The birth of the World Wide Web in 1989 transformed the underpinnings of our world. The global network's capabilities in communication and governance revolutionized cultural development. It is a disconcerting fact, then, that the cyber arena now so entrenched in daily life has also come to be formally recognized as a new domain of warfare.
Attacks have crippled Estonia, Georgia and Kyrgyzstan, and governments worldwide now spend more than $1 trillion annually attempting to defend against them. Despite this astonishing investment, little progress has been made in the overall bid to tackle destructive cyber activity.
While the security of US networks has remained largely in private-sector hands, non-democratic regimes are eager to promote a tightly government-controlled internet. It now falls to liberal nations to find security measures that also preserve the integrity of a free cyber environment.
Jeffrey Carr is a cyber intelligence expert who specializes in investigating cyber attacks against governments and network infrastructure by hackers from both state-authorized and underground sources. He regularly briefs American and foreign intelligence agencies on acts of espionage at venues such as the Defense Intelligence Agency and the NATO Cooperative Cyber Defence Centre of Excellence conference on cyber conflict.
Carr writes frequently for Forbes' Firewall blog. He is also the author of the Intel Fusion blog, and founded the widely read Project Grey Goose, an open-source investigation into the 2008 Russian cyber attacks on Georgia. His book, Inside Cyber Warfare, has been endorsed by General Kevin Chilton, commander of US Strategic Command.
In an interview with The Majalla, Carr explains the specifics of cyber warfare and its implications for critical infrastructure, and discusses where he believes the focus needs to lie in tightening internet security.
The Majalla: Could you please define cyber warfare?
Nobody has really had a good definition of cyber warfare, but in my view, cyber warfare occurs any time one actor attempts to achieve a political or strategic goal through means of a networked operation, or an electronic or internet-based operation.
The Majalla : Could you please define cyber warfare?
Nobody has really had a good definition of cyber warfare, but in my view, cyber warfare occurs anytime one actor attempts to achieve a political or strategic goal through means of networked operation, or an electronic or internet-based operation.
Q: Have countries officially defined cyber warfare?
I think everyone has attempted to define it; it's a little difficult. You would have to define cyber space, and no one has yet come to a complete agreement on that. We think we all know what it is intuitively, but it's hard to really put into words.
Q: How are the challenges to security that we face now different from those we faced during warfare pre-internet?
I would say this is much larger in scope. Also, many more people are now able to play at this game. Before, you were limited to radio signals, your telephone lines, which is much different in terms of interception and how many people might be out there with those capabilities. Now, because of the internet and the way that this is becoming a completely networked world, the number of actors that might be involved in this, whether they are criminal or employed by the state or part of a militia, you name it, is exponentially larger, so that it's hard to even give a number to it, but it makes everyone much more vulnerable.
Q: Would you say there are links between cyber warfare and real warfare?
In my view they are intricately connected. I don't believe we've ever seen pure cyber warfare. The way that I define it, I think that cyber is a component of regular warfare. Short of that, I think you're seeing something else: you're seeing cyber espionage or you're seeing the oppression of dissident groups. These are not acts of war as we traditionally think of them. Or I could say even "acts of war" is not really an accurate term. These are not things that would allow a defensive action by another state that would result in physical warfare.
Q: Could a serious cyber attack result in the threat of war? Say the US sustains a cyber attack by Russia, could that potentially snowball into ground attacks?
Well, it depends. First of all, you wouldn't know that it was from Russia; the way it stands today there would be no way of knowing that. It would not be sufficiently strong to justify an invasion of another country or escalate it to a physical level. Without being able to tell who launched what attack, and without being able to confirm that it was an attack that might have caused the damage, versus a faulty switch or a bug in the code or whatever, I think it would be very hard to imagine something escalating to real conflict. On the other hand, if it were a terrorist group, because they are interested not necessarily in war but in causing disruption, they may very well announce that they were responsible. In which case you might have a repeat of what you had after 9/11, which is the US—or any other country—going after the terrorist group that's responsible, even if they are geographically inside the borders of another state.
Q: It is interesting that everyone is currently in the process of dealing with this issue because of the advancement of technology. It is also interesting to think about the evolution of national and international law designed to protect states from cyber attacks. Where are cyber threats coming from and what are the targets?
Almost every developing and developed country is cyber capable. Many have announced that they are building out this component for their military; others are simply using it. Even little countries like Burma…the government has used it in the past against dissidents; Zimbabwe, same thing; tiny African nations that are taking advantage of or leveraging technology in order to hang on to political power. Russia does the same thing—China, against Chinese dissidents; Russia, against other political parties that oppose the president's party. Even here in the US we have domestic groups that are using cyber space in an attempt to attack the government or politicians or other leaders, so it's pretty predacious.
Q: Do you find that there is a particular demographic that actually launches cyber attacks?
No, but there are plenty of very well educated people involved in these attacks. Some of the things that we've investigated we found in Pakistan, for example: some Pakistani hackers that were attacking Indian websites are engineers, software engineers. In places not limited to cyber space, but certainly terrorist groups have been associated… have had their membership include doctors, so these are not just kids or uneducated people; they seem to involve quite the opposite, highly skilled, motivated individuals.
Q: What kinds of policies are governments forming in order to minimize cyber threats, and how are cyber attackers punished if they are caught?
Internally, countries already have these laws in place: China prosecutes hackers, so does Russia, so does the US, so does Great Britain. A number of countries already have laws that would punish hackers. I think what is being done that is going to be helpful is when you have countries collaborate under those laws. You've seen that, too, like in Spain, when a group of individuals was engaging in international criminal activities. They were caught because of a combined law enforcement effort involving, I think, maybe three different countries. That to me is a successful strategy against these types of cyber attacks. However, some countries don't want to sign on to that, like for example Russia. They don't want to give permission for other countries or for an international effort that would cross borders in pursuit of internet criminals. I think the way that Russia prefers it is that you come to them, show them what you have, and they'll do their best to arrest them.
Q: This brings up another point—this idea of prosecuting hackers across borders.
Personally I’m in favor. I think that’s a good policy I would like to see more of that.
Q: How effective is the US-CERT (US Computer Emergency Readiness Team)?
I think every nation's computer emergency response teams are all overwhelmed by trying to keep up with this. There are a lot of problems with this: lack of manpower, lack of budget, lack of training in some cases, awareness of what the latest threats are, staying on top of brand new or what are known as zero-day threats; there is just so much. I think the bottom line here is that it would be hard for anyone to do a top-notch job in that role currently.
Q: What needs to happen? Is it mainly a problem of resources?
I think there has to be a change in strategy, a change in thinking completely. Right now the approach seems to be to try to defend everything, to be a response to all attacks, to try to defend against all attacks, and in my opinion that's just a no-win situation. You can never do that; it will always fail. A different strategy should be to focus only on the most critical data, the most valuable information, leverage that you can't afford to lose. Those are the questions that every company and government needs to ask themselves, and then segregate those out. Then employ real-time monitoring. Use humans to engage in observing packet behavior and packet flow, how often data has been accessed, by whom, from where, and have built-in red flags to trigger an immediate response. That today is the only really successful way to combat this threat. You have to make sacrifices in terms of what you can't protect.
Q: Do US companies operating internationally expose the US to security threats?
Yes. In other words, one of the dangers that I often speak about is when you have, let's say in China, a multinational company with a lab inside China; there are definite threats for those companies in terms of acquiring their data, whether it's through technology transfer, which is a normal function that occurs when you hire people, or it might be because of espionage or interception of communications. So there are all kinds of possibilities. Even more difficult, though, is to convince that company that it's a problem, because from a financial point of view these companies, now because of globalization, have to be in other countries, in their opinion, in order to sustain themselves. So it becomes very difficult for them to make that kind of decision.
Q: Can the US government do anything to minimize these threats?
Unless a US law is broken, it's up to the company to make those decisions. However, having said that, what the government should do, and I think in some instances is doing, is make buying decisions because of it. These are security concerns for other countries, like the US and Britain, so those countries can decide whether or not they actually want to allow their equipment to be sold inside their borders. In a similar fashion, if say a US company, ABC, had all of its widgets made in… you name it, some foreign country, it doesn't matter who it is, and the US government felt like ABC did not have sufficient security in place, the government could also choose not to be a customer of the ABC company for that reason. So you would have this voluntary check system, which provides checks and balances.
Q: What does cyber warfare and the issue of cyber threats mean for the future of international relations?
That's a good question. I think it's one more negotiating point that countries can use in terms of their relations and how they leverage power in attribution. If, for example, Russia was interested in the US signing a non-cooperation treaty similar to what is in place for nuclear weapons, to have one for cyber weapons, and the US declined, that would give Russia some type of leverage in the world political environment, negotiating, we'll do this or we'll do that. So I think that's what we'll probably see, and probably further attempts to try to control or set rules of engagement that are globally accepted. I think that all of those are difficult to enforce, because even though a country may sign an agreement specifying rules of engagement, if you can't prove attribution then how do you enforce it?
Q: It seems quite messy.
It is, actually. I think it will either become more messy or the internet will have to radically change in some way, and I'm not even sure that will occur.
Q: One last question, I know that you’ve just published a book, what are you working on right now?
I actually just started a new company that focuses protection on… well, that does what I told you about earlier, which is help companies, US and foreign companies, identify and protect their so-called "crown jewels," their most critical data, and at the same time help their executives be safe when they travel. So it's an executive cyber security protection company. And I'm working on a video workshop for executives, for CIOs, CEOs, on how they should be… the strategies they can use to protect themselves when they are conducting business around the world.
Q: How far along are you with your company?
About two months; I think it's about two months old, and it's a baby, so it's still occupying a lot of my time. I'm actually trying to find someone to come on board and help with the actual running of… I'm not a corporate guy, so I need someone who has those skills, and surprisingly it's hard to find the right person.
Q: I'm sure it is; it's like finding a partner for life.
Exactly.
Q: What is your company called?
Taia Global (taiaglobal.com).
Interview conducted by Jacqueline Shoen
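Carr's answer on changing strategy (segregate the "crown jewels", then monitor how often the data is accessed, by whom and from where, with built-in red flags) maps onto a small piece of detection logic. The following is an added example, not code from the interview, from Carr or from his company; the tagged resources, the per-user baseline, the business-hours window, the alert thresholds and every log line are constructed for illustration.

```python
"""Flag anomalous access to designated crown-jewel data from an access log.

Added illustration of the segregate-then-monitor approach from the interview.
Assumptions (all constructed): resources in CROWN_JEWELS have already been
segregated and tagged; BASELINE summarises each user's normal behaviour from
a prior month; business hours are 07:00-19:59 in the server's local time.
"""
from collections import Counter
from datetime import datetime

# Only these resources are monitored; everything else is deliberately out of scope.
CROWN_JEWELS = {"/vault/designs/turbine-v3", "/vault/finance/q3-forecast"}

# Constructed baseline: countries each user normally works from, and their
# normal number of crown-jewel accesses per day.
BASELINE = {
    "alice": {"countries": {"US"}, "per_day": 4},
    "bob": {"countries": {"US", "GB"}, "per_day": 2},
}

BUSINESS_HOURS = range(7, 20)  # assumed 07:00-19:59 local
VOLUME_FACTOR = 2              # alert once a day's count exceeds 2x baseline

# Constructed log lines: "<ISO timestamp> <user> <country> <resource>".
# alice normally reads a few design files from the US during the day; late on
# 2010-03-02 her account pulls the same file ten times from a new country.
SAMPLE_LOG = """\
2010-03-02T09:14:00 alice US /vault/designs/turbine-v3
2010-03-02T09:20:00 alice US /vault/designs/turbine-v3
2010-03-02T10:02:00 bob GB /vault/finance/q3-forecast
2010-03-02T11:30:00 alice US /public/press-release
2010-03-02T23:41:00 alice CN /vault/designs/turbine-v3
2010-03-02T23:42:00 alice CN /vault/designs/turbine-v3
2010-03-02T23:43:00 alice CN /vault/designs/turbine-v3
2010-03-02T23:44:00 alice CN /vault/designs/turbine-v3
2010-03-02T23:45:00 alice CN /vault/designs/turbine-v3
2010-03-02T23:46:00 alice CN /vault/designs/turbine-v3
2010-03-02T23:47:00 alice CN /vault/designs/turbine-v3
2010-03-02T23:48:00 alice CN /vault/designs/turbine-v3
2010-03-02T23:49:00 alice CN /vault/designs/turbine-v3
2010-03-02T23:50:00 alice CN /vault/designs/turbine-v3
2010-03-03T08:05:00 bob US /vault/finance/q3-forecast
"""


def parse(log_text):
    """Turn the whitespace-separated log format above into (ts, user, country, resource) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, country, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, country, resource))
    return events


def detect(events, crown_jewels=CROWN_JEWELS, baseline=BASELINE):
    """Return (rule, user, detail) alerts, evaluated only over crown-jewel accesses."""
    alerts, seen, daily = [], set(), Counter()

    def fire(rule, user, key, detail):
        # One alert per (rule, user, key): ten rapid reads raise one ticket, not ten.
        if (rule, user, key) not in seen:
            seen.add((rule, user, key))
            alerts.append((rule, user, detail))

    for ts, user, country, resource in sorted(events):
        if resource not in crown_jewels:
            continue  # not segregated data: by design we do not try to watch it
        profile = baseline.get(user)
        if profile is None:
            fire("unknown-user", user, resource, resource)
            continue
        if country not in profile["countries"]:          # "from where"
            fire("new-country", user, country, f"{country} -> {resource}")
        if ts.hour not in BUSINESS_HOURS:                 # "when"
            fire("off-hours", user, ts.date(), ts.isoformat())
        day = (user, ts.date())                           # "how often, by whom"
        daily[day] += 1
        if daily[day] > VOLUME_FACTOR * profile["per_day"]:
            fire("volume", user, ts.date(), f"{daily[day]} accesses on {ts.date()}")
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse(SAMPLE_LOG)):
        print(f"{rule:12} {user:8} {detail}")
```

On the constructed log this raises three alerts for alice (a new source country, off-hours access, and a daily volume above twice her baseline) and none for bob, whose GB and US accesses match his profile. The point of the design is the first `continue`: the public press release is never examined, which is the sacrifice Carr describes in exchange for being able to watch the critical data closely.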