Notes from NATO’s cyberwarfare conference in Tallinn
This week I am in Talinn, Estonia, attending the first big cyberwarfare conference put together by the good folks at NATO’s new Cooperative Cyber Defense Center of Excellence (whose work I covered in my Newsweek column on an earlier visit). The conference resembles an academic event rather than a usual industry gathering; speakers had to ...
This week I am in Talinn, Estonia, attending the first big cyberwarfare conference put together by the good folks at NATO’s new Cooperative Cyber Defense Center of Excellence (whose work I covered in my Newsweek column on an earlier visit). The conference resembles an academic event rather than a usual industry gathering; speakers had to submit formal papers, which would be peer-reviewed and possibly published after the event. Moreover, many of the talks are on topics that get little to no attention in the media (seriously, when was the last time you read about “proactive botnet countermeasures”, “behavioral analysis of zombie armies” or, my personal favorite, "enhancing graph-based automated DoS attack response”?).
I like this more academic approach, for it helps us not to get lose into a maze of metaphors like “digital Pearl Harbors” and “cyber 9/11”, leaving more important subjects unaddressed. In fact, the only people using such overemotional expressions at the conference also seem to be pitching their own software or consulting solutions to help us cope with the “cyber-scare”. There are, obviously, quite a few military types in attendance– it’s a NATO conference, after all – but I also spotted many academics, policy-makers, and geeks (or, at least, pony-tailed , slightly overweight, and chaotically-dressed people who resemble them a lot).
There is also a great social program in the evenings here; one evening performance included a Microsoft employee showcasing how to carry a live cyber-attack; this is certainly the kind of a dinner address that I would like to see at other conferences (sadly, my social life at this conference leaves much to be desired; I spend most of my evenings here talking to reporters about Iran locked up in my hotel room). The Estonian National Theater (also known as the Opera, I guess) is one of the best conference venues I’ve been to: lots of free and fast wifi, excellent art-work, huge audiences, and, well, this building is definitely not your military bunker most commonly associated with the cyberwar!
Here are my notes from some of the talks I’ve attended. Most of them have been far too interesting (and long – 45 min each) to summarize in detail, so I’ll only highlight the most interesting facts and concepts.
Jose Nazario of Arbor Networks mentioned the growing impact that DDoS-attacks – used predominantly as means of intimidation – are having on elections worldwide. To illustrate his point, he spoke of attacks on Kasparov.ru in Russia as well as the recent DDoS attacks on the web-sites of several parties in the UK; the Iranian case was, obviously, an elephant in the room (yet, surprisingly, Iran was barely mentioned throughout the entire conference). Nazario also pointed out to the disturbing frequency with which DDoS attacks are now accompanying important geopolitical and diplomatic negotiations, pointing to a spike in DDoS attacks against Ukrainian web-sites as anti-NATO protests where sweeping the country (the attacks carried a "NATO go home" message).
Felix Leder and Tillmann Werner, both of the University of Bonn, gave one of the best talks at the conference, describing their efforts to analyze, infiltrate, and even shut down botnets. Before telling us about the nuts and bolts of botnet take-downs, they also gave a very informative primer on “the botnet anatomy”, describing the major differences between centralized, locomative and decentralized (or peer-to-peer) botnets. The most interesting part of their talk was the one that dealt with addressing numerous ethical and legal challenges that botnet fighters like them face. Unfortunately, the outlook is not too bright: privacy concerns (is it okay for two German researchers be cleaning up our computers without our consent?), uncertainty with regards to liability (who is to blame if something breaks while they are disinfecting our computers?), and various diplomatic and geopolitical concerns (why take all these risks only to find out that DHS thinks you are a threat to national security and ban you from entering the US?) all make it very unlikely that the botnet problem would be solved anytime soon, even if the technological means are already available.
Roelof Temmingh, the CEO of Paterva, showed the audience how easy it is to create fake but credible online profiles and make them look very credible; some of it could even be automated. One use for such mass-production of fake identities may be to organize what he calls “social denial-of-service attacks”, where hundreds of angry (but fake) individuals will send yo a Twitter message every morning, “telling you how much they hate you”. Temmingh says it takes 3-4 months to "create" and “grow” a virtual person; he showed us one such fake individual – Eugene Gregoria from Singapore– that he invented. He also shared some interesting tips on how to use services like Google AdWords for tracking global interesting in subjects that nobody but you needs to know about (e.g. “imagine” getting alerts when someone searches for a secret keyword that only you are supposed to know!). Another interesting part of Temmingh’s talk was focused on how much useful information can be drawn from open and publicly available sources; he demoed a piece of software that pulled quite a lot of interesting data even on the ultra-secretive employees of NSA.
Olivier Thonnard, of the Royal Military Academy in Belgium, spoke about the importance of researching the behavior of zombie armies – i.e. large groups of malware-infected computers that could form one or several botnets. Much of such research is carried in the framework of the WOMBAT project funded by the money from the EU. WOMBAT is definitely an acronym I like: Worldwide Observatory of Malicious Behaviors and Attack Threats; it’s good to be a botnet – you get your own observatory! Thonnard is particularly focused on studying the long-term behavior of such zombie armies: their average size, survival time, actions and evolution. The findings so far are quite interesting: the longest lifetime of a botnet that they studied has been be 586 days while the average life-time seems to more around 98 days; the long-living botnet is definitely an outlier and it’s quite puzzling that botnets can live for that long. Thonnard also spoke of “zombie-friendly places”, for they do see that highly uneven spatial distribution of infected computers in a limited number of "unclean networks". One of the most interesting future dimensions of this research for myself would be learning how different botnet armies can coordinate their behavior with each other, something, that according to Thonnard, is observable.
Amit Yoran, the former cybersecurity czar under Bush and currently the CEO of NetWitness, gave a very gloomy speech about the prospects of fighting the cyberthreat (NetWitness must have been a major cheerleader for this event, for it was impossible to step in any conference hall without seeing one of its banners or screens – they must have a lot of promotional materials, to which we have all been, well, “witnesses”). Yoran, who a few weeks ago said that cyber-9/11 has been happening in slow motion over the last decade did not deviate much for this message, sharing very deep observations of like “We’ve lost the cyberwar (ed. so it has already begun?) because the venue favors the attacker”. I am not even sure how to summarize Yoran’s speech here, for he thinks that everything needs to be changed – the metrics, the fundamental computing as well as security paradigms, and even our propensity to analyse everything in turns of returns on investment, in which Yoran says he doesn’t believe. Well, may be; to me this sounds exactly like the kind of challenging things that a cyberczar could have been doing in his day job.Oh wait, Yoran was the cyberczar…
Ned Moran, who teaches at Georgetown and also does some work for Booz Allen Hamilton, spoke of historical analogies with which we could better understand the threats posed by cyberwarfare. He mentioned four that have been most influential so far: the Strategic Defense Initiative, the Cold War, the National Highway System, and the Pearl Harbor. He also showed an interesting matrix depicting how other analogies could fit in on two of axes (one being inspiration vs desperation and the other one being disruptive vs systematic). I didn’t expect anything less than a cyberwarfare matrix from the PowerPoint factory that Booz Allen Hamiltion is, but I still have my issues with using too many metaphors to communicate a problem that may be fundamentally different from the ones we have faced in the past. Metaphors here could only distract us – but I’d be happy to be proven wrong. In my opinion, many of such metaphors – Cyber Cold War and Cyber-balkanization among others – make little sense and only incite unnecessary paranoia from the general public (update: I should point out that Ned Moran said just that in his talk).
Cyrus Farivar, a freelance technology reporter who has written widely about cyberattacks on Estonia (and also a good friend), gave an excellent talk on how journalists go about writing on a subject as complex as cyberwarfare. Cyrus spoke of journalists’ excitement over the prospect of covering a “war” without actually having to go to a war zone (however, Misha Glenny, a veteran war journalist, who happened to be in the audience, had little doubt that reporting on cyberwars comes no close). Cyrus also showed an interesting screenshot from Google Trends, depicting a growing media fascination with the subject of cybersecurity – there is no way to deny that journalists are not interested! He cautioned policy-makers against using inappropriate comparisons to nuclear attacks and other calamities and called on everyone working in cybersecurity to also do their homework and try to think of how journalists think and which journalists/media outlets could give their story the best coverage (this was particularly relevant given a keynote about GhostNet given by Nart Villeneuve, where he explained how he had been working with the New York Times before they broke the story). One word of advice that Cyrus gave to the attendees was to find ways to encourage journalists to learn more about the subject, perhaps, even by organizing various training events and conferences (Heli Tiirmaa-Klaar, who is one of Estonia’s most senior cybersecurity officials seconded that suggestion).
There were a few other sessions but they were either too academic or too well-known to be reported here (i.e. we all know about the GhostNet already!). We have half-a-day of the conference left, and it has so far been a very interesting experience. I am looking forward to the next edition of this conference next year; too bad I won’t be able to make it to their Cyber Conflict Law and Policy Conference, to be held in mid-September.