One of the areas to be prioritised in the UK’s SDSR was cybersecurity — now identified as a growing domain for espionage, crime and defence. NEIL ROBINSON, senior analyst, RAND Europe, provides a guide to the threat from the cyber-realm, which reaches across government to defence and aerospace companies, airlines and air forces.
This is a full article published in Aerospace International: August 2011
Just how at risk are we from cyberwar and cyberterrorism? Recent instances of cyber-attacks against critical national infrastructure and well-known aerospace and defence companies point to a perception of an exponentially increasing problem. The pervasive nature of cyberspace, embedded in our everyday lives, has become a necessary consideration in any discussion about military operations, national security or economic and social wellbeing. The use of the Internet by airlines for ticketing and booking, the provision of Internet access in the sky, and the deployment of interconnected networks for route planning, air traffic control, navigation and safety are some examples of how we depend on cyberspace technologies and the Internet in civil aviation. From the military perspective, just as strategic bombing was seen as a unique capability of airpower many decades ago, so cyberwar is being promoted by generals and strategists: the very epitome of Sun Tzu’s dictum that ‘to subdue the enemy without fighting is the acme of skill’.
Despite a number of years debating these issues, no-one seems to agree exactly whether, and which types of, cyber-attacks should be treated as a military concern. Furthermore, the latest spate of high-profile incidents has garnered some very high-profile attention. Prime Ministers, Presidents and CEOs all have an eye on cyber-security now that stories abound, from organised criminal gangs stealing credit card numbers to the covert world of state-sponsored intelligence agencies: all things cyber are now a ‘cause célèbre’.
Types of attacks
But before we reach for the ‘cyber Pearl Harbor’ analogies used to draw attention to this topic, it is worth trying to establish clearly just what these different attacks were about.
Some are aimed at what is known as the critical infrastructure (CI), of which aviation forms a part. CI is generally regarded as comprising those infrastructures upon which the economic and social well-being of a nation depends. It is commonly understood to span several different sectors: transportation, energy, healthcare, defence and so on. Since many companies now depend on computer technology and the Internet to run their businesses, cyberspace is an underlying component common to all of them. The case of Stuxnet is illustrative in this regard. Although the jury is still out on who was behind Stuxnet, some have suggested that it was the work of a team of six to eight people over several months.
Some forms of cyber-attack have affected defence and aerospace companies, such as Lockheed Martin. The US defence contractor recently revealed it had been the subject of a ‘significant and tenacious’ cyber-attack, supposedly perpetrated via a vulnerability in the RSA SecurID ‘two-factor’ authentication system used by employees to gain access to the corporate network. Whether this was an attempt to steal sensitive data relating to defence systems, such as the F-22, is still unknown.
Governments, too, have been high-profile targets: the US Department of Defense, the Ministry of Defence and Treasury in the UK, the French Finance Ministry and the World Bank are all notable examples. The DoD has been a favourite cyberspace target for decades — for example in 1998, when the ‘Solar Sunrise’ series of computer attacks was launched against the DoD classified computer network. They were supposedly performed by two hackers in the United States and one in Israel. In early 2011 UK Secretary of State for Defence Dr Liam Fox reported that the Ministry of Defence was subject to ‘significant and intense’ forms of cyber-attack on a daily basis. He said that Britain was now in contact with an invisible enemy and that last year the MoD had detected and disrupted more than 1,000 potentially serious attempts to breach its computer systems. Dr Fox indicated that criminals, foreign intelligence services and others were likely to be behind the attacks. The World Bank recently closed down its computer network connection to the International Monetary Fund (IMF) over concerns that computer systems in the IMF had been breached. Finally, in early 2011 it was reported that the US Federal Aviation Administration (FAA) had been attacked, with sensitive personal data of present and past employees at risk. The FAA commented that at no time were any air traffic control networks at risk.
Other attacks are targeted toward personal data, the ‘lifeblood’ of the Internet economy. In April 2011 Sony’s PlayStation Network was attacked and the personal information of its users was stolen. It is believed to be the largest data loss so far, with over 77m accounts compromised. In what might be considered an example of cybercriminals switching their attention to another vulnerable target following the disclosure, the Sony Online Entertainment network was subsequently attacked, affecting 24m customer records.
