The Nature of Cyberwar

This was pretty good, I thought:

However, it may be difficult to write military doctrine for many aspects of cyberconflict that are truly revolutionary. Here are no fewer than 10 to consider:
  1. The Internet is an artificial environment that can be shaped in part according to national security requirements.

  2. The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them.

  3. The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.

  4. Software updates and network reconfigurations change cyberbattle space unpredictably and without warning.

  5. Contrary to our historical understanding of war, cyberconflict favors the attacker.

  6. Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.

  7. The difficulty of obtaining reliable cyberattack attribution lessens the credibility of deterrence, prosecution, and retaliation.

  8. The "quiet" nature of cyberconflict means a significant battle could take place with only the direct participants knowing about it.

  9. The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking.

  10. There are few moral inhibitions to cyberattacks, because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering.

Posted on January 30, 2012 at 6:02 AM • 31 Comments

Comments

rob • January 30, 2012 6:20 AM

Yes good, but it's clearly false to assume (as the author appears to do) that cyberwar will be separate from physical war. There are many interesting, depressing, frightening ways that cyberwar can augment the physical kind.

"10. There are few moral inhibitions to cyberattacks, because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering."

So how and when is this likely to change?

Michael • January 30, 2012 6:55 AM

My hatred for the use of that 'cyber' word aside, I disagree slightly with this point:

'Contrary to our historical understanding of war, cyberconflict favors the attacker.'

Yes and no. In the context of national security, etc., the only useful security strategy is one of network defence. A state that focuses on attacking not only wastes time, effort and money achieving a short-term effect; the adversary could also gain useful intelligence from the attack. Not to mention that 'offensive security' could ultimately degrade the overall security of the Internet in the long term.

Michael DeWitt • January 30, 2012 7:13 AM

@Michael: The claim that it is better to be the attacker seems to make sense if you are willing to extend the war metaphors. In that sense, a short-term conflict would favor the attacker. At the same time, your example of a state which only ever attacked would indeed be at a disadvantage in the long-term war, especially since they could not rely on defending themselves by retaliating against their attackers.

Paeniteo • January 30, 2012 7:16 AM

@Michael: "In the context of national security, etc. the only useful security strategy is one of network defence."

That is correct but it doesn't negate the statement that the attacker is favored.
In fact, having to concentrate on defending all "borders" immediately (since the other traditional military options are not applicable in cyberwar) is the reason why the attacker is favored. The defenders are stretched out whereas the attacker can concentrate forces to attack the weakest point.

lazlo • January 30, 2012 8:22 AM

Great list in general, and I'll add my nit to pick:

The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.

While technically mostly accurate, it's somewhat misleading. With the exception of brute-force DOS, bandwidth doesn't really matter that much. The vast majority of attacks will happen within the parameters of normally used bandwidth. As for proximity, if the attacker and defender aren't logistically speaking adjacent to one another, then at least one of them isn't connected to the internet. I think it's an excellent point, but one that needs a bit more depth to it.

Dan S • January 30, 2012 8:38 AM

As a comparable war paradigm, think Viking raiders. Attackers have the advantage due to defenders having no organized government, communications, or sharing of intel.

I disagree with "Contrary to our historical understanding of war, cyberconflict favors the attacker." This is dependent on theatre and period. Sword and shield have swapped advantage over and over. It can even be easily argued that in the early part of WWII the attacker had the advantage. Again, disorganized defenders, poor communications, lack of intel (and sharing).

Thinking strategically, I don't think the war for the internet is all that different from other conflicts. What's different is those doing the thinking are not very familiar with the "geography," weapons and tactics.

Clive Robinson • January 30, 2012 9:12 AM

Most of the points made are on shaky ground due to the underlying assumptions.

The assumptions come from using tangible "physical world" thinking on intangible "information world" issues.

About the only one where the author gets it right is point 3 "connectivity". At first sight you would think point 1 as well, but after a little considered thought you will realise that no such control is actually possible; there are way too many diverse connectivity methods, which just cannot be turned off. Point 2 "too many hacker tools" is effectively negated by point 4, software updates / patches.

Which brings me onto point 5,

Contrary to our historical understanding of war, cyberconflict favors the attacker

No it does not; it has nothing whatsoever to do with our understanding of war, and everything to do with the lack of security in our commodity/commercial OS and applications.

If they did not have more holes than the entire production of Swiss cheese we really would not be discussing this.

As for point 6,

Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.

