Computer Crime Research Center


Interview: John Arquilla

Date: October 15, 2003
Source: Computer Crime Research Center


... always have to be careful about trying to figure out where a cyber attacker is coming from. They can use computers in any part of the world, but they can be in an absolutely different part. The geography of cyber terror is simply not physical, and it's not linear. So while there's some evidence of cyber attackers operating out of South Asia, several Muslim countries -- and indeed, some of my students have identified particular groups and even some individuals operating in those parts of the world -- we're never quite clear about the ultimate identification of the attacker.

This is, I think, the other problem with cyber war -- the ambiguity as to the perpetrator of these acts. In the short story I wrote, I highlighted this point by having the attackers make it look like a particular nation was behind the attacks on the United States, and this precipitated a larger political military crisis.

I think we have to worry about that kind of deception in the future. After all, the Net is the place where deception is woven into its very fabric. I go back to a time on the Internet when, I think, among all the users, half were men, and half were men pretending to be women. So deception has been there from the very beginning.



The Mountain View case was investigated by the FBI, and then the case was closed. The question becomes, in a situation like this, could the FBI ever find out who was actually doing the probing?

The problem of resolving the perpetrator's identity is central to both the law enforcement and to intelligence, and, frankly, to homeland security. It's something to which we have to devote a great deal of attention in the coming years. I think that our current approaches are limited in part by our own laws. How far back we can hack to trace a user is limited under our existing laws, and the notion of international hot pursuit through cyberspace is also something that has run far ahead of existing international law. So we need to start thinking about a harmonization of information security law around the world.

We need to think about a networking of our own capabilities within this country that will move information far more speedily than it moves today.


The time to back-hack a perpetrator is within seconds, minutes or hours of the action, not months and years after it happens. The trail is far too cold by then. ...



How did 9/11, in general, change the way that cyber war or the potential for cyber war was viewed?

I think the cyber angle of the terror war we're in right now is one in which we realize Al Qaeda makes a very substantial use of the Web and the Net. They are a global network, and you don't run such a network without the use of such systems. For example, their money movements don't physically move money. They consist of e-mails to different places in the world where pots of money sit, and those e-mails direct how the money will be spent or otherwise utilized. So our ability to get inside these systems of communications is a crucial element in combating terror. ...

What we don't do is invest in the human capital that already exists, and that is several orders of magnitude more skillful than anything we can create through a federally funded program. Instead, we have a system in which the hacker faces jail terms far in excess of those of an armed robber for doing what he or she does -- it's mostly "he." We have to reexamine that punitive approach to the hacking community, and try, instead, to turn it into something that can be useful, and perhaps even to reform some of these people away from their own illegal actions.



Before, we talked about what a cyber war might look like, what an attack might look like. What might a defense look like at this point? If there was an attack, again, on infrastructures, what would we see? When would we see it? What would we do?

A cyber war that might unfold would be hard to detect at first. Often, attackers get in without even being noticed. In fact, most intrusions are not noticed. But assuming some kind of warning existed, or we noticed a drop in power production somewhere, or a system went on the fritz, then we would mobilize very quickly to do a pattern analysis to search for what kind of attack tool was being used. In government, we spend a great deal of time figuring out what all the possible tools and devices are that might be employed, and then we try to pattern match those to what's going on as a means of trying to cope with the attack and to mitigate its effects.

Now, this is useful. But it is limited in terms of our dealing only with what is already known -- the known signatures of viruses, for example. So our opponents who may have invented a new virus, or may have taken an old one and modified it in a new way, have an inherent advantage. There is something in the balance between offense and defense. I think there is somewhat of an advantage on the offensive side. Defenses, at best, can hope to limit damage.



I think the situation that you wrote about in your story, we're also talking now about viruses coming at us, but also getting into SCADA systems and such. How does one deal with that?

In the event that our system controls and data acquisition [SCADA] systems have been compromised, we're looking at defensive measures that could mitigate damage quickly, but at great economic cost. Shutdowns, for example, of oil flows on a pipeline to prevent any kind of break or environmental damage would have great, great economic costs that would attend them. In that respect, the cyber attacker might not get their ultimate goal, their primary target, which is to create an oil spill and a rupture in a pipeline. But they would hit their secondary target, if you will, which would be to cause some economic cost to be imposed on us.

I think the best we can hope for is to force the hacker off the primary goal, which is the catastrophic failure of a system. But there are always going to be costs imposed, and these cyber attackers hold the initiative. They decide where and when to attack, and they basically know that they will be able to run free for a little while.

There's an analogy to the Vietnam War that I think is useful here. Ninety percent of the firefights in the Vietnam War were started by the Viet Cong or the North Vietnamese army. They could choose when and where to attack, and they knew the moment they did this, that they would soon come under American attack from artillery, from aircraft, and from reinforcements being brought in by helicopter. I think the skillful hackers are like the Viet Cong. They know that they have a short period in which they will hold the advantage, and then they must disengage. So we have to watch out for those kinds of tactics.

I think we also need to be worried in the future that we won't have a few isolated incidents that occur over months or years, but we have to worry about the possibility of a campaign approach being taken by the cyber attackers, in which they mount several attacks over a period of hours, or perhaps over days. Think about, for example, a Nimda virus, something like that. That would be deployed once a week for three months. Think about the economic impact of something like that. ...



Another analogy that you talk about and you write about is how this is akin to the rise of air power 80 years ago. Define that for me.

When I think about cyberspace-based warfare, I think about air power. Eighty years ago, the great theorists of air power thought about having the ability to attack another society from the air without having to engage their armies or fleets first. Cyber warfare has some of those elements too. You don't have to engage a military. In fact, you don't even need a military in order to engage in this fashion. So it is a form of strategic bombardment. ...

I take heart from the notion that, in the eight decades or so of strategic aerial bombardment, such campaigns have almost never worked. It says to me that cyber bombardment campaigns are probably not likely to work either.

Now, both physical bombing and cyber bombing will have great costs associated with them, but I don't think a people will fold under that kind of pressure. So, for me, the real meaning of cyber warfare is on the battlefield. Much as aircraft, which couldn't break societies with bombardment, transformed 20th-century warfare, I think cyber attacks will transform 21st-century warfare. Militaries which are highly dependent on secure information systems will be absolutely crippled, just as if they didn't have aircraft above to protect them in the 20th century. If they don't have good cyber defenses in the 21st century, they'll be absolutely helpless.



Why was Kosovo important to understand the use of cyber tactics in a war situation?

I think Kosovo was, in some ways, a proving ground of certain cyber capabilities. We get into a very sensitive area here. But what can be said is that some means may have been used to distort the images that the Serbian integrated air defense systems were generating. This, of course, was crucially important to waging a successful air campaign. The president ruled out a ground invasion, so the ability to operate in a heavily defended airspace was quite important, and it goes to the issue of the applications of cyber-based tools in the field.

Now, on the Serbian side, there were some pinprick attacks in cyberspace against NATO, and these were easily brushed off. Perhaps the most fascinating aspect of...



Copyright © 2001-2024 Computer Crime Research Center