Extract from Case Studies in Information Warfare and Security



Case Studies in Information Warfare and Security
For Researchers, Teachers and Students

Edited by Matthew Warren


Case Studies in Information Warfare and Security
Volume One
First published: April 2013
ISBN: 978‐1‐909507‐06‐7
Copyright © 2013 The authors

All rights reserved. Except for the quotation of short passages for the purposes of critical review, no part of this publication may be reproduced in any material form (including photocopying or storing in any medium by electronic means and whether or not transiently or incidentally to some other use of this publication) without the written permission of the copyright holder except in accordance with the provisions of the Copyright Designs and Patents Act 1988, or under the terms of a licence issued by the Copyright Licensing Agency Ltd, Saffron House, 6‐10 Kirby Street, London EC1N 8TS. Applications for the copyright holder’s written permission to reproduce any part of this publication should be addressed to the publishers.

Disclaimer: While every effort has been made by the editor, authors and the publishers to ensure that all the material in this book is accurate and correct at the time of going to press, any error made by readers as a result of any of the material, formulae or other information in this book is the sole responsibility of the reader. Readers should be aware that the URLs quoted in the book may change or be damaged by malware between the time of publishing and accessing by readers.

Note to readers. Some papers have been written by authors who use the American form of spelling and some use the British. These two different approaches have been left unchanged.

Published by: Academic Conferences and Publishing International Limited, Reading, RG4 9SJ, United Kingdom, info@academic‐publishing.org
Printed by Ridgeway Press
Available from www.academic‐bookshop.com


Contents

Introduction to Case Studies in Information Warfare and Security
Professor Matthew Warren

Cyber Security Awareness Initiatives in South Africa: A Synergy Approach
Zama Dlamini and Mapule Modise

Neutrality in the Context of Cyberwar
Julie Ryan and Daniel Ryan

Changing the Face of Cyber Warfare with International Cyber Defense Collaboration
Marthie Grobler, Joey Jansen van Vuuren and Jannie Zaaiman

An Exceptional War That Ended in Victory for Estonia or an Ordinary e‐Disturbance? Estonian Narratives of the Cyber‐Attacks in 2007
Kari Alenius

Estonia After the 2007 Cyber Attacks: Legal, Strategic and Organisational Changes in Cyber Security
Christian Czosseck, Rain Ottis and Anna‐Maria Talihärm

Australian National Critical Infrastructure Protection: A Case Study
Matthew Warren and Shona Leitch

Proactive Defense Tactics Against On‐Line Cyber Militia
Rain Ottis

Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective
Rain Ottis

Electronic Activism: Threats, Implications and Responses
Allen Wareham and Steven Furnell


List of Contributors

Kari Alenius, Department of History, University of Oulu, Finland
Christian Czosseck, Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Zama Dlamini, Command and Control and Information Warfare, DPSS and CSIR, Pretoria, South Africa
Steven Furnell, University of Plymouth UK and Edith Cowan University Perth Australia
Marthie Grobler, Council for Scientific and Industrial Research, Pretoria, South Africa
Shona Leitch, Deakin University, Australia
Mapule Modise, Command and Control and Information Warfare, DPSS and CSIR, Pretoria, South Africa
Rain Ottis, Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Julie Ryan, The George Washington University, Washington, USA
Daniel Ryan, National Defense University, Washington, USA
Anna‐Maria Talihärm, Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Joey Jansen van Vuuren, Council for Scientific and Industrial Research, Pretoria, South Africa
Allen Wareham, University of Plymouth UK
Matthew Warren, Deakin University, Australia
Jannie Zaaiman, University of Venda, South Africa



Introduction to Case Studies in Information Warfare and Security

Modern society is highly dependent on key critical systems, either physical or technology based. They have become more significant as the information age has developed and societies have found themselves dependent on these systems. These key systems are grouped together and are described as critical infrastructures, which can be at risk of Information Warfare or cyber attacks.

The threat of Information Warfare or cyber attacks to governments' and businesses' critical infrastructures has become a more pressing and everyday issue facing countries all around the world. Information Warfare causes many separate and individualised problems and the perpetrators can be a country, sub‐state groups or individuals, which makes defence against such attacks even more troublesome. One particularly difficult aspect of protecting against Information Warfare is the sheer number of possible attack types that could occur against critical infrastructure systems and the fact that passive attacks may occur rather than active attacks, for example, monitoring network trend data rather than trying to disrupt a network.

It is hard for us as individuals to imagine the consequence of an Information Warfare attack: an extended loss of power or the failure of related systems such as banking systems, the Internet, lifesaving medical equipment, the failure of public transportation systems, water treatment plants being non‐functional or a lack of food at the supermarkets due to the malfunction of food distribution systems. It is because of these potential Information Warfare risks that governments in all countries are so concerned and taking action against these new security threats.

Many critics dismiss the cyber threat to countries as being "hype or overstated", but that is far from the truth. In 2007, cyber attacks on Estonia resulted in the failure of Estonia's online infrastructure; in May 2007 we saw that Estonia was the first victim of a prolonged Information Warfare campaign. The background to the campaign was a political disagreement between Estonia and Russia that was taking place in the physical world.

