Re: [iwar] Arab/Israeli "CyberWar" of our own making

From: Fred Cohen (fc@all.net)
Date: 2001-06-11 06:18:51


Return-Path: <sentto-279987-1327-992265534-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Mon, 11 Jun 2001 06:20:07 -0700 (PDT)
Received: (qmail 22274 invoked by uid 510); 11 Jun 2001 12:19:30 -0000
Received: from mo.egroups.com (208.50.144.78) by 204.181.12.215 with SMTP; 11 Jun 2001 12:19:30 -0000
X-eGroups-Return: sentto-279987-1327-992265534-fc=all.net@returns.onelist.com
Received: from [10.1.4.54] by mo.egroups.com with NNFMP; 11 Jun 2001 13:18:54 -0000
X-Sender: fc@all.net
X-Apparently-To: iwar@yahoogroups.com
Received: (EGP: mail-7_1_3); 11 Jun 2001 13:18:53 -0000
Received: (qmail 39278 invoked from network); 11 Jun 2001 13:18:52 -0000
Received: from unknown (10.1.10.26) by l8.egroups.com with QMQP; 11 Jun 2001 13:18:52 -0000
Received: from unknown (HELO all.net) (65.0.156.78) by mta1 with SMTP; 11 Jun 2001 13:18:52 -0000
Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id GAA28050 for iwar@yahoogroups.com; Mon, 11 Jun 2001 06:18:51 -0700
Message-Id: <200106111318.GAA28050@all.net>
To: iwar@yahoogroups.com
In-Reply-To: <5.0.2.1.2.20010610230745.053d5ec0@brain-stream.com> from "B.K. DeLong" at Jun 10, 2001 11:46:28 PM
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Mon, 11 Jun 2001 06:18:51 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: Re: [iwar] Arab/Israeli "CyberWar" of our own making
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Per the message sent by B.K. DeLong:
...

I want to start by saying that I think this discussion is very healthy
and that I enjoy it.  I will be taking a position that cyber warfare is
indeed in play in the Israel PLO conflict - but it is only that - a
position.  It is subject to change if I become convinced that I am wrong.

My position is based on the general notion that war is at the high
intensity extreme of conflict.

Conflict is always present, but it ranges in intensity.  Intensity also
changes with time.

	For example, spears as weapons would not be considered much in
	the way of intensity by most people today, but 100+ years ago,
	spears were used in some of the highest intensity conflict that
	ever happened, and 500 years ago spears were one of the high
	tech weapons of the day in many parts of the world. 

Today, the conflict between the PLO and Israel is increasing in intensity
and information operations (the DoD term) are in use by both sides.  If we
choose to call it cyber warfare, that would indicate that it is at the high
intensity end of the spectrum of information conflict.

I believe that the information operations underway in the Middle East
are indeed high intensity.  The rhetoric is extreme - on both sides -
and the web defacements are reflective of the high intensity racial
hatred being pushed by both sides.  The use of information operations
have included the targeting of PLO leadership by Israeli armed forces
using information technology for the targeting.  They have included the
use of a cellular telephone bomb to blow up a PLO leader (some years
back). They have included the use of inciting and inflamatory alterations
to web pages - the communications media of the day.  They have included
luring, kidnapping, and killing.  They have included attempts to deny
military and civilian government control via information attacks.

In order to have a war, we might consider a requirement that the
governments on both sides be involved.  Otherwise we might simply call
these criminal acts.  Of course governments know this and tend to avoid
the big W word unless they want to be bombed outright.  Ever since Viet
Nam the US has avoided the term war - but warfare certainly takes place
even without the official sanction of calling it a war.  So give that we
might want to require government sanction (but not require declaration),
the PLO/Israeli cyber conflict is indeed a war.

The Israeli government has every right and capability to stop the
Israeli citizens who are participating in this conflict from doing so.
They choose not to.  These are known actors - ex Israeli military
personnel (all Israelis are - but the apparent leader of this group
was a captain I believe - not just a common conscript).

The PLO knows who these actors are on their side and their leadership
has actively supported and helped to promote their efforts.  In the case
of the PLO it is essentially their declared policy to support such efforts.

The final question we might ask would be whether the level of intensity
justifies the use of the term warfare.  I think that the answer to this
lies in the question of relativity (not Einstein's sort).  Just as
spears wre high intensity weapons 500 years ago, the techniques in use
by these parties are high intensity today.

Just as all military weapons tend to improve over time and more advanced
nations tend to have more advanced capabilities, the case can be made
that the attacks used to day by the PLO and Israeli sides in this
conflict are relatively high intensity for today.  Three years ago, most
of the techniaues used in this conflict would have been shockers to most
of the people on the Internet.

Now that I have taken a position, I feel I can respond to Mr.  DeLong's
(who I greatly respect) comments in that context. 

