Tag Archives: cyberwar

The Kangaroo Infiltration

On June 22nd 2017, WikiLeaks published documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives…

The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects a Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.

Excerpts from Brutal Kangaroo Press Release Wikileaks, June 22, 2017

Firing Back with Vengeance: the NSA Weapons

from you tube.

The strike on IDT, a conglomerate,… was similar to WannaCry in one way: Hackers locked up IDT data and demanded a ransom to unlock it.  But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines….Were it not for a digital black box that recorded everything on IDT’s network, …the attack might have gone unnoticed.

Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same N.S.A. weapons. Mr. Ben-Oni and other security researchers worry that many of those other infected computers are connected to transportation networks, hospitals, water treatment plants and other utilities…

Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue. The tool took advantage of unpatched Microsoft servers to automatically spread malware from one server to another, so that within 24 hours… hackers had spread their ransomware to more than 200,000 servers around the globe. The attack on IDT went a step further with another stolen N.S.A. cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate computer systems without tripping security alarms. It allowed N.S.A. spies to inject their tools into the nerve center of a target’s computer system, called the kernel, which manages communications between a computer’s hardware and its software.

In the pecking order of a computer system, the kernel is at the very top, allowing anyone with secret access to it to take full control of a machine. It is also a dangerous blind spot for most security software, allowing attackers to do what they want and go unnoticed. In IDT’s case, attackers used DoublePulsar to steal an IDT contractor’s credentials. Then they deployed ransomware in what appears to be a cover for their real motive: broader access to IDT’s businesses…

But the attack struck Mr. Ben-Oni as unique. For one thing, it was timed perfectly to the Sabbath. Attackers entered IDT’s network at 6 p.m. on Saturday on the dot, two and a half hours before the Sabbath would end and when most of IDT’s employees — 40 percent of whom identify as Orthodox Jews — would be off the clock. For another, the attackers compromised the contractor’s computer through her home modem — strange.

The black box of sorts, a network recording device made by the Israeli security company Secdo, shows that the ransomware was installed after the attackers had made off with the contractor’s credentials. And they managed to bypass every major security detection mechanism along the way. Finally, before they left, they encrypted her computer with ransomware, demanding $130 to unlock it, to cover up the more invasive attack on her computer.

A month earlier, Microsoft had issued a software patch to defend against the N.S.A. hacking tools — suggesting that the agency tipped the company off to what was coming. Microsoft regularly credits those who point out vulnerabilities in its products, but in this case the company made no mention of the tipster. Later, when the WannaCry attack hit hundreds of thousands of Microsoft customers, Microsoft’s president, Brad Smith, slammed the government in a blog post for hoarding and stockpiling security vulnerabilities.  For his part, Mr. Ben-Oni said he had rolled out Microsoft’s patches as soon as they became available, but attackers still managed to get in through the IDT contractor’s home modem.

There are now YouTube videos showing criminals how to attack systems using the very same N.S.A. tools used against IDT, and Metasploit, an automated hacking tool, now allows anyone to carry out these attacks with the click of a button….

“Once DoublePulsar is on the machine, there’s nothing stopping anyone else from coming along and using the back door,” Mr. Dillon said.More distressing, Mr. Dillon tested all the major antivirus products against the DoublePulsar infection and a demoralizing 99 percent failed to detect it.  “We’ve seen the same computers infected with DoublePulsar for two months and there is no telling how much malware is on those systems,” Mr. Dillon said. “Right now we have no idea what’s gotten into these organizations.”..

Could that attack be coming? The Shadow Brokers resurfaced last month, promising a fresh load of N.S.A. attack tools, even offering to supply them for monthly paying subscribers — like a wine-of-the-month club for cyberweapon enthusiasts.

Excerpts from NICOLE PERLROTHJUNE, A Cyberattack ‘the World Isn’t Ready For’,  New York Times, June 20, 2017

Iran Could Kill to be North Korea

Korean Peninsula at night. Image from NASA

The US tried to deploy a version of the Stuxnet computer virus to attack North Korea’s nuclear weapons programme five years  (2010) ago but ultimately failed, according to people familiar with the covert campaign.  The operation began in tandem with the now-famous Stuxnet attack that sabotaged Iran’s nuclear programme in 2009 and 2010 by destroying a thousand or more centrifuges that were enriching uranium. Reuters and others have reported that the Iran attack was a joint effort by US and Israeli forces.