In 2010, we saw the development of the Stuxnet malware (in this case a worm) that had the ability to disrupt certain types of SCADA (Supervisory Control And Data Acquisition) systems that support key industrial systems, such as power supplies and water treatment facilities. The development of the Stuxnet malware raised many security concerns about SCADA systems. In many cases these SCADA security concerns could be mitigated by something as simple as implementing an effective patch management system. The Stuxnet example, however, highlights the recent capability and complexity of malware and the possibility for malware to be used as a weapon in an Information Warfare campaign. The increasing complexity of these malware attacks could make it harder for governments and organisations to protect their critical infrastructures against these particular threats. This is amplified by the zero day attack, where the malware appears for the first time online and there is no suitable protection against the attack; the time needed to analyse the malware and develop the suitable protection signature means that any attempts to mitigate are futile.

In Australia 438 cyber incidents occurred in 2011‐12 which required a significant response by the Australian Government Cyber Security Operations Centre; in 2012, the hacking group Anonymous stole personal information of hundreds of thousands of customers from an Australian ISP and then disclosed that information online. Countries have developed unique approaches to deal with the risks of cyber attacks. In Australia, the Prime Minister Julia Gillard released Australia's first National Security Strategy, Strong and Secure: A Strategy for Australia's National Security. This strategy reinforced the importance of the protection of Australians against many security threats including cyber threats. The Australian government's strategy acknowledged the threat of cyber espionage and foreign interference and the threat to "classified government information; commercial information with direct consequences for business and the economy; intellectual property; and the private information of Australian citizens". This is a significant acknowledgement that cyber threats now impact every Australian and have become an issue not only for governments but for individuals and their online information. The need to "strengthen the resilience of Australia's people, assets, infrastructure and institutions" against cyber attacks has also been recognised. This means the issue is not just one of protecting against cyber attacks, but also the ability to rebuild systems quickly after a cyber attack and minimise their impact.

Tied up with the new strategy was the announcement of the creation of a new Australian Cyber Security Centre which will be in operation by the end of 2013 and which aims to improve partnerships between government and industry. The centre will have the ability to protect against new and developing cyber security threats in real time and allow for information to be shared quickly, so any cyber risks can quickly be mitigated.

The Australian Government has also identified that resilience is an important issue for critical systems. The Australian Government focuses on resilience from the following aspects (Critical Infrastructure Resilience Strategy, 2010):

Critical infrastructure resilience – the ability to reduce the magnitude, impact or duration of a disruption to critical infrastructure whatever its cause. So if essential services are damaged or destroyed, they can get up and running again quickly. This is an important part of creating a nation where all Australians are better able to adapt to change, have reduced exposure to risks, and are better able to bounce back from disaster;

Mutual responsibility – the responsibility of critical infrastructure resilience management and operation is shared between the owners and operators of critical infrastructure, and all levels of government – Australian, state and territory, and local. The owners and operators of critical infrastructure are primarily responsible for ensuring the security of their assets.

Smaller countries such as New Zealand also have formed dedicated critical infrastructure protection centres to secure against cyber risks, but it was the USA that was the first to recognise the significance of critical infrastructure and the importance of defending these critical infrastructures. They were the first to implement comprehensive measures to protect US critical infrastructures. Since those first measures in the late 1990s, the US government has implemented further measures, recently announcing the expansion of the US Defense Department’s Cyber Command from 900 to more than 4,000 staff. The US government is planning three different forces under Cyber Command: “national mission forces” to protect computer systems that support the nation’s power grid and critical infrastructure; “combat mission forces” to plan and execute attacks on adversaries; and “cyber protection forces” to secure the Pentagon’s computer systems. This represents a major step forward in cyber protection and a model that many other countries will likely reproduce over time.

Many governments, however, have to consider whether the protection of critical infrastructure is considered a military, government, law enforcement or corporate issue or whether it be the work of an agency or department that coordinates and integrates some or all of these bodies.

One of the challenges of Information Warfare is the global nature of the threat.
What we have seen is the need for international co‐operation to deal with cyber threats, particularly in the area of sharing information, of countries being part of joint training exercises, and jointly coordinating cyber defence responses. We have witnessed cyber security co‐operation defined as part of the Australian – US defence treaty; and in response to the Estonia Information War we have seen the NATO Cooperative Cyber Defence Centre of Excellence be developed in order to protect NATO members against the threats of Information Warfare, as well as joint statements on cyber security co‐operation from both the United Kingdom and New Zealand governments.

Many other governments have come to a similar conclusion: that they have a duty of care to protect their population and citizens against Information Warfare threats, but in times of austerity the consideration is whether governments are able to fund the required budgets for these key initiatives. The NATO Cooperative Cyber Defence Centre of Excellence could be an example of how budgets and resources could be shared between a number of countries to defend against Information Warfare risks. Whilst funding is important, the human resource consideration is essential and national strategies and approaches are needed. The UK government has recognised the shortage of cyber security specialists and introduced a number of initiatives to counteract this, such as education programs about cyber security in school curriculums, the setting up of the Cyber Security Challenge UK to provide advice, support and guidance for anyone interested in a career in cyber security, and the development of the UK Certification for Information Assurance Professionals to accredit cyber security professionals.

The aim of this book is to highlight a number of important and significant cases in relation to Information Warfare. The papers come from authors from the following continents: Africa, Europe, Oceania and North America, and include papers from the European Conference of Information Warfare and the International Conference of Information Warfare. A number of chapters focus on the Estonian Information Warfare Attacks, considering the reasons behind their occurrence, outlining what occurred, those who were involved and the important lessons to be drawn from their experiences. The book assesses how individual countries deal with Information Warfare in terms of protecting critical infrastructures or raising security awareness amongst a population and reflects on other considerations of Information Warfare in terms of the neutrality in Cyber Warfare, co‐operation and the role of activism.

Professor Matthew Warren
School of Information Systems
Deakin University
Australia
www.mjwarren.com
