The past decade may be portrayed as a period of growing cyber threats, or at least as a period of increasing fear and a growing conviction regarding cyber insecurity. Among the many cyber-vulnerable industries, critical infrastructure in the energy sector is foremost in facing new risks and threats, because its information systems are connected to, and interdependent with, the open internet. Cyberspace has become a major potential landscape of insecurity, and both experts and governments admit that critical infrastructures, which include electric power transmission systems, water distribution systems and oil and gas distribution systems, are susceptible to cyber attacks. Some of the more startling issues that have surfaced are:
- Chinese and Russian infiltration of the US electricity grid
- In 2009, the U.S. oil companies Marathon Oil, ExxonMobil and ConocoPhillips were the targets of cyber attacks. Data was leaked as a result of cyber espionage, and the perpetrators could have been Chinese hackers.
- In February 2010, the European Union’s Emissions Trading Scheme (ETS) was the victim of fraudulent cyber attacks. The registries in 13 European countries were forced to close.
- According to a recent survey by McAfee, “the most victimized sector was oil and gas, where two-thirds of executives report distributed denial of service (DDoS) attacks”. Twenty-seven percent of respondents in the power sector and thirty-one percent in the oil and gas sector reported being victims of extortion through cyber attacks.
In the face of damaging if not catastrophic attacks, government authorities have launched several programs. One such program is the result of a 5-year research project into securing the US power grid, called “Trustworthy Cyber Infrastructure for the Power Grid,” which has been funded by the US Departments of Energy and Homeland Security. The aim of this project is to make certain that the new smart meters that will accompany the introduction of the smart grid can resist hackers’ attacks. Similar programs have been implemented in several other countries all around the world. The Infocomm Security Masterplan in Singapore aims at defending the critical infrastructures (finance, energy, water, telecommunications) of the country against cyber attacks.
Security Issues & Information War Attackers
The spectrum of tools and methods used by attackers may include virus and malware dissemination. In 2003, for example, a computer worm penetrated a computer at the Davis-Besse nuclear power plant and disabled a safety monitoring system. In 1998, a hacker using the Trojan computer worm seized control of a main EU gas pipeline. Other attacks include intrusions into network systems, DDoS attacks through botnets (a botnet is a collection of software agents that can run automatically and autonomously), equipment sabotage through cyberspace, information manipulation to condition adversaries’ thinking, personal data theft, etc.
Through the theft of data, for example, the attackers may get sensitive information concerning company employees, their activities and their passwords, which can be used in future attacks. In 2009, 69 computers from the Los Alamos National Laboratory (nuclear weapon research lab) were missing or were stolen. The PCs may have contained personal or sensitive information. Over the past ten years, the laboratory has lost several hard disk drives filled with classified information.
Cyber attackers may be divided into a few main categories, each type associated with different objectives. One group is composed of politically motivated attackers. Another group is composed of state actors (governments, intelligence agencies, militaries) whose objective is to acquire all kinds of data, knowledge and secrets (economic, scientific, military and political), which is the traditional business of intelligence and reconnaissance. Espionage is probably the main reason why the vast majority of these types of attacks are attributed to foreign state actors. Other objectives of state-sponsored cyber attacks include equipment disruption, mapping a potential adversary’s capabilities, and assessing the capacity to attack an adversary's critical infrastructure in a time of conflict. These are the information and cyber warfare actors.
With the above objectives in mind, current attacks may be seen as efforts to map the web, its infrastructures and its actors. In the event of a major conflict, all the information accumulated in times of peace could be used by militaries. Energy distribution systems would be prime targets of military cyber attacks.
China & Cyber Insecurity?
Increasingly, accusations are emerging from industrialized and developing countries pointing to China (the People's Liberation Army, “Beijing”, the “government”, or its hackers) and accusing it of being the source of major cyber attacks. These have reached sensitive targets, such as critical information infrastructures, the servers of big international firms and government agencies. The methods used in such attacks, themselves vaguely defined, are usually those of cyber criminals: intrusion, data theft, interception of data and communications, spreading malware and viruses, use of botnets and web defacement. While cybercriminals are motivated by financial gain, several of these attacks are not money-oriented operations and therefore point to another originating source. Some of these attacks clearly serve other goals, such as intelligence gathering or the dissemination of ideologies.
Current forensic methods and technologies do not enable scientists to attribute cyber attacks to one or another actor, i.e. to determine an attacker’s identity. As a result, it is difficult (if not impossible) to conclusively assert that the Chinese government and/or Chinese army are involved in the incidents assigned to them.
