Ethan Zuckerman’s online home, since 2003

Misunderstanding cyberwar

There’s nothing like the term “cyberwar” to capture a reader’s attention. For those who grew up on “Wargames”, “Sneakers” or William Gibson novels, the term conjures up images of heroic hackers in shadowy basements, frantically tapping on keyboards in a life and death struggle against the enemy on the other side of the glowing CRT screen.

It’s a vision that was compelling to senior people in the US Air Force, including former USAF Secretary Michael Wynne, who was fired earlier this year over the scandal of mishandled nuclear weapons. Before his departure, Wynne launched the Air Forces’s “Cyberspace Command” with a television ad that portrayed the Air Force as the defender of the Pentagon against an onslaught of digital attacks. The Pentagon has stopped funding and now may cancel the initiative.

Wynne argues that the current military faceoff between Georgia and Russia over South Ossetia is an instance of cyberwar, saying “The Russians just shot down the government command nets so they could cover their incursion. This was really one of the first aspects of a coordinated military action that had cyber as a lead force, instead of sending in air planes.”

That’s the sort of speculation tech reporters live for. It raises the possibility that, instead of reporting on venture capital deals and the kudzu-like spread of Facebook, they might get the chance to be war reporters without the complication of being shot at. In the past week, in-depth articles on cyberwar have graced the pages of the Washington Post, the New York Times, Christian Science Monitor, and Salon.

The best of these articles have a common conclusion: it’s very hard to know what’s actually gone on. Call it “the fog of cyberwar”. Better yet, please don’t. As the dust settles, it’s unclear whether “cyberwar” is even an appropriate term for what’s taken place online as an actual war – the kind with guns and dead people – has transpired in Georgia. It’s worth remembering that in this “cyberwar”, the most serious consequence is that a website becomes temporarily inaccessible to viewers – it’s a war being fought with paintballs, not with live rounds.

Here’s what’s known: many Georgian websites have been difficult or impossible to access for several days. In response, the Georgian government has moved some vital email addresses and websites to Google, and other Georgian websites have sought help from Estonia. Here’s what’s not known: whether these attacks were directed by the Russian military, as Georgia’s Foreign Minister has speculated, by shadowy criminal gangs, or just by kids with a grudge against Georgia and too much free time. The last of these scenarios is looking increasingly likely.

Some of the most dramatic reports of cyberwar have come from an anonymous blog (RBNexploit) that tracks the Russian Business Network. RBN is a source of great concern to many in the computer security community – it’s a very successful producer of tools used for spam, identity theft and malware. The RBNexploit bloggers asserted that RBN hackers – on behalf of the Russian government – had taken control of backbone routers that delivered traffic to Georgia via Turkey, effectively cutting Georgia off from the Internet.

While this would have been dramatic and exciting, it doesn’t appear to be true. Earl Zmijewski, a vice president at internet monitoring company Renesys, has been watching connections into Georgia very closely and reports, “During the hostilities, we’ve seen no significant changes in routing. In particular, we saw no apparent attempts to limit traffic via Russia, but then again, most traffic from Georgia seems to currently transit Turkey. ”

What’s knocked some Georgian websites offline are denial of service attacks. These attacks are the equivalent of harassing a person by calling her on the phone as often as possible and hanging up when she answers. On the web, this involves sending a request to a web server over and over, hoping to overwhelm it and make it incapable of serving pages to legitimate users. In a more sophisticated version of the attack, dozens or hundreds of people call the same number – load the same webpage – which might make even a modest-sized corporation impossible to reach for the duration of the attack. These more complex attacks are called distributed denial of service attacks (DDoS), and they have become frustratingly common since CERT (Carnegie Mellon’s Computer Emergency Response Team) first warned of them in 1999.

It requires very little technical expertise to carry out a simple DoS attack – hit reload on your web browser every few seconds and you’ll be carrying out an (ineffective, primitive) attack. Belarussian tech journalist Evgeny Morozov was curious how much technical skill it would require to participate in a more organized attack. In a brilliant article for Slate, he describes visiting sites like StopGeorgia.ru, where he discovered a webpage that, saved to his desktop and opened in a browser, made thousands of requests an hour to 18 Georgian websites. Presto – “cyberwar” for dummies. A bit more poking led him to a set of instructions for DoSHTTP, a utility that can easily be misused to perform efficient denial of service attacks.

The technical solutions Morozov found weren’t especially sophisticated – one relied on a dozen lines of Javascript code, the other on a widely available off-the-shelf tool. These attacks can be effective not because they’re using especially sophisticated technology, but because they leverage a “social hack” – they rely on the actions of individual, patriotic Russians organized via sites like StopGeorgia, which hosts a “scoreboard” displaying which Georgian sites are reachable and unreachable. Look too hard for shadowy political forces and esoteric technology and “we risk underestimating the great patriotic rage of many ordinary Russians, who, having been fed too much government propaganda in the last few days, are convinced that they need to crash Georgian Web sites. Many Russians undoubtedly went online to learn how to make mischief, as I did.” (Morozov is very clear that his sympathies don’t lie with the Russians in this conflict, and that his attacks were conducted very briefly, for research purposes.)

The attacks on Georgian websites are probably not just coming from angry Russians hitting reload. Some are likely coming from “botnets”, large sets of computers that have been infected with malware, software that allows a computer to be controlled remotely by a third party. Russian hacker network RBN controls one network, the Storm botnet, but many others exist. It’s now possible to “rent” a botnet – Bill Woodcock of internet research consultancy Packet Clearing House estimates that botnets can be rented to perform DDoS attacks for as little as four cents per machine. It’s possible that some hackers have rented botnets and turned them against Georgian websites, or that some operators have decided to “donate” attacks to the anti-Georgian cause.