Cyberwar: reality check? – Preparing for virtual war (Aerospace International, August 2011, p 26)
What is at stake with these incidents? Experts commonly suggest that different motives exist behind these types of attack. The Stuxnet worm, perhaps, is one of the foremost (although not the first) examples of an attack against CI, and it has many people in government worried. This is because it represents an important ‘proof of concept’. By spreading via the control systems used in the Iranian Natanz nuclear facility, received wisdom is that it played a role in the centrifuges spinning out of control, degrading the capability of the Iranian nuclear programme. Since cyberspace pervades other critical infrastructures (such as defence and transportation) too, experts point out that it may not be too long before the same type of attack is tried out elsewhere. The more extreme proponents of this theory paint doomsday scenarios about aircraft falling out of the sky or crashing into one another due to corrupt or modified information being digitally secreted into navigation data, or via the remote manipulation of ATC systems. These kinds of attacks may be the preserve of nation states with almost unlimited time and resources to painstakingly carry out cyber-espionage, identify vulnerabilities (which may be logical or, more commonly, associated with human behaviour) and carefully execute any operation, covertly leaving malicious code to cause havoc. The reason commonly given for why only nation states would be able to do this is simple. Unlike the average home broadband connection or WiFi network, the systems that control major infrastructures (known as SCADA, for Supervisory Control and Data Acquisition) are usually not connected directly to the Internet, have complex and unique setups which require extensive reconnaissance, and may even be completely air-gapped (that is to say, unconnected) from other, more vulnerable computer systems.
Indeed, you could argue that the attack vector of Stuxnet was not via cyberspace but rather more biological: Stuxnet, while a highly sophisticated computer program, apparently entered the Iranian nuclear computer systems via a USB stick inserted by an operative in the facility. If the Iranian nuclear programme had had better employee training in place (no unauthorised USB sticks permitted in the facility, for example) then no-one would have heard of Stuxnet.
In 2008, Conficker was also an interesting case in point: it was widely regarded as one of the most effective instances of malicious code or ‘malware’ developed. In 2009 it hit the French Navy, infecting planning and control systems (not avionics) used to prepare flight plans for aircraft such as the Rafale. It also apparently hit the Royal Air Force and Royal Navy. However, unlike Stuxnet, it was not possible to discern whether air forces were specifically targeted: analysts reported that the possible intention of Conficker was to copy financial information, rather than degrade or destroy infrastructures, and that its presence on French unclassified networks was, like Stuxnet, the result of an individual inadvertently plugging a USB stick carrying the code into a military computer system.
What about the attacks against aerospace and defence contractors? These types of attack are also potentially serious, but they are not necessarily unique to aerospace and defence. It appears that attempts to break into defence contractors may well be motivated by more obvious objectives — either industrial espionage (one company trying to steal business secrets from another) or, perhaps more seriously, foreign intelligence espionage, where a state-sponsored cyber-attack attempts to copy classified data regarding weapon systems and programmes. In February of this year, the UK Foreign Secretary William Hague announced that in 2009 a defence contractor was sent a malicious email posing as a report regarding Trident from someone claiming to be from another defence firm. Ostensibly the purpose of this was to copy information relating to sensitive defence programmes. In early January 2010 the Washington Post reported that the computer attacks on Google, which experts thought originated in China, were part of a ‘concerted political and corporate espionage effort.’ In total, according to reports, 34 companies were targeted through exploits in email attachments. Companies included those in the US defence industrial base, such as Northrop Grumman, as well as hi-tech companies like Symantec. The use of cyberspace to attempt to copy sensitive information relating to classified weapons programmes is obviously of some concern given its national security implications. In 2008 a US congressional panel noted that ten of the top US defence contractors, including Northrop Grumman, Boeing and Raytheon, had been subject to instances of cyber-espionage. From an economic perspective, in the UK, Detica released a report on behalf of the Office of Cyber-Security and Information Assurance which claimed that the cost of cybercrime to the UK (estimated by them as largely composed of theft of industrial intellectual property) amounted to £27bn per year.
