Schneier on Security
A blog covering security and security technology.
« Underage Children on Facebook |
| Weaponized UAV Drones in the Hands of Local Police »
November 3, 2011
Journal Article on Cyberwar
From the Journal of Strategic Studies: "Cyber War Will Not Take Place":
Abstract: For almost two decades, experts and defense establishments the world over have been predicting that cyber war is coming. But is it? This article argues in three steps that cyber war has never happened in the past, that cyber war does not take place in the present, and that it is unlikely that cyber war will occur in the future. It first outlines what would constitute cyber war: a potentially lethal, instrumental, and political act of force conducted through malicious code. The second part shows what cyber war is not, case-by-case. Not one single cyber offense on record constitutes an act of war on its own. The final part offers a more nuanced terminology to come to terms with cyber attacks. All politically motivated cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: sabotage, espionage, and subversion.
Here's another article: "The Non-Existent 'Cyber War' Is Nothing More Than A Push For More Government Control."
EDITED TO ADD (11/4): A reader complained to the publication, and they removed the paywall from the first article.
Posted on November 3, 2011 at 1:22 PM
• 31 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I sure hope not. Mark Russinovich paints a pretty frightening scenario in his novel "Zero Day" of what might happen as a result of a concerted "cyber attack".
It may be a work of fiction but I always think of "Die Hard 4.0" when I think of what form a cyber-war might take.
It may seem extreme but I have no doubt that some of the security issues surrounding critical infrastructure depicted in the film DO exist in the real world and could be exploited by hackers, especially those with the backing of a foreign government and the abillity to insert spies to steal encryption keys or plant trojans or other measures.
Obviously state-sponsored overt cyberwar, in the sense of trying to bring now national networks and destroy or subvert national information infrastructure risks real-world retaliation, and so is unlikely unless the aggressor dominates the victim in any event.
However, "cyberwar" is really a vague and silly term. If you include online acts of espionage, then obviously all the countries in the world are engaged in cyberwar right now and have been for years.
I can't believe Schneier would post this slop of so called research. We are currently in a cyberwar. You can listen to academics or people on the front lines of what is really going on. Take your pick. Financial Times today: http://www.ft.com/cms/s/0/...
All a matter of how you want to define things. One group defines "war" one way, another group a different way. Just games at that point.
Boils down to if you believe that other countries are looking for vulenbilities in our neyworks that they can exploit in some fashion.
If otherwise healthy people at home are NOT dying from the attack, it's not "war".
Although many experts here will disagree with that.
@ ddff -ltd & other "cyber"-war supporters
I can't believe you would post that slop of a comment. Anyone on the "front lines" of the battle is either trying to attack systems or defend them. Guess what? All cyber[attack/defense] approaches = all INFOSEC [attack/defense] approaches. Securing the computers & networks prevents cyberattacks. Any attempt to create a "cyber"-command, "cyber"-space laws, "cyber"-units, etc. is just a power or money grab. A Wired columnist also noted that anything they say that starts with "cyber" is usually bullshit.
Proof can be found in the Fritz/TPM movements & the recent attempt to "secure" infrastructure. The Fritz chips gave the government access to everyone's systems without accountability. Subversion was still possible. The TPM would give 3rd parties control over the systems & subversion is still possible. The most recent thing was the government putting "probes" and such into the critical systems and infrastructure, with a provision they could remote control it if they felt they needed. (Notice the word "control.")
Anything they're doing is just a power grab. The sad part is that people like you who swallow their Kool Aid are also victims: they have nearly unhackable systems & devices that are withheld from public use. Any truly secure system is subject to export restrictions. Depending on its development or sponsorship, it may be marked as a COMSEC or GOTS item, restricting distribution to US companies & citizens. You think you're benefiting from these "cyber"-efforts, yet the benefits you want are intentionally withheld from you.
Now, riddle me this: If the US government intends to secure Americans' systems from attack, why would they (a) consistently prevent the sale of existing ultra-secure systems to Americans and (b) instead offer Americans insecure systems with built-in remote control & cryptographic bypass?
Note: The "existing ultra-secure systems" that I'm referring to are those that have been through a B3/EAL6/A1/EAL7 certification process (or equivalent) & possess enough useful functionality that people would buy them. I'm not counting the SKPP MILS kernels in this case.
When passenger planes start falling out of the sky, we will see cyber war.
Cyber-terrorism will lead to a government-led cyber war against the group or nation responsible.
Cyber war will be an eye for an eye.
If you take out a passenger plane via cyber, the victim country will respond via cyber to duplicate the attack or to carry out a similar attack on infrastructure the public rely on.