The rhetoric of “cyberwarfare” has a reassuring implication: we understand how to fight wars, so surely we can win a cyberwar. Unfortunately, the truth is more complicated. There’s no magic “cyberspace command” solution the USAF can unleash to defeat a botnet. The administrators trying to bring Georgian webservers back online are doing precisely what any sysadmin does confronted with a DDoS – they are blocking traffic from the IP addresses that are launching the attacks, and sharing these blocklists with administrators confronting the same problems. If they can block addresses more quickly than the attackers can recruit more participants, they’ll win. This strategy is known by the complex technical term “Whack-a-Mole”, and it’s roughly as frustrating as the fairground game of the same name.

What’s frightening about the online attacks against Georgia is not that they’re organized by shadowy Krelmin forces, but that they’re coming from a loosely organized group of individuals. In his new book “Here Comes Everybody“, Clay Shirky notes that one of the characteristics of the contemporary internet is that it enables “ridiculously easy group formation.” Once formed, these groups can organize potluck dinners or spread propoganda. Chinese netizens, angered by what they perceived as anti-China bias in western media, organized a campaign to challenge media narratives on sites like Anti-CNN.com. Individuals have flooded YouTube with videos exposing errors in CNN and BBC’s China coverage and arguing that Tibet is a part of a multi-ethnic, federated China. Most western media reports assume this effort is organized by the Chinese government, a charge participants angrily deny.

The shift from a world where power comes solely from governments and militaries to one where power can come from loosely organized, adhoc groups is a hard one to grasp. It’s easy to understand why the press and the military would misunderstand the situation in Georgia as a new type of military attack. The truth may be more intriguing and frightening – we’ve entered an era where individuals can organize their own “cyberwar” campaigns online, in concert with or in opposition to their governments.


Reuters was kind enough to ask me for my thoughts on this matter – a version of the piece is available on their website.

3 Responses to “Misunderstanding cyberwar”

  1. Hanan Cohen says:

    The Internet war of Estonia

    What would happen if tomorrow the Internet ceased to function? To most critics, and particularly state officials and policy makers, the possibility that the Internet could one day suddenly disappear is no more than a mere speculation, a highly improbable concept. On May 2007, the events that took place in Tallinn, the capital of Estonia, proved everyone wrong. On that day, Estonia fell victim to the first-ever, real Internet war. This article delves into the political context that shaped the incident and analyzes some of the key lessons and policy implications that emerged as a consequence.

    http://www.ciaonet.org/journals/gjia/v9i1/0000699.pdf

    This report is written by Gadi Evron, an Israeli Internet security expert who was called to help.

  2. Good article, but I wonder if it’s off point in certain ways. You seem to be saying that because the DOS attacks (1) don’t shed blood, (2) aren’t easily traceable, and (3) are easy to do, therefore they don’t constitute warfare. But, granted that the term “cyberwarfare” is hype (as is any journo or military term prefixed with “cyber”), there is still the problem of motive. Russia stood to gain from the attacks, however little that gain. And it is hard to deny DOS attacks can be very useful parts of a plan to set the table for real warfare. Regarding the source of the attacks (if they are such — I’m not totally convinced either), I wonder if we are seeing a kind of privateering at work. Anwyay ….

  3. c says:

    I think you are taking media reports and trying to give them your own spin to lessen the alarm of cyberwar. DDOS is only the popular part.
    What you dont see are the emails that government employees get telling them not to come to work or their family will be killed. Some of these emails have pictures of their family on them (taken from anyplace they can find them on the web).
    You dont see the bank accounts being emptied and identity of Georgian individuals being stolen or messed with en mass.
    These things are happening but not being reported.
    They happened alot in Estonia too but like people only interested in the shock and awe of DDOS, they dont put the whole picture together and see how it influences those in power in Georgia. Dig deeper for the real results of cyberwar. Find out what it casts to defend against it and you will see MUCH more impact.
    I guess the only way to truly understand is to put yourself in their position and see. I for one would be rightly intimidated to see a threatening email, with all my money gone, an my phones and internet down as well.

Trackbacks/Pingbacks

  1. Global Voices Advocacy » Internet and South Ossetia Crisis - [...] Zuckrman provides a complete analysis of what he called “Misunderstanding Cyberwar“: The rhetoric of “cyberwarfare” has a reassuring …
  2. Network Security Blog » Cyberwarfare: “…it’s a war being fought with paintballs, not with live rounds.” - [...] like Ethan Zuckerman’s take on cyberwar: It’s just a DDoS attack and calling this war is like calling hackers …
  3. Eccentric Optimism » On the Russia/Georgia cyberwar speculations - [...] Complete article here: Misunderstanding cyberwar [...]
  4. Gifted Amateurs « Re-Moralization - [...] by gronberg Looking more and more like the cyberattacks on Georgia’s Internet links was home-brew hacking instead …
  5. Quick Reading for Today | Security to the Core | Arbor Networks Security - [...] Russia vs Georgia Cyber War from the SANS ISC is a good read. Very good commentary is available in …
  6. …My heart’s in Accra » Blogger “failures” in the Georgian war, and the rise of citizen propaganda - [...] What’s most interesting to me is the ways in which citizens have become actively involved in these propaganda battles. …

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

 

Powered by WordPress | Designed by Elegant Themes