Response to Marcus Ranum HITB Cyberwar Talk
Many readers have been asking me to comment on Marcus Ranum's keynote titled Cyberwar is Bullshit at Hack In The Box Security Conference 2008 - Malaysia. (What a great conference; I think we are seeing the Asia-Pacific area really grow its digital security community. You can access the conference materials here. I'd like to point out my friend CS Lee spoke about NSM at the event.)
The article Don’t waste funds preparing for cyberwars summarized Marcus' talk as follows:
The billions of dollars spent on researching cyberwarfare can be put to better use because cyberwar is never going to be as effective as conventional war, said an IT security expert.
Marcus Ranum, chief security officer of Tenable Network Security said cyberattacks aren’t a good force multiplier in an actual war.
Many people, he said, talk about cyberspace as if it can be a new form of battlefield but this is not possible because you can’t occupy and hold cyberspace as you would a piece of enemy territory.
Ranum was speaking at HiTBSecConf 2008 here this week.
He said trying to overcome another country via cyberspace is impossible unless you also have a huge army that can defeat its forces in conventional warfare.
A small country, even with an army of hackers on its side, is never going to be able to defeat a big country with an extensive land, air and sea military force by attacking through the Internet.
If you search my blog for the term cyberwar you'll find plenty of posts, but let me try to summarize my thoughts.
In September 2007 I wrote China Cyberwar, or Not?:
DoD Joint Publication 3-13, Information Operations, differentiates between two sorts of offensive information operations.
- Computer Network Exploitation. Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Also called CNE.
- Computer Network Attack. Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. Also called CNA.
You can think of CNE as spycraft, and CNA as warfare. In the physical world, the former is always occurring; the latter is hopefully much rarer. I would place all of the publicly reported activity from the last few months in the CNE category.
I'd like to add a third category not mentioned in the information operations doctrine: cybercrime. In Marcus' talk, he separates adversary action into cybercrime, cyberterror, cyberespionage, and cyberwar. I don't explicitly break out terrorism because I consider it a criminal issue, and not a military issue.
Marcus's cyberespionage and cyberwar categories relate to my points about Computer Network Exploitation and Computer Network Attack, respectively.
Marcus' slides say "packets don't hold ground." The question is whether that matters. Aircraft don't hold ground either. However, no army wants to operate without air supremacy or at least air superiority overhead. (Ask the Georgians if you doubt this.) Would you rather be able to conduct CNE, or not? If yes, why?
Combatant commanders approach the problem this way. If you're Stormin' Norman Schwarzkopf in 1991, and you want to remove the Iraqi army from Kuwait, you'll want to blind the Iraqi radar grid. If you can do so electronically instead of risking the life of a pilot or running down your missile stocks, would you want to? Most commanders I knew wanted to be 100% sure that their decision would work. Not all warfare is about holding ground.
I think the major problem with the cyberwar discussion is the idea that a real conflict could be a purely cyber conflict. This is wrong. I don't think the early air pioneers expected their role to involve purely aerial warfare. Each method of combat has been integrated into the overall ugly fabric of war. So, I don't think "cyberwar is bullshit," but I'm guessing neither does Marcus if you discuss it in the proper context.
Comments
"It’s pointless for a superpower to develop cyberwar techniques to attack a nonsuperpower(they can just crush them conventionally)"
He seems to forget the enormous costs triggered by such conventional uses. Transport of troops, material and all the logistics implied are extremely complex. Also, every sane commander will want to win without fighting a battle. If you can win without even fighting, you'll be a great commander. This one is from Sun Tzu. So to restrict the use of conventional warfare is not only cost effective, it also just makes sense. Especially with PsyOps and Information Warfare, where any fatality plays on public opinion.
I believe, from reading the keynote material, that "Cyberwar is Bullshit" is more wishful thinking from Marcus than an actual concrete explanation. Financial systems ARE targets as industrial targets were targets in WWII (Dresden is a great example of this). Money is the nerve of war, no financial system will put a lot of pressure on a nation, and might strongly reduce his ability to get into a long war.
Cyber warfare is on the same level as psychological warfare and information warfare. Their purpose is not to hold ground, but to limit the resources of the enemy.
A small number of well trained personnel, using a fraction of the resources (and incurring a fraction of the costs) of a large, conventional organisation can, via non-conventional or guerrilla warfare tactics, disrupt and inflict significant harm to a large organisation, contributing to 'turning the tide' of any hostilities.
Cyberware is the new guerrilla warfare for not only developing countries, but for those established countries as well.
Hacker4lease-IT Security Service
i don't really get it.
isn't the foundation of every strategy (offense or defense) the expectation to be successful?
won't therefore every actor obtain every capability he can get, in order to achieve his goal?
'...i don't know, nor care whether this particular capability will actually bring the success, but if it is available i want it at my disposal...'
so in my personal opinion, an arms race in cyberspace is a reality.
bullshit or not, if someone can afford the costs, he is gonna train some of his people in it, always thinking of them at least as a strategic option.
i agree with his point regarding cyberwarcrime and on yours regarding terror being a criminal issue.
i guess staying alert, being strictly defensive and cooperating in exposing criminal actions will continue to be crucial in avoiding the bullshit from happening.
I'll do a writeup on the whole talk in the next couple weeks and perhaps then you'll have something tangible to consider.
mjr.
In my world, Cyberwar is not mainly the part, when you hack into a system, and close down a radar or shut down a power plant. It's just as much about who gets affected by the "shutdowns", and how one can take that to one's advantage in the "real" world. Or know every move the enemy is going to take, before he makes it...
Information warfare... Knowledge is Power!
I am totally lost by this conversation. Cybercrime? What?
Also, failure to mention terrorism and looking at war from the perspective of the Cold War era assures me that information security professionals are stuck in 1992 permanently.
MIJI
Meacon Interference Jamming and Intrusion
This guy Marcus is obviously new to this game. I'd be emptying my Tenable products because of statements like this.
Uh right, that is pretty foolish. Tenable makes Nessus which is an incredible (FREE) vulnerability scanner. You'd give that up and spend thousands more because of an opinion that he has? That opinion doesn't at all change the product that his company offers.
But I come back to one point. It must be practiced and it must be controlled, or like First World War gas attacks, you run the risk of getting your own back.
Glen Grant
GG Consulting Latvia
Estoch Estonia