China’s Strategy for Information Warfare
China has demonstrated its intention to become an internationally leading player in the fields of information and cyber warfare. Information warfare involves actions taken to achieve information superiority by affecting adversary information, information processes, information systems and computer-based networks, while denying the adversary’s ability to do the same. Cyber warfare is usually considered a subset of information warfare: it is warfare conducted in cyberspace. More than 20 years ago, China began to publish its theories, doctrines, policies and strategies concerning both defensive and aggressive use of cyberspace. Recently, a student from the Institute of Systems Engineering of Dalian University of Technology in China published a research paper titled “Cascade-Based Attack Vulnerability on the US Power Grid.” The title sounded like a provocation. Several American experts and journalists analyzed the article as a new demonstration of China’s offensive motivations against American infrastructure (and indeed against the security and sovereignty of the USA), and also as proof of China’s involvement in a new arms race in cyberspace. China’s approach to information warfare and cyber warfare has two main dimensions, military and civilian, both developed through theoretical and practical considerations.
The Military Dimension
The dazzling success of the US in the first Gulf War was interpreted by several armies in the world as the victory of new technologies. According to this model, dominance in information and information technologies provided total control over the battlefield and was the key to military success, victory and power. This conclusion called for a radical transformation within armed forces. China’s Revolution in Military Affairs (RMA) concept and the ensuing transformation of Chinese doctrine guided new strategies in Chinese military affairs, as the RMA has done in several industrialized countries worldwide. In this context, the concept of information warfare acquired greater consideration among military experts in China. Since the mid-1990s the Chinese army has implemented a modernization program guided by the concept of “informationization” (which translates as dominance over information technologies and cyberspace).
In 1995 General Wang Pufeng, who is considered the father of the Chinese doctrine of information warfare, outlined several key concepts of this doctrine. Among them he pointed out that:
- The goal of information warfare is no longer the conquest of territories or the destruction of enemy troops, but the destruction of the enemy’s will to resist.
- Information warfare is a war in which the ability to see, to know and to strike more accurately and before the adversary is as important as firepower.
In 1997 Chinese Colonel Baocun Wang added that:
- Information warfare can be conducted in times of peace, crisis and war;
- Information warfare consists of offensive and defensive operations;
- The main components of information warfare are command and control, intelligence, electronic warfare, psychological warfare, hacker-warfare and economic warfare.
In 1999, Colonels Qiao Liang and Wang Xiangsui in their book Unrestricted Warfare, which concerned the art of asymmetric warfare between terrorism and globalization, emphasized that “technological progress has given us the means to strike at the enemy’s nerve centre directly without harming other things, giving us numerous new options for achieving victory, and all these make people believe that the best way to achieve victory is to control not to kill.” This form of modern war called “unrestricted warfare” means that weapons and techniques are now multiple and that the battlefield is now everywhere. In short, they emphasize that “The battlefield is next to you and the enemy is on the network,” and they add, “information war is the war where the computer is used to obtain or destroy information.”
Finally, it's worth mentioning the Liberation Army Daily, which in 2006 defined information warfare as:
- a process to take advantage of the enemy in a war under conditions of informationization, and
- a process which finds its strongest expression in our ability or inability to use several means to obtain and ensure an efficient flow of information; our ability or inability to make full use of the permeability of information space to share and connect information and information systems, to merge materials, energy, and information and create a combined fighting force; and in our ability or inability to weaken the information superiority of the enemy and operational effectiveness of the enemy’s computer equipment.
Within the framework of these approaches, Chinese military modernization is guided by the concept of “informationization”, which means developing a network architecture that allows the coordination of military operations in multiple dimensions. The strategy of information warfare is contained in the Chinese concept of integrated network electronic warfare (INEW), defined by General Dai Qingmin in the early 2000s. INEW is the integration of electronic warfare (EW), computer network attack (CNA), protecting networks through computer network defence (CND), and intelligence operations through computer network exploitation (CNE). The joint action of CNA and EW against an adversary's Computerized Command, Control, Communications, Intelligence, Surveillance, Reconnaissance (C4ISR) and logistics systems and networks constitutes the basis of offensive Chinese information warfare.
In 2003, the Central Military Commission of the Chinese Communist Party endorsed the concept of the Three Warfares within the concept of military information warfare. The Three Warfares concept includes psychological warfare, media warfare (influencing public opinion both nationally and internationally), and legal warfare (using the tools of national and international law to gain the support of the international community). With respect to this concept, China has been readily accused of cyber attacks (for example against the U.S. power grids in 2009) yet systematically denies any accusation of wrongdoing. Beijing uses the international media to give its own version of events and to call for international cooperation to counter cyber threats. China uses the cyber realm to present itself as a victim, denouncing the “Cold Warriors” whom it accuses of fabricating the allegations against the country, and reminding the international community that China has a legal framework to fight cybercrime.
