Cyberwar: Myth or Reality?

The biggest problems in discussing cyberwar are the definitions. The things most often described as cyberwar are really cyberterrorism, and the things most often described as cyberterrorism are more like cybercrime, cybervandalism or cyberhooliganism--or maybe cyberespionage.

At first glance there's nothing new about these terms except the "cyber" prefix. War, terrorism, crime and vandalism are old concepts. What's new is the domain; it's the same old stuff occurring in a new arena. But because cyberspace is different, there are differences worth considering.

Of course, the terms overlap. Although the goals are different, many tactics used by armies, terrorists and criminals are the same. Just as they use guns and bombs, they can use cyberattacks. And just as every shooting is not necessarily an act of war, every successful Internet attack, no matter how deadly, is not necessarily an act of cyberwar. A cyberattack that shuts down the power grid might be part of a cyberwar campaign, but it also might be an act of cyberterrorism, cybercrime or even--if done by some 14-year-old who doesn't really understand what he's doing--cyberhooliganism. Which it is depends on the attacker's motivations and the surrounding circumstances--just as in the real world.

For it to be cyberwar, it must first be war. In the 21st century, war will inevitably include cyberwar. Just as war moved into the air with the development of kites, balloons and aircraft, and into space with satellites and ballistic missiles, war will move into cyberspace with the development of specialized weapons, tactics and defenses.

I have no doubt that smarter and better-funded militaries are planning for cyberwar. They have Internet attack tools: denial-of-service tools; exploits that would allow military intelligence to penetrate military systems; viruses and worms similar to what we see now, but perhaps country- or network-specific; and Trojans that eavesdrop on networks, disrupt operations, or allow an attacker to penetrate other networks. I believe militaries know of vulnerabilities in operating systems, generic or custom military applications, and code to exploit those vulnerabilities. It would be irresponsible for them not to.

The most obvious attack is the disabling of large parts of the Internet, although in the absence of global war, I doubt a military would do so; the Internet is too useful an asset and too large a part of the world economy. More interesting is whether militaries would disable national pieces of it. For a surgical approach, we can imagine a cyberattack against a military headquarters, or networks handling logistical information.

Destruction is the last thing a military wants to accomplish with a communications network. A military only wants to shut down an enemy's network if it isn't acquiring useful information. The best thing is to infiltrate enemy computers and networks, spy on them, and surreptitiously disrupt select pieces of their communications when appropriate. The next best thing is to passively eavesdrop. After that, perform traffic analysis: analyze the characteristics of communications. Only if a military can't do any of this would it consider shutting the thing down. Or if, as sometimes but rarely happens, the benefits of completely denying the enemy the communications channel outweigh the advantages of eavesdropping on it.

Cyberwar is certainly not a myth. But you haven't seen it yet, despite the attacks on Estonia. Cyberwar is warfare in cyberspace. And warfare involves massive death and destruction. When you see it, you'll know it.

This is the second half of a point/counterpoint with Marcus Ranum; it appeared in the November issue of Information Security Magazine. Marcus's half is here.

I wrote a longer essay on cyberwar here.

Posted on November 12, 2007 at 7:38 AM • 22 Comments

Comments

Brandioch Conner • November 12, 2007 8:32 AM

The problem I have with concepts such as "CyberWar" is that the preparations make no sense in the conventional warfare sense.

Is your government (not the USofA) running Windows? Then wouldn't that be the same as trying to fight a battle against the people supplying your weapons?

Who knows what backdoors and such have been included for exactly such a contingency?

The FIRST step would be to get away from any code that your government has not vetted for itself. Whether that means your government writes its own (not a good security practice) or uses some Open Source option ... something has to be done.

And since we're talking about various forms of malware ... wouldn't there be some way to validate that a system is "clean"?

After all, the major anti-virus vendors didn't even recognize the Sony rootkit.

You would not declare war on the country that you buy your bullets from. You would learn to manufacture your OWN bullets first. Otherwise you know EXACTLY when you will lose that war.

Dave Smith • November 12, 2007 8:40 AM

You may wish to shut down a communications method if it would force your enemy to switch to a less secure/more useful form of communications, for example cutting telephone lines to cause more traffic on radio. You may be able to acquire useful info from the system, but you can get even more useful info from the other.

Rob • November 12, 2007 8:45 AM

Even a single perpetrator of cyberterrorism can be at war with the target, in his own mind. Whatever the definitions, the outcomes and pain caused to innocent civilians are real and the same.

What would be the point of cyberwar? Would it have its own goals, or be part of a larger conflict?

In the event of real cyberwar, the strategic goals become two-fold: maintain the ability to spy on the enemy(ies) and be best at it, while diminishing the effectiveness of their cyber foes in reciprocating.

