Schneier on Security
A blog covering security and security technology.
« Preparing for Cyberwar |
| Googling Justice Scalia »
May 1, 2009
Yet Another New York Times Cyberwar Article
It's the season, I guess:
The United States has no clear military policy about how the nation might respond to a cyberattack on its communications, financial or power networks, a panel of scientists and policy advisers warned Wednesday, and the country needs to clarify both its offensive capabilities and how it would respond to such attacks.
The report, based on a three-year study by a panel assembled by the National Academy of Sciences, is the first major effort to look at the military use of computer technologies as weapons. The potential use of such technologies offensively has been widely discussed in recent years, and disruptions of communications systems and Web sites have become a standard occurrence in both political and military conflicts since 2000.
Here's the report summary, which I have not read yet.
I was particularly disturbed by the last paragraph of the newspaper article:
Introducing the possibility of a nuclear response to a catastrophic cyberattack would be expected to serve the same purpose.
Nuclear war is not a suitable response to a cyberattack.
Posted on May 1, 2009 at 10:46 AM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Well, if you have some nuclear weapons, everything looks like a potential target.
"Nuclear war is not a suitable response to a cyberattack."
Gee, not even surgical countercyberstrike using a W54 SADM http://en.wikipedia.org/wiki/... (dialed all the way down for a mere ten ton yield, of course) set off deep within the cyberpunk's cyberwar cyberbunker seconds before the final wave of a devastating strategic cyberterror cyberattack? Wait. or was that a movie...?
In November 2007, Bruce said: "Cyberwar is certainly not a myth. But you haven't seen it yet, despite the attacks on Estonia. Cyberwar is warfare in cyberspace. And warfare involves massive death and destruction. When you see it, you'll know it." at http://www.schneier.com/essay-201.html
Today, Bruce said: "Nuclear war is not a suitable response to a cyberattack."
In practice I would agree. However, as much as I don't like it, in an age of nuclear weapons, and as we approach an age where cyberwar may be a reality, Mutually Assured Destruction (MAD) may not be a bad deterent, provided we define cyberwar in the terms Bruce did.
I believe that if someone considering cyberwar by Bruce's definition, that would result in massive death, knowing that causing massive death and destruction would be responded to in kind, may be appropriately deterred.
Of course, if the definition of cyberwar is too broad (i.e., includes anything less than Bruce's definition of massive death and destruction), then nuclear would be an unconscienable reaction.
Mutually Assured Destruction is a scary thought, but it is what keeps both sides in check. The difference, however, is that while everyone has a pretty good idea of what constitutes a nuclear war, a cyberwar is misunderstood.
Nulear holocaust isn't the answer. We can take out large portions of a national infrastructure with an EMF weapon instead. Fewer causualties, territory remains usable, but it constitutes response in kind. In other words, you mess with my network, I'll destroy yours...
Still mutual destruction, but only for technology and related services. The target country will likely experience economic collapse, collapse of critical services, etc., but these are recoverable.
So instead of figuring out how to minimize causualties from dropping a thermonuclear device on a country because it's government brought down our infrastructure, we might want to work on less globally destructive methods of retaliation.
> Mutually Assured Destruction is a scary thought,
> but it is what keeps both sides in check.
It might work when there are two sides, but what about when there are 10 or 20 shifting alliances?
Cyberwar is screwing in some other persons playground. Yes your bank might be down for some time. Yes you may have to cook over open fire for a week. But isn't it time to un-attach from these silly values (money)?
Defacing/DDOS'ing the white house? Oh well, fix it, learn and move on.
Real actual war with a significant number of people dying and countless atrocities being committed is not comparable. And no, I don't think Joe the Plumber being without his job for some time compares. It only leads me to believe that present day people are pretty pathetic when they can't function without enormous amounts of "guidance".
If you know the US is prepared to possibly respond with a nuclear option, that is a deterrent for a rational adversary. When was the last time we had one of those? The Soviet Union maybe? Some people may actually want to provoke a US nuclear strike. There are some really F***** people in the world, and some of them are in charge of countries. Nukes are useless for almost every realistic military scenario I think. A more appropriate response would be to target the information technology capabilities of the country in question.
The concept of nukes as a response to cyberwarfare is chilling. Considering todays multi-layered TOR style networks, darknets, proxies, and rooted machines...how sure can you be you are hitting the right target?
I know if I was to launch an attack expecting a nuke to be lobbed as a response, I'd be sure that attack was sourced at a convenient country halfway across the globe.
The appropriate response to a given attack (no matter what the mode) is dependent on how much you know about the enemy, what the enemy's other capabilities are, what your capabilities are, etc, etc.
In some circumstances (i.e. a cyber attack that leaves millions dead somehow), that you know who did it, a nuclear strike may well be the right response. Especially if the 'enemy' has declared war and has nuclear weapons of his own.
Saying 'never' is never appropriate. I find it hard to imagine a circumstance where it would be appropriate, but there probably are some, and you can't rule anything out.
Er, the only "EMF weapon" we really have available right now actually is a nuclear strike. Anything smaller is currently wishful thinking, though probably achievable. My guess is that a realistic "cyber-war" strategy won't rule out using nukes (and the more strategically effective _threat_ of nukes) as a defensive element.
I have a pretty active imagination, and I can't really imagine a cyberattack much more devastating than a bunch of teenagers named Anonymous driving people insane when they should be doing homework, or a few gold digging idiots getting together and coordinating a confidence scam on myspace.
Preparedness for any sort of information warfare doesn't seem much more complicated than practicing good data hygiene, same as it ever has been. Do we really need to worry about counterstrike capabilities? Nuclear options? WTF?
There is no functional difference between decapitation and dismemberment.