Oddly enough, all these things keep making political noises. I think the next war is going to be a corporate one - Corporations fighting each other, and the motive is profit.
How they do it is up to them.
If you take out a passenger plane via cyber, the victim country will respond via cyber
*Ahem* That's an unfortunate choice of abbreviation; consult Urban Dictionary to see why. (It definitely suggests an interesting scenario though!)
On a more serious note, the way it's being talked about has me worried. "cyber attacks are acts of war" looks like something you'd come up with if you're looking for an excuse to bomb someone.
"On a more serious note, the way it's being talked about has me worried. "cyber attacks are acts of war" looks like something you'd come up with if you're looking for an excuse to bomb someone."
Add "most cyberattacks seem to originate from China" and your worries should increase.
US is certainly beating the war drum towards China in the cyber domain and has been for a number of years.
US cannot risk a physical war with China, although I think they like the idea of a cyber war with them.
I think article author forgets what the war is.
Clausewitz: a war is a continuum of policy/politics by any means.
Sunzi: winning without fighting is most skillful.
Boyd: winning mentally, getting inside opponents decision cycle.
So is there anything which says there ever needs to be violence?
"I think the next war is going to be a corporate one - Corporations fighting each other and the motive is profit"
They already do and have been for hundreds of years, it's why we have such expressions as "Industrial espionage".
But profit, is another name for money which is the abstraction of work, which in turn is the abstraction of energy.
If you want to see the next real reasons. for war it will be for the control of,
2, Scarce raw resources needed for industrialisation.
We can already see the US doing all it can to secure access to fuel reserves whilst seaking to lock others out. Likewise we can see the US doing what it can to keep nations in "vasal" status by preventing them developing their own independent energy sources (not just nuclear).
We also see the likes of Russia and Israel using energy as a political tool to augment control of areas and to keep their people in "vasal status"
Also we see China doing the same, but also putting down very sever restrictions on rare mineral resources such as rare earth metals that have significant stratigic value especialy as most of our high tech and high tech weapons are very very dependent on them.
We also see China doing "Hearts & Minds" techniques to get land for their people in African and other third world nations by giving infrastructure and technology with a hidden leash attached. The leash is specialised components and services that can only be obtained from China, and secondarily the Chinese people installed in the country quickly become the "elite class" of proffesionals without which the country cannot function. The net result China gets not just prefferential access to the raw resources it gets land for it's excess population oh and a significant percentage of the domestic food output of the country to ship back to China.
If you want an idea of what a "resource war" can be like have a look at the history of "water rights access" from ancient history to modern times, they are brutal bloody and the loser gets the equivalent of slave status.
"US cannot risk a physical war with China, although I think they like the idea of a cyber war with them"
They do not want a direct "physical war with China" in the same way they did not want direct physical wars with Russia during the cold war.
However the war hawks in the US have been pushing for a "proxie war" with China due to first Korea and then Vietnam.
Currently the political situatuation between North and South Korea is extreamly unstable. In the North you have a premier who is getting to the point of handing over the reighs of power to an 'anointed son' but does not feel he has achived a real mark on history. In the South you have a war hawk as premier who is talking up direct action against the North at almost every oportunity.
The simple fact is China almost certainly will back the North Koreans again to protect their buffer zone of vasal states, and the US is already backing the south with war games etc being fought provocativly along disputed areas of the border.
The question is who will blink first...
"So is there anything which says there ever needs to be violence? "
No, but I think the distinction that is being sought is "declared war", or "acts of war". which just points out that sticking "cyber" on the front is pointless, since there is quite a lot of espionage happening all over the world that could *potentially* be considered an 'act of war'.
There are certainly activities that could be considered 'cyber-warfare', but I think they would gain that designation only by being associated with an actual war. Similarly violence itself isn't necessarily 'warfare', violence outside of declared war is referred to as 'assault', 'terrorism', or 'insurgency'; depending on the spin one wants to impart to the phrase.
Maybe CyberColdWar would be too complicated a term. But the current situation reminds me a lot of the stories I used to hear from military personnel about the occasional potshots, near-miss flyovers, minor naval collisions and so forth that marked the constant background level of hostilities during the US-USSR conflict.
"So is there anything which says there ever needs to be violence?"
You can kill one heck of a lot of people without using conventional or even less conventional weapons.
If you consider the idea of one country daming up a river that flows into another country. They are not using actual violence against the other country but the resulting drought and it's consiquences could in many parts of the world kill tens of thousands of people.