In those terms, how are we doing? Perhaps certain critical infrastructure would qualify as low-hanging fruit and put us in a vulnerable position.

Clive Robinson • November 12, 2007 10:03 AM

@ Bruce,

"The biggest problems in discussing cyberwar are the definitions"

I suspect that the distinction is like that between conventional warfare (two or more armies etc) -v- economic warfare.

Most forms of Internet attack, irrespective of the entities committing it, are really economic attacks.

Conventional warfare involves physical objects and recognised combatants (supposedly) following internationally agreed conventions which protect the civilian community.

Terrorism also involves physical objects but unrecognised combatants, and they follow no international conventions and usually target civilians.

Economic warfare in general does not involve physical objects and tends to attack a country's money supply and business communities.

Likewise Cyber warfare tends to attack the money supply and businesses not physical objects.

Therefore I would count it as a subset of economic warfare.

monopole • November 12, 2007 10:04 AM

Spoofing is also an option. Selectively garbling comms, authenticating enemy units as friendly or generating decoy targets.

oldman • November 12, 2007 10:17 AM

The problem with the military is that they are always fighting the next war with the methods of the previous war. In the last war the Americans fought, "surgical" strikes were the most used successful option. So you can expect them to bomb the next country also into the stone age, not do a cyber attack.

Cyber war is more of a cold war. No real victims; the truth is the first to die.

Gomez • November 12, 2007 12:19 PM

How do you define and explain cyberfoobarbazism if your starting assumption is that we are (and have been for some time) in an Orwellian state of perpetual war? (Economically at least I'd say this is clear and present.)

I rather suspect that the spectre of cybercrime is much like the spectre of terrorism -- smoke and mirrors with a handful of nutters and amateurs providing a little energy.

Mark • November 12, 2007 1:58 PM

Hypothetically speaking, I would imagine that if _every_single_copy_ of (say) Windows in hypothetical country X was to simultaneously corrupt critical parts of its filesystem beyond recovery, zero its master boot record, and then reboot, it would cause absolute chaos, for both civilian and COTS-based military infrastructure.

And if a large-scale military attack was launched on country X at the same time, I would imagine that country X's response to that attack would be very much degraded...

Mark • November 12, 2007 2:01 PM

...or, come to think of it, contrariwise, if this same thing was to happen to country X at the moment that it was about to launch, or in the middle of launching, a military attack on country Y.

Jojo • November 12, 2007 3:44 PM

This is like the 7th time today that this story has appeared in my RSS feeds. What is going on? I either saw it the 1st time or chose to ignore it. Why does it keep showing up? MSNBC does this with their feeds and it is very annoying.

Anonymous • November 12, 2007 3:54 PM

@Brandioch Conner

The problems of foreign supplied weapons are well known. Most countries can't afford to make a full range themselves, but if they find themselves at war with their supplier they often find a backdoor of some kind has already been installed. I guess this just means that nobody plans to go to cyberwar with the USofA.

@Bruce

It seems to me that cyberwar as you describe it is very old hat. Communications attacks (e.g. through selling dud encryption devices) have been done for ages. During the last Iraq war, there were definitely reports of messages sent to commanders asking them to surrender or defect. I read that an explosion of a Siberian pipeline was caused by planted bad software (an example of Cyber-Cold-War?).

Surely there are more interesting ideas. How about using zombie computers for targeting? Keep pinging a host; if it stays up you know you haven't yet destroyed the building it's in. Maybe the real aim of the Storm worm is targeting? Have three or more computers with known locations surrounding a target, use their speakers to triangulate the landing of your shells. Identify the locations of enemy forces with the sounds of their engines by downloading sound recognition software to your botnet. Email urgent software patches for reactor software...

Filias Cupio • November 12, 2007 6:45 PM

Bruce:

How does this point/counterpoint work? Do you just naturally happen to disagree with Mr Ranum on everything? Do you agree to take different sides on some issue, so that what you write is not necessarily a reflection of your own opinions? Do you sometimes just end up with a 'debate' where you're both saying much the same thing?

(I didn't notice a whole lot of disagreeing in the latest pair of essays.)

Bruce Schneier • November 12, 2007 8:14 PM

@Filias Cupio:

We try to find topics where there's disagreement. It can be hard sometimes; there are lots of things where we mostly agree and only disagree around the margins. That's why you're seeing a lot of agreement in the most recent essays; we've pretty much run out of major topics where we disagree.

We could deliberately take contrary positions, but we don't do that. Both of us write what we actually think and believe.

Anonymous • November 13, 2007 6:30 AM

@Brandioch
"..trying to fight a battle against the people supplying your weapons".

This is a recurrent theme in real wars.
During the various naval wars with Spain and France in the 18th century, captains preferred to command captured French and Spanish ships as they were considered superior to the English ships.

