Cyberwar

I haven't posted anything about the cyberwar between Russia and Estonia because, well, because I didn't think there was anything new to say. We know that this kind of thing is possible. We don't have any definitive proof that Russia was behind it. But it would be foolish to think that the various world's militaries don't have capabilities like this.

And anyway, I wrote about cyberwar back in January 2005.

But it seems that the essay never made it into the blog. So here it is again.


Cyberwar

The first problem with any discussion about cyberwar is definitional. I've been reading about cyberwar for years now, and there seem to be as many definitions of the term as there are people who write about the topic. Some people try to limit cyberwar to military actions taken during wartime, while others are so inclusive that they include the script kiddies who deface websites for fun.

I think the restrictive definition is more useful, and would like to define four different terms as follows:

Cyberwar -- Warfare in cyberspace. This includes warfare attacks against a nation's military -- forcing critical communications channels to fail, for example -- and attacks against the civilian population.

Cyberterrorism -- The use of cyberspace to commit terrorist acts. An example might be hacking into a computer system to cause a nuclear power plant to melt down, a dam to open, or two airplanes to collide. In a previous Crypto-Gram essay, I discussed how realistic the cyberterrorism threat is.

Cybercrime -- Crime in cyberspace. This includes much of what we've already experienced: theft of intellectual property, extortion based on the threat of DDoS attacks, fraud based on identity theft, and so on.

Cybervandalism -- The script kiddies who deface websites for fun are technically criminals, but I think of them more as vandals or hooligans. They're like the kids who spray paint buses: in it more for the thrill than anything else.

At first glance, there's nothing new about these terms except the "cyber" prefix. War, terrorism, crime, even vandalism are old concepts. That's correct: the only thing new is the domain; it's the same old stuff occurring in a new arena. But because the arena of cyberspace is different from other arenas, there are differences worth considering.

One thing that hasn't changed is that the terms overlap: although the goals are different, many of the tactics used by armies, terrorists, and criminals are the same. Just as all three groups use guns and bombs, all three groups can use cyberattacks. And just as every shooting is not necessarily an act of war, every successful Internet attack, no matter how deadly, is not necessarily an act of cyberwar. A cyberattack that shuts down the power grid might be part of a cyberwar campaign, but it also might be an act of cyberterrorism, cybercrime, or even -- if it's done by some fourteen-year-old who doesn't really understand what he's doing -- cybervandalism. Which it is will depend on the motivations of the attacker and the circumstances surrounding the attack...just as in the real world.

For it to be cyberwar, it must first be war. And in the 21st century, war will inevitably include cyberwar. For just as war moved into the air with the development of kites and balloons and then aircraft, and war moved into space with the development of satellites and ballistic missiles, war will move into cyberspace with the development of specialized weapons, tactics, and defenses.

The Waging of Cyberwar

There should be no doubt that the smarter and better-funded militaries of the world are planning for cyberwar, both attack and defense. It would be foolish for a military to ignore the threat of a cyberattack and not invest in defensive capabilities, or to disregard the strategic or tactical possibility of launching an offensive cyberattack against an enemy during wartime. And while history has taught us that many militaries are indeed foolish and ignore the march of progress, cyberwar has been discussed too much in military circles to be ignored.

This implies that at least some of our world's militaries have Internet attack tools that they're saving in case of wartime. They could be denial-of-service tools. They could be exploits that would allow military intelligence to penetrate military systems. They could be viruses and worms similar to what we're seeing now, but perhaps country- or network-specific. They could be Trojans that eavesdrop on networks, disrupt network operations, or allow an attacker to penetrate still other networks.

Script kiddies are attackers who run exploit code written by others, but don't really understand the intricacies of what they're doing. Conversely, professional attackers spend an enormous amount of time developing exploits: finding vulnerabilities, writing code to exploit them, figuring out how to cover their tracks. The real professionals don't release their code to the script kiddies; the stuff is much more valuable if it remains secret until it is needed. I believe that militaries have collections of vulnerabilities in common operating systems, generic applications, or even custom military software that their potential enemies are using, and code to exploit those vulnerabilities. I believe that these militaries are keeping these vulnerabilities secret, and that they are saving them in case of wartime or other hostilities. It would be irresponsible for them not to.