According to one US intelligence source, Stuxnet’s developers produced a related virus that would be activated when it encountered Korean-language settings on an infected machine…But the National Security Agency-led campaign was stymied by North Korea’s utter secrecy, as well as the extreme isolation of its communications systems...North Korea has some of the most isolated communications networks in the world. Just owning a computer requires police permission, and the open internet is unknown except to a tiny elite. The country has one main conduit for internet connections to the outside world, through China.  In contrast, Iranians surfed the net broadly and had interactions with companies from around the globe.

The US has launched many cyber espionage campaigns, but North Korea is only the second country, after Iran, that the NSA is now known to have targeted with software designed to destroy equipment.

Experts in nuclear programmes said there were similarities between North Korea and Iran’s operations, and the two countries continue to collaborate on military technology. Both countries use a system with P-2 centrifuges, obtained by Pakistani nuclear scientist AQ Khan, who is regarded as the father of Islamabad’s nuclear bomb, they said. Like Iran, North Korea probably directs its centrifuges with control software developed by Siemens AG that runs on Microsoft Corp’s Windows operating system, the experts said. Stuxnet took advantage of vulnerabilities in both the Siemens and Microsoft programmes…

Despite modest differences between the programmes, “Stuxnet can deal with both of them. But you still need to get it in,” said Olli Heinonen, senior fellow at Harvard University’s Belfer Center for Science and International Affairs and former deputy director general of the International Atomic Energy Agency…

The Stuxnet campaign against Iran, code-named Olympic Games, was discovered in 2010. It remains unclear how the virus was introduced to the Iranian nuclear facility in Natanz, which was not connected to the Internet.,,,According to cybersecurity experts, Stuxnet was found inside industrial companies in Iran that were tied to the nuclear effort. As for how Stuxnet got there, a leading theory is that it was deposited by a sophisticated espionage programme developed by a team closely allied to Stuxnet’s authors, dubbed the Equation Group by researchers at Kaspersky Lab…

In addition, North Korea likely has plutonium, which does not require a cumbersome enrichment process depending on the cascading centrifuges that were a fat target for Stuxnet, they said.

Excerpts from NSA tried Stuxnet cyber-attack on North Korea five years ago but failed, Reuters, May 29, 2015

Cyberespionage in South Korea 2009-2013

The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded. The study by the firm McAfee  (Dissecting Operation Troy: Cyberespionage in South Korea) stopped short of blaming specific entities for the March 20 onslaught but said it found a pattern of sophisticated attacks, including efforts to wipe away traces that could lead to detection.  “The level of sophistication would indicate it is above and beyond your average individual or run-of-the mill hacktivism group,” said James Walter, a McAfee researcher and co-author of the study.

An official South Korean investigation in April determined North Korea’s military intelligence agency was responsible for the attacks which shut down the networks of TV broadcasters KBS, MBC and YTN, halted financial services and crippled operations at three banks….

But McAfee said the attacks represented only a small portion of the cyber campaign being carried out since 2009.  “One of the primary activities going on here is theft of intellectual property, data exfiltration, essentially stealing of secrets,” Walter said.  The report said the attacks, known first as Dark Seoul and now as Operation Troy were “more than cybervandalism… South Korean targets were actually the conclusion of a covert espionage campaign.”  McAfee concluded that two groups claiming responsibility for the attack were not credible.  “The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source,” the report said.

Walter said that it is possible that with the campaign nearing detection, the hackers launched these attacks to distract the public and then sought to blame them on little-known entities, the NewRomanic Cyber Army Team, and the Whois Hacking Team.  He added that up to now, the cyber espionage effort “has been very successful in being under the radar” and that “what we see now was a more visible activity that is coupled with a distraction campaign.”

McAfee concluded that the remote-access Trojan was compiled January 26, and a component to wipe the records of numerous systems was compiled January 31.”The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools,” the report said.  “Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009… We call this Operation Troy, based on the frequent use of the word ‘Troy’ in the compile path strings in the malware.”  McAfee carried out the study as part of its research into cybersecurity issues, Walter said.

The attack came days after North Korea had accused South Korea and the United States of being behind a “persistent and intensive” hacking assault that temporarily took a number of its official websites offline.  It also coincided with heightened military tensions on the Korean peninsula, following Pyongyang’s nuclear test in February.

