14 Jul 2009
Costs of War: Chasing Cyberghosts
A series of cyberattacks on US and South Korean government websites brought a flood of media coverage and near-hysterical reactions from some US lawmakers. But how serious were they really? Shaun Waterman writes for ISN Security Watch.
By Shaun Waterman in Washington, DC for ISN
The large networks of such infected computers controlled by hackers are called botnets. Computers in the botnet - typically owned by innocent, unknowing individuals or companies who have not kept their anti-virus protection up to date - bombard their target websites with millions of fake requests for information, over-loading them and causing real visitors to the site to experience long delays in getting to the site, or sometimes shutting them down altogether.
Most of the US sites targeted were affected only marginally by the attacks. “Readers may have noticed that our site was a bit slow and occasionally unreachable today,” wrote Brian Krebs of WashingtonPost.com.
Some US government sites were down altogether over the holiday weekend and even once the work week began. But these were sites that simply had not done “due diligence security” necessary to survive “standard weather on the internet,” according to cybersecurity analyst John Pescatore.
“The attack itself was very minor,” Marcus Sachs told ISN Security Watch. Sachs is the director of the Internet Storm Center, a volunteer monitoring group run by web security specialists.
An estimate from security firm Arbor Networks put the volume of data associated with the bogus requests launched by the attackers at only 39 megabits (Mb) per second on average, with a maximum volume of about 182 Mb per second. Attacks “below a couple hundred Mb per second are pretty easily filtered,” wrote Arbor Networks’ Jose Nazario.
Sachs said the government agencies least affected were those hosted by commercial internet companies, which distribute so-called 'mirror sites' for the agencies’ web pages across servers scattered around the country and the world.
“We know how to deal with these attacks,” he said. “This is not a technical issue, it’s a leadership issue.”
Agencies that failed to distribute their websites in this way are the equivalent of “a businessman [who] decided to open up franchises housed in igloos in the countries on the equator,” wrote Pescatore.
Sachs said misleading media coverage of the events meant that “this non-event flamed into something [that appears] much bigger than it actually is.”
But he said the media were not solely to blame. When a cybersecurity incident occurs, “There’s nowhere for you guys [in the news media] to go find out what’s really going on.”
He noted that despite the new administration’s commitment to openness and transparency, much reporting about the incident relied on anonymous sources, many of whom appeared ill-informed.
“Where was the leadership?” he asked, “Where was the communication?”
The paucity of accurate information had more serious consequences than just the making of a media mountain out of an internet security molehill.
Botnets can easily be created by anyone with software coding skills or even rented from cybercrime gangs. Because even the so-called 'command-and-control programs' which provide lists of target websites for botnets can be hosted on hacked computers without their owner’s knowledge, it is extremely difficult to trace DDOS attacks back to their real authors.
“It’s like chasing ghosts,” said Sachs.
Nonetheless, media coverage of the attacks almost universally attributed them to North Korea, initially on the basis of anonymous sources in the South Korean intelligence services.
“There’s not a shred of technical evidence it was North Korea,” said Sachs. He added that since the attacks caused little damage - though they were “politically embarrassing” - he did not expect US intelligence and law enforcement agencies to undertake the lengthy and expensive technical forensic investigation that would be required to identify their true origin.
“Why spend millions to track down some teenager?” he asked.
Nonetheless, many lawmakers, apparently anxious to polish their hawkish credentials, were swift, as Sachs put it, “to pound their fists and demand retaliation.”
The North Koreans “need to be sent a strong message, whether it is a counterattack on cyber, [or] whether it is more international sanctions,” said Republican Rep Peter Hoekstra, a ranking member of the House Intelligence Committee. “The only thing they will understand is some kind of show of force and strength.”
It would be easy to dismiss such opinions, especially from a lawmaker who has something of a reputation for over-statement.
But alarmingly enough, the US military has openly discussed the possibility of retaliating against cyberattacks with real bombs. "You don’t take any response options off the table from an attack on the United States of America,” said Air Force General Kevin Chilton, the head of US Strategic Command, earlier this year. “Why would we constrain ourselves on how we would respond?”
ScholarEvgeny Morozov of the Open Society Institute recently argued in a long essay in the Boston Review that cybersecurity fears are hugely overblown, and that the real danger may come from state over-reaction to a threat of which the paucity of public understanding is matched only by the unlikeness that it will ever materialize.
The prospect of unknown attackers disabling banking systems or the power grid, “certainly sounds scary,” Morozov writes, “almost as scary as raptors in Central Park or a giant asteroid heading toward the White House. The latter two are not, however, being presented as ‘national security risks’ yet."
Shaun Waterman is an award-winning reporter for the Washington Times, covering foreign affairs, defense and cybersecurity. He was a senior editor and correspondent for United Press International for nearly a decade, and has covered the Department of Homeland Security since 2003. He holds a Master’s degree in social and political sciences from King’s College, Cambridge.
Shaun Waterman's Costs of War column appears every Tuesday.
Creative Commons - Attribution-Noncommercial-No Derivative Works 3.0 Unported