Sunday, July 04, 2010

Cyberwar Is Real

A number of people, inside and outside the security world, think that any discussion of real threats is a manufactured justification for intrusive government action.

Their argument is simple.

  1. The government wants to control the people, or obtain a resource, or pursue some objective that could not be reasonably achieved if transparently presented to the citizenry.

  2. The government "propaganda machine," sometimes in coordination with "the media" and "big business," "manufactures" a "crisis" whose only solution is increased government power.

  3. The people acquiesce in order to preserve their safety, and the government achieves its objective.


As a result, those who see the world in this manner treat any discussion of real threats as step 2 in this process towards decreased liberty via increased government power. Those who seek to inform the citizenry of real threats are dismissed as sowing "FUD."

This is a tragedy, because it means that we continue to suffer at the hands of real threats who laugh while pillaging their target.

Yes, there are surely those in government who see any crisis as an opportunity to advance their agenda. Yes, governments have manufactured threats in the past to justify action. I am a history major so I am well schooled in these events, and as a libertarian I am suspicious of the government. However, I am not blinded to reality, unlike those who choose to dismiss threats as "simple espionage" and the like.

In the past I've been somewhat ambiguous about cyberwar. Starting now, I've decided to say it: cyberwar is real.

The reason some others aren't willing to say this is because they are keeping their minds narrowed to historical definitions of war, or they are not aware of the "facts on the ground," or they choose to ignore facts because they see them as elements of "step 2" and thereby inherently false.

I mentioned in a recent post that Attrition.org has decided to ridicule those who quote Sun Tzu, and I largely agree. At the micro level of civilian defense of corporate systems, where defenders cannot strike back, "war" does not seem to be the correct paradigm, so Sun Tzu fails as a way to interpret enterprise defense.

However, at the level of nation states, the entities which wage war, Sun Tzu is as applicable as ever. And this is the problem with those who dismiss cyberwar; they think that without bullets being fired, there is no war. Sun Tzu would laugh at that:

For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.

Bruce Lee, and before him Tsukahara Bokuden understood that "fighting without fighting" is the highest form of war.

Cyberwar, therefore, may be seen as a means to subdue the enemy without traditional "fighting."

It's likely that if those who dismiss cyberwar as "simple espionage" gain the political and philosophical high ground, and threats continue to ravage their victims, no bullets would ever need to be fired. The victim would not need to be "conquered" by traditional means; physical "war" would be redundant.

Does all this mean I agree with government plans to "defend" the Internet? Of course not. However, it is foolish to dismiss the threat because one does not agree with a government-proposed "solution."

23 comments:

sintixerr said...

Well said. I would leave a longer comment, but this was a really well-written post and very accurately portrays the issues at-hand.

@haroonmeer said...

Hi Richard.

A nice post. For what its worth, i recently spoke in Estonia at the "conf on cyber conflict".
You can view the slides (with notes) at http://blog.thinkst.com/2010/06/conference-on-cyber-conflict-slides.html

Would love your comments :>

/mh

jericho said...

Cyberwar is not real. <- that holds 99% of the time and is entirely accurate. The other 1% is when someone actually goes a step further to begin to define what "cyberwar" is.

Most that write about it are short sighted (or morons) and simply lump "cyber" and "war" together and do not further define it beyond mention of digital attacks, or possibly hitting important resources via networks (e.g., SCADA). The "Cold War" redefined what "war" meant in that context, and it was an applicable and reasonable term to use. To this day, we still use the term to refer to a specific period of tension between two countries, and we also use it in a more
generic capacity to refer to the type of "war" it was.

If "cyberwar" is going to have any hope of being taken seriously by the technical masses, it needs a solid definition or at least a better set of guidelines to give a clue what the term entails. Articles like this qualify what
the term means to the author, makes assertions and they are reasonable. Articles that don't, are FUDtastic and precisely used for manipulation or fearmongering.

Sam Bowne said...

