Schneier on Security
A blog covering security and security technology.
« Master's Theses in Homeland Security |
| My Recording Debut »
October 1, 2010
Me on Cyberwar
During the cyberwar debate a few months ago, I said this:
If we frame this discussion as a war discussion, then what you do when there's a threat of war is you call in the military and you get military solutions. You get lockdown; you get an enemy that needs to be subdued. If you think about these threats in terms of crime, you get police solutions. And as we have this debate, not just on stage, but in the country, the way we frame it, the way we talk about it; the way the headlines read, determine what sort of solutions we want, make us feel better. And so the threat of cyberwar is being grossly exaggerated and I think it's being done for a reason. This is a power grab by government. What Mike McConnell didn't mention is that grossly exaggerating a threat of cyberwar is incredibly profitable.
More of my writings on cyberwar, and the debate, here.
Posted on October 1, 2010 at 12:10 PM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
OK, nothing new in this post, but I'll still respond. You are combining two things:
A) A semantic debate about what terminology we use to describe politically motivated computer hacking (with effects on systems online, offline or both) sponsored by either governments or non-state actors.
B) The likelyhood of these actions occurring.
I completely agree with you on the importance of framing and semantics. There are separate threats of cybercrime and cyberwar. There is clearly a great deal of hype associated with cyberwar. But I simply don't understand how you can say that the threat of cyberwar is "grossly exaggerated"?
Do you really think that in a future conflict, a coordinated online attack would not be one of the first actions taken? Or is it that you think that it is likely, but not actually a concern to us?
From your linked article:
" But we're not fighting a cyberwar now, and the risks of a cyberwar are no greater than the risks of a ground invasion. "
The risks are no greater than a ground invasion?!? OK then... So in a hypothetical conflict with China, North Korea, Iran, etc, they are equally likely to send troops to US soil as they are to attempt to disrupt any and all network-connected services?
The word "war" is wildly abused in our culture. Our military operations in Iraq and Afghanistan have been "occupations" since 2003. Calling them "wars" lends them too much moral weight - excess privileges in infosec terms. "War" implies non-standard operating conditions, and can be used to set aside normal operating parameters, such as human rights of the Geneva convention (adherents suspend even the concept of "war crimes" during war). And abusing the word "war" has justified violating too many U.S. Constitutional rights as well.
We need to stop overusing the word "war," and we also need to stop overusing the word "terror" in all its "-ist" and "-ism" derivations. We need to refer to our occupations as occupations. We need to refer to information security efforts as such. We need to refer to attempted sabotage (e.g. Stuxnet) as sabotage. We need to refer to a lone shooter as such when that what the lone shooter is, and as a terrorist when that is actually what is taking place.
Couching every event in the most hysterical terms possible is exactly like operating an enterprise without data classification - lacking data classification, everything has to be run at the highest level of security, and that's expensive.
We need to correctly classify events just as we correctly classify data. We need to use appropriate language. The alternative is expensive and destructive confusion. Reserve "war" for state-on-state employment of violence towards political ends. Reserve "terrorism" for organized guerrilla violence against civilians. Apply "occupation" to the military control of a region without facing state opposition. And stop surrendering civil and human rights to hysterical language.
Different events should be denoted by different words. An online attack by some criminals against a bank would be a CyberCrime. However a state sponsored attack against our online infrastructure that disrupts large sections of our electrical grids, power stations etc could be the start of a CyberWar. Who cares if the internet is down for a couple of days. However, if our electrical grids are out for weeks or months then this would cause massive disruption to our way of life and economy.
If the contrast Bruce means to draw is between cyberwar vs. cybercrime, then it is pointless with regards to his worry about increasing government power. Both military and police are governmental functions.
My quick feeling on this has always been that I don't see who has both the capability to do it and the interest in doing so. We all know from Stuxnet now some of what is possible. But is it a military issue to defend such installations? I don't see why.
I used to cringe at any mention of the word "cyberwar", and I largely still do. But after reading about this stuxnet worm, I'm having second thoughts.
I think we need to come to an understanding that both cybercrime and cyberwar will exist. We need to come up with a meaningful and appropriate way to separate them.
You don't send in the marines every time some junkie holds up a quicky-mart, you also don't send beat cops to take on insurgents. A random worm of DoS isn't cybercrime, not cyberwar, but specially crafted worm, specifically aimed at industrial machinery just may be cyberwar.
Drawing the line is tricky. As a starting point, I think a rule of thumb (but no means comprehensive) might be "cyberwar is when there is a real potential of people getting killed".
What remains un-named at the moment is a series of network attacks, perpretated by unknown people who may or may not have access to government officials of other countries, who deeds may further the political goals of those governments in gaining leverage over our government.
I think it was Clausewitz who defined warfare as the pursuit of political goals through other means.
Of course, the noted use and misuse of the verb "war" for "War on Poverty", "War on Drugs", "War on Crime", etc., and the non-use of "War" to describe military operations against non-state actors, and states that support/encourage such actors (and who don't fit cleanly into any portion of the Geneva Protocol), further muddies things.
One further thought: though defense against foreign government action is usually thought of as belonging to the realm of international politics, a large number of IT departments may now have to worry about them.
Also, a large number of industrial-computer-support teams may also have to worry about them. (If Stuxnet is a government-driven operation, or even government-supported...)
As a final note...welcome to another way in which global computer networks cause us to need new words for new potential catastrophes.
"War" as a word has become cheap and meaningless. Thanks to terms like War on Poverty, War on Drugs, War on Terrorism.
