Thursday, September 30, 2010

Why Neither the US Nor China Admits Cyberwar

Why won't the US or China (or even Russia) admit we're engaged in cyberwar? I have a theory based on historical precedent, involving all three countries: the Korean War. Since my time in the Air Force I have known that US pilots directly engaged Russian pilots in the skies over Korea in the 1950s. This was an "open secret." Recently I watched the NOVA episode Missing in MiG Alley, which confirmed this fact:

NARRATOR: For 40 years, Russia's role in Korea remained a secret. Now, one of the Soviets' top aces, Sergei Kramarenko, can finally talk about his exploits in MiG Alley.

SERGEI KRAMARENKO: (Russian dialogue)

INTERPRETER: It was a secret mission, neither before nor after the war were we allowed to reveal that we were going to fly for the North Koreans...against the Americans. It was top secret.

SERGEI KRAMARENKO: (Russian dialogue)

INTERPRETER: We were told that in case we were shot down beyond the front line we had to kill ourselves. Not to surrender was in the interests of the State.

SERGEI KRAMARENKO: (Russian dialogue)

INTERPRETER: Of keeping the military secret.

NARRATOR: If word got out of their involvement, the Russians feared the Korean conflict might trigger World War Three. But then, this was not a secret easily kept...

NARRATOR: And yet, while the pilots knew who they were up against, the American public did not. Both sides, Western and Communist, kept the secret.

Colonel Orlov was a Soviet intelligence officer in North Korea.

COLONEL ORLOV: (Russian dialogue)

INTERPRETER: It was kept from the American public in case they demanded action against the Soviet Union. By this time Russia had the atomic bomb, and neither Washington nor Moscow wanted to risk full-scale nuclear war.

The comparison with our current situation is clear: neither side has an incentive to talk about cyberwar, because it could incite both sides to clamor for escalation.

Relatedly, neither side has any incentive to admit that, while its offense is very effective, its defense is horrible.


D. Dieterle said...

Crazy... So the war via proxy continues.

Except now, it is not Korea, or Vietnam but digital infrastructure.

And instead of Russian "military advisors" in Vietnam and Chinese "logistical support" in Korea, it is the "Russian Business Network" and "rogue Chinese hackers"...

jbmoore said...

It depends upon what weapons you conduct war with. Bioweapons make no distinction between friend or foe. If the target is a susceptible human, the human gets infected and dies. Ideology and nationality don't play into it. The same is true for digital viruses. They make no distinction between vulnerable systems. Now, you can more easily build a replicating digital weapon that may infect every Windows system on the planet, but if you know your target systems, their software, their purpose, and their use, you can create a weapon to just kill them. Stuxnet rather convincingly proves this point and shows that it is incredibly cost efficient as well. So in that respect, self-replicating attackware differs from a bioweapon in the ability to discriminate between target and innocent computer system while infecting both. And, it's much cheaper to make and deploy digital attackware than nuclear weapons, chemical weapons, or biological weapons.

Nuclear escalation is a definite deterrent from the use of attackware on nuclear states, unless attackware can be crafted to disable key sectors of a country without harming anyone. What happens if the U.S. went essentially dark overnight, or all the major banks' databases went down? By the time forensics showed that it was a cyber attack, the damage would be done, but there could not be a nuclear retaliation because no one was physically hurt. Of course, you could invoke Marcus Ranum's argument that people would launch first and ask questions later, but that is assuming that they can tell whether the incident was due to cyber war or a systemic computer error caused by faulty software. All one has to do is modify one Microsoft binary update, and Microsoft would be blamed rather than the entity that modified the binary that now has a malicious payload. Or, you could craft a Stuxnet type worm and release it into the wild near your target and let it spread with a payload trigger sometime in the near future, say 6 months. Good luck recognizing that you've been attacked until hours or days after the payload was triggered. The trail of whoever did it would be quite cold. You could even plant false evidence in the binary to implicate another state.

I agree that defense is lagging. That seems to be due to ignorance of the capabilities of the technology and a lack of imagination by policy makers and leaders, as well as a lack of intelligence gathering and sharing by the IT Security community in general. Another possible reason is the fear mongering and hype IT Security companies use as marketing tactics for selling their products. The government and private sector buy these expensive products and then they don't work or perform as advertised. One gets a feeling of security from their use, but is still as insecure as they were before they deployed the product until the worst happens. But we also did some stupid things. We took inherently secure systems, SCADA, and made them inherently insecure by networking them in order to save a little money.

You didn't state the obvious in your last sentence though it is implied. The side that fixes their digital defenses first will have a definite advantage offensively until the other side catches up, if they ever do.
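The comment above describes the "modify one binary update" attack. The defensive check against it is to verify each delivered file against an authenticated list of expected hashes before installing, so a single altered byte is rejected and an attacker who also rewrites the hash list cannot produce a valid authentication tag. The following is an added example, not code from the original post or from any vendor's update client: the update files are constructed in-memory byte strings, and the shared HMAC key stands in for the publisher's real code-signing certificate or detached signature (an assumption made only to keep the example self-contained).

```python
import hashlib
import hmac
import json

# Hypothetical publisher verification key (assumption for this example).
# A real update channel uses the vendor's code-signing certificate or a
# detached GPG signature here; a shared HMAC key is only a stand-in.
PUBLISHER_KEY = b"example-publisher-key-not-for-production"

# Constructed sample: two "update" files as in-memory byte strings.
GENUINE_FILES = {
    "update.msu": b"MSU\x00genuine update body\x00v1.0",
    "setup.exe": b"MZ\x90\x00genuine installer stub",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> bytes:
    """Publisher side: list each file's SHA-256 and authenticate the list."""
    hashes = {name: sha256_hex(data) for name, data in sorted(files.items())}
    body = json.dumps(hashes, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "tag": tag}).encode()


def verify_update(manifest: bytes, files: dict, key: bytes) -> list:
    """Client side: return the names of files that fail verification.

    If the manifest's own tag does not verify, none of its hashes can be
    trusted, so every delivered file is reported as failed.
    """
    env = json.loads(manifest)
    body = env["body"].encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, env["tag"]):
        return sorted(files)  # manifest altered or forged with another key
    expected = json.loads(body)
    failed = []
    for name, data in sorted(files.items()):
        if name not in expected or not hmac.compare_digest(
            expected[name], sha256_hex(data)
        ):
            failed.append(name)
    failed += sorted(set(expected) - set(files))  # listed but not delivered
    return failed


def tamper(files: dict, name: str) -> dict:
    """Constructed attack: flip one byte in one file, leaving the rest intact."""
    modified = dict(files)
    data = bytearray(modified[name])
    data[-1] ^= 0x01
    modified[name] = bytes(data)
    return modified


def demo():
    """Run the three cases: genuine, one file modified, manifest forged too."""
    manifest = build_manifest(GENUINE_FILES, PUBLISHER_KEY)
    clean = verify_update(manifest, GENUINE_FILES, PUBLISHER_KEY)

    modified = tamper(GENUINE_FILES, "setup.exe")
    tampered = verify_update(manifest, modified, PUBLISHER_KEY)

    # Attacker rewrites the manifest to match the modified file but does not
    # hold the publisher key, so the tag fails and everything is rejected.
    forged = build_manifest(modified, b"wrong-key")
    forged_result = verify_update(forged, modified, PUBLISHER_KEY)
    return clean, tampered, forged_result


if __name__ == "__main__":
    print(demo())
```

The check only helps if the verification key (or certificate) reaches the client through a path the attacker does not control; an attacker who can replace both the binary and the key material that anchors the manifest defeats it, which is why the trust anchor must be pinned in the client ahead of time rather than fetched alongside the update.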
