Tuesday, November 04, 2008

Response to Marcus Ranum HITB Cyberwar Talk

Many readers have been asking me to comment on Marcus Ranum's keynote titled Cyberwar is Bullshit at Hack In The Box Security Conference 2008 - Malaysia. (What a great conference; I think we are seeing the Asia-Pacific area really grow its digital security community. You can access the conference materials here. I'd like to point out my friend CS Lee spoke about NSM at the event.)

The article Don’t waste funds preparing for cyberwars summarized Marcus' talk as follows:

The billions of dollars spent on researching cyberwarfare can be put to better use because cyberwar is never going to be as effective as conventional war, said an IT security expert.

Marcus Ranum, chief security officer of Tenable Network Security said cyberattacks aren’t a good force multiplier in an actual war.

Many people, he said, talk about cyberspace as if it can be a new form of battlefield but this is not possible because you can’t occupy and hold cyberspace as you would a piece of enemy territory.

Ranum was speaking at HiTBSecConf 2008 here this week.

He said trying to overcome another country via cyberspace is impossible unless you also have a huge army that can defeat its forces in conventional warfare.

A small country, even with an army of hackers on its side, is never going to be able to defeat a big country with an extensive land, air and sea military force by attacking through the Internet.


If you search my blog for the term cyberwar you'll find plenty of posts, but let me try to summarize my thoughts.

In September 2007 I wrote China Cyberwar, or Not?:

DoD Joint Publication 3-13, Information Operations, differentiates between two sorts of offensive information operations.

  1. Computer Network Exploitation. Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Also called CNE.

  2. Computer Network Attack. Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. Also called CNA.


You can think of CNE as spycraft, and CNA as warfare. In the physical world, the former is always occurring; the latter is hopefully much rarer. I would place all of the publicly reported activity from the last few months in the CNE category.


I'd like to add a third category not mentioned in the information operations doctrine: cybercrime. In Marcus' talk, he separates adversary action into cybercrime, cyberterror, cyberespionage, and cyberwar. I don't explicitly break out terrorism because I consider it a criminal issue, and not a military issue.

Marcus's cyberespionage and cyberwar categories relate to my points about Computer Network Exploitation and Computer Network Attack, respectively.

Marcus' slides say "packets don't hold ground." The question is whether that matters. Aircraft don't hold ground either. However, no army wants to operate without air supremacy or at least air superiority overhead. (Ask the Georgians if you doubt this.) Would you rather be able to conduct CNE, or not? If yes, why?

Combatant commanders approach the problem this way. If you're Stormin' Norman Schwarzkopf in 1991, and you want to remove the Iraqi army from Kuwait, you'll want to blind the Iraqi radar grid. If you can do so electronically instead of risking the life of a pilot or running down your missile stocks, would you want to? Most commanders I knew wanted to be 100% sure that their decision would work. Not all warfare is about holding ground.

I think the major problem with the cyberwar discussion is the idea that a real conflict could be a purely cyber conflict. This is wrong. I don't think the early air pioneers expected their role to involve purely aerial warfare. Each method of combat has been integrated into the overall ugly fabric of war. So, I don't think "cyberwar is bullshit," but I'm guessing neither does Marcus if you discuss it in the proper context.

19 comments:

Anonymous said...

Marcus's observations are unfortunately predicated on symmetrical engagements and disregard considerable thought on the strategy of conflict.

Jonathan said...

I don't agree with Marcus either. First, I agree with your statement that the goal of cyber warfare is not to hold ground. You are using an excellent example with the air force. It's to annoy the enemy by disrupting communication systems. Another statement of Marcus's I can't agree with is the following:

"It’s pointless for a superpower to develop cyberwar techniques to attack a nonsuperpower (they can just crush them conventionally)"

He seems to forget the enormous costs triggered by such conventional uses. Transport of troops, material and all the logistics implied are extremely complex. Also, every sane commander will want to win without fighting a battle. If you can win without even fighting, you'll be a great commander. This one is from Sun Tzu. So to restrict the use of conventional warfare is not only cost effective, it also just makes sense. Especially with PsyOps and Information Warfare, where any fatality plays on public opinion.

I believe, by reading the keynote material, that "Cyberwar is Bullshit" is more wishful thinking from Marcus than an actual concrete explanation. Financial systems ARE targets as industrial targets were targets in WWII (Dresden is a great example of this). Money is the nerve of war, no financial system will put a lot of pressure on a nation, and might strongly reduce its ability to get into a long war.

Cyber warfare is on the same level as psychological warfare and information warfare. Their purpose is not to hold ground, but to limit the resources of the enemy.

JR said...

Marcus has never spent any time in the military to fully understand and/or appreciate the benefits of non-conventional (guerrilla) warfare.

