Cyberwar and the Future of Cyber Conflict

The world is gearing up for cyberwar. The U.S. Cyber Command became operational in November. NATO has enshrined cyber security among its new strategic priorities. The head of Britain’s armed forces said recently that boosting cyber capability is now a huge priority for the UK. And we know China is already engaged in broad cyber espionage attacks against the west. So how can we control a burgeoning cyber arms race?

We may already have seen early versions of cyberwars in Estonia and Georgia, possibly perpetrated by Russia. It’s hard to know for certain, not only because such attacks are often impossible to trace, but because we have no clear definitions of what a cyberwar actually is.

Do the 2007 attacks against Estonia, traced to a young Russian man living in Tallinn and no one else, count? What about a virus from an unknown origin, possibly targeted at an Iranian nuclear complex? Or espionage from within China, but not specifically directed by its government? To such questions one must add even more basic issues, like when a cyberwar is understood to have begun, and how it ends. When even cyber security experts can’t answer these questions, it’s hard to expect much from policymakers.

We can set parameters. It is obviously not an act of war just to develop digital weapons targeting another country. Using cyber attacks to spy on another nation is a grey area, which gets greyer still when a country penetrates information networks, just to see if it can do so. Penetrating such networks and leaving a back door open, or even leaving logic bombs behind to be used later, is a harder case—yet the US and China are doing this to each other right now.

And what about when one country deliberately damages the economy of another, as one of the WikiLeaks cables shows that a member of China’s politburo did against Google in January 2010? Definitions and rules are hard not just because the tools of war have changed, but because cyberspace puts them into the hands of a broader group of people. Previously only the military had weapons. Now anyone with sufficient computer skills can take matters into their own hands.

There are more basic problems too. When a nation is attacked in a regular conflict, a variety of military and civil institutions respond. The legal framework for this depends on two things: the attacker and the motive. But when you’re attacked on the internet, those are precisely the two things you don’t know. We don’t know if Georgia was attacked by the Russian government, or just some hackers living in Russia. In spite of much speculation, we don’t know the origin, or target, of Stuxnet. We don’t even know if last July 4’s attacks against US and South Korean computers originated in North Korea, China, England, or Florida.

When you don’t know, it’s easy to get it wrong; and to retaliate against the wrong target, or for the wrong reason. That means it is easy for things to get out of hand. So while it is legitimate for nations to build offensive and defensive cyberwar capabilities, we also need to think now about what can be done to limit the risk of cyberwar.

A first step would be a hotline between the world’s cyber commands, modelled after similar hotlines among nuclear commands. This would at least allow governments to talk to each other, rather than guess where an attack came from. More difficult, but more important, are new cyberwar treaties. These could stipulate a no first use policy, outlaw unaimed weapons, or mandate weapons that self-destruct at the end of hostilities. The Geneva Conventions need to be updated too.

Cyber weapons beg to be used, so limits on stockpiles, and restrictions on tactics, are a logical end point. International banking, for instance, could be declared off-limits. Whatever the specifics, such agreements are badly needed. Enforcement will be difficult, but that’s not a reason not to try. It’s not too late to reverse the cyber arms race currently under way. Otherwise, it is only a matter of time before something big happens: perhaps by the rash actions of a low level military officer, perhaps by a non-state actor, perhaps by accident. And if the target nation retaliates, we could actually find ourselves in a cyberwar.

This essay was originally published in the Financial Times (free registration required for access, or search on Google News).

Posted on December 6, 2010 at 6:42 AM • 70 Comments

Comments

BF Skinner • December 6, 2010 6:59 AM

Here's another grey area.

Denial of service attacks on Wikileaks; purportedly by a lone hacker. There has been speculation that this is actually an attack from the USG. Since the FBI has a long history of coercing and coopting hackers for their skills and access it's in the realm of the possible. And presumedly it's NSA's basic skill set. Even if it's not there have been loud calls from even louder mouths to use CyberCOM for just that. The attack of a state against a non-state actor. Since the US claims this right in its conflict with Al-Qaeda, and that conflict is extra-territorial. It's a no-brainer that it ranks as a precedent for conflicts inside people's networks.

James Rycman • December 6, 2010 7:24 AM

Would a cyberwar remain in cyberspace? Especially if there are casualties of the cyber attack?

Naveed • December 6, 2010 7:34 AM

Respected Schneier,

In the last few days, two nuclear-armed states (India and Pakistan) were involved in cyber attacks on each other's websites. These include an attack on the Central Bureau of Investigation of India and thirty-six government websites, including the Pakistan Navy, Pakistan Army, National Accountability Bureau and Ministry of Foreign Affairs of Pakistan. Please read more on Tribune Newspaper links [1], [2], [3].

The question is, is web server security that weak? I believe hackers know more than system administrators and web developers.

References

[1]. Cyber warfare: Indian hackers take down 36 govt websites http://tribune.com.pk/story/84269/cyber-warfare-indian-hackers-take-down-36-govt-websites/, Date of publication: 1st December, 2010, Date of access: 6th December, 2010.

[2]. Cyber war: Indian hackers take down OGRA site, http://tribune.com.pk/story/85909/cyber-war-indian-hackers-take-down-ogra-site/, Date of publication: 4th December 2010, Date of access: 6th December, 2010

[3]. Cyber war escalates: Pakistani hackers take revenge, http://tribune.com.pk/story/85746/cyber-war-escalates-pakistani-hackers-take-revenge/ Date of publication: 4th December, 2010, Date of access: 6th December, 2010.

MemVandal • December 6, 2010 7:37 AM

I don't agree with you. "Cyber weapons" (as it's called) cannot be compared with nuclear weapons, or any other type of weapon in any regard.

bob • December 6, 2010 7:50 AM

@MemVandal: insightful argument there.


Not sure how the changes to the Geneva Convention would work. Putting laws into place to protect civilians will be a bit tricky in a domain run from the ground up by civilians...

Tordr • December 6, 2010 8:32 AM

To all world leaders:
Let's just remove this thing called the Internet before someone gets hurt.

Contemplating starting a nuclear war because your webserver got hacked, someone posted something about you on the net that you did not like or someone was mean to you on the net is a bit of an overkill, don't you think? Yes, your feelings might be hurt, but in actual fact no-one was really physically hurt.

This is a part of growing up that each and every one has to do. You might be a big boy now and a member of China’s politburo or some other world leader. But being a leader means that bullies on the net will be mean to you, and do things that might hurt your feelings or your IT infrastructure. If you start down the road of retaliation, your retaliations might escalate out of hand and you might actually cause people to die, and we do not want that?

So until we all can be responsible adults be nice to each other (and more importantly live with other people that are mean), maybe we should just turn off this thing called the net. People have lived in communities for thousands of years without the internet and have survived. Yes, it will take some adjustment to not have the world of information at your fingertips, but it might be the best thing for mankind.

Brett O • December 6, 2010 8:32 AM

Defining Cyber war is like trying to define the edge of a cloud. Like a cloud, Cyber war is only the latest in hype without substance. The problem starts that we try to define aggressive or destructive acts in cyber with real world terms. War in the real world is defined to be between armies and nation-states. Its goal is, in its most basic, to control territory. Real-world nation-states may attack each others' assets and we should amend the Geneva Conventions, etc. to prevent cyber aggression against the cyber assets of nation-states to devolve to military action (i.e. bytes-to-bombs). But the irrelevance of nation-states in cyber aggression is highlighted in the 'skirmishing' between PRC and Google (i.e. in cyber realm, they are equal). So-called protections for international banking are ridiculous - in cyber, everything or anything can and may be international (aside from cyber assets of nation-states governments and military). What may be needed is a United Un-Nations - a non-national body to define unacceptable, define cyber-aggression, and to provide unified protective and forensic tracking. Sort of a "START" treaty for cyber. However, "weapons control" is likewise silly in Cyber - the weapons are code, programs, and online devices.

Steve • December 6, 2010 8:49 AM

How does one determine what a "stockpile" of "cyber weapons" is? All you need is one copy to launch an attack. Since most of these things are self-replicating, the "stockpile," so-called, could be anywhere, from the President's laptop to Malia or Sasha's smart phone to a bunker hidden under the Pentagon.

Scott M • December 6, 2010 9:28 AM

@Brett O. beat me to the punch in many of his points, but I'll follow on by adding that "cyber war" mirrors a lot of the problems that modern, asymmetric warfare faces; anonymity of aggressor, ease of weapons procurement, high civilian "casualty" rate, and a fluid movement of public posturing between "justified" unethical action and indignation over others' doing the same.

If the idea of cyber war is, as with conventional war, to establish and hold "cyber territory", it is a mistaken analogy in that new physical territory is limited and is not being created, whereas new networks and a larger cyberspace are simply a matter of capitalization and technical effort.

If the idea of cyber war is to corral and influence a population, one would have to see the segmentation of political viewpoints on cable television as being in the same genre - and as susceptible to the prejudices and general non-participation as television commercials usually are. This seems to be a small and temporary threat at most.

What remains is cyber war as a means of controlling economic systems - the fear of monetary rather than geophysical or political loss. And in this, there is again a continuum between "Cyber terrorists" and legitimate government efforts such as those used to hunt down and sequester criminal funds. The tools are similar, and occasionally so are the participants.

Thus, the real fear is that a malicious agent may invade and cripple the economy of a nation or a population quickly and irretrievably.

Wouldn't this then be the ideal place for the implementation of Mr. Schneier's long-advocated ideal security system of resiliency, non-brittle response and refusal to be dominated by fear?

Brandioch Conner • December 6, 2010 9:38 AM

I agree with MemVandal and Steve. How are you going to monitor a "stockpile" of code? Thumb drives can store over a hundred gigabytes of code.

And I think that any reference to "nuclear" in this discussion is counter-productive.

Not a single person has died in this "war".
It will never be a "war".

The closest analogy is a video game. Right down to patching and rebooting.

Andrew • December 6, 2010 10:01 AM

The first US Government cyber-war was the attempted Wikileaks takedown by putting pressure on companies to cut services.

RH • December 6, 2010 10:10 AM

@MemVandal: I disagree. I believe they can be just as damaging as physical weapons (though I will concede, it's hard to effectively compare them to nuclear ones). If a country shells a bridge, stopping food from flowing into a region, its effect is clear. If a country disrupts shipping computers to cause an economic breakdown in that corner of the market that prevents food from flowing into a region, it is the same effect.

Brandioch Conner, no one has died "yet." I don't think it's a war yet either (though the Estonia event had some potential), but it has the potential to start killing with ease.

Adam Trickett • December 6, 2010 10:24 AM

Can we set parameters?

Where do you draw the line and how do you know what will happen? It's easy to imagine a lone nut with an axe to grind or a whole government department launching an attack.

At the same time given how fragile and interconnected countries have become how do you know that your prank against one site would cause a major civic disruption?

Fear, uncertainty and doubt will sell lots of hardware and software to governments but I have little faith it will be of much use, until there has been a "real cyber war" and we really know what will happen...

Trichinosis USA • December 6, 2010 10:26 AM

Crippling economies is an end objective which can be the result of the manipulation of a vast number of other systems which are not well understood by the layman; and therefore can be easily compromised and their supposed safeguards circumvented. Dependence on computers for financial purposes is only part of that problem. It is easier to blame financial machinations on a "cyber war" - it's a flashy and trendy explanation that the public will readily accept from some stentorian authority - than on simple embezzlement, graft and fraud. So communications are indeed being controlled here, but not at the level one might think - the problem is between monitor and brain; the willingness of the reader to believe everything they're told when it comes from certain directions.

The immediate objective of ANY cyber warfare is to control *communications*. This takes place at all levels (down to the physical layer) and across all borders.

Denial of service, permanent or temporary. Channeling of service via specific conduits in order to alter results. Eavesdropping and countermeasures. And lies, misinformation, half-truths, diversionary "infotainment" and propaganda, which the world is well and truly awash in at the moment.

Trichinosis USA • December 6, 2010 10:37 AM

Addendum - Bruce's willingness to remain objective and scientific is what gives him credibility, but I think it's clear from the nature of the target where the Stuxnet worm came from. That really is the ultimate determinant of the source of an act of war - who benefits and who does not.

What I am trying to say is that just because "Someone"(tm) says that what Wikileaks is currently releasing is classified information, that does not necessarily make that information

1) True / accurate
2) Uncensored / uncompromised
3) Without a hidden agenda attached to its release to the public

Again: who benefits from the LATEST release of the Wikileaks information, versus the first release of the Collateral Murder video? People need to look at that - because the beneficiaries have changed between the time before and after Bradley Manning was taken into custody. The nature of the information has changed. The targets have changed.

Davi Ottenheimer • December 6, 2010 10:43 AM

Not a lawyer but pretty sure motive not as good a test as consequence.

Consequences so far are so limited as to be insignificant. Georgia's formal complaint against Russia's invasion omitted any mention of cyber anything.

More to the point, Google claims severe harm when their own perimeter is breached, yet they take a completely opposite position on harm when they breach the walls of others...

http://www.reuters.com/article/idUSTRE6B25I120101203

"Google said in a statement: 'We are pleased that this lawsuit has finally ended with plaintiffs' acknowledgment that they are entitled to only $1.'"

The plaintiffs argued imaging their private drive and posting online would cause harm...Google argued no proof of harm. The court said Google was liable, but no payout required.

So, with consequences as a test, what has Google proven in terms of harm re: Aurora? We know Georgia said there was no harm. What has Estonia proven?

I don't mind the comparison of cyber to nuclear as the latter has a known consequence. Deterrence is not pinned to motive, it is all about avoiding the consequence.

Davi Ottenheimer • December 6, 2010 10:52 AM

@ Scott M

"What remains is cyber war as a means of controlling economic systems - the fear of monetary rather than geophysical or political loss."

Good points. You isolated economic harm, but at what level of "control"?

Why not just wrap loss expectation into a model for operational risk, such as a Basel III capital offset?

War then would only be an attack that produces loss beyond a level that a national entity could bear on its own.

Brandioch Conner • December 6, 2010 10:54 AM

@RH
"I don't think it's a war yet either (though the Estonia event had some potential), but it has the potential to start killing with ease."

How, exactly, is it going to kill a healthy adult male walking down the street in his home town?

Lightning strikes kill more people. In fact, ANYTHING that has killed a single person has killed more people.

Angelo Castigliola • December 6, 2010 10:55 AM

Excellent op-ed on Cyberwar Bruce

Some key points I took away are:

• We have no clear definitions of what a cyberwar actually is.
• When a cyberwar is understood to
• Previously only the military had weapons. Now anyone with sufficient computer skills [build military grade weapons.]
• Establishing the legal framework
• Hotline between the world’s cyber commands.
• New cyberwar treaties.
• Limits on stockpiles
• Restrictions on tactics

The cyber offensive and defensive weapon systems of the Department of Defense’s U.S. Cyber Command seem to still be in planning phases. The second generation of Einstein (http://en.wikipedia.org/wiki/Einstein_(US-CERT_program)) is a new offensive intrusion detection system, funded by the DoD’s competitor for cyberwarfare monies, the Department of Homeland Security. Einstein is the only military cyber weapon system that I am currently aware of that has actually been implemented. Einstein was architected by US-CERT.

-Angelo Castigliola
http://www.castigliola.com/

Brad Templeton • December 6, 2010 10:56 AM

Bruce, I am surprised to see you take as a given that cyber defence (or even attack) should be a military, rather than civilian thing.

Military traditions were defined on the battlefield, where people's lives are on the line, and you need chains of command, obeying orders without question, and people ready to lay their lives on the line and to order people into danger.

Cyber conflict is conflict, the attacks can cause real harm. But are the military traditions the right ones? The soldiers are not at risk. While civilians are at risk, by far the greatest risk is to property. Is this more like firefighting or policework than battlefield ops? Do we want a cybercommand with a big military command center?

Clive Robinson • December 6, 2010 11:01 AM

First point why is it "war" call it "crime" which is what it actually is it makes life a whole lot easier if you do.

Secondly the tools used to commit these crimes do not have physical actuality except when stored etc. They are information plain and simple just like any other information and unlike physical matter it is not constrained by forces...

This has some quite profound consequences which people are not picking up on.

1, Everywhere is local (no distance cost metric).
2, Force multiplication is close to infinite.
3, Attack cost is only of tool development.
4, No energy is expended by the attacker.

There are no physical tools (or weapons) that have these properties; they allow an individual to be an effectively infinite army attacking at all places at exactly the same point in time at effectively zero cost.

Until we get to grips with this all talks of arms limitation etc are completely and utterly meaningless.

@ Bruce,

You mentioned wikileaks, but did not mention that one supposed case of "cyber war" on the Brazilian power network was no such thing but importantly the US knew this but still continued to "talk it up".

I suspect we are now entering a "phoney war" era where as in the cold war every one will make predictions that expand the "enemy" capability whilst also diminishing the home "military" just to get larger appropriations and build bureaucratic mountains.

However just think a while on "rogue nukes" theory and just watch that run and run.

The simple fact is that nearly all computer systems irrespective of the precautions we have taken are wide open to being "owned" even if they are not owned already (hence the APT issues that zero-days engender).

When you add in appropriate covert communications which have not been seen it brings the "sleeper agent" idea to the fore.

As the ancient Chinese curse has it our technology and our increasing dependence has put us well and truly in "interesting times".

However I'm not overly worried because unlike in the second world war and cold war all the world economies are too interlinked and mutually dependent to make "cyber war" viable except as a Saber Rattler.

The way to ensure this state is to actively encourage economic ties with nations and increase the mutual dependence. Not as we currently do isolate countries and try and weaken them.

As I said that outdated doctrine is based on physical weapons and armies and the opposite applies to information weapons and armies.

The big problem is thus not Nation States but rogue individuals that are committing criminal acts and it is this we really should be diverting our "cyber efforts" to. Failing to appreciate this now is only going to cause us real pain only a short distance down the road.

Cyberdawg • December 6, 2010 11:22 AM

"A first step would be a hotline between the world’s cyber commands, modelled after similar hotlines among nuclear commands." - would that be on VOIP?

BF Skinner • December 6, 2010 11:47 AM

@Clive 'The way to ensure this state is to actively encourage economic ties with nations and increase the mutual dependence. Not as we currently do isolate countries and try and weaken them.'

This was actually a proposal in the early 80s. Inter-connect the Soviet and American power grids. Power distribution becomes more cost efficient and people are thought to be less likely to nuke their own power system.

However I think the logic of a cyber-war forces just that. If you want a way into someone's networks and need a jumping off point within their IP space how much easier is it to use your own nation's corporations' worldwide offices.
With or without their consent.

Bechtel Group was accused of wittingly doing that for CIA's human assets.

Also as governments continue to outsource their IT infrastructure to various companies (who outsource theirs to ...) it wouldn't be surprising to find say a GDIT or Northrop Grumman contract managing the power IT system of say a Brazil or a Thailand. I'd say we saw just that with Iran's nuke and Siemens with a Russian integrator.

mcb • December 6, 2010 12:16 PM

"Bruce, I am surprised to see you take as a given that cyber defence (or even attack) should be a military, rather than civilian thing." - Brad Templeton

"First point why is it 'war' call it 'crime' which is what it actually is it makes life a whole lot easier if you do." - Clive Robinson

Lost me too, Bruce.

Call me old school, but unless your actions are creating prompt casualties in the physical world it's not war. Unless you're actually blowing up your opponent's servers or killing his programmers hacking is a crime not war. And once you're pulverizing bricks & mortar or shredding meat it's no longer a cyber event. Granting an attractive Cylon unsupervised access to the server that controls planetary and fleet defenses might qualify, but even that is mostly physical sabotage as a prelude to a shooting war.

Hotlines and batphones work (a little) when the entities operating intercontinental bombers, ballistic missile submarines, or ICBMs are well known to you. I don't see much point in calling Russian Cyber Command to ask if that was them who just emptied someone's Swiss bank account or hacked the SCADA for the Greater Atlanta water treatment & distribution system. Such attacks are so deniable you wouldn't have any good reason to believe them anyway. If you've been seriously punked you might not even be talking to Russian Cyber Command.

Economic assets are the primary target, not something every (let alone all) participants will agree are off limits. While they may be investigated by parties organized under reciprocal agreements, criminal acts (almost by definition) will not be guided by universal codes of conduct or constrained by treaty.

To the degree anonymous rogue actors are the norm rather than the exception you can make a stronger case for "cyber terrorism" than you can "cyber war" so why not leave it all alone and continue to call this sort of hacking online economic crime?

$0.04

Casper • December 6, 2010 1:54 PM

All very well having 'hotlines' between governments, but the greatest thing about the Internet (assuming a level playing field) is also the most dangerous.

Anyone with a bit of skill and resource can quickly raise an 'army' capable of taking on any other presence on the net.

It's history repeating itself. People form tribes/gangs/hordes to fight other tribes/gangs/hordes.

A hotline might stop one country mistakenly retaliating against another but will there be hotlines to the tribes/gangs/hordes attacking the King in his castle?

pfogg • December 6, 2010 2:58 PM

Treaties work only if violations can be accurately detected, while limits on weapon design and construction work only if weapons plants are readily detected, and limits on stockpiles only work if stockpiles are easily verified.

Nuclear weapons require expensive, comparatively specialized resources and production facilities to create, and non-proliferation is hard. Chemical weapons are a little easier to get away with, and biological weapons have proven trivial to produce without a trace (USSR program).

As several comments and the *article* point out, none of these conditions apply to malware. What possible use can there be for treaties and limits if there's basically just an honor code in place to assure compliance?

Alex Bond • December 6, 2010 3:16 PM

Personally, I think espionage and covert ops are a better analogy for the current internet conflict than "war" will ever be. Like espionage and covert ops, government-sponsored hacking and malware (such as Stuxnet or Aurora) will always begin covertly and it will always be difficult or impossible to attribute to a state actor. If you can't connect an attack to a government, you can't enforce any treaties that should regulate government behavior. As we see continuously in the physical black-ops world, secrecy trumps legality every time.

Unless we develop massively improved attribution techniques, we will never have an effective law of cyberwar. For a more detailed analysis, see my blog post on the subject: http://renaissancesecurity.blogspot.com/2010/09/cyberwar-revisited.html

Seiran • December 6, 2010 3:42 PM

The idea of "cyberwar" is an invention created to frame cybercrime in the context of a real war, which it clearly is NOT. Films, books and TV series that exaggerate the potential effects of cyber attacks, such as Season 7 of "24", and Schneier's suggestions to establish "hotlines" unfortunately serve to legitimize this notion.

I am working on a lengthier analysis - to be posted elsewhere in the interest of brevity. Essentially, there are several defenses and responses to "cyberwar" that reduce the threat. These are: reducing single points of failure through partitioning and platform diversity, managing insider threats by controlling access, robust failovers, and a hardware-level security overhaul synchronized with a new OS model that sandboxes everything. As I will propose, although perfect security may be unachievable, the barriers to attack can be raised sufficiently to make most amateur attacks unfeasible.

Fictional works such as Dan Brown's "Digital Fortress" and "Live Free or Die Hard" (2007) often revolve around detected, active attacks. In Dan Brown's book, a plot device is also added so that the system cannot be easily disconnected or turned off. In reality, most attacks are not detected until the damage is already done - though this makes for boring reading - and the first response to a system-disrupting attack is to isolate it.

In the case of an unlikely catastrophic attack on infrastructure that is ongoing, a selective disconnection and/or partitioning of the Internet can be achieved by unpeering or filtering links between ISPs, and client isolation. For example, Verizon Business could force certain traffic to go through a filtering proxy allowing only 80 and 443. Provider-level responses are also most effective against brute force DoS.

As for DDoS and consumer-targeted attacks, these theories can be coupled with real measures, which can be implemented today and very cheaply, to wipe out most botnets and malicious code. Initially I had imagined using CDs as a trusted boot source to allow for mass disinfection of computers. There is actually a much simpler solution that Microsoft could implement. Provide free copies of Windows Vista Basic (or whatever OS is two generations behind), sponsored by computer stores and widely distributed with no activation needed. The disc would look for a copy of XP (licensed or not), zip the old Windows directory, do an in-place reinstall of Vista Basic and turn on all the updates.

This would permanently remove a large number of zombies by wiping out some of the 2000/XP install base, along with increasing uptake of Windows Updates. It will reduce piracy and Linux usage, enhance their brand perception while preserving revenue from premium edition sales and OEM royalties.

JT • December 6, 2010 4:44 PM

Wow, this is a totally awesome blog and I intend on checking up on it as much as I can!

@Seiran
Yes, any movie about computer security is going to be overdramatized and inaccurate. I think our best defense against cyber crime is an educated public. You can have the best anti-virus, but if you're uneducated, then you will probably just push the "allow" button anyhow. And good luck with the whole Linux/Windows thing. I use Linux most of the time, but Windows is a huge corp. and I will be shocked if they ever give up their power and go open source. Also find it hilarious that some of these comments are longer than the actual blog post! :)

Dirk Praet • December 6, 2010 4:53 PM

Since the dawn of times, man has waged war on others, and for every possible reason. Throughout time, technology, strategies and methodologies have changed and evolved. So have stakes and players.

The huge dependency of today's society on its cyber infrastructure makes it an interesting target to control, exploit, subvert or bring down individuals, companies and states alike. Even more appealing is that it requires relatively much less resources than conventional warfare and is much harder to trace. At its sneakiest, it could be considered a contemporary form of hi-tech ninjitsu.

We can only speculate as to what a full blown "cyberwar" would actually look like. What we've seen so far - or at least what we are aware of - are nothing more than skirmishes and experimental test runs, such as Stuxnet or the attacks on Google allegedly ordered by PRC government officials. To date, it's a fantasy as depicted in Die Hard 4, Terminator, or my all-time favorite "A Taste of Armageddon", episode 23 of Star Trek: the Original Series, first aired in 1967, in which two worlds wage war on each other by computer simulations, but with real executions.

It's reasonable to assume that all but the most clueless and naive governments nowadays have agencies specializing in cyber monitoring and defence. Although none are likely to confess to it - that is till some next episode of Wikileaks - , cyber offense is just a step away. The required resources and skills are pretty much the same. In this respect, it does make sense to proactively work on international legislation and regulation. Unfortunately, I believe that this is not going to happen anywhere soon. It is just not in human nature to take such measures until form and consequences of such a conflict become clear and irrefutable to the general public, i.e. when illustrated by a major event, deliberate or by accident.

Maybe with the exception of germs, most weapons grade technology ever invented has at some point been used before treaties were put in place to regulate its quantity, usage and proliferation. Chemicals were used in WWI, in Vietnam and other places. Nukes were used in Japan. The main reason they haven't been used since is by fear of retaliation and the risk of planet-wide escalation, not because of its atrocity. The same goes for biological warfare: the chances of a first strike backfiring on yourself are just too big to even consider its use, that is unless you don't mind wiping out yourself too. And in quite a horrible way.

Now herein lies an interesting thought for potential advocates of cyberstrikes. If your argument is that it offers the opportunity for surgical precision strikes and that it allows for "clean" warfare with limited loss of human lives or collateral damage to other but cyberinfrastructure, you may just be in for a big surprise. There is just no telling what chain of events you might set off or to which extent you could contain them to prevent wreaking havoc not only on your opponent, but also on yourself.

I therefore wholeheartedly concur that the best way to deal with a possible cyberstrike or cyberwar is by building highly resilient systems, secured from the ground up, and not depending on one and the same technology. With which I mean more than just different vendors or codebases. Regulation is just not likely to happen before we are actually faced with such an event.

Mike Lambrellis • December 6, 2010 7:34 PM

I agree that infowar "weapons" are different from nuclear/conventional weapons. However, I agree because I believe the impact of infowar weapons is potentially far greater and the effects more long-lasting.
When a conventional weapon is deployed - everyone knows about it.
When an infowar weapon is deployed - people may not even be aware it's happened. Think about the long term potential for shaping the thinking of millions of people through the appropriate psyops.
Why do you think Wikileaks has generated such a vitriolic reaction?

Brandioch Conner • December 6, 2010 7:54 PM

@Mike Lambrellis
"However, I agree because I believe the impact of infowar weapons is potentially far greater and the effects more long-lasting."

"greater" than nuclear? You do not know what you are talking about.

"When an infowar weapon is deployed - people may not even be aware its happened."

Exactly.

"Think about the long term potential for shaping the thinking of millions of people through the appropriate psyops."

Exactly how would that happen?

"Why do you think Wikileaks has generated such a vitriolic reaction?"

From who? Answer that and you'll answer the "why".

Mike Lambrellis • December 6, 2010 8:15 PM

@Brandioch

If you look at the single instance of nuclear weapon use - the immediate effect was on accelerating the end of WWII. However the long-term effect was one of turning many people (and states) against the whole concept of nuclear weapons for generations - an outcome which if it had been considered by the military (who knows), may have counselled against its use at that time.

As for shaping the thinking of millions of people through psyops - re-read Orwell or Goebbels. Or consider the Romans' bread and circuses. Or consider the extent to which the American republic is haemorrhaging its freedoms (drawn out over decades) in the name of security, all the while its citizenry continues to believe that it maintains those same freedoms.

As regards the reaction to Wikileaks - the reaction from the holders of power is predictable. What interests me are the masses of people who find it far easier to focus on the possibility that Assange is a foreign rapist out to destroy America, rather than on the certainty that their government(s) are acting illegally and (arguably in a lot of cases) against the interests of their citizens.

People do not like being woken from slumber. The fact that so many have been slumbering for so long, is a testament to just how exquisitely powerful propaganda can be.

I'm reminded of that scene in Monty Python's "Life of Brian", where the shackled prisoner is telling Brian how wonderful the Romans are; that the citizens don't know how lucky they are and that they don't deserve the Romans; and that opponents should be condemned - "Nail 'em up I say! Nail some sense into 'em!"

KB • December 6, 2010 8:54 PM

Segregation is necessary. New organizational mechanisms require new organizational responses. It's naive to think that nation-states can regulate a medium which is not bound by regions.

Nations work because of propinquity. You know your neighbors and they know you. That's the premise that binds societies together, and strategic interest is what binds societies together, from municipal government to coalitions. This method of organization doesn't make sense when infrastructure which defies these traditional boundaries is introduced.

As long as the rate of organization online is greater than the organizational rate of traditional social institutions, a sort of power vacuum will remain.

Brandioch Conner • December 6, 2010 9:11 PM

@Mike Lambrellis
"If you look at the single instance of nuclear weapon use - the immediate effect was on accelerating the end of WWII."

Interesting. I would have thought that the "immediate effect" was the death of so many people in Hiroshima and Nagasaki. Considering that it took 9 days for them to surrender after the first attack.

But I'm sure that having to restore a computer from a backup is just as bad as that (if not worse).

"As for shaping the thinking of millions of people through psyops - re-read Orwell ..."
and
"I'm reminded of that scene in Monty Python's ..."

Let's leave works of fiction out of this for now, okay?

"Or consider the extent to which the American republic is haemorrhaging its freedoms (drawn out over decades) in the name of security, all the while its citizenry continues to believe that it maintains those same freedoms."

You still have not explained how any computer worm would accomplish that.

50,000 people dead in a single blast and more dying later
vs
Restoring from a backup tape.

No, I'm not seeing your point.

Mike Lambrellis • December 6, 2010 9:45 PM

@Brandioch

> You still have not explained how any computer worm would accomplish that.

> 50,000 people dead in a single blast and more dying later vs Restoring from a backup tape.
> No, I'm not seeing your point.

The point is that I'm talking about information warfare not PC hacking. The definition at Wikipedia is close to how I consider it:

"Information warfare is the use and management of information in pursuit of a competitive advantage over an opponent. Information warfare may involve collection of tactical information, assurance(s) that one's own information is valid, spreading of propaganda or disinformation to demoralize or manipulate the enemy and the public, undermining the quality of opposing force information and denial of information-collection opportunities to opposing forces. Information warfare is closely linked to psychological warfare."

In my consideration I've focused on:
- spreading propaganda and disinformation to manipulate the enemy and public,
- undermining the quality of opposing force information,
- denial of information collection opportunities

In that context, the propagation of the "war is peace", "security is freedom", and "dissent is traitorous" memes in the past decade has softened up the (majority of the) public to not only accept but demand increasing restrictions on their freedoms.

I hope that frames my original comments in the appropriate context.

Dan • December 6, 2010 9:58 PM

Who cares about proliferation, stockpiles, etc?

Just declare "cyber-warriors" to be combatants - this will be fun!

Imagine, unrestricted bombing of civilian targets based on (probably faulty) wifi geolocation. :)

Is Dec 6 the new April 1?

I agree with mcb 100%... (and I'm a bit disappointed.)

Mark Grinberg • December 6, 2010 11:40 PM

As this blog gets increasingly more traffic, I've started to get interesting articles sent to me from all sorts of places. One of these was sent to me a while ago, and I've chosen to get around to responding to it now, as I would like to spend some time addressing the scope of cyberterrorism and whether or not it actually constitutes a threat.

I believe that I have shared some insight into what terrorism attempts to accomplish, and to sum this up in one word, one might say that terrorism attempts to change. This change is not inherently wrong, but usually, the methods (terrorism) used to achieve the change are unjust. I'm going to ask you to leave this in the back of your head for now.

The article I was asked to respond to was Seymour M. Hersh's article in the New Yorker (November 1st, 2010) which makes several important points. John Hudson over at The Atlantic Wire sums up how most bloggers are responding, but I'll bring up a few new things in addition to Hudson's points. First of all, as Hudson notes, Hersh makes an important distinction between cyber war and cyber espionage. There is a difference. Cyber espionage is, to paraphrase Hersh, attempts by one government to glean information regarding troop movements, economics, or other fields that would be useful knowledge. Cyber war, on the other hand, is an outright attack, such as hacking an electrical grid (though Hersh doubts the possibility of this).

What Hudson doesn't bring up, however, is that Hersh makes another important distinction - the difference between cyber war and cyber terrorism. Obviously, if you've been reading to this point, you understand that the primary concern of this blog is the latter. Hersh skips over a precise definition of cyber terrorism in his final few pages, but does suggest that it is constituted by cyber war conducted by non-governmental agencies (such as Al-Qaeda). Hersh suggests that this threat is not imminent, as most terrorist organizations are focused on defense - for now. However, he notes that in the future, cyber terrorism could be a real, important threat.

This links back into what the main goal of terrorism is, as I mentioned earlier - change. Governments, on the whole, according to political realist theory, usually wish to protect the status quo (for the most part) in order to maintain their own existence. They are, on the whole, not interested in chaos or mass change. This is where they differ from terrorist groups, especially radical terrorist groups like Al Qaeda, who wish to create mass change through chaos or violence. States often use violence, often - but usually to protect the status quo or keep themselves in power.

Therefore, I come around to the second of Hudson's points pulled from Hersh. Cyber warfare is a sham. It will not happen anytime soon, because any form of cyber warfare would destabilize the entire system, causing mass chaos around the world as governments responded to domestic attacks and those attacks had inevitable externalities and repercussions outside of those designed by the attacker (see: Stuxnet, which Hersh offers points about on page 2 of his article). However, terrorists would doubtlessly utilize the internet and our increasing inter-connectivity and reliance on technology to de-stabilize the system and cause mass panic. Although cyber terrorism is not currently in our backyards, it is a looming threat that is important to defend against and prepare for.

-Excerpt from Flash Drive Terrorism (http://flashdriveterrorism.com)

Brad Templeton • December 7, 2010 2:18 AM

It's not that the cyber attacks aren't dangerous, and the response isn't important. It's that the structures of the military, born in battlefields where anything but strict obedience to an order from your superior could result in death, may not be the structures for cyber battles.

I think you want a civilian agency, without military rules as a given, and without military authority as a given. Also, cyber defence must often be done on U.S. soil where the military does not normally wage war.

AC2 • December 7, 2010 3:28 AM

Bruce, sorry but your original post contains more garbage than anything I have read on the net in the past 6 months...

Not even worth spending time putting up a detailed response...

A blog reader • December 7, 2010 5:38 AM

Can one imagine concepts along the lines of "cyberwar" or "cyberterror" being used when influencing the actions of consumers? One seems to remember an ad that related to information security (possibly an ad for security software.) Among other things, this ad showed a hand grenade that had keyboard buttons on the outside.

Clive Robinson • December 7, 2010 6:49 AM

@ Brandioch Conner,

> 50,000 people dead in a single blast and more dying later vs Restoring from a backup tape
> No, I'm not seeing your point.

There are a number of assumptions underlying both your and Mike's comments which is part of the overall problem of the name issue of "cyber-war", "cyber-terrorism", "cyber-crime" and plain simple crime.

If you think about just the end results of death and destruction then a nuke is a very very poor return on investment as a weapon. If you look at the cost per death then Hiroshima was the highest financial cost per death ever.

An information based weapon has no cost other than development time which is trivial by modern standards.

Stuxnet is interesting because of this. Its development costs are negligible against the cost of other weapons as simple as handguns. Once launched it had little or no cost for the sponsor; it was in effect "fire and forget".

The damage it has done is almost impossible to calculate including the secondary effects (such as those Iranians who have supposedly been "disappeared"). So as a return on investment it was potentially an extraordinarily cost effective weapon and potentially has saved the cost of another major war (depending on your view point).

However unlike nukes info weapons are effectively one time use of the development. That is most if not all the development costs are negated because as a weapon its success is based on its design being unknown to the target. Nukes on the other hand can even when all their design principles are known to the target be used against the target again and again without further development.

So the question arises can an information weapon be developed that remains stealthy and thus unknown to the target whilst still inflicting major damage to the target or can a weapon be produced that has minimal development costs but does significant damage to the target.

Well the answer to the latter is yes and it's the cost of Captain Hotpants and Corp Hotfoot; the economic cost of the TSA and DHS is probably more than the cost of a major war (I need to dig out the figures) both directly and indirectly.

Now the question is, is it (A) the "information of how to make PETN" or (B) the "physical presence of PETN in somebody's clothes" that is causing the cost or (C) even the possibly faux "information on what could have been".

Now I'm going to argue that it's not B because the weapons (appear) to not have been viable. I'm also going to argue it's not A as the information was (and may still be) in a "local library" in the UK and as it worked for me to make PETN it appears to be correct but its cost is just that of keeping the book. So that kind of leaves C or "the fear of what might be".

C is arguably nothing more than information that has become knowledge in people's minds and this knowledge has invoked fear in some people that in turn has incurred the vast extra cost of the TSA and DHS in recent times which as it has a sizable economic cost which if accumulated may exceed the cost of Hiroshima depending on how you decide to calculate it.

Having established (based on view point) that an information weapon can produce a huge economic cost and the resulting damage that causes we need to establish if it is possible that a covert source of information can do similar.

So back to my former question,

"Can an information weapon be developed that remains stealthy and thus effectively unknown to the target whilst still inflicting major damage to the target".

I think the answer is yes and that it can be done even despite your comment,

"... vs Restoring from a backup tape".

You have a presumption in the "backup" being capable of "restoring" to some former working state.

As I have said before on this blog this is an unsafe assumption simply because we cannot see the data stored on the tape and are reliant on a "trusted agent" and are thus assuming we can get access at some future point without actually knowing.

MS has proposed in the past encrypting all user data in a way that makes it useless to an untrusted party, but importantly the mechanism they proposed allowed them or others upstream of the document to be able to revoke access at any time and do it irrevocably.

Put simply if the data on a backup tape is encrypted then if the key is lost then recovery is not possible. As it is not possible to see the data on the backup tape you do not know if it is encrypted or not. You are reliant on a "trusted agent" (the back up software) to tell you. If the agent can be subverted in some way then it could start encrypting all your backups from now onwards to some point in the future where it is activated and forgets the key and the data on the backup tape is lost at that point, if it also corrupts the data on the hard disk then restoring the backup won't help.

Now there is a variation on this whereby "old files" get corrupted bit by bit. On many systems you can find out not just the date when data was created or updated but also when it was last looked at. Let us assume that I randomly select from data files that have not been accessed (apart from backup) for over three months and randomly flip a bit and I do this once every five minutes.

Slowly with time all your files that are more than three months old will become corrupted in a random way. In some files this will not be much of a problem to sort out as the individual bit might be of little consequence; in others it may be of major consequence.

This has the effect of instilling in people the knowledge that the IT systems they have become dependent on have become "untrustworthy"; this could have a very major economic impact.

Even if a specific instance is found the fear will be there, the trick is to keep it alive so people know it is not just a one off that will fade with time.

So yes I think it is possible to develop a cyber-weapon that could have an overall cost greater than the Hiroshima bomb.
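Added example, not part of the comment above or of the original thread: a defender's check against the two failure modes described there (old files corrupted a bit at a time, and backups that can no longer be restored), which hashes the data independently of the backup software and compares it with a baseline manifest. File names and contents are constructed sample data, and the manifest is assumed to be kept offline where the monitored host cannot rewrite it.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative_path: {sha256, size, mtime_ns}} for regular files under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return manifest


def compare(baseline, current):
    """Classify differences between a trusted baseline and the live tree."""
    report = {"silent_change": [], "modified": [], "missing": [], "new": []}
    for rel, old in baseline.items():
        cur = current.get(rel)
        if cur is None:
            report["missing"].append(rel)
        elif cur["sha256"] != old["sha256"]:
            # Content differs while size and timestamp are unchanged: this is
            # not what an ordinary edit looks like, so flag it separately.
            if cur["size"] == old["size"] and cur["mtime_ns"] == old["mtime_ns"]:
                report["silent_change"].append(rel)
            else:
                report["modified"].append(rel)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def verify_restore(baseline, restored_root):
    """List files from a test restore whose bytes do not match the baseline.

    The check re-hashes the restored files itself instead of trusting the
    backup tool's own success message.
    """
    restored = build_manifest(restored_root)
    return [rel for rel, old in baseline.items()
            if restored.get(rel, {}).get("sha256") != old["sha256"]]


def demo():
    """Run both checks on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        data, restore = Path(tmp, "data"), Path(tmp, "restore")
        data.mkdir()
        restore.mkdir()
        samples = {  # constructed sample data
            "ledger-2010-q1.csv": b"id,amount\n1,100\n2,250\n",
            "notes.txt": b"quarterly notes\n",
            "report.txt": b"draft\n",
        }
        for name, body in samples.items():
            (data / name).write_bytes(body)
            (restore / name).write_bytes(body)
        baseline = build_manifest(data)

        # Test fixture 1: one bit differs in an old file, timestamps unchanged.
        old_file = data / "ledger-2010-q1.csv"
        st = old_file.stat()
        raw = bytearray(old_file.read_bytes())
        raw[10] ^= 0x01
        old_file.write_bytes(raw)
        os.utime(old_file, ns=(st.st_atime_ns, st.st_mtime_ns))

        # Test fixture 2: an ordinary, legitimate edit.
        (data / "report.txt").write_bytes(b"final version\n")

        # Test fixture 3: a restored file that came back as unreadable bytes.
        (restore / "notes.txt").write_bytes(bytes(range(16)))

        return compare(baseline, build_manifest(data)), verify_restore(baseline, restore)


if __name__ == "__main__":
    drift, bad_restore = demo()
    print("live tree:", drift)
    print("restore failures:", bad_restore)
```

Run on a schedule against both the live tree and a periodic test restore, the `silent_change` and restore-failure lists are the early warning; the file-by-file comparison only helps if the baseline predates the damage.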

D • December 7, 2010 7:44 AM

I predict a re-interpretation of the Second Amendment to the US Constitution to classify computers and software development tools as munitions, require permits to own and operate them, and felony charges when your computer is involved in an attack.

Brandioch Conner • December 7, 2010 7:45 AM

@Mike Lambrellis
"The point is that I'm talking about information warfare not PC hacking."

And that has what, exactly, to do with Bruce's original article?

"In that context, the propagation of the "war is peace", "security is freedom", and "dissent is traitorous" memes in the past decade has softened up the (majority of the) public to not only accept but demand increasing restrictions on their freedoms."

You do realize that "1984" was chosen by swapping the last two numbers in the year 1948, right? And there weren't many computer worms back in 1948.

Again, what does that have to do with Bruce's original article?

Not a single person has ever died from a computer virus or worm. So equating such with nuclear war is counter-productive.

MemVandal • December 7, 2010 10:06 AM

Some comments disagree with my previous post. But, what effectively all these "Cyber" things can do is espionage. And it's just spying, so calling it "Cyber Spying" won't change a bit; spying is spying no matter what technology you use.

Some may give example of Stuxnet, but again I would say pulling such a feat is very difficult and may not be effective in all cases and always. The best the Stuxnet people could have done is just gather intel which would have been more useful.

MemVandal • December 7, 2010 10:12 AM

"So yes I think it is possible to develop a cyber-weapon that could have an overall cost greater than the Hiroshima bomb."
@Clive Robinson at December 7, 2010 6:49 AM

Clive, you seriously don't know what a nuclear bomb can do. Also, don't forget new nukes are a number of times more powerful than the Hiroshima one.

Clive Robinson • December 7, 2010 1:07 PM

@ MemVandal,

"Clive, you seriously don't know what a nuclear bomb can do. Also, don't forget new nukes are a number of times more powerful than the Hiroshima one."

Few people have experienced it and most of those are now dead. However for my sins in a younger life I did what was called at one time "Civil Defence Planning". It was not exactly a bundle of laughs working out and plotting the effects.

However nukes came in all sizes and a lot were small enough to be fired as conventional munitions.

But flip the argument on its head, the only country which has ever had nukes used against it became the industrial and economic power house of the world for a number of years. And had growth rates the US has not had in anybody's living memory.

Likewise Germany was fire bombed in ways that were more devastating than nukes are and again it rose Phoenix-like out of the ashes.

The two things these countries have in common was they did not have a "Defence budget" slurping up 5% of GDP...

Which is one reason why it is difficult to judge just how costly an economic war can be and why it is possible for it to be more costly than a nuke.

Hopefully we will never have cold examples of either to use for real comparison.

Brandioch Conner • December 7, 2010 1:17 PM

@MemVandal
1 minute after the first nuclear bomb was dropped, the people where it was dropped were dead.

1 minute after a worm is launched, most people won't even notice.

5 minutes later they won't notice.

And so forth.

With a computer virus, the houses are still standing. The children are still playing. Anyone equating that to a nuke does not understand nukes.

MemVandal • December 8, 2010 1:58 AM

@Brandioch Conner at December 7, 2010 1:17 PM

That's precisely what I am saying.

@Clive, sorry, still I don't agree with you. "CyberWar" can be easily averted plus all the "stockpiles" be rendered useless simply by Microsoft releasing a patch. In case of attack, the damage can be recovered by system admins in quite less time (in fact they are used to it with regular virus threats, some just go and format the machines clean and work goes on as usual).

CP • December 8, 2010 3:17 AM

Here is another grey area of the cyberwar

Well I suppose you cannot answer presently due to other commitments. In protective custody LOL. As a fellow Australian and Queenslander and indeed advocate of free speech and "real" antiwar activist, I feel I must comment. The problem - as you know, is that it is difficult to find these releases credible in the main because the patterns are pretty bloody obvious. 'Scientific journalism' - give me a break! Also Sweden has always been the covert operative - as tigger says - its what Swedens do best. The point is that the principal allegation against you is that you work for the CIA and this whole release is a pretext - an assuaging of the masses, mass media, gearing us for the coming conflict between the allies and XXXXX. This will obviously be the biggest conflict in human history and the US's systematic and otherwise "very undiplomatic" release will create a fertile environment for the germination of that conflict. It's a very targeted release and it is voluminous!

My question to you or rather your wikicolleagues er hiccup CIA is this: Why this path now? I will guarantee none of you have a clue why you are doing what you are doing - that is the tragedy. The irony is that in the world of mass communication we are more in the dark than ever.

CP

averros • December 8, 2010 3:33 AM

When private citizens hack into other people's computers we call it crime.

When governments do it we glorify it calling it "cyber war".

Well, it's still nothing more than crime.

Rain Ottis • December 8, 2010 5:41 AM

Good article. I just wanted to make a small comment on the Estonian case. I agree that it should not be called a cyber war - politically motivated hacktivism is probably a better description for most of the attacks in that case. However, the reason why only one person has been found guilty in participating in the campaign is twofold:
* the person launched his attack from Estonia so enough evidence could be gathered for finding him guilty of organizing an attack on ONE web server, for which he received a fine of about 1500 USD;
* the Russian law enforcement promptly refused the official Estonian investigation request to track down attackers that appeared to reside in Russia.

I find this "one man army" to be an interesting little myth about the Estonian case, but it serves no useful purpose to propagate it.

- • December 8, 2010 6:45 AM

"Yes, your feelings might be hurt, but in actual fact no-one was really physically hurt."
yeah, same goes for the people still whining that obama "bowed too low", while lauding the tact of boehner and bolton.

Clive Robinson • December 8, 2010 7:43 AM

@ MemVandal,

"@Clive, sorry, still I don't agree with you"

That's alright, the world would be a dull place if everybody agreed with everyone else.

And importantly we'd all be stuck in a huge rut 8)

rope • December 8, 2010 11:35 AM

at brad templeton, you state that in the military "anything but strict obedience to orders could result in death" shows that you have not been in a real war, where strict obedience will inevitably result in your death, or perhaps you were an officer secure in some bunker ordering others to fight the war, like goddamned cheneybush

Cyber war could kill wall street dead? I doubt it, the government prints money when Geithner's friends call him for some new money.

The vulnerability is wallstreet, not the internet, and penalties for crashing the world economy should be death or absolute incommunicado internment on some remote island like Napoleon

Petréa Mitchell • December 8, 2010 12:04 PM

You know, for all this hypothetical talk of nation-states attacking each other, I think we have something roughly analogous to war going on right now.

http://www.csmonitor.com/Business/new-economy/2010/1208/MasterCard-website-goes-down.-Payback-from-WikiLeaks-supporters

If you feel "war" is defined as only happening between nations, then we have conflict, terrorism, crime, or whatever term you prefer. But in terms of actual things that are likely to happen that could cause direct or collateral damage to networked computer capabilities, this is the thing to look at.

RobertT • December 8, 2010 7:23 PM

OT Wikilinks Hiroshima historical link

After the bomb was dropped on Hiroshima the US and British govt's made plans to occupy the area, specifically they wanted to take control of the Naval Munitions center at Kure, about 10 miles from Hiroshima.

Well the problem was that both sides knew that radiation was not good for their troops, so somehow after much horse trading Britain convinced Australia / NZ to provide troops to secure and dispose of these munitions. These forces were called BCOF British Commonwealth Occupation Force

Australian gov't was in charge and it would appear that they also suspected that it was not something that their regular army should be involved in, instead they sent many young 19 / 20 year-olds with very little supervision. Needless to say, the whole thing turned into a fiasco that everyone involved wanted to forget.

It is known that there are many encrypted diplomatic cables OTP that deal with the "horse trading" about who drew the short straw to occupy / demilitarize the Hiroshima area.

It has been a goal of many Australians to prove that their government knew of the dangers but took absolutely no steps to inform the troops of the dangers of residual radiation.

To this day, Australia does not acknowledge that the troops were in any danger or suffered any ill effects from radiation exposure in Hiroshima.


Mithrandir • December 9, 2010 11:38 AM

It's not war. It's espionage.

Wars involve massive numbers of people. Espionage is carried out by a few highly trained individuals. Sabotage, information gathering, and positioning agents for future use are the staples of espionage, and that's what we're talking about.

The distinction is important, because war and espionage require different approaches.

Doug Coulter • December 10, 2010 11:48 AM

Just because it's difficult to point to a person who has died as a direct result of (only) cyber this or that doesn't mean there's no effect, or that the only way to take someone's life from them is to kill them. That's dodging reality to a great degree.

I'd submit that having to defend a lawsuit against the RIAA for something moderately innocent, and wind up being fined more than you'll ever make in the rest of your life "takes your life".

Disruptions of the supply chains can take lives directly, or force lower more conservative standards of living if people have to backstop a system they didn't used to have to.

As pointed out above, restoration from backups may not solve everything. Since all the money in the world is bits, and it matters that you knew what the state of those bits were milliseconds ago, the potential for mass disruption is large.

Some would argue that could be good, but I don't think they think things through far enough, and there are other ways to work on injustice that would hurt more bad guys and fewer good guys.

Disruption of supply chains in a JIT world has serious consequences. You can't just run twice the trucks next week after restoring from backups. There aren't twice the trucks, twice the roads, or the places to store buildups until normalcy is restored. Basic War College stuff.

Messing up the electric grid alone kills people, though indirectly. How many people don't have a way to run even fossil fuel heaters if there's no power for the thermostat and fans. Wouldn't hit me (I'm off the grid anyway) but...for some people it's fatal. Personally, I think that's a lack of readiness on people's part, but it's there just the same. And then we blame the deaths on weather, like we do car crashes caused by fog (rather than the obvious truth -- bad drivers who should just pull over if they can't see).

And the main cyberwar is on the normal guy, from surveillance that should be illegal -- the fear of that keeps me from doing things I want to do that are probably legal, but not worth risking Gitmo for -- that takes away part of my life. It's going on at all levels down to corps tracking my buying habits, and the charge card companies selling the government information that it's illegal for the government to collect directly itself -- big loophole there.

All these take a little life from a lot of people -- when does that add up to taking one life? I think long ago, but that's me.

Messing up a big SCADA system in any big plant can really take lives -- refineries, power plants, things like that. We can't be sure it hasn't happened already as the evidence kinda gets blown up in those cases.

But reducing the quality of millions of lives a little I think is bad too, and cyber attacks can definitely do that, some more than others.

Look at what a few low buck terrorists have managed to do to my freedoms (with willing accomplices in the government). Does that not take away some of my life, now that I find it too nasty to fly so as to take a vacation, or make a business deal that would create jobs, endangering my life further if I decide to drive instead?

People who look for black and white "one shot, one kill" events are using the lack of them to justify a world-view that misses the point.

Brandioch Conner • December 10, 2010 1:43 PM

@Doug Coulter
"Just because it's difficult to point to a person who has died as a direct result of (only) cyber this or that doesn't mean there's no effect, or that the only way to take someone's life from them is to kill them."

One minute after a nuclear bomb was dropped on Hiroshima, children were dead.

One minute after a computer worm is released, children are still playing on their tricycles.

Five minutes later they are still playing on their tricycles.

An hour later, they're still playing on their tricycles.

"People who look for black and white "one shot, one kill" events are using the lack of them to justify a world-view that misses the point."

McAfee lists over 100,000 computer viruses and worms and such.

Not a single child has died from over 100,000 computer virus attacks.

The point is that computer cracking is in no way comparable to nuclear attack or war.

Nick • December 11, 2010 2:29 PM

@Brandioch Conner

How about possibilities of nuclear plant centrifuges and oil refineries being messed up, dams made to flood populated areas and so on?

Arjun • December 11, 2010 10:58 PM

This comment by Mr. Ranum is interesting:
"In cyberspace, the old dictum "the best defense is a strong offense" does not hold. The best defense is a good defense. Cyberwar pundits who talk about pre-emption or retaliation are just hanging a sign around their neck that reads "I don't actually understand the internet, or warfare, or technology newer than WWII-era strategic bombing." "

Clive Robinson • December 11, 2010 11:20 PM

@ Brandioch Conner,

"Not a single child has died from over 100,000 computer virus attacks"

Err, I would not make a statement like that unless you can really back it up (which I think you cannot).

In the UK, hospitals are cutting back expenditure on the likes of neonatal units because they do not have the funds to buy and maintain the equipment or hire the staff. And yes, if you look into the figures from the likes of Dr Foster you will see that this is having an effect on newborn child mortality.

Worldwide about 50% of children who die in the first five years die in the first 28 days after birth. Nearly as many again die during birth, and a significant number of the mothers die as well.

Interestingly US figures in certain communities are as bad if not worse than the better third world figures and this has been attributed to not being able to get the appropriate health care (you can find links to the relevant reports on the Gates Foundation web pages).

One of the reasons that the UK NHS is so cash strapped, and has been for a number of years, is the idiotic NHS Spine forced onto it by Tony Blair's "No 10 Think Tank". Dubbed "the world's largest ICT Contract", it has been an unmitigated disaster from day 1.

Worse, the hospitals were forced to buy into this completely inappropriate and still to this day nonfunctioning IT system. The escalating cost, that at the start was going to be 12 Billion GBP (~25 Billion USD at the time), is rising significantly.

And neither the then Government nor its successors have put a real budget in place, so this enforced cost comes from "budget savings" in other areas such as neonatal (see the UK Gov's weasel words in the link to the petition below).

This dirty little secret came out when Gordon Brown's (Chancellor and later PM in the previous UK Gov) child died. Various promises about neonatal units were made, however the UK Gov weaseled out, see http://www.hmg.gov.uk/epetition-responses/petition-view.aspx?epref=nntaskforce .

One of the problems seen on a number of occasions with the NHS Spine and the dependent IT systems in hospitals, which also appears to be rapidly escalating, is the cost of virus and other attacks.

So perhaps you should be reconsidering your apparent "knee jerk" statement.

As for your statement,

"The point is that computer cracking is in no way comparable to nuclear attack or war"

That really depends on how you measure the effects and over what period of time.

If, as you appear to do, you consider the very very short term, then you are only considering the initial impact and not the secondary effects. This is a mistake we often see committed in drugs trials, and it costs vast amounts in both human and economic terms.

As I pointed out earlier, Japan is so far the only country to have suffered a nuclear attack in the process of war. After the cessation of active hostilities, because in part it did not have a defence budget, it went on from being a war torn and in parts a nuclear wasteland to becoming one of the top 5 economic powerhouses in the world in less than 40 years.

So I could argue that nuclear war is good for a country economically in the long term.

But I will not, for a whole host of reasons. All I will say is that the death rate from a nuclear attack in the long term has been way less than predicted. And also that the numbers killed in Hiroshima at the time compare in surprising ways with those European cities that were carpet bombed with high quantities of incendiary devices to create fire storms, and the subsequent death rates of the survivors.

Before you make any further posts on the subject I suggest you go and acquaint yourself with the information available and try to make sense of it in the broader terms of reference of say two complete generations.

Brandioch Conner • December 12, 2010 11:35 AM

@Nick
"How about possibilities of nuclear plant centrifuges and oil refineries being messed up, dams made to flood populated areas and so on?"

Now imagine what Bruce would say if such scenarios were used to justify further TSA restrictions.

The term would be "movie-plot threat".

But the fact remains that computer viruses have yet to kill a single child. And that a child playing in a sandbox would not even notice that a computer virus was released.

Now compare that to the dead children in Hiroshima.

Clive Robinson • December 12, 2010 10:51 PM

@ Doug Coulter,

"All these take a little life from a lot of people - when does that add up to taking one life? I think long ago, but that's me"

No, it's not just you. I think a lot of people are getting to the point of saying "enough is enough"; they want to "live free", not die the "Death of a thousand cuts".

Some years ago I noted that there were open and closed societies, and that they tended to behave differently to perceived or actual threats.

That is, in a closed society the cost of security rose until it bankrupted the country.

And in open societies the costs of security would go up with some event then slowly die away as time passed (this being a prolonged version of the response generally seen in nature in a herd).

I also posed the question what effect the rapidly falling price of technology would have on the open society response.

That is, if the price of technology dropped to the point where the cost of the increasing surveillance of the citizens remained effectively the same or actually dropped?

Both the US and the UK have had their major terrorist attacks, as have other countries. What is noticeable is the difference in behaviour.

The US has apparently flipped from "open society" behaviour to "closed society" behaviour; the UK appears to have partially tagged along.

However most other countries have behaved as you would expect an open society would.

Which makes me think: is it just the politicians keeping the level of surveillance rising, or has the steadily dropping price of technology reached a tipping point where it enables it to be possible within the other economic constraints?

And if not a technology price tipping point, is it something else?

For instance the "Internet memory" issue. In times past a Politico could make a statement that was at variance to their earlier position and this switch would not be picked up on in the press. In the main due to the lack of quickly searchable records and the lack of skilled searchers.

The Internet changed this; now every time a politician says something a small army of amateur political activists search out the differences via the "Internet memory" and make them known. This has scared politicians into effectively saying nothing and going with the herd direction. Our politicians are now effectively "all image and no substance", dancing to the tune of long past utterings and the agendas of those we do not see or elect.

Thus are we being terrorised not just by those who use the traditional weapons of war but also by those who just use words?

Have we proved "the pen is mightier than the sword"? Are we fighting wars of words?

And at the end of the day words are just information...

subsari • December 13, 2010 11:41 AM

I think that the government is taking good actions in place to protect ourselves from cyber attacks in the future.

The reality of these types of attacks is certain. It is a matter of "when" not "if".

The Cyber shockwave simulation was a great success to show what a great failure.

However, we all know the rule of failure. The important is not to fail but how you stand back up and keep moving forward and becoming stronger.

The ramifications and complications of interconnected systems and our dependencies on them give rise to the fact that no one really could have known how to react in cyberwarfare circumstances.

I wonder why this was not done a long time ago!

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..