I have no special knowledge about the current state of cyberwar. But if it's not real, it should be. I'd much rather attack enemies over the Internet than send human soldiers to die. No nation can morally overlook such weapons unless it is proven that they are worthless.

Roland Dobbins said...

Non-ironic use of the appellation 'cyber-' appears to be, wth few exceptions, inversely proportional to the amount of actual technical cluefulness of the speaker.

Once spimes are everywhere - stuff like nanomachines in our bloodstreams scraping away plaque so as to eliminate the need for angioplasy and the like, communicating via IPv6 over NFC - then it'll be more apt to talk of informatics-enabled war, or terrorism.

As matters currently stand, what we're seeing in the extreme democritzation and ubiquitization of espionage, along with the superempowerment of individuals and small groups to achieve disruption disproportionate to their numbers and physical resource bases via DDoS. Not informatics-driven warfare, or even informatics-driven terrorism, but rather informatic enhancements to existing espionage and sabotage capabilities.

In the case of espionage, informatics-driven approaches - i.e., compromising, botting, and harvesting computers in order to mine them for information of interest to the attacker, and/or suborning malicious insiders - have greatly eclipsed both in scope and in efficacy all but the most specialized forms of governmental and private espionage efforts. For the first time in human history, ordinary individuals are the targets of attackers with nation-state-level capabilities - in most cases, *exceeding* those capabilities - who're motivated by the eminently realizable prospect of illicitly monetizing the financial and personal details of said individuals.

With regards to sabotage, DDoS can be an exremely effective tool; its efficacy is increased by many orders of magnitude due to the utter unpreparedness of most targets. For example, the high-profile Estonian, Georgia/Azerbaijan, and RoK/USA DDoS attacks were both extremely technically unsophistcated and also small in terms of traffic volume; the unpreparedness of the defenders who were adversely affected allowed the attackers to achieve a disproportionate negative impact. Conversely, organizations who were prepared and who'd taken into account operational security in their application/service/network architectures didn't even blink.

While there are increasingly technically sophisticated and high-volume DDoS attacks occurring every day, most organizations are simply unprepared to deal with even simple/small attacks. The same is true of informatics-enabled espionage - most targeted organizations and individuals simply aren't prepared to defend themselves against penetration, nor to identify and quarantine botted hosts or malicious insiders.

So, in order to get away from all the 'cyber-'nonsense, and to try and separate the sheep from the goats, I propose that henceforth, the more technically clueful who're interested in this general topic make use of the term informatics in place of 'cyber-', as in 'informatics-enabled espionage', 'informatics-enabled sabotage/disruption', 'informatic security posture', and so forth.

Jeffrey said...

Richard, thanks for your post. I just published my response to attrition.org's rant here: http://greylogic.us/2010/07/05/throwing-the-sun-tzu-baby-out-with-the-infosec-bathwater/

Mister Reiner said...

Number 2 is definitely happening between the propaganda machine and the media. Many reporters don't know enough about computer security to discern if the risks are theoretical, perceived or real. As a result, they are easy prey for those that seek to further their agenda.

I am deeply concerned that opposing views are not being presented in the media. Public opinion is being shaped by the propaganda machine and that is not a good thing.

Electrosphere said...

Sir Bejtlich,

Those whose who doubt 'bout the reality of cyberwar should analyse and assess the real consequences. I wrote 'bout this topic for the french army magazine / webzine Defense Nationale. An english version is available here in Diploweb.com : "Can Cyberdeterrence Works in Cyberspace ?"

http://www.diploweb.com/Can-deterrence-work-in-cyberspace.html

Best regards.
Electrosphere

webjedi said...

excellent post... and for those who've been on the multiple sides of this... extremely true...

I originally thought it was propaganda... until you're actually dealing with it... I've "done" my time with the private and public sector, vendors and consumers, companies big and small...

seriously folks, this is not BS... Rich speaks the truth... and often, it's really just the scope and the targets that can justify the magnitude of what folks are seeing. If you're not the prime or sub-prime target, you'll dismiss what you see as a defender, as background noise... but if you have something the "adversary" wants... you can utilize indicators to find EXACTLY what is involved in this...

