Predator Drone Video Feeds Intercepted

Cyber warfare has been advanced a step by militants in Afghanistan, who have managed to intercept the unencrypted video feeds from UAVs orbiting overhead.

At the beginning of the year, I laid out some examples of what effective cyber warfare entails, including this:

Imagine compromising the enemy’s C4ISR infrastructure and not only knowing where all enemy assets are, but having the ability to provide false information (if at least a few times before being discovered).

Now, over at Danger Room, we see this:

If you think militants are going to be content to just observe spy drone feeds, it’s time to reconsider. “Folks are not merely going to listen/watch what we do when they intercept the feeds, but also start to conduct ‘battles of persuasion’; that is, hacking with the intent to disrupt or change the content, or even ‘persuade’ the system to do their own bidding,” Peter Singer, author of Wired for War, tells Danger Room.

The militants have managed to intercept drone feeds from a $4.5M piece of equipment with a $26 piece of software. That clearly demonstrates that deploying very sophisticated, very expensive technology in the battlefield does not negate the need for operational security, or OPSEC.

The next step may be a man-in-the-middle attack on those feeds, allowing the insurgents to inject fabricated feeds into the system. This could change how U.S. soldiers on the ground react to what they are seeing, perhaps by unintentionally attacking a hospital instead of an insurgent safe-house, or even attacking fellow U.S. soldiers rather than an intended target.

In the grand scheme of things, this is nothing new. Signal intelligence, or SIGINT in military lingo, has been with us since we were tattooing secret messages onto shaved heads and waiting for the hair to grow back to conceal it. What is troubling is that the drones are a critical aspect of the AF-PAC theater. Their sole purpose is to provide video surveillance (using that intelligence to then deliver a missile is a secondary purpose). They are remotely piloted primarily using that video feed. Not protecting that signal’s confidentiality, integrity or availability potentially negates its usefulness altogether. If the enemy can either jam or alter that feed, they can simply crash the drone or dictate its mission and by extension dictate the mission of ground teams dependent on the feed.

In the opening paragraph I credited the militants with advancing cyber warfare; now, however, I’m inclined to credit the U.S. with having set back the art of OPSEC.

Conficker Hits French MoD

The conficker/downadup worm has impacted the French Ministry of Defense, according to an article posted by The Telegraph. According to the article:

…aircraft were unable to download their flight plans after databases were infected by a Microsoft virus they had already been warned about several months beforehand.

At one point French naval staff were also instructed not to even open their computers.

Like the recent compromise of the British MoD, the compromise of the French MoD appears to have been isolated to the unclassified network called Intramar. Coincidentally, it was the navy that was reportedly compromised in both cases.

It’s still being questioned whether or not aircraft were grounded by the worm. However, the fact that the worm impacted the MoD is not in question and that illustrates the risk of having weapons systems interconnected with the Internet.

To my knowledge the botnet created by conficker/downadup hasn’t been put into action yet. However, the fact that it now has two major trophies, the French and the British Ministries of Defense, is certainly worth pondering. The propagation methods this worm uses have proven to be very effective.

Worms are an effective weapon in cyber warfare

CIO.com has an article about a ‘rapidly spreading virus’ that is giving the UK Ministry of Defense a run for its money.

First, viruses don’t spread on the network; worms spread on the network, and a virus can be their payload.

Semantic arguments aside, the story demonstrates just how effective a worm can still be, especially in cyber warfare. Not only do you have the direct impact of the worm (delivery of the payload), but you also have secondary effects: network and host congestion, and the potential over-reaction by IT groups simply shutting off machines to avoid compromise. According to a Ministry of Defence spokeswoman:

“The reason why so many people are without their computers is because we’ve turned them off rather than they’ve been wiped or destroyed by this virus”

Without knowing what this particular bug is and what it does, shutting down systems may very well be a solid defense, but that doesn’t change the fact that the network wasn’t well prepared for a worm outbreak. The best defense against a network worm is defense in depth, but it doesn’t have to be complicated. In fact I would argue that it shouldn’t be much more complicated than:

  1. Patch management
  2. Network segmentation
  3. IPS and AV protection at segment links
  4. HIPS protection on critical hosts and AV protection on *all* hosts
  5. Established incident response
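As an added illustration of items 2 and 3 above (my own example, not code from the original post or any MoD system), this Python snippet shows the kind of check an IPS or a log review at a segment link can run: it flags a host fanning out to many Windows Server service (SMB, TCP 445) targets across segments, which is how a worm like conficker looks on the wire. The segment layout and the flow-log format are assumptions, and every log line is constructed.

```python
# Added example, not from the original post: flag hosts whose outbound connections
# look like a worm hunting for the Windows Server service (SMB, TCP 445) across segments.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records from a segment-link firewall: "time src dst dport action"
SAMPLE_LOG = """\
10:00:01 10.1.1.20 10.1.1.30 445 allow
10:00:02 10.1.1.20 10.1.1.31 445 allow
10:00:02 10.1.1.20 10.1.2.5 445 allow
10:00:03 10.1.1.20 10.1.2.6 445 deny
10:00:03 10.1.1.20 10.1.3.7 445 allow
10:00:04 10.1.1.20 10.1.3.8 445 allow
10:00:06 10.1.1.21 10.1.1.10 445 allow
10:00:06 10.1.1.21 10.1.1.10 445 allow
10:00:07 10.1.2.40 10.1.2.41 80 allow
"""

# Assumed segment layout: one /24 per segment.
SEGMENTS = [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24"),
            ip_network("10.1.3.0/24")]

def segment_of(ip):
    """Index of the segment an address belongs to, or None if unknown."""
    addr = ip_address(ip)
    for i, net in enumerate(SEGMENTS):
        if addr in net:
            return i
    return None

def parse(log_text):
    """Yield (src, dst, dport); denied probes count too, since scanning is the signal."""
    for line in log_text.splitlines():
        _ts, src, dst, dport, _action = line.split()
        yield src, dst, int(dport)

def find_scanners(log_text, port=445, min_targets=5, min_segments=2):
    """Return {src: (distinct_targets, segments_touched)} for hosts whose
    fan-out on `port` crosses both thresholds. A worm probing the Server
    service touches many distinct hosts, including ones on other segments;
    a workstation talking to its one file server does not."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport == port:
            targets[src].add(dst)
    result = {}
    for src, dsts in targets.items():
        segs = {segment_of(d) for d in dsts} - {None}
        if len(dsts) >= min_targets and len(segs) >= min_segments:
            result[src] = (len(dsts), len(segs))
    return result
```

Tune `min_targets` and `min_segments` to the normal fan-out of the segment being watched; a legitimate file server's clients all point at one host, so they never trip the check.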

But I digress.

As I stated previously, targeting military networks can have far reaching, even strategic gains:

Crippling the network of a carrier group would be a punch to the solar plexus, which would allow for a follow-up attack, such as a swarm attack or suicide attack by aircraft and small watercraft. The combination of the two less-conventional and relatively inexpensive attack methods stands a good chance of forcing the carrier group to disengage until they can repair damage, replace assets, and restore their data network. This kind of ‘more bang for your buck’ is one of the key advantages of cyber warfare.

Note that neutralizing a carrier group borders on strategic, as these are key assets in any expeditionary force of modern warfare.

Wouldn’t you know it, the rumor mill suggests the BBC confirms that HMS Ark Royal, an Invincible-class light aircraft carrier, was or still is affected. I guess their network isn’t Invincible-class.

The fact that the worm spread through multiple networks and ultimately ended up on the carrier’s network demonstrates the potential a worm has for damage simply through the Achilles heel of interconnected systems: their very connectedness.

If this is in fact the conficker worm and not some one-off, custom job cooked up by someone intentionally targeting the MoD, I’d expect some heads to roll. It would be extremely disappointing to learn that a garden-variety* worm targeting a three-month-old vulnerability whipped some MoD ass.

*Conficker is neither exceptional nor cutting edge as worms go. In fact, the core vulnerability that conficker targets resides in the Windows Server service, which has been known to be vulnerable since at least 2006, and RPC attacks enjoy an even longer history. Given the core role the Windows Server service and RPC play in networking Windows machines, any shop deploying them as infrastructure should protect both at all costs.

Update:

According to the BBC, as of 1/20/09 this is still affecting the MoD and has affected 70 sites. What’s interesting is the statement that it has successfully redirected email traffic to email servers in Russia:

Conservative MP Mark Pritchard said he had been told by one defence official that e-mail traffic from some RAF stations had been re-directed to a Russian internet server as a result of the virus.

Officials note they don’t think the MoD was targeted, which leads me to believe it was indeed a garden-variety worm that hit them. That statement (that email was redirected) could be a product of the ‘fog’ of incident handling on such a large scale. However, if it’s true, I assume it happened because the email server or servers were compromised by the worm, which deployed a bot that phoned home, and the compromise was escalated through remote control of the bot.

On Cyber War

Recent cyber attacks on Israel may appear to be an aspect of cyber warfare, but in reality they’re merely cyber activism.

From Globes online:

Quantity, not quality, is the guideline of hackers trying to shut down Israeli websites in response to Operation Cast Lead. Information security solutions developer Applicure Technologies Ltd. (TASE:APCR) reports a multifold increase in hacking at Israeli websites, as well as a large increase in attempts to hack protected websites.

We’re hearing more and more of cyber attacks associated with physical attacks: Estonia, Georgia, and now Israel. More often than not the attacks (usually website defacements or distributed denial of service (DDoS) attacks) are perpetrated by a loose-knit group of decentralized actors (open source warfare) rather than a well organized attack orchestrated by a military, government, or other hierarchical entity. But as the tactics develop and effectiveness increases, cyber attacks will become more mainstream, just as other technologies of warfare develop and we progress further into 5th generation warfare, or 5GW.

But the key question is: in the grand scheme of warfare, just how effective are cyber attacks? The current state of the art has for the most part been low-scale and minimally effective, for several reasons. Obviously the more developed and connected a target is, the more potential cyber attacks have for disruption. Also, the better organized and developed the cyber ‘army’ is, the more effective it will be. That doesn’t mean the cyber army has to be centralized, merely organized in a way that provides meaningful intelligence, attack cohesion and relevancy, etc. Most cyber attacks that we’ve seen associated with armed conflict have been largely disorganized, perpetrated by ad-hoc organizations, and centered around propaganda dissemination rather than system disruption.

In other words, the majority of what we’ve seen so far has mainly been cyber activism: defacing websites with propaganda, spamming propaganda, etc. Taken by itself, this has minimal effect on the outcome of physical warfare and should probably be a sub-category of psychological warfare.

So what are the gains of cyber warfare when it’s properly implemented? I’ll organize a few examples into two categories: tactical and strategic gains.

Tactical gains

Forget about website defacement, imagine if one could disrupt satellites and hinder GPS guided bombs, like the GBU-39 Small-Diameter Bomb (SDB) that Israel is currently deploying in large numbers. Better yet, imagine being able to control those satellites and redirect those bombs to a target of your choice (a hospital or baby formula factory if that’s your style). But let’s not stop there, now that we control the satellites, we don’t just have control of bombs, but to a lesser extent war planes, UAVs, and any other weapon system that relies heavily on GPS positioning.

Imagine compromising the enemy’s C4ISR infrastructure and not only knowing where all enemy assets are, but having the ability to provide false information (if at least a few times before being discovered).

Crippling the network of a carrier group would be a punch to the solar plexus, which would allow for a follow-up attack, such as a swarm attack or suicide attack by aircraft and small watercraft. The combination of the two less-conventional and relatively inexpensive attack methods stands a good chance of forcing the carrier group to disengage until they can repair damage, replace assets, and restore their data network. This kind of ‘more bang for your buck’ is one of the key advantages of cyber warfare.

Note that neutralizing a carrier group borders on strategic, as these are key assets in any expeditionary force of modern warfare.

Strategic gains

Nearly all national economies are tied to the Internet and utilize a computer network of some sort. A concerted, long-term disruption of these systems could seriously impact the enemy’s economy. Cyber attacks on oil bourses, stock exchanges, etc. could reduce the ability of a country to generate revenue and fund its campaign. This could also help subvert the people’s hearts and minds, turning the populace against the war effort.

Cyber attacks on key industries could disrupt a country’s ability to produce weapon systems. For example, if an enemy were to continuously disrupt or outright destroy data and information systems for Northrop Grumman, they could have a severe impact on the production of UAVs, which the US military has come to heavily utilize.

Theft of military and industrial secrets could provide a needed boost to a state. Just look at China, one of the leaders in emerging cyber warfare and certainly adept at espionage.

The list goes on; electrical grids (collateral damage to industry, economy, etc), cell phone grids, nuclear power plants (destruction of which would also be a physical attack), commercial shipping entities, etc.

Cyber warfare has huge potential and we’re only seeing the earliest stages of it now. As its effectiveness develops and as the world embraces ‘teh intarwebs’ we’ll begin to see a whole new way to wage war by smaller and smaller players, both state and non-state.