
The proceedings of the Conference on Cyber Warfare 2009 were published by IOS Press. Hard copies can be ordered here or by contacting the CCD CoE (ccdcoe ccdcoe.org). All papers can be downloaded here (zip).
Amit SHARMA
Institute for System Studies and Analysis (I.S.S.A),
Defence Research and Development Organization (D.R.D.O),
Ministry of Defence, India
Abstract. The last couple of decades have seen a colossal change in terms of the influence that computers have on the battlefield, to an extent that defence pundits claim it to be the dawn of a new era in warfare. The use of computers and information in defence has manifested into various force multipliers such as Information Operations, C4I2SR Systems, Network Centric Warfare, to the extent that commentators are terming this information age a Revolution in Military Affairs (RMA). These advances have not only revolutionized the way in which wars are fought, but have also initiated a new battle for the control of a new dimension in the current contemporary world: The Cyber Space.
Over time cyber warfare has assumed the shape of an elephant assessed by a group of blind people, with everyone drawing different meanings based upon their perceptions. Under these circumstances there was a gradual paradigm shift in military thinking and strategies, from the strategic aspect to the tactical aspect of cyber warfare, laying more emphasis on cyber attacks and countermeasures. This resulted in the formation of a notion that cyber warfare or information warfare is a potent force multiplier, which in a sense downgraded the strategic aspects of cyber war to a low grade tactical warfare used primarily for a force enhancement effect. The author believes this is wrong: cyber war is a new form of warfare and, rather than cyber war merely being an enhancement of traditional operations, traditional operations will be force multipliers of cyber war.
This paper tries to shatter myths woven around cyber warfare so as to illuminate the strategic aspects of this relatively misinterpreted notion. This paper will elucidate the scenarios and mechanisms illuminating the process of using the strategies of cyber war, so as to achieve conventional objectives. The paper will also analyze the doctrine and strategies including first and second strike capabilities with regard to cyber war. This paper identifies a paradigm shift from the conventional belief of cyber warfare acting as a force multiplier for conventional warfare to the recognition that conventional warfare will be acting as a force multiplier around cyber war, hence making cyber war the primary means of achieving grand strategic objectives in the contemporary world order.
Dr. Stuart H. STARR
Center for Technology and National Security Policy (CTNSP)
National Defense University (NDU)
Abstract. In the 2006 Quadrennial Defense Review, a request was made to have the Center for Technology and National Security Policy (CTNSP), National Defense University (NDU), develop a theory of cyberpower. It was noted that there was a need to develop a holistic framework that would enable policy makers to address cyber issues in proper perspective.
To satisfy that tasking, CTNSP convened five workshops, drawing on experts from government, industry, academia, and think tanks. Those workshops addressed a broad set of issues related to the evolution of cyberspace, cyberpower, cyberstrategy, and institutional factors that influence those factors (e.g., governance, legal issues). To develop the desired theory, this paper systematically addresses five key areas. First, the paper defines the key terms that are associated with cyber issues. Particular emphasis is placed on the terms “cyberspace”, “cyberpower”, and “cyberstrategy”. Second, the paper categorizes the elements, constituent parts, and factors that yield a framework for thinking about cyberpower. Third, the paper explains the major factors that are driving the evolution of cyberspace and cyberpower. To support that effort, the paper presents strawman principles that characterize major trends. Fourth, the paper connects the various elements of cyberstrategy so that a policy maker can place issues in proper context. Finally, the theory anticipates key changes in cyberspace that are likely to affect decision making.
In view of the dramatic changes that are taking place in cyberspace, it is important to stress that this effort must be regarded as a preliminary effort. It is expected that the theory will continue to evolve as key technical, social, and informational trends begin to stabilize.
Martin C. Libicki
RAND Corporation
Abstract. Cyberspace offers the prospect of sub rosa warfare, in which neither side acknowledges that they are in conflict with one another or even that one side has been attacked at all. This is possible for two reasons: first, because the battle damage from some types of cyber attack may not be globally visible, and second, because attribution can be very difficult. The reason that both sides may keep matters sub rosa is to maintain freedom of action, on the theory that public visibility may complicate negotiations and lead to escalation. Nevertheless, sub rosa warfare has its dangers, notably a lack of the kind of scrutiny that may promote actions which cannot bear the light of day, and the overconfident assumption that no third party is aware of what is going on between the hackers of both sides.