Another problem, calling things a "war" allows your patriotism to be called into question if you object.
If I hear "cyberwar," I think "cover your wallet."
You should read "Washington Rules" by Andrew Bacevich. It's a damning analysis of the military industrial establishment and how those in charge of assessing risk have little to lose in overstating it.
To call Estonia a Cyberwar was the biggest miscalculation I've seen to date.
Not even Stuxnet is a Cyberwar.
To have a Cyberwar you need two-sides fighting the *offensive* arena.
We haven't seen that yet.
The "Internet Kill Switch" legislation is currently grinding through the Senate. Should it pass, any outage that occurs could be caused by foreign or domestic action, and the number of people who will be capable of proving one vs another will be extremely small. Our system of checks and balances quite simply no longer functions as it should, and the governmental power grabbing has yet to stop.
I'll say it again: the only type of security some government entities are interested in is JOB SECURITY. It would be pathetically easy to contrive a false flag Internet disruption within the United States with a government-controlled Internet kill switch in play, and blame it on the target-du-jour.
Much mainstream discussion of "cyberwar" is designed to precondition the American public into a state of mind(lessness) that would be easy to exploit after a real or contrived event.
@n3td3v: So you don't believe in the possibility of a one-sided war? So a war is only when two sides are both on offense? So the invasion of Iraq wasn't a war?
@Andrew: how many of those people wouldn't be dead or wounded right now if our own intel community hadn't cooked the books to make it look like Saddam Hussein had anything to do with 9/11?
Someone is certainly cooking the books to make Stuxnet look like Israel.
Let's hope nobody jumps to conclusions on the Cyberwar front.
@Andrew: I was referring to the invasion, not the aftermath. The invasion itself, the whole part before the clown declared "Mission Accomplished", was very much a one-sided affair.
@n3td3v: While declaring the origin to be Isreal is sheer speculation, stuxnet is definitely not the work of some kid getting his rocks off or the typical organized crime thugs. The author(s) clearly had in depth knowledge of the very expensive industrial systems involved.
"I think it was Clausewitz who defined warfare as the pursuit of political goals through other means."
'Tis true. But the corrollary - that the pursuit of political goals is warfare by other means - is NOT true.
Meh...we already live in Czarist America.
Two of the craziest things I've seen in the last 20 years:
The Republicans allowing themselves to be re-painted as red. Traditional, until late 90s, when maps were drawn blue was used for Republicans and appropriately red for those commie pinko Democrats.
Two, the land of McCarthy starts using Czar as a title (even if just a knickname) for federal officials.
I believe the first "War" was the War on Cancer. Who do you sign the peace treaty with?
>But the corrollary - that the pursuit of
>political goals is warfare by other means
>- is NOT true.
Someone who wanted to work at it probably could come up with a cogent philosophical argument to the contrary.
The Cold War was, compared to the stakes, relatively very low intensity and very heavy on states-craft.
More importantly, the primary hallmark of civilization is yielding a monopoly on use of force to the state. While there may be some carve-out for self-defense, and dealing with situations of revolution involving the armed overthrow of the state and replacement with another, largely politics replaces family and tribal warfare in a state.
@Trichinosis USA & Andrew
There is no war in Iraq or Afganistan. Noone is trying to take anything over. There was an invasion followed by an occupation. That is why it drags on, Mission Accomplished was declared when Iraq was occupied. That was the goal. The goal of the resistance is to end that occupation. The US cannot 'win' more than they have.
"To have a Cyberwar you need two-sides fighting the *offensive* arena."
Re-defining warfare? Warefare does not always involve two sides engaged in the offensive arena, it can take place with one side fighting an offensive battle and the other side knowing all they need to do to win is fight a defensive battle.
Right now I would say stuxnet has the looks of being cyberware. If it turns out a country was behind this in an attempt to attack Iran's power infrastructure then I would classify that as war.
And if you frame it as a public-health isssue, you get ye another different set of responses.
I just wrote an article about a case of cyberwarfare from 1982 in SC Magazine.
Basically, the comparison made is stuxnet to The Farewell Dossier, a well documented event in the early 1980s which I had only heard rumors about.
I think we would all agree that an explosion listed as 25% as strong as Hiroshima could be defined many ways. Nobody was harmed, but there definitely could be a case made for this being an act of war or at least sabotage under espionage.
These days we would call it terrorist most likely.
"I think it was Clausewitz who defined warfare as the pursuit of political goals through other means."
Of course, by that definition... what is the War on Drugs other than pursuit of political goals? (Increases in funding to police forces, clubs to use against 'undesirable' elements...)
Well, it was certainly an attack. The problem with cyberwar doctrine is how it reframes the problem incorrectly and dangerously. The cyberwar proponents look at the situation like a bunch of identifiable entities committing acts of war against one another on the Internet. The reality is that our systems are simply insecure and should have basic defenses. As for attackers, the reality is we can't know who owns the enemy IP or if the owner knows of an attack.
So, the problem should be defined as poor system security, not cyberwar weakness. The example you gave is a good case in point. They say "This is an act of cyberwar." If the attackers just used a road, would they talk about "road war." If they kicked in a physical door rather than a digital one, should we start shoring up defenses in doorspace, identifying potential foes? It's just crazy. Systems are just an entity on the battlefield that might become a tool to attackers if not defended. We have ways of solving poor system security, although cyberwar initiatives seem more focused on giving government omniscience and omnipotence. That's always been a more serious threat to Americans than any rogue nation-state or online criminal organization.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.