What is iWar?
iWar is distinct from what the United States (US) calls ‘cyber war’ or from what China calls ‘informationalized war’. These refer to sensitive military and critical infrastructure assets, and to battlefield communications and satellite intelligence. China’s December 2006 Defence White Paper, for example, refers to the importance of gaining supremacy in space to control information assets such as satellites.
It refers to attacks carried out over the internet that target the consumer internet infrastructure, such as the websites providing access to online services.
In contrast, iWar exploits the ubiquitous, low security infrastructure. It refers to attacks carried out over the internet that target the consumer internet infrastructure, such as the websites providing access to online services. While nation states can engage in “cyber” and “informationalized” warfare, iWar can be waged by individuals, corporations, and communities.
For an example of iWar, take Estonia, 27 April 2007. A blizzard of distributed denial of service (DOS) attacks hit important websites. This continued until mid-June. The website of the president, parliament, ministries, political parties, major news outlets, and Estonia’s two dominant banks were all hit.
Just one day before the attacks started, a bronze statue commemorating the Soviet liberators of Tallinn was cordoned off, and removed two days later.
Estonia’s Defence Minister called the attacks ‘a national security situation. It can effectively be compared to when your ports are shut to the sea’.
How does iWar work?
A denial of service (DOS) attack bombards a high volume of information requests to overwhelm a computer or networking system on the internet. This can render the system unable to respond to legitimate requests, which could include providing access to a particular website. DOS attacks have existed in various forms since at least as early as the “Morris Worm” in 1988.
A distributed denial of service (DDOS) attack operates on the same principle. But it multiplies its impact by directing a “botnet” of networked computers that have been remotely hijacked to bombard the target system with many requests at the same time.
Botnets can be controlled by a single individual. Some botnets in the attacks on Estonia included up to 100,000 machines.
The new internet networking standard, IPv6, which was initially expected to mitigate many security risks, may in fact increase vulnerability to DDOS attacks.
What makes iWar likely?
I suggest that five characteristics of iWar indicate that it has the potential to revolutionize conflict, including its
- potential to extend the franchise of offensive action;
- geographical reach;
- ease of proliferation; and
- impact on “e-ready” targets.
Taken together, these characteristics suggest that the advent of iWar may mark a new military revolution on a par with the adoption of gun powder or the Napoleonic levee en masse.
First, like the early matchlock musketeer, the iWar attacker is equipped with cheap, powerful technology that requires only a modest amount of training. iWar can extend the franchise of offensive action to an unprecedented number of amateurs, whose sole qualification is their connection to the internet.
Second, iWar is unhindered by the expense and effort that often accompany offensive action against distant targets. Conventional kinetic offensive technology relying on physical assets is not only expensive, but also comparatively slow. While its damage is unconventional, iWar belligerents can inflict quick damage from anywhere, on anywhere, at virtually no cost.
Third, iWar is deniable and difficult to punish. Today it is still unclear whether the Estonia attacks were a “cyber riot of hacktivists”, or whether they were officially sanctioned. Even if official culpability could be proven, it is unclear how one state responds to an iWar attack by another.
Business organizations are likely to become increasingly dependent on internet technologies in their internal operation by using internet based applications such as Google “docs & spreadsheets” to replace conventional packages such as Microsoft Office. So iWar threatens not only interactions between organizations and their clients, or between state and citizen, but also the internal operations of organizations.
What’s the response?
No single state has complete control over the internet. It is a universal resource – like the seas. Protective policy in the past prompted the development of new international norms of behaviour, such as informal customary laws to protect access to the sea. The question remains whether a similar legal framework will evolve to protect access to the internet in the long term.
The Comprehensive Political Guidance adopted by NATO heads of state and government in November 2006 includes ‘the ability to protect information systems of critical importance to the Alliance against cyber attacks’ among its capability requirements in the next decade and a half.
Sharing information at NATO level will allow for early warning of suspicious activity and profiling of possible iWar attacks. Some NATO members have already moved to protect themselves from internet age threats by establishing national Computer Emergency Response Teams (CERT).
Coordinating these CERTs at NATO level, in cooperation with the European Union, would be a useful step to limit the impact of iWar attacks in the short term. For example, if an attack on a Czech website by a user on a French network is detected, the Czech CERT can request its French counterpart to cut the connections used in the attacks.
The Estonian example illustrates the need for immediate action. The Estonian CERT was only established in 2006, and many governments have yet to establish their own CERT teams.