Hands Off The Ballot, Or It's Infowar!
Cyberguerrillas speak for East Timor

East Timor held a referendum today to decide the question of its independence from Indonesia, but there's no guarantee that this election will be enough to defuse an ugly situation. Nobel laureate Jose Ramos-Horta is coming out fighting: If voting doesn't work, he's threatening to launch a cyberguerrilla campaign that will bring down the Indonesian government.

By Duncan Frissell, in the Scope section, August 30, 1999

East Timor, which occupies half of the island of Timor, was on the road to independence in 1975 when Indonesia invaded. Ramos-Horta, the co-winner of the 1996 Nobel Peace Prize, has worked to free the former Portuguese colony throughout 24 years of rape, torture and forced sterilization -- and some 200,000 Timorese dead. Thanks to Indonesia's current political weakness, he may well succeed.

Horta has warned that Indonesian interference with the referendum would be met by an attack against Indonesia by "computer hackers who would penetrate the entire Indonesian banking system, finance system, [and] governmental institutions in order to create havoc, chaos that would cost them hundreds of millions of dollars." He also claimed that a dozen computer viruses had already been created to infect communications and transportation systems in the country. The alleged troops for this infowar consist of more than 100 hackers from the US and Europe, most of them in their late teens.

This declaration of infowar is not the first. It's not even the first involving Indonesia. In fact, a Portuguese hacker may have opened the modern era of international cyberconflict on February 11, 1996, when he hacked a computer belonging to the Indonesian Department of Foreign Affairs and destroyed a number of computer files. And Indonesia itself has been accused of infowar. Last January, an Irish ISP that provides support for East Timor's country code domain (.tp) accused the Indonesian government of attacking its servers.

In recent months, international infowar has seemingly become a popular pastime, particularly in China. We've seen reports of China attacking Canadian ISPs hosting the Web sites of the banned Falun Dafa (or Falun Gong) religious sect. China's People's Liberation Army has called for the creation of a special Hacker Force trained to attack China's enemies over the Internet.

Threat...or Mere Menace?

Students of war know that God fights on the side with the heaviest artillery. Just how heavy is the artillery of modern infowar? Aside from annoying attacks on each other's Web sites and Net servers, how realistic is Mr. Horta's threat to use cyberattacks to take down the Indonesian economy?

We asked computer security expert and Internet Engineering Task Force member Perry Metzger, president of Piermont Information Systems, whether he thought Indonesia was under a genuine threat of economic disruption. "I find the claims lacking in credibility," he said.

"Indonesia is a Third World country. Their infrastructure is not automated enough or networked enough to be easily disrupted purely over the Internet. It would be possible to disrupt the functioning of a country like Indonesia, but it would take brains, money, organization, and motivation that I'm not sure Mr. Ramos has.

"An attack would have to be carefully planned, and the attackers would need a great deal of specific information about the locations and nature of the computers and electronic control systems that are to be attacked. Just the first step of conducting such an attack -- the gathering of such intelligence -- requires large amounts of time, money, and expertise."

Additionally, Mr. Metzger pointed out that such an attack would not be done with computer viruses or amateur hacking, as Mr. Ramos implied. It would require substantial coordination, inside intelligence, some physical attacks on infrastructure, and fairly dramatic resources.

Computer security experts generally agree that viruses are difficult to use in attacks on mainframe computers or the specialized electronic equipment that is sometimes used to control a country's commercial and physical infrastructure. Hackers don't usually have these sorts of computers or equipment around to practice with, so they're not as familiar with mainframe hardware and operating systems. Large computer systems are usually customized, so it's hard to predict the operating environment a virus will face. And electronic control systems make extensive use of embedded program chips (software in hardware) that don't load other programs. Thus, they can't be fooled into loading virus programs.

Mr. Metzger continued, "Many of the targets in the sort of attack that Mr. Ramos is threatening are not even physically connected to international computer networks. Attempting to disrupt them would require physically destroying their communications links, power sources, or the machines themselves. The most successful attacks on the information infrastructure of a country are best carried out physically by cutting fiber-optic cables, power lines, and such. The US did not attack Serbia with computer viruses in spite of an obvious desire to do so. Even our most elegant nonlethal attacks on the country -- disrupting their electric power grid and telecommunications -- involved physical devices dropped from airplanes."

"What hackers could more easily do -- and actually routinely manage to accomplish -- would be to deface Indonesian Web sites or disrupt communications links."

These sorts of attacks usually exploit well-known security holes in the mail servers, Web servers and name servers that computers use to exchange information with distant machines over the Internet.

Computers controlled by the attacker may hit the target machine with thousands of synchronization ("SYN") requests that are never completed. This "syn flood" attack is the TCP/IP equivalent of tying up someone's phone line with constant hang-up calls. A computer hit with a syn flood will refuse all new connection requests (including legitimate ones) until its connection queue clears.
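
The queue behavior described above can be seen in a small model. This is an added example, not part of the original article; it sends no network traffic, and the queue size, timeout and addresses are constructed assumptions.

```python
# Toy model (constructed, no network traffic): a listener's half-open queue.
BACKLOG = 128        # assumed queue size
SYN_TIMEOUT = 30.0   # assumed seconds a half-open entry is kept

class Listener:
    def __init__(self, backlog=BACKLOG, syn_timeout=SYN_TIMEOUT):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}          # peer -> time at which the entry expires

    def _expire(self, now):
        # Entries whose handshake never completed are dropped at timeout.
        self.half_open = {p: t for p, t in self.half_open.items() if t > now}

    def on_syn(self, now, peer):
        """First handshake step. Returns False when the queue is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open[peer] = now + self.syn_timeout
        return True

    def on_ack(self, now, peer):
        """Final handshake step. Frees the slot; True if one was pending."""
        self._expire(now)
        return self.half_open.pop(peer, None) is not None

def simulate():
    srv = Listener()
    # Constructed flood: 1000 requests in the first second, none completed.
    flood = [srv.on_syn(i / 1000.0, ("198.51.100.7", 1024 + i))
             for i in range(1000)]
    client = ("203.0.113.20", 40000)      # constructed legitimate client
    during = srv.on_syn(5.0, client)      # queue is still full
    after = srv.on_syn(31.5, client)      # stale entries have timed out
    completed = srv.on_ack(31.6, client)  # client finishes its handshake
    return {
        "flood_queued": sum(flood),
        "flood_dropped": flood.count(False),
        "client_during_flood": during,
        "client_after_timeout": after,
        "client_completed": completed,
        "half_open_left": len(srv.half_open),
    }

if __name__ == "__main__":
    print(simulate())
```

The legitimate client is refused while the queue holds only abandoned requests, and is accepted once those entries time out, which is the "until its connection queue clears" condition.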

The most common hacker attack against Web sites uses weaknesses in the UNIX or NT operating systems to gain control of the target Web server and substitute the attacker's own Web pages for the originals. This can be quite annoying, particularly if it happens several times in a row, as happened to the FBI recently. It tells the world that the controller of a Web site doesn't know how to properly secure it. But no physical damage is done.

Winning Through Intimidation

Though most hacker attacks are more annoying than dangerous, they can have an impact out of proportion to their actual harm. In the post-Cold War world, many insurgencies such as East Timor's are fought more with publicity than with weaponry. It is much cheaper to give a newspaper interview than to equip a squad of armed guerrillas.

In this new kind of PR war, hacker attacks on "enemy" Web sites can play an important role. Defacing or taking down an enemy's Web site is a very public act. It creates the perception of vulnerability. The public is unable to distinguish between weak Internet servers and the security of more vital computer or electronic systems operated by the same organization.

Thus, whether or not Mr. Horta is bluffing about the existence of his Hacker Guerrilla Army isn't the point. In modern cyberwar, the threat is given more weight than the reality. This is not completely new. Even in conventional warfare, defeat is not the pure application of force. It is a process that occurs in the mind of the enemy. Beset by economic and political collapse and numerous religious and regional conflicts, Indonesia may lose its cyberwar with East Timor -- without a shot being fired.

Duncan Frissell, an attorney, writer, and privacy consultant, has worked in what he insists on calling the "Right Wing Nut Investment Community" for more than 20 years.