Cyberwarfare Policy

National Journal has an excellent article on cyberwar policy. I agree with the author's comments on The Atlantic blog:

Would the United States ever use a more devastating weapon, perhaps shutting off the lights in an adversary nation? The answer is, almost certainly no, not unless America were attacked first.

To understand why, forget about the cyber dimension for a moment. Imagine that some foreign military had flown over a power substation and Brazil and dropped a bomb on it, depriving electricity to millions of people, as well as the places they work, the hospitals they visit, and the transportation they use. If there were no official armed conflict between Brazil and its attacker, the bombing would be illegal under international law. That's a pretty basic test. But even if there were a declared war, or a recognized state of hostilities, knocking out vital electricity to millions of citizens--who presumably are not soldiers in the fight--would fail a number of other basic requirements of the laws of armed conflict. For starters, it could be considered disproportionate, particularly if Brazil hadn't launched any similar sized offensive on its adversary. Shutting off electricity to whole cities can effectively paralyze them. And the bombing would clearly target non-combatants. The government uses electricity, yes, but so does the entire civilian population.

Now add the cyber dimension. If the effect of a hacker taking down the power grid is the same as a bomber--that is, knocking out electrical power--then the same rules apply. That essentially was the conclusion of a National Academies of Sciences report in April. The authors write, "During acknowledged armed conflict (notably when kinetic and other means are also being used against the same target nation), cyber attack is governed by all the standard law of armed conflict. ...If the effects of a kinetic attack are such that the attack would be ruled out on such grounds, a cyber attack that would cause similar effects would also be ruled out."

[...]

According to a report in The Guardian, military planners refrained from launching a broad cyber attack against Serbia during the Kosovo conflict for fear of committing war crimes. The Pentagon theoretically had the power to "bring Serbia's financial systems to a halt" and to go after the personal accounts of Slobodan Milosevic, the newspaper reported. But when the NATO-led bombing campaign was in full force, the Defense Department's general counsel issued guidance on cyber war that said the law of (traditional) war applied.

The military ran into this same dilemma four years later, during preparations to invade Iraq in 2003. Planners considered whether to launch a massive attack on the Iraqi financial system in advance of the conventional strike. But they stopped short when they realized that the same networks used by Iraqi banks were also used by banks in France. Releasing a vicious computer virus into the system could potentially harm America's allies. Some planners also worried that the contagion could spread to the United States. It could have been the cyber equivalent of nuclear fallout.

A 240-page Rand study by Martin Libicki -- "Cyberdefense and Cyberwar" -- came to the same conclusion:

Predicting what an attack can do requires knowing how the system and its operators will respond to signs of dysfunction and knowing the behavior of processes and systems associated with the system being attacked. Even then, cyberwar operations neither directly harm individuals nor destroy equipment (albeit with some exceptions). At best, these operations can confuse and frustrate operators of military systems, and then only temporarily. Thus, cyberwar can only be a support function for other elements of warfare, for instance, in disarming the enemy.

Commenting on the Rand report:

The report backs its findings by measuring probable outcomes to cyberattacks and determining that the results are too scattered to carry out accurate predictions. This is coupled with the problem of countering an attack. It is difficult to determine who conducted a specific cyberattack so any counter strikes or retaliations could backfire. Rather than going on the offensive, the United States should pursue diplomacy and attempt to find and prosecute the cybercriminals involved in an initial strike.

Libicki said that the military can attempt a cyberattack for a specific combat operation, but it would be a guessing game when trying to gauge the operation's success since any result from the cyberattack would be unclear.

Instead the Rand report suggests the government invest in bolstering military networks, which as we know, have the same vulnerabilities as civilian networks.

I wrote about cyberwar back in 2005.

Posted on December 1, 2009 at 6:59 AM • 69 Comments

Comments

WinterDecember 1, 2009 7:37 AM

"Rather than going on the offensive, the United States should pursue diplomacy and attempt to find and prosecute the cybercriminals involved in an initial strike."

I seem to be somewhat off on USA politics.

Why do the US policy makers need a think tank to point out the positive aspects of trying diplomacy before the armed forces?

The same about the humanitarian aspects surrounding the destruction of the civil infrastructure of other countries?

The USA have ample experience with the aftermaths of their Iraqi invasion that completely demolished the civil infrastructure: It caused well over 100,000 extra deaths.

Have the US media reported really *nothing* about the plight of the Iraqi people?

Winter

djnDecember 1, 2009 7:56 AM

Maybe I'm just nitpicking, but I remember that some years ago a big power went about bombing Yugoslavia - explicitly and in plain sight targeting power stations...

Evil TrevDecember 1, 2009 7:57 AM

Massive fail, in the event of hostilities between two countries we would see many attacks, not from proper authorized sources but, as with most viruses and malware, from individuals and small groups acting independently of oversight.

Ordinary citizens cannot take part in traditional 'guns 'n' bombs' warfare but there are enough with the ability to attempt to use 'cyber' means.


Thus we (UK, usa, even China) need to prepare a sensible, effective and comprehensive 'cyber' defense system anyway.

There is not even a single reason to suppose that we do not need to protect our most vital systems, it would be dumb not to, unless your a politican.

Offended dumb personDecember 1, 2009 8:31 AM

@ Evil Trev

Why would it be dumb for all but politicians? Are you just saying that since they are already dumb, that doing this would be seen as signs of intelligence?

wiredogDecember 1, 2009 8:34 AM

@djn
From The Article:
If there were no official armed conflict ... , the bombing would be illegal under international law.

In the case of Yugoslavia there was an official armed conflict, under UN auspices even. So it was legal. Infrastructure (and headquarters) are perfectly legal targets in wartime. You gotta be careful of collateral damage, but as logn as a good faith effort is made to minimize it you're OK, legally.

Note that legal is not synonymous with moral.

