A New Breed Of Hackers Tracks Online Acts of War

"We rely on local experts to help us find out why a particular site is being blocked," Deibert said. It could be a problem with the Internet service provider, a temporary connection glitch or a downed server. "But what's more effective is blasting a site into oblivion when it is strategically important. It's becoming a real arms race."

He's referring to "denial of service" attacks, in which hundreds of computers in a network, or "botnets," simultaneously bombard a Web site with millions of requests, overwhelming and crashing the server. In Georgia, such attacks were strong enough to knock key sources of news and information offline for days.

Georgian Internet service providers also limited access to Russian news media outlets, cutting off the only remaining updates about the war. On the night of Aug. 12 -- the height of the fighting -- "there was panic in Tbilisi brought about by a vacuum of information," Rohozinski said.

Shadowserver saw the first denial of service attack against Georgia's presidential Web site July 20. When the fighting began, Andre M. Di Mino, Shadowserver's founder, counted at least six botnets launching attacks, but it was "difficult to tell if it was a grass-roots effort or one commissioned by the government."

The organization detects between 30 and 50 denial of service attacks every day around the world, and Di Mino said they have become more sophisticated over the past two years.

"It really went from almost a kiddie type of thing to where it's an organized enterprise," he said. But he's hesitant to label this month's attacks as a form of cyberwar, although he expects networks to play an expanded role in political clashes.

Jose Nazario, a security researcher with Arbor Networks, said cyber attacks used to target a computer's operating system. But he's seen a "tremendous rise" in attacks on Web browsers, allowing attackers access to much more personal information, such as which sites a person visits frequently. An attacker then could learn which servers to target in order to disrupt communication.

It's unclear who is behind the attacks, however. In some cases, the locations of botnet controllers can be traced, but it's impossible to know whether an attacker is working on the behalf of another organization or government. "It's going to take a year to figure this out," Nazario said.

The data trail often goes cold when it crosses borders because there is little legal framework for such investigations. And many countries, along with the United Nations and other international bodies, are still weighing whether a cyber attack is an act of war.

"If a state brings down the Internet intentionally, another state could very well consider that a hostile act," said Jonathan Zittrain, co-founder of Harvard's Berkman Center for Internet Society, and a principal investigator for the OpenNet Initiative.

There are also strategic reasons not to disrupt networks in order to monitor the enemy's conversations or to spread misinformation.

"That's an amazing intelligence opportunity," he said.

Using the Internet to control information can be more important than disrupting the networks when it comes to military strategy, Rohozinski said. In Georgia, for example, the lack of access to both Georgian and Russian sources of information kept citizens in the dark while the fighting continued.

"Sometimes the objective is not to knock out the infrastructure but to undermine the will of the people you're fighting against," he said. "It's about the nuts and bolts, but it's also about how perceptions can be shaped through what's available and what's not."