War of the Future: National Defense in Cyberspace
Germany's military, the Bundeswehr, trains its own hackers -- and it's not the only official effort to defend a nation from denial-of-service attacks. Governments around the world are preparing for the future of war.
This is what an officially appointed hacker looks like: A man with gray hair and a moustache, wearing a blue German Air Force uniform. His name is Friedrich Wilhelm Kriesel, and he's 60 years old, a brigadier general and the head of the Bundeswehr's Strategic Reconnaissance Unit.
Kriesel has been deployed to the front lines of a battle that has recently come in for special attention from the Bundeswehr. The general's task is to prepare for the wars of the future, parts of which could be waged on the Internet. Kriesel seems to be the right man for the job. With about 6,000 soldiers under his command, his unit already operates like an intelligence service.
Strictly isolated from the public at the Tomburg barracks in Rheinbach, a picturesque town near Bonn, 76 members of his staff are busy testing the latest methods of infiltrating, exploring and manipulating -- or destroying -- computer networks. The unit, known by its harmless-sounding official name, Department of Information and Computer Network Operations, is preparing for an electronic emergency, which includes digital attacks on outside servers and networks.
The uniformed hackers from Rheinbach are Germany's answer to a growing threat which has begun to worry governments, intelligence agencies and military officials around the world. Now that computers have made their way into practically every aspect of life, their susceptibility to attacks has risen dramatically. In the United States, experts have been warning for years against an "electronic Pearl Harbor," a "digital Sept. 11" or a "Cybergeddon."
The use of the term "war" in the Estonian case was controversial from the start, and rightfully so, since there were no dead or wounded. Nevertheless, the attack shows that assaults on the virtual world can also have disastrous consequences. The Internet has developed into a virtual battlefield, which can mirror conflicts in the real world.
Many countries are now preparing for similar threats. The Americans alone plan to invest billions of dollars in a national cyber-defense program. Western intelligence agencies and military officials are convinced that their enemies are in the East, just as they were in the Cold War -- in Russia and China. A report submitted to the US Congress last fall concluded that China is "aggressively" expanding its cyber-warfare capabilities and may soon possess an "asymmetric advantage." According to the report, "these advantages would reduce the conventional superiority of the United States in a conflict situation."
The Germans have also had adverse experiences with China in this field. Just two years ago, the Federal Office for Protection of the Constitution (BfV), Germany's domestic intelligence agency, informed the government that servers from Lanzhou province in China had attacked several German ministries and the chancellery with malicious software aimed at tapping sensitive information.
In mid-January the cabinet approved draft legislation to "strengthen the information security of the federal government." The draft legislation is now being reviewed by the Bundesrat, the upper house of the German parliament. So far it has gone largely unnoticed by the public, but the draft will be submitted to the lower house, the Bundestag, in early March. The "special urgency" of the legislation stems from the "need to safeguard government communication." The corresponding government agency, the Federal Office for Security in Information Technology (BSI) in Bonn, is to be expanded into something resembling a data watchdog for government agencies.
Defense Minister Franz Josef Jung ordered Bundeswehr officials to develop a cyber force for the military three years ago. It was the birth of Kriesel's unit.
The soldiers use the same methods employed by criminals. The future digital warriors learn how to load malicious software onto outside computers, unbeknownst to their users, through e-mail, external media like a CD-ROM or simply "while surfing by" on a prepared Internet site. Infected computers can then download additional malicious programs, such as a keystroke logger that captures every key pressed on the machine and can thus record whole e-mail messages, Internet addresses and passwords. The program then inconspicuously sends the collected entries to a remote computer.
The training agenda in the unit's offensive division is even more difficult and exotic. The Rheinbach soldiers no longer fight with tanks, fighter jets and assault rifles. Their weapon is the computer, and their simulations sound like science fiction or scenarios from a computer game. Kriesel's soldiers study the two major types of cyber assault -- "denial of service" and "botnet" attacks -- based on the real-life attacks on Estonia and Georgia.
Science Fiction from the Real World
In Estonia, a political conflict over the relocation of a Soviet memorial spilled over into the Internet after only a few hours in the spring of 2007. The Estonians had removed a bronze statue during the night, planning to move it from downtown Tallinn to a more remote military cemetery. A symbol of occupation for many Estonians, the statue represented the Soviets' victory over Nazi Germany on behalf of the nation's Russian minority.
In less than 24 hours, the first wave of attacks was recorded on Web sites of the Estonian prime minister, the parliament and various political parties. Hackers placed a false apology for the decision to relocate the statue on the sites. They also gave the prime minister a Hitler mustache on one of his Web pages.