FPDecember 1, 2009 8:36 AM

In a war, these noble sentiments are always the first to go out the window. In WW2, the British firebombed German cities, and the US nuked Japan, with huge civilian casualties, rationalized by the minimal effect on military production.

I can understand that a government wants to avoid their cyberweapons to backfire. But I believe that if the US had found a way to surgically limit their strike at the Iraqi financial markets, they would not have hesitated.

Annie NomousDecember 1, 2009 8:40 AM

"But even if there were a declared war, or a recognized state of hostilities, knocking out vital electricity to millions of citizens--who presumably are not soldiers in the fight--would fail a number of other basic requirements of the laws of armed conflict."

What alien race are these authors writing about? No, we humans never blow the hell out of a country's infrastructure, or blockade a region and starve the inhabitants, or level an entire city before breakfast.

Matt from CTDecember 1, 2009 8:48 AM

>Have the US media reported really
>*nothing* about the plight of the Iraqi
>people?

Yes.

That's one of the (less stated) reasons for the 2002 invasion in the first place -- the humanitarian suffering caused by a dysfunctional sanction regime that was in place trying to limit Iraq's threat to the region after the first, more limited war to remove them from Kuwait. Saddam Hussein's government proved themselves quite comfortable allowing their own citizens to suffer so they could divert money from what "humanitarian" sales were allowed under the sanction system.

Back on the main topic, I would think any cyber attacks need to be weighed particularly carefully since the computer systems would probably be more beneficial up-and-running for intelligence and clandestine operations support.

kangarooDecember 1, 2009 8:57 AM

I've got to agree with the other posters -- the Laws of War never stopped anyone. Cyberwar would be particularly easy to evade the Laws of War -- the prosecutors would have a hell of a time proving the connection ("It was just some teenage hackers!")

No, what limits cyberwar is the simple fact that your own economic system would be knocked out as well. Isn't it obvious why no developed country since WWII has been involved in an old-fashioned war, instead using proxies in rural regions, or nations outside of the global economic system?

Full out war is impossible unless you're willing to basically nuke your own cities. We did learn from WWII -- the only folks who won that war where the folks who were far from the action. 'Cept that not even oceans can protect you anymore.

Why do military planners and think tanks spend so much time making up bullshit reasons to not do what is undoable because it's a suicide pact? Just kindergarten level propaganda for the brain-dead -- as if the hoi-polloi even knew about these discussions.

HJohnDecember 1, 2009 9:00 AM

@Winter: "Have the US media reported really *nothing* about the plight of the Iraqi people?"
________

They've reported quite a bit, almost to the point of exageration. What it has downplayed is our humanitarian efforts there, building hospitals and schools, and infratrusture, etc.

The world media reported virtually nothing about the plight of the Iraqi people under Saddam. The New York Times, to its credit, in late 2002, reported of the at least 1.1 million Iraqi's murdered by Saddam. The world didn't seem to much care about that.

That said, of course diplomacy should be used before war, and it was tried with Hussein. Reasonable people can differ as to whether the war was a mistake, and put me on the side that, in retrospect, believe it was a mistake. But it is incorrect to asert that diplomacy wasn't tried with Iraq under Saddam.

To relate your comments and my response to cyberwar, like any war, civilians get hurt so it should be used only if no other better option exists. I think we can all agree on that. It may be disagreed upon where to draw that line, but we all agree there is a line.

Cyberwar is a problematic term because people use it differently. Everyone agrees what nuclear war is, but there is less of a consensus on what cyberwar means--some would classify defacing a government web page as cyberwar, when it is not. Cyberwar would result in massive death and destruction, not massive mischief. Tragically, as with nuclear war, a stated intent to respond in kind may be the only viable deterent--not because we should want to cut off electricity, for example, to an enemy nation, but because we want to deter others from doing it.

Rob LewisDecember 1, 2009 9:00 AM

In terms of National Security, some folks might think “no one wins at defense”. If offensive domination is not a sure thing, or can't be used legally or morally, why not shore up critical puncture points in the grid to trusted status in order to provide a “last man standing” stance in mission assurance and resilience in the case of a cyber shoot-out?

DavidDecember 1, 2009 9:07 AM

@FP: Note that both the British and US went into WWII intending to avoid massive civilian bombing. The slide to trying to maximize damage to the enemy regardless of civilian deaths was slow and reluctant but distinctly one-way. In a less desperate war, it wouldn't have happened. The USAF has done a very good job of bombing without killing civilians since WWII, partly because of better technology, partly because it's been facing lesser resistance, partly because it isn't necessary to go to those lengths.

I don't think there would have been any scruples about attacking the Iraqi financial system in a precise strike, although the US authorities might have been reluctant to reveal their capabilities.

@Evil Trev: The ability of random civilians to sit safely in their mothers' basements and cyber-attack an enemy may or may not be important, but the ability to blame cyber-attacks on such civilians could be very useful. Major powers have been using proxies to do things while maintaining plausible deniability for millenia, probably, and in this case it's possible for a covert military organization to pretend to be proxies without much fear of detection.

Carlo GrazianiDecember 1, 2009 9:26 AM

I agree with the commenters who point out that the "Laws of War" comprise a sufficiently flexible and interpretable body of ideas as to supply no effective constraint on the actions of nations in wartime, especially large, powerful nations that are only accountable to themselves. Pretending otherwise is silly.

As djb points out, Serbian power stations and other civilian infrastructure were explicitly targeted by NATO during the Kosovo conflict. The point was to send Milosevic the message that failure to capitulate would result in the loss of the government's ability to provide essential services, depriving it of the ability to maintain normalcy in the central homeland whilst orchestrating wars in neighboring states and provinces against rival ethnicities. The implicit threat to Milosevic's grip on power was clearly received and understood, and the campaign succeeded in its objective. While I wouldn't expect people who are more sympathetic than I to the Serb/Slav side of the conflict to agree that the objective was worthwhile or even just, I think that given that objective most people who don't deprecate war as a tool of statecraft would agree that this was a measured and successful application of state power.

