Cyber-attacks: some definitions

7.  Attacks on and through the Internet can range from the trivial to the potentially catastrophic. The Internet is increasingly used as a medium for the commission of crime. The scale of just one type of criminality—online banking fraud—is enormous. One study estimated US losses in 2008 to have been $1.7 billion,[4] although recent research claims to have identified flaws in the methodology and suggests that the true figure is significantly lower.[5] In the United Kingdom, where the Payments Council collates accurate data from all of the banks, losses from online banking fraud reached £39 million for the first half of 2009, a rise of 55% over the first half of 2008.[6] Individual losses can be very large, but cyber-crime of this type by its nature depends on a fully functioning Internet; as Dr Steve Marsh, the Deputy Director of the Office of Cyber Security in the Cabinet Office, told us, it is not in the interest of criminals to bring down the infrastructure which is earning them money (Q 19). This is therefore not the sort of cyber-attack we are concerned with in this inquiry.[7] Nor have we considered the generally small-scale attacks launched by disaffected persons for their own gratification or for the admiration of their peers.

8.  At the other end of the scale is so-called cyber-warfare. This can be thought of as the politically motivated use of the Internet deliberately to damage the organs of a State or alliance of States; but "cyber-warfare is really just one end of a wide spectrum of threats" (Marsh, Q 33). In between these extremes lie many variants, including incidents where cyber-attacks against a State originate in the private sector but coincide with the interests of a potentially hostile State—"proxy" attacks.

9.  The routine weapon for many types of Internet attack is the botnet—a collection of compromised computers (bots) running malicious programs that allow them to be controlled remotely. "It is almost depressingly easy for a criminally-minded individual of even limited technical knowledge to create, maintain and exploit botnets, as many are now sold on underground markets in kit form complete with support arrangements."[8] Botnets are inexpensive and relatively easy to create and manage. In 2008 Symantec saw botnets being sold online for as little as $0.04 per member bot.[9]

10.  Internet attacks are very difficult to trace, and the ultimate source of such attacks can seldom be attributed with any confidence to a particular country, let alone a particular individual. Usually the most that can be said for certain is that a large number of bots have been commanded to send the victim a flood of traffic designed to overwhelm their servers or consume their bandwidth. This method of attack is called a distributed denial of service (DDoS), and the aim is to make the victim's computer, or even their entire network, unusable for either internal or external users.

Estonia, April-May 2007

11.  An example often given of cyber-warfare against a State, in this case a Member State, and the example used by the Commission in its Communication, is the series of coordinated DDoS attacks against Estonia in April-May 2007.

12.  The attacks were not particularly large: Dr José Nazario of Arbor Networks told us they were "modest by global standards" (Q 153); but they were particularly effective because Estonia is one of the most wired countries in the world but lacked an IT security apparatus of similar scale. This has since improved. XS4ALL, a Dutch Internet Service Provider (ISP), believes in any case that the attacks against Estonia were "atypical for the damage they caused" (p 164).

ATTRIBUTION

13.  The initial reaction in Estonia was to assume that these were attacks by the Russian State, but Dr Marsh told us that it was "very hard to say whether these were state-sponsored or state-condoned or really people who thought that they would act patriotically for whatever cause they were supporting at the time" (Q 38). One individual, a 20-year old ethnic Russian living in Estonia, was eventually prosecuted and fined for his part in the attacks, but it is clear that he was not solely responsible for events.[11]

14.  Among those who have claimed responsibility is the Russian youth group Nashi. Dr Nazario's view is that, even in the case of Georgia where the peak size of the attacks was substantially larger than the attacks on Estonia the year before, we simply do not have the evidence to attribute any of these attacks to a specific group or a Government agency. On the contrary, analysis of the data suggests non-State actors.[12]

China

15.  The attacks against Georgia to which Dr Nazario refers (and indeed corresponding attacks by Georgia against the Russian Internet) were an example—perhaps the first example—of attempts to wage war using the Internet as a weapon. But Professor Ross Anderson, Professor of Security Engineering at Cambridge University, brought to our attention an attack on a different scale but in its own way just as harmful: the infiltration, also known as GhostNet, of the email system of the Office of the Dalai Lama carried out by hacker groups and civilian auxiliaries as part of China's overall strategy.[13]

16.  The recent and on-going dispute between China and Google, which is the world's largest Internet search company, cannot be classed as a direct attack by China against Google, but rather as attempts, described by Google as "highly sophisticated", to spy upon the activities of human rights activists around the world. Discovery of a sophisticated intrusion into a corporate Google system, reminiscent in many ways of the attack on the Dalai Lama, led Google to identify about 30 other US companies that were also being spied upon, along with the compromise of dozens of individual Gmail (Google-hosted web-based email) accounts.