Various Russian Internet forums also posted instructions on how individual users could express virtual displeasure with the Estonian decision. The forums provided descriptions in Russian of how to flood Estonian Web sites and servers with test signals -- instructions for a classic denial-of-service attack.
The instructions produced the desired effect, as the volume of data traffic rose dramatically on Estonian networks. Experts with the Estonian Computer Emergency Response Team detected orchestrated attacks on individual targets coming from more than one million computers. The attacks emanated from so-called "botnets": linked computers that have been infected with malicious software and can thus be used for criminal purposes, unbeknownst to their owners, whenever the owners are online.
The consequences were devastating. The Estonian parliament had to shut down its e-mail system for half a day. Internet providers temporarily cut off their customers' connections, and several Estonian banks were unreachable online for an extended period of time.
After that, one Estonian network provider counted a total of 128 attacks, including 36 on the websites of the government and parliament, 35 on the Estonian police and another 35 on the finance ministry.
For military officials and intelligence agencies around the world, Estonia is considered a precedent with an unsettling message. According to a Swedish study, the Estonian case conclusively demonstrates "that an individual attacker or a group can, with relative ease, significantly disrupt the normal business operations of government agencies and economic activity in another country -- and successfully conceal its involvement." In fact, it is still not clear who was behind the Estonian cyber-attack. Nevertheless, authorities know that the botnets involved had already attacked the Web site of a Russian opposition party in the past.
The attacks on Georgia last summer followed a similar pattern, although in that case they accompanied a real invasion by Russian troops. Once again, it was Russian-language Internet forums that provoked the attack, also providing a list of worthwhile Georgian targets. On "stopgeorgia.ru," a website set up for this purpose, users could download a malicious program called "war.bat," tailored for the attack on Georgian networks.
Because of the attacks a site for the Georgian president had to be taken offline for a day, and on orders from the national bank, Georgia's financial institutions cancelled all electronic banking for 10 days. Hackers also manipulated the contents of Web sites in Georgia. The foreign ministry's home page, for example, suddenly contained a collage of portraits of Georgian President Mikheil Saakashvili and Adolf Hitler.
In the Georgian case, many trails also lead to Russia. A NATO report, however, says there is "no conclusive evidence" of official involvement by the Russian government.
Warfare or Not Warfare?
Analyzing these incidents raises a number of serious questions for the Bundeswehr and German politicians. Were these situations in fact "cyber wars," that is, the shifting of a conventional war between two nations onto the Internet? Or were they simply new forms of "asymmetric conflict," in which countries are attacked by digital guerilla groups?
Should they be treated as a violation of the European Council's Convention on Cyber Crime, which 23 countries have ratified? Or are they a military action that justifies retaliatory attacks? For instance, if the Bundeswehr has identified a server controlling a botnet, does it have the authority to destroy it? Will it ultimately need its own botnet of maliciously-programmed computers?
These questions have been the subject of heated debate among military leaders and diplomats since the Estonia incident. At last year's NATO summit in Bucharest, the heads of state agreed to a joint cyber defense concept and strengthened the security precautions for their own networks, for which a NATO agency in the Belgian city of Mons is responsible. In addition, the alliance established a "Center of Excellence on Cyber Defense," in the Estonian capital Tallinn. The new institute has produced an analysis of the attacks on Georgia, in which it points to "attacks in a gray zone." According to the report, "the current question of whether cyber attacks should be treated as armed attacks remains unresolved." It will "take time to achieve international consensus on the legal issues of cyber defense," the report concludes.
Germany, at any rate, is apparently unwilling to wait that long. The draft legislation prepared by the interior ministry, now headed to the Bundestag for debate, proposes upgrading the BSI into something of a civilian cyber defense agency. In the future, it would employ automated technology to monitor the flows of data at the Federal Chancellery and ministries, so that abnormalities can be detected and corrective steps taken more quickly. In addition, the small Bonn agency would no longer simply issue recommendations to reluctant government institutions, but would have the authority to issue concrete "guidelines," such as to reduce the number of unmonitored points of access to the Internet.
In a previously unpublished report on the situation of IT security in Germany in 2009, the security experts warn that both the number and level of sophistication of attacks is rising. They predict not only a growing threat stemming from botnet attacks, but also from attacks on major systems that control critical infrastructures, such as those of nuclear power plants or traffic guidance systems.
Meanwhile, the uniformed hackers at Rheinbach are battling a particularly treacherous adversary: German criminal law, which has banned the preparation of computer sabotage since 2007. If the German cyber warriors did in fact launch test attacks on outside networks they would, strictly speaking, be breaking the law. The penalty for serious computer sabotage is a prison sentence of up to ten years.
Translated from the German by Christopher Sultan
© SPIEGEL ONLINE 2009