So measuring how "cyberwarfare" might be constrained in wartime by "Laws of War" is by extension also silly. The more sensible limitations seem to me to stem from the "own-goal" risks of releasing a virus which then propagates back to one's own civilian networks (which is also the risk terrorists would run, in reverse, if they decided to release a deadly biological agent, btw.)

Martin SchröderDecember 1, 2009 9:37 AM

@HJohn: Please do some research, e.g. read some Chomsky. The US SecState Albright at that time said publically that half a million dead iraqi children (which she was partly responsible for because of the emargo) would be a price she'd been willing to take for Husseins fall. Humanitarian efforts, indeed.

HJohnDecember 1, 2009 9:52 AM

@Martin Schoder

Chomsky? There is an impartial source. *rolls eyes*

I'm not quite sure Albright's comments have to do with the schools and hospitals being built after she was gone.

Clive RobinsonDecember 1, 2009 10:31 AM

@ HJohn, Martin Schröder,

I'm not going to take sides on the issue.

The simple fact is what was done to a sovereign nation was illegal, there was no legal justification at all.

After looking at the (suppopsed) facts it could be reasonably argued that Sadam was a civilising and stabalising force in the area.

I'm not going to support any of the arguments, I'm just pointing out it was a very very complex situation in that part of the world, and how you view it makes a very big difference to your view point.

But in all honesty even though I belive it is a legitimate security discussion I don't belive it's germain to the subject at hand.

HJohnDecember 1, 2009 11:02 AM

@Clive Robinson: "But in all honesty even though I belive it is a legitimate security discussion I don't belive it's germain to the subject at hand."
_________

I agree with that.

Jim ADecember 1, 2009 11:12 AM

I'm going to agree with David on this one. Never forget that it is the victors that convene warcrimes tribunals. The nature of war is that people will usually do WHATEVER they think is required for victory. "law of war" considerations may serve to limit what people are willing to do IF they perceive that outcome doesn't depend upon them. But if people think that an action is will make the difference between victory and defeat, they will rarely be slowed by legal considerations.

BetterIdeaDecember 1, 2009 11:17 AM

The concept of "disproportionate force" is ridiculous. If somebody attacks you you want to use disproportionate force - you almost have to in order to win and have any sort of assurance that you won't be attacked again.

Brandioch ConnerDecember 1, 2009 11:38 AM

Just pray to whatever god you follow that they never learn how to make "backups" or keep "off line spares" or even how to keep their critical systems off the "web".

They'd be able to attack us with impunity.

And I for one hate being attacked with impunity.

Clive RobinsonDecember 1, 2009 11:44 AM

@ Bruce,

The problem with these reports is they fail to realise that there is a very real difference between the "tangable" (real physical) and "intangable" (information) worlds.

The tangable world has tangable constraints the intangable world is not subject to those tangable constraints.

For instance weapons. In the tangable world these have very significant costs over and above the design costs. In the intangable world the weapons are information that only has development costs to the attacker (the costs of copying the information and running it as a program on physical equipment falls on the victim of the attack).

This has knock on effects in that you don't realy have any intel about your enemy as there are no knew production plants divertion of resources and manpower etc to give warning.

The other problem about information is it is a zero cost force multiplier for the attacker. A single person can design an information weapon that could in theory bring down the communications of all of the countries in the world. This is possible because there are so few manufactures of equipment.

Another difference between the tangable and intangable worlds.

Natural processess tend to follow the "bell curve" or equivalent. This means that you can concentrate your forces against the most probable forms of attack.

This works for two reasons basicaly the extreams of the bell curve are to expensive for both the attacker and the defender (think about stealth technology for this). That is the cost of making a weapons technology is way way over the cost of the damage it can do (think of cost of stealth bomber and the cost of the conventional munitions it carries). Likewise for the defender the cost of defending against such technology is extreamly expensive. Therefore such systems are only of use between equal partners. There is no point using stealth against anything except a very high value target which is of significant importance to the defenders. That means that stealth is effectivly usless against hill tribesmen etc armed with the appropriate hand held missiles or heavy machine guns and dispersed in tiny groups over large areas.

The intangable world does not have a bell curve to help the defender. Infact the real problem indicates that whatever point gives minimum cost to the attacker is likly to be maximum cost to the defender.

This is slightly similar to the force multiplier effect of the sniper. The information that there is a sniper in the area is conveyed by the defenders the effect it has on the defenders resources is totaly disproportianate to the resources of the sniper.

The other diference between the tangable and intangable world is there is no physical distance involved so all intangable weapons are standoff weapons...

The "laws" of the physical world don't apply, trying to make them do so is not productive.

FoobarDecember 1, 2009 11:46 AM

One problem is identifying the attacker - the attack is taking place on the net, not IRL, there are no uniforms or logotypes on IP Adresses. And setting up a proxy function, using TOR - or breaking into someones box and continuing from there isnt impossible.

And even IF an attacker is identified as being from country X, is it a sanctioned attack or is it yet another student hacker wannabe with too much time on his/her hands?

HJohnDecember 1, 2009 11:55 AM

This is one reason that computer security can be a national security issue.

Another wild card thrown into the mix is outsourcing to foreign nations, which can further weaken security. (Not saying it always does, but it can add a dimension.)

Had atomic bombs not went off in Japan in the 40s, we'd be talking in theory about nuclear weapons. Likewise, we may not know the full ramifications of cyberwar until it actually happens, and I for one pray it doesn't. Ever.

Brandioch ConnerDecember 1, 2009 12:05 PM

@HJohn
"Likewise, we may not know the full ramifications of cyberwar until it actually happens, and I for one pray it doesn't. Ever."

