Assignment

Individual

D6058 – Dr.rer.nat. Ditdit Nugeraha Utama

Session 09
To be Submitted Week 10

COMP8046 – Fundamental of Cyber Security


Please answer the questions below:
1. What are IoT security challenges?
Security is critical to IoT applications due to their close interaction with the physical world. In
Internet communication, based on TCP/IP, IP has the task of delivering packets from the source
host to the destination host solely based on the IP addresses in the packet headers. For this purpose,
IP defines packet structures that encapsulate the data to be delivered. It also defines addressing
methods that are used to label the datagram with source and destination information. As the most
widely used security protocols on IP networks, TLS and its datagram variant DTLS are the main
protocols offering end-to-end secure communications between a server and a client. TLS has
two main constituent protocols: the handshake protocol, responsible for key exchange and
authentication, and the record protocol, responsible for a secure channel for handling the delivery
of data. This makes the security of all IP-based communications channel-based. Secured-channel
solutions, however, do not fit into IoT environments for several reasons:
a. The first issue with channel-based security is the overhead of establishing a secure channel.
Both TLS and DTLS require two or more rounds of security handshake to authenticate a
channel and negotiate the security parameters, before the first application data is sent out.
The second issue is that both ends of a channel have to maintain the states of the channel
until it is closed. This may impose a high pressure on memory usage when a device needs
to communicate with many peers simultaneously in a densely meshed network. Third,
channel-based security does not guarantee the security of request-response once the
application data get out of the channel. This is most troublesome when the middleboxes,
like caches and proxies, are deployed to cache the application data. The resource owners
need to trust the middleboxes to enforce the access control policies correctly, while the
resource requestors need to trust the middleboxes to provide authentic data without
tampering. The limitations above highlight the need for a different security model for IoT
applications.
b. Insufficient authentication/authorization—If recent attacks on the Internet using smart
home monitoring cameras, resulting in distributed denial of service (DDoS), are any
evidence, the IoT with its growing mesh of heterogeneous devices, whose users and devices
rely on weak and simple passwords and authorizations, is a growing security quagmire.
c. Lack of transport encryption—Most devices fail to encrypt data that are being transferred,
even when the devices are using the Internet.
d. Insecure Web/mobile interface—Most of the billions of IoT-based devices connect on the
Internet using bridging communication protocols and device management schemes that do
not do an effective job.
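
The third limitation in item (a), that data is unprotected once it leaves the TLS/DTLS channel and sits in a cache or proxy, can be addressed by authenticating the data object itself rather than the channel. The sketch below is an added example, not part of the original assignment; the HMAC-based scheme, the shared demo key, the `seal`/`verify` helpers and the sensor names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): stands in for a secret provisioned
# on the device and shared with the consumer.
DEVICE_KEY = b"constructed-demo-key"


def seal(key, resource, value, seq):
    """Producer: bind resource name, value and sequence number under one MAC."""
    body = json.dumps({"resource": resource, "value": value, "seq": seq},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(key, obj, expected_resource, last_seq):
    """Consumer: check the MAC first, then the resource name and freshness."""
    expected = hmac.new(key, obj["body"].encode(), hashlib.sha256).hexdigest()
    supplied = str(obj.get("tag", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad-mac"          # body or tag was modified in transit
    fields = json.loads(obj["body"])
    if fields["resource"] != expected_resource:
        return False, "wrong-resource"   # valid object served under another name
    if fields["seq"] <= last_seq:
        return False, "stale"            # old object served again by the cache
    return True, "ok"


class UntrustedCache:
    """Stand-in for a middlebox (cache or proxy) that stores sealed objects."""

    def __init__(self):
        self.store = {}

    def put(self, name, obj):
        self.store[name] = dict(obj)

    def get(self, name):
        return dict(self.store[name])


def demo():
    """Run four cases through the cache and return each verification result."""
    name = "sensor/42/temperature"       # constructed resource name
    cache = UntrustedCache()
    cache.put(name, seal(DEVICE_KEY, name, 21.5, seq=7))

    results = {}
    results["honest"] = verify(DEVICE_KEY, cache.get(name), name, last_seq=6)

    tampered = cache.get(name)           # middlebox rewrites the reading
    tampered["body"] = tampered["body"].replace("21.5", "99.9")
    results["tampered"] = verify(DEVICE_KEY, tampered, name, last_seq=6)

    # Consumer has already accepted seq 7; the cache serves the same object again.
    results["replayed"] = verify(DEVICE_KEY, cache.get(name), name, last_seq=7)

    # Cache answers a request for a different resource with this object.
    results["substituted"] = verify(DEVICE_KEY, cache.get(name),
                                    "sensor/42/door", last_seq=6)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The check needs no handshake and no per-peer channel state on the device, but it covers authenticity only; confidentiality of the cached object would need encryption of the body as well.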

2. Please explain the security issues in blockchain technology!


Blockchains fall under two types: permissionless and permissioned chains. Permissionless
blockchains allow any party to participate in the network without any vetting, while permissioned
blockchains are formed by consortiums or an administrator who evaluates the participation of an
entity on the blockchain framework.
Regardless of the type of blockchain, the business logic is encoded using smart contracts.
Smart contracts are self-executing code on the blockchain framework that allow for straight-
through processing, which means that no manual intervention is required to execute transactions.
They rely on data from outside entities referred to as “oracles,” and can act on data associated with
any public address or with another smart contract on the blockchain.
While the blockchain technology promises to drive efficiency or reduce costs, it has certain
inherent risks. It is imperative that firms understand these risks and the appropriate safeguards in
order to reap the benefits of this technology. Additionally, it’s important to understand the
evolution of regulatory guidance and its implications.
These blockchain risks can be broadly classified under three categories:
Standard risks: Blockchain technologies expose institutions to risks that are similar to those
associated with current business processes but introduce nuances for which entities need to
account.
Value transfer risks: Blockchain enables peer-to-peer transfer of value without the need for a
central intermediary. The value transferred could be assets, identity, or information. This new
business model exposes the interacting parties to new risks that were previously managed by
central intermediaries.
Smart contract risks: Smart contracts can potentially encode complex business, financial, and legal
arrangements on the blockchain, and could result in the risk associated with the one-to-one
mapping of these arrangements from the physical to the digital framework.

3. Please explain the security issues in cryptocurrency!


Cyber security breaches and violations are increasingly on people’s minds and in the news as
new threats appear more and more often, compromising our personal data and causing economic
damage. Currency manipulation, identity theft and fraud, and web-based espionage are all among
the possible calamities that “black-hat hackers” — hackers with bad intentions — can bring about
if given the opportunity.
In the financial arena, certain alternative techniques can help reduce the chances of costly
security breaches. The cryptocurrency bitcoin now has a global presence as a result of its highly
secure nature, which stems from the use of information transmission and encryption to form a
blockchain. In the wake of bitcoin’s rise and the need for bitcoin cyber security, many other
industries are adopting blockchain to securely deliver data in a series of difficult-to-trace encrypted
transmissions.
But what might the risks of these methods be? Bitcoin, in particular, has encountered some
doubt, as it’s commonly deployed in black-market purchases. And although blockchain is well
known as the driving force of bitcoin, some are skeptical of its usefulness outside of financial
matters.
Regardless, it’s quite clear that these subjects will remain prominent in the cyber security
conversation for the foreseeable future. If you’re interested in becoming an information security
professional, it’s important that you understand blockchain’s core tenets.

Blockchain isn’t fail-safe.


It’s true that the randomness of the data transactions within blockchain’s context, and their
strong encryption, means that neither the blocks nor the chain can be duplicated or infiltrated using
malware or other exploits. However, according to Lexology, if the information at one end of the
chain is fraudulent or incorrect, the other party has no means to override it — unlike wire transfers
and card transactions, which can be stopped while pending if wrongdoing is quickly detected. In a
nutshell, white-collar criminals could take advantage of their peers’ excitement about blockchain
to commit entirely secure acts of fraud that might not be discovered for days, making bitcoin cyber
security hard to maintain.
Trust lies at the foundation of all human interactions, including business deals. Companies
using blockchain are justified in adopting a method that’s already showing itself to be a game-
changer and has the potential for even greater success. But if business leaders use blockchain
overzealously and don’t conduct due diligence with potential clients or partners, they open
themselves up to exploitation. While the growth of blockchain can’t be easily projected, there’s
little doubt it will remain part of the greater technology landscape.

4. What is cyberwarfare?
Cyber warfare is usually defined as a cyber attack or series of attacks that target a country. It
has the potential to wreak havoc on government and civilian infrastructure and disrupt critical
systems, resulting in damage to the state and even loss of life. There is, however, a debate among
cyber security experts as to what kind of activity constitutes cyber warfare. The US Department of
Defense (DoD) recognizes the threat to national security posed by the malicious use of the Internet
but doesn’t provide a clearer definition of cyber warfare. Some consider cyber warfare to be a
cyber attack that can result in death.
Cyber warfare typically involves a nation-state perpetrating cyber attacks on another, but in
some cases, the attacks are carried out by terrorist organizations or non-state actors seeking to
further the goal of a hostile nation. There are several examples of alleged cyber warfare in recent
history, but there is no universal, formal, definition for how a cyber attack may constitute an act
of war.

7 Types of Cyber Warfare Attacks


Here are some of the main types of cyber warfare attacks.
1. Espionage
Refers to monitoring other countries to steal secrets. In cyber warfare, this can involve using
botnets or spear phishing attacks to compromise sensitive computer systems before exfiltrating
sensitive information.
2. Sabotage
Government organizations must determine sensitive information and the risks if it is compromised.
Hostile governments or terrorists may steal information, destroy it, or leverage insider threats such
as dissatisfied or careless employees, or government employees with affiliation to the attacking
country.
3. Denial-of-service (DoS) Attacks
DoS attacks prevent legitimate users from accessing a website by flooding it with fake requests
and forcing the website to handle these requests. This type of attack can be used to disrupt critical
operations and systems and block access to sensitive websites by civilians, military and security
personnel, or research bodies.
4. Electrical Power Grid
Attacking the power grid allows attackers to disable critical systems, disrupt infrastructure, and
potentially result in bodily harm. Attacks on the power grid can also disrupt communications and
render services such as text messages and communications unusable.
5. Propaganda Attacks
Attempts to control the minds and thoughts of people living in or fighting for a target country.
Propaganda can be used to expose embarrassing truths, spread lies to make people lose trust in
their country, or side with their enemies.
6. Economic Disruption
Most modern economic systems operate using computers. Attackers can target computer networks
of economic establishments such as stock markets, payment systems, and banks to steal money or
block people from accessing the funds they need.
7. Surprise Attacks
These are the cyber equivalent of attacks like Pearl Harbor and 9/11. The point is to carry out a
massive attack that the enemy isn’t expecting, enabling the attacker to weaken their defenses. This
can be done to prepare the ground for a physical attack in the context of hybrid warfare.

Examples of Cyber Warfare Operations
Here are several well-publicized examples of cyber warfare in recent times.
1. Stuxnet Virus
Stuxnet was a worm that attacked the Iranian nuclear program. It is among the most sophisticated
cyber attacks in history. The malware spread via infected Universal Serial Bus devices and targeted
data acquisition and supervisory control systems. According to most reports, the attack seriously
damaged Iran’s ability to manufacture nuclear weapons.
2. Sony Pictures Hack
An attack on Sony Pictures followed the release of the film “The Interview”, which presented a
negative portrayal of Kim Jong Un. The attack is attributed to North Korean government hackers.
The FBI found similarities to previous malware attacks by North Koreans, including code,
encryption algorithms, and data deletion mechanisms.
3. Bronze Soldier
In 2007, Estonia relocated a statue associated with the Soviet Union, the Bronze Soldier, from the
center of its capital Tallinn to a military cemetery near the city. Estonia suffered a number of
significant cyber attacks in the following months. Estonian government websites, media outlets,
and banks were overloaded with traffic in massive denial of service (DoS) attacks and
consequently were taken offline.
4. Fancy Bear
CrowdStrike claims that the Russian organized cybercrime group Fancy Bear targeted Ukrainian
rocket forces and artillery between 2014 and 2016. The malware was spread via an infected
Android application used by the D-30 Howitzer artillery unit to manage targeting data.
Ukrainian officers made wide use of the app, which contained the X-Agent spyware. This is
considered to be a highly successful attack, resulting in the destruction of over 80% of Ukraine’s
D-30 Howitzers.
5. Enemies of Qatar
Elliott Broidy, an American Republican fundraiser, sued the government of Qatar in 2018,
accusing it of stealing and leaking his emails in an attempt to discredit him. The Qataris allegedly
saw him as an obstacle to improving their standing in Washington.
According to the lawsuit, the brother of the Qatari Emir was alleged to have orchestrated a cyber
warfare campaign, along with others in Qatari leadership. 1,200 people were targeted by the same
attackers, with many of these being known “enemies of Qatar”, including senior officials from
Egypt, Saudi Arabia, the United Arab Emirates, and Bahrain.

How to Combat Cyber Warfare


The legal status of this new field is still unclear as there is no international law governing
the use of cyber weapons. However, this does not mean that cyber warfare is not addressed by the
law. The Cooperative Cyber Defense Center of Excellence (CCDCoE) has published the Tallinn
Manual, a textbook that addresses rare but serious cyber threats. This manual explains when cyber
attacks violate international law and how countries may respond to such violations.

5. What are global cyber treaties?


The Demand for International Cooperation
Cyber attacks and cyber exploitations from around the globe are growing in number and
sophistication, and governments, especially ours, are worried. Defenders against such attacks often
cannot quickly or easily tell when their systems are attacked or exploited. When defenders
discover an attack or exploitation, the computer or geographical source often cannot be ascertained
quickly or precisely. If a computer or geographical source is identified, it is hard to know whether
a computer somewhere else is responsible. Even if one has certain knowledge about which
computer in the world was the ultimate source of the attack or exploitation, it is often hard to know
whether the human agent behind it is a private party or a government. If the latter, it is sometimes
also hard to determine the state affiliation. And even if geographical location, precise identity, and
state affiliation are known, the human and computer agents of attack or exploitation are often
located beyond our borders, where law-enforcement capacities are weak and military capacities
cannot be used except in the most extreme circumstances.
These and other factors have enabled and emboldened untold thousands of actors from
abroad—states, criminals, hackers, and, potentially, terrorists—to steal or destroy valuable digital
assets inside the United States. The United States arguably has more to lose from cyber attacks
and exploitations than any other nation because it is among the most dependent on the Internet and
related computer/communications systems, and has more of its wealth embedded in these systems.
The U.S. government’s recent foray into international negotiation on this issue appears to reflect
a judgment that it cannot adequately protect its critical infrastructure and other digital assets
without international cooperation. And in truth, every advanced nation faces that problem to some
degree.
Many believe that an important part of the solution to these challenges is an international
treaty that does some or all of the following: (1) limits what states can do to one another in the
cyber realm; (2) imposes on them duties to ensure that private actors within their borders do not
engage in certain bad cyber acts; (3) establishes mechanisms of interstate cooperation to track and
redress malicious cyber operations; (4) clarifies definitions (such as which acts constitute war and
various crimes) in order to prevent mistaken interpretations and prevent misunderstanding or
escalation; and (5) creates an international organization to facilitate cooperation and monitoring.
An international treaty on cybersecurity might cover any number of substantive topics, ranging
from cyber-arms control to cyber crime and mutual assistance to the regulation of cloud computing
or the software supply chain. The hurdles to all such treaties are similar (though not identical). To
make the problem concrete, I will focus primarily on a proposal by Richard Clarke and Robert
Knake (C&K) that in many of its details is similar to the recently expressed views of General
Michael Hayden. C&K argue that a cyber treaty should ban cyber attacks on civilian targets but
not on military targets or cyber exploitation. Such a treaty, they argue, would protect the United
States’ vulnerable, privately owned networks but would allow the country to maintain its lead in
what it is good at, “cyber war against military targets.” C&K do not propose to ban cyber
espionage, because the United States depends so heavily on electronic and related means of spying,
and because verification of and attribution for espionage are too difficult in any event. They
acknowledge that cyber espionage might be mistaken for military attacks and could be
destabilizing. But they nonetheless oppose its international legal regulation, because “an arms
control agreement limiting cyber espionage is not clearly in [the United States’] interest, might be
violated regularly by other nations, and would pose significant compliance-enforcement
problems.” The remainder of this paper explains why I believe an international treaty of this sort
is not feasible.

The Cautionary Tale of the Cybercrime Convention


Calls for international treaties to govern harms caused over the Internet are not new. Since
the early 1990s, Internet experts have worried about the fact that the net is a borderless medium
over which people can communicate globally and instantaneously in ways that seem to resist
geographically based regulation. One worry was that a national government could do nothing to
stop a content provider on the other side of the globe from making content available locally (via
a website or e-mail), violating local laws regulating intellectual property, libel, crimes of various
sorts, and much more. This concern was that the net would undermine national sovereignty. A
different and somewhat antithetical worry was that since websites could appear everywhere in the
world, every nation might try to regulate every web transaction, leading to multiple and
inconsistent regulation of the same activity that would stifle free speech and Internet commerce.
The concern here was that nations exercising sovereignty to combat local Internet harms would
destroy the global resource.
The answer to both problems, it was widely believed, was international agreements.
International treaties could establish global norms that would tamp down on both harmful Internet
communications and harmful national over-regulation of the global resource. And yet, despite
years and years of loud discussion and all manner of cross-border digital clashes, the nations of
the world have agreed on only a single treaty regulating cross-border Internet harms or the cross-
border regulation and sharing of electronic information: the Council of Europe’s Cybercrime
Convention.
That convention establishes “a common criminal policy aimed at the protection of society
against cybercrime.” It requires signatories to adopt legislation banning various computer crimes,
including illegal access and interception, data and system interference, misuse of devices, forgery,
fraud, child pornography, and intellectual-property offenses. It also requires countries to adopt laws
concerning the investigation of computer-related crimes, and to cooperate in the investigation and
prosecution of such crimes with other countries (i.e., via extradition and mutual law-enforcement
assistance).
The Cybercrime Convention is widely viewed as unsuccessful. It achieved “consensus” on
computer crimes only by adopting vague definitions that are subject to different interpretations by
different states. Even with vague definitions, many nations conditioned their consent on
declarations and reservations (the United States had more than a half dozen) that further diluted
the scope of covered crimes, making the treaty’s obligations even less uniform and less
demanding. While the mutual assistance mechanisms in the treaty improve on what came before,
they do not work well. The duty to cooperate contains large loopholes for requests that prejudice
such essential interests as national sovereignty and security. As a recent National Research Council
study concluded, “[A] signatory nation may decline to cooperate with its obligations under the
convention on fairly broad grounds, and the convention lacks an enforcement mechanism to assure
that signatories will indeed cooperate in accordance with their obligations.” As a result, signatories
often flout or ignore the cooperation provisions.
Despite the general weaknesses of the treaty and the relatively sparse demands it makes on
nations, few have ratified it. Every nation was invited to join, but only the United States and two-
thirds of Council of Europe states have ratified the treaty. Notable COE holdouts include Belgium,
Georgia, Greece, Ireland, Poland, Russia, Sweden, Switzerland, Turkey, and the United Kingdom.
The treaty has not gathered support outside of the COE because many nations do not like its
definitions of crimes (for example, the criminalization of intellectual-property violations), its
general Western focus, or its (weak) sovereignty-intrusive cooperation mechanisms.
To get a flavor of how some non-Western states view similar matters, consider the
International Information Security agreement among the Shanghai Cooperation Organization
nations (China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan). The SCO agreement
emphasizes state security and state control over information technologies and threats. It lists as
major threats the “dominant position in the information space” of Western nations and the
“dissemination of information harmful to the socio-political systems, spiritual, moral, and cultural
environment of the States.”
The Cybercrime Convention experience teaches that nations significantly disagree about
what digital practices should be outlawed and are deeply skeptical about even the weakest forms
of international cooperation in this area. It is a cautionary tale for those who believe in the
feasibility of a broader cybersecurity treaty involving more nations and covering more ambitious
topics that bear a closer relationship to sovereignty and national security.

References:
1. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-blockchain-risk-management.pdf
2. https://online.maryville.edu/blog/blockchain-and-bitcoin-cyber-security-risks/
3. https://www.imperva.com/learn/application-security/cyber-warfare/
4. https://www.hoover.org/sites/default/files/research/docs/futurechallenges_goldsmith.pdf
5. Kizza, J. M. (2020). Guide to Computer Network Security (5th ed.). Cham: Springer. ISBN: 978-0133594140. Chapter 24.
