Schneier on Security
A blog covering security and security technology.
December 21, 2010
Book Review: Cyber War
Cyber War: The Next Threat to National Security and What to do About It by Richard Clarke and Robert Knake, HarperCollins, 2010.
Cyber War is a fast and enjoyable read. This means you could give the book to your non-techy friends, and they'd understand most of it, enjoy all of it, and learn a lot from it. Unfortunately, while there's a lot of smart discussion and good information in the book, there's also a lot of fear-mongering and hyperbole as well. Since there's no easy way to tell someone what parts of the book to pay attention to and what parts to take with a grain of salt, I can't recommend it for that purpose. This is a pity, because parts of the book really need to be widely read and discussed.
The fear-mongering and hyperbole is mostly in the beginning. There, the authors describe the cyberwar of novels. Hackers disable air traffic control, delete money from bank accounts, cause widespread blackouts, release chlorine gas from chemical plants, and -- this is my favorite -- remotely cause your printer to catch on fire. It's exciting and scary stuff, but not terribly realistic. Even their discussions of previous "cyber wars" -- Estonia, Georgia, attacks against U.S. and South Korea on July 4, 2009 -- are full of hyperbole. A lot of what they write is unproven speculation, but they don't say that.
Better is the historical discussion of the formation of the U.S. Cyber Command, but there are important omissions. There's nothing about the stoking of cyberwar fear that accompanied this: by the NSA's General Keith Alexander -- who became the first head of the command -- by the NSA's former director and current military contractor Mike McConnell, who's Senior Vice President at Booz Allen Hamilton, and by others. By hyping the threat, the former has amassed a lot of power, and the latter a lot of money. Cyberwar is the new cash cow of the military-industrial complex, and any political discussion of cyberwar should include this as well.
Also interesting is the discussion of the asymmetric nature of the threat. A country like the United States, which is heavily dependent on the Internet and information technology, is much more vulnerable to cyber-attacks than a less-developed country like North Korea. This means that a country like North Korea would benefit from a cyberwar exchange: they'd inflict far more damage than they'd incur. This also means that, in this hypothetical cyberwar, there would be pressure on the U.S. to move the war to another theater: air and ground, for example. Definitely worth thinking about.
Most important is the section on treaties. Clarke and Knake have a lot of experience with nuclear treaties, and have done considerable thinking about how to apply that experience to cyberspace. The parallel isn't perfect, but there's a lot to learn about what worked and what didn't, and -- more importantly -- how things worked and didn't. The authors discuss treaties banning cyberwar entirely (unlikely), banning attacks against civilians, limiting what is allowed in peacetime, stipulating no first use of cyber weapons, and so on. They discuss cyberwar inspections, and how these treaties might be enforced. Since cyberwar would be likely to result in a new worldwide arms race, one with a more precarious trigger than the nuclear arms race, this part should be read and discussed far and wide. Sadly, it gets lost in the rest of the book. And, since the book lacks an index, it can be hard to find any particular section after you're done reading it.
In the last chapter, the authors lay out their agenda for the future, which I largely agree with.
- We need to start talking publicly about cyber war. This is certainly true. The threat of cyberwar is going to consume the sorts of resources we shoveled into the nuclear threat half a century ago, and a realistic discussion of the threats, risks, countermeasures, and policy choices is essential. We need more universities offering degrees in cyber security, because we need more expertise for the entire gamut of threats.
- We need to better defend our military networks, the high-level ISPs, and our national power grid. Clarke and Knake call this the "Defensive Triad." The authors and I disagree strongly on how this should be done, but there is no doubt that it should be done. The two parts of that triad currently in commercial hands are simply too central to our nation, and too vulnerable, to be left insecure. And their value is far greater to the nation than it is to the corporations that own it, which means the market will not naturally secure it. I agree with the authors that regulation is necessary.
- We need to reduce cybercrime. Even without the cyber warriors bit, we need to do that. Cybercrime is bad, and it's continuing to get worse. Yes, it's hard. But it's important.
