Defensive coordination. The final
component of an effective cyberwarfare defense is coordination. Knowing that one is under attack is an intelligence function. Identifying and
characterizing the attack is a forensic
analytical function. Communicating
this information to the ISPs that can
mitigate the attack is a communications function. These functions are
most often coordinated by a computer
emergency response team (CERT), sometimes called a CIRT (computer
incident response team). A CERT is the
glue that holds a defense together, providing expertise, analytical facilities,
and open lines of communication between the many organizations that are
party to the defense or have some stake
in its success.
CERTs provide training and preparedness workshops, maintain and
exercise contact lists, and observe
trends and find patterns in online
criminal, military, and espionage activity. When a country is under attack,
CERTs help individual organizations
identify which portions of the attack
are directed against them specifically,
as opposed to those whose effects they are merely feeling incidentally. CERTs
provide the expertise to help those organizations with the very specialized
tasks of discerning attack traffic from
legitimate traffic and developing filters
that will block the attack while protecting their ability to conduct business.
CERTs will then communicate those
filters up the path of ISPs toward the attackers, blocking the malicious traffic
at each step, pushing the boundary of
the cleaned network away from the victims and toward the attackers.
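The two specialized tasks just described, telling attack traffic apart from legitimate traffic and turning the result into filters that can be handed up the ISP path, are sketched below as an added Python illustration. This is not the article's code and does not describe any particular CERT's tooling; the flow records, the victim address, the 20x-median threshold and the /24 aggregation rule are all constructed assumptions chosen to make the example run offline. The hypothetical functions flag sources whose volume toward the victim is far above the per-source median, then collapse them into prefix-level deny rules only where no legitimate client would be caught, falling back to host rules otherwise, which is the "block the attack while protecting their ability to conduct business" trade-off the text refers to.

```python
"""Added illustration: triage of a flooding attack from flow records.

Not the article's code; a hypothetical sketch of the analytical step a CERT
performs when separating attack traffic from legitimate traffic and turning
the result into filters an upstream ISP can apply.
"""
import ipaddress
from collections import defaultdict
from statistics import median

VICTIM = "192.0.2.10"  # constructed victim address (RFC 5737 documentation range)

# Constructed flow records: (source, destination, packets seen in one sampling
# window). Twenty ordinary clients in 203.0.113.0/24 send a few packets each;
# five hosts in 198.51.100.0/24 and one host in 203.0.113.0/24 flood the victim.
SAMPLE_FLOWS = [(f"203.0.113.{50 + i}", VICTIM, 5 + i % 10) for i in range(20)]
SAMPLE_FLOWS += [
    ("203.0.113.55", VICTIM, 6),           # second flow from a legitimate client
    ("203.0.113.50", "192.0.2.20", 3000),  # heavy traffic to another host: ignored
    ("198.51.100.1", VICTIM, 4800),
    ("198.51.100.2", VICTIM, 5100),
    ("198.51.100.3", VICTIM, 4650),
    ("198.51.100.4", VICTIM, 5200),
    ("198.51.100.5", VICTIM, 4900),
    ("203.0.113.9", VICTIM, 6100),         # lone attacker among legitimate clients
]


def packets_per_source(flows, victim):
    """Total packets each source sent to the victim; other destinations are ignored."""
    totals = defaultdict(int)
    for src, dst, pkts in flows:
        if dst == victim:
            totals[src] += pkts
    return dict(totals)


def flag_attack_sources(totals, factor=20):
    """Sources sending more than `factor` times the median per-source volume.

    The median is used as the baseline because it is not dragged upward by the
    attackers themselves, as long as legitimate clients still outnumber them.
    (`factor` is an assumed tuning knob, not a value from the article.)
    """
    if not totals:
        return set()
    baseline = median(totals.values())
    return {src for src, pkts in totals.items() if pkts > factor * baseline}


def build_filter(totals, flagged, prefixlen=24, min_hosts=3):
    """Turn flagged sources into deny rules suitable for handing upstream.

    A whole prefix is denied only when at least `min_hosts` flagged sources sit
    in it and no legitimate client does; otherwise host rules are emitted so the
    filter blocks the attack without cutting off legitimate customers.
    """
    by_prefix = defaultdict(lambda: {"bad": set(), "good": set()})
    for src in totals:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        by_prefix[net]["bad" if src in flagged else "good"].add(src)
    rules = []
    for net, hosts in by_prefix.items():
        if not hosts["bad"]:
            continue
        if hosts["good"] or len(hosts["bad"]) < min_hosts:
            rules.extend(f"deny {h}/32" for h in sorted(hosts["bad"], key=ipaddress.ip_address))
        else:
            rules.append(f"deny {net}")
    return sorted(rules)


def triage(flows=SAMPLE_FLOWS, victim=VICTIM):
    """End-to-end: flows -> per-source totals -> flagged sources -> filter rules."""
    totals = packets_per_source(flows, victim)
    flagged = flag_attack_sources(totals)
    return flagged, build_filter(totals, flagged)


if __name__ == "__main__":
    flagged, rules = triage()
    print("attack sources:", sorted(flagged, key=ipaddress.ip_address))
    print("\n".join(rules))
```

On the constructed data this yields one prefix rule for 198.51.100.0/24, where every observed host is hostile, and one host rule for 203.0.113.9, because the rest of that /24 is ordinary customers. The rules are deliberately expressed at prefix granularity where possible: that is the form an upstream ISP can apply in a router ACL or blackhole announcement, which is what "communicating those filters up the path of ISPs" amounts to in practice.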
Georgia
A little more than a year after the Estonian incident, Georgia was subjected
to cyber attacks in conjunction with
the Russian incursion into South Ossetia in August 2008. This more complex attack combined Georgian targets
with domestic media outlets that were
perceived to be reporting news from a
Georgian perspective.
Much of what had worked well in
the case of Estonia did not in the Georgia attack. Relative to Estonia, Georgia
suffered from two crippling deficiencies. First, Georgian international connectivity was far more limited, and hence more
vulnerable: most of its international
links ran through Russian territory.
Second, unlike Estonia, Georgia had no
IXPs. As with Estonia, Georgia lacked
a DNS root server, but that mattered little,
since its limited infrastructure was easily overwhelmed in any case.
Given the relatively modest infrastructure and comparative lack of
e-commerce to be affected (and all
dwarfed in significance by an actual
shooting war), it may be more difficult to extract lessons from Georgia’s
experience than from Estonia’s. One
noteworthy issue in the case of Georgia, however, was the number of offers made by governments and corporations to “mirror” Georgian Web
content. If the Georgian government
desired to reach a non-Georgian audience for sympathy and support, then
distributing that message to parties
outside Georgia and in regions of the
Internet far less amenable to denial-of-service attacks would be a worthwhile
strategy.
Why cyberwar?
The mere fact that significant conversation is still occurring more than
three years after the attacks on Estonia
indicates that even if the destructive
impact was minimal, the overall information warfare effect was significant.
The return on a very small investment
was disproportionately high; these
margins suggest that cyberwarfare
techniques will continue to be applied
until they become considerably more
expensive or less noticed.
It is worth understanding what was
successful about the attack and what
was successful about the defense.
Viewed in the large, the Chinese cyberwarfare doctrine upon which the
attacks were patterned states that one
of the principal goals of an attack is to
dispirit an adversary’s civilian population, reduce their productivity, and
cause them to withdraw economic,
and eventually moral, support from
their country’s engagement in the
conflict. This was not the SCADA attack—an attack on the cyber aspects
of physical systems, with the intent
to cripple the latter—that is so often
warned of in the U.S. (SCADA, for supervisory control and data acquisition, is a catchall label for the various
systems used to manage industrial