17.  The discovery of this espionage has led Google to announce that it will refuse to continue the censorship of its Internet search engine in China. On 2 February 2010 US Director of National Intelligence, Dennis C. Blair, called the Google attacks a "wake-up call." Cyberspace cannot be protected, he said, without a "collaborative effort that incorporates both the US private sector and our international partners." The US National Security Agency (NSA) is now joining with Google to help Google defend itself better against future attacks. The alliance is being designed to allow the two organisations to share critical information without violating Google's policies or laws that protect the privacy of online communications. Achieving collaboration is not easy, because private companies do not trust the government to keep their secrets and because of concerns that collaboration can lead to continuous government monitoring of private communications.[16]

18.  These examples illustrate that attacks can be of major importance without necessarily being large-scale. Estonia was both; thousands of machines were involved in the DDoS attack, and the results were dramatic, albeit only for a short time. The attack on the Dalai Lama involved only a few machines, was of importance only to those involved, and scarcely featured in the news. The dispute with Google, though of great political importance and constantly in the headlines, has directly involved only their corporate machine and a few dozen end users. This type of cyber-espionage, involving very small numbers of attacking machines and botnets, is not on the scale envisaged by the Commission, nor is it within their competence under the Treaties, for the reasons we give in paragraph 37. The Communication is concerned only with three types of attack:

• an attack that is aimed at the network itself, or at some specific piece of critical information infrastructure (such as the power grid), and which hence impacts on almost all users;
• an attack that uses large-scale resources to attack a small number of sites, e.g. DDoS attacks; or
• an attack (using any scale of resource) on a large number of sites, e.g. the indiscriminate bulk sending of emails (spamming).

Natural disasters and accidental damage

19.  The Internet can also be affected by major natural disasters such as Hurricane Katrina in 2005, when President Bush admitted that the administration had lost situational awareness in New Orleans as a direct result of degraded communications infrastructure (Stevens, p 161), and by major accidental damage. The Communication refers to these collectively as "disruptions".

20.  The December 2005 explosion at the Buncefield oil refinery, reportedly the largest peacetime explosion ever seen in Europe, is an example of how parts of the Internet can be accidentally damaged. The offices of the IT company Northgate Information Solutions, adjacent to the refinery, were destroyed, with short-term effects including the disruption of automated admission and discharge systems for Addenbrooke's and Papworth Hospitals in Cambridge, and as far as the James Paget Hospital in Great Yarmouth. The company also runs payroll systems for the employers of one in three Britons, paying out billions of pounds each month. Significantly however, good business continuity planning at the company in this case ensured that the disruption to these services was minimised.

21.  On 30 January 2008, while sheltering from savage storms in the Mediterranean, ships off the coast of Alexandria dragged their anchors and severed two inter-continental fibre-optic cables. The cable breaks resulted in the loss of 75% of Internet capacity between Europe and the Middle East, Pakistan and India. This severely disrupted connections from United Kingdom banks to call centres in Bangalore which make extensive use of Voice Over Internet Protocol (VOIP).

Resilience of the Internet

22.  We asked all our witnesses for their views on whether the Internet was resilient to attack, since this is a prominent concern of the Commission Communication. They were unanimous that it was highly resilient. Mr Ilias Chantzos, the Director of Government Relations at Symantec UK Ltd, part of an American multi-national company which is one of the world leaders in information security, went so far as to say: "…the Internet is probably one of the most resilient networks that has ever been built. I would argue that the Internet has been designed to withstand a nuclear war" (Q 144).

23.  Professor Jon Crowcroft, Marconi Professor of Communications Systems at Cambridge University, explained the reason for its resilience: "The Internet is a network of networks, and its management is to a very high degree decentralised. This is one of its greatest strengths in resisting attacks. It is hard to find specific weak points, and rare that any particular failure will lead to widespread problems … Terrorists and other enemy organisations are themselves organised in decentralised ways. Asymmetric warfare works for them because their targets are centralised and obvious. The net is one infrastructure which resists this, and should be understood to be more robust as a result of this" (p 124). The Government took the same view in their written evidence: "The Internet is inherently resilient due to diverse network routes, robust network designs, a variety of network providers and the use of different makes of network equipment." With regard to the position of the United Kingdom, their view was that "It is highly unlikely that the UK could be 'cut off' from the Internet by remote electronic attack or technical failure" (p 1).