Oh dear oh deary me... Only espionage is really valid, propaganda is really back to the old days of 'site defacement' and as for destruction of critical infrastructure, well if system designers would stand up to accountants and the like then this would not be possible, and as an issue could be mainly solved by legislation and the correct use of secure "data diodes" and secure operating procedures.

The problem is even the military don't appear to be able to get this right either, and analysis appears to indicate it's due to exactly the same failing of commercial systems: "convenience and ease of use".

To be blunt, when push comes to shove we are going to get what we deserve for our own failings, no real other reason...

Adam • January 30, 2012 9:19 AM

@Clive

Deserve is too harsh a word here.

Maybe you could say something like "we had it coming" due to lack of security in our OSes and applications, but that doesn't in any way justify the attacker like saying we "deserve" it.

Brianary • January 30, 2012 9:51 AM

Worrying: "The Internet is an artificial environment that can be shaped in part according to national security requirements."

Effective for "destruction of critical infrastructure"? Disabling, when vulnerable, but destruction?

"So far, there is little perceived human suffering." What actual human suffering are we talking about?

NobodySpecial • January 30, 2012 10:04 AM

@Clive - Companies pay for the level of security necessary for the risk they face. People pay taxes for defense against external enemies.

Should a small town municipality have to pay for a level of computer security on its infrastructure capable of defending against state actors?

Businesses fit vaults and alarm systems, should they also have to pay for surface-to-air missile batteries and be built to survive a 737 impact?

karrde • January 30, 2012 10:18 AM

@Clive, @Adam,

As an analogy: a visitor unfamiliar with the fair city of Detroit is staying at a hotel in the downtown area. If they travel on foot to The Game (or the annual Auto Show), and run into trouble because they took a wrong turn through a crime-ridden area of town, we'd be having the same argument.

To wit, the argument would be whether they "deserve the trouble" vs "had it coming" or failed to perform due diligence prior to local travel.

I would choose the third description. Mainly because it encapsulates the problem: someone who is not familiar with the area doesn't know how to avoid local trouble. They don't know how to read the City map and see the un-marked lines denoting higher probability of safe transit.

But cyberspace isn't just a city with a reputation. It's a meta-world, with a different measure for proximity and exposure to danger...

General Zap • January 30, 2012 10:51 AM

Well, there's one thing you can count on with governments and militaries (and, yes, with megacorporations): they'll keep on building their Maginot Lines and disgracing their Billy Mitchells. It's the nature of the beast, and "cyber" isn't going to change anything.

Clive Robinson • January 30, 2012 10:54 AM

@ Adam, karrde,

By deserve, I'm talking about what you would expect after being criminally negligent.

Many years ago, long before Bruce even considered SCADA systems to be a significant threat (search back in Crypto-Gram for that), I and others were raising concern that systems that were known to be insecure by design were being connected to either the PSTN or Internet, primarily to save the cost of having staff on site 24x7.

When you know, as did most process engineers of the time, that what you are doing is not just stupid but actually dangerous, then you are guilty of being negligent if you carry on down that path. I at the time decided to get out of that line of work as I was not prepared to compromise on safety; luckily for me I was not tied by the need to earn the level of money I was then on and could thus find reemployment in another field of engineering.

@ NobodySpecial,

Your argument only holds if and only if it can be shown that what is occurring is the equivalent of warfare that affects the national security of the country.

If, as I have maintained, it is the equivalent of crime and should be treated as such, then it falls very much on the company to protect their assets in exactly the same way as it's a bank's responsibility to ensure the security of the money in its vault.

NobodySpecial • January 30, 2012 11:20 AM

Today's version of the WTC attack would be to say, have every water treatment plant release raw sewage, every gas pipeline to shutdown or every traffic light to show all green.

Is it the responsibility of Upper Wichita falls highway dept to secure itself against such an attack? It would be ironic if at the same time the military is switching to cheap COTS systems that municipalities were being forced to buy mil-spec secure systems.

Brandioch Conner • January 30, 2012 11:40 AM

#4. cyberbattle space
#5. cyberconflict
#6. Cyberattacks
#7. cyberattack
#8. cyberconflict
#10. cyberattacks

And again, if no healthy person dies in their home as a direct result of such an "attack", it is not "war".

This is hype in order to sell products and services.

karrde • January 30, 2012 11:56 AM

@clive,

Interesting.

I'm still not sure on the deserve part, but you've moved me much closer.

It mostly depends on whether my example refers to a John Doe, or an executive from a corporation.

