A recent U.S. government report entitled Annual Report to Congress on the Military Power of the People's Republic of China (PRC) 2008 talks extensively about the increasing role of China's ability to conduct war over the Internet. In the past, such talk of a "digital Pearl Harbor" has been dismissed by some security experts as largely political hot air. Yet more and more evidence suggests that a politically sponsored Internet event could occur sooner rather than later.
I spoke recently with Josh Corman, principal security strategist for IBM Internet Security Systems, who believes that criminal hackers follow three basic motivations: prestige, profit, and politics--the three Ps. It's the latter that he's concerned about. "All of our security defense models," said Corman, "were built based on a model of threat which was purely prestige driven," referring to the virus writer who only wanted his creation mentioned on the evening news. Now, we're currently living in a time of profit, and have begun to react to that. But Corman's thinking ahead; he's talking about criminal hackers--either independent or state sponsored--entering the realm of politics.
"'Political' means different things," admits Corman. "I was telling people not to be surprised if we saw the botnets participate in the presidential primaries in the U.S." And then, in October 2007, a Ukrainian botnet was linked to a flood of "Ron Paul for President" spam. But that's small potatoes compared to what Corman thinks is possible.
He says those same botnet systems could "take down candidate sites, send a whole bunch of free advertising or free smear campaigns, and potentially have an impact on who became the presidential candidates or who was successful on fundraising." Worse, he said, "'political' could mean a cyber protest, it could mean cyber espionage, or cyber reconnaissance." Such political action has already happened.
Some recent examples
Corman cites at least two "one-offs" within the last year. The first is Estonia last spring, where a flash mob of ethnic Russian students in Estonia crippled the country's infrastructure for several weeks. The other one-off is the recent CIA disclosures to Congress about foreign-state-sponsored attacks on U.S. military installations.
Neither was the crippling example that worries him, and neither was apparently well coordinated. Corman admits these were headlines in the news that seem to wash over people and not really sink in. "But I think we're at a point right now where the more we talk about it, the more we use examples, we'll start to get to a critical mass awareness."
Corman believes we have to design with the idea of political sponsorship in mind. "It's no longer the case that you can protect your enterprise simply by protecting the systems and the infrastructure throughout the enterprise. I think when you think about attacks on a politically motivated basis or even on simply protecting your own network and infrastructure in e-commerce servers, it's going to take some more holistic thinking across more boundaries than we traditionally have done."
On profit-based attacks, Corman said "it wasn't until a number of large corporations were hit with a data breach, a targeted attack, or spear phishing that the security community really took notice. (The enterprise people) said 'Ouch!' Sometimes someone has to say, 'Ouch!'" He hopes that no one has to be stung by a political attack before the security community starts to take that threat seriously.
Also important is end-user awareness. "Among ourselves in the security intelligentsia, those of us who do security for a living, we talk about practicing safe computing. That used to include 'it's OK, just don't double-click on an executable, but it's fine to open a GIF, a JPEG, or an MP3.' But as you've seen, botnets are now using MP3s as a source of an infection. I mean, just the very podcasts you're listening to could be a source of infection."
Corman said the definition of safe computing has changed. Within ISS and IBM, Corman started an education awareness campaign called "The Evolving Threat." "We do seminars, we made a videogame, we're trying to make some of these new security concepts more tangible and digestible to both enterprise practitioners and the consumers because some of this is simply the weakest link. What's allowing (the Storm botnet) to be so successful is not an unpatched system per se, but it's an uninformed end user."
You can hear more of my interview with Josh Corman in this Security Bites podcast.
Will we see more public political attacks such as Estonia in 2008? Or will they be subtle, like the breaks at various military bases? TalkBack to me.