24.  We do not think the Government are being complacent: our witnesses generally thought the United Kingdom had sophisticated defences compared to most other States. ENISA, the European Network and Information Security Agency, commenting on mechanisms for dealing with Internet incidents, wrote that "the UK, along with a limited number of other Member States, is considered a leader in this area with developed practices that set benchmarks for others to adopt." It was for this very reason that, in their view, the United Kingdom could only benefit from the development of greater capabilities in other Member States (p 73).

25.  The 9/11 attacks on the World Trade Centre took down many network connections in New York, but did not bring the Internet down, though they slowed it. JANET, the United Kingdom academic network, told us that their main link went to one side of the World Trade Centre and the back-up link to the other side, but there was a link to New Jersey as well.[17] Chris Gibson, the Chief Finance Officer of FIRST,[18] added: "In my bank we build the network to cater for that, we will have satellite connections that are wholly separate from the ground connections until they get to the building so if someone takes a JCB and drives through it, fine, we have a satellite connection and it will work" (Q 87).

26.  This is not to say that attacks cannot take down individual parts of the Internet and have a dramatic short-term effect. We have already referred to the effect of the Buncefield explosion on hospitals a long way away, but this was put right in a matter of days. The United Kingdom Information Systems Security Association (ISSA-UK) and the BCS (the Chartered Institute for IT), which submitted evidence jointly, explained that individual enterprises and critical infrastructures can be vulnerable to attack (p 143), and Mr Cormack was "confident" that a botnet could take any university off the JANET UK network (Q 87). A failure of the Thames Barrier would flood the London Docklands and have a major impact on the Internet. But the point repeatedly made to us was that the Internet itself would be able to withstand attacks robustly, and better than any traditional alternative means of communication.[19]

27.  Whether enough has been done to protect the infrastructure itself is another matter. Section 2 of the Digital Economy Act 2010[20] will insert in the Communications Act 2003 a new section 134B1(h) which will require Ofcom to prepare reports on "the preparations made by providers of UK networks for responding to an emergency, including preparations for restoring normal operation of UK networks disrupted by the emergency". The impact on the Internet of a failure of the Thames Barrier is a prime example of the sort of matter Ofcom should be considering.

28.  We are conscious that cyber-attacks, or natural or man-made disasters, can cause acute disruption to the Internet in the short term. However we believe that the United Kingdom is reasonably well placed to cope with such disruptions. We note that it is thought to be a leader among Member States, with developed practices that set benchmarks for others to adopt.

5   Cormac Herley & Dinei Florêncio: A Profitless Endeavor: Phishing as Tragedy of the Commons. New Security Paradigms Workshop, 2008:
http://research.microsoft.com/en-us/um/people/cormac/papers/phishingastragedy.pdf Back

6   http://www.ukpayments.org.uk/media_centre/press_releases/-/page/732/ Back

7   Cyber-crime was the subject of a report by the House of Lords Science and Technology Committee: Personal Internet Security, 5th Report, Session 2006-07, HL Paper 165-I (report) and 165-II (evidence), and a follow-up report: Personal Internet Security: Follow-up, 4th Report, Session 2007-08, HL Paper 131. Back

8   Payments Council, p 155. Back

9   Symantec, p 52. Back

10   Staff, "Cyber Security Strategy," Estonia Ministry of Defence. Back

11   http://news.bbc.co.uk/1/hi/technology/7208511.stm Back

12   Nazario, Politically Motivated Denial of Service Attacks, a paper presented at the Conference on Cyberwarfare organised by the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, in June 2009. During the Georgian attack there was a peak bandwidth utilisation of over 800 Mbps, as compared with 95 Mbps in the Estonian attack.  Back

13   There is a discussion of China's cyber programmes in our report Stars and Dragons: The EU and China (7th Report, Session 2009-10, HL Paper 76, 22 March 2010). Back

14   A rootkit is a software system that consists of one or more programs designed to obscure the fact that the system has been compromised: see http://en.wikipedia.org/wiki/rootkit Back

15   Q 246. Extracted from The snooping dragon: social-malware surveillance of the Tibetan movement, by Shishir Nagaraja and Ross Anderson, University of Cambridge Computer Laboratory Technical Report No 746, March 2009, http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf. Back

16   Washington Post, 4 February 2010. Back

17   Andrew Cormack, Chief Regulatory Adviser of JANET (Joint Academic Network) (UK), Q 87. Back

18   Forum for Incident Response and Security Teams Back

19   See, in addition to the witnesses already cited, ENISA (p 70) and Tim Stevens (p 161). Back

20   The reference is to clause 2 of the Digital Economy Bill at the conclusion of the Report Stage in the House of Lords on 8 March 2010. Back