Taking the Crowbar to Cyber-Denying Eyes

I’ve been quiet with my blogposts lately. I know and I apologise. Between writing a lengthy article on Cyber Warfare for PenTest Magazine, writing papers for the MBA degree I am working on, and snowboarding the gorgeous slopes of Val Thorens (France), it’s been sort-of busy. I must say though, that when I sat down and went looking for a subject for a new article, the last thing I expected was that there are still actually people out there who flat-out deny the threat of Cyber Warfare. To be honest, I was dumbfounded. This next piece is, I’ll admit, a bit of a rant. Mostly because quite frankly I enjoy ranting occasionally. Consider it a brief post-holiday deviation from my usual style. Blame it on the cocktails if you must. I’ll give you a brief summary of Jerry Brito’s article. I’ll only do some minor paraphrasing, honest.

“Cyber Warfare doesn’t exist! Yes we’re being robbed blind through Cyber Espionage by nation states, but that’s not Cyber Warfare. Cyber Warfare is kinetic cyber attacks! What do you mean Stuxnet? …DuQu? Yeah but those didn’t cost lives! The rest is just DDoS attacks! I can’t see any evidence to the contrary so it must be hype. Did I mention I’m really comfortable here with my head resting in a hole in the ground? A bit sandy though.”

Okay so that last sentence might have been a little less-than-true, but still. What’s worse is that this guy is the Technology Policy Program Director at George Mason University. When people wake up after he introduces himself (can someone please shorten that title?), people listen to this guy! Why do we let people like this represent our industry, or even let them anywhere near our young to educate them? It seems to me that making your own arbitrary (and apparently poor) definition of Cyber Warfare, and then discounting MOUNTAINS of evidence that undermine your point, isn’t very scholarly to say the least. It’s a bit like arguing against Darwin’s theory of Evolution by taping a bible to your forehead and plugging up your ears screaming “I CAN’T HEAR YOU” over and over.

Can we please stop giving a stage to these people who are obviously cherry-picking their way to an uninformed argument? I will grant you that there is still a lot of debate going on about the true definition of Cyber Warfare. There are many definitions and most are considered incomplete, too narrow or too broad. But we all agree that there is at least some element of Political Will involved, and computer systems and networks are the playground on which this assertion of said political will is taking place. Technically, Cyber Espionage often involves pretty much the same amount of breaking-and-entering as it would take to shut down the targeted system. The difference is mostly in the intent, not the methodology. If this is committed by a nation state, or a non-state actor with political intent, then Yes: you could (and should) call it Cyber Warfare. In this regard it is the same as a nation state sending a military airplane into enemy airspace. Whether it’s a spy plane, a fighter jet or a bomber, it is still politically motivated and thus could be called Air Warfare. You can’t run around yelling “DDoS don’t count!” or “It doesn’t count ’til someone ends up dead!” because those aren’t relevant points in this debate. By the same token, not all traditional military operations require someone to die. You cannot discount entire swathes of activities and still expect your argument to hold water.

So that pretty much covers the faulty logic of his argument. But we’re not there yet. Even IF we were foolish enough to accept his premise at face value, he is still factually incorrect, because he is basing his statement on two critically wrong assumptions:

1. His own perceptions of reality; and
2. His limited understanding of the current situation.

First off, it is highly unlikely that every successful cyber attack is common knowledge. For a nation state to be severely compromised through cyber attacks is embarrassing. These systems are supposed to be highly protected. So embarrassing, in fact, that it is unlikely that they would publicly come forward about it themselves. Iran didn’t publicly admit their Natanz site got hit with Stuxnet until the attack code was discovered by (non-Iranian) security researchers. Aside from the embarrassment, it’s also possible that admitting such weakness sends out an invitation to other would-be attackers. All things considered, I have more sympathy for governments staying quiet after a breach than I do for corporations, simply because the stakes are so much higher. In any case, Jerry’s “evidence” by which he measures his statement is almost certainly severely incomplete.

Secondly, he is saying that Cyber Warfare is hype based on his ‘evidence’ right now. But just because a cyber attack that fits his cherry-picked definitions hasn’t happened yet, doesn’t automatically mean it never will! If there is one major certainty in Cyber Warfare, it is that things change – and change FAST. Any information you receive is completely obsolete a second later. New attacks and even entirely new concepts of attack methodologies are developed daily. A few years ago, the US Air Force figured that there were roughly 120 countries developing Cyber Warfare capabilities. This was before major international debates on the subject started. I think it’s safe to assume that more countries have started a Cyber program since then, don’t you? Compared to the individual, these are all players with extremely deep pockets. Deep pockets capable of investing heavily into cyber attack research. I’m sure that at least some of them managed to come up with an idea or two that hasn’t been field-tested yet, further eroding Mr. Brito’s argument. Again I would ask that we stop giving airtime to these silly arguments and get back to the more important task of actually securing ourselves.

Cyber Warfare Semantics – Can’t we all just get along?

A great many people (expert and layman alike) have been fighting a war on Cyber Warfare semantics these last few months. Some argue that Cyber Warfare is really nothing more than cyber espionage, others even completely dismiss the notion that Cyber Warfare exists. Regardless of your opinion, Cyber Security in general and Cyber Warfare specifically are the talk of the town. Books are written, blogs are typed up and experts roar their opinions from every soapbox they can find. But what’s the point?

