
THE EXPERIENCE OF RUSSO-GEORGIAN WAR AND THE CHALLENGES OF CYBER SECURITY

Speech made at the Cyber Defence & Network Security Conference
January 24-26, 2012
Radisson Blu Portman Hotel, London


Andro Barnovi
Deputy Minister of Defence of Georgia,
Rector of National Defence Academy


Let me start by quoting a paragraph from the book “Inside Cyber Warfare” by Jeffrey Carr, who worked on the open source intelligence investigation into the Russian cyber-attacks on Georgia in August 2008. The book cites a speech by Vladislav Surkov, former First Deputy Chief of Staff to the President of the Russian Federation and former GRU intelligence officer, who held a closed-door conference with a number of Russian spin-doctors right after the war in Georgia and explained how to use information as a weapon to fight Russia’s enemies. He instructed that net wars had always been an internal peculiarity of the Internet, while the war in Georgia showed that the Net is a front just like the traditional media, and a front that is much faster to respond and much larger in scale. In his words, August 2008 was the starting point of the virtual reality of conflicts and the moment of recognition of the need to wage war in the information field too.[i]

Surkov seemed to be inspired by fresh experience in Georgia, and indeed many believe that the Russo-Georgian war of 2008 was the first real joint cyber-kinetic war ever witnessed. Russia undertook cyber-attacks not just to inflict damage on Georgian government infrastructure and economic targets, but as an asymmetric means to create favorable conditions for degrading Georgian resistance capabilities and to win a real war on the ground.

Russian authorities had long been preparing for a joint cyber-kinetic action. As early as the mid-1990s, Russia started to develop its cyber strategy and found it useful to intertwine it with the military doctrine. It was in fact the military who first raised this issue in Moscow and pushed to establish a new faculty in computer networks and information security at the FSB academy.

Since then, Russia has been researching a wide variety of computer network attack options, including logic bombs, viruses, microchipping, and other forms of weaponized malware. As early as the late 1990s, in the Second Chechen War, Russia moved from computer network exploitation to a computer network attack strategy in an effort to control the flow of information. Having staged a few experiments in Georgia, Estonia, Kazakhstan, and Lithuania, the Russians have now made cyber a very solid component of their military and information war strategies.

The function the Russians assign to cyber warfare in a joint cyber-kinetic strategy is to disorganize and disrupt the functioning of the key enemy military, industrial and administrative facilities and systems, as well as to bring information-psychological pressure on the adversary’s military-political leadership and population, something to be achieved primarily through the use of state-of-the-art information technologies and assets.[ii]

And this is exactly what the Russians did during the August 2008 war in Georgia. The attacks did not merely resemble terrorist actions with the limited goal of inflicting damage and attracting attention. They were undertaken with a well-calculated strategy and were closely intertwined with the rest of the campaign conducted by regular Russian Army units.

After the War, the International Institute for Strategic Studies prepared a Georgia Crisis Special Issue of its “Strategic Comments” and stated that the main limitation of the Georgian army was psychological.[iii] While this is a generally true observation, it is also clear that a lack of security in the information domain should also be blamed for that limitation.

WHAT HAPPENED ON THE GROUND

To look at what happened on the ground, we should first note that the use of cyber-attacks varied during the War. In some cases cyber-attacks had an independent function, and in some cases a support function. In fact, not two but three parallel wars were taking place at once. One was the cyber war as such, which aimed at disrupting essential information and communications systems and at cyber espionage; the second was the information war, for which the cyber component had a support function; and the third was the kinetic war, for which both the cyber and the information wars had a support function.

The defacements of Georgian government websites began as early as July 20th, when hackers started to roam the Georgian internet at a slow pace. This looked like a reconnaissance operation. Later, just as Russian tanks were rolling into Georgia, well-organized hacktivism, DDoS attacks, an Internet blockade and fake BBC and CNN reports swarmed the Georgian Net all at once.[iv]

These attacks significantly damaged a country that had already been dragged into war. The first-hand effects of these attacks were less visible. The undermining of some governmental websites and several information agencies could not be deemed a severe problem as such. However, the consequent effects were more than just threatening.

*

As said, some of the government websites were attacked and undermined. The Russians have a well-organized network of hackers, some on the payroll and some simply under the influence of the authorities. Besides, there are lots of so-called “hacktivists” influenced by propaganda and always willing to try something new, if allowed. Fortunately for them, the StopGeorgia.ru forum was created to instruct various Russian hackers and direct their attacks toward specific targets in Georgia. Apart from providing the list of Georgian targets, the forum also included intensive discussions, the biggest portion of which was dedicated to DDoS attacks and new techniques to achieve the desired results. For instance, there was discussion of the use of SQL injection vulnerabilities against Georgian information sites, because traditional DDoS attacks against robust websites can require thousands of bots simultaneously attacking the victim server, whereas exploitation of SQL injection vulnerabilities requires only a handful of attacking machines; there were lots of similar discussions.[v] It is noteworthy that, as specialists explain, SQL injection attacks do not just disable the websites, but enable the attacker to gather further intelligence. Also, in some cases, SQL injection can be used to compromise not only a database but also the machines hosting the database, from where attackers can go on to infect internal networks. To anyone interested in those discussions and techniques, I would highly recommend Jeffrey Carr’s book.
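As an added illustration, not code from the speech or from Carr’s book: the kind of injectable lookup an information site might run, beside its parameterised fix, on a constructed in-memory SQLite database. It shows why such a flaw hands an attacker more than an outage: the vulnerable path leaks a non-public row. The table, titles and search functions are assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed sample data: public articles plus one non-public draft
    # that the site must never serve.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Situation update", 1),
         (2, "Road closures", 1),
         (3, "DRAFT: internal briefing", 0)],
    )
    return conn


def search_vulnerable(conn, term):
    # Flaw: the search term is pasted into the SQL text, so input can change
    # the query's structure instead of acting only as data.
    sql = ("SELECT title FROM articles WHERE public = 1 AND title LIKE '%"
           + term + "%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    # Fix: a bound parameter is always treated as a value, never as SQL,
    # so the same input can only ever be matched as literal text.
    sql = "SELECT title FROM articles WHERE public = 1 AND title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo():
    conn = build_db()
    benign = "update"
    # Input that closes the quoted string and ORs in a condition that is
    # always true; the vulnerable query then ignores the public filter.
    crafted = "' OR 1=1 OR '"
    return {
        "vuln_benign": search_vulnerable(conn, benign),
        "vuln_crafted": search_vulnerable(conn, crafted),
        "safe_benign": search_hardened(conn, benign),
        "safe_crafted": search_hardened(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The detection-side takeaway is the same as the fix: a web request whose search parameter contains quote characters and SQL keywords is worth alerting on, but only parameterised queries make it harmless.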

*

There is a slightly different story for the media. Assaults on the media were two-fold. One was purely cyber-attacks, especially on those media companies which had better reliability. But there was also a mass of disinformation made available to various media channels, which are always hunting for fresh information and consequently transmit the news often without even double-checking it. The Russians had dozens of information agencies prepared to transmit such disinformation. And they did, without any regard for journalistic ethics.

I can give you one example to show how all this worked. Because Georgian sites were down, it was mainly Russian resources that spread information around the world. A friend of mine who comes from Latvia woke up on the morning of August 8 to read that Georgians were killing innocent children and women in South Ossetia. This friend of mine has lived and worked in Georgia for years and knows the situation very well. She immediately contacted the administration of the news portal to ask where they had got this information. It appeared that one of the main Latvian news agencies was spreading it. She then contacted this news agency, and it turned out that the information was coming from a French agency. Finally, she tracked down that the initial source was Russian. Unfortunately, this is not an isolated case, and we are still struggling with the consequences of this failure of our cyber security system.

*

In practical terms, various state and private websites were attacked, including the official websites of the President, the Parliament, the Ministry of Defence and the Ministry of Foreign Affairs, the National Bank, foreign embassies including the UK and US Embassies, TV channels, the press, NGOs and popular forums.

But the invaders were after the side effects of these attacks, and those effects were felt much more strongly. For instance, the real effect of blocking governmental websites was to hinder the spread of official information, while damaging Georgian information resources was meant to hamper the distribution of media information. At the same time, Russian blogs and information resources actively spread misinformation, causing legitimacy problems for government actions and sowing mistrust and panic in the population.

*

The banking sector could have been another victim of cyber intrusions, because there were a number of attacks against banks and insurance companies. Fortunately, the relative underdevelopment of cyber technologies in Georgia meant that the banks’ sites could simply be switched off and online transactions discontinued without severe damage to the economy. But one can easily imagine what the effect of such a “switch-off” would be on advanced e-economies.

The cyber-attacks on Georgian banks had the additional objective of ruining the sector, blocking financial transactions and cutting off any kind of outside support to Georgia. Banking sector problems would also cause additional panic in the population, the entire economy would collapse, and Georgia’s resistance capabilities would be significantly weakened.

*

One more extremely interesting observation, from both theoretical and practical points of view, is that the Russian disinformation machine managed to infiltrate the battlefield as well. The Russians did this through GSM technologies, which they applied in close connection with HUMINT. During the first days of the war, that is, when the Georgians were effectively defending their positions, the Russians found it difficult to bring in reinforcements through narrow gorges, and Russian aviation was not yet in full play, certain individuals kept contacting people they knew in the conflict region and giving them deceptive information about allegedly bombed Georgian cities and destroyed Georgian forces. In other cases, even military servicemen were deceived by SMS messages on the battlefield. Later, there were cases of Russian secret agents directing their troops’ fire by simple GSM phones from within the theatre.

***

To summarize, the Russians intended to achieve the following results through their disinformation and cyber wars:
- A sense of insecurity within the society;
- Mistrust of the government;
- Panic caused by misinformation;
- Hindering of government information policy;
- Direct economic damage;
- Disruption of communication systems;
- Weakened coordination within governmental agencies;
- Dysfunction of command and control systems and subsequent direct physical damage;
- Decreased legitimacy of government activities inside the country and abroad;
- Acquisition of reliable information about the actions and dislocations of Georgian army units and leadership.

***

It is true that the Russian information campaigns brought significant damage to Georgia’s resistance capabilities. This damage would have been much worse if not for the rapid decisions of the government, which were sometimes unpopular and caused additional problems in retaining the trust of society. However, they were needed, and they were made in a timely manner.

In practical terms, several decisions were made which seemed to have no alternatives. First of all, the hosting of government resources was rapidly changed, and the vast majority of them were switched to hosting promptly offered by partner nations.

The next decision was to block Russian resources. Several social networks and popular forums were blocked, because it was practically impossible to control misinformation. Russian TV channels were also blocked.

As for the banks, they never stopped functioning, but they ceased online activities immediately after the first attack.

Of course, there were areas where it was simply impossible to fight back. For instance, blocked Russian online resources could be reached through proxy servers, and despite our attempts to block those servers too, the Russians dynamically renewed them and the information spread rapidly among the population.

Considering the natural interest of society in any kind of information, no Georgian resources were blocked, despite the fact that some of them were spreading unverified information, which was particularly destructive in times of war.

***

It is interesting that the cyber-war caused very harmful results for a country that, by August 2008, was relatively underdeveloped in terms of information technologies. Only 7% of the population had access to the internet at the time. Georgia was connected to global networks through 10 channels, half of which passed through Russian territory. The other connections, mainly provided by Turkish and Azeri companies, were subsequently routed through Russia as well, and this created convenient conditions for waging cyber-attacks and isolating the Georgian segment from the global net.

Attackers also gained control of the routers of third-country internet providers, so they could control part of Georgian internet traffic and isolate certain segments of the internet.

***

In recent years, information technologies have been growing rapidly in Georgia. Compared to 2008, by 2010 already 28% of the population (four times more) was using the internet. The volume of electronic services provided by the state and private sector has dramatically increased. Hence, it is obvious that we need well-equipped professionals capable of acting flexibly and dynamically in crisis situations.

In conclusion, we could say that cyber war, despite its special character, still depends significantly on the traditional components of security. Its physical side is so important that I would even call it cyber geopolitics. This covers the placement of the cables connecting to global networks, the degree of their diversification, and the points of their interconnection. Is it possible to protect the segments of the global network? Is it possible to apply special norms and mechanisms, including in international legislation? Is a broad consensus possible on this issue? These are very important questions for envisioning the character of our cyber-future.

***

It is also very clear that the traditional ingredients of information policy and security are still relevant. This includes the concepts of society’s general development, social consolidation and consensus, the level of trust in the government, unity of values, and so on.

These concepts are important not only for reducing damage during a cyber-war, but also for countermeasures and effective defence. Governments, organizations and significant parts of society should have enough knowledge of the relevant technologies to at least protect themselves and not fall victim to intruders. The importance of having proper skills in the business sector and in governmental agencies is obviously hard to overestimate.

After the war, Georgia drew the following lessons:
- Better coordination;
- Smarter legislation;
- Better education;
- Diversification of physical infrastructure.

It is not easy to implement all of the above, because it needs huge resources, time and energy. But with their proper combination it is indeed not impossible. As an example, after the war a cyber security strategy was developed in Georgia, and the National Security Council became the main policy coordinating body of the country. The Strategy addresses challenges to the legal normative base and institutional coordination issues. Moreover, mechanisms for increasing social awareness and establishing an educational base are identified.

Among practical activities, it is worth mentioning that quite recently a governmental Computer Emergency Response Team (CERT) was created in Georgia, and it has already become a member of Trusted Introducer, which is the association of similar European centers.

We also have specific decisions in the educational system. For example, in the National Defence Academy of Georgia a special program in information technologies was launched at BA level, and we are working on a special Master’s program in cyber security.

We understand from our lessons that cooperation with partners in this sphere is crucially important. For this reason, we work on the changes mentioned not alone but together with our friends. On the other hand, we take a regional approach in our schools and are trying to enhance the educational level in the entire region, not only in Georgia.


I hope that, by sharing experience and knowledge with each other, we will all be able to respond to these challenges in time and live in a more cyber-secure world.



[i] J. Carr, Inside Cyber Warfare, O’Reilly, 2010, p. 164
[ii] Ibid., p. 167
[iii] Russia’s Rapid Reaction, IISS Strategic Comments, Volume 14, Issue 07, Georgia Crisis Special Issue
[iv] Kh. Mshvidobadze, State Sponsored Cyber Terrorism, Georgian Security Analysis Center, p. 2
[v] J. Carr, Inside Cyber Warfare, O’Reilly, 2010, p. 141