One of the problems is, at least on the government side (more-so in the civilian sector) is understanding, sharing and defending effectively against those attacks. In the corporate world, it's about 10x worse, especially if you don't participate in an ISAC... and even then, stuff is held back or comes across as fluff.

There's too much close hold on useful info that could help actually in defining (as noted in a previous post) what "cyberwar" is... is it CNE, CND or something else? DO you think a sub-500 person company knows or wants to share out the info from their networks? How about if they are publicly traded? WHat does the government gain from sharing that out... how do they protect from sharing classified info? Then again, how useful is it to classify it if nobody can really act upon it... I know the DoD and it's entities have stuff, as well as the FBI and DHS... but lo-and-behold, there's not a well established way to share that to other orgs (notably the private sector... even beyond the issues with laws and so forth) to make it useful.

Hopefully some smart folks are reading Rich's posts and wake up to this fact. Of course, reading the comments would be good too.

Ben said...

Just stating "cyberwar is real" does not make it so. The vast majority of examples provided are forms of espionage or criminal behavior. It's interesting that you've keyed in on this argument as it's not, in my mind, the primary one in this debate. As jericho rightly points out above, there is a major definitional issue around "cyberwar." What is it? How do you know that you've been "attacked" in a war-like sense, versus being criminalized? Until these issues are resolved, those of us on the cautious side will continue to cite posts like this one as being utter garbage (here you say "it's real" and provide no justification, explanation, or definition; FAIL). The term "war" must be used with exceeding caution as it has specific connotations and importance. We *need* a narrow definition here, otherwise we're watering down war, as has happened with the so-called "war on drugs" and "war on terror" (neither of which generally represent true state-on-state military aggression).

Nick42 said...

I agree with Ben. I'm an infoSec professional and a civil libertarian.

I know there are real threats out there and I'm 100% ok with discussing them. However, I think the term cyberwar has become a political buzzword.

It's being used to scare the government into signing high dollar contracts and to scare the people into allowing sweeping legislative changes affecting our freedom and how the Internet is regulated.

I don't think those who oppose the term cyberwar are trying to dismiss threats or do nothing. We just don't like the political solutions that are being promoted hand in hand with the idea of cyberwar.

Given the wide range of activities that can be considered to constitute 4th generation warfare, and conversely the rise of undeclared wars, or police actions, I think deciding if the current threats constitute cyberwar is purely a political decision. And by political, I of course mean propaganda.

webjedi said...

Okay... so yeah I agree it's real... but I also denoted there's enough stuff under lock and key that would prove it. Ping some folks supporting the CND effort for the USG, such like Lockheed, Raytheon, General Dynamics, and ask them what they are seeing.

Rich's post about the JSF is dead on. The narrow-mindedness of folks here who believe a war only exists if somebody spills some black powder firing a shot or somebody physically gets killed. If you've followed your history back beyond just this past century or so... espionage is a major component of war. It's the information gathering phase on which strategies are built. So it comes across as one big game of Stratego or Risk, but if you don't need to send bodies in to spill actual blood on a battlefield by performing these activities, you still have them around for when the real fights begin... or still act as a flesh and blood deterrence.

As Rich said, the expensive JSF was felled without firing a shot. That's SMART warfare... it's cheaper to fight, it's quicker, and as we can see VERY effective.

I just can't believe with all that Rich puts out here, and he's at least dealt with this stuff personally... compared to a lot of the blowhards out there... there's this community denial. Do you think all of the criminal and espionage attacks are just some kid in their basement. Have you examined some of the malware that shows up on sites like Contagio? have you dealt and understand REALLY what APT is... how they're structured, what their TTPs are? I mean, honestly, I can't share much because, rightly, stuff like this requires clearances, but talk to folks at companies that may be a target... just follow the money.... if you're at one of these places and deny what you're seeing in the way of intrusions, you're either blind or ignorant.