- We need international cyberwar treaties. I couldn't agree more about this. We do. We need to start thinking about them, talking about them, and negotiating them now, before the cyberwar arms race takes off. There are all kinds of issues with cyberwar treaties, and the book talks about a lot of them. However full of loopholes they might be, their existence will do more good than harm.
- We need more research on secure network designs. Again, even without the cyberwar bit, this is essential. We need more research in cybersecurity, a lot more.
- We need decisions about cyberwar -- what weapons to build, what offensive actions to take, who to target -- to be made as far up the command structure as possible. Clarke and Knake want the president to personally approve all of this, and I agree. Because of its nature, it can be easy to launch a small-scale cyber attack, and it can be easy for a small-scale attack to get out of hand and turn into a large-scale attack. We need the president to make the decisions, not some low-level military officer ensconced in a computer-filled bunker late one night.
This is great stuff, and a fine starting place for a national policy discussion on cybersecurity, whether it be against a military, espionage, or criminal threat. Unfortunately, for readers to get there, they have to wade through the rest of the book. And unless their bullshit detectors are already well-calibrated on this topic, I don't want them reading all the hyperbole and fear-mongering that comes before, no matter how readable the book.
Note: I read Cyber War in April, when it first came out. I wanted to write a review then, but found that while my Kindle is great for reading, it’s terrible for flipping back and forth looking for bits and pieces to write about in a review. So I let the review languish. Finally, I borrowed a paper copy from my local library.
Some other reviews of the book Cyber War. See also the reviews on the Amazon page.
I wrote two essays on cyberwar.
Posted on December 21, 2010 at 7:23 AM
I agree with you about the benefits and shortcomings of the Kindle. It's great for sequential access, terrible for random access.
Wouldn't cyber-war treaties be completely unverifiable? What's the value when a belligerent can just deny responsibility for an incident?
Thanks for the post Bruce; this is an interesting subject; I haven't read the book or your essays but I will buy the book. I read Gadi Evron's posts on the Estonian cyber attacks and found it interesting. The two things that come to mind are: 1) it's a global issue, anyone can **play the game** not just the might of the US, 2) as you point out there is a large criminal element so what part would they play? cyber guns for hire?, play both sides?... cyber treaties will only work if the crime element can be controlled.
Nice post though
@ Peter Finnigan,
"...as you point out there is a large criminal element so what part would they play? cyber guns for hire?, play both sides?.."
Playing both sides could make them very much like arms manufacturers / suppliers of the 20th Century.
Thus if they are only supplying the tools of attack and not actually deploying the tools for a sponsor then technically they are not partaking of the conflict...
And likewise if they are cautious, not actually committing a criminal act either... After all they are not selling arms or ammunition and provided they did not steal the "zero day" or what other "information" they are supplying they are not committing theft or breach of copyright etc.
Which could make life more than a tad interesting.
How long before we see "crackers" in orange jump suits cooling their heels on some foreign soil of ambiguous territoriality and thus jurisdiction?
From this book and Mr Clarke's other statements, while it may be versed in hyperbole I think it represents a very clear description of his risk assessment.
You might also read his novel Breakpoint for a scenario.
I recall that this is the guy who remained in the White House, while the vulcans and their masters were lying about WMD and playing the politics of fear, not because of the 'terrorist threat' but to complete the cyber-security strategy. Talk about balancing security needs.
There ARE large swaths of infrastructure that are lightly guarded or ignored. Much of it remains mechanical for the moment but as automation is established during upgrades they are trending toward more vulnerable.
Allan Paller tells a story of the late 90s or early oughts where a hacker found his way into an unpatched dam flood gate control system that managed all the dams in N. California. Apocryphal? Doan' know. Tempting target? Open all the dams in a country at one time? Something of a significant disaster it seems to me.
I keep thinking about why countries gave up the use of gas weapons. Not because they were inhumane but because they weren't reliable.