I'm not seeing the problem here.

Exactly what could an attacker do that cannot be mitigated through simple backups and off-line spares?

And that's even with the presumption that critical systems would even be remotely accessible.

HJohnDecember 1, 2009 12:11 PM

@Brandioch Conner at December 1, 2009 12:05 PM

Attacks have been known to have a great deal of ingenuity.

I have an acquaintance who dealt with an attack on an institution where the attacker corrupted the backup rotation 6 months prior to the attack. Obviously, the entity should have tested their backups periodically. None the less, the perpetrator found a way, primarily due to carelessness.

I agree with you, we are not defenseless against cyberwar. I just hope our guard is never let down and we are caught with our pants down, so to speak.

PackagedBlueDecember 1, 2009 12:28 PM

An important subject to bring up regularly, Cyberwarfare policy.

The old, but goodie book, Information Warfare second Edition copyright 1994,1996, by Winn Schwartau, is a must read.

COTS and 1996, along with massive de-regulation, now we are trying to pick the pieces up and restore balance. Yeah, the ACTA way is really working wonders.

It is practically 2010, and the only somewhat secure is a lynx ncurses browser on a custom OpenBSD rig, on the right hardware, with the right kharma. GRR!

Lynx and Movable Type, on this blog sure is a 40 char clustercrude!

NobodyDecember 1, 2009 3:25 PM

>Exactly what could an attacker do that cannot be mitigated through simple backups and off-line spares?

Point the instrument landing system responder at an airport into a building?
Put all the traffic lights in NY to green at the same time?
Open all the release valves at a water treatment plant, oil refinery, chemical plant?
Root the power onto a lower capacity line causing rolling blackouts across the country.
- All these have been done by just normal screwups.

And remember a lot of hardware is controlled by software -
Every cell phone tower crashes tomorrow after reprogramming it's UPS to go into an illegal power pattern that burns out the components. Do you have spares to replace the PSU in every piece of equipment in every cell tower, how many repair crews do you have - have long would it take?

The reason for not using cyberwarfare is that it is classicaly asymetric. It's a lot easier for them to do to you than you to do to them.
It's pretty much the reason that you invade a country with tanks and aircraft carriers rather than put bombs on their buses - you want to fight them on your terms.

Clive RobinsonDecember 1, 2009 4:10 PM

@ HJohn,

"I agree with you, we are not defenseless against cyberwar. I just hope our guard is never let down and we are caught with our pants down, so to speak."

Sadly we need time and resources to defend ourselves and build in resiliance.

And with execs routienly taking short term profit against long term risk as a business stratagy, in the view that "defense is sunk costs" -v- "this quaters share price" it is no guess who will be left with their 4r5e in their hands, and who will get the 30% bonus.

marcDecember 1, 2009 4:23 PM

@nobody
"Point the instrument landing system responder at an airport into a building?" "All these have been done by just normal screwups."

I need a reference for this one please. The Instrument Landing System (ILS) antennas are 1960's analog technology. Hard to hack into when there's no computer involved.

Clive RobinsonDecember 1, 2009 4:31 PM

@ PackagedBlue,

"It is practically 2010, and the only somewhat secure is a lynx ncurses browser on a custom OpenBSD rig, on the right hardware, with the right kharma. GRR!"

Cots motherboard and DVD drive with a gig or two of RAM and a *nix desktop of your choice on bootable DVD. Is only a little less secure and any nasties go at the flick of a switch.

If you want to make it a bit more secure reflash the bios with a striped down *nix.

If you want to go further than use the boot *nix as a VM master hypervisor.

It's not 100% but close enough for a year or two.

When I'm not (in bl**dy hospital or) playing catch up I'm working on a PC104 backplane system to put my VM hypervisor into hardware with segregated IO and hardware sand boxed processes with controled/hypervised resource access and do on the fly DMA memory integraty checking of the hardware sandboxed processess.

Again not 100% but it will stick a couple of nines on the end ;)

Brandioch ConnerDecember 1, 2009 5:24 PM

@Nobody
"- All these have been done by just normal screwups."

And people have car accidents every day "by just normal screwups".

Why are those systems accessible from the 'Web? Are they really? And don't reference a movie or TV show.

"The reason for not using cyberwarfare is that it is classicaly asymetric. It's a lot easier for them to do to you than you to do to them."

IF what you said could happen really COULD happen, why would that stop terrorists?

More to the point, HOW would the victim know who attacked them?

Please, no more Die Hard movies.

ChrisDecember 1, 2009 5:58 PM

"But even if there were a declared war, or a recognized state of hostilities, knocking out vital electricity to millions of citizens--who presumably are not soldiers in the fight--would fail a number of other basic requirements of the laws of armed conflict."

This doesn't even pass the laugh test. Knocking out electrical power infrastructure has been a feature of almost every large scale conflict since electricity became widespread. World War II, Korea, and Vietnam, all saw attacks against electric grids. The U.S. bombed power plants and transmission facilities during both wars in Iraq. During the Kosovo bombing campaign we used special carbon fiber warheads to take down the Serbian power grid. In any large scale conflict, taking down the power grid is always an objective.

JeremyDecember 2, 2009 4:14 AM

"...refrained from launching a broad cyber attack against Serbia... for fear of committing war crimes."
"...same dilemma four years later... ...could potentially harm America's allies... could spread to the United States."

Where is the parallel between harming your own/allies' interests, and a war crime?

GordonSDecember 2, 2009 6:28 AM

"it could be considered disproportionate... The government uses electricity, yes, but so does the entire civilian population"

Disproportionate indeed, but didn't the US target power stations in Iraqi cities on countless occasions?

But I guess it's not 'disproportionate' if the US do it though...