Again their are many companies puting heaven alone knows what into ground water supplies that cause neurolgical disorders, cancer, birth defects and other unfortunate events covered by the expression "toxilogical disadvantages". Is it violence? negligence or good business... I guess it depends on your point of view (money maker or victim).
Thus to kill people you don't have to actually use the bombs and bullets violence of convensional warfare. Afterall "dead is dead" whatever the cause, be it no water, contaminated water or a bullet in the guts, nor does death have to be quick a long slow lingering death from lead poisoning is still a death caused by others.
Until we fully admit that human economics is also information based, and that human survival more often depends on information, we will fail to recognize war in the information realm. (Reparations failed to end World War round I, because they continued World War, with disastrous consequences in round two).
During the Cold War, Intel used to say that,
if they did their job right,
the next World War would be solely economic,
and not military.
Well, what do you think?
Fear mongering at its best.
"Look, we created this thing to be fearful of, and we saved you from this fearful thing. You should be grateful and vote us back into office."
They never think of the unintended consequences of when someone "actually" implements that "fearful thing" and uses it, only to find out later nobody can saved from it.
With regard to unintended consequences, the Bolivian Water Wars went that way with people actually dying in order to remove the scourge from financial decisions.
An approach to beat superior enemy with any means possible. Meaning economically, regulatory etc. Points also what Someone pointed out - war is continuum of politics/policy. So war with violence is one way to conduct policy/politics. If one manages to affect hearts and minds like Sunzi, Boyd et al points out there is no need to use guns, weapons, or kill anyone directly or indirectly.
Not only do you not need violence...
The proper object of war is to subjugate the enemy, not kill them or destroy valuable resources.
Think about this the next time you hear from some important organization that "we don't have to be reasonable, we have policy" - they have already warred on you, and won.
If more people thought like this and realized what was going on, the world would be a much better place now, and we'd not be tolerating the privatization of profits but the socialization of risks.
Didn't the banks just win against all their customers in what is just as real a war as any other?
People have at times claimed to prefer death to slavery. I guess they all got their wish, as I see plenty of slaves around.
"Think about this the next time you hear from some important organization that "we don't have to be reasonable, we have policy" - they have already warred on you, and won"
Yup that's very much what quite a few organisations do. Even worse some claim "We're doning this because the law says we can"...
In some cases the law does say something like that but it's never been tested in court, on other occasions the law does not say what the organisation claims it does.
I've seen a number of organisations under financial preasure make claims that "they are required under law to..." when chalenged they say something like "under law X.Y". You go look the law up and guess what it actually says the opposite. You write them a polite note pointing out that the law they quote says no such thing and the organisation either ignore you or try to keep up the pretence.
One such organisation in the UK is South West Trains (SWT) run by a brother and sister Brian Souter and Ann Gloag through their joint company Stagecoach.
SWT are responsable for issuing tickets and colecting penalty fares for those who use their service but don't pay. They are also responsable for maintaining the ticket machines to ensure they work...
Well this latter duty cost them profit and in the past they have failed to maintain the machines correctly (this was prior to blackmailing Transport for London into replacing the entire SWT ticketing system). So rather than spend money on maintanence they spent the same sort of sums on "revenue protection officers" who's job it is to inspect tickets and issue penalty notices this turned out to be a nice littler earner.
However SWT went over the top and started issuing penalty notices to those who could not buy a ticket because the ticket machines were not working and ticket office staff were not available (because SWT would not pay overtime money or employe the required number of staff).
This happened to me and when I could not get a ticket to travel I used the platform "Help system" and asked what I was supposed to do as I could not get a ticket. I was told (correctly under law) to procead with my journy and get a ticket from either the guard or the first member of SWT platform staff. On speaking to the train Guard he told me to get on and pay at the first "maned station" or at the end of my journey.
My mistake was to actually follow the latter piece of advice by both the help system operator and the guard, as on seeing a member of platform staff I got off the train and approached. them to get a ticket. It turns out they where a RPO wearing platform staff uniform (which is technicaly not allowed) and refused to sell me a ticket and said I had to see the RPO's down stairs. [If I had known what I know now I would have demanded his identification photographed him wearing the wrong uniform and then got on the next train, and submitted a formal complaint via the House of Commons select commity].
Any way the upshot is the RPO made demands he should not have made deliberatly and fraudulently filled in the paperwork. I refused to sign the paperwork and was told by a faux policeman (we have a bunch of jokers in this country called Police Community Support Officers who at the time did not have powers of arrest but were issued Police uniform so you could not tell if they were PCSO's or Police) after he assulted me that I would be arrested if I did not sign the paperwork. I simply z'ed it out and walked away. The RPO chased after me and said "Don't f**k with us we always win".