The dam hacker found his vulnerability by chance. I think the cyber war problem will come down to being able to target what you want to bring down and when you want to bring it down. Kinetic kill weapons are more easily deployed. DDoS has been the only consistently reliable method developed that I've seen. And it's counterable.
I recently read this book and came mostly to the same conclusion described in your first paragraph. The stories are exciting, but a lot of the book's content seems to revolve around "there's nothing we can do, we are all screwed, it probably already happened and we didn't even notice". While the spy vs. spy concept is hard to ignore (and probably useful to consider), I think people like the book's author completely miss the concept of security - are we trying to build perfect networks with perfect encryption and perfect implementation with flawless software running them and honest people managing their data, or are we trying to manage risk/exposure in a reasonable and effective way?
Asymmetry -- doesn't that imply that a reasonable developed world would invest very seriously in developing the undeveloped world? This is clearly a case of a non-zero sum game -- that disruption of the developed world is almost inevitable given asymmetry, and the ultimate cost to everyone individually and in sum of having undeveloped countries is much more than the cost of developing them.
Of course, the odds of the developed world being reasonable are quite low without the threat of immediate annihilation. (See 20th century for examples).
@kangaroo "the developed world "
Reminds me of the reasonable person actor in economics.
It implies a unity of purpose which I don't think exists.
There are people/companies making large profits in the undeveloped world that, in their own self interest, have no reason to change. Our developed world governments act not in their own self-interest but in that of their companies operating overseas.
Any time Side A has a greater technical advantage than Side B, Side B would be stupid to fight Side A's fight. Instead, Side B will fight the way Side A can not, will not, or does not want to. If the USA were to somehow dominate cyberwar the way it dominates conventional war, then any potential cyberwar opponents will revert to the same tactics as current "enemies": Blowing up planes, trains & automobiles.
I think a basic issue about this is raised by the whole Wikileaks case.
Using computer attacks to hit other countries' infrastructure, damage their economy, etc., is something to worry about, but it's also pretty likely to be taken as hostile. I mean, it's hard to determine the source for an attack, but if we became convinced that some country had, say, caused a nuclear plant meltdown via cyber attack, or caused a big refinery to blow up, we'd probably treat it like an act of war.
But using computer attacks to silence people who are saying embarrassing things about you, shutting down Wikileaks or Al-Jazeera's English language site or some foreign newspaper, that's probably not going to trigger a war. And for a lot of countries, it's quite valuable. It both provides a way to keep your own citizens from seeing stuff that's embarrassing, and also gives you a way of pressuring foreign media or websites not to irritate you too much.
I haven't read that book and I'll wait to check it out of the library.
1. "We need to start talking publicly about cyber war."
How much more public can it get? It's constantly trotted out as a technology boogieman.
2. "We need to better defend our military networks, the high-level ISPs, and our national power grid."
Better security is okay. But instead of regulation (the government cannot even secure its own systems) how about a government dept dedicated to attempting to crack those systems?
3. "We need to reduce cyber crime."
First, we need to assign the costs correctly. When the banks are risking their own money, they'll change their practices.
4. "We need international cyberwar treaties."
And how, exactly, would those be verified? And if they couldn't be verified, what incentive would any nation have to follow them even if they did sign them?
5. "We need more research on secure network designs."
You do realize that the vast majority of problems occur because of management rather than technology, right?
6. "We need decisions about cyberwar -- what weapons to build, what offensive actions to take, who to target -- to be made as far up the command structure as possible."
Yeah, because that works so well with regular wars. It doesn't matter who makes the decision, any problems will be blamed on nameless, faceless "analysts" who provided incorrect information. Meanwhile, who's writing the worm software today?
And still, not a single person has died from this "cyber war".
It is not a war.
And using that kind of terminology just confuses the issue.
I agree with Larry Seltzer. Stuxnet proves that attribution is not yet certain enough to be useful for enforcing a "cyberwar treaty". Without that, any treaty is just words on a page with no value.