Andrew CUTTS
U.S. Department of Homeland Security
Abstract. At the highest levels of national government, two of the most important decisions to get right are properly prioritizing among competing missions, and balancing between short-term and long-term objectives. The most consequential and highest risk threat is attack by one or more nation-states intent on projecting power, and who are willing to damage or destroy critical information infrastructure by cyber means in order to achieve this objective. Threat actors falling into this category have the necessary time, resources, sophistication, and access to do so. This category certainly includes cyber warfare. Today, nation-states are beginning to understand in concrete terms the potential benefits and costs of cyber attacks used as a means of projecting national power. It may not take a great deal of a nation’s cyber resources, planning time, or technical access to achieve limited national objectives.
In the U.S., cyber defense of critical infrastructures is largely a homeland security mission. It may be that defense always lags the most potent offense. But the goal is an effective defense, not a perfect one. To get ahead of the most serious national cybersecurity risks, including that of cyber warfare, a country’s cybersecurity leadership must seek an appropriate balance of resources, energy, and focus between those threats that are most frequent and those that are most consequential. The historical bias in dealing with cyber risk has been to look at it through the lens of commerce, not national security – and to reinforce the emphasis on short-term thinking rather than long-term strategy. One way to overcome this bias is simply to emphasize efforts that mitigate the most consequential risks. A nation’s cyber leadership could decide, for example, that it should apply significant early resources to mitigating the national security risk associated with defending critical infrastructure against nation-state threats.
Major J P I A G CHARVAT
SO2 Course Director
Centre of Excellence Defence Against Terrorism
Abstract. This paper discusses the concept of terrorism, who the terrorists are and develops an understanding of why they conduct the activities they do. Understanding the mens rea of the attacker will allow consideration of the type of attack they may plan and the effect they are likely to try and achieve. It looks at the main motivations of terrorist groups and discusses their use of the Internet for various aspects of a terrorist campaign such as propaganda and recruitment. It will consider the various tactics that have been used and how the Internet has provided a new opportunity for terrorists to conduct their campaigns and how it has been adapted by them for their purposes. It examines the potential threat of a cyber attack by terrorist organizations and how they can use the Internet and Cyber Space to attack a target with similar results to a conventional physical attack. The paper will briefly discuss some of the possible defences against this form of terrorism.
Forrest HARE
School of Public Policy, George Mason University
Abstract. The new US administration has begun efforts to securitize the substantial problems the United States is currently facing in cyberspace. Recently, President Obama ordered his National Security Council to conduct a rapid review of existing measures being undertaken by the federal government, and provide recommendations for additional ones. Many stakeholders in the US government and private industry are watching these actions closely as there seems to be broad acceptance that the issues call for more extensive security measures. However, many issues will complicate effective securitization of threats in cyberspace. For example, not all stakeholders agree on the priorities or where the focus of security measures should be, yet cyber security is a “trans-sovereign” issue affecting both developed and developing countries in an interdependent manner.
Because actors in cyberspace enjoy relative anonymity and can threaten inter-connected targets around the globe, there is considerable debate as to whether the concept of borders is relevant to the challenges of cyber security. Regardless of the focus of the debate, the concept of borders is important because they define the territory in which national governments can employ sovereign measures. To analyze borders in the context of cyber security, this paper asks the question, “Is there an important role for the concept of borders, if not physical lines, in improving national security in cyberspace?” To explore the question, the paper takes two approaches. The first is a comparison of the cyber security issues to international drug trafficking in an effort to explore how sovereign measures used to combat drug trafficking may be applicable to improving cyber security. The second approach is an examination of the issue from the perspective of the Heal and Kunreuther Inter-Dependent Security Model with an attempt to inform the cyber security decision process of national governments as they consider options to invest in a higher level of security.
The paper will argue that, whether the problem is addressed from the standpoint of criminal behavior like drug trafficking, or cyber attacks in an interdependent, global domain, borders can be a potentially useful construct to address cyber security issues and inform national policy decisions, regardless of the physical location of relevant nodes. However, sovereign powers must be careful not to use the concepts of borders to curtail the progress our nations have made to connect and better the world via this evolving and expanding environment.