The most obvious cyberattack is the disabling of large parts of the Internet, at least for a while. Certainly some militaries have the capability to do this, but in the absence of global war I doubt that they would do so; the Internet is far too useful an asset and far too large a part of the world economy. More interesting is whether they would try to disable national pieces of it. If Country A went to war with Country B, would Country A want to disable Country B's portion of the Internet, or remove connections between Country B's Internet and the rest of the world? Depending on the country, a low-tech solution might be the easiest: disable whatever undersea cables they're using as access. Could Country A's military turn its own Internet into a domestic-only network if they wanted?

For a more surgical approach, we can also imagine cyberattacks designed to destroy particular organizations' networks; for example, the denial-of-service attack against the Al Jazeera website during the recent Iraqi war, allegedly by pro-American hackers but possibly by the government. We can imagine a cyberattack against the computer networks at a nation's military headquarters, or the computer networks that handle logistical information.

One important thing to remember is that destruction is the last thing a military wants to do with a communications network. A military only wants to shut an enemy's network down if they aren't getting useful information from it. The best thing to do is to infiltrate the enemy's computers and networks, spy on them, and surreptitiously disrupt select pieces of their communications when appropriate. The next best thing is to passively eavesdrop. After that, the next best is to perform traffic analysis: analyze who is talking to whom and the characteristics of that communication. Only if a military can't do any of that do they consider shutting the thing down. Or if, as sometimes but rarely happens, the benefits of completely denying the enemy the communications channel outweigh all of the advantages.

Properties of Cyberwar

Because attackers and defenders use the same network hardware and software, there is a fundamental tension between cyberattack and cyberdefense. The National Security Agency has referred to this as the "equities issue," and it can be summarized as follows. When a military discovers a vulnerability in a common product, they can either alert the manufacturer and fix the vulnerability, or not tell anyone. It's not an easy decision. Fixing the vulnerability gives both the good guys and the bad guys a more secure system. Keeping the vulnerability secret means that the good guys can exploit the vulnerability to attack the bad guys, but it also means that the good guys are vulnerable. As long as everyone uses the same microprocessors, operating systems, network protocols, applications software, etc., the equities issue will always be a consideration when planning cyberwar.

Cyberwar can take on aspects of espionage, and does not necessarily involve open warfare. (In military talk, cyberwar is not necessarily "hot.") Since much of cyberwar will be about seizing control of a network and eavesdropping on it, there may not be any obvious damage from cyberwar operations. This means that the same tactics might be used in peacetime by national intelligence agencies. There's considerable risk here. Just as U.S. U-2 flights over the Soviet Union could have been viewed as an act of war, the deliberate penetration of a country's computer networks might be as well.

Cyberattacks target infrastructure. In this way they are no different than conventional military attacks against other networks: power, transportation, communications, etc. All of these networks are used by both civilians and the military during wartime, and attacks against them inconvenience both groups of people. For example, when the Allies bombed German railroad bridges during World War II, that affected both civilian and military transport. And when the United States bombed Iraqi communications links in both the First and Second Iraqi Wars, that affected both civilian and military communications. Cyberattacks, even attacks targeted as precisely as today's smart bombs, are likely to have collateral effects.

Cyberattacks can be used to wage information war. Information war is another topic that's received considerable media attention of late, although it is not new. Dropping leaflets on enemy soldiers to persuade them to surrender is information war. Broadcasting radio programs to enemy troops is information war. As people get more and more of their information over cyberspace, cyberspace will increasingly become a theater for information war. It's not hard to imagine cyberattacks designed to co-opt the enemy's communications channels and use them as a vehicle for information war.

Because cyberwar targets information infrastructure, the waging of it can be more damaging to countries that have significant computer-network infrastructure. The idea is that a technologically poor country might decide that a cyberattack that affects the entire world would disproportionately affect its enemies, because rich nations rely on the Internet much more than poor ones. In some ways this is the dark side of the digital divide, and one of the reasons countries like the United States are so worried about cyberdefense.

Cyberwar is asymmetric, and can be a guerrilla attack. Unlike conventional military offensives involving divisions of men and supplies, cyberattacks are carried out by a few trained operatives. In this way, cyberattacks can be part of a guerrilla warfare campaign.

