Thursday, May 29, 2008

Attacking Your Online "Persona"

Instead of physically killing the person, can you "assassinate" their online persona and eliminate their ability to operate in an online world?

The counterterrorism blog sets up a scenario where a person with extensive online presence could be "assassinated" or forced to scramble to beat back an attack on their personal and financial reputation. The next Presidential cycle, for example, may see candidates increasingly dependent on an online identity and presence:

Arguably, as well as raising funds and organizing volunteers, much of the campaigning would be conducted in cyberspace across virtual forums and virtual spaces - the capacity to deliver speeches to large virtual audiences will be available to candidates as server capacity increases. Some attempts were made during this campaign to integrate cyberspace (the YouTube debates) but this is not yet a working forum.

Therefore a cyberspace assassination would seek to achieve the following aims: prevent the candidate from actually being in cyberspace (the equivalent of virtual-murder), instill fear amongst their supporters that the same may happen to them and as a side-effect force the political campaigns to spend money on their cyber security or force the Secret Service to protect cyber-personas (the protection of cyber-identities is clearly something that all protective security agencies are going to need to consider). The tools to do this arguably already exist - hackers or botnets for hire could be diverted to these ends. This of course is fast-forwarding to a future more virtualized point where society is heavily reliant on cyber-spaces but similar tools could be applied today.

Can we--and should we--employ that kind of tactic against our enemies?

As with all things virtual, the scenario can be flipped. The use of precision cyber-attacks (or virtual assassinations) against America’s enemies should be considered today as a tactic to disrupt cyber-terrorists. This is in part a direct answer to one of the questions posed by the Senate Committee on Homeland Security and Governmental Affairs (Violent Islamist Extremism, the Internet, and the Homegrown Terrorist Threat), which asked,

“What, if any, new laws, resources and tactics other than those already employed by intelligence and law enforcement should be used to prevent the spread of the ideology [violent Islamist] in the United States?”

The answer: targeted cyber-attacks. In a recent piece in the Armed Forces Journal Col. Charles Williamson argues that the USA should develop its own botnet facility in order to launch cyber ‘carpet bombing’ against its enemies. This suggestion can be refined and used to address the current problem of cyber-jihadis. There is an ongoing debate about whether to act against extremist websites - on the one hand they provide useful insight and intelligence; on the other they are currently the terrorist training camps and propaganda vehicle of choice. The ability to target specific sites for attack or even specific users would seem to be a useful counter-terrorist tool and an answer to this debate. Therefore, Col. Williamson’s cyber carpet-bombing should be adapted for counter-terrorist purposes and directed at the most active and most dangerous cyber-terrorists. For the growing band of Internet jihadis, permanent disconnection from cyberspace is the equivalent of organizational death.

As online identities become more important they are vulnerable to a variety of different attacks; some of these are adaptations of fundamental human tactics and skills. The ancient tactic of assassination is one of them.

Colonel Williamson goes on to say:

The U.S. would not, and need not, infect unwitting computers as zombies. We can build enough power over time from our own resources.

Rob Kaufman, of the Air Force Information Operations Center, suggests mounting botnet code on the Air Force’s high-speed intrusion-detection systems. Defensively, that allows a quick response by directly linking our counterattack to the system that detects an incoming attack. The systems also have enough processing speed and communication capacity to handle large amounts of traffic.

Next, in what is truly the most inventive part of this concept, Lt. Chris Tollinger of the Air Force Intelligence, Surveillance and Reconnaissance Agency envisions continually capturing the thousands of computers the Air Force would normally discard every year for technology refresh, removing the power-hungry and heat-inducing hard drives, replacing them with low-power flash drives, then installing them in any available space every Air Force base can find. Even though those computers may no longer be sufficiently powerful to work for our people, individual machines need not be cutting-edge because the network as a whole can create massive power.

After that, the Air Force could add botnet code to all its desktop computers attached to the Nonsecret Internet Protocol Network (NIPRNet). Once the system reaches a level of maturity, it can add other .mil computers, then .gov machines.

To generate the right amount of power for offense, all the available computers must be under the control of a single commander, even if he provides the capability for multiple theaters. While it cannot be segmented like an orange for individual theater commanders, it can certainly be placed under their tactical control.

For computer network attack intended to create effects for a theater commander, the most sensible person to exercise tactical control is the Joint Force Air Component Commander (JFACC). The JFACC is responsible for the theater’s deep-strike capability and habitually operates in parallel warfare with hundreds of simultaneous strikes on hundreds of locations. That is exactly the kind of capability provided by the botnet. Also, the JFACC has the most at stake in using the botnet for deterrence, limited strike or massive strike because it is the JFACC who will have to send in his joint airmen if the botnet fails. This means he will have the most incentive to compel the Air Force to build and exercise this tool for him.

If that sounds like the ultimate "armchair" warfare scenario, then it probably is. The military has long struggled to recruit the kind of people who would carry out such an attack--military life is not conducive to the lifestyle of the cybergeek. The risks of carrying out this kind of warfare are minimal, argues Col. Williamson, because it is all in a "virtual" setting, after all. He does note that:

“We might start a new arms race.” We are in one, and we are losing. Gen. James Cartwright, then-commander of the U.S. Strategic Command, testified for the 2007 Report to Congress of the U.S.-China Economic and Security Review Commission that analysts think China has the world’s largest denial-of-service capability. Can the U.S. reasonably believe that other nations have not learned from the DDOS attacks on Yahoo and CNN in 2000 or on Estonia in 2007? As Gregory Rattray projected in his book, “Strategic Warfare in Cyberspace,” if we are, or are about to be, engaged in a conventional conflict, the adversary may launch a DDOS that, under the right circumstances, could deter or delay us. Their capability could reduce our options. In addition, at least one foreign nation has advocated unrestricted warfare in cyberspace.

And you thought China's "blue water" navy was the next looming threat.