Mark RDecember 2, 2009 7:46 AM

I used to work for a natural gas utility, and although they used a SCADA system to manage some aspects of the pipeline operations, there were manual overrides and hardware failsafes in place... for instance, valves that close in response to pressure above a certain level without any electronics. The guys in charge of the flow of gas did not trust the operation to computers, which seemed like a good approach.

I don't know whether this attitude is in place across the industry, but at least in this case, it wouldn't be possible to blow up the gas lines or storage units without physical intervention.

Moshe YudkowskyDecember 2, 2009 10:21 AM

This essay contains two startling statements: (1) That "international law" prohibits attacks unless a state of war exists, and (2) that "disproportionate force" is required under "international law." Where do these ideas come from? Did the US sign a treaty recently that bans "disproportionate force?" Or it it just an interesting hypothetical concept bruited about by college professors and diplomats?

"International law" makes for an interesting hypothetical construct, but its constant evolution continues without any grounding in realistic tests or outcomes.

HJohnDecember 2, 2009 11:07 AM

@Moshe: "Did the US sign a treaty recently that bans "disproportionate force?" Or it it just an interesting hypothetical concept bruited about by college professors and diplomats?"
_____________

Probably more the latter.

Basically, it is little more than, when you don't like the side that is winning, accuse them of being a bully. In other words, the other party can hit you as hard as they can, but you can't hit them back any harder. Silly, if you ask me.

I'm not sure how that would play out in cyberwar, I guess it would depend on what was attacked.

Matt from CTDecember 2, 2009 2:38 PM

> I'm not seeing the problem here.

It won't be long, if we're not at that point already, that the U.S. Post Office & Banking System doesn't have sufficient core capacity to process the volume of bills and checks that would return to snail mail should their be a sustained, months long attack that keeps the internet unreliable for e-commerce.

It's not a matter of simply hiring more employees if you've shuttered central mail processing and back office banking facilities and no longer have the equipment around.

Yes, given six months, a year, two we could rebuild the old ways...but it would cause a lot of financial disruption in the mean time.

Many business-to-business transactions are also done over the internet as well, which mucks up supply chains for ordering and processing invoices to even cut a check to get mailed to be delayed in arriving before it goes to the bank to sit in a pile till they can get it processed.

I suspect many other nations are / will be in a similiar boat.

Not the end of the earth, but if you mess up accounts receivable enough that a company runs short on cash and can't make the payroll so the workers can't buy gasoline to drive to work the whole impact is amplified.

Clive RobinsonDecember 2, 2009 3:45 PM

@ Matt from CT,

"Many business-to-business transactions are also done over the internet as well"

Make sure you keep a couple of those old phone / fax modems.

Sometimes it's hard to get a grip on how fast things have changed. I remember setting up the first BBS email system for a manufacturing organisation, it cut their phone bills by 80% in a month simply because they no longer used the FAX all the time to half way around the world...

Brandioch ConnerDecember 2, 2009 4:56 PM

@Matt from CT
"It won't be long, if we're not at that point already, that the U.S. Post Office & Banking System doesn't have sufficient core capacity to process the volume of bills and checks that would return to snail mail should their be a sustained, months long attack that keeps the internet unreliable for e-commerce."

And once again we return to the question of HOW that would happen.

Seriously, this isn't magic.

If an attack such as you describe is coming from a country, then the traffic from that country would be blocked. End of attack. Let them deal with cleaning up their problem.

From multiple countries, then they'd all be blocked. And they could all deal with cleaning up their problems.

From the same country that the banks are in? Then they're probably coming from cracked machines. Identify the subnets and block them. Let their ISP's clean up their problems.

It's technology. Not magic.

Clive RobinsonDecember 3, 2009 12:21 AM

@ Brandioch Conner, Matt from CT.

"It's technology. Not magic."

And very limited technology as well.

By which I mean there are very few suppliers of high end telco network equipment.

We have seen celular phone switches get subverted in one way or another (Greek Olympics) without the operators being aware it has happened and till long after the event.

Most high end network equipment comes from just on supplier Cisco and their switch OS has had problems in the past.

And a lot of manufacturing etc has been outsourced to the far east / china at some level or another.

As Apple found sometimes your supply chain can be subverted.

Likewise in the UK there where stories of EMV Chip-n-Pin E-POS terminals having additional hardware (custom celular radio modem) added in the manufacturing supply chain.

Not being nasty but most of those high end switches are designed for a long life and they have quite powerfull internal control systems but the OS is in many respects less capable than early versions of MS NT (without Windows).

The switch owners have a lot of money riding on the functioning of the switch like industrial control systems they don't get patched or updated unless there is a real need.

So it is easily possible that a country wishing to start cyber warfare to subvert major coms switches or other equipment have already laid the cuckos egg in the nest and are just waiting for it to hatch.

And contry to what most people belive software can and does destroy hardware when it runs at a low enough level.

So just shutting the stable door is not of necesity going to work especialy as most telcos do not carry the spares to repair even a tiny fraction of their network.

JeremyDecember 3, 2009 6:41 AM

@Moshe -
"Did the US sign a treaty recently that bans 'disproportionate force?'"

Protocol I of the Geneva Conventions has something to say about it. Despite signing it in 1977, the USA has never ratified this protocol.


@Matt -
"Seriously, this isn't magic. If an attack such as you describe is coming from a country, then the traffic from that country would be blocked. End of attack."

I think what you just described would actually require magic.


@Clive -
"Make sure you keep a couple of those old phone / fax modems."

Hmm. I think you'd have to be pretty lucky for that to be your solution. Banking, postal/courier systems in chaos, but at least you can (assuming the phone system is working) fax your customers and suppliers to tell them you're open for business as usual...

Brandioch ConnerDecember 3, 2009 8:00 AM

@Jeremy
"I think what you just described would actually require magic."

Jeremy, stop paying your ISP bill.

Did they cut off your Internet access?

But the people next door still have their service?

Yeah, magic.