Cyberattacks also make effective surprise attacks. For years we've heard dire warnings of an "electronic Pearl Harbor." These are largely hyperbole today. I discuss this more in that previous Crypto-Gram essay on cyberterrorism, but right now the infrastructure just isn't sufficiently vulnerable in that way.

Cyberattacks do not necessarily have an obvious origin. Unlike other forms of warfare, misdirection is more likely a feature of a cyberattack. It's possible to have damage being done, but not know where it's coming from. This is a significant difference; there's something terrifying about not knowing your opponent -- or knowing it, and then being wrong. Imagine if, after Pearl Harbor, we had not known who attacked us.

Cyberwar is a moving target. In the previous paragraph, I said that today the risks of an electronic Pearl Harbor are unfounded. That's true; but this, like all other aspects of cyberspace, is continually changing. Technological improvements affect everyone, including cyberattack mechanisms. And the Internet is becoming critical to more of our infrastructure, making cyberattacks more attractive. There will be a time in the future, perhaps not too far into the future, when a surprise cyberattack becomes a realistic threat.

And finally, cyberwar is a multifaceted concept. It's part of a larger military campaign, and attacks are likely to have both real-world and cyber components. A military might target the enemy's communications infrastructure through both physical attack -- bombings of selected communications facilities and transmission cables -- and virtual attack. An information warfare campaign might include dropping of leaflets, usurpation of a television channel, and mass sending of e-mail. And many cyberattacks still have easier non-cyber equivalents: A country wanting to isolate another country's Internet might find a low-tech solution, involving the acquiescence of backbone companies like Cable & Wireless, easier than a targeted worm or virus. Cyberwar doesn't replace war; it's just another arena in which the larger war is fought.

People overplay the risks of cyberwar and cyberterrorism. It's sexy, and it gets media attention. And at the same time, people underplay the risks of cybercrime. Today crime is big business on the Internet, and it's getting bigger all the time. But luckily, the defenses are the same. The countermeasures aimed at preventing both cyberwar and cyberterrorist attacks will also defend against cybercrime and cybervandalism. So even if organizations secure their networks for the wrong reasons, they'll do the right thing.

Here's my previous essay on cyberterrorism.

Posted on June 4, 2007 at 6:13 AM

Comments

anonymous - ya right • June 4, 2007 6:32 AM

While somewhat related to the article, this involves the fact that if they could break into a system, then they could get information off hard drives. Also this article shows that hard drive manufacturers have backdoors, as per the article's fact that vargon was able to recover data after it was supposed to be gone!

http://cmrr.ucsd.edu/Hughes/subpgset.htm
Secure erase newsletter 1004.pdf

Clive Robinson • June 4, 2007 7:15 AM

You define Cyberwar and Cyberterrorism in ways that are effectively the same if you are the recipient of the attack.

The point is that a great number of the "first world's" (supposedly) critical infrastructure is extremely brittle, especially where the "free market economy" prevails.

This trend will only get worse with time as there is usually either only lip service to, or no provision for, adequate reliability or prevention. Think SCADA systems being connected not just to dial-up lines but actually to the internet so a company can save the cost of having "out of hours" occupancy in offices etc...

This makes the first world very, very vulnerable to this kind of attack, where it would have little effect on the third world. Therefore it makes no difference if it is a terrorist, a state-sponsored terrorist, a hired gun or a person paid from the public purse.

Or how about just a plain disgruntled employee?

9/11 was an example of turning "first world technology" against a "first world country". I fully expect this type of sideways thinking and attacks to carry on, as what incentive has a country or organisation got to not use these avenues of attack?

But was it original? No, a disgruntled employee of a courier company tried to get control of one of the company's aircraft and fly it into the company's buildings.

Essentially there ought to be some way of preventing "shareholder value" being used to increasingly weaken the infrastructure and make it more vulnerable to just about any oddball with a grudge.

AJ • June 4, 2007 9:14 AM

Most countries have at least 3 independent branches of the military, based on the theatre of operations they concentrate on: An Army for land war, Navy for war at sea and an Air Force for the air battles. I guess that's because there are fundamental differences between the ways that you wage such warfare. How long before we get Cyber Servicemen and women for war on the internet, and what will their ranks be named? Private, Seaman, Airman, Cyberman? (Dr Who would be appalled...)

Chris • June 4, 2007 10:22 AM

I would suggest the addition of Cyber Espionage for non declared hostilities.

