Schneier on Security
A blog covering security and security technology.
June 4, 2007
I haven't posted anything about the cyberwar between Russia and Estonia because, well, because I didn't think there was anything new to say. We know that this kind of thing is possible. We don't have any definitive proof that Russia was behind it. But it would be foolish to think that the various world's militaries don't have capabilities like this.
And anyway, I wrote about cyberwar back in January 2005.
But it seems that the essay never made it into the blog. So here it is again.
The first problem with any discussion about cyberwar is definitional. I've been reading about cyberwar for years now, and there seem to be as many definitions of the term as there are people who write about the topic. Some people try to limit cyberwar to military actions taken during wartime, while others are so inclusive that they include the script kiddies who deface websites for fun.
I think the restrictive definition is more useful, and would like to define four different terms as follows:
Cyberwar -- Warfare in cyberspace. This includes warfare attacks against a nation's military -- forcing critical communications channels to fail, for example -- and attacks against the civilian population.
Cyberterrorism -- The use of cyberspace to commit terrorist acts. An example might be hacking into a computer system to cause a nuclear power plant to melt down, a dam to open, or two airplanes to collide. In a previous Crypto-Gram essay, I discussed how realistic the cyberterrorism threat is.
Cybercrime -- Crime in cyberspace. This includes much of what we've already experienced: theft of intellectual property, extortion based on the threat of DDOS attacks, fraud based on identity theft, and so on.
Cybervandalism -- The script kiddies who deface websites for fun are technically criminals, but I think of them more as vandals or hooligans. They're like the kids who spray paint buses: in it more for the thrill than anything else.
At first glance, there's nothing new about these terms except the "cyber" prefix. War, terrorism, crime, even vandalism are old concepts. That's correct, the only thing new is the domain; it's the same old stuff occurring in a new arena. But because the arena of cyberspace is different from other arenas, there are differences worth considering.
One thing that hasn't changed is that the terms overlap: although the goals are different, many of the tactics used by armies, terrorists, and criminals are the same. Just as all three groups use guns and bombs, all three groups can use cyberattacks. And just as every shooting is not necessarily an act of war, every successful Internet attack, no matter how deadly, is not necessarily an act of cyberwar. A cyberattack that shuts down the power grid might be part of a cyberwar campaign, but it also might be an act of cyberterrorism, cybercrime, or even -- if it's done by some fourteen-year-old who doesn't really understand what he's doing -- cybervandalism. Which it is will depend on the motivations of the attacker and the circumstances surrounding the attack...just as in the real world.
For it to be cyberwar, it must first be war. And in the 21st century, war will inevitably include cyberwar. For just as war moved into the air with the development of kites and balloons and then aircraft, and war moved into space with the development of satellites and ballistic missiles, war will move into cyberspace with the development of specialized weapons, tactics, and defenses.
The Waging of Cyberwar
There should be no doubt that the smarter and better-funded militaries of the world are planning for cyberwar, both attack and defense. It would be foolish for a military to ignore the threat of a cyberattack and not invest in defensive capabilities, or to disregard the strategic or tactical possibility of launching an offensive cyberattack against an enemy during wartime. And while history has taught us that many militaries are indeed foolish and ignore the march of progress, cyberwar has been discussed too much in military circles to be ignored.
This implies that at least some of our world's militaries have Internet attack tools that they're saving in case of wartime. They could be denial-of-service tools. They could be exploits that would allow military intelligence to penetrate military systems. They could be viruses and worms similar to what we're seeing now, but perhaps country- or network-specific. They could be Trojans that eavesdrop on networks, disrupt network operations, or allow an attacker to penetrate still other networks.
Script kiddies are attackers who run exploit code written by others, but don't really understand the intricacies of what they're doing. Conversely, professional attackers spend an enormous amount of time developing exploits: finding vulnerabilities, writing code to exploit them, figuring out how to cover their tracks. The real professionals don't release their code to the script kiddies; the stuff is much more valuable if it remains secret until it is needed. I believe that militaries have collections of vulnerabilities in common operating systems, generic applications, or even custom military software that their potential enemies are using, and code to exploit those vulnerabilities. I believe that these militaries are keeping these vulnerabilities secret, and that they are saving them in case of wartime or other hostilities. It would be irresponsible for them not to.
The most obvious cyberattack is the disabling of large parts of the Internet, at least for a while. Certainly some militaries have the capability to do this, but in the absence of global war I doubt that they would do so; the Internet is far too useful an asset and far too large a part of the world economy. More interesting is whether they would try to disable national pieces of it. If Country A went to war with Country B, would Country A want to disable Country B's portion of the Internet, or remove connections between Country B's Internet and the rest of the world? Depending on the country, a low-tech solution might be the easiest: disable whatever undersea cables they're using as access. Could Country A's military turn its own Internet into a domestic-only network if they wanted?
For a more surgical approach, we can also imagine cyberattacks designed to destroy particular organizations' networks; e.g., as the denial-of-service attack against the Al Jazeera website during the recent Iraqi war, allegedly by pro-American hackers but possibly by the government. We can imagine a cyberattack against the computer networks at a nation's military headquarters, or the computer networks that handle logistical information.
