100 Days to Cybersecurity Literacy (Day 1): Is RT News a Cyber Attack?

How’s that for an inflammatory clickbait title? But there is a kernel of seriousness in it...

What is Cyber Warfare? (From “NATO Tries to Define Cyber War”)

In 2014, NATO began elucidating its policy towards cyber attacks and defense largely in response to the 2007 wave of denial-of-service attacks in Estonia that shut down many government services. Perhaps most importantly, invoking NATO’s collective defense clause in response to a cyber attack was discussed. What is the threshold where a cyber attack becomes an act of war?

This is an opportunity for us to learn some basic vocabulary of the cybersecurity profession. The three principles of information security are confidentiality, integrity, and availability:

  • Maintaining confidentiality is assuring that only authorized persons have access to sensitive information.

  • Maintaining integrity is assuring that information has not been tampered with or destroyed.

  • Maintaining availability is assuring that authorized persons can get to the information or services they need when they need them.

Military Secrets Hacked

An example will shine some light on how these principles can be used to explore the threshold. In 2013, a Pentagon procurer admitted at a US Senate Subcommittee Hearing that Lockheed’s information system had been hacked, and information on the F-35 Fighter program had been stolen. This has been popularly attributed to China. Why was this not considered an act of war?

An argument can be made that the principle of integrity is important in defining this threshold. It is one thing to steal information or slow down a process. It is yet another to corrupt data integrity. That can break the entire machine, and when critical infrastructure is at stake, we are now talking about inducing human casualties. Thus, it can be argued that stealing the plans was criminal but not an act of war.

During roughly the same period, we can see the same issues being discussed in this EU Parliament report: “Cyber defence in the EU.” Distinctions are made between defensive counter-cyber and offensive counter-cyber. In other words, state actors are developing their ability to attack other states as demonstrated by the recent admission that Obama approved infiltration of Russian infrastructure.

Social Media as an Attack Channel?

We now have a rough framework to talk about RT News as a cyber attack. Social Engineering is an attack vector, a line of force, based on human manipulation. Calling a Help Desk within a company to get them to reset a password would be a classic example. If RT used the “cyber attack channel” of YouTube to “socially engineer” some people into distrusting Hillary Clinton, will we say that this is a cyber attack?

Even if we do, the principle of integrity still has not been degraded, and thus, this is still not cyber warfare. However, this rough threshold is not thoroughly defined, and it remains to be seen how this will evolve. We can speculate that social media will be associated with cyber attacks at some point in time even if we aren’t there yet. We may eventually hear social media being described as an attack channel.

Who did what?!?!

There is another factor obscuring these issues even further. The Wikileaks Vault7 dump has revealed a wide array of CIA cyber capabilities. For example, the UMBRAGE group studied the signatures of different hacking groups in order to prevent “attribution” of CIA cyber activities. Attribution is the process of identifying a cyber attacker. It would not be the craziest thought to assume that other State Actors have developed similar capabilities.

As we work to recover from the Petya ransomware attack, where does this all leave us? After all, Petya has attacked that critical principle of information integrity.

  • The threshold for considering a cyber attack as an act of war is being explored.

  • We are currently seeing attacks that could be framed as crossing the threshold.

  • Attribution of such attacks is problematic at best.

Response to Attacks Will Be a Priority

Wherever one might fall in the political spectrum, the ethical hacker should care about protecting critical infrastructure. People need clean water. They need their lights to turn on. Hospitals, police forces, and fire departments need to be able to communicate with each other, and so, we discover my personal motivation for “100 Days to Cybersecurity Literacy.” In the medium- to long-term, I want to be able to help protect these critical infrastructures. We can’t do it in 100 days, I suspect, but we should be able to build a foundation.

How do we start?

If you were learning how to cook, would you focus on one single recipe? Sure… Maybe at first… But you probably wouldn’t cook only one recipe for years. You would develop an array of techniques that apply to many recipes. Over time, your kitchen would become better and better equipped. This is what we must do with cybersecurity in order to realistically take it on.

I have the following three directions:

  • I am going through this free online course geared towards the A+ certification to start building the knowledge of Networking that will eventually be necessary and to increase my overall IT literacy.

  • I am going through these free online information security courses offered by Texas A&M (note to the paranoid: you have to have a FEMA ID number to register, which takes about one minute, and I don’t care if Big Brother knows where I am).

  • I am following the EMT Basic YouTube channel where a security professional is sharing his musings on current cyber-related events from the point of view of protecting infrastructure.

There is an embarrassment of riches as far as free learning materials are concerned. Try Coursera or any of 5,000 other choices if my direction is not to your tastes.

Tomorrow we will do some practical stuff. We will think about password security, explore some more introductory cybersecurity terminology, and talk about how and why to run Linux.

Hope to see you at Day 2!!!