Soccer comment • June 4, 2007 10:27 AM

It's to be hoped that the English Soccer team provide a denial of service defence of their goal this week in Estonia.

UNTER • June 4, 2007 12:11 PM

Collateral damage? Why repeat a term that is basically a dodge? The "collateral" damage is often the most significant damage - war is primarily economic, and has been for a century. If you get into a hot war, cyber or otherwise, that will last any length of time, your primary motivation is to disrupt the enemy's economy. That can only be done by targeting civilian installations, even if there's a cover of "military application".

Just ask Curtis LeMay.

ColoZ • June 4, 2007 12:47 PM

Assuming the attacks are truly coming from the Russian government, it doesn't neatly fit any of these categories. It is not war, since there are no other overt hostilities between the countries. It is not terrorism or simple crime if it's coming from a major government. I would suggest perhaps calling it cybersabotage, or the clunkier cyber-covert action.

Guillermo • June 4, 2007 1:59 PM

Regarding the "equities issue" definition you mention. While I agree with most of what you say, I think you're missing out on a very important topic. Open Source software, while in theory part of a community that gives and receives, can be used by any country as a way of hardening their defenses. Imagine basing all your infrastructure on a system where you are able to make as many modifications and vulnerability fixes as you need to make it more secure, while keeping all of these vulnerabilities to yourself in case of a cyberwar. No wonder many countries are starting to look into OSS for their infrastructure. I guess this is both a blessing and a curse for OSS.

-ac- • June 4, 2007 3:45 PM

Add planting sleepers in the A-V companies to release a devastating A-V update that disables the system (wasn't it the Chinese version of Symantec???)

Going right for the most concentrated trust points.

Eric • June 5, 2007 7:45 AM

Indeed this is nothing new at all as you quite rightly state. Winn Schwartau testified in front of congress in 1993 I believe, stating that state sponsored cyberwarfare was inevitable in the next 10 years or so.

Two weeks ago Winn gave a presentation at an ISC2 event on Information Warfare and completely stumped govt. participants when he revealed it was the exact same presentation he gave in 1993 - nothing had changed, and in fact matters had gotten far worse. The message - we need to start thinking ahead of the curve here as now that the Chinese and likely others clearly own many of our systems, we need to figure out what they want to mitigate against it.

...And just a quick word on blogging. The industry's first Blogger & Podcaster Magazine was released as an electronic and podcast publication last month. You can subscribe for free at www.bloggerandpodcaster.com

clausewitz • June 6, 2007 11:20 AM

I suggest a distinction be made between cyberwar and cybersabotage. "War" inevitably involves consideration of the actors involved - war is something involving state actors. By definition, a small group of radicals cannot engage in war, although they can commit acts of sabotage, terror, etc. One of the problems with the GWOT is precisely that it misuses the word "war" and thus obfuscates important distinctions of scale, motivation, etc. Useful for war-mongers, but politically very dangerous for just that reason. We make a distinction between a police force and an army; we should make a similar distinction when discussing cyberspace attacks.

X the Unknown • June 6, 2007 1:11 PM

@ColoZ : "It is not terrorism or simple crime if it's coming from a major government."

Perhaps this is true in the twisted definitions promulgated by the Bush administration. I, however, feel that "terrorism is terrorism", whether promulgated by a lone kook, subversive organization, or major government.

The fire-bombing of Tokyo and the destruction of Dresden were both terrorism, pure and simple. Their objective was to terrorize the populace (and it worked).

bob • August 24, 2007 6:45 AM

@X the Unknown: No. While they might have induced terror, the objective of those bombings was to cause the target country to lose their will to fight. And it did not do that any more than the Blitz caused Britain to drop out (with the possible exception of Kosovo, bombing per se has NEVER won a war.)

Those bombings did however cause them to lose their ABILITY to fight and in that fashion contributed to the successful (from the perspective of the people ordering the bombing) accomplishment of the objective.

Deb • November 1, 2007 11:17 AM

I found your comments helpful, as someone defaced my webpage, and this had never happened to me before. If someone has nothing better to do than attack a poetry site, they must have a pathetic life indeed.

nikhil vemuri • February 24, 2008 12:34 PM

yah it's really helpful for me to do a small project work in my college