All other things being equal, the consequences of assassinating the president, bombing CIA headquarters, etc. should be no different than breaking the defense/intelligence infrastructure.
@Rich: "It might work when there are two sides, but what about when there are 10 or 20 shifting alliances?"
It gets messy, and sometimes may not work. But no matter how many there are, for one side to know they can cause massive death and destruction without consequence provides no deterrent.
I'm not saying I like MAD, I don't. I'm just saying that I think the odds of the "massive death" scenario are far reduced when there is deterent, and MAD does that to an extent.
No it isn't the season - it's feeding time. Someone is getting ready for funding for a project.
This is so used and old that it isn't even funny - This is how Ben Franklin use do make public policy - first publish, get public opinion going and they bring in your proposal, only he was generally on the right side of the issues.
I don't expect anything good out of NYT.
I think this [http://esr.ibiblio.org/?p=906] is unlikely, but any sort of massive attack (not a pinprick like 9-11) on the U.S. could do it; I think it could be more likely than a nuclear response.
The effectiveness of MAD is based on the certainty of symmetric results; *Mutually Assured* Destruction. A debilitating(+) nuclear attack at this time still requires the resources of a nation and the intent of a government, and can't be made anonymously. Not so "cyber-attacks".
(+)The loss of a US city or two to privately built, "hand delivered" nukes, would be horrific, but not incapacitating.)
For MAD to be effective, three things must be true (1.) Both parties must believe with minimal doubt that an attack will result in an equivalent response. (2.) Both parties must stand to lose the same percentage of their resources. (3.) Both parties must believe there is a sufficient time lag between the knowledge of an attack being made and the effects of the attack for the response-in-kind to be launched. (Potential reduction of this lag to less than our response interval caused the Cuban missile crisis)
Mention of nukes is inappropriate as a deterrent to cyber-attacks because (1.) It is not necessary for cyber-attackers to actually BE anonymous to render MAD ineffective, only for them to *think* they are anonymous, (2.) A cyber-attack can be made by entities without territory, infrastructure, and population to lose, and (3.) True or not, cyber-attackers may think we will be incapacitated before a response can be made. These are the same three reasons nukes in the hands of non-governmental radicals is so problematic.
Anyone who would consider a nuclear response to a cyber-attack doesn't understand the game-theory behind MAD.
The magnitude of injury cased by an offensive attack, and the ability to limit our response to "tactical" levels are irrelevant if the identity of the attacker and the correct target for the response are even slightly in question. Even if it was possible that a cyber-attack caused nuclear-weapon scale destruction, uncertainty of the source should be enough to take a nuclear response off the table.
Nuclear weapons are scary. A nuclear armed nation that doesn't understand the fundamentals of MAD is truly puckering.
Given the difficulty of tracing the actual source of many types of cyber-attacks, a policy of nuclear response sounds more like an invitation for a Joe job than a deterrent.
if you're going to be really pro-active about crippling your enemy, then you're going to try to take them off-line before you do anything else.
as someone else may have mentioned, determining conclusively that the aggressor was a specific nation and not a terrorist act (at the broadest definition) by a ngo, would be challenging.
no immediately verifiable aggressor = no large-scale retaliation.
> I was particularly disturbed by the last paragraph of the newspaper article:
> "Introducing the possibility of a nuclear response to a catastrophic cyberattack would be expected to serve the same purpose."
> Nuclear war is not a suitable response to a cyberattack.
Indeed, and the Pentagon seems to agree with you. This suggestion was made by the journalist. The various anonymous officials who responded all said, essentially, that they weren't in a position to define Administration policy but thought this would be a really bad idea.
Despite these denials, the journalist then reiterates the idea in the closing paragraph, presumably so as to end on a "controversial note". It worked, despite the fact that the Pentagon actually agreed with all the posters who are now criticising them.
When our cyberattack against the Russian natural gas pipeline burned those Russian engineers alive, did they respond with a nuclear attack?
Nope, several million different viruses, maybe, nukes, no.
@wkwillis: "When our cyberattack against the Russian natural gas pipeline burned those Russian engineers alive, did they respond with a nuclear attack?
Nope, several million different viruses, maybe, nukes, no."
As tragic as that was for the engineers, that was not widespread death, so responding with nukes would have been completely inappropriate, so we have no disagreement there.
I think one of the difficult things about defining "cyberwar" is that many people in the conversation define it differently. Many don't disagree as much as they think if they were talking about the same definition, and not the same word.
That's why "nuclear" is usually agreed to, is most people have a consistent definition of it.
I subscribe to Bruces definition of cyberwar, which is widespread, massive death. This is different from cyberterrorist, cyberattacks, cyberstrikes, etc. I consider the russian pipeline attack a cyberstrike or cyberattack, but not cyberwar.
Are we talking about the pipeline explosion caused by booby-trapped software that the russians thought they stole from the west? That's not a cyber-anything, it was just really bad judgment by the Russians.
Furthermore, there doesn't seem to have been any casualties., althought that may just be bad info as a way for the Russians to save face.
Now, We can say that Nuclear war is not a suitable response to a cyberattack. But in future, it may be that cyber crime is the most responsible for nuclear attack.
Cyber war or attack can broadly be defined as criminal activity involving an information technology infrastructure, including illegal access, illegal interception, data interface, system interface etc. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.
I was at the 2009 AFCEA cyber symposium, ended up sitting in on the breakout group where we were addressing "redlines" and response, and the overall feeling was that a "kinetic response" of a scale to "deter future attacks" was called for.
I'm actually in the process of putting my thoughts down on much of this, and will provide a link to them soon, but to say that all parties there with the exception of myself and a few university students who were granted permission to attend due to connection with the Nebraska University Consortium on Information Assurance, seemed in support of this decision is a MASSIVE understatement.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.