I think covert ops are a better analogy for this conflict than cyberwar. We have international law about covert ops, but they're pretty useless ... just ask Majid Shahriari and his still-unknown killers.
A minor nit: Can we please take the overused "Cyber" prefix by the scruff of the neck and fling it forcefully out of the vocabulary?
There's got to be a better term to use, such as "Information" or "Infrastructure" attacks...
@ Brandioch Conner
"not a single person has died from this "cyber war. It is not a war."
Meh, same with war dialing, but who complains about that phrase. We've been calling it cyber war since at least 1987. Why stop now?
Funny thing happened... after reading this article, my PC crashed, attempted to restart and a small flame was visible from the processor fan port... I am not kidding... Way to get your point across Bruce. ;-)
(disclosure: it had been crashing randomly for weeks).
A good read? But full of hyperbole? I expected a more serious assessment than that here. From this review, the book sounds just like I would expect: propaganda aimed at spreading fear, dis/misinformation, and providing justification for ever-expanding militarization of the internet. And justification for ever-expanding budgets for themselves and the "contractor" buddies. And erosion of civil liberties and everything else that normal people actually enjoy.
"We need international cyberwar treaties."
I still don't see how such treaties would be enforceable given that the technology involved is ubiquitous, deniable, and unverifiable. Attacks can be launched from anywhere for next to nothing. What value would this sort of "gentlemen's agreement" serve? How would a treaty have affected the deployment of STUXNET for example? What am I missing?
I guess I should blog about this separately, and I have done so a little already, but here's my take:
1) Clarke is great about warning us of yesterday's windmills. The discussion has been public for a while now (since at least 1999) and money is being funneled into the congressional-military-industrial complex (original term preferred by Eisenhower). It's not necessarily a bad thing, and he should be congratulated on this, but it's time to update the story.
2) The (newish) risks he could warn about are related to a dimension of hyper-collaborative bonds and time-bound social groups. When people ask "who was behind stuxnet" they really should be asking who was *not* behind stuxnet. What Gonzales showed in spades is that special collaboration is the new nuke. Attribution is a pain and definition of foe is nearly impossible. This is part of what I tried to argue at RSA Europe -- don't ban crossbows, out-think the mercenaries. A government could seed a group with a dumb and attributable tool, for example, like LOIC; that makes definition of their foe easy, since they've tagged a group (even for future reference).
3) I asked Clarke how and why he brings up but does not compare the risk of a mechanical gas-pipe explosion in California with the cyber-alteration of uranium enrichment in Iran. He said it was because the latter is "so much more complex". That indicates a common cybermistake to me -- fear of the unfamiliar, rather than the likely or the severe. Maybe he can make a good case for the stuxnet severity, but I still don't see it.
To me the cold and calculated assassination of the uranium enrichment scientists should have been in the press as much as stuxnet, no? Motorcyclists who stick a bomb to the door of a scientist and then ride away? How's the treaty against that going?
Back to 2) there are many other examples of real (severe and likely) risk that need to be addressed, such as the impact from failing education and health of children. That's why, turning his own model around, I wish Clarke spent less time on how to respond to printer fires and worms and more on new forms of attack prevention -- why/how to keep youth from being recruited into (temporal social network) groups that will intentionally or even accidentally blow gas lines. Whether they use a wrench, ssh or java does not scare me as much as how easily they are misdirected.
"Meh, same with war dialing, but who complains about that phrase. We've been calling it cyber war since at least 1987. Why stop now?"
Because it confuses the issue. No one is calling for international treaties limiting war-dialing software, are they?
The first step in understanding a problem is being able to define the terms used. That way it is possible to compare/contrast the individual elements.
Your example of assassinating scientists is a good example. The term is understood.
Until the first healthy person at home dies as a direct result of "malware", we should avoid the use of the term "war".