South Korean cyber attacks tip of the iceberg: McAfee, Associated Press, Agence France Press, July 10, 2013

Cyberattack can Trigger a Conventional Response

United States Power Grid. Image from wikipedia

Cyberattacks on U.S. infrastructure or networks could be met with a conventional military response, the chairman of the Joint Chiefs of Staff said today.  “There is an assumption out there … that a cyberattack that had destructive effects would be met by a cyber response that had destructive effects,” Army Gen. Martin E. Dempsey said to an audience at a Brookings Institution forum. “That’s not necessarily the case. I think that what [President Barack Obama] would insist upon, actually, is that he had the options and the freedom of movement to decide what kind of response we would employ.”  The impact of a cyberattack is a key question for elected officials to answer when considering the level of response, Dempsey said. “When does cyber theft become a hostile act?” the chairman asked. “Or when does cyber theft, added to distributed denial of services, become a hostile act? Or is a hostile act simply defined as something that literally is destructive in nature?”

Cyber has many features in common with other domains, and shouldn’t be thought of as a wholly exceptional realm, Dempsey said. Although it can sometimes feel abstract, he explained, cyber is a physical domain in the sense that it is operated by men and women over routers and servers, and cyberattacks can result in real, physical damage.  “I think that to the extent that we can always think about it in the way that we’ve always organized our thinking about the other domains, it might illuminate the challenge a little better,” the chairman said. “I do think that there are capabilities out there that are so destructive in nature and potential that it would be very difficult not to see them as acts of war.” But, he noted, “the decision to declare something a hostile act — an act of war — is certainly one that resides in the responsibility of our elected leaders.”

By Claudette Roulo American Forces Press Service, Dempsey: Cyberattacks Could Prompt Conventional Response, June 27, 2013

The Secret Bugs: Exploits

computer code

Packets of computer code, known as “exploits”, allow hackers to infiltrate or even control computers running software in which a design flaw, called a “vulnerability”, has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to “selling a gun to a criminal”.

Just a dozen years ago the buying and selling of illicit exploits was so rare that India’s Central Bureau of Investigation had not yet identified any criminal syndicates involved in the trade, says R.K. Raghavan, a former director of the bureau. Underground markets are now widespread, he says. Exploits empower criminals to steal data and money. Worse still, they provide cyber-firepower to hostile governments that would otherwise lack the expertise to attack an advanced country’s computer systems, worries Colonel John Adams, head of the Marine Corps’ Intelligence Integration Division in Quantico, Virginia.

Exploits themselves are generally legal. Several legitimate businesses sell them. A Massachusetts firm called Netragard last year sold more than 50 exploits to businesses and government agencies in America for prices ranging from $20,000 to more than $250,000. Adriel Desautels, Netragard’s founder, describes some of the exploits sold as “weaponised”. The firm buys a lot from three dozen independent hackers who, like clients, are carefully screened to make sure they are not selling code to anyone else, and especially not to a criminal group or unfriendly government.

More than half of exploits sold are now bought from bona fide firms rather than from freelance hackers, says Roy Lindelauf, a researcher at the Netherlands Defence Academy. He declines to say if Dutch army or intelligence agencies buy exploits, noting that his government is still figuring out “what we’re allowed to do offensively”.Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.

Exploits are a form of knowledge, expressed in computer code. Attempting to stop people from generating and spreading knowledge is futile, says Dave Aitel, a former computer scientist at America’s National Security Agency (NSA) who went on to found Immunity, a computer-security firm in Florida. He says that legal systems would not even agree on which code is good and which is bad. Many legal experts say code should be protected by free-speech laws—it is, after all, language expressed as strings of zeros and ones.

Moreover, tracking down exploits is hard. Hackers keep them secret so that the intended victim doesn’t identify and fix the vulnerability, thereby rendering the exploit worthless. As a French exploit developer puts it, those liable to be rapidly detected are about as useful as a “disposable gun” that can be fired just once. Secrecy surrounding the design, sale and use of exploits makes protecting computer networks from them akin to finding “unknown unknowns”, says Kenneth Geers, a cyber-security specialist at America’s Naval Criminal Investigative Service.