I submitted a formal complaint and it was rejected I wrote to SWT Company secretary (then. Tony Skilton) who basicaly decided that a fraudulant claim by one of his employees was unworthy of his time even though he had a legal duty of care. However after a protracted series of letters he did eventually finger the CPSO who assulted me as 7125TW but no name (so if anybody out there in Twickenham Police SW London knows who he is I would like to know).
Mr Skilton decided that the (supposed) independent organisation paid for and run by SWT out of their registered office would be responsable for what his staff did next.
Which was to prosecute this was carried out in a totally inept way by a Mr James Allen out of an office above SWT's Southhampton Railway station. He would never speak on the phone and consistantly lied in his letters which his own staff grassed him up about. Oh and to avoid purjuring himself he finnaly dropped the case by not turning up to court and sending in a stooge instead.
Meanwhile I had been digging the dirt and it appears that nearly all the Magistrates Courts in South London were absolutly sick to the teeth with Mr Allan and his antics at the behest of SWT, and it was they who gave me the most helpfull advise on dealing with the coruption that was SWT and Mr Allen defiling their courts.
Even though Mr Allen did not attend Court, and had supposadly dropped the case it was still heard by the Magistrates who awarded me 25GBP costs out of Court funds to cover my expenses, and seriously advised me to take legal action against SWT for damages.
This was extrodinary action by the Magistrates who were so sickened by the level of behaviour of Mr Allen and SWT staff as revealed by the letters. It was abundantly clear to all that SWT with the full cognizance of it's Company Secretary Tony Skilton was running a blackmail racket where they played fast and loose with the law for the process of making money by extortion. Presumably as this still goes on within Stagecoach operating companies both Brian Souter and Ann Gloag are likewise fully cognizant of this extortion racket.
But Both of them would have you belive via their press output that they are whiter than white, and it would appear that Ann Gloag has managed to con even reputable charity organisations as she is to receive the prestigious Eleanor Roosevelt Val Kill Medal Award in New York State.
However from out of Ann's own mouth (BBC Radio 4's Woman's Hour) she revealed a dirty little secret behind her charity work. It appears that where ever she does it Stagecoach move in behind to fix up more lucrative takeovers etc.
And how does Ann pay for this charity work and the two castles in Scotland she own's... Well SWT after pleading dire poverty with the UK Government got a significant handout of something like 67Million pounds, then just a few weeks later Stagecoach make an exceptional bonus payment to Brian Souter and Ann Gloag of 44million pounds each (you can read more on this in Private Eye).
Oh something Ann does not talk about is the death of her husband who was the original founder of stagecoach... Well let's just say there are quite a few in her old home town who believe she was responsible for his death, and that it was this that caused her apparent "born again" christian behaviour, rather than the naked greed of her and her brother using it as a business promoter that others attribute to it.
Whatever the cause they both obviously beleive they are winning a war to extort moneies they are not entitled to out of people by their own peculiar view of the law, ably assisted by both the English and Scottish Parliaments who mistakenly beleive despite all evidence to the contary so far displayed that Stagecoach will be good for their respective treasuries...
@ Doug Coulter
"The proper object of war is to subjugate the enemy, not kill them or destroy valuable resources."
Sun Tzu would agree with you. ;) However, I have to post an exception: zealots. If you're enemy are true believers, then it can be nearly impossible to deter or convert them. (I mean, they're willing to eat cyanide or blow themselves up...) Best to destroy them if their cause is maintaining its image & strength. (Weakening cause might give an opportunity to convert them into zealots of a different kind. ;)
Cyberwar is a moronic term.
Was hacking Enigma cyberwar? What about using Colossus?
War is a state of armed conflict between different parties.
Are computers arms? What about modern aircraft? What about satellites?
There may or may not be war. It may have a greater or lesser computer related element.
Let's not focus on stupid buzzwords but rather the actual issues at hand.
@Brandioch Conner @Someone: We deliberately disrupt communications of enemy combatants during time of war, and it is considered good strategy. What name could we give that behavior, if not covered by cyber-war?
Nick P, I take great solace in the fact that you don't know what you're talking about.
'Cyberwar is a moronic term.'
'Let's not focus on stupid buzzwords but rather the actual issues at hand.'
You know, I couldn't agree with you more, bob. Keyboard warriors do like to play soldier and talk big. Of course, precious few of them ever see proper action.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.