All sides in World War I used some version or other of the Maxim gun, designed by an American with British funding and licensed to arms manufacturers throughout Europe.

Again in WWII both the British and Germans used Bofors and Oerlikon guns supplied by or licensed from neutral Sweden and Switzerland. Many Japanese aircraft, including the "Zero", and quite a few German bombers used engines derived from the British Bristol Jupiter engine.

Later in the Falklands war the British were up against an Argentinian navy equipped with the same (slightly older design) Type 42 destroyers.

Supplying vital equipment to (or sourcing from) your enemies is much more common than you would think.

-ac- • November 13, 2007 8:18 AM

A good point to follow up is:
Does your organization have trained people to respond to a real cyberattack? Are you really prepared to respond?
When your over-subscribed out-sourced IT/security service is trying to handle attacks on multiple customers will you be able to mount any response at all?

Sun Tzu • November 13, 2007 12:04 PM

"Destruction is the last thing a military wants to accomplish with a communications network."

There you go, thinking like a cryptanalyst thinking like a military strategist again...

Cyberbuddy Cyberpal • November 13, 2007 3:56 PM

I vote to banish the "cyber-" prefix. It only obscures what is usually meant. There are perfectly good English terms that can be used to precisely state the problems. Let's stop trying to create new ones.

Anonymous • November 13, 2007 5:04 PM

@ Bruce's statement: Destruction is the last thing a military wants to accomplish with a communications network.

To add to this, some communications systems may be vital to the opponent's surrender process, to tell their forces to lay down arms. Destruction of certain systems may actually prolong a conflict as soldiers who didn't get the word fight on. Are they going to believe their enemy's word that their own leaders have agreed to a cessation of fighting or to a surrender?

The Battle of New Orleans was a good example of a battle that was needless, having taken place after Britain and the United States had signed the Treaty of Ghent. But the word of the treaty did not arrive in time.

Today, it is not the intrinsic slowness of communications that's a factor. But disrupted networks could be a factor.

Valdo • November 15, 2007 5:44 AM

Well, if a bunch of aircraft are bombing a neighbouring capital, then I guess it's considered an act of war, isn't it? You don't need to wait for infantry to march over the borders to say it's a war. The question with so-called cyberwar is whether we need to wait for any usual military action (like airstrikes etc.) to take place before we can call it a war, or is a big nation-wide cyberattack enough?

Wesley Parish • November 16, 2007 4:32 AM

Warfare has two functions - firstly, to deny territory to an enemy; secondly, to destroy said enemy. These two functions cover both defense and offense, and likewise the several services.

Anything that doesn't do either of those two functions acts as an auxiliary, and it is a stretch to term it "warfare", if not an abuse of the term intended to obfuscate.

So, "cyberwar"? If someone denies a valuable resource - communications - to an enemy, that is auxiliary to the function of denying territory. It doesn't destroy per se, unless - as in the aforementioned Siberian gas pipeline - it is intended as sabotage. Alternatively, using a compromised network to "fix" the data you want your enemy to have ... very easy if your enemy has "pre-fixed" their data already a la the Iraqi WMD dossier ...

Nearly all the possibilities of "cyberwar" fall firmly within the areas of reconnaissance, intelligence, sabotage, and propaganda. We should keep in mind Linebarger's dictum - in his magnum opus "Psychological Warfare" - that the most effective propaganda is that which presents itself - unconsciously - as indifferent, as third-party as possible.

(Propaganda's role in the two functions theory mentioned above, is to demoralize the enemy, rendering him unwilling to engage in warfare, or to continue it.)

My 0.02c - no longer legal tender in NZ, but that's life ....

NotMyName • December 13, 2007 2:39 AM

"You would not declare war on the country that you buy your bullets from. You would learn to manufacture your OWN bullets first. Otherwise you know EXACTLY when you will lose that war."

As has already been pointed out, with older, "dumb" weapons that never mattered. But I get your point. It's valid and I think I have a twenty-five-year-old example. When Argentina occupied the Falkland/Malvinas Islands, the British raided them with one Vulcan bomber at a time (because that's as many as they could refuel enough times at one go to make the trip from England).

One of the Argentinian fire-control radars detected the British bomber and was promptly shut down in classic electronic warfare style. If I remember correctly, this one had been purchased from Germany. Another SAM was of the same type used by the British. It never detected any British aircraft at all. Funny, that . . . .

Spy Guy • December 28, 2007 9:45 PM

I saw the former chief strategist of Netscape at the SECTOR conference and he presented on the cyber war threat. I had worked with Kevin Coleman before, but his presentation really impacted me. His inventory of cyber weapons included DEWs, TEDs, and self-morphing/self-encrypting malicious code. We are in serious trouble. Hackers of the world should unite and hit any country that launches a cyber attack!