As I said in my earlier, I thought much of all this was scare tactics and BS, until you actually come face to face with it. I was in a position to see the big picture, and honestly, it's amazing folks just haven't given up and gone home... they're that good... and of course, it's paralleled that their targets are sometimes just stupid and gullible.

I'm sorry I didn't give you a Powerpoint or Keynote demo... but that's S//NOFORN. :-P

Richard Bejtlich said...

I might expand on this later, but there need not be mutual exclusivity between "espionage" and "war," i.e., it's either espionage OR war. Espionage isn't conducted for the sake of espionage. Adversaries conduct espionage to support some other effort, and waging war can be one of those efforts. So, if someone says "that's just espionage" I'm likely to say "and?"

Ben said...

Richard - It would be good if you could expand. I think espionage in the context of a conflict meets the definition, but espionage outside a conflict does not. Consider the recent arrest of alleged Russian spies. Notice that there was no accompanying declaration of war on Russia as a result.

The thing I'm seeing from the outside/civilian perspective is a lot of cybercrime being held up as examples of "cyberwar." Consider the Google incident that brought APT into mainstream infosec language. I'm sorry, but China hacking Google with what appears to be intent to further persecute dissidents is not imo "cyberwar." The only argument I see as being marginally feasible here is one of "economic warfare" (which perhaps is about the only kind developed, profit-driven countries will now undertake), but even that seems like a stretch. Even stealing JSF plans doesn't in mind constitute an act of war.

More important here are a couple quick things:
1) "War" needs a narrow definition given the requirement for a Congressional declaration, and for the connotations of military action. This is *not* to imply armed, physical-world conflict, but rather that being at a state of war is a specific condition with specific rules (e.g. how would the Geneva Conventions translate, especially as pertains to collateral damage?).

2) Wherever possible, electronic acts of aggression probably should be treated as cybercrime unless there is a very compelling reason to classify it as state-on-state aggression with strategic implications.

Overall, I have no problem with our getting to a point of having cyberwar doctrine, etc., but I think we need to be exceedingly cautious about how we define it.

webjedi said...

The thing is Ben... APT has existed long before the Google incident, and I think I stated in another comments section, that the press as we know it, grabs on to sensationalism (this is the same press obsessed over Kate Plus 8 and writes about Albert Gonzalez in Rolling Stone referring to "sequel" injection).

As for equating cybercrime to state sponsored activities is to forget that Russia, in general at this point, is a kleptocracy, living from ill-gotten gains (oil, organized crime, weapons dealing, etc.). I'm going on history here, but the Estonia issues a few years ago were not just some random assortment of uber-patriotic hackers, they WERE organized, and very few powers have the tacit approval in a state like that to move that freely across networks. WHo do you think nurtures the Chinese side of things? A company like Foxconn making crap for Apple, or even a shadowy company like Huawei - even with their largess, getting approval to move freely in a controlled state such as China has to have approval from higher up in the government.

I'd recommend getting your hands on the PDF for The Dark Visitor and read the blog: http://www.thedarkvisitor.com/

You must realize we're not the only targets as well. You should know there was a side think in Vietnam during the Google/Aurora incident regarding quashing labor issues in the coal mines over there. There's even inter-country aggression in places such as South America on the info/cyber-war issues. (I stumbled across the depths of this investigating an attack that was launched from an IP in Peru that had been compromised by a webshell, then traced the activity to a message board noting that this was a string of attacks between Peru and Chile - are they at war? Is it brewing at the surface ready to boil over?) Don't be complacent by not viewing this in a larger context... explore news sources, investigate and try to cut through the obfuscation. Once you find a thread or two a lot of what going on unravels into a bigger story.

A lot of this is to further a nation's goals or ideals... that's a more intellectual war... once again, not guns or bullets but still following a doctrine from the nation-state.

webjedi said...
This comment has been removed by the author.
Ben said...

@webjedi -

You warn against complacency, I warn against hysterics, FUD, overzealousness, and overreaction. It's a bad situation when Congress attempts to legislate responses that further authorize civilian agencies to take ill-advised actions (as one example) that perhaps more properly belong under the purview of law enforcement or the military.