Several governments want firms to develop exploits. In 2010 a computer worm called Stuxnet was revealed to have attacked Iran’s nuclear kit. It used four main exploits to get in; at least one appears to have been bought rather than developed in-house by the government that launched the attack (presumably America or Israel), says David Lindahl, an IT expert at the Swedish Defence Research Agency, a government body in Stockholm. An unprecedented weapon, Stuxnet remained undetected for years by quietly erasing its tracks after “planting sabotage charges at exactly the right place” in Iran’s uranium-enrichment centrifuges, Mr Lindahl says.

Nearly all well-financed intelligence agencies buy exploits, says Eric Filiol, a lieutenant-colonel in computer intelligence for France’s army until 2009. Computer experts who years ago would reveal software vulnerabilities for mere prestige have realised that they were treating “diamonds as pebbles”, says Mr Filiol, now head of the Operational Cryptography and Computer Virology Lab in Laval. His lab is partly financed by France’s defence ministry to provide it with exploits.

The price of exploits has risen more than fivefold since 2004, Mr Filiol says, referring to a confidential document. They vary greatly, depending on three main factors: how hard the exploit is to develop; the number of computers to which it provides access; and the value of those computers. An exploit that can stealthily provide administrator privileges to a distant computer running Windows XP, a no-longer-fashionable operating system, costs only about $40,000. An exploit for Internet Explorer, a popular browser, can cost as much as $500,000 (see chart).

Software firms also buy exploits to identify and repair vulnerabilities in their products before others take advantage of them. A small Vancouver firm called Tarsnap, for example, has paid 30 people who pointed out flaws in its encryption software for online PC backups. To develop better defences for its clients’ computer systems, HP, an American giant, has spent more than $7m since 2005 buying hundreds of “zero days”, as undiscovered exploits are also known in hacker slang. (Once discovered, an exploit’s days are numbered, literally: it becomes a “one day”, then a “two day”, and so on until the vulnerability it exploits is patched.)

Such “bug bounty” schemes, however, will struggle to compete with buyers who want to exploit rather than seal vulnerabilities. Tarsnap’s biggest payout was just $500. Last year Google offered Vupen, a French firm, $60,000 for an exploit that burrowed into its Chrome browser. Vupen’s boss, Chaouki Bekrar, balked, noting that he could get more elsewhere.

Other reputable customers, such as Western intelligence agencies, often pay higher prices. Mr Lindelauf reckons that America’s spies spend the most on exploits. Vupen and other exploit vendors decline to name their clients. However, brisk sales are partly driven by demand from defence contractors that see cyberspace as a “new battle domain”, says Matt Georgy, head of technology at Endgame, a Maryland firm that sells most of its best exploits for between $100,000 and $200,000. He laments a rise in sales by unscrupulous vendors to dangerous groups.

On March 12th the head of the Pentagon’s Cyber Command, General Keith Alexander, warned the Senate Armed Services Committee that state-sponsored groups are stepping up efforts to steal and destroy data using “cybertools” purchased in illicit online markets. As an American military-intelligence official points out, governments that buy exploits are “building the black market”, thereby bankrolling dangerous R&D. For this reason, governments appear increasingly keen to develop exploits in-house. Paulo Shakarian, a cyberwar expert at West Point, an American military academy, says China appears to be moving in this direction.

Developing exploits in-house reduces the risk that a double-dealing vendor will resell code meant to be exclusive. Even so, the trade isn’t likely to fade away. When developers work out a trick that gives them control over the targeted software, they like to yell out a celebratory “who’s your daddy?” notes Pierre Roberge, boss of Arc4dia, a Quebec firm that sells exploits to spy agencies. Exploit trading will continue as long as people pay big money for the opportunity to utter the same joke—this time at the expense of a victim who has been hacked.

Cyber-security: The digital arms trade, Economist, Mar. 30, 2013, at 65.

The Pipeline Cyberwar

The vast U.S. network of natural gas and hazardous liquid pipelines is integral to U.S. energy supply and has vital links to other critical infrastructure. While an efficient and fundamentally safe means of transport, this network is vulnerable to cyber attacks. In particular, cyberinfiltration of supervisory control and data acquisition (SCADA) systems could allow successful “hackers” to disrupt pipeline service and cause spills, explosions, or fires—all from remote locations.

In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. These intrusions have heightened congressional concern about cybersecurity in the U.S. pipelines sector. The Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations, if necessary, but the agency has not issued such regulations. TSA officials assert that security regulations could be counterproductive because they could establish a general standard below the level of security already in place for many pipelines…. While the pipelines sector has many cybersecurity issues in common with other critical infrastructure sectors, it is somewhat distinct in several ways:

• Pipelines in the United States have been the target of several confirmed terrorist plots and attempted physical attacks since September 11, 2001.