Dr Rex HUGHES
Cyber Security Project, Chatham House, London
Abstract. With two years having passed since the infamous cyber conflict between Estonia and Russia, international society still lacks a coherent set of principles, rules, and norms governing state security and military operations in cyberspace. For parties committed to promoting the cause of peace and stability in a multipolar world, this is a troubling notion since history shows that the likelihood of a new arms race is high when disruptive technologies dramatically alter the means and methods of war. As more nations aspire to project national power in cyberspace, a new digital arms race appears to be imminent if not already upon us. Thus, there is a central question confronting international society and more specifically the diplomatic community in cyberspace: What steps can be taken both today and into the future to forestall a major arms race and interstate competition in cyberspace? In order to begin addressing this complex question from the perspective of the Euro-Atlantic Community, this paper discusses both the challenges and opportunities of regulating 21st century cyber warfare. The paper is divided into three sections. Section 1 examines the evolution of the laws of armed conflict (LOAC) since the late 19th century. Section 2 examines how the LOAC apply to cyber warfare as viewed primarily from a US perspective (since US scholars have dominated the international regime discourse thus far). Section 3 examines what is needed to create a global regime for cyber warfare and specifically the role that NATO and the Euro-Atlantic Community can play.
David SULEK; Ned MORAN
Principal, Booz Allen Hamilton;
Senior Consultant, Booz Allen Hamilton
Abstract. For more than a decade, leading experts in government and industry have warned of an impending Cyber Pearl Harbor, a surprise electronic attack with the potential to neutralize U.S. military power and cause massive disruptions in U.S. and global computer networks. This is a powerful historical analogy—but is it the right one? This paper articulates a framework to better explore and examine the use of historical analogies in their application to conflict in cyberspace. The resulting analysis does not seek to argue the Pearl Harbor analogy is a bad one. Quite to the contrary—our thesis is that while a cyber Pearl Harbor remains a possibility, it should not be treated by decision makers as an inevitability and that there may be equally powerful historical analogies to guide future cyber strategies.
Dr. PATRICK D. ALLEN and Dennis P. GILBERT, Jr.
Johns Hopkins University, Applied Physics Lab
Booz Allen Hamilton
Abstract. Recent discussions regarding the emerging field of cyber warfare have focused on the term “cyberspace,” and have included cyberspace as being considered its own war fighting domain, much like air, land, sea, and space. In this stage of the Information Age, the international community is grappling with whether it needs to define this information realm as a domain, similar to the air, land, sea, and outer space domains that already exist. History shows that there is always an advantage in a conflict to the side that understands and operates within a domain better than the opponent. In this paper, the authors propose a definition of a domain, define what constitutes a domain, posit how new domains are created over time, and describe the features of what is and is not a domain. These definitions and features lead to our proposal that the “Information Sphere” should be the preferred international term, and it is this “InfoSphere” that qualifies as a new domain, with features both similar to and different from the four existing physical domains.
Billy K. RIOS
GreyLogic, LLC
Abstract. This text will cover the operational and tactical techniques used in a “real world” cyber-attack and includes an analysis of the planning, command, control, execution, and outcome of these cyber-attacks. The text focuses on the cyber-attacks against the nation state of Georgia in 2008, as the author was in a unique position to observe the communications, execution, and responses from both attacking and defending entities. The various aspects of the attacks will be described and linked back to traditional concepts of Maneuver Warfare as described in Marine Corps Doctrinal Publication 1 (MCDP-1).
Fyodor Pavlyuchenko;
Translated from the Russian language by Kenneth Geers
www.charter97.org;
Cooperative Cyber Defence Centre of Excellence
Abstract. During the first decade of the 21st century, Internet censorship in Belarus has evolved into a government tool used to combat political dissent. State-sponsored denial of service (DoS) attacks against civil society have become a domestic crisis that threatens not only freedom of expression in Belarus, but also the integrity of Internet resources throughout Europe. The ongoing cyber conflict between state and non-state actors in Belarus is analogous to the struggle between the Russian government and its internal adversaries in cyberspace. In this essay, we recount the history of cyber censorship and attacks against Charter ’97, a popular Belarusian website, and discuss the effectiveness of countermeasures.
