Research Report on Cyberattack Capabilities

From the National Academies in 2009: Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. It's 390 pages.

Posted on July 6, 2010 at 6:00 AM • 12 Comments

Comments

Clive Robinson • July 6, 2010 8:08 AM

@ Bruce,

"It's 390 pages."

How about giving us a week or so's notice that you are going to post about one of these not so short documents, and give us a chance to read it ;)

However the title alone suggests it's going to take more than a "month of Sundays" to read...

Macgyver • July 6, 2010 8:29 AM


The word "cyber" is used 2,000 times in this report (minus its mention as the title on each page), out of a total of 147113 words total. Out of every 100 words you read (i.e. a paragraph), "cyber" will appear at least once and most likely twice.

By contrast, the word "threat" is used 170 times, "vulnerability" 59 times, "risk" 40 times and "security" by itself is 193 times.

Conclusion: Cyber must be a very big issue.

Mac

Gweihir • July 6, 2010 9:03 AM

Cyber does Cyber the Cyber to your Cyber! Therefore Cyber is Cyber in Cyber all the time, giving Cyber a Cyber to Cyber your Cyber! If you do not Cyber, Cyber will Cyber the Cyber in a Cyber way.

I could probably have written that report cheaper ;-)

I had a quick scan through. I think there is some good stuff in there, but it is hard to find. Possibly a good example for failure to produce a usable document.

Clive Robinson • July 6, 2010 11:07 AM

@ Gweihir,

"I had a quick scan through. I think there is some good stuff in there, but it is hard to find. Possibly a good example for failure to produce a usable document."

I have been told that with many "technical books" you actually have "20 pages spread across 300". That is, the actual content of a book can be reduced to 1/15th of its size and still contain the essential information.

Apparently "self help" and "management books" you buy at the airport it's more like 1 page across 300...

However I have one or two maths and engineering books on my shelves at home that read like each page has been condensed from a book or two, so the mileage definitely varies.

I have one favorite (physics) where a whole chapter consists of one opening sentence, three formulae and a three sentence closing paragraph and manages to cover 12 pages...

Brandioch Conner • July 6, 2010 1:40 PM

"Cyberattack refers to deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks."

So taking out an enemy's command and control with a bomber would be a "cyberattack" by that definition.

"Domestic law enforcement agencies also engage in cyberattack when they jam cell phone networks in order to prevent the detonation of improvised explosive devices."

Yeah. I think they're confusing the goal with the method. That's just bad practice.

"Second, weapons for cyberattack have a number of characteristics that differentiate them from traditional kinetic weapons."

Strangely enough, they missed the part about blowing off limbs. Or not, as the case may be.

"For example, given that any large nation experiences cyberattacks continuously, how will the United States know it is the subject of a cyberattack deliberately launched by an adversary government?"

This is the first hint that you're classifying "vandalism" as "attack".

"For example, a cyberattack could disrupt adversary command, control, and communications; suppress air defenses; degrade smart munitions and platforms; or attack warfighting or warmaking infrastructure (the defense industrial base)."

The same as regular military operations can. And regular military operations do it with better reliability.

And so on and so forth.

This plays like a bad movie. Where the evil enemy is defeated by something as simple as a correctly configured firewall.

BTW: Firewall is first mentioned on page 36. Then again on page 97.

Brandioch Conner • July 6, 2010 1:52 PM

Oh, another amusing thing:
Search for the string "can drop functionality on its own systems that the attacker is trying to exploit".

Compare the paragraphs in which it appears.

And for further amusement, read page 208.

This document reads like it was pasted together from wikipedia entries.

Winter • July 7, 2010 1:04 AM

So: Cyber = Involves a VLSI chip

Which means running someone over with a car classifies as a cyber attack?

Or must you destroy a VLSI chip? That is, running a car into a tree is a cyber attack?

Clive Robinson • July 7, 2010 1:24 AM

@ Brandioch Conner,

"This is the first hint that you're classifying "vandalism" as "attack""

I think you have an interesting point there, the Administration and prosecutors have overused "terrorxxxx" to the point it is becoming meaningless in the voters' eyes.

Thus they need a new "scary bogeyman" to get politically motivated prison terms.

The question then arises about the lack of reliability in the software we use.

For instance if you crash your car and kill somebody they look at how "roadworthy" the vehicle was/is and if they deem it was not sufficiently so then you are guilty of murder.

Will using out of date or unpatched or self-written code become a crime that you will be found guilty of...

Tom T. • July 7, 2010 1:58 AM

@ Winter:
"That is, running a car into a tree is a cyber attack?"

"Tiger Woods guilty of cyberattack!"

@ Clive Robinson: Reminiscent of the old line, "He managed to cram ten minutes of information into a two-hour speech."

@ Bruce Schneier: Isn't "informative Government study", or "informative Government-funded study" an oxymoron? (AES and SHA-3 excepted, of course :)

@ Everyone:

"Cyber is such a perfect prefix. Because nobody has any idea what it means, it can be grafted onto any old word to make it seem new, cool -- and therefore strange, spooky." ["New York" magazine, Dec. 23, 1996]

"As a stand-alone, it is attested by 1998 as short for cybersex (which is attested by 1995)."
Online Etymology Dictionary, © 2010 Douglas Harper

Hey, wait... that means that "cyberattack" is actually "cyber-rape"! ... You heard it here first. "Cyberrape" © 2010 Tom T. ;-D