• Changes to pipeline computer networks over the past 20 years, more sophisticated hackers, and the emergence of specialized malicious software have made pipeline SCADA operations increasingly vulnerable to cyber attacks.

• There recently has been a coordinated series of cyber intrusions specifically targeting U.S. pipeline computer systems.

• TSA already has statutory authority to issue cybersecurity regulations for pipelines if the agency chooses to do so, but it may not have the resources to develop, implement, and enforce such regulations if they are mandated….

In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. The incidents drew new attention to an Al Qaeda video obtained in 2011 by the Federal Bureau of Investigation (FBI) reportedly calling for “electronic jihad” against U.S. critical infrastructure.  These cybersecurity events coupled with serious consequences from recent pipeline accidents have heightened congressional concern about cybersecurity measures in the U.S. pipelines sector.

Excerpt, Paul W. Parfomak, Pipeline Cybersecurity: Federal Policy, CRS Report for Congress, Aug. 16, 2012

Inside the Wires: United States Cyberattacks in Afghanistan Confirmed

The U.S. military has been launching cyberattacks against its opponents in Afghanistan, a senior officer says, making an unusually explicit acknowledgment of the oft-hidden world of electronic warfare.  Marine Lt. Gen. Richard P. Mills’ comments came last week at a conference in Baltimore during which he explained how U.S. commanders considered cyber weapons an important part of their arsenal.  “I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact,” Mills said. “I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”

Mills, now a deputy commandant with the Marine Corps, was in charge of international forces in southwestern Afghanistan between 2010 and 2011, according to his official biography. He didn’t go into any further detail as to the nature or scope of his forces’ attacks, but experts said that such a public admission that they were being carried out was itself striking.  “This is news,” said James Lewis, a cyber-security analyst with the Washington-based Center for Strategic and International Studies. He said that while it was generally known in defense circles that cyberattacks had been carried out by U.S. forces in Afghanistan, he had never seen a senior officer take credit for them in such a way.  “It’s not secret,” Lewis said in a telephone interview, but he added: “I haven’t seen as explicit a statement on this as the one” Mills made.  The Pentagon did not immediately respond to an email seeking comment on Mills’ speech.

U.S. defense planners have spent the past few years wondering aloud about how and under what circumstances the Pentagon would launch a cyber attack against its enemies, but it’s only recently become apparent that a sophisticated program of U.S.-backed cyberattacks is already under way.  A book by The New York Times reporter David Sanger recently recounted how President Barack Obama ordered a wave of electronic incursions aimed at physically sabotaging Iran’s disputed atomic energy program. Subsequent reports have linked the program to a virus dubbed Flame, which prompted a temporary Internet blackout across Iran’s oil industry in April, and another virus called Gauss, which appeared to have been aimed at stealing information from customers of Lebanese banks. An earlier report alleged that U.S. forces in Iraq had hacked into a terrorist group’s computer there to lure its members into an ambush.

Herbert Lin, a cyber expert at the National Research Council, agreed that Mills’ comments were unusual in terms of the fact that they were made publicly. But Lin said that the United States was, little by little, opening up about the fact that its military was launching attacks across the Internet.  “The U.S. military is starting to talk more and more in terms of what it’s doing and how it’s doing it,” he said. “A couple of years ago it was hard to get them to acknowledge that they were doing offense at all — even as a matter of policy, let alone in specific theaters or specific operations.”

Mills’ brief comments about cyberattacks in Afghanistan were delivered to the TechNet Land Forces East conference in Baltimore on Aug. 15, but they did not appear to have attracted much attention at the time. Footage of the speech was only recently posted to the Internet by conference organizers

Marine General: We Launched Cyberattacks Against Afghanistan, CBS News, Aug. 24, 2012

Plan X for Cyberbattle: DARPA

The Defense Advanced Research Projects Agency (DARPA) Information Innovation Office (I2O) will host a Proposers’ Day in support of the anticipated Broad Agency Announcement (BAA) for the Plan X program.  The Proposers’ Day Workshop will be held on 27 September at the DARPA Conference Center, 675 N. Randolph Street, Arlington, VA from 0900 to 1600 EDT. There will be an unclassified session in the morning and a classified SECRET session in the afternoon. Attendance at the afternoon session is limited to individuals with US DOD SECRET clearances or higher. Neither session is open to the general public or members of the media. It is anticipated that the Plan X BAA will be released by the end of September 2012.