Jose NAZARIO
Arbor Networks, United States
Abstract. Cyberwarfare has been waged for well over a decade, utilizing methods such as website defacement, data leakage, and distributed denial of service attacks (DDoS). This paper focuses on the latter, attacks that are easily carried out and designed to overwhelm a victim’s network with wasted traffic. The goal of a DDoS attack is to make the use of the network impossible for internal or external users. Through a brief examination of the history of these attacks, we find they previously were designed to inflict punitive damage on the victim but have since grown into sophisticated censorship tools. Our approach measures such attacks by looking at Internet backbone traffic, botnet activities, BGP routing changes, and community chatter about such attacks to provide a robust picture of politically targeted DDoS attacks. Our analysis indicates that most of the attackers are non-state actors but are able to fluidly utilize a growing botnet population to launch massive denial of service attacks. This finding has broad ramifications for the future of these attacks.
Cyrus FARIVAR
Freelance Technology Journalist (NPR, PRI, CBC, The Economist)
Abstract. As cyberattacks become more frequent, they draw new attention in the media. Indeed, there has been a significant spike in journalistic coverage of cyberattacks and cybersecurity in the last year alone, making this particularly relevant now. The aim of this paper is to provide an overview of coverage and make suggestions for future journalists and policymakers to work better together to better understand this new threat.
Olivier THONNARD, Wim MEES
Marc DACIER
Royal Military Academy, Polytechnic Faculty, Brussels
Symantec Research Labs, Sophia Antipolis, France
Abstract. Zombie armies - or botnets, i.e., large groups of compromised machines controlled remotely by the same entity - pose today a significant threat to national security. Recent cyber-conflicts have indeed demonstrated that botnets can be easily turned into digital weapons, which can be used by cybercriminals to attack the network resources of a country by performing simple Distributed Denial-of-Service (DDoS) attacks against critical web services. A deep understanding of the long-term behavior of botnet armies, and their strategic evolution, is thus a vital requirement to combat effectively those latent threats. In this paper, we show how to enable such a long-term, strategic analysis, and how to study the dynamic behaviors and the global characteristics of these complex, large-scale phenomena by applying different techniques from the area of knowledge discovery on attack traces collected on the Internet. We illustrate our method with some experimental results obtained from a set of worldwide distributed server honeypots, which have monitored attack activity in 18 different IP subnets for more than 640 days. Our preliminary results highlight several interesting findings, such as i) the strong resilience of zombie armies on the Internet, with survival times going up to several months; ii) the high degree of coordination among zombies; iii) the highly uneven spatial distribution of bots in a limited number of “unclean networks”, and iv) the large proportion of home users’ machines with high-speed Internet connections among the bot population.
Felix LEDER, Tillmann WERNER, and Peter MARTINI
Institute of Computer Science IV, University of Bonn, Germany
Abstract. Botnets, consisting of thousands of interconnected, remote-controlled computers, pose a big threat against the Internet. We have witnessed the involvement of such malicious infrastructures in politically motivated attacks more than once in recent years. Classical countermeasures are mostly reactive and conducted as part of incident response actions. This is often not sufficient. We argue that proactive measures are necessary to mitigate the botnet threat and demonstrate techniques based on a formalized view of botnet infrastructures. However, while being technically feasible, such actions raise legal and ethical questions.
Scott KNIGHT,
Sylvain LEBLANC
Royal Military College of Canada
Abstract. The classic response to attack in computer networks has been to disconnect the affected system from the network, preserve the information on the system (including evidence of the attack for a forensic investigation), and restore the system. However, it can be argued that this type of response is not appropriate in many situations. This paper argues that understanding the adversary is essential to effective defence. Instead it may be appropriate to respond with a Network Counter-Surveillance Operation to observe the activity of the attacker. The aim of this research is to enable this new kind of operation through the identification and development of the new tools and techniques required to carry it out. This paper is an omnibus presentation of a group of research projects associated with satisfying this aim, namely tools to help observe the attacker's actions on the compromised system, tools to provide a realistic environment on the compromised system, and tools to mitigate the risks associated with the attacker's use of the compromised system. The argument for the tools and techniques described is presented in the context of an illustrative Network Counter-Surveillance Operation.
