Although there are no borders in cyber world, cyber attacks are not always generic, and are many times directed towards a particular country. The writer thus feels that geospatial tagging is critical in deciding a country´s response to a cyber attack
Cyber warfare is very similar in nature to naval warfare. In international waters, navy encounters enemy warships, large merchant vessels, small merchant ships, fishing boats and guised surveillance ships from all directions. There are no borders to clearly establish that everything on the other side belongs to enemy. Though there are Sea-Lanes-of-Communication (SLOC) but two ports are actually on connectionless service and no ship is bound to follow SLOC. In cyberspace, IP address is the flag which every asset on the Internet displays but ruse is not uncommon. It is therefore necessary to identify the cyber assets positively in any cyber-conflict before any aggressive response is initiated. Wearing flag of convenience is common for sea vessels as well as cyber assets.
Rules of Cyber War
Tallinn Manual, while drawing the rules of cyber war, has based the identity of any cyber-asset on its territorial linkages. If Tallinn Manual is used as start point for taking any decision on ‘Laws of Cyber Conflict’, then geospatial tagging will be critical in deciding whether an act by a military leader amounts to war crime or not. It is therefore necessary that any attack or counterattack in any cyberwar should be focussed primarily using geospatial intelligence rather than general purpose destructive force. That is why cyber weapons such as Stuxnet, Duqu and Flame are geographically focussed and are unlike other normal viruses and malwares which have a general purpose to infect every vulnerable system. Advanced Persistent Threats (APT) are selecting specific targets based on location. Similarly, large data mining and analytic tools are also susceptible to attacks based on geospatial information. Operations Titan Rains, Olympic Games, ATP1, Night Dragon, and Ghostnet are all pre-war surveillance. Only Operation Orchard and Stuxnet can be called acts of cyber war. Both operations had target location mechanism built into them. Therefore, unlike other acts in cyber space, geolocation of a target is critical.
Techniques for IP-geolocation
There are several techniques for IP- geolocation. Some of them are host-dependent while others are independent of host and based purely on IP address to get physical location. A brief on some of the techniques used for IP-geolocation are discussed below.
- GPS: It has become a standard fit in most of the mobile devices and tablets. The GPS uses Doppler Effect of satellites orbiting in the space. The accuracy which is achieved by non-military GPS system is about 2 meter, it can also provide information related to altitude of the system. Most of the social media applications such as Twitter, Facebook, Instagram, etc., have integrated geolocation tagging for the images. Photographs taken by inbuilt GPS devices also have the capability of IP- geolocation tagging with photographs. Also, one can gather data from such device application by Twitter, Google, Microsoft, Facebook, and Credit: Fotolia others that correlate the IP address with geolocation of the device. In fact in a recent incident, the location of the INS Vikramaditya on her maiden passage to India got compromised through social media due to auto geolocation tagging of the photographs. The GPS project, which was developed in 1973 is run by the US Department of Defense. Other similar systems such as Russia's GLONASS, Europe’s Galileo and China’s Compass, though in existance, are not extensively used with the IP enabled devices.
- WiFi Positioning System (WiPS): It is used where GPS system is not installed or switched off or signals are blocked. Each WiFi device in the world is unique through the combination of its Service Set Identification (SSID) and Media Access Control address (MAC address). Various commercial companies such as Google, Infsoft, Navizon, AlterGeo, Skyhook Wireless and Combain Mobile provide the services of IP-geolocation through WiPS. The location of the WiFi system is collated in a database while other geolocation tools such as GPS are used on a device with enabled WiFi services. In fact, once the geolocation of a WiFi hotspot is fixed, the location of computers using WiFi can also be found out remotely. Using signal strength techniques, accuracy less than 1 meter can be achieved.
- Mobile Networks: The mobile phones using mobile networks of GSM or CDMA can provide geolocation information of such devices even in the absence of GPS and WiFi receivers. The technique of geolocation is based on the delayed time between mobile phones and the cell tower (whose position is fixed and known). Accuracy through this technique is reasonably course. In case, these mobiles phones are using GPRS, 3G or 4G services, then it automatically provides IP geolocation.
- Anti-theft Hardware: Most of the motherboards of computers, laptops and mobile devices have inbuilt features for remote activation for anti- theft mechanism. These anti-theft mechanisms keep continuously gathering geolocation information of the host, as and when same is reflected in any application. This collated information is then used to develop reasonably accurate geolocation of the device. In addition, it can ping back the mother-site through well-established geolocated servers, where delayed times through various routes can provide reasonably accurate IP-geolocation. The leading company providing such services is Computrace.
- Device Independent IP Geolocation: There exists a reasonably high possibility that computers may not be fitted with features such as GPS, GSM or CDMA. There exist several client independent geolocation techniques to link IP address with the physical location. One of the techniques is using geolocation method at each step to improve the accuracy in iterative manner using time delay calculations in the following sequence:
- Harvest geolocation on the web of well-known servers in an area
- Geolocating primary servers of ISP
- Geolocating last mile routers of ISP
- Time delay between last mile router and the host
- Non-Technical – Web Based Information . Traceroute – Traceroute fired from multiple locations to an IP address can provide IP geolocation by calculating time delay between various routes.
Non-Technical – Database of ISP
Stealing or legally getting information from ISP of their registered users details can also provide a reasonable accurate geolocation.
- Determining geographical location of an Internet Protocol host is valuable for many Internet based applications including marketing and anti-fraud activity. However, in planning and execution of cyber war, IP-geolocation has far more important value. Some of the applications of IP-geolocation in cyber war are:
- Allocation or AoR to cyber war sector commanders
- Implementation of rules of engagement
- Avoiding fratricide
- Avoiding over-concentration of fire power or leaving gaps in attacks
- Encirclement and isolation of heavily defended cyber targets
- Minimising collateral damages
- Simplify Battle Damage Analysis (BDA) of cyber attack or real world attack
- Control intensity and pace of cyber conflict
- Integrate HUMINT and kinetic (physical) weapon attack with cyber attack
And many more.
Cyber war in future may be launched independently or in prelude to or in support of real world conflict. An unstructured cyber attack, based on opportune target methodology (as presently being practiced), can be counter-productive to the objective of the mission. To properly control the scope, pace and intensity of cyber war, it is necessary to IP-geolocate the target host. Therefore, IP-geolocation of enemy targets is a pre-condition for launching any effective cyber offensive.