(Sticking to an example that is local to me, the city of Detroit hosts an important Auto Show every January...and high-level execs from companies like Toyota/Honda/BMW/etc do visit the Industry-Preview week at the show. The corporations definitely perform due diligence in selecting local housing and transit options. They also keep a local contact to host the visitors...and the reputation of Detroit is only a part of the reason, because high-level execs almost never travel alone and unguided.)

...
Many years ago, long before Bruce even considered SCADA systems to be a significant threat (search back in Crypto-Gram for that), I and others were raising concern that systems that were known to be insecure by design were being connected to either the PSTN or Internet, primarily to save the cost of having staff on site 24x7.

Now you're scaring me. As I hinted, I'm currently employed at a company that sells parts to auto-manufacturers.

And most such manufacturers are expanding connectivity-options for in-car entertainment. Generally, the high-level execs talk about Internet Radio as a different kind of broadcast...and not as a 2-way comms channel from a local computer.

I can't claim to have predated Bruce on warnings about security of in-car electronics.

But it worries me, and I'm not in a position to directly affect the design of connectivity communications.

flpmor • January 30, 2012 1:04 PM

I think what is meant by "Contrary to our historical understanding of war cyberconflict favors the attacker" is that there is very little cost to attempt an attack and fail.

Compare to traditional warfare, an army is defending a hill, which another army wants to conquer. The defenders have the tactical advantage, they can just wait until the enemy attacks. Attacking and failing will mean defeat, there is only one shot (high cost).

In 'cyberspace', the cost to attempt attacks is very low, so the attacker has the tactical advantage. The defender has the burden to close all holes, because now the attackers can try again and again until they find one.

Brett O • January 30, 2012 1:04 PM

The problem is nationalizing and militarizing cyberspace. The Internet should be free. Some of his points are self-defeating:

1. "The Internet is an artificial environment that can be shaped in part according to national security requirements."
Yes, it's artificial, but it IS NOT shaped by National security. It is Non/Multi-national. Nationalization is a bad trend, and is really invalid.

2. OK.

3. "The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography."
This point contradicts his #1 – the internet is non-geographic. It is also Co-Geographic – adversaries, friends and neutrals are equally non-distant (indistinguishable).

4. "Software updates and network reconfigurations change cyberbattle space unpredictably and without warning."
So this is beneficial, especially for the defensive: reconfigure your assets away from attack instantaneously. But it also exponentially increases the likelihood of collateral damage.

5. "Contrary to our historical understanding of war, cyberconflict favors the attacker."
OK. If you ignore #4.

6. "Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure."
None of which are warfare. Piracy, Espionage, and Crimes.

7. "The difficulty of obtaining reliable cyberattack attribution lessens the credibility of deterrence, prosecution, and retaliation."
So how do national agents, such as the military, justify militarization of the Internet?

8. "The "quiet" nature of cyberconflict means a significant battle could take place with only the direct participants knowing about it."
Collateral damage is exponentially higher – DDOS can impact other sites, degrade bandwidth, etc., not counting mis-targeted (like the organic farmers with the name SOPA?).

9. "The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking."
Lack of attribution. Lack of evidence. Is there anything at all to support?

10. "There are few moral inhibitions to cyberattacks, because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering."
OK, it's a game. And let's keep it that way. De-militarize, De-nationalize: Prevent the Internet by Agreement and Law from being used as a weapon of mass destruction. Then deal with the pirates and spies.

paul • January 30, 2012 1:17 PM

The "favors the attacker" formulation depends strongly on your ideas about victory conditions. If victory conditions involve inflicting possibly-unacceptable damage on an adversary, rather than seizing and holding territory or resources, then warfare has favored the attacker at least since the development of long-range artillery and air power. The shift may be more about whether the kinds of actors likely to engage in cyberwarfare are also the kinds of actors for whom destroying enemy assets (perhaps even at the cost of many of their own) is a plausible victory condition.

Of course, in a dynamic world, destroying enemy assets may be the equivalent of seizing and holding their territory or resources. Someone whose productive capacity has been sharply diminished isn't going to be able to compete while they're rebuilding, and if their capacity is diminished enough, they're going to have to buy from elsewhere, quite possibly including from their attackers.

(Meanwhile, I wonder -- not entirely rhetorically -- whether identifying a cyber foe is that much more difficult than identifying a physical one. In physical wars, it's tended to be rather that the space of attacker candidates is much much smaller.)

norbert wiener • January 30, 2012 1:20 PM

@Michael

>> My hatred for the use of that 'cyber' word

They've corrupted the original intent of the prefix, attached it to everything, and now it means nothing.