Luc BEAUDOIN;
Nathalie JAPKOWICZ and Stan MATWIN
Defense Research and Development Canada; University of Ottawa
Abstract. Computer Network Defence is concerned with the active protection of information technology infrastructure against malicious and accidental incidents. Given the growing complexity of IT systems and the speed at which automated attacks can be launched, implementing timely and efficient network incident mitigating actions, whether proactive or reactive, is a great challenge. We refer to the automation of action selection and implementation in this domain as Autonomic Computer Network Defence. In this work, we suggest that Autonomic Computer Network Defence can be achieved using Reinforcement Learning and dynamic risk assessment to learn the optimal action sequence, or policy, to recover from given computer network risk situations. Such a policy could then be used by commercial network management and security products to implement selected mitigating actions automatically, as risk states are sensed.
Gabriel KLEIN, Marko JAHNKE, Jens TÖLLE; Peter MARTINI
Research Institute for Communication, Information Processing and Ergonomics (FGAN-FKIE), Germany;
Institute of Computer Science IV, University of Bonn, Germany
Abstract. Timely and appropriate reactions to detected denial-of-service attacks against computer networks are crucial in both civilian and military settings. GrADAR is an intuitive graph-based approach for assessing the effects of DoS attacks against computer networks so that response measures can be automatically selected without human intervention. However, GrADAR has limitations insofar as implicit effects of countermeasures are only taken into account by propagation towards user nodes. Possible effects in the other direction are only considered if they are explicitly specified. For this, they need to be exactly known in advance which is often infeasible. This contribution presents an extension to GrADAR, in which we consider resource workload and processing capabilities and their effects on resource availability. We incorporate workload measurements into the GrADAR model which are done by passive analysis of network traffic. We further augment the active availability probes with passive measurements. This ensures more accurate availability values because additional measurement traffic that might falsify results only needs to be injected when resources are currently not accessed.
Daniel BILAR
Department of Computer Science, University of New Orleans, USA
Abstract. An nth order attack seeks to degrade, disable or subvert an end system indirectly by targeting one or more end mission-sustaining ancillary systems. We discuss the vulnerability etiology enabling such attacks. We illustrate the notion of these attacks with concrete historical, current and forward-looking examples; also in the context of cyberwar against advanced computerized societies. We sketch the challenges and requirements to detect and mitigate the effects of nth order attacks.
Louis-Francois PAU
Copenhagen Business School and Rotterdam School of Management
Abstract. This paper gives an analytical method to determine the economic and indirect implications of denial of service and distributed denial of service attacks. It is based on time preference dynamics applied to the monetary mass for the restoration of capabilities, on long term investments to rebuild capabilities, and on the usability level of the capabilities after an attack. A simple illustrative example is provided for a denial of service on a corporate data centre. The needed data collection methodologies are categorized by classes of targets. The use of the method is explained in the context of legal or policy driven dissuasive, retaliation or compensation/restoration actions. A concrete set of deployment cases in the communications service and transport industries is discussed. The conclusion includes policy recommendations as well as information exchange requirements.
Roelof TEMMINGH;
Kenneth GEERS
CEO, Paterva, Pretoria, South Africa;
Scientist, Cooperative Cyber Defence Centre of Excellence & Naval Criminal Investigative Service (NCIS), Tallinn, Estonia
Abstract. It is increasingly difficult to separate ‘cyberspace’ from what we think of as the ‘real world’. Human beings respond to stimuli from both. Threats to persons, organizations, and governments require timely and accurate evaluation, but cyber attackers can exploit the imperfect and maze-like architecture of the Internet to make threat evaluation difficult. In cyberspace, it is possible to create fraudulent online identities – potentially millions of them – that could programmatically support any personal, political, or military agenda. In the future, computer botnets may evolve from spam and Distributed Denial of Service (DDoS) generators to semantic creatures that can post opinions, arguments and threats on the Internet. Counterfeit identities on the World Wide Web (WWW), complete with randomized or stolen biographies, pictures, and multi-year histories of Internet activity, will be difficult to separate from real human beings because there is no quick way to determine whether a virtual person really exists.