients about them and then disclose them to the companies that develop the software so that they can issue patches to correct the problem. There are also websites that auction the bugs off. Governments are known to be in the business of trading bugs too (New Scientist, 13 June 2007, p 30), presumably because of the risks they present to military and government security.

The cyberspace equivalent of bombs and bullets, finding vulnerabilities in the software would be essential for anyone hoping to launch a cyber-attack, government or not. That presents bug catchers with the question of who it is OK to sell bugs to.

With no laws governing bug brokering, Adriel Desautels of software security firm Netragard has to rely on his sense of right and wrong. As a rule, he avoids governments, he says. "I would never sell to a non-US based buyer, and I only sell to people I know and trust," he says. But he worries that not everyone is as conscientious. "I think people like me should need a licence for what we do, which is selling a sort of munitions," he says. "We don't, and that's dangerous."