A small number of well trained personnel, using a fraction of the resources (and incurring a fraction of the costs) of a large, conventional organisation can, via non-conventional or guerrilla warfare tactics, disrupt and inflict significant harm to a large organisation, contributing to 'turning the tide' of any hostilities.

Cyberwar is the new guerrilla warfare for not only developing countries, but for those established countries as well.

securityservice said...

Thank you for sharing useful information. Financial systems are targets as industrial targets were targets in WWII. Money is the nerve of war, no financial system will put a lot of pressure on a nation, and might strongly reduce his ability to get into a long war. We want you to come up with more information.



Hacker4lease-IT Security Service

iamnowonmai said...

JR: Marcus did indeed spend time in the military (Army).

Anonymous said...

I like your points better. Cyberwar and cyberattack could be a very important assistant method to help win a war.

JR said...

iamnowonmai: Thank you for the correction. Interesting then that he doesn't see the benefit, whether to an adversary or a defender, of cyberwarfare.

Anonymous said...

"Therefore cyberwar only makes sense to the side that is likely to win anyhow"
i don't really get it.
isn't the foundation of every strategy (offense or defense) the expectation to be successful?
won't therefore every actor obtain every capability he can get, in order to achieve his goal?
'...i don't know, nor care whether this particular capability will actually bring the success, but if it is available i want it at my disposal...'
so in my personal opinion, an arms race in cyberspace is a reality.
bullshit or not, if someone can afford the costs, he is gonna train some of his people in it, always thinking of them at least as a strategic option.
i agree with his point regarding cyberwarcrime and on yours regarding terror being a criminal issue.
i guess staying alert, being strictly defensive and cooperating in exposing criminal actions will continue to be crucial in avoiding the bullshit from happening.

Brendan McKenna said...

Cyberwarfare is CLEARLY not bullshit. This just sounds like the ramblings of a prototypical non-conformist to me.

Marcus Ranum said...

The article seriously mangled/mischaracterized most of my observations, unfortunately. Because the interviewer didn't understand what I was saying, all that they did was pick out a bunch of assertions and print them. :( There is actual real honest-to-goodness reasoning behind what I said. :(

I'll do a writeup on the whole talk in the next couple weeks and perhaps then you'll have something tangible to consider.

mjr.

Edwardbf said...

The best defense is offense? If you have total control over information within a country, or a hostile group, like terrorists (which is just as much an enemy, right?), you have better ways to prepare yourself for the "war". For me, the Cyberwar is more about getting the information, to own the enemy if one must. To know as much about the enemy as one could, would be the main goal.
In my world, Cyberwar is not mainly the part when you hack into a system and close down a radar or shut down a power plant. It's just as much about who gets affected by the "shutdowns", and how one can take that to one's advantage in the "real" world. Or know every move the enemy is going to take, before he makes it...

Information warfare... Knowledge is Power!

Anonymous said...

Gee.. I wonder why DOD 3-13 made mention of CNO (CND, CNE, CNA) alongside other IO: EW, PSYOP, Disinformation, and OPSEC.

I am totally lost by this conversation. Cybercrime? What?

Also, failure to mention terrorism and looking at war from the perspective of the Cold War era assures me that information security professionals are stuck in 1992 permanently.

zoom said...

Pre-biblical. Warfare.

MIJI

Meacon Interference Jamming and Intrusion

Anonymous said...

:) I advise you not to watch a lot of Hollywood's movies like Diehard4, because this is cyberspace, in this place there are no places for cowboys and heroes, there are no places for countries or "languages", simply you can only find good or bad people, so don't go deep choosing your best English words to describe what bad people can do, you can't know unless they do as Marcus said.

Anonymous said...

this guy Marcus is obviously new to this game. I'd be emptying my tenable products because of statements like this

Anonymous said...

Anonymous Anonymous said...

this guy Marcus is obviously new to this game. I'd be emptying my tenable products because of statements like this

Uh right, that is pretty foolish. Tenable makes Nessus which is an incredible (FREE) vulnerability scanner. You'd give that up and spend thousands more because of an opinion that he has? That opinion doesn't at all change the product that his company offers.

Glen Grant said...

Cyber warfare (like air warfare) is simply a tool to be used when it is needed by a commander. If you have practiced it and know how to focus and use it, it is a good tool. If it buys you a couple of hours of electronic darkness and you can move real forces during that time unseen then it could be a battle winning tool.

But I come back to one point. It must be practiced and it must be controlled, or like First World War gas attacks, you run the risk of getting your own back.

Glen Grant
GG Consulting Latvia
Estoch Estonia

Richard Bejtlich said...

White Wolf Security's post Cyber War is Bullshit is Bullshit addresses MJR's comments pretty well.