PREEMPTIVE STRIKE on CYBER SPACE: ACTIVE DEFENSE

1st Lt. Fatih AKSOY1

Abstract

As an important power factor, electronic and cyber warfare instruments are becoming more and more integrated with existing weapon systems. International conflict is expected to intensify in cyber space, so information systems will be an integral part of national and international security. Cyber, as the new war domain, differs from the other war domains. The most basic characteristic of cyber-attacks is their asymmetry: in other words, large effects can be achieved with little effort. In war domains other than cyber, sophisticated and expensive weapon systems are needed to dominate the adversary. In cyber, however, a cyber-weapon developed by a few cyber experts with few resources could interrupt the logistics activity and fire support of armies; target detection systems and mission computers might be rendered nonfunctional, and ongoing orders might be altered by a cyber-attack on military systems. A cyber-attack on a communication system affects all of its users at all levels. A country could surrender without any struggle as a result of cyber-attacks on critical infrastructure such as SCADA (Supervisory Control and Data Acquisition) systems. Beyond all the damage it can inflict, cyber-attack capability is relatively low in cost, yet this capability defines a country's virtual war provision and operational advantage. Faster processors, high-sensitivity image sensing systems, strong password crackers, frequency mixers, and the design and production of high-security communication satellites define the cyber war capabilities and operational advantages of countries. In wartime, considering the cost of establishing a front line and the loss of human life, creating a virtual front line by electronic attack under the concept of self-defense is a strategy that is superior in many respects. A physical response to the attacks of virtual armies is like fighting windmills; in a word, a virtual attack requires a virtual response.

In this study, the development of the electronic environment, increasing dependence on cyber space, information security and cost issues, the definition of cyber security, critical infrastructures, the tools and objectives of cyber threats, viruses, SCADA systems, state-sponsored cyber-attacks, the cyber security policies implemented around the world, and the issue of active defense are considered as elements of a solution domain, and cyber defense policies are analyzed.

Keywords: Information security, Cyber space, Cyber security, Viruses, Active defense, SCADA systems, Cyber security policies.

1. Development of Cyber Space

1 1st Lt. Fatih AKSOY, Turkish Air War College, İstanbul, Türkiye.


Weapon systems are developed, armies transform, and countries need innovation in attack and defense systems. Technological development, the evolution of weapon systems and the fundamental transformation of armies require countries to regenerate their defense and attack systems. In the current digital world there is an unprecedented rise in the number of internet users: the number of internet users in the world is 2.27 billion, an increase of 1.15 billion, which nearly doubled the number of users by 2012. In Turkey, the number of internet users is 30 million, and Turkey ranks 3rd in the world with 33.5 hours of internet usage per week.2 All work and operations have been transferred to the electronic environment: every day there are 144 billion e-mails, 634 million domain names, 9.2 billion internet pages, 1.6 billion images and 50 million audio-video files, and vitally important personal, corporate and national information exists as electronic data.3 According to the European Commission Digital Agenda Report of 18 June 2012, by 2015 it is expected that 50% of the EU population will shop online, 20% of that population will shop cross-border, 33% of small and medium-sized enterprises (SMEs) in the EU will shop online, and 50% of EU citizens will use e-government applications. 90% of operations in the EU are expected to require a certain level of digital literacy.

2. Cyber Security

Cyber security covers the policies, security concepts, security assurances, guidelines, risk management approaches, activities, training, best practices, secure access to technologies, and the privacy and identity verification of institutions, organizations and users. Today, Facebook has over 1 billion users and a value of over 100 billion dollars. On the other hand, Facebook is the focus of conspiracy theories concerning security problems, the capture of personal data and active cooperation with intelligence services. Since its establishment, 140.5 billion friend connections have been made and 219 billion photos have been shared.4 People, institutions and governments are becoming vulnerable as a result of increased dependence on cyberspace. As for the capabilities of a cyber-attack, it can cause power outages and disrupt communication and transportation. A cyber-attack can take generators out of service for several months and open dam gates. Furthermore, the operations of the police, the fire department and hospitals can be blocked, government agencies can be deactivated, and planes, tanks and ships can be destroyed. Figure-1 shows the results of these cyber threats, which are much greater than the anticipated effect. 100 billion dollars are spent to develop a warplane with stealth technology, and 10 billion dollars for a nuclear submarine. Globally, no country has these technologies except the USA, China and Russia. In contrast, the cost of a cyber warfare strategy and program applied to military targets will be much less. In the near future, NATO members plan to come together for cyber defense. Some countries, such as the United States, are setting up cyber commands alongside their land, air and naval commands; these are seen as the fourth power.

a. Critical Infrastructures

2 Murat Ünver and Cafer Canbay, “Ulusal ve Uluslararası Boyutlarıyla Siber Güvenlik”, Elektrik Mühendisliği, 2010, Vol. 1, 94-103, p. 96.
3 Önder Şahinaslan, Güvenli Bir Toplum İçin Son Kullanıcı Siber Güvenliği, Maltepe Üniversitesi Yayınları, İstanbul, 2012, p. 11.
4 Ş. Andaç, http://ekonomi.milliyet.com.tr, 2012.


Critical infrastructures are the physical and information technology facilities, networks, services and assets whose damage or destruction would adversely affect citizens' health, safety, security and economic welfare. These infrastructures vary from one country to another, but generally the water system, food, health, transportation, banking, energy, finance, civil administration, information technologies (IT), communication, space and research, the chemical and nuclear industry, emergency services, public order, the security department and the defense sector are recognized as critical infrastructures. Among all these sectors, IT is also identified as the most critical one, because it is the provider of information to the others. Figure 1 illustrates the critical infrastructure for homeland information security.

Figure-1. Critical Infrastructures for Homeland Information Security.5

b. Viruses

It is assessed that the use of viruses will be more effective not only in cyber space but also in the cyber area integrated into the electronic domain of the future battleground. Research on the subject shows the gigantic proportions of the threats, dangers and attacks in cyber space. Research shows that the virus “I Love You” infected nearly 45 million PCs and caused a loss of about 10 million dollars. “Nimda” also caused a loss of about 3 million dollars, and Love Bug's damage is nearly 10 million dollars. The Trojan “My Doom” caused a loss of 4.8 million dollars. A worm named “Sapphire/Slammer” infected 90% of the computers connected to the internet within 10 minutes in 2003. Since the first virus was encountered in 1981, hundreds of millions of people have been victims and thousands of corporate networks have been attacked. Large sums of money have been spent on the security software industry for protection from this inevitable danger, but despite this struggle, malware spreads throughout the world anyway.6

5 Barış AKSU, “Bütünleşik Siber Güvenlik Yaklaşımı”, Bilişim Zirvesi, Bildiriler, 11-13 Eylül 2012, Vol. I, Interpromedia Yayını, Ankara, 2012, p. 8.
6 D. BORA, “Tarihin En Tehlikeli 50 Virüsü”, Chip Dergisi, http://www.chip.com.tr/makale/tarihin-en-tehlikeli-50bilgisayar-virusu_24459.html/ (accessed 10.01.2013).


Viruses take shape according to the computer systems they are written for; hardware and system software play a decisive role in the types of viruses. Turkey ranked fifth among the countries affected by malware in the second quarter of 2013, as shown in Figure-2.

Figure-2. Malware Infected Countries in the Second Quarter of 2013.7

3. Active Defense

Cyber weapons are developing day by day, and it is becoming impossible to prevent them 100%. Being prepared for attacks, increasing the security measures on systems, strong password policies, isolating critical systems from the internet and, most importantly, personnel training are becoming more important. However, defense alone is not enough. Defense has protocols and rules to observe, but there are no rules for attackers. Offensive approaches should be included in cyber security strategy and doctrine. Cyber warfare has become a reality for all societies. The DDOS attacks on Estonia and Georgia and the Duqu and Stuxnet malware used against Iran revealed the existing and possible dimensions of cyber warfare. Presently, there is no deterrent punishment or legal case at either the national or the international level. A significant obstacle to punishing attackers is the difficulty of identifying them. Firewalls, software patches and anti-virus software are examples of passive defense methods. However, passive security measures do not have a great deterrent effect, because they are ineffective against 0-Day (Zero-Day) attacks. The other method, active defense, aims to stop an ongoing attack, including with its own defense systems, and to reduce the loss to a system. Active defense can also aim to neutralize the attackers before the attack begins. States have two options: active and passive defense. Active defense not only reduces the impact of a possible cyber-attack but also has a deterrent effect, because of its capability to react with a powerful attack. History has shown that legal procedures can become ineffective under a possible attack and that defense should be carried out by countries themselves (for example, the attack on the Twin Towers). Another mission of countries is to prevent cross-border attacks before they begin. Active defense's reaction against attackers aims to render the attackers' subsequent attacks ineffective. This reaction includes sending malicious viruses or packet combination attacks by automatic and manual attack systems. Early detection and warning systems can avert cyber-attacks before they reach their peak. On the other hand, even the best programs are incapable of detecting all existing and possible malicious software. From the legal perspective, there are good and bad consequences of an attack being allowed to run to completion. Firstly, countries have time to evaluate the attack, because it has already been completed. On the other hand, following the trace of the attack will be more difficult, because the traces disappear as time passes. A completed attack should be thought of as a component of possible future attacks, because the reaction of active defense against future attacks will be more forceful. Early detection and warning programs detect many cyber-attacks as mid-level threats; classifying an attack before its most destructive point produces wrong results. Naturally, when a system administrator detects a cyber-attack, he tries to avert it with passive cyber defense methods. However, the system administrator can evaluate future attacks from the same source and decide which method he will use against them. When an intrusion is detected, distinguishing the target of the attack is difficult without examining the program's code and the daily logs.8 Cyber threats generally aim at unauthorized access to the system, system deterioration, denial of services, data modification, destruction of information, disclosure of information, and harm to the economic, political, social and military areas by way of information theft.9

7 Akamai Technologies, The State of The Internet 2nd Quarter 2013 Report, Vol. 6, Akamai Technologies Press, Cambridge, 2013, p. 4.

4. Active Defense Samples

In 2007, a cyber-attack was made against the government and media of Indonesia, and a cyber-attack was made against Georgia in 2008. Another attack was made against Iran's nuclear program with the Stuxnet virus in 2010. Cyber warfare began to take its place in countries' security strategies. Cyber Warfare Command was established in the United States in 2009. China aims to rule the electronic area and has developed a cyber doctrine for this purpose. The Government of Iran announced that certain ministries and instruments of government would go offline after virus attacks such as Stuxnet, Flame, Duqu and finally a virus named Gauss, which steals usernames and passwords from the network of the computers it is installed on. The next stage for Iran is to be completely independent from the internet and to establish an intranet for the country. In cyber-attacks in and before 2010, attackers used simple methods such as denial of service, sending spam e-mail, changing website content, provocation by manipulation and misleading people. These threats trigger malware that causes more dangerous threats and damage. The selection of SCADA systems, which operate in many areas, as the target of a cyber battlefront will lead to severe consequences for humanity and the world. It is considered that an attack on SCADA systems can cause floods and leave a country or region without gas, heating and electricity. It can also cause artificial disasters such as fire, environmental damage and financial loss, and even exposure to radiation. In fact, what makes SCADA systems vulnerable to hackers is that they are developed by engineers rather than software specialists; engineers may be specialists in their own area but not in cyber defense. Stuxnet, written against SCADA software, targeted 0-day (Zero-day) vulnerabilities of the Windows OS, Siemens industrial automation facilities and Iran's critical nuclear facilities. The Stuxnet attacks delayed Iran's nuclear project for two years, and these attacks achieved this delay at a relatively low cost of 10 million dollars. Such software was written with large budgets and state-organized support for cyber espionage, cyber intelligence and sabotage. Stuxnet was first identified by a small Belarusian firm named “VirusBlokAda”, as an American retaliation attack on Russia for the cyber-attacks Russia made on Estonia and Georgia. Initial research showed that it was not standard worm software. Moreover, Stuxnet's complex structure, the tactics used and its targets revealed that the scenarios about cyber warfare voiced for years were not as unrealistic as thought. Approximately 130,000 computers were affected by the malicious software Stuxnet, and 60% of the infected computers worldwide were located in Iran. Stuxnet is a virus designed for a special purpose, so in general it does not harm application programs. It spread from computer to computer with 15,000 lines of code and exploited four programming errors that had not been detected by Microsoft before.10 Looking at how the Stuxnet virus functions: if the infected computer has SCADA systems, Stuxnet first tries to steal the available projects, code and designs. Another important point is that Stuxnet can install its own code into PLCs (Programmable Logic Controllers) through the interface of the programming software; however, this installed code cannot be detected when all the code in the PLC is scanned.

8 M. J. Sklerov, The Defense Technical Information Center, http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA517821, 2009.
9 Matthew J. SKLEROV, Solving the Dilemma of State Responses to Cyber-attacks, Judge Advocate General's Corps, United States Navy, Texas, 2009, p. 88 (published Master's thesis).
Thus, Stuxnet has the title of the first known rootkit that can hide all the code injected into PLCs. Stuxnet also aims to make central PLC systems dysfunctional by imposing different frequencies and motor speeds. Stuxnet is considered one of the finest examples of a targeted attack. Duqu, for providing intelligence, and Flame, which emerged as the most complex cyber espionage software, are the other viruses written in this cyber area before Stuxnet. The Flame software could not be detected by anti-virus scanners for years, because it updated itself continuously while collecting information in cyber space. When detected in 2012, Flame distinguished itself from other malicious software by its very large size (20MB) and its modularity. Stuxnet and Duqu stayed active for a long time by using vulnerabilities that were perhaps unknown even to their developers. The code of Stuxnet can be obtained by people, including terrorists, who have knowledge of the subject, and it can be copied and used. The required technology is available on the internet, so all these factors generate further threats. Day by day, a comparable response to a cyber-attack is not thought possible under the new conditions without the usual rules of military deterrence. The Stuxnet attack affecting SCADA systems has already created a new field of expertise, SCADA security, all over the world. It is considered that Pakistan, India and Indonesia, where the Stuxnet worm was detected, will take their places among the future fronts of cyber warfare. Also, for the security of the nuclear power plants planned in Sinop and Mersin for producing nuclear energy, work on SCADA systems must be started, and the safety and security of the systems must be provided and backed up by selecting different products from the companies dominating the PLC market, such as Emerson and Honeywell of the USA, Invensys of England, Siemens of Germany, ABB of Switzerland and Yokogawa of Japan. At least, it is assessed that open source (Unix/Linux) software should be preferred for SCADA and PLC systems.11 Using different SCADA supplier companies is a requirement for ensuring the supply of the source code of SCADA systems in our country, where SCADA systems are widely used. Otherwise, an attack against one manufacturer can jeopardize the whole infrastructure of a country. The cyber security infrastructure of the procured systems must be designed and tested by national security consulting firms. An attack like Stuxnet on electrical networks can be carried out using weaknesses or back doors of SCADA systems. With an attack costing a few million dollars, a whole country can be left without electricity, which causes huge economic loss. Not only in peacetime but also in wartime, a cyber-attack may disrupt military strength. The most effective solution is to have national SCADA and cyber security systems.12 Besides, turning off the system whenever a weakness or vulnerability is detected will create a big problem, because the basic infrastructure systems have to be kept running. In fact, Stuxnet, which no longer has any confidentiality, infected nearly 60,000 computers in Iran and over 10,000 computers elsewhere in the world.13

10 Emre BAKIR, “Siber Savaşlar - 5. Boyutta Savaş”, Siber Güvenlik Derneği Yayını, http://www.siberguvenlik.org.tr/2013/01/siber-savaslar-5-boyutta-savas.html, 2012 (accessed 18.11.2013).
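The hiding behaviour described above, injected PLC blocks that the programming software on the engineering PC cannot see, is why a defender needs a code-integrity baseline checked over an independent read path, plus a process-level check on drive setpoints. The following Python model is an added example, not code from the paper or from any PLC vendor; the block names, logic bytes, the 800-1100 Hz safe band and the 1400 Hz setpoint are all constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample PLC program: block name -> logic bytes (stands in for real controller code).
GOLDEN_BLOCKS: Dict[str, bytes] = {
    "OB1": b"CALL FC1; CALL FC2;",
    "FC1": b"L MW10; T MW12;",
    "FC2": b"L DB1.DBW0; T PQW256;",
}
# Constructed safe operating band for the monitored drive (not the real Stuxnet values).
SAFE_FREQ_HZ = (800.0, 1100.0)


@dataclass
class Plc:
    """Toy controller: real block memory, a drive setpoint and a rootkit view layer."""
    blocks: Dict[str, bytes]
    drive_freq_hz: float
    # Rootkit overrides applied to the engineering-tool read path:
    #   name -> None   : the block is hidden from listings
    #   name -> bytes  : the original (pre-injection) content is shown instead of the real one
    rootkit_view: Dict[str, Optional[bytes]] = field(default_factory=dict)

    def read_via_engineering_tool(self) -> Dict[str, bytes]:
        """What the programming software on the infected engineering PC reports."""
        shown: Dict[str, bytes] = {}
        for name, logic in self.blocks.items():
            if name in self.rootkit_view:
                override = self.rootkit_view[name]
                if override is None:
                    continue                  # injected block filtered out of the listing
                shown[name] = override        # stale original shown for the hijacked block
            else:
                shown[name] = logic
        return shown

    def read_out_of_band(self) -> Dict[str, bytes]:
        """Independent read path (a dedicated, offline verification station); nothing filtered."""
        return dict(self.blocks)


def block_hashes(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per block; the baseline is taken once at commissioning and stored offline."""
    return {name: hashlib.sha256(logic).hexdigest() for name, logic in blocks.items()}


def integrity_report(baseline: Dict[str, str], observed_blocks: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare an observed block set against the baseline hashes."""
    observed = block_hashes(observed_blocks)
    return {
        "added": sorted(set(observed) - set(baseline)),
        "missing": sorted(set(baseline) - set(observed)),
        "modified": sorted(n for n in observed if n in baseline and observed[n] != baseline[n]),
    }


def setpoint_violation(freq_hz: float, band=SAFE_FREQ_HZ) -> bool:
    """Process-level check: a drive setpoint outside the commissioned band raises an alarm."""
    low, high = band
    return not (low <= freq_hz <= high)


def build_infected_plc() -> Plc:
    """Constructed infection: entry block hijacked, injected block hidden, setpoint pushed."""
    plc = Plc(blocks=dict(GOLDEN_BLOCKS), drive_freq_hz=950.0)
    plc.blocks["FC_X"] = b"L 1400; T DB_DRIVE.SETPOINT;"   # constructed payload, not real code
    plc.blocks["OB1"] = GOLDEN_BLOCKS["OB1"] + b" CALL FC_X;"
    plc.rootkit_view = {"FC_X": None, "OB1": GOLDEN_BLOCKS["OB1"]}
    plc.drive_freq_hz = 1400.0
    return plc


def audit(plc: Plc, baseline: Dict[str, str]) -> Dict[str, object]:
    """Run both read paths plus the process check; only the out-of-band path sees the change."""
    return {
        "engineering_tool": integrity_report(baseline, plc.read_via_engineering_tool()),
        "out_of_band": integrity_report(baseline, plc.read_out_of_band()),
        "setpoint_alarm": setpoint_violation(plc.drive_freq_hz),
    }


if __name__ == "__main__":
    for path, result in audit(build_infected_plc(), block_hashes(GOLDEN_BLOCKS)).items():
        print(path, result)
```

The engineering-tool path reports a clean controller while the out-of-band path flags the added FC_X block and the modified OB1, which is the gap the rootkit exploits.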

5. Cyber Security Institutions

Looking at the status of nations' cyber security institutions, the Department of the Interior in the US, the intelligence organization in the UK, the intelligence organization in Russia, the Ministry of Information Industry in China, the Prime Ministry in Japan, the Department of Defense in France and the Ministry of Transport in Turkey are responsible for cyber security. Nations' cyber security strategies are shown in Figure-6.

11 Tacettin KÖPRÜLÜ, “Akıllı Şebekeler İçin Siber Güvenlik”, Siber Güvenlik Konferansı, Bildiriler, 6 Kasım 2012, Vol. I, Tübitak Yayınları, Ankara, 2012, p. 24.
12 D. T. Köprülü, http://siberguvenlik.org/siberguvenlik_sunumlari/akilli_sebekeler_icin_siber_guvenlik.pdf, 2012.
13 J. SHEARER, Symantec Corporation, http://www.symantec.com/security_response/writeup.jsp?docid=2010-0714003123-99, 2010 (accessed 16.12.2013).


Figure-6. Countries in models of cyber security strategy.14

6. An Air Force Strategic Vision for 2020-2030

Based on the analysis of issues raised in the “Air Force Strategy Study 2020-2030”, the Air Force should focus on five critical capabilities over the next two decades:15
− Power projection,
− Freedom of action in air, space, and cyberspace,
− Global situational awareness,
− Air diplomacy,
− Military support to civil authorities.

Success for the Air Force will depend on the service's ability to integrate the application of all national power instruments through the air, space and cyber domains. It is no longer possible to think or act principally in a single domain. Actors, friend or foe, who are most effective in operating across domains will achieve their objectives more frequently than those who remain stuck in a paradigm focused on a single domain. If the focus of a state is likely to continue shifting to longer ranges, it will require greater emphasis on long-range power projection by the Air Force. In an expected period of stagnant or declining defense budgets, this challenge will require innovative thinking if the state and the Air Force are to maintain regional influence. Continued success will likely come through the integration of cyber and space, which is particularly important in an Asia-centered world.16 In a global security environment marked by the proliferation of advanced anti-access and area-denial systems, friendly forces will find it increasingly difficult to establish secure bases within striking distance of adversaries. This will increase the demand for long-range power projection options.17 While power projection is synonymous with capabilities such as penetrating long-range strike, airlift and aerial refueling, the future will also call for something new to the Air Force: offensive cyber capabilities. As the Air Force moves forward, the force structure, and consequently force-development programs, must change to emphasize these requirements, which will include integrating (manned and unmanned) air, space and cyber capabilities. Future battlefields may look more like the recent Russo-Georgian conflict, in which a cyber offensive preceded Russia's conventional attack. Four recommendations are offered to assist the Air Force in meeting power projection requirements across the strategic planning space during the next two decades:
a. First, the Air Force must begin the process of fusing air, space and cyber systems. This suggests the need for systems, operators and organizations that are capable of achieving effects in more than one domain.
b. Second, the Air Force needs to develop “general purpose” forces accustomed to operating with allies in ways such as training, education and assistance.
c. Third, developing unmanned platforms that are enhanced by artificial intelligence, enabling autonomous operations, will support the Air Force's conventional power projection mission.
d. Lastly, offensive and defensive cyber capabilities must be fused into air and space platforms.

14 McKinsey Analiz Şirketi, Ülkelerin Siber Güvenlik Strateji Modelleri, Gartner Yayınları, Chicago, 2012, p. 12.
15 John A. SHAUD and Adam B. LOWTHER, “An Air Force Strategic Vision for 2020-2030”, Strategic Studies Quarterly, Spring 2011, p. 9.
16 Kadir YILDIZ, 2020-2030 Hava Kuvvetleri İçin Bir Stratejik Vizyon Çalışması, Günışığı, Kasım 2013, pp. 72-74.
17 John A. SHAUD and Adam B. LOWTHER, An Air Force Strategic Vision for 2020-2030, Strategic Studies Quarterly, Spring 2011.

7. Comparison of Passive and Active Defense

Passive Defense | Active Defense
There is enough time to evaluate the attack. | The process is executed dynamically.
It is difficult to trace the attack; it requires time. | Does not allow time for evaluation; because it is difficult to detect an attack, the attacker is in an advantageous position.
It is partially effective. | Can be fully effective.
It needs very detailed and integrated intelligence about the threat. | The need for further intelligence is limited.
Must be applied to all systems. | Can be practiced on a limited number of systems.
Cyber and physical infrastructure security depend on each other. | Physical infrastructure can be influenced through the use of cyber infrastructure.
It is difficult to detect malware; the antivirus follows the virus, not the other way round. | Unknown new-generation viruses can be developed.
When classifying attacks, it would be incorrect to classify one before it reaches its most dangerous level. | The time that passes during attack classification is an advantage.
It tries to establish safety obstacles against threats. | Many security obstacles must be overcome for threats to penetrate.
100% security is impossible. | A 0.1% security vulnerability may be sufficient.
Early detection and warning programs perceive many critical cyber-attacks as mid-level. | The desired effect is obtained while detection and evaluation are still under way.
There are rules and protocols to be followed. | There are no rules or protocols to be followed.
It is necessary to provide security at the international level. | It depends on a country, group or person.
There are unavoidable attacks (such as DDOS and 0-Day attacks). | There is the possibility of carrying out an attack which cannot be prevented.
The presently known uses are procedural. | Includes new opportunities; to be effective, you must find the unknown.
There is no adequate punishment or legal regime. | There is no penalty until it is determined; after determination, identification is difficult.
Deterrence is less. | It is deterrent.
Waits for the start of the attack; it is directed at attacks that are planned and started. | Provides prevention across borders before the attack starts; it is intended for new, unrealized attacks.
Depends on technology. | Does not get much support from technology.
Is usually symmetrical. | It includes asymmetric elements.
Acts according to the principle of wait and see; it is passive and reactive. | It is dynamic and determines the timing itself.
Focuses on past and present threats. | Focuses on future threats (cyber intelligence).
There are more cost and resource requirements (to prevent, detect, respond to and recover). | Cost optimization is made; it could avert the threat of attacks before they occur.
More safety precautions should be taken from the development stage; nationality is of importance. | It requires external and integrated attack systems; the new and the unique need to be developed; includes a self-defense system.
Defense in depth should be considered. | Attacking a single target may be sufficient.
Continuity is necessary for defense; it lacks the power of the “first blow”. | After the attack, continuity is required; it can include a very strong “first strike”.
It needs national software for high security. | Existing systems may be used for cyber-attack.

Table-1. Comparison of Passive and Active Defense.18

8. Conclusion and Evaluation

Nowadays, communities are transforming into information societies, so the dependence of individuals, institutions and countries on IT, and especially on the internet, is increasing. Extreme dependence on and global connectedness to the internet, together with its rampant global structure, cause vulnerabilities and create the background for cyber threats. In this context, international organizations recognize cyber threats as the most important obstacle in the process of transition to the information society, and these institutions are working to provide cyber security. Many countries have begun to treat cyber security as an important issue in their security policies because of the rapidly increasing cyber threats. Some of these countries are making major investments in the cyber security area and developing a variety of strategies to train staff, because of the cyber world's increasing integration with the economy, social life and national security. Less developed countries must follow these developments and adapt best practices to themselves once they have identified them, so that they can provide the security of networks in the public and private areas.18

18 Original work.

The formation of mechanisms, necessary sanctions and adopted measures in co-operation between countries is very important, because attacks come simultaneously from many countries and sources. A specific strategy and action plan for preventing attacks is needed. Engineering an operational plan, including how the units will operate during an attack and which steps will be taken, is of great importance. Flexible and non-restrictive spam or filtering mechanisms make a great contribution to reducing attacks and preventing security vulnerabilities. Generally, security experts are one step behind because of their procedural activity. Although countries use the advantages of cyber defense provided by advanced technology, beyond a certain level they can remain helpless against cyber-attacks, because advanced technology provides much more benefit to cyber-attack than to cyber defense. Also, cyber-attack includes all the beneficial factors of asymmetric war, which is a derivative of physical war. At the moment, all the perspectives we have in cyberspace focus on defense. However, the nature of cyber warfare comprises an asymmetric power, and an attack with this power will affect not only cyber systems but also physical systems, as in the example of SCADA. Also, a defense-focused concept pays attention to the past and the present, while the perspective of attack includes the future. In defense, only one weak point of ours is enough for failure, but in attack, one weak point of the enemy is enough for success. A proactive approach should be demonstrated by using “active defense” against cyber-attack. The function of the armed forces as an element of national power should be determined in this approach. Suitable approaches to cyberspace should be identified by application-based “Best Price” and “Benchmarking” analysis. It is assessed that countries can be successful in defense and attack by using the cyber-attack concept, and that enemies can be paralyzed with an early attack.
Plainly, a new weapon has come into being, and the world will have to get used to this.