Several military training centers in China provide cyber-war training programs to military staff and have done so since the mid-1990s. Since 1997 international media have reported a large number of information warfare exercises conducted by military forces. The exercises demonstrate the transition from information warfare theory into practice. The actual information warfare and cyber warfare capabilities of China remain unknown. But whatever these capabilities are, gaining power and superiority in the cyber dimension has become a major issue in China. The objective is to be able to win wars conditioned by information (information warfare, cyber war) before 2050. As Colonel Dai Qingmin said in 2009, “the internet will become the place of an inevitable arms race.”
The Civilian Dimension
In 1995 General Wang Pufeng evoked the revival of the “people’s war” concept, made possible by the integration of civilian and military experts in the same struggle: the traditional battlefield no longer exists, and war may be everywhere, becoming everybody’s matter.
Concretely, the involvement of the civil sector is reflected in many ways:
- China develops its military capabilities in close relationship with private industry and academia, putting into practice policies promoting the connection between private and public sectors, and between civilian and military sectors. This phenomenon can be observed in a great number of other industrialized nations as well.
- At the frontier of the civil-military dimension, militia units established by the army in various military provinces involve citizens from the industry or academia. Units have been set up that have expertise in information warfare, electronic warfare, psychological warfare, information operations, network warfare, etc.
- Some sources suggest the existence of links between supporters of the People's Liberation Army and the hacker community, but one might question whether the Chinese army has any power over the latter. The 2003 “Annual Report on the Military Power of the People’s Republic of China” referenced the dangers inherent in nationalist hacking (hacktivism) during times of crisis. Many actions are credited to Chinese hackers: waves of cyber attacks following the bombing of the Chinese embassy by NATO forces in Belgrade in 1999, attacks against the interests of Taiwan, attacks against official US websites in protest against the collision between a Chinese fighter jet and a US spy plane in 2001, attacks against Tibetan websites, and attacks in 2008 against the website of the French embassy in China following a meeting between the Dalai Lama and the French President Nicolas Sarkozy. The list of hacktivists’ attacks is a long one.
Chinese information warfare is mainly devoted to managing power relations with the outside world, but this may also be applied within the framework of its borders: information and cyberspace superiority are a matter of power in China. In recent years, technological progress has played the spoilsport. Social networks (Twitter, Facebook) have become new actors and tools on the national and international political scene. In August 2009 an article published on the website Central European News in Chinese (Cenews) described Twitter and other social networks as a new weapon used for cultural subversion and for the political infiltration of the country.
Some Thoughts on Critical Infrastructure
The insecurity of critical infrastructure is an urgent issue to be solved. But it is not a recent one. The dependence of modern societies on technologies is not a new story. Stuart Chase wrote in 1929,
“With the growing use of electric power, the telephone, gasoline, and imported foodstuffs, the factor of dependence on an unknown technology is very great… The machine has presented us with a central nervous system, protected with no spinal vertebrae, lying almost naked for the cutting… If, for one reason or another, severance is made, we face a terrifying, perhaps a mortal crisis… Day by day the complexity, and hence potential danger, accelerates; materials and structures ceaselessly and silently deteriorate. One may look for some ugly happenings in the next ten years.”
Even earlier, in 1905, the French Nobel laureate Anatole France proposed a description of the new threats associated with the new technologies of communication when he wrote,
“Telegraphy and wireless telephony were used from one corner of Europe to the other and so easy that the poorest man could talk, when he wanted and how he wanted, to a man located anywhere on the globe. […] It was the lifting of borders. Critical hour indeed! […] The French Republic, the German Republic […] Switzerland even and Belgium, each expressed, by unanimous vote from their parliament and in huge meetings, the solemn resolution of defending against any foreign aggression the national territory and national industry. Tough laws were announced […] regulating severely the use of the wireless telegraph […] Our borders are defended by electricity. The federation is surrounded by a zone of thunder. A simple man wearing glasses is sitting somewhere in front of his keyboard. He is our only soldier. He has only to touch a key to destroy an army of 500,000 men”.
We recognize contemporary themes in these early writings: the global dissemination of a communication technology, the concern it raises among governments, the perceived threat to national security and defence, the resulting authoritative reactions and regulations, and indeed the image of absolute power in the hands of a single man (a hacker?) as powerful as a whole army (asymmetric power?), able to destroy an adversary in one fell swoop, in an image of the Apocalypse, recalling the catastrophic predictions of an electronic Pearl Harbor type of war.
