New Book: Cyber War in Perspective: Russian Aggression against Ukraine

The conflict in Ukraine appears to have all the ingredients for “cyber war”. Moscow and Kyiv are playing for the highest geopolitical stakes, and both countries possess a high level of expertise in information technology and computer hacking. However, there are still many skeptics of cyber war, and more questions than answers. Malicious code is great for espionage and crime, but can it help soldiers on the battlefield? Does computer hacking have any strategic effects? What are the political and military limits to digital operations in peacetime and in war?

This NATO-funded research project, undertaken by 20 leading authorities on national security and network security, is a benchmark for world leaders and system administrators, and sheds light on whether “cyber war” is reality -- or science fiction. Further, it helps decision makers to understand that their choices today have ramifications for democracy and human rights tomorrow.

*Free download* from the NATO Cyber Centre (CCD COE):

World Cyber Crisis? Students to the Rescue!

UK Prime Minister David Cameron recently hopped the pond to meet with Barack Obama — one would be hard-pressed to think of a more high-profile meeting. What was on the agenda? Cyber security. Understandably so — their meeting came on the heels of the alleged North Korean hacking of Sony and the hijacking of CENTCOM’s Twitter and YouTube accounts by ISIS supporters.

A White House press statement called cyber attacks one of the most serious “economic and national security challenges” facing the world today, and declared that both government and private sector were under attack. The two world leaders announced plans to strengthen cyber security for critical infrastructure and the financial sector. Looking longer term, they called for increased information sharing, intelligence cooperation and investment in cyber security education.

One of the most exciting pledges was to create the Cambridge vs. Cambridge cyber security contest, pitting the Massachusetts Institute of Technology (MIT) against the UK’s University of Cambridge. MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) hailed the announcement as a “hackathon” that will harness the students’ “collective brainpower.” In the UK, the event was heralded as a trans-Atlantic digital war game that will help to prepare the British Isles for future cyber terrorist attacks.

The Ivory Tower and Computer Hacking: Mutually Compatible

How do you get from here to Carnegie Hall? Practice, practice, practice! Fortunately, there is a growing recognition that, if we want to protect cyberspace, the nursery is a better place to find recruits than in a retirement home. That is why NSA Director GEN Keith Alexander decided to keynote Black Hat, and why the newest spin-off from the world’s largest hacker convention, DEF CON, is aimed squarely at kidz.

In the United States, there are a growing number of cyber security competitions at the university level. Under NSA supervision, the military services have held an annual cyber war exercise since 2001 (unlike in football, West Point currently holds the trophy). This has led to the creation of the National Cyber Security Defense Competition among universities and CyberPatriot for high school and even middle school students.

Such programs are designed to give students the opportunity to apply their studies in a hands-on exercise (often based on “capture the flag” scenarios) with the added incentive of fierce competition among peers. These hacker events have been hugely popular, with the winners immediately gaining “1337” status in their discipline and advancing to clashes of network titans in contests such as DEFCON CTF 2015.

Unfortunately, however, these remain tiny sparks of light in what is an otherwise pitch-black cave of cyber security education. Colleges simply cannot keep up in what is now a dynamic and rapidly evolving network security threat landscape. PBS recently reported that there are over 200,000 unfilled cyber security jobs in the U.S. alone!

War Gamez in Social Media – not your typical college class

ZeroFOX recently presented at ShmooCon about a novel cyber security exercise carried out in partnership with Johns Hopkins University. The exercise instructed graduate level students to simulate red team/blue team social media penetration tests on other American universities. Each group was assigned to “attack” a school for part of the experiment before switching to defending a different school.

The “attacking” students, with the help of botnet armies and subversive hyperlinks, infiltrated adversary networks with highly imaginative – and effective – social media attacks. Their goal was simple: to lure the target audience into clicking on a tracking link. In the study, the link redirected to a benign 404 page. However, in a genuine cyber attack, a click would not have simply tracked the clicker’s basic information, but could have compromised the entire network. We recorded the basic demographics of clicks for scoring purposes, including browser and operating system statistics.

During the offensive campaign phase, the attackers used attractive hashtags, bogus business schemes, fake job announcements, insider Facebook group details, sports updates, free ice cream and much more to lure gullible students to click on their link.

The most effective lures, in descending order, were the following:

  • Automated Tinder invitations: 75% click rate
  • Access to closed Facebook groups: 12.5% click rate
  • Fake job announcements: 12.5% click rate
  • Sexually provocative student blogs: ~500 clicks
  • Hashtag hijacks of sporting events: retweets, clicks, favorites

The war game was a short exercise, but the results of our study were extraordinary. In summary, the “attackers” were able to “compromise” plenty of target networks simply by using social media communications. All told, nearly 3,000 users clicked on the tracker links.
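As an added illustration of the scoring step described above (this is not code from ZeroFOX or the Johns Hopkins exercise), the following Python script tallies clicks per lure from constructed web-server access-log lines for a tracking page that always answers 404: the `/t/<lure>` tracker paths, the `u=` recipient token and the reach figures are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Apache "combined" access-log lines. Assumptions: every
# tracking link lives under /t/<lure>, the recipient token rides in the "u"
# query parameter, and the tracker always answers 404 (a benign page).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2015:10:01:02 -0500] "GET /t/tinder?u=a1 HTTP/1.1" 404 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B411 Safari/600.1.4"
10.0.0.6 - - [12/Jan/2015:10:03:44 -0500] "GET /t/tinder?u=a2 HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.93 Mobile Safari/537.36"
10.0.0.5 - - [12/Jan/2015:10:05:10 -0500] "GET /t/tinder?u=a1 HTTP/1.1" 404 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B411 Safari/600.1.4"
10.0.0.7 - - [12/Jan/2015:11:12:00 -0500] "GET /t/fbgroup?u=b1 HTTP/1.1" 404 512 "https://www.facebook.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
10.0.0.8 - - [12/Jan/2015:12:30:21 -0500] "GET /t/jobs?u=c1 HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0"
10.0.0.9 - - [12/Jan/2015:12:31:05 -0500] "GET /t/jobs HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
10.0.0.9 - - [12/Jan/2015:12:31:06 -0500] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
this line is not an access-log entry and must be skipped
"""

# Constructed reach figures: how many recipients each lure was shown to.
SAMPLE_REACH = {"tinder": 4, "fbgroup": 8, "jobs": 8}

# Apache "combined" log format; a line that does not match is skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Only hits on tracker paths count; the lure id is the segment after /t/.
TRACKER_RE = re.compile(r"^/t/(?P<lure>[a-z_]+)$")


def classify_ua(ua: str) -> tuple[str, str]:
    """Coarse (browser, os) classification by substring; order matters because
    iPhone UAs also say 'Mac OS X' and Chrome UAs also say 'Safari'."""
    u = ua.lower()
    if "iphone" in u or "ipad" in u:
        os_name = "iOS"
    elif "android" in u:
        os_name = "Android"
    elif "windows" in u:
        os_name = "Windows"
    elif "mac os x" in u:
        os_name = "macOS"
    elif "linux" in u:
        os_name = "Linux"
    else:
        os_name = "Other"
    if "chrome" in u:
        browser = "Chrome"
    elif "firefox" in u:
        browser = "Firefox"
    elif "safari" in u:
        browser = "Safari"
    elif "msie" in u or "trident" in u:
        browser = "IE"
    else:
        browser = "Other"
    return browser, os_name


def score_campaign(log_text: str, reach: dict) -> dict:
    """Per-lure report: raw hits, unique clickers, click rate against reach,
    and browser/OS tallies counted once per recipient (repeat clicks ignored)."""
    acc: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["path"])
        t = TRACKER_RE.match(parts.path)
        if not t:
            continue  # favicon, robots.txt and other non-tracker requests
        lure = t["lure"]
        # Recipient token from ?u=; fall back to the source IP when absent.
        token = parse_qs(parts.query).get("u", [m["ip"]])[0]
        r = acc.setdefault(lure, {"hits": 0, "clickers": set(),
                                  "browsers": Counter(), "os": Counter()})
        r["hits"] += 1
        if token not in r["clickers"]:
            r["clickers"].add(token)
            browser, os_name = classify_ua(m["ua"])
            r["browsers"][browser] += 1
            r["os"][os_name] += 1
    report = {}
    for lure, r in acc.items():
        n = len(r["clickers"])
        sent = reach.get(lure)
        report[lure] = {
            "hits": r["hits"],
            "unique_clickers": n,
            "click_rate": round(n / sent, 3) if sent else None,
            "browsers": dict(r["browsers"]),
            "os": dict(r["os"]),
        }
    return report


def rank_lures(report: dict) -> list:
    """Lure ids ordered by click rate, most effective first."""
    return sorted(report, key=lambda lure: report[lure]["click_rate"] or 0.0,
                  reverse=True)


if __name__ == "__main__":
    rep = score_campaign(SAMPLE_LOG, SAMPLE_REACH)
    for lure in rank_lures(rep):
        print(lure, rep[lure])
```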

The Social Media Threat Vector

Our project validated something we have known for a long time at ZeroFOX: it is shockingly easy to carry out cyber attacks on social media. Unfortunately for today’s corporations, the adversary has known this for a long time as well.

The students at Johns Hopkins University proved that people are far more willing to trust something posted on social media than on other platforms. Email, for example, is widely assumed to be vulnerable. According to Norton, 89% of people won’t open an email from an unknown sender. Yet well over a third will accept a friend request from an unknown individual, and 40% of people have fallen victim to social media cyber crime.

More importantly, our experiment proved that not only is cyber crime evolving rapidly, but the key to innovative solutions involves getting students excited and involved sooner rather than later. It takes more than a textbook on malware analysis to train the next generation of cyber warriors. As such, Obama and David Cameron are spot on in creating the Cambridge vs. Cambridge competition. As our own study impressively showed, students thrived in the competitive environment and came up with a huge array of innovative strategies to both launch, and defend against, social media cyber attacks. This competition, as we hope will be true of Cambridge vs. Cambridge, put students in the driver’s seat and inspired them to grapple with a daunting new challenge in cyber security.

A new generation of cyber crime is here. But so is the next wave of innovative and cutting-edge solutions.

Online Trust in the Age of Digital Deception

“She loves me, she loves me not…”

Normally, it takes many petals – and sometimes many flowers – to answer this question. Children play truth or dare. Cops use a polygraph. Spies undergo “source validation”. Long ago, however, Aristotle warned that a good speaker can manipulate the emotions – and convictions – of any audience.

Incoming Friend Request!

The age-old challenge of deciding whom to trust is even harder in the Internet era, where there is a paradox: humans are physically more distant from one another – as we retreat to a quiet place with our laptop, tablet or smart phone – but we are pouring our hearts, minds and souls into cyberspace.

The latest Pew Research Social Networking Fact Sheet (Jan 2014) says that 74% of online adults use social media, 40% of cell phone owners use social media on their phones, and 46% of all social media users post original content in the form of photos or videos. These numbers will only increase in the future, as Internet devices shrink in size and grow in mobility. Eventually, they will be invisible to the naked eye, and we will always be connected to the Net.

What has this virtual revolution done to integrity, credibility and interpersonal trust? Facebook users in particular describe their online relationships as “close” and “trusting”. The interactive – and often intimate – nature of social media, however, carries an element of risk, on a personal and a professional level. The unfortunate fact is that cyber criminals use the relative anonymity of Internet communications to facilitate every kind of vice, from fraud to murder.

In cyberspace, it is hard to separate the sheep from the goats. If I want to know more about Vladimir Putin, should I follow @VladimirPutin or just @Putin? In fact, neither account belongs to the President of Russia. The real #Putin is @PutinRF, who currently has 887K followers. @BarackObama has 52.5M followers, but he cheats – Obama follows 646K accounts, most of whose posts he will never read. Hilariously, the real Putin only follows one other person: himself. That is even fewer than the official Twitter account of North Korea (@uriminzok), which only follows three, one of which is a 27-year old Coldplay fan from Texas.

The increasing physical distance between humans makes it easier for us to deceive one another. It is much easier to tell a lie when you do not have to look someone in the eye. Human intelligence is more art than science. In the Bond film For Your Eyes Only, Countess Lisl von Schlaf says, over a glass of champagne, “Oops! Me nightie’s slipping,” to which James replies, “So’s your accent, Countess. Manchester?” She confesses: “Close. Liverpool.”

But this kind of cross-examination is harder to do with an ISP in Houston standing in the way. And as the recent cyber attack on Sony demonstrates, it is even possible for serious criminals – with the world’s top intelligence agencies looking for them – to remain anonymous, perhaps forever.

These technical difficulties are compounded by time and resource limitations. All of us are swimming in a sea of dynamic, digital data, and the pressure is always on. Could this online match be my one, true love? Does Cyber Monday end at midnight? Did my favorite politician just become my least favorite, or was that just Photoshop playing tricks on me?

To answer life’s greatest questions, boffins have their scientific method: hypotheses, predictions, experiments, observations, evidence, measurement, publication and citation impact. But in the real world – including the day-to-day affairs of government, business and love – it is often subjectivity over objectivity, animal instinct over cold calculation.

ZeroFOX social media risk management cannot see into the human heart, but it can help you and your organization to evaluate the authenticity and reliability of information in the social media space, including suspicious profiles, images, links and more. No social media security strategy is perfect, but you owe it to yourself – and to Aristotle – to be wary.

Thoughts on the ISIS hack of CENTCOM

Advertising works. Propaganda works.

If the goal of this attack was publicity, then ISIS scored a victory – even if only on the cyber battlefield. Every major news organization in the world covered this story. ISIS is surely presenting it as a victory within its territories – and ISIS sympathizers in the West will also be impressed.

Nation-states spend enormous amounts of money on propaganda. Check out this image of a U.S. "leaflet bomb" dropped on North Korea over 50 years ago. What do you think: should we drop VHS or DVD copies of The Interview on North Korea today?

This attack shows that ISIS has a desire, and already some capability, to compete with the U.S. in cyberspace – where the U.S. is supposed to be dominant. For ISIS, the reach of cyberspace is global, not just Iraq and Syria, which offers ISIS opportunities that it would not otherwise have.

On a technical level, if publicity was the sole goal of this ISIS operation, then their hacker prowess was good enough to complete the mission. We do not know if this is ISIS’s only cyber operation, but I doubt it. It suggests, on the contrary, that ISIS probably has other ongoing cyber operations that are designed solely to collect intelligence that would help it achieve real-world battlefield victories.

This will be a short-term victory, however, unless ISIS can back it up with other successful cyber and/or real-world operations. More than a black eye for CENTCOM, it is a short-term shot in the arm for ISIS supporters.

For a more in-depth look at what happened, here is my blog at ZeroFOX.

FREE *Science Fiction* short story!

All, here is my first attempt to explore the connection between computer security and national security through fiction. This is a short story, "Good morning, good morning", focused on the challenges of counterintelligence in the Internet era ...

Please let me know what you think, thanks!

- Kenneth

Kosovo, Cyber Security, and Conflict Resolution

This paper was presented at the Friedrich Ebert Stiftung international conference: “Current Security Challenges for the Western Balkan region - addressed by means of joint responsibility and cooperation”, Nov. 19–21 2014, in Prishtina, Kosovo.


Cyber conflicts are merely a reflection of traditional conflicts. Cyber security is an international problem that requires an international solution. To make tangible progress on strategic cyber security in the Balkans, the creation of a regional center of expertise can help – both at a tactical/technical level, and in a strategic sense by investing in future technologies and modernizing local economies.

1. Introduction: cyber security and national security

Just as Vietnam was the world’s first “TV War”, the Kosovo war in 1999 was the world’s first “Internet War”. A pro-Serbian hacker group called the “Black Hand” subjected the North Atlantic Treaty Organization (NATO), the United States, and the United Kingdom to Denial-of-Service (DoS) attacks and over twenty-five different strains of virus-infected email. They took the NATO Public Affairs website (where NATO sought to portray its side of the conflict) offline for days. NATO spokesman Jamie Shea cited “line saturation” caused by “hackers in Belgrade.” As NATO tried to upgrade nearly all of its computer servers, the location of the attacking computers shifted from Belgrade to other countries around the world. In the U.S., the Secret Service investigated a White House website defacement; in the UK, the government admitted the loss of “some” database information.

The World Wide Web was only created in 1991, but by the turn of the century, it was clear that warfare – like everything else – would find a new home in this new cyber “domain”. In 1948, Hans Morgenthau wrote that national security depends on the integrity of a nation’s borders and its institutions, but today, national institutions have been connected to the Internet – to include everything from elections to electricity. A cyber attack is best understood not as an end in itself, but as a means to a wide variety of ends, some of which can have serious political and/or military consequences. And on this new battlefield, anyone with an Internet-connected computer – regardless of his or her physical proximity to a conflict – can join the fight.

Following the war over Kosovo, the use of cyber attacks in international conflicts has evolved. In Israel, pro-Palestine hackers have hit economic targets such as the Bank of Israel and the Tel Aviv Stock Exchange. In Estonia, in retaliation for moving a Soviet World War II memorial from the center of Tallinn, pro-Russia hackers downed a wide range of Internet domains. In Syria, analysts believe the Israeli military used a cyber attack to cripple the Syrian air defense system during an Israeli air force strike on an alleged nuclear reactor. In Georgia, Russia is said to have employed cyber attacks to facilitate a military invasion. In Kyrgyzstan, a DoS attack knocked the entire nation offline during a domestic political crisis. In Iran, the Stuxnet computer worm reportedly destroyed nuclear centrifuges.

In this geopolitical-cyber context, it is unsurprising that the U.S. – whose example is now being followed by many other nations – has already created a military command devoted exclusively to cyber warfare.

Most recently, Kosovo has again appeared on Planet Earth’s short but growing list of international cyber incidents. In October 2014, during a football match between Serbia and Albania, a small drone trailing a nationalist Albanian flag (which included Kosovo on a map of “Greater Albania”) was flown through the stadium, sparking ethnic tensions in the region and a diplomatic row between the two countries. Serbian President Tomislav Nikolic said “the only thing missing … was an explosive device in the craft.” Cyber attacks by both pro-Serbia and pro-Albania hackers followed the drone incident.

2. In cyberspace, traditional security approaches fall short

In the future, cyber security will grow increasingly synonymous with national security. Today, national security decision makers are already responsible for the security of not one computer or even thousands, but millions, including the cyberspace around them.

How will nations prepare for the cyber wars to come? First, by investing in new technologies such as Internet Protocol version 6 (IPv6), which ends the world’s current shortage of computer addresses and offers improved security features such as mandatory support for Internet Protocol Security (IPSec). This is a logical approach – the best way to fix a technical problem is with a technical solution. However, the dynamic nature of the Internet marketplace, and political tension between data privacy, law enforcement, and human rights, will ensure that there is no silver bullet, at least in a purely technical sense.

Second, nations will incorporate cyber attack and defense into everything they do. In terms of military doctrine, the dream of winning international conflicts without fighting is as old as Sun Tzu’s Art of War. However, no one currently knows whether cyber tactics and strategies will be a positive or negative development on warfare. If cyber attacks play a lead role in future wars, and a sizable portion of the fight is over IT infrastructure, future wars could be shorter and cost fewer lives, with quicker economic recovery and post-war diplomacy – but only time will tell.

Many aspects of “cyber conflict”, however, are revolutionary, and may be hard to square with traditional law enforcement principles and military doctrine. First, the proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography. Second, the blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them – especially “zero-day” attacks, against which there is no defense (or knowledge on the part of the defender). Third, cyber attacks are flexible enough to be effective for propaganda, espionage, and even the destruction of critical infrastructure. And fourth, there are currently few moral inhibitions to cyber attacks because they relate primarily to the use and abuse of data and computer code – so far, there is little perceived human suffering.

What about traditional military deterrence? At least three factors diminish its credibility: acquisition, attribution, and asymmetry. First, cyber tools and tactics are relatively easy to acquire. There is no readily apparent difference between expertise in computer network defense and computer network offense – they are essentially one and the same discipline. Second, “attribution”, or the anonymous hacker problem (e.g. an attacker’s ability to operate quietly and to disguise his or her true location) decreases the chances of deterrence via retaliation for an attack. Finally, there is no better example of cyber asymmetry than “MafiaBoy”, who as a teenager in 2001 caused over $1 billion in corporate losses during a successful DoS attack. 

At some point in the future, world leaders may decide to negotiate a cyber arms control treaty or a non-aggression pact for cyberspace. However, the nature of a “cyber weapon” poses a unique challenge to any such regime. How do you prohibit something that is inherently hard to define, such as “malicious” code? How do you inspect something as big as cyberspace, when a single USB Flash drive can hold trillions of data bits? In theory, cyber weapons inspectors could operate at the Internet Service Provider (ISP) level, but such regimes are already commonplace, such as China’s Golden Shield Project, the European Convention on Cybercrime, Russia’s SORM, and the USA PATRIOT Act. Each is unique in terms of guidelines and enforcement, but all face the same problem of overwhelming traffic volume – not to mention political disagreements over data privacy and human rights.

Despite all of this, cyber arms control may be in our future, because in cyberspace, we all live in glass houses. One possible model is the 1997 Chemical Weapons Convention (CWC), which compels signatories to destroy CW stockpiles, forbids them from producing any more, and gives practical aid to its members in the form of advocacy and the peaceful advancement of science. In a similar fashion, a cyber weapons convention could create an internationally staffed institution to help signatories improve cyber defenses, recover from attacks, and promote peaceful uses for computer science.

3. The need for international collaboration

Governments today are confronted with a paradox: to disconnect from the global Internet is folly – and yet network connectivity provides adversaries with a medium through which to commit cyber crime, cyber espionage, or even cyber war. And there is only so much they can do about it, because law enforcement jurisdiction ends every time a network cable crosses an international border. Over the past twenty years, cyber investigators have spent countless hours staring blankly at long lists of foreign Internet Protocol (IP) addresses, with virtually no clue about how to see behind them.

Cyberspace is bigger than any country. Therefore, cyber security is an international problem that requires an international solution. One of the most vexing characteristics of cyber attacks is that they are normally routed through unwitting third parties, in which “middle man” proxy computers are successfully attacked along the way in order to cover the trail of the attacker. Unfortunately, this dynamic not only facilitates short-term cyber attacks, but also has a corrosive effect on the long-term integrity of the Internet as a whole, and suggests that a cyber attack against anyone is a cyber attack against everyone. Progress in strategic cyber security will be difficult, however, due to legacies of conflict, poor technical skills, and the fear of losing national sovereignty. However, in the end, we have no choice. Nations will remain technically, legally, and morally responsible for their own network infrastructure, but forced to reach out to international partners for help on a regular basis.

At a technical level, international institutions already lie at the heart of Internet management. Since 1998, the Internet Corporation for Assigned Names and Numbers (ICANN) has managed the communication protocols that once belonged to the U.S. Department of Defense. In theory, the U.S. government has the right to veto fundamental changes to the system, but in practice ICANN operates independently. That said, ICANN only makes sure that information – in the form of data “packets” – gets from point A to point B on the Internet; it does not control access, police Internet content, or stop cyber attacks.

The task of making sure that information sent across the Internet does not break national or international law falls to national-level law enforcement and counterintelligence organizations. Toward this end, the most important international legislation to date is the Council of Europe’s Convention on Cybercrime, issued in 2001 and now signed by 51 nations (acceded by 44) from around the world. This treaty, supplemented by the Protocol on Xenophobia and Racism Committed through Computer Systems, is the only binding international agreement related to cyber security, and is considered an archetypal template for countries to use domestically. 

A successful cyber crime treaty is a good start, but what happens when cyber attacks cross the threshold of terrorism – or even warfare? The Russian government has long argued that an agreement similar to those that have been signed for weapons of mass destruction (WMD) could be helpful in securing the Internet. In 1998, Russia successfully sponsored United Nations (UN) Resolution 53/70, “Developments in the field of information and telecommunications in the context of international security,” which states that while modern information and communication technology (ICT) offers civilization the “broadest positive opportunities”, it was nonetheless vulnerable to misuse by criminals and terrorists. In 2010, this resolution was co-sponsored by the U.S. There are currently two streams of ongoing cyber dialogue at the UN: one relative to cyber crime and another on cyber warfare. One concrete achievement has been the UN’s sponsorship of a conference series called the World Summit on the Information Society (WSIS). Despite these achievements, however, the UN’s enormous size can also be an obstacle to progress, as there are numerous antagonistic political and military alliances within the organization, and a great disparity among Member States in terms of ICT infrastructure, law, policy, and threat perception.

Therefore, quicker and more tangible progress on strategic cyber security may come within the context of regional political and military alliances. The European Union (EU), with the highest GDP in the world, already has a legal and policy framework that includes robust support for electronic signatures, online services, spam filtering, consumer protection, individual privacy and digital copyrights. Furthermore, the entry into force of the Lisbon Treaty in 2009 strengthened the EU’s security credentials by increasing the Council’s authority to define a common approach to foreign and security challenges, and by encouraging Member States to act in closer security cooperation with one another. The Organization for Security and Cooperation in Europe (OSCE) – a 56-nation group that extends from North America to Central Asia – has sponsored many cyber security “Expert Workshops,” including in both Serbia and Croatia.

In terms of international military might, however, no organization today can match NATO, whose raison d’être since 1949 has been the collective defense of its Member States. NATO links Europe with North America, and has a formal dialogue with dozens of additional nations in its Euro-Atlantic Partnership Council, Mediterranean Dialogue, Istanbul Cooperation Initiative, and Contact Countries. All told, these partnerships span the globe. According to Suleyman Anil, Head of Cyber Defence in NATO’s Emerging Security Challenges Division, the 2007 crisis in Estonia transformed the organization’s perspective on cyber security: “Estonia was the first time … [we saw] possible involvement of state agencies; that the cyber attack can bring down a complete national service, banking, media…” NATO’s latest Strategic Concept describes cyber attacks as threatening “Euro-Atlantic prosperity, security and stability,” and recently NATO announced that cyber attacks could lead to an invocation of Article 5, which declares that “an armed attack against one ... shall be considered an attack against them all,” which is the Alliance’s core organizing principle of collective defense.

To the east of NATO, the Shanghai Cooperation Organization – a group composed of China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan – signed an agreement on “Cooperation in the Field of International Information Security” in 2009; and in 2011, Russia and China proposed an “International Code of Conduct for Information Security”.

Thus, there are already hints of emerging alliances in cyberspace. Hopefully, this trend will tend not toward greater conflict, but greater international security and stability.

4. Conclusion: a regional cyber center in the Balkans

One way to make real progress on strategic cyber security, especially for small nations, is via international partnerships. In this light, the Balkan countries would be wise to create a regional center of computer security expertise, with a future-oriented mission of conflict resolution in cyberspace.

At a tactical, technical level, the center should focus on defending the region’s computer networks from attacks. Proactively, it should offer cyber security education in “best practices” as well as more advanced technical training. Reactively, it should employ a multinational forensics team that can deploy in the event of a crisis, with the authority to openly publish the results of an investigation. At the strategic level, the center could become a magnet for economic investment in international efforts to promote information technology and cyber security.

Cyber conflicts do not occur in a vacuum; they are reflections of the traditional conflicts that have always plagued humans, even before the rise of nation-states. Of course, objective technical expertise will be the foundation of any such project, but a good understanding of the regional geopolitical context is also necessary, and only local experts can provide that.

There should be no fear of being “behind” in cyber security expertise or experience. All nations are just now beginning to address strategic cyber security issues. The Balkans are a microcosm of the wider world, and could easily become a role model in the global cyber security domain. Small countries such as Estonia, Israel, Iceland, and Finland have proven that small nations can make large contributions in this dynamic field, where everything is by nature asymmetric.

The center’s staff should hail from every country in the Balkans. However, the center could have a virtual “home” in cyberspace – thus keeping overhead costs to a minimum. Its training program should be shared, open, objective, and rigorous. A strong, internationally based core of subjects and certifications could help to unify the personnel and program. One of the center’s primary goals should be to develop trust, both within the institution and from the perspective of the outside world. During times of crisis, the personal and professional relationships developed at the center over time would become invaluable assets.

There is no doubt that the center, from its first day, would be busy. For new legislation, it could help to write basic definitions. For disaster planning, it could classify and help to protect critical infrastructures. For law enforcement, it could teach computer forensics, and raise awareness vis-à-vis intellectual property and data privacy. For decision makers, it could interpret technical jargon.

One existing model for the center is the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, where multinational personnel engage in research and development, and offer training to both computer scientists and senior-level decision makers. Since its founding in 2008, CCDCOE has established an annual conference examining the nature of cyber conflict, created a hands-on cyber defense exercise (CDX) called “Locked Shields”, and published numerous legal studies such as the Tallinn Manual on the International Law Applicable to Cyber Warfare.

The new center’s overall goal should not be perfection, but a proactive, methodical reduction in the potential fallout from future cyber attacks. Information technology and cyber security are new disciplines in the world, and the exact formula for success has yet to be written. The countries of the Balkans can make a significant impact in this field, while simultaneously making investments in their economic development.


essay: Cyberspace as Battlespace

This content was presented as a Black Hat webcast on Oct 9, 2014.

Inflection point: mission creep

The Internet is still a baby. But the cyberspace around it – the effective connection between computers, computer networks, and humans – is already Planet Earth’s greatest technological achievement. Every aspect of human life is different: government, economy, society, and national security.

And this revolution is far from over. The current rate of technological innovation is so quick that no one – not even the National Security Agency – can keep up. Therefore, we must occasionally step back and consider whether the path we are on is an optimal path, or whether certain adjustments should (or even could) be made before it is too late.

There are many Internet-related problems to solve, but this essay is about the ongoing military invasion of cyberspace, and attempts to occupy strategic Internet terrain before the next war.

The ramifications are numerous:

  1. Hostile activities are taking place in peacetime.
  2. Human rights may be needlessly harmed.
  3. This dynamic may lead to eternal chaos on the Internet.

Internet era: the Golden Age of Espionage

First, let’s compare cyber war with cyber espionage.

Cyber espionage has existed for more than a generation. Foreign intelligence services leverage the ubiquity, vulnerability, and interconnectivity of computers – and they are probably still getting better at it every day. The best book on this topic remains The Cuckoo’s Egg, in which Cliff Stoll, a system administrator at the Lawrence Berkeley National Laboratory in California, traced a $0.75 accounting error all the way back to a German hacker working for the Soviet KGB.

Cyber espionage will be difficult to stop because foreign intelligence is targeted, classified, and (unfortunately) the most popular reading among senior government officials. At a technical level, cyber espionage is often undertaken by well-trained, state-sponsored hackers, which means they are hard to catch, and even harder to prosecute.

And within any given country, if what you are more worried about is the “Surveillance State”, I think it is true that law enforcement and counterintelligence will often overstep their bounds. Cops (like everyone else) are overwhelmed by changes in technology, and swimming in a sea of perplexing information. Law enforcement and counterintelligence are getting better at using information technology, but their current position vis-à-vis foreign intelligence hackers is today closer to the script of “No Country for Old Men” – they are usually outgunned.

Evolution not revolution

However, stealing information via computer networks was primarily a natural evolution of espionage. In the collection of foreign intelligence, there are few real constraints. Spy tradecraft includes concealed electronic devices, impersonation, front organizations, false flag operations, murder, and sex.

Every one of these activities has its cyber analog – with the possible exception of murder, but foreign intelligence will eventually perfect that method as well.

Espionage is a game of deception and theft. If and when technology – including computer hacking – can help a spy accomplish his or her mission, there are few inhibitions. A credible virtual front company is hard to create from scratch, but is faster and cheaper to build than the brick and mortar version.

One final note on cyber espionage: some prominent examples, including Moonlight Maze, the theft of nuclear weapons data, the loss of the F-35 blueprints, and many more, rise above the level of tactical loss – they are strategic data sets, and strategic national losses.

Distinction: espionage vs. attack

There is a crucial difference between cyber espionage (stealing information) and cyber warfare (altering data or data flows in support of a military mission). The former is (relatively) passive, while the latter is aggressive.

In the future, cyber attacks may be defined only by the limits of the attacker’s imagination. But for now, let’s divide cyber warfare into two primary types:

  1. Denial-of-service (DoS)
  2. Data modification

DoS is easily understood: either via traditional (e.g. bombs) or digital means, the attacker prevents a legitimate user or computer from accessing a targeted machine or network resource.

Data modification is more ambitious. The attacker aims for nothing short of altering “reality” – at least for a certain period of time. Bombs may appear to be falling when they are not – and vice versa.

If successful, cyber warfare can be both a technical wonder (i.e. a demonstration of elite hacker skills) and a philosophical wonder (i.e. the victim now has a false understanding of reality).

Cyber war: strategy and tactics

Cyber war is no different from any other kind of war. When the violence begins, it means that political and military leaders have decided to use force in an attempt to solve a national security problem. At that point, the goal is to win the conflict – all other considerations are secondary.

There will be an attempt to keep the attack parameters within the “Laws of War”, but that is easier said than done – just look at the pictures of Japanese and German cities after World War II. USAF Gen. Curtis LeMay, mastermind of the Tokyo fire bombing, and post-war Commander of U.S. Strategic Command, said: “I suppose if I had lost the war, I would have been tried as a war criminal … all war is immoral and if you let that bother you, you're not a good soldier.”

The use of digital weapons has many attractive features, including worldwide reach, lightning speed, extreme asymmetry, and potential anonymity. A computer hack is a versatile tool, and can be used to support any traditional war aim – the dissemination of propaganda, the interruption of logistics, the neutralization of weapons systems, and the destruction of critical infrastructure. Every one of us, from a rocket launcher to a cyber war skeptic, needs a reliable computer to properly perform our job.

The success of any given cyber operation may come down to timing and novelty. In certain scenarios, as soon as the war begins, the access points created for cyber espionage can be leveraged to support cyber war.

It is impossible to say how powerful a future cyber attack might be, and a cyber-only war could happen. The simple reason is that everything – including weapons, logistics, and command and control – is now dependent on computers and networks that are vulnerable to hostile takeover.

If there is a future war between major world powers, it is possible that the scale and novelty of the cyber operations could bring down the Internet entirely – perhaps even beyond the duration of the conflict.

Generally speaking, however, hacker tools and tactics play just one part in a larger, more complex conflict – similar to electronic warfare. This is normal; for example, the infantry only constitute about 15% of Army personnel. There are many ancillary jobs within any military that support its ultimate goal of “killing people” and “breaking things”.

Remember that nation-states will mix and match cyber and non-cyber tools and tactics. Further, there can be cyber vs. cyber operations, cyber vs. non-cyber, and non-cyber vs. cyber.

For a quick review of what the world’s cyber commands are currently saying about their own missions, please see yesterday’s blog: “World Cyber Commands: in their own words”.

Nation-state hacking

The difference between nation-state hackers – aka the “Advanced Persistent Threat” – and everyone else is money. Governments do not employ the smartest people, but they can afford an organizational, mission-focused, team-oriented approach to hacking that includes intelligence officers, linguists, engineers, and more. Such teams enjoy good training, vacations, and retirement plans. If an employee is sick or takes a new job, another person will take his or her seat.

By comparison, cyber defense is an immature discipline; investigations are painstaking and typically inconclusive. Investigators normally have only a few clues to go on, which are insufficient to understand the strategic scope, capabilities, and intentions of the attacker. By the time many intrusions are discovered, the hackers have long since moved on to other targets. And due to jurisdictional boundaries and the “attribution problem”, many attackers operate from an effective safe haven.

In short, against even a good network security team on defense, this is not a fair fight.

Strategic cyber defense

Every nation has a layered defense.

First, organizations have their own network security personnel. However, no matter how intelligent and capable they are, it will be tough to resist a targeted attack by a foreign military.

Second, there is law enforcement, with guns and badges, and the authority to arrest and prosecute. But cyberspace is a global domain, and this group lacks jurisdiction over foreign Internet Protocol (IP) space.

Third, counterintelligence (CI). This is a potential sweet spot in national cyber defense, as CI examines both internal and external threats. Still, CI lacks legal jurisdiction overseas, and foreign intelligence usually outpaces this group with superior tools and tactics.

Given the collective limitations of these groups, world leaders may decide to give the responsibility for protecting their national IP space to militaries. After all, if enemy planes or tanks cross the border, the military would fight them. So if a military attacks another nation’s public infrastructure (or even its private sector) with cyber attacks, who should take the lead on defense?

Different countries have different political philosophies, and different concepts of what is public and what is private. There are likely to be as many perspectives as there are nations. This debate is currently underway in Israel, with Prime Minister Netanyahu personally involved.

Militarization of the Net: ramifications

No president or general wants to explain how he or she lost a war due to poor planning or lack of preparation. Therefore, national leaders may give intelligence agencies and military units considerable freedom to prepare for the cyber wars of the future.

Their focus – both for offense and defense – will begin with the “hard targets”: leadership communications, intelligence agencies, and weapons systems. Over time, more attention will be given to the “soft underbelly” of a nation – public critical infrastructure.

From an attacker’s perspective, undermining the security of such targets requires an APT-level effort, and months if not years of painstaking subversion. On defense, protecting the computers and networks of large enterprises is also a full-time job.

The dilemma for national security planners is that if they wait until a national security crisis actually takes place, it may be too late – either to attack the enemy or to protect the homeland. The trouble is that both of these endeavors will take place in peacetime, and may come at a high cost in terms of data privacy and personal freedom.

This troubling dynamic raises the following question: how much of the Internet is already occupied military ground?

I recently conducted an analysis of 18 months’ worth of FireEye data, which included 30 million malware callbacks to 208 country code top-level domains. Our most interesting finding was the discovery of a sharp rise in callbacks to three countries – Russia, Ukraine, and Israel – during the months they were engaged in war. The simple explanation, in my opinion, is that computer network operations are now an essential part of modern intelligence collection and military operations – and with a strategic data set to analyze, such operations can be hard to hide.
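To make the kind of analysis described above concrete, here is an added example; it is my illustration, not the author's or FireEye's code, and it uses no FireEye data. It aggregates constructed callback records by month and destination country code, then flags any month in which a country's callback count reaches at least twice the median of its own preceding months. The record layout, the country codes "aa" and "bb", the three-month minimum history and the 2x threshold are all assumptions made for the example.

```python
# Added illustration (not the author's FireEye analysis): aggregate malware
# callback records by month and destination country, then flag months where a
# country's callback count jumps well above its own recent baseline.
from collections import defaultdict
from statistics import median

# Constructed sample records: (ISO date, ccTLD of the callback destination).
# Country codes and counts here are invented for the example; "aa" has a
# quiet baseline and then a spike in April, "bb" stays flat.
SAMPLE_CALLBACKS = (
    [("2014-01-%02d" % (d + 1), "aa") for d in range(10)]
    + [("2014-02-%02d" % (d + 1), "aa") for d in range(12)]
    + [("2014-03-%02d" % (d + 1), "aa") for d in range(9)]
    + [("2014-04-%02d" % (d + 1), "aa") for d in range(30)]  # spike month
    + [("2014-01-%02d" % (d + 1), "bb") for d in range(20)]
    + [("2014-02-%02d" % (d + 1), "bb") for d in range(22)]
    + [("2014-03-%02d" % (d + 1), "bb") for d in range(19)]
    + [("2014-04-%02d" % (d + 1), "bb") for d in range(21)]
)


def count_by_month(records):
    """Return {country: {"YYYY-MM": count}} from (date, country) records.

    Months with no callbacks for a country simply do not appear; a real
    pipeline would zero-fill them so that silence is visible too.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for date, country in records:
        counts[country][date[:7]] += 1
    return counts


def flag_spikes(counts, min_history=3, ratio=2.0):
    """Flag (country, month, count, baseline) for each month whose count is at
    least `ratio` times the median of that country's preceding months.

    Months are processed in chronological order; the first `min_history`
    months per country only seed the baseline and are never flagged, which
    keeps a single noisy first month from triggering on its own.
    """
    flagged = []
    for country, by_month in counts.items():
        months = sorted(by_month)
        for i, month in enumerate(months):
            if i < min_history:
                continue
            baseline = median([by_month[m] for m in months[:i]])
            if baseline > 0 and by_month[month] >= ratio * baseline:
                flagged.append((country, month, by_month[month], baseline))
    return flagged


if __name__ == "__main__":
    for country, month, count, baseline in flag_spikes(count_by_month(SAMPLE_CALLBACKS)):
        print(f"{country}: {count} callbacks in {month} vs. baseline {baseline}")
```

The median baseline is a deliberate choice: a mean would be dragged upward by the spike itself once it enters the history, and by any earlier outlier. In practice one would also normalise by total callback volume and sensor coverage per month, because a rise in one country's share is more telling than a rise in raw counts when the whole data set grows.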

Conclusion: the future

There is only one Internet, and we need to be able to trust it. However, the existence of only one Internet means that there is only one cyber battlefield. The same, vulnerable IT infrastructure is used to manage libraries, private companies, frontline troops, public critical infrastructure, and our personal lives. Today, students, spies, and soldiers all live and work in the same IP space.

By the way, this state of affairs not only allows governments to spy on students, but students to spy on governments; students can write academic papers about real cyber espionage, and real cyber war. :)

As we can see from current events in the Middle East and Former Soviet Union, nations still wage wars. Therefore, their militaries will prepare today for the wars of tomorrow. 

For the foreseeable future, traditional military might is still the ultimate defense of any country – but over time, computer network operations will play an increasing role in war. And some of the preparations for cyber war will include the peacetime occupation of strategic terrain on the Internet.

This militarization of the Internet – in peacetime – has significant ramifications for international cyber security, in part because the future is hard to predict, including the next national security crisis. It will be hard to avoid abuses of data privacy and human rights – which may be considered justifiable “friendly fire”.

The need to strengthen global cyber security against this emerging threat is clear, but it will take time. Cyber security is a broad concept, and encompasses both tactical and strategic considerations.

Investment must begin at the tactical, technical level. The most important thing is to train more people in the science – and art – of information security.

Investment must continue at the strategic level. Traditional security concepts like deterrence, arms control, and proportionality in response are challenged by cyber-specific idiosyncrasies, including attribution, asymmetry, code inspection, and even basic definitions of what constitutes an attack.

Fundamentally, cyberspace is an international domain, so having traditional geopolitical allies is critical. In this light, I think the best places to look for improvement in international cyber security are in the European Union and in the North Atlantic Treaty Organization (NATO) – as they are the strongest political and military alliances in the world.

For our common future ... government, the private sector, and individual citizens must work together in a mature way, based on the rule of law. But unfortunately, the world is filled with immature political systems.

Governments will never willingly disallow law enforcement, counterintelligence, foreign intelligence, and militaries the best tools to do their jobs. However, all of these organizations will make mistakes, overstep their bounds, and abuse the rights of citizens. Depending on the country, this could happen thousands of times – every day.

I believe the most important thing for strategic cyber security is to strengthen transparency and accountability in governments worldwide. And it is the Internet itself that provides us with the best mechanism to do this. That is why we must resist unreasonable government oversight – and the unnecessary militarization – of the Net.

Stoll, C. (1989) The Cuckoo’s Egg, Doubleday.
“Curtis LeMay”, Wikiquote.
Molinaro, K. (15 Sep 2010) “Infantry leaders sharpen training tactics to meet battlefield demands”, The Bayonet.
Ravid, B. (21 Sep 2014) “Battle move in Israel's cyber turf war: Shin Bet loses authority over ‘civilian space’”, Haaretz.

World Cyber Commands: in their own words

Let’s have a quick look around the world, to see how various militaries are currently explaining their perspectives on "cyber war". 

I will try to point out some key phrases from each website or article.

United States

“U.S. Cyber Command”, U.S. Strategic Command

  • “conduct full spectrum military cyberspace operations”
  • “ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries”
  • “support to combatant commanders for execution of their missions around the world”

United Kingdom

  • “dedicated capability to counter-attack in cyberspace”
  • “if necessary, to strike in cyberspace”


  • “Strategic priority for national sovereignty”
  • “cyber defense is the future of defense in a virtual environment without borders”
  • “Today, every military operation has a cyber component”
  • “the same as earth, sea, air, and space”
  • “cyber defense rests at the highest level of decision-making in the Ministry of Defense”


“IDF in cyber space: Intelligence gathering and clandestine operations”, Israel Defense Forces

  • “a platform to improve operational effectiveness”
  • “relentlessly operating in the field”
  • “thwarting and disrupting enemy projects”
  • “at all fronts and in every kind of conflict”
  • “used to maintain Israel’s quality and advantage over its enemies”
  • “prevent their growth and military capabilities”
  • “influence public opinion”
  • “advocating in the cyber space”
  • “both during war and peace time”
  • “clandestine activity”


“Iran to launch first cyber command”, Press TV (15 Jun 2011)

  • “establish its first cyber command”
  • “to counter ‘soft warfare’”


Petrova, Anastasia. “Russia to get cyber troops” (16 Jul 2013) Vzglyad (Source: Russia Beyond the Headlines)

  • “Putin believes that the “firepower” of information attacks could be higher than that of conventional weapons”
  • “monitoring and processing information coming from the outside”
  • “A cyber war is already on”
  • “delivering counter strikes if needed”
  • “second in importance only to nuclear arms”

Petrova, Anastasia. “Russia to get cyber troops” (16 Jul 2013) Vzglyad (Source: Russia Beyond the Headlines)

  • “Cyber weapons are widely used in military conflicts”
  • “Israel leads the way in this area … American protection ranks second”



“China: U.S. hacking report groundless”, China Military Online (22 Sep 2014)