The first cyberwar
Finally, other forms of cyber-attack may be directed against nation states. For example, the attacks against Estonia in 2007 and Georgia in 2008 have been identified as the first ‘true’ instances of ‘cyber-war’. The Estonian ‘cyber-war’ was instructive because of the high level of connectivity in the country. These attacks, conducted via ‘bot-nets’ (and allegedly state-sponsored by the Russian Federation), resulted in government computer systems and banks being taken offline for a limited period. Estonia also at one point had to shut down external traffic into the country, effectively rendering it offline from the Internet. Other examples include the web defacements that occurred following the mid-air collision between a US P-3C Orion electronic warfare plane and a Chinese fighter in 2001. Hackers from both China and the United States began to deface various websites in protest at the incident.
Governments and the private sector have reacted to this dynamic landscape of cyber(in)security by creating new policies and programmes, developing new military capabilities and investing heavily in defensive technical initiatives.
As far back as 2000, the Taiwanese Defence Minister Wu Shih-wen revealed that a battalion-sized military unit responsible for cyber-war would be developed in his country. China has been reportedly building this capability for some time and in 2008 NATO opened its Centre of Excellence for Cyber-Defence in Tallinn after the well-publicised attacks against Estonia. In early 2009 Germany’s Strategic Reconnaissance Command established its own cyber-war unit near Bonn. Sweden has also worried about how to defend against such attacks according to a 2008 report by the Swedish Emergency Management Agency.
In the US, Cyber Command (USCYBERCOM) recently achieved Initial Operating Capability. USCYBERCOM is an operational combatant command with the job of war-fighting in cyberspace. USCYBERCOM aims to unite network defence activities across the US DoD. It is a sub-unified command subordinate to US Strategic Command and includes service elements from the Army, 24th USAF, Fleet and Marine Forces. USCYBERCOM aims to take a role in directing the operations and defence of specified Department of Defense information networks as well as preparing for ‘full spectrum military cyber-space operations’, ensuring US/allied freedom of action while denying the same to adversaries. In late June of this year, President Obama announced new policy guidance on rules for cyberwarfare that have, according to reports, been in preparation for two years. These rules elaborate just how far military commanders may go in deploying cyber-attacks against adversaries. Reports are that the guidance in the Executive Order (not yet released) permits the blocking of cyber-intrusions and action to shut down servers in other countries. In addition, the reconnaissance of adversary networks through remote network mapping, in order to understand the layout of adversary computer networks, is permitted.
The UK, meanwhile, has announced a significant cross-government cyberspace security initiative, creating the Office of Cyber-Security (OCS), part of the Cabinet Office, and the Cyber Security Operations Centre (CSOC) based in Cheltenham. The MoD is heavily involved in this initiative and the work of the OCS. In addition, it may be assumed that guidelines of the sort recently announced by President Obama are also being discussed in Whitehall. Cyber-security was one of the rare things to be assigned more resources in the recent SDSR: the UK Government’s programme will cost £650m over four years. This will support the implementation of the ambitious National Cybersecurity Strategy, released in 2009, which set a stake in the ground for efforts to address the problem. In addition, another cross-government co-ordination function, the Centre for the Protection of the National Infrastructure (CPNI), aims to address physical, cyber and insider threats to critical infrastructures such as transport networks.
Both NATO and the European Union (EU) have been grappling with the international aspects of these issues for some time. In its Lisbon Summit Declaration and the New Strategic Concept, cyber-attacks are accorded growing prominence by NATO, requiring more effort to protect NATO’s information and communications networks. In June 2011 a new policy on cyber-defence was approved which sets out a co-ordinated vision for cyber-defence across the Alliance, focused on prevention and building resilience. Cyber-defence will be integrated into NATO’s Defence Planning Process (meaning it will have the same attention as other military aspects). Crucially, the new Action Plan details how NATO might assist, upon request, with enabling activities (such as information sharing) regarding Allied cyber-defence efforts.