But there is a difference between the early 20th century and the first decade of the 21st century: the fiction of 1905 has become reality in 2010. New communication technologies and virtual cyberspace have acquired the status of weapons and of a space of conflict among militaries and criminals. Their very existence makes new strategies possible. In 1999, Qiao Liang and Wang Xiangsui wrote that,
“Supposing a war broke out between two developed nations already possessing full information technology, and relying upon traditional methods of operation, […] by using the combination method, a completely different scenario and game can occur: if the attacking side secretly musters large amounts of capital without the enemy nation being aware of this at all and launches a sneak attack against its financial markets, then after causing a financial crisis, buries a computer virus and hacker detachment in the opponent's computer system in advance, while at the same time carrying out a network attack against the enemy so that the civilian electricity network, traffic dispatching network, financial transaction network, telephone communications network, and mass media network are completely paralyzed, this will cause the enemy nation to fall into social panic, street riots, and a political crisis. […] This admittedly does not attain dimension spoken of by Sun Zi, when he states, 'The other army is subdued without fighting.' However, this can be considered 'Subduing the other army through clever operations.' […] This is, however, only a thought. However, it is certainly a feasible thought."
Cyberspace has become a vulnerable weaponized system that China knows how to use in times of peace, and a tool to gain more power in a globalized world. The policies developed by the Chinese government and military are officially defensive ones and never suggest any offensive peace-time orientation, as a cyber attack could be considered an act of war by the victims. Beijing authorities officially condemn all forms of cyber criminal activity as well as hacking operations that target Chinese or foreign victims. It is also known that China has offensive technical capabilities and a theoretical/doctrinal framework for information and cyber warfare. Nevertheless, the existence of a strategy alone may not be used as an argument to attribute cyber attacks to China. The fact is that the origin and author of attacks are extremely difficult to authenticate. Perpetrators never sign their attacks, and China is only one among many countries that have cyber war capabilities and theoretical frameworks for information warfare. Several reports assert that more than 120 countries have such capabilities.
Furthermore, the perpetrators of information warfare or cyber attacks may differ over time, with differing objectives and strategies. A major cyber attack could be perpetrated by an inside actor, or by any hacker from any country in the world. According to a senior intelligence official, quoted in an article published in April 2009, "The Chinese have attempted to map our infrastructure, such as the electrical grid…So have the Russians." The director of U.S. National Intelligence said that a number of nations, including Russia and China (but not limited to them alone), can disrupt elements of the U.S. information infrastructure.
Focusing our attention on the “Chinese” source of cyber attacks may prevent us from objectively viewing the new global strategic environment. The risk is to ignore threats emanating from other nations and their own information-cyber warfare communities. Again, due to technical reasons, we do not really know which attacks originate in China or elsewhere. Blindly accusing countries is a risky game with unforeseen consequences.
Conclusions
The complex combination of interdependent systems, actors, and infrastructures may be the final target of cyber attacks. In this case, the perpetrator might be a hacker operating for fun, or even spies leaking data, or cybercriminals. But the most dangerous threat is the effect-based attack: the target of the cyber attack launched against this complex may be the individuals, the society or the economy that are dependent on the critical infrastructures. Through paralysing the critical energy infrastructure (CEI), the perpetrator can target the larger social environment. Several questions must be answered in this regard. Is a comprehensive cyber attack possible against CEI? Is a cyber attack against a CEI efficient? What is the impact of the cyber attack on CEI? The infrastructure being a complex system, the attack may in fact have minimal or no impact.
If the answer to one or more of these questions is affirmative, then it must be asked what the secondary effects of such an attack are. Are the impacts limited to technological problems, and is the problem easy to solve? How far could the effects of a CEI attack impinge upon national or international relations with foreign partners, or even on international energy markets? If the attack is limited to societal impact, how does a government manage to stabilize the situation? In an extreme instance, the technical solution (recovering the activity of the CEI) is no guarantee of the stabilization of the social situation. Might the victim of such a cyber attack turn it to good account? The victim might use the incident/attack to denounce the aggressive will of adversaries, to call for international cooperation, to use the attack as a political argument within the scope of the international arena, etc. The answers to these questions demonstrate that the cyber threat against critical energy infrastructure is not of limited technical scope but one of global geopolitical importance.
Increasing the security of critical infrastructures and in particular energy infrastructure requires:
- Irrefutable proof concerning the identity and motivations of perpetrators. In short, efficient attribution technologies must be developed.
- A secure technical environment provided by technology; the exploitation of technical failures is the source of cyberspace insecurity.
- Scenarios for recovery after an incident and scenarios to strengthen resilience.
- Reaction capabilities, articulated scenarios, and coherent policies to guide nations in a post attack period.
- The application of basic rather than complex and costly standards and policies of security. Most important for security is not complexity but applicability. Audit processes and security certifications should be reduced, and the application of basic security solutions (using antivirus protections, regulating the use of information systems by employees, disconnecting sensitive systems from the public internet, strengthening the security of sensitive and personal data, applying access policies, etc.) should be advanced.
- A focus on strategy: information and cyber warfare are matters of strategy, technical issues are of secondary importance.
- Developing “national” solutions (applications, software, hardware, infrastructures) rather than relying on foreign suppliers of essential technologies.
Daniel Ventre is a researcher at CNRS in Paris. His website is http://infowar.romandie.com