The “nature” of cyber-attacks: The curious case of the dusk starlings

Nature and its elements are often used as a good metaphor for attacks and risks. Thus, for example, we can talk about attack “trees” and black swan theories. But, as we can read in this blog, we rarely think about “starlings” in this context. Read more to meet the starlings looking for their metaphorical attack trees (or not so metaphorical after all).

When thinking about cyber-attacks we often imagine grim individuals sitting behind desks on a dark room with the only light source of several twinkling screens. That Hollywood-induced idea of an evil-intended agent is actually a real threat to many systems in modern society, causing governments and companies to expend millions of euros in cyber-security. Attackers are always figuring out new fancy ways to overcome each obstacle, while their counterparts try to make breach-less systems. Figuratively, this can be seen as an endless war between small scavengers’ ants and big elephants.

Or not so figuratively… “hackers!” is what Scottish power suppliers were probably thinking when in late 2020 they detected some repetitive mysterious power cuts. Yet, they could not detect any suspicious activities on their systems as they checked over and over the power lines to see what the problem was. Finally, in December, an employee of a Scottish power distributor company discovered, while having a walk at dusk, the real “attackers” that were causing that much trouble. It was neither a secret organization nor a rogue nation but several hundreds of Sturnus vulgaris Linnaeus (aka starlings) bouncing over the power lines [1]

Sometimes planning measures for countering an attack take into account the attackers’ intentions [often economical these days] and for extension, its targets. But what if the harm caused was not intentional at all? This curious story with “plot twist” shows that prevision and prevention of attacks is a hard task precisely because the nature of the attack and malfunction are quite unpredictable. This unpredictability supposes a problem itself because modern cyber-security systems rely on calculating risks and consequences, identifying the reach of an attack and planning for a mitigation countermeasure. In cases like this, not only the mitigation tasks are challenging, but also the detection: who, how and why is causing this power cuts? The curious case of the dusk starlings is a typical case of the “black swan theory” [2]. Events like that can be rare but their consequences are not trivial.

So, how can we include this kind of events in our cyber-attack detector? Here the answer is just simplicity. The most basic detection is just to detect “what is anomalous” in the same way that the power supplier operators did when they detected the problem. The person knows what is “normal” and expected and thus detects the anomaly in the flow as an issue. In computer science we can do the same using our own artificial “brain”, an artificial neural network. We can “teach” this network what is normal, and it can detect automatically what is a serious alteration.

Detecting the how and why is more challenging. We surely need a huge attack tree to accommodate all these starlings. About mitigation, how can we mitigate this event? Let’s make an educated guess here; you better try with a scarecrow! [3]

---

[1] Link to NEWS: https://www.bbc.com/news/uk-scotland-tayside-central-55334891

[2] Suárez-Lledó, J. (2011). The black swan: The impact of the highly improbable.

[3] Zajanc, A. (1962). Methods of controlling starlings and blackbirds. In Proceedings of the Vertebrate Pest Conference (Vol. 1, No. 1).