On January 3, a Saudi hacker group called, "Group-XP" claimed that it had stolen half a million Israeli credit cards. The Bank of Israel claims their exposure is information on only 15,000 credit cards, all of which were immediately blocked. The hacker group's stated purpose was to see Israeli cards fall into disrepute, "like the Nigerian cards." The cracker, "0xOmar" is identified as the individual performing the hack, and says he plans to publish information on an additional 200 cards per day.
In response to the Saudi hack release of user credit information, an Israeli hacker going by the name of "OxOmer" ("O" instead of zero, "e" instead of "a"), aka Omer Cohen, has published the information on hundreds of Saudi credit cards. Cohen, a soldier in the Israeli Defense Force (IDF), says he published the information as a "deterrent." The card info was apparently used to purchase goods on Saudi websites, thereby ratcheting things up a little by not just releasing information, but stealing funds.
Cohen believes his government has not responded quickly nor strongly enough. This "deterrent" language, of course, mirrors the military language of providing overwhelming negative consequences to keep an opponent from acting in the future. The news of the world does indeed talk up electronic hacking and cracking though the use of military terms, but there are those who argue that cyberwar doesn't really exist - at least not yet.
I would expect that none of the credit card information released belonged to either of the hackers, but rather to "innocent bystanders." Cohen apologized if any innocent people were hurt by his actions.
In this sense, at least, this small conflict mirrors (however weakly) the world's real wars with their "collateral damage." A columnist in the conservative Jerusalem Postsays that the credit cards really belong to users living in the United States, but that in any case, this kind of cyber-fighting is better than fighting by using objects of the material world, such as bullets or missiles.
And really, who's to say he doesn't make a very good point?
Regarding the debate noted above - does cyberwar really exist? - an article by Jeffrey Carr in Slate online magazine entitled, "What Is Cyberwar?" asserts that "We" don't really know how to define an act of cyberwar. That's "We," the international community, We the U.S. Senate, We the Department of Defense.
Currently, NATO's Cooperative Cyber Defence Centre, one of NATO's fifteen Centers of Excellence says that cyber aggression rises to the level of an act of cyberwar only if it is done in conjunction with a physical attack AND can be attributed to a specific government AND if it can be shown that the attack caused injury. Otherwise, there is no legal basis on which to use force against an aggressor - that is, counterattack. This opinion dates from 2008, in the absence of other international treaties on the subject. Furthermore, in a 2010 Wired interview the US cyberczar, Howard Schmidt, famously said, "There is no Cyberwar." Only online crime and espionage.
By both of these perspectives, the 2009/2010 Stuxnet worm that damaged Iran's nuclear centrifuges and set back that country's uranium enrichment efforts was an act of sabotage, not cyberwar. The 2008 Russian military attack on Georgia that coincided with a seemingly Russian-coordinated cyber attack (for while there may not be an agreed-upon definition of cyberwar, there clearly are cyberattacks) wasn't an act of cyberwar because it couldn't be proved that Russia carried out the cyber portion of the attack, nor could it be shown that the cyber part caused injury.
The news has been full of stories about the many attacks and acts of espionage against targets in the USA originating from IP addresses in China. But apparently no one can adequately prove that the Chinese government was the entity that carried out these attacks.
So, what does what does describe an actionable act of War By Computer? If millions of dollars, hundreds of companies and governments can't place the cyberfinger on a given government with the resources at their cybercommands, what will it take?
Could it be a good thing that no act of war is legally actionable against a cyberattack? Or does a lack of definition or agreement make damaging attacks by state actors more likely? What do you think, dear reader?
Steve Burgess is a freelance technology writer, a practicing computer forensics specialist as the principal of Burgess Forensics, and a contributor to the just released Scientific Evidence in Civil and Criminal Cases, 5th Edition by Moenssens, et al. Mr. Burgess may be reached at http://www.burgessforensics.com or via email at steve@burgessforensics.com
No comments:
Post a Comment