> At 07:40 PM 06/10/2001 -0700, you wrote:
> >         The PLO did denial of service attacks against israeli military
> >         and governmental systems.

> Does this include their classified networks where the real work happens? Or 
> just the unclassified network where their brochureware Web sites revised? 
> The US government and military is subjected to DDoS and DoS attacks all the 
> time...I hear they pretty much move on with their lives as classified 
> networks are relatively isolated from such attack.

The notion that the 'real' work happens in classified networks is, in my
view, representative of an inaccurate view of how information systems
are used today in a military and governmental context.  The US DoD, for
example, only uses classified communications for less than 10% of its
operations.  It depends to a great extent on civilian infrastructure
that is the same sort of infrastructure attacked in the PLO/Israel
conflict.

> And how do we know the PLO did these DoSes? We all know that all it takes 
> is one person with control over hundreds of zombie machines to take down a 
> small network. A good example of this is detailed by Steve Gibson: 
> http://grc.com/dos/grcdos.htm

The PLO declared the intent to do so and claimed credit for doing so. 
They wre aided by some terrorist supporters from other nations and by
individuals who they slicited to assist them.  This sounds to me like an
attributable event, but of course I would welcome any evidence that
indicates that the PLO only declared that these attacs were theirs
because they were successful.  The attacks took place against Israeli
and Israeli owned businesses and infrastructures in Israel and in the US
as well as ISPs that supported them.

> >         They also stole credit card information and names and contact
> >         information for supporters of Israel and caused them grief.

> You must be talking about the American Israel Public Affairs Committee :
> http://www.attrition.org/mirror/attrition/2000/11/02/www.aipac.org/

Indeed.

> I'll agree - that's probably the closest we've come to "cyberwar" in my 
> opinion. (and they POSTED credit card and contact information on the 
> defaced site  - there was never any evidence that they were stolen and 
> used). But then again, would GForce Pakistan really got involved in this 
> action had the media not blown it out of proportion? If you look at their 
> previous defacements you'll see hundreds of sites defaced in the name of 
> Pakistan regarding the Kashmir conflict. 
> (http://defaced.alldas.de/defaced.php?attacker=GForce&p=1)

I agree that the cyber conflict between India and Paksistan verges, at times,
on cyber warfare.

> >         They also used the Internet to lure, kidnap, and kill an Israeli
> >         teen.

> Who's "they" ? From what I've read, this was certainly not PLO sanctioned. 
> In the US, sick adults lure kids to their houses to kidnap and/or kill them 
> every so often as well. I don't see how the above incident was part of an 
> organized, state-sanctioned "cyberwar".

This particular case may or may not have been sanctioned by the PLO - it
is unclear to me at this time.  Nevertheless, the PLO certainly has
promoted such things and has historically supported such actions.

> >Israel also participated...
> >
> >         They killed a PLO leader by blowing up their cell phone (before
> >         the latest round).

> Hmmm. Are you talking about the death of Islamic Jihad leader Iyad Hardan 
> in April? He wasn't killed with his cell phone but a booby-trapped public 
> telephone. Which in my mind has nothing to do with "cyber" anything. 
> (http://www.acj.org/april/april_5.htm#3)

No - but this would potentially also count if information technology was
used to identify him and command the phone to blow up.  I was talking
about the incident of a few years ago when a cell-phone bomb was used
against a PLO leader. 

> >I want to agree with your assessment but it is not that clear cut.

> What activity at this point in time has lead you to say that the 
> Israel/Arab "cyberwar" is building back up again? While my assessment is 
> not "clear cut" I think we need to present all the evidence before 
> declaring a "cyberwar" is going on. It doesn't take much for the media to 
> drool and let the FUD fly nowadays.

I agree that more evidence would be nice - all we see right now is a
small increase in defacement rates - that is why I asked if someone
wanted to pick up on it ans start to investigate more actively.

> You made several valid points but I poked holes in them because there's no 
> clear-cut definition between a "cyberwar", a security incident, and a 
> trend. I think use of the word "cyberwar" has serious connotations that the 
> American public in general cannot distinguish between an actual declaration 
> of war and a really annoying security incident like we can. Therefore I 
> think it's important to keep talk away from comparing these incidents to 
> wartime activity and continue to describe them as the computer security 
> problems that they are. Otherwise that will not only confuse and scare the 
> American public but also feed the media into making this incident 
> longer-lasting then it should be.

I agree that we need to continue to consider our definitions, but I do
think that in this case I have made a credible case for what cyber
warfare may be and that the PLO Israeli conflict supports this notion. 
Whether the intensity is again picking up is the question I would like
to see answered and docuemtned here.

FC

--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
   This communication is confidential to the parties it is intended to serve.
	PGP keys: https://all.net/pgpkeys.html - Have a great day!!!

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 



This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:16 PDT