One important thing to remember is that destruction is the last thing a military wants to do with a communications network. A military only wants to shut an enemy's network down if they aren't getting useful information from it. The best thing to do is to infiltrate the enemy's computers and networks, spy on them, and surreptitiously disrupt select pieces of their communications when appropriate. The next best thing is to passively eavesdrop. After that, the next best is to perform traffic analysis: analyze who is talking to whom and the characteristics of that communication. Only if a military can't do any of that do they consider shutting the thing down. Or if, as sometimes but rarely happens, the benefits of completely denying the enemy the communications channel outweigh all of the advantages.
Properties of Cyberwar
Because attackers and defenders use the same network hardware and software, there is a fundamental tension between cyberattack and cyberdefense. The National Security Agency has referred to this as the "equities issue," and it can be summarized as follows. When a military discovers a vulnerability in a common product, they can either alert the manufacturer and fix the vulnerability, or not tell anyone. It's not an easy decision. Fixing the vulnerability gives both the good guys and the bad guys a more secure system. Keeping the vulnerability secret means that the good guys can exploit the vulnerability to attack the bad guys, but it also means that the good guys are vulnerable. As long as everyone uses the same microprocessors, operating systems, network protocols, applications software, etc., the equities issue will always be a consideration when planning cyberwar.
Cyberwar can take on aspects of espionage, and does not necessarily involve open warfare. (In military talk, cyberwar is not necessarily "hot.") Since much of cyberwar will be about seizing control of a network and eavesdropping on it, there may not be any obvious damage from cyberwar operations. This means that the same tactics might be used in peacetime by national intelligence agencies. There's considerable risk here. Just as U.S. U2 flights over the Soviet Union could have been viewed as an act of war, the deliberate penetration of a country's computer networks might be as well.
Cyberattacks target infrastructure. In this way they are no different than conventional military attacks against other networks: power, transportation, communications, etc. All of these networks are used by both civilians and the military during wartime, and attacks against them inconvenience both groups of people. For example, when the Allies bombed German railroad bridges during World War II, that affected both civilian and military transport. And when the United States bombed Iraqi communications links in both the First and Second Iraqi Wars, that affected both civilian and military communications. Cyberattacks, even attacks targeted as precisely as today's smart bombs, are likely to have collateral effects.
Cyberattacks can be used to wage information war. Information war is another topic that's received considerable media attention of late, although it is not new. Dropping leaflets on enemy soldiers to persuade them to surrender is information war. Broadcasting radio programs to enemy troops is information war. As people get more and more of their information over cyberspace, cyberspace will increasingly become a theater for information war. It's not hard to imagine cyberattacks designed to co-opt the enemy's communications channels and use them as a vehicle for information war.
Because cyberwar targets information infrastructure, the waging of it can be more damaging to countries that have significant computer-network infrastructure. The idea is that a technologically poor country might decide that a cyberattack that affects the entire world would disproportionately affect its enemies, because rich nations rely on the Internet much more than poor ones. In some ways this is the dark side of the digital divide, and one of the reasons countries like the United States are so worried about cyberdefense.
Cyberwar is asymmetric, and can be a guerrilla attack. Unlike conventional military offensives involving divisions of men and supplies, cyberattacks are carried out by a few trained operatives. In this way, cyberattacks can be part of a guerrilla warfare campaign.
Cyberattacks also make effective surprise attacks. For years we've heard dire warnings of an "electronic Pearl Harbor." These are largely hyperbole today. I discuss this more in that previous Crypto-Gram essay on cyberterrorism, but right now the infrastructure just isn't sufficiently vulnerable in that way.
Cyberattacks do not necessarily have an obvious origin. Unlike other forms of warfare, misdirection is more likely a feature of a cyberattack. It's possible to have damage being done, but not know where it's coming from. This is a significant difference; there's something terrifying about not knowing your opponent -- or knowing it, and then being wrong. Imagine if, after Pearl Harbor, we did not know who attacked us?
Cyberwar is a moving target. In the previous paragraph, I said that today the risks of an electronic Pearl Harbor are unfounded. That's true; but this, like all other aspects of cyberspace, is continually changing. Technological improvements affect everyone, including cyberattack mechanisms. And the Internet is becoming critical to more of our infrastructure, making cyberattacks more attractive. There will be a time in the future, perhaps not too far into the future, when a surprise cyberattack becomes a realistic threat.
And finally, cyberwar is a multifaceted concept. It's part of a larger military campaign, and attacks are likely to have both real-world and cyber components. A military might target the enemy's communications infrastructure through both physical attack -- bombings of selected communications facilities and transmission cables -- and virtual attack. An information warfare campaign might include dropping of leaflets, usurpation of a television channel, and mass sending of e-mail. And many cyberattacks still have easier non-cyber equivalents: A country wanting to isolate another country's Internet might find a low-tech solution, involving the acquiescence of backbone companies like Cable & Wireless, easier than a targeted worm or virus. Cyberwar doesn't replace war; it's just another arena in which the larger war is fought.
People overplay the risks of cyberwar and cyberterrorism. It's sexy, and it gets media attention. And at the same time, people underplay the risks of cybercrime. Today crime is big business on the Internet, and it's getting bigger all the time. But luckily, the defenses are the same. The countermeasures aimed at preventing both cyberwar and cyberterrorist attacks will also defend against cybercrime and cybervandalism. So even if organizations secure their networks for the wrong reasons, they'll do the right thing.
Here's my previous essay on cyberterrorism.
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..