Schneier on Security

Clive Robinson • November 24, 2012 1:24 AM

@ Michael Lynn,

Can someone please explain the theory behind using offensive cyber weapons to defend?

Yes, it’s releativly simple from the limited military point of view.

First you need to realise that in conventional or cyber warfare considerations defense is considerably more expensive than a focused attack.

This is because of the issue of maintaining a large perimeter defence capable of delaying or stopping a potential enemies focused attack at all points.

Further a focused attack has the benifit of optimum efficiency from both the human and force multiplying resources, where as defence requires significant down time for rest, training and equipment maintanence cycles.

Thus a focused attack on key points in an enemies offensive capability reduces their ability to mount an attack of any form and is generaly known as a premptive strike (and is illegal under the rules of war for conventional warfare).

However though this is considerably less expensive than maintaining a suitable defensive capability, in conventional warfare it also usually stops the countries productive economic capabilities and provides a clear oportunity for other potential enemies to make an attack against your now weakend defences (This is what the US did with “Mr. Madison’s War” of 1812 to what is now Canada when it was effectivly British Canadian territory and Britain was engaged in a significant European war against France and it’s “petty tyrant” Napoleon).

Thus in conventional warfare a premptive strike is generaly only of use against a very much weaker or weakened potential opponent who is generally not actually a threat (hence the reason it’s considered an illegal act).

As cyber-warfare is not regulated by any treaties, articles of war or other conventions currently, premptive strikes are much under consideration from the millitary outlook, especially as they can be conducted in a way that alows for the much loved politicaly “plausable deniability”.

From a wider perspective than that of the military, defence costs are a significant drain on a countries economy and GDP. And from a certain political viewpoint these costs should be minimised as much as possible.

To remain as effective defence costs can only be reduced by having significant intelligence advantage over potential enemies. Which means in practice the savings are rather less than expected because effective intelligence costs are quite significant.

Importantly this intelligence advantage needs to be both in terms of having accurate and upto date intelligence on all potential enemies be they currently friend or foe, but also on denying all potential enemies accurate intelligence such that either, they gain no benifit from their intelligence activities or more preferably such that they will have an incorrect view of your defences such that they will believe your weak points to be strong, and hopefully that your strong points are weak such that any focused attack they perform will be against the strong points or a trap set out to gain numerical and tactical advantage.

Unfortunatly whilst this “Intelligence Advantage” sounds good in theory and as a sound bite for politicos in practice it does not work for conventional intelligence gathering to any significant advantage during what is in effect “peace time”.

To see why you need to take a step outside the limited military and intelligence view and look at the nature of what is inside your peace time defensive perimeter…

In an open society your potential enemy can move fairly freely within the defensive perimeter and thus gather intelligence fairly easily, but importantly also be able to sufficiently cross check it to make your ability to mount deceptive intelligence operations difficult if not impossible.

Whilst a closed society alows deceptive intelligence operations to be mounted with some chance of success, the nature of a closed society reduces or prevents trade and other activites that are generaly needed for a strong economy that can afford a robust defensive capability (it was this that brought down the old CCCP / USSR in that the US could always out spend it).

Further you need to consider there is a considerable difference between conventional intelligence gathering and cyber intelligence gathering and it is important to understand a fundemental asspect of the difference between them when it comes to intelligence advantage as well as premptive strikes.

In the conventional intelligence setup you have two basic areas covered. Firstly technical intelligence gathering via Signals Intelligence (SIGINT) comprising Communications Intelligence (COMINT) and Electronic Inteligence (ELINT), Geographical and Image intelligence (GEOINT/IMINT), Technical inteligence (TECINT) and Measurment and Signiture inteligence (MASINT) all of which is usually carried out by regular military personel using military vessels/vehicals and satellites. Secondly civilian personel with jobs almost the equivalent of investagative journalists carrying out activities such as Open Source Intelligence (OSINT), Financiial Inteligence (FININT) and the messy face to face Human Intelligence (HUMINT) which usually involves “field duties” in foreign countries. The setup for this is generaly “intelligence officers”[1], “contractors”[2] and “agents”[3] as human resources and they may use technical resources of various kinds to augment their activities.

Cyber intelligence gathering is generaly not a job with “travel prospects” nor is it particularly high risk, as it is the job of deploying and operatimg “software agents” onto computers in the targets of interest from remote locations. As such the activity is currently called “APT” and the software agents “malware”.

However there are a couple of less well known activites one of which is to employ contractors[2] for computers that are not remotly accessable, the other is supply chain poisoning [4]. It is the latter that is gaining quite a bit of interest of more recent times. However it is suspected that quite a bit of the former has happened but has been put down to just ordinary technology theft or burglary and in some cases arson.

Thus cyber-espionage is considerably different to conventional espionage in most respects and with a little forethought can be mitigated more easily simply by using proper air-gap techniques and reliable physical security.

However in not all cases do those preparing to make cyber-attacks take the care required to fully issolate the computerss the use to develop their offensive capability.

Which brings me to your second question,

How exactly can I use an exploit to “destroy an enemy’s cyber capabilities”.

If and only if you have sufficient cyber-intelligence and your potential enemy has not been carefull in their preperations then you could moount a premptive strike against those computers. However in practice it would achive little and thus be fairly irrelevant.

What would however not be irrelevant would be a fundemental attack on some asspect of their economy that either requires connectivity to function (say online banking) or due to connectivity is vulnerable to some kind of secondary effect, it is this we saw with stuxnet.

Prior to that I had worked out how to attack voting machines that are technicaly issolated or air-gapped systems but are vulnerable to “maintanence technicians” laptops which in turn are connected to the internet from time to time, thus providing a steping stone.

From many countries perspectives having a Democrat in the Whitehouse is a considerably better option than a Republican with War Hawks sitting on their shoulder…

[1] As a general rule the officers are citizens of your country who are employees of your government and when working abroad have diplomatic immunity, their job function is not that of “James Bond” but investagative journalists.

[2] Contractors are the intelligence equivalent of mercenaries and may be a citizen of any country, as such they are employed in a deniable fashion for specific tasks within a single operation and have no immunity or protection, their job function is often highly specialised as for instance burglars to either remove or copy information or place surveillance equipment.

[3] Agents are generaly citizens or residents of the country under observation as such they are considered by that country to be traitors and if caught will generaly be imprisoned for long terms or more simply executed, their job is simply to betray the confidence of their employers and country and turn over information for idealistic or monetary reasons, as such they are not trusted by their handlers who may well be “case officers” attached to the embassy.

[4] Supply Chain Poisoning happens simply because some time ago for reasons of cost savings many countries stoped trying to produce their own computer hardware and operating systems and instead buy comercial equipment, most of which is actually produced in part or fully in one or more foreign countries.

When it comes to telecommunications equipment the majority of the semiconductors are produced in the Far East either in part or totaly. This has caused conciderable concern just recently as the politicians have finally woken up to the implications of this (although the industry has been aware of it for over a quater of a century).

Put simply the hardware in systems can not be trusted because it’s not possible to tell if remote kill or other functions have been added. One such concern is that routers in government or other sensitive networks might be releasing information via covert channels. Whilst no evidence of this has been produced publicaly [5] it has become a political issue used against a number of Chinese telecommunications equipment manufacturers.

[5] What the US Department of Defence has discovered is that they have been subject to the more ordinary criminal activity of “passing off” where substandard parts have been remarked as much more expensive specialy qualified parts and as such are likely to fail when used in challenging conditions.

[6]