Cyber Warfare only covers military networks

Every security expert worth his salt will agree with the simple statement that Network and Systems security permeates every aspect of today’s society, and it is woefully underappreciated. Everyday life is controlled by all kinds of systems that find themselves connected to the internet, whether they should be or not. To think that this fact has gone unnoticed by military leaders all over the world is simple folly, and it is demonstrably false. Based on books about asymmetrical warfare such as Unrestricted Warfare (Q. Liang & W. Xiangsui, 1999), there is much to be said about targeting civilian systems during times of war, and so it would be unwise to think that only military networks would be targets during a cyber war.

Cyber Warfare is really just Cyber Espionage

Some people argue that Cyber Warfare is just digital espionage, and at best we could call it Cyber Espionage. This is probably based on China’s numerous cyber espionage operations, but to think that this is the limit of what cyber warfare can do is naive. Even though there is no definitive proof (always a key issue in everything cyber) that it was Russia, those DDoS attacks on Georgian government websites at the same time their tanks came rolling across its borders were timely to say the least. It could also certainly be argued that Stuxnet was politically motivated. Seeing as how War is the “continuation of Politics by other means”, this means it falls within the realm of cyber warfare.

Cyber Warfare doesn’t exist

This is the Big One; the Big Denial. It’s generally backed up by saying that the Cyber Warfare terminology is (mis)used to pull in a larger piece of the government budget, or to cede more control to the military. In some cases I’ve even seen this statement followed by several reasons that confirm that Cyber Warfare does exist, but that we shouldn’t call it that because it has such ‘negative connotations’. But when 150+ countries worldwide are ramping up their militaries to deal with Cyber Warfare, what is the point of such semantics? Sure, it can be argued that Cyber Warfare is nothing more than IT Security with a military flavor. In many ways it is. But is not the application of use most prevalent in determining the meaning of an action? Is intent not the determining factor in a Murder or an Accident, the factor that turns a kitchen knife into a murder weapon? The same can be said for guns. One man using a gun to kill someone is murder. When battalions of two or more nations engage each other for political motives, this turns it into War. The same reasoning can be applied to IT Security: If it is used by one nation state to further its political will upon another nation state, this is Cyber Warfare.

IT as a sector has historically been the realm of Geeks, Nerds and the Socially Awkward. You may not like it or agree with it, but this has been mainstream consensus for decades (though it is declining as technology becomes more common). IT Security as a specialization has historically been the realm of the Paranoid and the Technically Gifted in IT. You may not like it or agree with it, but this group is generally considered the Nay-Sayer of the IT world (though it is declining as Security becomes more important with the rise of internet connectivity). Cyber Warfare is a fringe area. A niche; a specialization in a specialization. Information Security is poorly understood by the mainstream populace, a fact well evidenced by the digital exhibitionism taking place on the various social networking sites. In fact, it is even poorly understood within the IT sector itself. How is the mainstream populace ever to understand how important Security is, if we can’t even reach consensus amongst ourselves?

I feel that it is important that all of us should stop arguing over Semantics and start working together constructively. It is important for the IT sector as a whole to form a united front if we are to positively influence the security habits of those who we aim to help.

“Threat of cyber war is overhyped” – Bruce Schneier

This month’s Ostrich Award would have to go to Bruce Schneier for his opinion piece on CNN.com. In it, he states that he’s seeing a power struggle in the US government about who’s in charge of Cyber Security. In a surprisingly anti-establishment departure from his normally so levelheaded approach, he surmises that there’s some kind of gold rush going on that the Military is winning. By continuously beating the war drums, says Schneier, the Internet may become militarized and we can infer by this rhetoric that “citizens lose” when that happens. However: what he’s really seeing is the various branches of the armed forces rushing to finally defend the networks they were already supposed to be defending.

His article quotes people like Richard Clarke, General Keith Alexander and NSA Director Mike McConnell who, according to Schneier, have all been actively hyping the dangers of cyber war just to get a leg up for their respective agencies. In a dangerous demonstration of sticking one’s head firmly in the sand, he goes on to point out that what we’ve seen so far is nothing but a little cyber espionage and little kids playing ‘hackerz’ on the internet. Sadly, by doing so he is dismissing the overwhelming evidence out there of the state-level involvement by multiple countries with the planting of logic bombs in national power grids (not just in the US) in what is seen by the military as ‘preparing the battlefield’. He also essentially dismisses cyber espionage being an act of war because we can’t properly attribute it, even though we’re seeing a massive exfiltration of data in virtually all fields (military, commercial and political). No reasonable person would consider it a minor infraction if this had been done by spies in the field – attributed or not. Apparently, the fact that it’s ‘only digital’ espionage makes it harmless.

Schneier concludes that this whole beating of the war drums reinforces the notion that we’re vulnerable. Well, yes, Bruce, have you considered that this might be because you are? Really, you should do a little more research about discovered breaches into armed forces networks (SIPRNET et al) and critical infrastructure networks before writing this stuff. There are tons of articles out there that would further discredit your opinion piece on CNN. You could also go ahead and pick up a few books like Richard Stiennon’s Surviving Cyber War or Jeffrey Carr’s Inside Cyber Warfare. Hell, even Richard Clarke’s Cyber War contains some interesting stuff that you can actually go out and validate yourself.

If nothing else, you could go by the notion that if something is possible, you can bet that someone is doing it.