Brandioch ConnerDecember 3, 2009 8:09 AM

@Clive Robinson
"So it is easily possible that a country wishing to start cyber warfare to subvert major coms switches or other equipment have already laid the cuckos egg in the nest and are just waiting for it to hatch."

Explain the "easily" in that statement.

"The switch owners have a lot of money riding on the functioning of the switch like industrial control systems they don't get patched or updated unless there is a real need."

So the attacker would have had to have compromised the process YEARS ago.

I think you should stick to your UFO abduction theories.

Clive RobinsonDecember 3, 2009 9:43 AM

@ Brandioch Conner,

I know you have a propensity to be rude and unplesant so I will say the following

1, The supplier chain has been proven to be subvertable.
2, The supply chain for infrestructure products is increasingly through countries where the Politicos currently belive they are engaging in cyberwarfare.
3, The Chinese in particular are known to take a long term view as evidenced by their current behaviour in Africa.
4, The US and other first world nations are increasingly taking shorter and shorter term views often as little as the next financial quater.

I do not know what you actualy belive nor do I particularly care.

Primarily because there is evidence currently out there to substantiate the points I have made.

If you chose to belive that nothing can go wrong until you are forced to pull the plug then please feel free to belive that you will join a whole host of business execs who cannot see beyond the next quaters share price and their resultant bonus.

However it might be beholdent on you to explain your view point to your employers etc who might not share such a short term view point.

Sometimes what you have to say is of interest to other people and I like others agree with you.

However your propensity to your own self certainty and your rudness to those who chose how ever rationaly and carefully explaind to disagree with you appears to be on several blog sites including this one.

If you have anything pertainent to this blog to say and it is reasonably well supported then I would be happy to read it.

However if you respond with non relevant, insulting and plain stupid comments of the likes of,

"I think you should stick to your UFO abduction theories."

Then don't be surprised if people treat you as an illmanered and unlearned Troll.

The choice as they say is yours...

Brandioch ConnerDecember 3, 2009 9:48 AM

@Clive Robinson
"1, The supplier chain has been proven to be subvertable."

Provide support for that.

Go ahead.

Provide support that the chips that Cisco uses are provided by a supplier who is or has been compromised.

Do that.

You've already claimed it can be done "easily".

Matt from CTDecember 3, 2009 12:56 PM

>If an attack such as you describe is
>coming from a country

1) I did not describe an attack in either of my posts.

2) I believe you're making an assumption this would be a distributed denial of service attack from saying you could simply shut off the source machines.

The attacks, instead, could be against specific vulnerabilities and only need a very limited number of machines to execute.

If you don't need continous connectivity then something as simple as disconnecting someone who didn't pay their bill is not very worthwhile.

I would think highly targetted, state sponsored attacks against things like DNS and certificate authorities would be far more damaging then some simple denial-of-service bot network.

Brandioch ConnerDecember 3, 2009 2:09 PM

@Matt from CT
"The attacks, instead, could be against specific vulnerabilities and only need a very limited number of machines to execute."

Which vulnerabilities would those be?

Be specific.

"I would think highly targetted, state sponsored attacks against things like DNS and certificate authorities would be far more damaging then some simple denial-of-service bot network."

How would the "state sponsored attacks" work against Verisign (one of the "certificate authorities") and what would the damage be.

Again, be specific.

Matt from CTDecember 3, 2009 4:06 PM

>Which vulnerabilities would those be?

>Be specific.

Most likely a vulnerability that hasn't been discovered, or at the very least isn't well known so that it hasn't been patched yet.

I have a question for you: What software has been proven mathematically to be vulnerability free?

Be specific.

> (paraphrasing) how would an attack
>against a certificate authority work and
>what would the damage be

It would work by undermining trust in or making unavailable the CA, and what's the point to a CA that is untrustworthy or unreachable?

And once the CAs isn't trustworthy or available, there is no protection from man-in-the-middle attacks on ssl encrypted transactions since you can't independently verify you're connecting to who you think you are.

Brandioch ConnerDecember 3, 2009 4:41 PM

@Matt from CT:
"Most likely a vulnerability that hasn't been discovered, or at the very least isn't well known so that it hasn't been patched yet."

So the good guys have somehow missed this critical vulnerability ... but the bad guys are going to use it to bring down our country?

And it is going to be cross-platform, right? Because there are different platforms running at different businesses.

But you believe that is possible.

You've watched too many movies.

http://art.penny-arcade.com/photos/...

The HamburglarDecember 3, 2009 5:55 PM

"But they stopped short when they realized that the same networks used by Iraqi banks were also used by banks in France. Releasing a vicious computer virus into the system could potentially harm America's allies."

I thought that France was not considered an ally during the whole "Freedom Fries" episode.

DuffDecember 4, 2009 7:07 AM

The US obviously has no issue with shutting down a nation's power grid -- we did just that in the opening days of the First Gulf War by sending tomahawk missiles loaded with aluminum and copper chaff to Iraqi power substations and transmission facilities. The country went dark in minutes.

In 1991 and 2003, missiles and manned aircraft were the preferred methods to perform this sort of destruction. Today, drone aircraft and missiles are probably the preferred methods. Until we go up against an opponent with a mature air defense system and Air Force that can remain in the air for more than 30 minutes, cyberwar will be an exotic toy.

Other countries, like China, lack an ability to project military power at great distance, with the exception of ballistic missiles and submarines. For them, cyber warfare is not only an interesting tool -- it is their only offensive weapon that can be deployed against the Western Nations and Japan.

Clive RobinsonDecember 4, 2009 7:28 AM

@ Matt from CT,

A piece of free advise to protect both your sanity and your name and not upset the moderator.

Both myself and HJohn have in the past tried to present reasoned argument to Brandioch Conner.

