Cyber warfare is very similar in nature to the naval warfare. In international water navy encounters enemy warships, large merchant vessels, small merchant ships, fishing boats and guised surveillance ship from all directions. There are no borders to clearly establish that everything on other side belongs to enemy assets. Though there are Sea-Lanes-of-Communication but two ports are actually on connectionless service and no ship is bound to follow SLOC. In cyberspace IP address is the flag which every asset on the Internet displays but ruse is not uncommon. It is therefore necessary to identify the cyber assets positively in any cyber-conflict before any aggressive response is initiated. Wearing flag of convenience is common by sea vessels as well as cyber assets.
Tallinn Manual while drawing the rules for Cyber War has based the identity of any cyber-asset on its territorial linkages. If Tallinn Manual is used as start point for taking any decision on ‘Laws of Cyber Conflict’, then geo-spatial tagging will be a critical in deciding whether an act by a military leader amounts to war-crime or not. It is therefore necessary that any attack or counterattack in any cyberwar should be focused primarily using geospatial intelligence rather than general purpose destructive force. That is why cyber weapons such as Stuxnet, Duqu and Flame are geographically focused and are unlike other normal viruses and malwares which are general purpose to infect every vulnerable system.
Advanced Persistent Threats (APT) are selecting specific targets based on location, similarly large data mining and analytic tools are also focused to attack based on geospatial information. Operations Titan Rains, Olympic Games, ATP1, Night Dragon, and Ghostnet are all pre-war surveillance. Only Operation Orchard and Stuxnet can be called acts of Cyberwar and both operations had target location mechanism built into them. Therefore unlike other acts in cyberspace geolocation of a target is critical.
There are several techniques for IP- geolocation. Some of them are host-dependent while other are independent of host and based purely on IP address to get physical location. A brief on some of the techniques used for IP-Geolocation are discussed below.
A. Global Positioning System. Global Positioning System has become a standard fit in most of the mobile devices and tablets. The GPS uses Doppler Effect of satellites orbiting in the space. The accuracy which is achieved by non-military GPS system is about to 2 meters, it can also provide information related to altitude of the system. Most of the social-media application such as twitter, Facebook, Instagram, has integrated geolocation tagging for the images. Photographs taken by inbuilt GPS devices also have the capability of IP- geolocation tagging with the photographs. While gathering data from such device application by twitter, Google, Microsoft, Facebook, and others that correlate the IP address with geolocation of the device. In fact in a incident, where the location of the INS Vikramaditya on her maiden passage to India got compromised through social-media due to auto geolocation tagging of the photographs. The GPS project was developed in 1973 is run by US Department of Defense. Other similar systems such as Russian’s – Global Navigation Satellite System (GLONASS) , European’s – Galileo , China’s – Compass Navigation System and India’s – Indian Regional Navigation Satellite system, though exist are not extensively used with the IP enabled devices.
B. Wifi Positioning system (WiPS). WiPS is used where GPS system is not installed or switched off or signals are blocked. Each WiFi device in the world is unique through the combination of its Service Set Identification (SSID) and Media Access Control address (MAC address). Various commercial companies such as Google, Infsoft, Navizon, AlterGeo, Skyhook Wireless and Combain Mobile provide the services of IP-geolocation through WiPS, the location of the WiFi system is collated in database while other geolocation tools such as GPS are used on a device with enabled WiFi services. In fact once the geolocation of a WiFi hotspot is fixed the location of the computers using WiFi can also be found out remotely. Using signal strength techniques accuracy less than 1 meter can be achieved.
C. Mobile networks. The mobile phones using mobile networks of GSM or CDMA can provide geolocation information of such devices even in absence of GPS and WiFi receivers. The technique of geolocation in this based on delayed time between the mobile phones and the cell tower, whose position is fixed and known. Accuracy through this technique is reasonably course. In case these mobiles phones are using GPRS, 3G or 4G services, then it automatically provides IP geolocation.
D. Anti-theft hardware. Most of the motherboards of computers, laptops and mobile devices have inbuilt features for remote activation for anti-theft mechanism. These anti-theft mechanisms keep continuously gathering geolocation information of the host, as and when same is reflected in any application. This collated information is then used to develop reasonably accurate geo location of the device. In addition it can ping back the mother-site through well-established geolocated servers, where delayed times through various routes can provide reasonable accurate IP-geolocation. The leading company providing such services is Computrace.
E. Device independent IP geo location. There exists a reasonably high possibility that computers may not be fitted with features such as GPS, GSM or CDMA. There exist several client independent geolocation techniques to link IP address with the physical location. One of such techniques is using geolocation method at each step to improve the accuracy in iterative manner using time delay calculations in following sequence:
- Harvest Geolocation on the web of well-known servers in an area.
- Geolocating primary servers of ISP.
- Geolocating last mile routers of ISP.
- Time delay between last mile router and the host.
F. Non-Technical – web based information.
a. Traceroute – Traceroute fired from multiple locations to an IP address can provide IP geolocation by calculating time delay between various routes.
b. Information provide in whois records can give reasonable accuracy of such servers. The whois records are publically available. When compared with location of such companies in many cases geolocation at least up to Zipcode/ Pincode level can be established.
G. Non-Technical – Database of ISP
Stealing or legally getting information from ISP of their registered users details can also provide a reasonable accurate geolocation.
Determining geographical location of an Internet Protocol host is valuable for many Internet based application including marketing and anti-fraud activity. However in planning and execution of Cyberwar, IP-Geolocation has far more important value. Some of the applications of IP-geolocation in Cyberwar are:
(a) Allocation or area of responsibility to Cyberwar Sector Commanders
(b) Implementation of Rules of Engagement
(c) Avoiding fratricide
(d) Avoiding over-concentration of fire power or leaving gaps in attacks
(e) Encirclement and isolation of heavily defended Cyber Targets.
(f) Minimizing collateral damages
(g) Simplify Battle Damage Analysis (BDA) of cyber-attack or real-world attack.
(h) Control intensity and pace of cyber conflict.
(i) Integrate HUMINT and kinetic (physical) weapon attack with cyber-attack.
And many more.
Cyberwar in future may be launched independently or in prelude to or in support of real world conflict. An unstructured cyber-attack based on opportune target methodology (as presently being practiced) can be counter-productive to the objective of the mission. To properly control the scope, pace and intensity of cyberwar, it is necessary to IP-geolocate the target host. Therefore IP-geolocation of enemy targets is a precondition for launching any effective cyber-offensive.
Picture Credit: www.cyberwiser.eu
By Commander Mukesh Saini (Retd.)
Former National Information Security Coordinator (GOI)