The private sector
As an estimated 80-90% of critical infrastructures are in private hands, providing for cyber-defence is not purely a military matter. At the European level, the European Network and Information Security Agency (ENISA), part of the EU, supports private sector efforts to increase the resilience of cyberspace. It has been operational for several years now, and has a programme of work relating to resilience, sharing best practice among private-sector organisations on how to better protect computer networks. In addition, the European Programme for Critical Infrastructure Protection (EPCIP) covers measures to address the resilience of CI (such as transportation networks) designated as European Critical Infrastructure (ECI). EPCIP identifies the following ECI sectors as being critical in a pan-European context (that is to say, a failure of one in a Member State would have a knock-on effect upon others): energy, nuclear industry, information/communication technologies (ICT), water, food, health, financial, transport, chemical industry, space and research facilities.
At the UN, there have been ongoing discussions for some years now about an international cyber-arms treaty, similar to the Chemical Weapons Convention (CWC), that would prohibit via international law the use of certain types of cyber-weapon by nation-states. Along this theme, at the 47th Munich security conference held in February, British Foreign Secretary William Hague announced that the UK would play host to a major international conference in London later in 2011 on ‘norms in cyberspace’, aimed at articulating a more structured and comprehensive dialogue (among the 30 or so international organisations currently debating this topic) about what constitutes acceptable standards for how countries should act in cyberspace. President Obama also recently announced the US International Strategy to Secure Cyberspace, and in May a joint US-UK communiqué was published in which President Obama and the Prime Minister re-affirmed their close bilateral co-operation as well as charting new steps forward on a number of cybersecurity issues.
Industry, too, has been investigating ways to address these threats. Aside from the ongoing research into cyberspace security conducted by the academic, technical and research communities (for example, into securing the Domain Name System or developing new cryptographic protocols) there have been new private sector initiatives more squarely in the domain of ‘cyberwar’. For example, in October 2010, Northrop Grumman in the UK opened a cybersecurity test range at its Fareham facility. The range is to be used to test large complex networks and simulate attacks against infrastructure. The facility can inter-operate with others around the world to create large-scale simulated environments to test the latest vulnerabilities and exploits. In the US, the Defense Industrial Base (DIB) Collaborative Information Sharing initiative was established so that defence contractors can share operational information about intrusions on corporate networks in a trusted environment. In the UK, Information Exchanges (IE) have been set up which involve private sector players from the transportation and SCADA communities to share information on threats, vulnerabilities and best practices. Other corporate efforts are aimed at improving technical or managerial level responses to cybersecurity: for example, Detica in the UK supports the work of UK intelligence and law enforcement communities in addressing problems in cyber-space.
There is currently a great deal of investment, time and attention being accorded to cybersecurity and cyber-attacks. Unfortunately, as with many things relating to security (such as airport screening measures), it is not a simple question of government passing a law or regulation to make the problem go away. Achieving good cyber-security requires concerted action by public and private sectors and by end-users: for example, many of the bot-nets used to perpetrate these types of attack exist because of poorly secured home broadband connections. The fact that responsibility for properly addressing these cyber-security issues sits across national governments, intelligence agencies, the military, private sector (both as users of cyberspace, like airlines but also providers of Internet and telecommunications infrastructure) and consumers makes improving matters a highly complex task. A combination of laws, incentives to firms and user education and training are often seen as the best mix.
International and national law may be used both to deter and to prosecute cyber-attackers, economic incentives may be used to help the private sector improve its own levels of cyber-security, and training and education of end-users can help to reduce the opportunity for such attacks to take place. As if that wasn’t a complex enough challenge, the fact that cyber-attacks can (by definition) cross national boundaries requires a concerted international effort: those responsible for cyber-attacks, whether they be criminals or foreign governments, take advantage of the varying standards of cyber-defence to route their attacks through a weak spot. Often these are countries with no law concerning cyber-attack, for example, or where the hand of the international community cannot reach. Improving the international aspects may be the most fruitful avenue for truly dealing with the adverse implications of economic and social reliance upon cyberspace and all the benefits it brings.