It does not work he will not answer your questions, and if you don't answer his he will acuse you of such things as "not knowing what you are talking about" or taking as "proof" the fact that you will not commit an illegal act to prove him wrong...

If you do answer his question he will either ignore it or pick an unreasoned fault with it.

I have previously tried to get him to accept that "not 100% secure" is "not secure" that is the degree does not matter.

He used the following argument,

"I have a linux boot CD box, you cannot effect the files on the CD, therfore you cannot exploit it"

When it is pointed out to him that there are other parts of the "box" that are mutable (Flash ROM for BIOS and some IO devices) or the software on his CD might have faults by which the mutable parts of his box might be effected.

He comes back with,

"Prove it effect my box"

And says,

"You cann't do it so I'm right".

He will then ignore the fact even though you point it out to him that,

1, it is illegal unless certain steps have been taken (which he won't take).

2, He has not told you where his box is.

So his version of "proof" is not worth the breath it takes to sigh.

For an example of his rude and unreasond behaviour on this page look at my posting on December 3, 2009 12:21 AM to you and him and his response at 8:09 where he says,

"I think you should stick to your UFO abduction theories."

Does this sound like a rational / sane person?

Then look at his posting of 9:48 where he says,

'@Clive Robinson
"1, The supplier chain has been proven to be subvertable."

Provide support for that.'

And if you go back to my posting to you both you will see,

"As Apple found sometimes your supply chain can be subverted.

Likewise in the UK there where stories of EMV Chip-n-Pin E-POS terminals having additional hardware (custom celular radio modem) added in the manufacturing supply chain."

That is either he has not read it or has chosen to ignore it for some reason.

The former can probbably be ruled out (he responded to the post), thus the latter is the likley explanation.

But why, is his memory so defficient he did not remember, does he not belive what I have said, or is it to hide the fact that he is going to make an unsupportable statment next?

Now if he feels I have made it up he should say so (but I suspect he knows it is correct, if he thought not, he would have said something).

So lets look at what he says next,

"Provide support that the chips that Cisco uses are provided by a supplier who is or has been compromised."

You will see that I have not made that statment. All I have said about Cisco is they are a major supply of network equipment.

However he goes on to say,

"Do that.

You've already claimed it can be done "easily"."

So a further incorrect statment by him to support something that has not been said.

The question then arises as to why he is like this.

Well if you google his name you will find a person by the same name used to be held in high regard on another blog, but for some reason suffered a fall from grace that appears to be not unrelated to the behaviour exhibited by him on this page.

I'll let others dig further if they wish.

As for me I'm not going to enter into his silly childish games of "I'm right your wrong nah nahny nah ha".

And I would advise others to avoid it as well.

HJohnDecember 4, 2009 10:03 AM

I think the "professionals" vs "attackers" provide an interesting paradox.

First, it is true that it is difficult to come up with a huge (key word) vulnerability the professionals haven't found. Sure, there are many small ones, but huge ones undetected are tougher.

Second, the professionals are often at an inherent disadvantage to attackers. Attackers only have to find one significant vulnerability before the professionals do.

The odds of a vulnerability that would allow a huge attack is lessened based simply on the fact that the unknown hole would have to be significant. However, this is at odds with the fact that professionals need to find more faster and attackers need only find one first.

Zero day protection is important. Entities should assume there are weaknesses they do not know about, and reduce the impact of any such weaknesses. Easier said than done, I know. But, ideally, an exploit would have to find weaknesses on several layers, not just one, in order to work.

Brandioch ConnerDecember 4, 2009 10:09 AM

@Clive Robinson,
If you cannot answer the questions, then you cannot answer the questions.

Now you're resorting to lies in an attack on me personally.

Brandioch ConnerDecember 4, 2009 10:17 AM

@HJohn
And the huge vulnerability would have to be cross platform.

And it would have to have existed for years (and still exist).

That's what makes this a movie plot threat. The number of requirements that have to happen perfectly and be impossible to mitigate even when following "best practices".

HJohnDecember 4, 2009 10:24 AM

@Brandioch Conner: And the huge vulnerability would have to be cross platform. And it would have to have existed for years (and still exist). That's what makes this a movie plot threat. The number of requirements that have to happen perfectly and be impossible to mitigate even when following "best practices".
_________

I agree it is unlikely. One wild card is people who do not upgrade, or patch, etc. This is a particular problem in some sectors such as government or utilities where they are basically monopolies (no competition basically means reduced incentive to do things right).

The movie plot aspects are interesting. It is movie plot that is unlikely to ever happen. Then again, so was 9/11. Had it been stopped, we'd have laughed at any officials that said they saved the WTC and at least 3,000 lives from 19 people with box cutters. Not saying I live in fear of cyberwar (I don't), I'm just saying that if a way is found to do something, it will be interesting to say the least.


Brandioch ConnerDecember 4, 2009 10:41 AM

@HJohn,
"One wild card is people who do not upgrade, or patch, etc."

Nope. That doesn't matter because the attack would have to work against systems that were fully patched.

Otherwise the attack would end quickly as the systems were taken off-line, patched and brought back on-line.

Remember Slammer, Code Red and Nimba?

As for the WTC attacks, that wasn't a movie plot threat because there wasn't one thing (or two things) that could happen wrong and end the attack. They had multiple groups with multiple destinations and fall back options. Even when one person was late, the attack still happened. Even when one plane was re-taken, the attack still happened.

Not to mention that a similar plot was prevented before in France.
http://en.wikipedia.org/wiki/...

HJohnDecember 4, 2009 10:50 AM

@Brandioch Conner: "As for the WTC attacks, that wasn't a movie plot threat "
___________

I absolutely agree with that. However, had it been stopped, and officials argued the WTC and thousands were saved, it would have been considered a movie plot threat.

Nothing seems like a movie plot threat when it actually happens. After something happens, it becomes crystal clear what could/should have been done to stop it. The problem is, when trying to make the case before the fact, the crystal clarity simply isn't there.

