If two countries waged cyber war on each other, here’s what to expect

Akamai recently monitored a sustained attack against a media outlet of 363 gigabits per second (Gbps) – a scale which few companies, let alone a nation, could cope with for long. Networks specialist Verisign reports a shocking 111 percent increase in DDoS attacks per year, almost half of them over 10 Gbps in scale – much more powerful than previously. The top sources are Vietnam, Brazil, and Colombia.

Most DDoS attacks swamp the target’s internal network with traffic sent via the DNS and NTP servers that provide most core services within a network. Without DNS the Internet wouldn’t work, but it is weak from a security point of view. Specialists have been trying to come up with a solution, but building security into these servers so that they recognise DDoS attacks appears to mean re-engineering the entire Internet.
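The following is an added example (not from the article or from Akamai or Verisign) of how a network operator could spot the DNS/NTP-based floods described above in exported flow records and express their size in the same Gbps terms the article uses. The flow tuple layout, the sample flows and the thresholds are all constructed assumptions; a real deployment would feed NetFlow/IPFIX exports into the same tuples and tune the thresholds to its own baseline.

```python
"""Flag likely DNS/NTP reflection-amplification floods in flow records.

Added example, not code from the article. The Flow layout, the thresholds and
the sample export window below are assumptions made for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused to bounce and amplify traffic at a victim.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Illustrative thresholds (assumed, not empirically tuned):
MIN_BYTES_PER_PACKET = 400     # amplified replies are large; a normal DNS answer is not
MIN_DISTINCT_REFLECTORS = 3    # many servers answering one host is the reflection pattern
MIN_GBPS = 1.0                 # only report victims above this aggregate rate


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


# Constructed 10-second export window. Host 198.51.100.7 receives very large
# UDP replies from several DNS and NTP servers; 198.51.100.9 sees normal traffic.
WINDOW_SECONDS = 10
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 53, "198.51.100.7", 41000, "udp", 900_000, 1_300_000_000),
    Flow("203.0.113.11", 53, "198.51.100.7", 41000, "udp", 850_000, 1_250_000_000),
    Flow("203.0.113.12", 123, "198.51.100.7", 41000, "udp", 600_000, 290_000_000),
    Flow("203.0.113.13", 123, "198.51.100.7", 41000, "udp", 620_000, 300_000_000),
    # benign DNS answer and NTP response to another host (small packets)
    Flow("192.0.2.53", 53, "198.51.100.9", 50001, "udp", 12, 1_500),
    Flow("192.0.2.123", 123, "198.51.100.9", 50002, "udp", 4, 360),
    # ordinary TCP web traffic, never counted as reflection
    Flow("192.0.2.80", 443, "198.51.100.9", 50003, "tcp", 4_000, 5_000_000),
]


def detect_amplification(flows, window_seconds):
    """Return suspected victims of DNS/NTP amplification, largest first.

    A flow counts as amplified reflection traffic when it is UDP, comes from a
    reflector service port and carries an unusually high byte-per-packet ratio.
    Per destination we then require several distinct reflectors and an
    aggregate rate above MIN_GBPS.
    """
    per_victim = defaultdict(
        lambda: {"octets": 0, "packets": 0, "reflectors": set(), "services": set()}
    )
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if f.packets == 0 or f.octets / f.packets < MIN_BYTES_PER_PACKET:
            continue
        v = per_victim[f.dst_ip]
        v["octets"] += f.octets
        v["packets"] += f.packets
        v["reflectors"].add(f.src_ip)
        v["services"].add(REFLECTOR_PORTS[f.src_port])

    findings = []
    for victim, v in per_victim.items():
        gbps = v["octets"] * 8 / window_seconds / 1e9
        if len(v["reflectors"]) >= MIN_DISTINCT_REFLECTORS and gbps >= MIN_GBPS:
            findings.append({
                "victim": victim,
                "gbps": round(gbps, 2),
                "reflectors": len(v["reflectors"]),
                "services": sorted(v["services"]),
            })
    return sorted(findings, key=lambda x: -x["gbps"])


if __name__ == "__main__":
    for finding in detect_amplification(SAMPLE_FLOWS, WINDOW_SECONDS):
        print(finding)
```

On the constructed window the script reports a single victim at roughly 2.5 Gbps fed by four reflectors across both services, while the small legitimate DNS and NTP answers to the other host are ignored. An operator would hand such a finding to upstream scrubbing or rate-limiting rather than act on it inside the flooded network.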

How to react
If a country’s grid were taken down by an attack for any length of time, the ensuing chaos would potentially be enough to win a war outright. If instead its online infrastructure were substantially compromised by a DDoS attack, the response would probably go like this:

Phase one: Takeover of network: the country’s security operations center would need to take control of Internet traffic to stop its citizens from crashing the internal infrastructure. We possibly saw this in the failed Turkish coup a few weeks ago, where YouTube and social media went completely offline inside the country.

Phase two: Analysis of attack: security analysts would be trying to figure out how to cope with the attack without affecting the internal operation of the network.

Phase three: Observation and large-scale control: the authorities would be faced with countless alerts about system crashes and problems. The challenge would be to ensure only key alerts reached the analysts trying to overcome the problems before the infrastructure collapsed. A key focus would be ensuring military, transport, energy, health and law enforcement systems were given the highest priority, along with financial systems.

Phase four: Observation and fine control: by this stage there would be some stability and the attention could turn to lesser but important alerts regarding things like financial and commercial interests.

Phase five: Coping and restoring: this would be about restoring normality and trying to recover damaged systems. The challenge would be to reach this phase as quickly as possible with the least sustained damage.
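As an added illustration of phases three and four (this is not the article’s material, and the sector tiers, alert fields and sample alert storm are constructed assumptions), the snippet below collapses repeated alerts from the same system into one aggregated entry and ranks what remains so that military, transport, energy, health and law enforcement systems reach analysts first, finance next, and lesser commercial alerts last.

```python
"""Collapse an alert storm and surface only key alerts to analysts.

Added example, not code from the article. The sector tiers, the alert field
names, the de-duplication window and the sample alerts are assumptions.
"""

# Assumed priority tiers, following the article's ordering: lower is handled first.
SECTOR_TIER = {
    "military": 0, "transport": 0, "energy": 0, "health": 0, "law_enforcement": 0,
    "finance": 1,
    "commerce": 2,
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed alert storm; "ts" is seconds since the start of the incident.
SAMPLE_ALERTS = [
    {"ts": 0, "system": "shop-web-01", "sector": "commerce", "severity": "high", "signature": "svc_crash"},
    {"ts": 5, "system": "shop-web-01", "sector": "commerce", "severity": "high", "signature": "svc_crash"},
    {"ts": 10, "system": "shop-web-01", "sector": "commerce", "severity": "high", "signature": "svc_crash"},
    {"ts": 15, "system": "shop-web-01", "sector": "commerce", "severity": "high", "signature": "svc_crash"},
    {"ts": 20, "system": "shop-web-01", "sector": "commerce", "severity": "high", "signature": "svc_crash"},
    {"ts": 25, "system": "shop-web-01", "sector": "commerce", "severity": "high", "signature": "svc_crash"},
    {"ts": 2, "system": "grid-scada-02", "sector": "energy", "severity": "critical", "signature": "comm_loss"},
    {"ts": 3, "system": "hosp-ehr-01", "sector": "health", "severity": "high", "signature": "svc_crash"},
    {"ts": 4, "system": "bank-core-01", "sector": "finance", "severity": "high", "signature": "latency"},
    {"ts": 9, "system": "bank-core-01", "sector": "finance", "severity": "high", "signature": "latency"},
    {"ts": 6, "system": "rail-sig-03", "sector": "transport", "severity": "medium", "signature": "latency"},
    {"ts": 7, "system": "shop-web-02", "sector": "commerce", "severity": "low", "signature": "disk"},
    # same signature on shop-web-01 well after the window closes: a fresh group
    {"ts": 200, "system": "shop-web-01", "sector": "commerce", "severity": "high", "signature": "svc_crash"},
]


def aggregate(alerts, window_seconds=60):
    """Merge repeats of (system, signature) that recur within window_seconds."""
    open_groups = {}
    finished = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["system"], a["signature"])
        g = open_groups.get(key)
        if g is not None and a["ts"] - g["last_ts"] <= window_seconds:
            g["count"] += 1
            g["last_ts"] = a["ts"]
            continue
        if g is not None:
            finished.append(g)  # gap too large: close the old group
        open_groups[key] = {
            "system": a["system"], "sector": a["sector"], "severity": a["severity"],
            "signature": a["signature"], "first_ts": a["ts"], "last_ts": a["ts"], "count": 1,
        }
    return finished + list(open_groups.values())


def triage(alerts, window_seconds=60, max_to_analysts=5):
    """Return (key alerts for analysts, deferred alerts) after aggregation.

    Ranking: sector tier first, then severity, then how often it repeated.
    """
    groups = aggregate(alerts, window_seconds)
    ranked = sorted(
        groups,
        key=lambda g: (
            SECTOR_TIER.get(g["sector"], 99),
            SEVERITY_RANK.get(g["severity"], 99),
            -g["count"],
        ),
    )
    return ranked[:max_to_analysts], ranked[max_to_analysts:]


if __name__ == "__main__":
    key_alerts, deferred = triage(SAMPLE_ALERTS)
    for g in key_alerts:
        print(f"ANALYST  {g['sector']:<10} {g['severity']:<8} {g['system']} x{g['count']}")
    for g in deferred:
        print(f"DEFERRED {g['sector']:<10} {g['severity']:<8} {g['system']} x{g['count']}")
```

Thirteen raw alerts become seven aggregated entries; the energy control system's communication loss heads the queue, and the six-fold commercial web crash, although it generated the most noise, is deferred with the other commercial alerts until phase four. Keeping the tier map separate from the ranking logic lets the priorities be adjusted as an incident evolves without touching the de-duplication.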

State of play
If even the security-heavy United States is concerned about its grid, the same is likely to be true of most countries. I suspect many countries are not well drilled to cope with sustained DDoS, especially given the fundamental weaknesses in DNS servers. Small countries are particularly at risk because they often depend on infrastructure that reaches a central point in a larger country nearby.

The United Kingdom, it should be said, is probably better placed than some countries to survive cyber warfare. It has an independent grid, and GCHQ and the National Crime Agency have helped to foster some of the best private sector security operations centers in the world. Many countries could probably learn a great deal from it. Estonia, whose infrastructure was disabled for several days in 2007 following a cyberattack, is now looking at moving copies of government data to the United Kingdom for protection.

Given the current level of international tension and the potential damage from a major cyberattack, this is an area that all countries need to take very seriously. Better to do it now rather than waiting until one country pays the price. For better and worse, the world has never been so connected.

Bill Buchanan is Head, The Cyber Academy, Edinburgh Napier University. This article is published courtesy of The Conversation (under Creative Commons-Attribution/No derivative).