PROGRAM OBJECTIVE AND DESCRIPTION

The objective of the Plan X program is to create revolutionary technologies for understanding, planning, and managing cyberwarfare in real-time, large-scale, and dynamic network environments. Plan X will also conduct novel research into the nature of cyberwarfare and support development of fundamental strategies and tactics needed to dominate the cyber battlespace. The Plan X program is explicitly not funding research and development efforts in vulnerability analysis or cyberweapon generation.

DARPA seeks innovative research in four key areas in support of Plan X:

• Understanding the cyber battlespace: This area focuses on developing automated analysis techniques to assist human operators in planning cyber operations. Specifically, analyzing large-scale logical network topology characteristics of nodes (i.e., edge count, dynamic vs. static links, usage) and edges (i.e. latency, bandwidth, periodicity).

• Automatically constructing verifiable and quantifiable cyber operations: This area focuses on developing high-level mission plans and automatically synthesizing a mission script that is executed through a human-on-the-loop interface, similar to the auto-pilot function in modern aircraft. This process will leverage formal methods to provably quantify the potential battle damage from each synthesized mission plan.

• Developing operating systems and platforms designed to operate in dynamic, contested, and hostile network environments: This area focuses on building hardened “battle units” that can perform cyberwarfare functions such as battle damage monitoring, communication relay, weapon deployment, and adaptive defense.

• Visualizing and interacting with large-scale cyber battlespaces: This area focuses on developing intuitive views and overall user experience. Coordinated views of the cyber battlespace will provide cyberwarfare functions of planning, operation, situational awareness, and war gaming.

A system architecture team is also sought to lead the end-to-end Plan X system development. This will include working with Plan X performers to develop the standard system application programming interfaces, data format specifications, and performer integration schedule. The system architecture team will also be responsible for purchasing Plan X system infrastructure and hardware.  The Plan X program is structured around an on-site DARPA cyberwar laboratory where performers will continuously integrate developing technologies into the end-to-end Plan X system.

Excerpt from: Special Notice Plan X Proposers’ Day Workshop, DARPA-SN-12-51, August 17, 2012

Foundational Cyberwarfare (Plan X)

Proposers’ Day Workshop, 27 September 2012

Digital Bombs: DARPA and the Digital Battlefield

The Pentagon is turning to the private sector, universities and even computer-game companies as part of an ambitious effort to develop technologies to improve its cyberwarfare capabilities, launch effective attacks and withstand the likely retaliation.  The previously unreported effort, which its authors have dubbed Plan X, marks a new phase in the nation’s fledgling military operations in cyberspace, which have focused more on protecting the Defense Department’s computer systems than on disrupting or destroying those of enemies.  Plan X is a project of the Defense Advanced Research Projects Agency, a Pentagon division that focuses on experimental efforts and has a key role in harnessing computing power to help the military wage war more effectively.  “If they can do it, it’s a really big deal,” said Herbert S. Lin, a cybersecurity expert with the National Research Council of the National Academies. “If they achieve it, they’re talking about being able to dominate the digital battlefield just like they do the traditional battlefield.”

Cyberwarfare conjures images of smoking servers, downed electrical systems and exploding industrial plants, but military officials say cyberweapons are unlikely to be used on their own. Instead, they would support conventional attacks, by blinding an enemy to an impending airstrike, for example, or disabling a foe’s communications system during battle.  The five-year, $110 million research program will begin seeking proposals this summer. Among the goals will be the creation of an advanced map that details the entirety of cyberspace — a global domain that includestens of billions of computers and other devices — and updates itself continuously. Such a map would help commanders identify targets and disable them using computer code delivered through the Internet or other means.

nother goal is the creation of a robust operating system capable of launching attacks and surviving counterattacks. Officials say this would be the cyberspace equivalent of an armored tank; they compare existing computer operating systems to sport-utility vehicles — well suited to peaceful highways but too vulnerable to work on battlefields.   The architects of Plan X also hope to develop systems that could give commanders the ability to carry out speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code — a process considered much too slow.  Officials compare this to flying an airplane on autopilot along predetermined routes.  It makes sense “to take this on right now,” said Richard M. George, a former National Security Agency cyberdefense official. “Other countries are preparing for a cyberwar. If we’re not pushing the envelope in cyber, somebody else will.”