Clive RobinsonDecember 4, 2009 11:58 AM

@ HJohn,

"First, it is true that it is difficult to come up with a huge (key word) vulnerability the professionals haven't found."

How about a protocol error in TLS/SSL it covers many platforms and had effectivly remain "unseen" for several years.

So by no means beyond the bounds of possibility.

"Sure, there are many small ones, but huge ones undetected are tougher."

When you get into infrestructure equipment you are talking about a very limited number of equipment vendors.

For instance the Greek Olympic mobile phone hack. It went undetected for a very long time and effected over 100 senior politicians and civil servants.

This was probably done by profesionals. But these days crackers are guns for hire.

"Second, the professionals are often at an inherent disadvantage to attackers."

Depends what you mean by profesionals "sys admins" or "spooks".

Sys admins have limited time, very limited if non existant resources, to much work, often insufficient training and the main OS keeps changing their Admin Interface every year or so.

Spooks on the other hand are well resourced have the best tools for the job and have little difficulty in finding the right people to work for them.

"Attackers only have to find one significant vulnerability before the professionals do."

No they have to find one vulnerability that is not patched on any given machine. It is quite possible to lever on from that position because of admin mistakes and assumptions. For instance if an admin runs an automated script from their machine how do the other machines know if what that machine is telling them is correct or not?

"The odds of a vulnerability that would allow a huge attack is lessened based simply on the fact that the unknown hole would have to be significant."

Again no.

"However, this is at odds with the fact that professionals need to find more faster"

Again not true there where certain protocol errors that where known about proffesionaly for years but nobody did anything about it untill somebody exploited it.

"and attackers need only find one first."

Not quite true, they need to find one open vulnerability on each machine they wish to get access to.

"Zero day protection is important. Entities should assume there are weaknesses they do not know about"

That is an absolute given but it appears not to be on most peoples horizons or if it is it's wiped off their radar by more pressing "noise" from other aspects of the places they work.

"and reduce the impact of any such weaknesses."

As you say,

"Easier said than done, I know. But, ideally, an exploit would have to find weaknesses on several layers, not just one, in order to work."

Time and time again the "onion" model has either not been implemented, has been bypassed or it has not been possible.

The thing is we know this can happen because not only has it happened once it has happened several times.

Once somebody is in your systems unless you are lucky or hyper vigilant they can stay there for a very very long time.

As we know from root kits they can make the system lie to you and unless there are other symptoms to make you suspicious are you going to go chasing "ghosts" when "the man" has more important "business requirments".

And after reflection I think most would agree there is very very little "movie plot" about it unless you are talking a "historical" or "bio pic".

HJohnDecember 4, 2009 12:41 PM

@Clive Robinson at December 4, 2009 11:58 AM

Good and fair points. I appreciate the dialogue

Brandioch ConnerDecember 4, 2009 12:49 PM

@Clive Robinson

A search on Google for:
"protocol error" TLS/SSL
results in 3,520 hits.

http://www.google.com/search?...

And the majority of those hits are questions about connection errors.

"So by no means beyond the bounds of possibility."

That is entirely dependent upon how you define "the bounds of possibility".

With almost no references to your supporting evidence available, your attack scenario likelyhood seems to be near zero.

ModeratorDecember 4, 2009 2:52 PM

Brandioch and Clive, you both need to stop sniping at each other and dredging up stuff that happened in other threads.

Brandioch, you need to learn to disagree with people more civilly if you want to continue to comment here. Badgering people to answer exactly the questions that you've decided are essential is not a good way to provoke reasoned debate, and you've done it enough that that ought to be clear to you by now. Snide comments like "I think you should stick to your UFO abduction theories" are not helping, either.

Clive, the thread is about cyberwarfare, not about Brandioch's personality. Bringing up stuff that happened in a previous thread and in some other forum is not only a distraction in itself, but leaves him with no way to fully defend himself except to go into the details of past conflicts, which would have derailed the thread even further. If you refuse to engage with Brandioch based on past behavior, just note that *briefly* and move on. If people really want to know the history then they can search the site themselves.

Clive RobinsonDecember 6, 2009 10:44 PM

@ HJohn,

It appears that others have realised that there is more than one type of bot net out there.

Yes you have the bold and the brash that DDos twitter or launch a torrent of SPAM messages. And more recent ones for pushing malware (H1N1 - Zbot).

But also smaller more specificaly targeted bot nets, that use stealth to avoid being detected.

Have a look at,

http://searchsecurity.techtarget.com/tip/...

It is a trend I thought likley some time ago, however it appears to be one, researchers are not currently acknowledging (there are several explanations as to why this might be so I'll make no further comment).

The big problem I see with botnets is that the operators of large DDoS and SPAM botnets are not being stealthy mainly due to the fact they are attacking services not information.

Thus the sys-admins and researcher's appear to be like rabbit's caught in car headlights mesmerized by the intensity involved.

Micro bot nets that target information are stealthy and can use various layers of cloaking.

You can see why this difference is important at,

http://www.lightbluetouchpaper.org/2009/10/17/...

filobusDecember 17, 2009 8:35 AM

and wat about declaration of war? would be enough a cyberwar attack? would be it a good excuse to declare war to someone else? (cyberwar attack could be a fake, but not its effects, perhaps, but cyberwar attack'0s origin could be a fake)

bombs awayDecember 26, 2009 11:37 AM

The blog entry describes the military policy of the USA for the last 60 years, find an adversary that cannot defend itself, has not attacked us, and blow up and totally destroy any infrastructure it has causing massive suffering. USA number 1!!!

NathanaelJanuary 5, 2010 3:35 PM

Yeah, the US government *likes* to commit war crimes. The administration dealing with Yugoslavia was a rare exception.

So expect the US to commit cyber-atrocities.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..