Cyberwarfare Chronicles: Taking Down the Internet
*Note: This article was originally published by the author on December 29, 2018.*
What would you do if tomorrow you woke up to no Internet? How would that affect you personally and professionally? Would it hurt you socially, economically, or perhaps both? I know it is hard to imagine because for so long it has been reliably always there. For so many of us, the Internet has become such an integral part of everyday life that it’s really difficult to imagine how society would function without it for even a short amount of time, because so many things are now connected to the Internet and rely on a connection to operate. The list of activities and functions that the Internet is used for has become too long to enumerate, and that says a lot about its ubiquity. But so what? What does all of that have to do with taking down the Internet?
Well, just as it’s difficult to think of any modernized service that doesn’t rely on the Internet in some fashion or another, there are adversaries plotting, probing, and mapping out the critical vulnerabilities of our cybersecurity defenses to bring the Internet down if only temporarily and if only to deny critical infrastructure services to an adversary. Retail shopping, entertainment, news, archived information, media hosting, social media, academic and research collaboration, financial services, weather forecasts, and communication services like email and instant messaging are just a few services that now rely nearly entirely on the Web. If there is an attack on the infrastructure of the Internet, there will undoubtedly be collateral damage.
Many technologies and industries have become digitized. This has been a gradual process spanning the last three to four decades to the present. It didn’t just happen overnight. Billions upon billions of dollars have been poured into developing Internet infrastructure and content around the globe as well as the digitization of information and services. There are now deep economic dependencies on the Internet, from large corporations and tech giants such as Amazon, Facebook, Google, Twitter, eBay, Uber, Airbnb, and so many more to the smaller mom-and-pop businesses and bloggers who earn a living off the Web. Newspapers and magazines, realizing the loss of print revenue, have begun charging digital subscriptions for accessing content; it has become a sign of the times.
Shodan searches reveal far too many poorly secured critical infrastructure and Internet of Things (IoT) devices that can be used to compromise critical services we rely upon such as energy, water, agricultural systems, transportation, or emergency services. Moreover, widespread vulnerabilities in IoT devices have already been used in Distributed Denial of Service (DDoS) attacks in the wild, as seen with the Mirai botnet.
Yet, with 2021 at the doorstep, we aren’t any closer to stemming the rash of massive data breaches, ransomware attacks, identity theft, phishing emails, or spam that has become commonplace online and which serves to demonstrate how fragile the Internet really is.
All jokes aside, the threat of DDoS attacks or malware that cripples the Internet has now become a serious cyber threat that must be planned for and mitigated through resiliency. Designing cyber resiliency into hardware is similar to baking security in the design phase of a product or software application. It might help to think of cyber resiliency as fail-safe switches should something really bad happen. If America were to suffer a massive cyberattack targeting its critical infrastructure, what protections are in place to ensure redundancy of critical services?
Precision Targeted Attacks Against Specific Internet Service Providers
Cyberwarfare and information warfare are real threats, but to date, their effects have been mostly intangible with rare exceptions in cases like the Stuxnet virus. If you didn’t know this, Russia, China, Iran, North Korea, and even so-called Allies have been probing U.S. critical infrastructure looking for vulnerabilities. Should the occasion arise, our adversaries are ready to bring down the entire Internet. If three kids can bring down a whole slew of massive websites with one Distributed Denial of Service (DDoS) attack against Dyn, then surely a nation-state adversary like China or Russia can shut major sites and services down for an extended period of time unless we act now to build resiliency into our critical systems that provide critical services. The standard defenses of protecting against DDoS attacks listed below may not be enough to protect against DDoS attacks from a nation-state adversary with plentiful resources.
- Strengthen Bandwidth
- Detect & Block the attack
- Content Delivery Networks (CDN)
- Detection & Traffic re-routing at the ISP-level
- Paying for DDoS Protection Cloud Services (Akamai, Cloudflare, Google Project Shield, etc.)
Contrary to popular belief, global Internet connectivity relies upon undersea cables that span thousands upon thousands of miles across entire oceans from one continent to another. That is to say that in addition to the armies of IT infrastructure hardware and computer terminals, there are also these very crude cables connecting continents with Internet connectivity. Don’t think for one minute that America’s adversaries haven’t already scoped these out and plotted lat/long coordinates or tapped them to snoop in on traffic. Also, of equal importance, is the probability that the U.S. has already done this to everyone else. Among the list of things that keep me up at night are things like how hard it would be to cut those undersea cables or affix underwater explosives to them? Sure, there are also satellite communications that can be used to transmit signals from Earth to space and back down to Earth for Internet traffic, but that is very limited and expensive. To put it bluntly, it’s not feasible to route the entire Internet’s traffic through SATCOM.
Border Gateway Protocol Hijacking
Border Gateway Protocol (BGP) hijacking is when a portion or all of the Internet traffic is temporarily re-routed through other regions or countries through the sharing of poisoned or bad routing information. Think of the Internet as a vast network of networks, kind of like constellations of stars in outer space, only connected together. These networks are called Autonomous Systems (AS) and are each numbered. According to the Internet Assigned Numbers Authority (IANA), there were 840,000 AS’s as of 2018. This number is constantly changing as the Internet continues to expand with more and more routers, switches, servers, and terminal users coming online each year. BGP is the Internet protocol used to exchange routing information between AS’s. BGP can also be used internally within an AS, but that isn’t mandatory, and routing rule configuration settings vary between different AS’s. External BGP (or eBGP) is the form of the protocol used to route traffic between different AS’s.
Rest assured that without BGP, the Internet would not work as we know it today. BGP is what enables a user connecting to the Internet from Poland to access a website from Japan in just a second or two (depending on their Internet speed and the status of the Japan webserver). Cloudflare likens BGP to the postal service delivering data all over the global Internet. BGP gets the Internet traffic to its destination (IP address) using the quickest route with the fewest number of hops along the way. The only way BGP can successfully do its job is for these AS’s to talk to each other and share TCP/IP routing table information with the AS’s it connects. This way, if AS#000011 is down for whatever reason (e.g., ISP DDoS attack like Dyn), BGP knows to re-route it using a different path.
Here’s where things start to get a little weird, though. BGP AS’s are managed by Internet Service Providers (ISPs), tech companies (like Microsoft and Google), universities, government agencies, and scientific institutions that are sometimes hostile toward each other for business competition or other reasons. Organizations such as those listed above can advertise their AS’s as being the best destination for all Internet traffic, which can mess with traffic routing for the entire Internet and route all traffic through a particular region that owns the best-advertised AS’s (e.g., China or Russia). Adverse changes to BGP routes can be intentionally or accidentally spread to siphon massive amounts of Internet traffic. When a country like China repeatedly does this and is known to have the IT infrastructure resources and manpower to handle a BGP hijacking, well, you get the idea as to the implications for proprietary and sensitive information or national security. Sometimes cybercriminals also use BGP hijacking to steal cryptocurrency, as happened to Amazon in April 2018.
BGP could also be the Internet’s saving grace, however, as it can be configured to deny all inbound traffic from specific AS’s. In order for something like this to occur though, it would need to be fairly catastrophic because e-commerce relies on trusting the open routing of the Internet which we’ve known for some time now can be hijacked at a moment’s notice for hours or longer. Think about your organization’s most sensitive data which may only be encrypted with SSL/TLS encryption that is stripped and re-encrypted along its journey to its destination, being BGP hijacked and routed through China, Russia, North Korea, or Iran. Suddenly using Public Key Infrastructure (PKI) encryption and secure VPN tunneling sounds better and better.
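The sketch below is an added example, not code from the original article. It checks BGP announcements against a table of expected origin AS's, flags the two patterns this section describes (a foreign AS originating a monitored prefix, or announcing a more-specific slice of it), and applies the per-AS deny rule mentioned above. The prefixes, AS numbers and function names are constructed for illustration.

```python
import ipaddress

# Constructed data: documentation prefixes (RFC 5737) and documentation
# AS numbers (RFC 5398). None of these values come from the article.
EXPECTED_ORIGINS = {
    "198.51.100.0/24": 64496,
    "203.0.113.0/24": 64497,
}
DENIED_ASES = {64511}  # hypothetical AS whose routes the operator refuses

ANNOUNCEMENTS = [  # (prefix, AS path); the last AS in the path is the origin
    ("198.51.100.0/24", [64500, 64496]),    # legitimate origin
    ("198.51.100.0/24", [64500, 64499]),    # same prefix, wrong origin
    ("198.51.100.128/25", [64501, 64499]),  # more-specific from a foreign AS
    ("203.0.113.0/24", [64511, 64497]),     # passes through a denied AS
    ("192.0.2.0/24", [64500, 64498]),       # prefix we do not monitor
]

def classify(prefix, as_path):
    """Return a verdict string for one announcement."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    # Policy filter: drop any route whose path contains a denied AS.
    if DENIED_ASES & set(as_path):
        return "reject: denied AS in path"
    for exp_prefix, exp_origin in EXPECTED_ORIGINS.items():
        exp_net = ipaddress.ip_network(exp_prefix)
        if net.version != exp_net.version:
            continue
        if net == exp_net:
            return "accept" if origin == exp_origin else "alert: origin mismatch"
        # A longer prefix wins longest-prefix matching, so a foreign
        # more-specific pulls traffic even while the real route exists.
        if net.subnet_of(exp_net) and origin != exp_origin:
            return "alert: foreign more-specific"
    # Limitation: a forged path that ends in the expected origin AS
    # is not caught by an origin-only check like this one.
    return "accept: not monitored" if not any(
        net.version == ipaddress.ip_network(p).version
        and net.subnet_of(ipaddress.ip_network(p)) for p in EXPECTED_ORIGINS
    ) else "accept"

def review(announcements):
    """Classify every announcement and return the verdicts in order."""
    return [classify(prefix, path) for prefix, path in announcements]

if __name__ == "__main__":
    for (prefix, path), verdict in zip(ANNOUNCEMENTS, review(ANNOUNCEMENTS)):
        print(f"{prefix:20} path={path} -> {verdict}")
```
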
“Yeah, But Are these Cyber Threats Really All That Serious?”
Do you remember what happened with Dyn and the Mirai botnet? Now try to imagine what would happen in a coordinated cyber-attack by a nation-state against strategic ISPs and other critical infrastructure targets. It is rather daunting to think about.
Go ahead and perform a quick Google search [using the Internet, of course! Don’t take it for granted…] of the populations of China or India. Now imagine an army of hackers that consisted of only 1% of their population. Take China, with a population currently estimated to be 1.386 billion people, and consider that the latest estimates put China’s army size at 2,183,000 personnel. Do the math and you’ll find that the size of China’s army is only 0.0015% of its total population. Of the 5 largest armies in the world, it’s no surprise that China takes the top billing, followed by India with 1.395 million, the U.S. with 1.347 million, North Korea with 1.19 million, and Russia with 831,000 troops. Now, don’t forget that these are only active-duty troops and the figures are not representative of these nations’ intelligence services, which most assuredly also engage in computer network espionage (CNE), computer network attack (CNA), and computer network defense (CND) activities.
It is a known fact that China, like the U.S., has military units that specialize in hacking or what is commonly referred to as Information or Cyber Warfare. Now imagine a DDoS attack from China that consisted of only 1% of China’s army that might actually be trained in Information Warfare. 1% of 2.18 million soldiers is 218,000 coordinated hackers taking orders from a centralized regime. Let that sink in for a second to appreciate the gravity of this and also realize that there doesn’t need to be a human being sitting behind the computer terminal for that computer’s resources to participate in the attack. It can all be controlled remotely by botmasters using malware to enslave infected computers. It is not beyond the realm of possibility to imagine that an autocratic regime could order an ISP to have all of its users unknowingly participate in a massive DDoS attack.
Now you begin to understand how and why China has been so successful at cyber espionage for decades. They’ve been systematically mapping the Internet and infiltrating every aspect of it that they possibly can with an army of hackers and resources no other country on Earth can match. China is using whatever means necessary to steal data from wherever it exists on the Web because there is no law that says it’s illegal, and no one can do anything to stop them from doing it. It hasn’t amounted to any serious backlash against China thus far, no tangible effects, so why stop now? Hacktivist collectives such as Anonymous could never hope in their wildest dreams to raise that number of hackers, all coordinated for a single operation. Who is to say that there are even 200,000 skilled or unskilled hackers total on the planet? It’s not as if there is a hacker database that can be easily referenced and fact-checked. Welcome to the shadowy world of cyber warfare.
A DDoS attack using the Internet of Things (IoT) compromised devices from 218,000 (a conservative figure, to say the least, it could easily be much higher) Chinese soldiers behind the keyboard would most assuredly cripple, if not break, at least a portion of the Internet temporarily until mitigations could be performed. There are techniques for defending from a DDoS attack as I previously mentioned, but is every U.S. system designated as “critical infrastructure” and ISP adequately protected with a service such as Cloudflare or Google’s Project Shield? And there would be no advance warning for a cyber attack which could be a prelude to kinetic warfare.
The Sleepy Dragon Awakens
There is a reason China has survived for over 5,000 years. When studying your enemies, it is wise to treat your enemies with respect. That being said, the Chinese have demonstrated throughout history that they are ruthless and cunning. Historically, China has fought in wars and battles such as WWII and the Korean War. China and Japan have been feuding over territorial islands and fishing rights for centuries. Japan was ruthless against China in WWII (note: I highly suggest reading The Rape of Nanking by Iris Chang which details atrocities committed by Japan against China). China helped defend North Korea from American invasion during the Korean War by sending hundreds of thousands of soldiers marching South towards the 38th Parallel, many without even a rifle to call their own.
China knew that many of them would be slaughtered, but they sent them anyway knowing the reinforcements could use discarded rifles from fallen soldiers and continue the fight. All of this historical context is offered to provide a tiny glimpse into how the Chinese machine thinks. People are just numbers in China; they do what they are told or they are put in their place quickly. There is no free speech rhetoric allowed; you will be put to death. Things in North Korea, Iran, and Russia are not much different in many respects.
China, however, is by far the biggest cyber-espionage threat to the U.S. in terms of sophistication and by sheer numbers. Russian hackers may have them beat on sophistication, but China has been grooming legions of hackers that take orders from the Ministry of State. When you have a country of over a billion people, an army of a million hackers is but a mere drop in the bucket. Imagine the pooled resources for DDoS attacks. Assuming China actually has a million-hacker army, if every hacker concentrated their computer processing power and Internet of Things (IoT) botnets on a single DDoS attack, it would be enough to take down substantial defenses, perhaps even an entire country the size of the U.S.
Imagine the persistent capability that China could bring to bear, unending rotational shifts of hackers working 12-hour shifts constantly looking for new vulnerabilities and entry points into adversarial networks. This is coupled with China’s international presence in academic institutions and also the Chinese expatriates living in the U.S. that work for various organizations and companies. China has an entire network of spies living in San Francisco alone. Why do you think that is? Could it be the tech industry perhaps?
The growing U.S. skills gap will only be exacerbated with increased and constant Computer Network Espionage (CNE) activity from China and other adversaries in the coming years. China has made it known that they do not care to help other countries like the U.S. find software code flaws and vulnerabilities by competing in international hacker competitions, also known as Capture the Flag (CTFs) contests. Instead, the Chinese government wants them to focus on discovering vulnerabilities (zero-days) that can be used for Chinese national interests. China’s mentality appears to be a nationalistic approach of “Keeping the talent at home makes China better at cyberattack.”
“China’s actually backed off quite a bit on intellectual property theft, but when it comes to military trade secrets, military preparedness, military readiness, satellite communications, anything that involves the US’s ability to keep a cyber or military edge, China has been very heavily focused on those targets,” says David Kennedy, CEO of the threat tracking firm Binary Defense Systems, who formerly worked at the NSA and with the Marine Corps’ signal intelligence unit. “And the US does the same thing, by the way.” ~ Wired, Lily Hay Newman 6.22.18
Rogue Nations Who Will Not Sign International Cyberspace Treaty
Russia, China, and the United States have all refused to sign the Paris Call for Trust and Security in Cyberspace cybersecurity pact. That surprises no one. Name the 3 countries in the world that are more concerned with maintaining or achieving global domination than any other country and are in a position to do so. Hmmm? Same 3 countries. So the hacking and CNE, the hoarding of 0-days, and the implicit denials of hack attributions will continue for years to come because let’s face it, cyber warfare is a hell of a lot cheaper and more palatable to the American public and political constituents than actual ground warfare military engagements with a lot less collateral damage. Perhaps wars are better fought this way, without bloodshed, with 1’s and 0’s and soon-to-be qubits (quantum superposition).
The Future Is Cloudy With A Chance of Breaches
Nations will continue to duke it out online in cyberspace and citizens and organizations will continue to be collateral damage. The cybersecurity industry and technology will continue to grow and become increasingly more important while Artificial Intelligence will emerge from the dark recesses of research laboratories to take on a more central role in cybersecurity and security monitoring. These are fun times kids, grab your lawn chairs and crack open a beer. Watch the fireworks to come!