There are many facets to a war which do not involve the direct infliction of casualties. (Endless staff meetings, for one.) Just because cyberwar does not -- yet -- inflict casualties, does not mean it will not in the future nor, as with staff meetings, does it mean that the other bits of the war will be bloodless.
Yeah, books like this frame the issue in terms that are only favorable to those in power. By engaging others in discussion within this framework you are almost guaranteed to lose.
Let's look at the first "point":
"We need to start talking publicly about cyber war. This is certainly true. The threat of cyberwar is going to consume the sorts of resources we shoveled into the nuclear threat half a century ago, and a realistic discussion of the threats, risks, countermeasures, and policy choices is essential. We need more universities offering degrees in cyber security, because we need more expertise for the entire gamut of threats."
Translation: "we need to agitate the public to allow us to do what we want. the policies will be rammed through in an atmosphere of hysteria. More research will be done as universities that will further entrench this Medusa and ultimately will funnel tax money to our companies."
Follow the same basic rubric for the other points. These people are rather openly preparing us to live in a national security state. The punchline is this: you pay (in terms of money, freedoms and fear) and we collect.
@BF: Our developed world governments act not in their own self-interest but in that of their companies operating overseas.
Which is why democracy isn't just a moral idea -- it's essential to align the world system with the interests of actual, you know, actual people. Our long-term survival is at stake -- including those short-term thinkers who currently rule the world in their short-term personal interest.
Some broad debate may indeed be useful. It's never a good idea to just leave any type of warfare to either the military or all kinds of obscure secret agencies.
I'm a bit sceptical about proactive treaties, especially as long as there are no commonly accepted definitions of what actually constitutes a cyber act of war. On top of that, neither most politicians nor the general public have any clue whatsoever as to what to imagine under "cyber war". This will make it somehow difficult to justify big budgets for the courses of action suggested above. As long as there is no compelling business case (read: major cyber attack with serious impact), I guess the entire topic will remain pretty much low-profile.
"We need more research on secure network designs."
I've just completed a PhD which deals with secure protocol design, where "secure" is relative to threats like DDoS rather than traditional access authorisation issues. I wouldn't call it the definitive work on secure network design, but it's worth noting if you're constructing a literature review of relevant material.
Have you read "Surviving Cyberwar" by Richard Stiennon? If so, what's your opinion?
Bruce, you make a small but important misstatement about when government regulation of infrastructure security might be merited: It's not when the value of an asset is greater to the nation than to its owners. (That's any company that has positive externalities---which is pretty much all of them.) It's when securing drives costs to owners above the going-forward value of the asset.
You also assume that the regulatory system can do a better job of securing, which is a premise worth examining. Given the incentive structure government officials face, regulation is likely to over-secure, creating the appearance of security success while wasting national assets.
Thanks for the review. I picked up the book based on your description... hopefully it will make for some enjoyable reading during holiday travel.
I am about two thirds of the way through this alternately interesting and exasperating book. The thing that strikes me is that, so far anyway, Clarke is long on speculation and short on hard facts. Well, this could happen, or that, or maybe that. OK. That is what strategists are supposed to do. But it ignores the bigger problem. Nobody knows what the risks really are, and consequently cannot assess whether to take them.
It's a given, for example, that anybody can theoretically plant a logic bomb in somebody else's network. But that begs the question: Will it work when you trigger it? Heck, how does the first person know the logic bomb is still there? How does the first person know the "victim" hasn't done something, intentionally or not, to disable it? The "victim" may or may not have been able to find and quarantine it, or maybe through a series of software and hardware upgrades the "victim" rippled the host machine off to no-man's-land, wholly ignorant of its payload.
And even if it does work when you trigger it, how do you know what effect it will have? Administrators are constantly configuring and reconfiguring their networks for multiple reasons, some of which may involve security and some may not.
In short, it seems to me, while cyber warfare is potentially destructive, it is also intensely unreliable, and hence will not likely be a significant factor in any country's strategic arsenal.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.