The Art of Cyber War —- Keeping Hackers on a Tight Leash

29 09 2011

Many of us may have envisioned that future human warfare will be predominantly conducted in cyber space. Cyber warfare (CBW) may still be an abstract concept to the general population, but as information security professionals, we know that the battle has already begun. CBW includes not only international espionage, but also domestic intrusion into organizations’ information network systems, such as, corporate and banking networks and government databases. Countries are spying on each other and individual hackers are exploiting the vulnerability of information systems. The most frightening part of CBW is that it only takes one hacker to create extensive irreversible damages. Given the risk that we are facing, continuously revamping security systems and creating new techniques are not enough to confront invaders who are also upgrading and transforming and becoming more advanced. A more proactive effort to approach the challenge from other angles is needed.

The ancient Chinese military treaties, “The Art of War,” suggested a basic principle that applied to any kind of warfare; if you know your enemy as you know yourself, then you will always be in a win-win situation for every battle.  The underlying rationale of the principle is that one can only gain absolute control over the subjects or objects that they profoundly understand. In order to keep hackers on a tight leash, cyber security professionals need to study who and what they are against. This principle may sound exaggerated; yet its significance has been authenticated by the victory of wars won in Chinese history.

For this principle to work, a precondition has to be met.  We need to be experts of every aspect about ourselves, such as our goal for securing systems, our information management technology, our competence to secure the information networks, our ability to respond immediately to incidents, and our potential to improve and develop methodologies in the field. This is what many information security professionals are focusing on.

However, by accomplishing this precondition, we only have 1/3 of the probability to win the war, as Sun Tzu, the author of “The Art of War,” would say. To gain the other 1/3 of a chance to win, we need to study every aspect of the intruder’s aspirations. For example, who in the population is capable of being an intruder? What is the geographical information about this sub-population? Among them, do they have the kind of personality and motive to commit an intrusion? Are there any observable abnormal behaviors in their daily work? Where in the system would they be likely to start to act out? What kind of technique will they be likely to use?

Through scientific studies, including both experimental and non-experimental, we can have an objective understanding about the intruders. For instance, between 2002 and 2007, the inside threat study team at CERT collaborated with U.S. Secret Agents. Together they collected data about 250 cases of incidents that caused different levels of damage on the information system of affected organizations.1 The data significantly showed the general trends of the characteristic of the attackers.  Seventy-seven percent of the attackers were former or current full time employees.2  Eighty-six percent of the intruders held technical positions, including 36% system administrators, 21% programmers, 14% engineers and 14% IT Specialists.3 Although 96% of the 250 attackers are male, there was not enough evidence to support the hypothesis that hacking behavior is associated with gender.  The issues of random sampling and ratio of gender working in IT jobs can be two confounded variables. The subjects are demographically varied in terms of age, racial, gender, and marital status.

Researchers also found that the main motive of their action was revenge.4 The attackers, in 92% of the cases, were triggered by a unpleasant work-related event.5 After subjects experienced cognitive dissonant from the negative events, they were likely to develop a motivational drive to reduce their degree of discomfort by means of what was accessible to them. Thus, to use their specialty in technology and authentication to intrude into the network system is a way to retaliate against their employers. In addition, revenge is not only justified due to religious’ beliefs, but also it is due to concerns about social law reinforcement, such as the death penalty. For details of this finding, please refer to the original article.

After the above simply analysis, we now have a better idea of who are more likely to commit the violation of 18 USC §1030 and why they decide to do it. This sub-population needs to be studied explicitly to obtain the second 1/3 of winning probability.

For questions, you may contact me at yinghan@andrew.cmu.edu or make a common on www.theartofcyberwar.blogspot.com.


1.   Insider Threat Study, CERT at Carnegie Mellon University, May, 2008 https://www.cert.org/insider_threat/study.html

2.  Keeney M., et al., “Inside Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005

3.  Keeney M., et al., “Inside Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005

4.  Keeney M., et al., “Inside Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005

5.  Keeney M., et al., “Inside Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: