Hacker wars: Look deeper -- it's not hype
This week's guest columnist is Gerald Freese.
Many observers who followed the events of the People's Republic of China's (PRC) self-proclaimed Sixth Online War of National Defense dismissed it as so much "hype," with little substance or lasting impact. These "experts" reduced the hacker war to a scorecard, tracking tallies of defaced sites and summing it up with the final equation that "no real damage equals no real war."
In fairness to those who took this expedient -- if incomplete -- view of events during the cyber conflict, there are some facts that partially support their conclusions: The attacks were primarily Web site defacements, with a few marginally successful e-mail floods or other types of basic denial-of-service attacks. The much-touted organization of the pro-PRC hackers wasn't refined enough to avoid the execution of some poorly coordinated attacks. Also, if we look at the sites attacked by the pro-PRC hacktivists, many were small organizations with little apparent strategic value. These items, along with an assumption that there is some validity to a "what-you-see-is-what-you-get" high-level analytical approach, lend some credence to the "hype" theory.
The "hype" group, a small set of media outlets and IT security firms, believes the U.S. press and the majority of their security sources seriously inflated the war's significance. This is not a new approach, but
Regarding the press, there are times when they focus primarily on the higher level issues in the name of brevity and breadth of coverage. This is understandable, since stories and their public interest characteristics emerge and disappear quickly. News comes in pieces, usually from a number of sources, sometimes linked with previous events, sometimes not. On the other hand, contributing analysts, by nature of their function, look at events in a continuum. For them, the Sixth Online War didn't begin on April 30. It continued from where five previous PRC online wars left off. It's viewed as the most recent phase of a continuing significant security threat, not a "factoid" in a finite period in time. If something is lost in translating information from a long term, ongoing analytical product into an encapsulated interview quote, it's probably less hype and more a matter of time constraints and a reflection of the scope of the event.
The true significance of the Sixth Online War doesn't reside in its visible end results. Its actual importance is in what it might have been and could be in the future. This time we had foreknowledge of intent. We knew the PRC hacker group names and had lists of their preferred attack tools. There were public chat rooms discussing anti-U.S. hacking activities throughout the eight-day period. We even had schedules for attacks on specific U.S. sites. Though these could have been part of a misinformation campaign, they were surprisingly accurate data sources.
Eliminate all the things we knew or suspected. What if all of the ingredients -- the coordination, the experienced hackers and the destructive tools -- had been focused against the U.S. without even a hint that attacks were forthcoming? There are myriad tools and methodologies that could have been employed. Experienced hackers could have launched simultaneous, multiple-tool attacks against government and commercial sites. Networks could have been rendered useless through concerted virus, denial-of-service and massive distributed denial-of-service attacks. Because these are viable possibilities for future conflicts, a good strategy might be to shift our attention and energy away from what we saw during the seven-day offensive and focus on prevention of those things we fortunately didn't have to experience.
The data we gathered from the Sixth Online War provides a strong foundation for analysis. It helps define the issues and provides structure for determining likelihood of occurrence and potential impact. It gives us indicators of security measures that require immediate action and which ones can be deferred. Attacks designed to disrupt U.S. networks may not be imminent, but the likelihood of their future occurrence is growing. Analysis of these types of events is not hype. It's a necessary first step in security planning, risk assessment and effective information infrastructure defense. Asking "what if," evaluating the risks to your networks before a disruptive attack, is significantly better than having to ask "what now" after it has occurred.
About the author
Gerald Freese, director of intelligence for Vigilinx, is responsible for overseeing Vigilinx Security Intelligence System (VISIS) operations, as well as the development, production and distribution of the firm's intelligence services. Freese also develops ongoing digital technology threat assessments, intelligence white papers and articles for commercial security publications.
This was first published in June 2001