You said:
"A lot of this is to further a nation's goals or ideals... that's a more intellectual war... once again, not guns or bullets but still following a doctrine from the nation-state."

You've not captured war in the least here, and this is my concern. Cultural expansionism (some might say "imperialism") has been going on for eons. While military might has been a tool for that, not all acts of expansion are war, nor are all acts of war expansion. Electronic/cyber warfare is a tool in the overall arsenal, but let's be careful to elevate it too highly.

The argument that many of us are maintaining here is that this notion of "cyberwar" has become highly politicized and is being used for a good old fashioned turf grab rather than being properly defined. War is a rather serious thing, and it should be treated circumspectly and with proper attribution, definition, and boundaries. To continue down this slippery slope of classifying everything as war is sheer folly. At what point do we end up needing Congress to authorize a declaration of war against all other countries competing in the Olympics every other year? You should rightly view that as absurd (though not mocking), but it is where we are with "cyberwar" today. Nobody seems able or willing to define it, let alone in a reasonable, narrow, meaningful manner (which of course makes it politically useful as a FUD-based tool for growing budgets and fiefdoms).

None of which is to disagree with some of the citations of actual acts of aggression via electronic warfare. Instead, it's to say that we need to make a concerted effort to move away from rhetoric, fear, and panic, back to a cold, calm, rational state of discourse. If we don't, then I fear the day where real-world physical repercussions proceed from the actions of loyalists who attack a private interest without real evidence linking those loyalists to anything resembling state-sponsored aggression (suspicion and supposition aside).

webjedi said...

@Ben - you did hit on a point here of which I'd agree on, and suffer the idiots daily... which are how leaders treat things. Yes, they have czars, x-war on this, cyber-that... they are leveraging the power of words... and the press... because, to a point, yes it's propaganda. And for those who are dealing with the "very real" rather than the abstract (who do you think actually read, writes and develops policy that gets voted on on The Hill... definitely not the folks we elected.. it's the staffs and advisers...) - so they grab on to this or that that has entered the popular vernacular, and like Dave Letterman used to do with jokes in the 1990s, beats them into submission.

I know folks I've worked with cringe at the tossing of these very serious words around attached to anything from the obesity epidemic (oh, wait, did I just debase the word "epidemic" - let's see how folks at the CDC glam on to that) to illegal drugs. Yeah, I know we'd all like somebody to risk their clearance (like the Pfc. Bradley "Collateral Damage" manning) to share stuff that folks want under wraps, but due to the reason and how things like that are handled, you won't see it until 2032... tough luck for us unless we have a deal (in the private sector) to consume that type of intel, or in the public sector (USG) where it's shared very poorly (don't get me started on the incident data sharing snafu that is currently making its' rounds through DHS).

I used to be press, I used to be academic, I've worked for two government agencies and worked for the DoD... same with time in the private sector... crap gets spun, and the folks who have the power to do anything bend it either to 1) for political gain or 2) financial gain (how many former high-spot govies sit on the boards of beltway bandits?). Heck, even Rich's compadres from AFOSI have spread their wings and leveraged their contacts.... it serves them right to keep up the spin machine to survive... but it's up to intelligent people to gather the facts and come to their own judgement - you've obviously come to yours given the information available, as have I... I still remain open minded and willing to accept new data and information as it arrives... but given what I have and know to this date and time, my views are as stated...

Until your Chinese Premier, your Russian Figurehead, your Middle East fearmongers and nutjobs (I cite equally Netanyahu and Ahmadinejad) - stand up and lay all the cards out on their tables and say "Yeah, we're doin' it.. so what" - you'll have to put the puzzle piece together with what you have or others are willing to share...

Sorry for the treatise...

Ben said...