The shift in focus is significant, said officials from the Pentagon agency, known by the acronym DARPA. Cyber-operations are rooted in the shadowy world of intelligence-gathering and electronic-spying organizations such as the NSA.  Unlike espionage, military cyber­attacks would be aimed at achieving a physical effect — disrupting or shutting down a computer, for example — and probably would be carried out by the U.S. Cyber Command, the organization that was launched in 2010 next to the NSA at Fort Meade.  “Because the origins of cyberattack have been in the intelligence community, there’s a tendency to believe that simply doing more of what they’re doing will get us what we need,” said Kaigham J. Gabriel, acting director of DARPA. “That’s not the way we see it. There’s a different speed, scale and range of capabilities that you need. No matter how much red you buy, it’s not orange.”

Plan X is part of a larger DARPA effort begun several years ago to create breakthrough offensive and defensive cyber-­capabilities.  With a cyber budget of $1.54 billion from 2013 to 2017, the agency will focus increasingly on cyber-offense to meet military needs, officials say. DARPA’s research is designed to foster long-shot successes. In addition to helping create the Internet, the agency’s work gave rise to stealth jet technology and portable global-positioning devices.   “Even if 90 percent of their ideas don’t pan out,” said Martin Libicki, a cyberwar expert at Rand Corp., “the 10 percent that are worthwhile more than pay back the difference.”

A digital battlefield map, as DARPA envisions it, would plot nodes on the Internet, drawing from a variety of sources and changing as cyberspace changes.  “In a split microsecond you could have a completely different flow of information and set of nodes,” Gabriel said. “The challenge and the opportunity is to create a capability where you’re always getting a rapid, high-order look of what the Internet looks like — of what the cyberspace looks like at any one point in time.”  The ideal map would show network connections, analyze how much capacity a particular route has for carrying a cyberweapon and suggest alternative routes according to traffic flows, among other things.

The goal would be a visual representation of cyberspace that could help commanders make decisions on what to attack and how, while seeing any attacks coming from an enemy.  Achieving this will require an enormous amount of upfront intelligence work, experts say.  Michael V. Hayden, a former NSA director and a former CIA director, said he can imagine a map with red dots representing enemy computers and blue dots representing American ones.  When the enemy upgrades his operating system, the red dots would blink yellow, meaning the target is out of reach until cyber operators can determine what the new operating system is…

Plan X also envisions the development of technology that enables a commander to plan, launch and control cyberattacks.  A commander wanting to hit a computer that controls a target — a strategically important drawbridge in enemy territory, for example — should be able to predict and quantify battle damage while considering the timing or other constraints on a possible attack, said Dan Roelker, Plan X program manager.

Cyberwar experts worry about unintended consequences of attacks that might damage the flow of electricity to civilian homes or hospitals. A targeting system also should allow operators to stop a strike or reroute it before it damages systems that are not targeted — a fail-safe mechanism that experts say would be very difficult to engineer.  DARPA will not prescribe what should be represented on the digital map.  Some experts say they would expect to see power and transportation systems that support military objectives.

Daniel Kuehl, an information warfare professor at the National Defense University’s iCollege, said the Air Force built its history around attacks on infrastructure — in Korea, Vietnam, Serbia and Iraq.  “In all of those conflicts,” he said, “we went after the other side’s electricity with bombs.”  Today, he said, cyberweapons could be more humane than pulverizing power grids with bombs.

If a cyberwarrior can disrupt a computer system controlling an enemy’s electric power, the system theoretically can also be turned back on, minimizing the impact on civilians.  But retired Gen. James E. Cartwright, who as vice chairman of the Joint Chiefs of Staff until August pushed to develop military cyber-offense capabilities, said the military is focused less on power grids than on “tanks and planes and ships and anything that carries a weapon.”  “The goal is not the single beautiful target that ends the war in one shot. That doesn’t exist,” said Cartwright, who is now with the Center for Strategic and International Studies. “The military needs more of a brute-force approach that allows it to get at a thousand targets as quickly as possible.

Ellen Nakashima, With Plan X, Pentagon seeks to spread U.S. military might to cyberspace, Washington Post, May 30, 2012