In this case, the best offense is a good defense
BY SIMSON GARFINKEL
THE SKY HASN'T FALLEN yet, but it soon may. At least that's been
the message repeated for more than a decade by computer security
professionals, military planners and multiple blue-ribbon commissions.
All have warned of an impending "Digital Pearl Harbor" in which U.S.
computers will be hit hard by foreign governments or terrorists
employing a variety of electronic attacks. The result, we're told, will
be damage to critical infrastructures, massive economic loss and
perhaps worse.
Let's face it: Cyberattacks are
easy. In August 2000, a former employee of an Internet news wire service
published a fake press release for Emulex and caused the company's market
capitalization to drop by roughly $2.5 billion in a matter of hours. SQL Slammer
exploited a buffer overflow in Microsoft SQL Server for which a patch had
been available for about six months, and its scanning alone caused
significant damage. The worm carried no destructive payload at all; had its
author been more vindictive, it could have wiped the hard drive of every
infected system.
Since the early 1990s, it's been
clear that an organized attack over the Internet or other data networks
could seriously disrupt not just civilian but military targets as well,
thanks to increased interconnections. In the late 1980s, a group of West
German hackers broke into more than 40 sensitive computer systems at
the departments of Defense and Energy, and NASA. During the first Gulf
War, hackers from the Netherlands broke into 34 DoD systems, including
computers supporting ships in the theater of operations. In 1995,
an Argentinean hacker broke into DoD, NASA and Los Alamos National
Laboratory systems that contain information on aircraft design, radar
technology and satellite control systems. In February 1998, two teenagers
from California, tutored in the art of hacking by an 18-year-old Israeli,
broke into other DoD systems. In each of these cases, had the hackers
been suitably motivated, they could have caused substantial damage to
U.S. national security.
Given all that, why didn't the Iraqi
military start attacking us in cyberspace when we started bombing their
country? At the very least, why didn't Iraqi sympathizers and angry
youths walk in from the Arab Street and start pounding us from their
keyboards? When I called my friends in Washington and asked them that
question, their answer was simple: The nation's digital security has
gotten a lot better in the past two years.
Lines of communication that did not
exist even two years ago have opened between law enforcement, the
military, commercial providers and businesses. Administrators and
software providers have become far more aggressive about deploying
security technology like virus
scanners and applying security patches. As a result, those running the
national information infrastructure are now in a much better position
to deal with current attacks. Yes, we're still vulnerable to worms and
viruses, but those attacks are less likely to jeopardize lives. The
Hoover Dam is secure.
And yes, some teenage hacker with a few hundred "zombies" on the Internet
can use those assets to launch a distributed denial-of-service attack
against a website. With just a few mouse clicks, the teenager might
cause 6Gbps of traffic to bear down on some hapless victim. But
aggressive monitoring now picks up these attacks shortly after they
start: a sudden jump in traffic toward one address, arriving from many
sources at once, stands out against the site's normal baseline. Once
identified, it takes only a few phone calls to have an upstream provider
update a router configuration and neutralize the onslaught. The caveat a
practitioner should keep in mind is that the coarsest fix, a null route
for the victim's address, completes the attacker's work by dropping
legitimate traffic too; an access list that discards only the flood's
protocol or port, applied upstream of the saturated link, is the better
first response.
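The monitor-then-filter cycle described above, as an added example written for this edit (it is not code from the original article, from CSO or from Sandstorm). The flow records, timestamps and addresses are constructed (documentation and private ranges, not real hosts); the 50 Mbit/s and 50-source thresholds are assumed site-specific tuning; and the emitted rules use Cisco IOS extended-ACL syntax for the provider's router and iptables syntax for the site's own firewall.

```python
"""Rate-based DDoS detection over flow records, with a first-cut filter.

Added example. Flows, thresholds and addresses are constructed; the
router and firewall syntax is Cisco IOS ACL and Linux iptables.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds on a constructed timeline
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int
    nbytes: int


WINDOW = 10                  # seconds per aggregation bucket
BPS_THRESHOLD = 50_000_000   # assumed: 50 Mbit/s toward one host is far above baseline
MIN_SOURCES = 50             # assumed: many distinct senders means distributed, not one noisy client


def aggregate(flows: List[Flow]) -> Dict[Tuple[int, str], dict]:
    """Bucket flows by (window start, destination address)."""
    buckets: Dict[Tuple[int, str], dict] = {}
    for f in flows:
        key = (f.ts - f.ts % WINDOW, f.dst)
        b = buckets.setdefault(key, {"bytes": 0, "srcs": set(), "targets": Counter()})
        b["bytes"] += f.nbytes
        b["srcs"].add(f.src)
        b["targets"][(f.proto, f.dport)] += f.nbytes
    return buckets


def detect(flows: List[Flow]) -> List[dict]:
    """One alert per (window, destination) that exceeds both the rate and source-count thresholds."""
    alerts = []
    for (start, dst), b in sorted(aggregate(flows).items()):
        bps = b["bytes"] * 8 // WINDOW
        if bps >= BPS_THRESHOLD and len(b["srcs"]) >= MIN_SOURCES:
            (proto, dport), top_bytes = b["targets"].most_common(1)[0]
            alerts.append({
                "window": start, "dst": dst, "bps": bps,
                "sources": len(b["srcs"]), "proto": proto, "dport": dport,
                "port_share": top_bytes / b["bytes"],   # fraction of flood bytes on the busiest port
            })
    return alerts


def mitigation(alert: dict, single_port_share: float = 0.8) -> List[str]:
    """Rules the 'few phone calls' would ask for: an upstream ACL plus the local firewall equivalent.

    If most of the flood hits one port, match that port; otherwise drop the whole
    protocol toward the victim, which also discards legitimate traffic of that
    protocol. The iptables line only protects the host; a saturated access link
    is relieved solely by the upstream ACL.
    """
    proto, dst = alert["proto"], alert["dst"]
    port_match = alert["port_share"] >= single_port_share and proto in ("tcp", "udp")
    acl = f"access-list 150 deny {proto} any host {dst}"
    ipt = f"iptables -I INPUT -p {proto} -d {dst}"
    if port_match:
        acl += f" eq {alert['dport']}"
        ipt += f" --dport {alert['dport']}"
    return [acl, "access-list 150 permit ip any any", ipt + " -j DROP"]


def constructed_flows() -> List[Flow]:
    """Constructed sample: three quiet windows of web traffic from five clients,
    then a fourth window in which 300 'zombies' flood the same server with UDP."""
    victim = "203.0.113.10"
    flows = []
    for w in range(4):
        for i in range(5):
            flows.append(Flow(w * WINDOW + i, f"198.51.100.{i + 1}", victim, "tcp", 80, 1500))
    for k in range(300):
        flows.append(Flow(3 * WINDOW + k % WINDOW, f"10.{k // 256}.{k % 256}.5",
                          victim, "udp", 1024 + k, 250_000))
    return flows


if __name__ == "__main__":
    for a in detect(constructed_flows()):
        print(f"t={a['window']}s {a['dst']}: {a['bps'] / 1e6:.1f} Mbit/s "
              f"from {a['sources']} sources, mostly {a['proto']}")
        for line in mitigation(a):
            print("  ", line)
```

The two-part threshold is the point: a single client pushing a large volume is a capacity or abuse problem, not a distributed attack, so it is not escalated to the provider, and a flood whose bytes are spread across many ports yields a protocol-wide rule rather than a port-specific one.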
During the war in Iraq we
experienced an upsurge in low-level denial-of-service attacks against
websites, but for the most part these attacks appear to have been the
work of relatively unsophisticated and underfunded sympathizers.
Iraq of the 1990s simply wasn't a
good place for aspiring information warriors to develop their skills.
What's more, those individuals with highly marketable computer skills
were more likely to leave the country than to serve the regime.
Countries such as China, England, France and Russia all have info-war
capabilities; Iraq didn't.
Ironically, probably the most
successful cyberspace attack of the 2003 Gulf War appears to have been
a U.S.-originated attack against the English language version of the Al
Jazeera website; whether it was an official attack of the U.S. military
or the act of homegrown hackers sympathetic to the U.S. position
remains unclear.
Lessons from the Front
To understand what all this means for CSOs, it's helpful to look
closer at the U.S. military's own thinking, planning and response.
Within the U.S. military, the phrase
"information warfare" really covers a broad spectrum: blowing up
bridges that contain fiber-optic cables, dropping leaflets urging
troops not to use weapons of mass destruction or using intelligence to
aim 2,000-pound bombs on "leadership targets." For the military,
"information warfare" really means using information to multiply the
effectiveness of traditional war-fighting capability. It includes the
millions of e-mails and text messages sent to Iraqi commanders. It also
includes the practice of deception against the enemy and the use (or
manipulation) of the news media. The decision to embed journalists with
its forward troops, for example, was a marvelously successful part of
the U.S. military's information warfare strategy.
When computer geeks think of
information warfare, their minds turn to hacking and cracking: shutting
down communications networks by penetrating their routers and wiping
out configuration files; planting viruses inside enemy e-mail systems;
grounding enemy aircraft by diverting fuel trucks to the wrong bases.
Most military planners classify these operations as cyberwar.
It's hard to write knowledgeably
about our government's offensive information warfare capability; the
capability is largely classified. But sources tell me that much more
money is spent on defensive measures than offensive ones. That's
because every military installation is responsible for defending its
own computers. But because cyberwar is so new, relatively untested and
specialized, a decision to launch a cyberweapon could be made only at
the military's highest levels. If a commander in the field wanted to
shut down an enemy e-mail server, it would be far easier to simply bomb
a building than go through channels to do something digital. Top brass
would likely feel the same way: Our military officials understand the
political fallout of accidentally bombing the wrong building; they
don't know what would happen if they released a computer worm that "accidentally" shut down the Internet for a few days.
The U.S. military actually has a
huge incentive to have politicians group cyberweapons in the same
category as poison gas and germs—that is, weapons that are simply too
terrible to use. That's because cyberweapons are cheap: If their use
against the enemy is legitimized, then their use against our own
civilian infrastructure is potentially legitimized as well. That's why
if we are attacked with cyberweapons, our military is probably more
likely to respond with conventional weapons.
Surprisingly, CSOs are faced with
this same calculus when their systems are attacked in cyberspace. If a
hostile customer shows up at your office with a gun and starts
shooting, it's entirely appropriate for an armed security guard to
respond with deadly force—in fact, the courts would see this as an
exercise in self-defense. But if that same hostile customer were to
launch a cyberspace attack against your servers, it would be utterly
inappropriate to respond by hacking that customer's desktop computer or
DSL modem. A more reasonable approach would be to report the attack to
law enforcement or sue the customer in the civil courts.
That is a decision you might need to
make some day. Like the military, many businesses are essentially
developing an offensive cyberwar capability as part of their effort to
defend themselves. If you have an antivirus system, then you have a
collection of intercepted viruses that you could easily e-mail to your
attacker. Many of today's network scanners will happily launch
destructive scans at the click of a button. In order to effectively
audit their systems, most security administrators have learned how to
hack.
What's more, businesses are
increasingly finding themselves in situations where "hacking back"
seems like the only reasonable alternative. Law enforcement won't care
that your organization has been attacked unless you have significant
monetary damage. Meanwhile, you may not be able to file a lawsuit
unless you can identify the perpetrator, which may be difficult if the
attack originates from a server in China. Wouldn't it be much easier,
cheaper and faster to type a few commands and shut down the enemy
system?
Perhaps, but any organization that
takes the law into its own hands by hacking back has far more to lose
than its attacker. Hacking is illegal regardless of who started it, and
breaking the law exposes the organization to civil liability and criminal
prosecution, while the attacker has little to forfeit and may not even be
the owner of the machine you strike. It's safer to simply add a few rules
to your firewall and hope that the attacker will go elsewhere. And with
any luck, the sky won't fall after all.
Simson Garfinkel, CISSP, is a technology writer based in the Boston
area. He is also CTO of Sandstorm Enterprises, an information warfare
software company. He can be reached at machineshop@cxo.com.