I appreciate what you're saying @webjedi, and I don't think we're necessarily all that far apart. Ultimately, you highlight once again the very nature of this debate: definitions. I do not except that espionage == war. Espionage can be used as a tool of war, but they are not synonymous. In the hear-n-now, law enforcement is a much more appealing/palatable approach to handling the majority of these cases than any sort of military response. Check out Schneier's post on CNN.com (http://edition.cnn.com/2010/OPINION/07/07/schneier.cyberwar.hyped/) as I think he covers this topic very well (except for his outright disallowance for "cyberwar" in any situation - I still think a case can be made, just so long as it is definitionally clear, concise, and narrow). Anyway...

Davi O said...

@webjedi

"A lot of this is to further a nation's goals or ideals... that's a more intellectual war... once again, not guns or bullets but still following a doctrine from the nation-state. "

Aside from the fact that a nation is not the same as a state or a nation-state, I thought it might help if I point out that you have just made the same argument used against American music, TV shows, etc..

On the other hand perhaps we could agree that a cyberwar is not the same as war in the same way that a nation-state is not the same as a nation.

webjedi said...

@Davi O - SO we're going to drag this into a semantic argument at this point rather than talk about the events that are actually going on...

While I agree that we've removed the meaning of some of the words like war, epidemic and others... but to dick about over saying x over y is a nation, country, nation-state, province, nation, continent... whatever... why don't you go an stick you head in the sand like the proverbial ostrich... (which we know is a myth)

I think the debate is... well, is this activity happening or not... does a tree fall in the forest and nobody's around, does it make a sound? It is about the observation and the determination of magnitude... so you had a guy probing your network... is that a sapling falling when you saw it... or you found that 50GB of data (regardless of content) just was exfiltrated from your network... is that a big f'in sequoia falling down right in front of you? Stuff happened, what's worse? Is the probe a pretext to war (gawd, Bush loved this) - or do we only act after a theft of sensitive or classified data is stolen... is it the same crime if it doesn't cross international borders... what if you only can trace it to a college computer in Seattle, but the ultimate destination is one of those countries I mentioned earlier...

Think about all the crap we went through before we launched the folly that is Iraq and Afghanistan... one was off an attack, and one was a feeling that something was about to happen... who was right... same goes for our virtual world... do we need a weapons system to fail in a combat zone that is eventually attributed to theft of this data... or do we just need to find that there was a theft to provide a response... seriously, do you think the Ft. Meade crowd just sits and listens?

yeah, what we have is an ideological battle, but if it's not for money, religion, land or other property, it's most likely being fought over some form ideology... communism vs. capitalism, hutu vs. tutsi, jews vs. muslims, etc., etc. pick your battle... so what are we battling against now... the US has managed to piss off just about everybody in the world... probably some on other planets too... so we have a big target painted over everything we hold near and dear... and those are exactly what folks target...

So yea, back to "war" - as I said earlier... it's a discussion of the observation of magnitude... are we doing enough to "battle" illicit drugs to determine it a war... how about fighting the fact we have a lot of overweight people... how about the lack of sufficient education... it's a convenient term, but it's trying to convey magnitude or the amount of effort "we should" be putting in (according to leaders)... are we battling thing in the virtual world defending our networks and systems... is it a bigger deal than the previous items... who's determining this... are people calling it a "war" to get attention, or is it really that large of a conflict that it's REALLY deemed to be in the traditional definition...

Ben said...

@webjedi - It's not a debate about whether or not bad things are happening. That's a given. The debate is about whether or not those bad things reach the level of being "acts of war." To a significant degree it is absolutely a semantics game, due in large part to the lack of definition around what does or does not qualify as war-like activities. Just sayin'...

sintixerr said...

@Ben, @Rich: If you want a "line in the sand", the decision to call it "war" is always a political one - anything at any time can pretty much be called "an act of war" by the ruling government and, by that decision, become so. That, however, doesn't really seem a pertinent definition. Maybe the better question is "are there state sponsored activities designed to manipulate the political, economic, and social standing of other states by force using networked computers and the overall internet as weapons?"

When considering whether you think the answer to that is yes or no, also ask yourself why would anyone -not- attempt that route? You have to come up with a pretty lengthy series of rationalizations to justify -not- engaging in force over the internet for political purposes.