It ranks up there with "infrastructure".

PrometheeFeu • January 30, 2012 3:47 PM

They forgot the part where unlike real war, protection from cyber-war is not really a public good. How can my network be secured? Well, most likely by actions taken on my network exclusively. It's not like real wars where the military can stop the enemy at the border.

Michael • January 30, 2012 9:13 PM

@norbert wiener:
Yes, that word does mean very little, if anything, these days, and that scares me a little. To someone like myself, 'cyber' is something of an ephemeral term that can't be pinned down to anything specific. Does it relate to source code, hardware, telephone exchanges, cabling? Is it just a blanket term for stuff that makes pretty pictures appear on the monitor when 'consumers' visit a web site?
It's understandable that many believe the hype about 'cyber wars', when consumerisation has blinded people to the fact the technology really doesn't work that way.

Most of the infosec literature I come across talks about compliance, policies, management issues, etc., while overlooking the technical stuff - the actual nuts and bolts of what we're supposed to be protecting.

David Thornley • January 30, 2012 10:58 PM

@General Zap: Two things.

First, the Maginot Line was designed to guard part of the Franco-German border with fewer soldiers, and it did that well (the French were in a serious demographic dip at this time). The expected advance into Belgium was to be handled by the more mobile forces, and that was royally screwed up.

Second, Billy Mitchell was wrong. His viewpoints were farther from reality than the most hidebound of his opponents. The closest thing we've had to his idea of war is Kosovo in the 1990s. Fortunately, the Army and Navy continued exploring the uses of airpower, and came to generally good solutions without his input.

Anders • January 31, 2012 2:33 AM

"So far, there is little perceived human suffering."

What constitutes "human suffering", then? Only blood and gore?
It's likely that cyberwar (whether state vs state, or terrorism) will target critical infrastructure. With modern dependency on communications infrastructure, and not to mention electricity, the road to severe human suffering is short. For instance, cutting power to (parts of) a city will soon inhibit water supply, petrol pumps etc.
It doesn't take long before that turns into severe societal problems.

Brianary • January 31, 2012 8:53 PM

"or every traffic light to show all green"

This movie-plot threat brought to you by Superman III!

mrUniverse • February 1, 2012 7:35 AM

Clive, I think you confuse good security and perfect security when discussing infrastructure (especially power grids in this context). Right now we have bad security, and with the right tools even anons could cause blackouts. If people had listened to you, we would (presumably) have good security, and script kiddies with moderately advanced tools wouldn't be a threat, but can you really claim that the world's TLAs wouldn't be able to send something along the lines of Stuxnet through? As someone with experience in software development and network security, I doubt whether companies or consumers would foot the price of really serious security, and I further doubt whether facility operators/admins/etc. would be alert enough to stop determined social engineering efforts. In my experience, defending a network takes exponentially as many resources/manpower/skills as attacking does (and that experience includes running networks with thousands of users/boxes).

Clive Robinson • February 2, 2012 8:59 AM

@ mrUniverse,

First off sorry for the delay in replying, but as this is going to be a longish reply, I thought I'd leave it for other people to finish with the thread first.

With regards,

I think you confuse good security and perfect security when discussing infrastructure (especially power grids in this context). Right now we have bad security...

No and yes.

I regard good let alone perfect security in the same way I regard immortality, it sure would be nice but... time and probability ends it all.

As for the quality of security, yes, in the main it's not just bad but stinks. And the reason for this is expediency or efficiency or other management-speak for saying "it gets in the way of profit".

As Bruce and others have noted in the past, if security gets in the way then either management orders it removed or workers go around it because of the incentives management put in place. That is, a worker gambles they will get fired quicker for not meeting management work targets than for a security breach that might never happen.

Now if the consequence of a security breach appears at worst to just be a loss of privacy, I can see where the attitude of "no hurt, no foul" would take it. Likewise the very short term viewpoint of cutting costs to meet next quarter's targets, because as a senior manager you probably plan to be somewhere better in three quarters, so won't be there to take the flak.

As I've often said in the past I don't agree with either position but I can see why it happens and also why legislation with nominal fines will not solve the bad security problem.

But worse, the acceptance of "bad security" has become "accepted custom and practice" across all areas including the military. This means we have signed off as a society on "bad security for expediency" even where we know the consequences are serious harm and death to significant numbers of people...

I used to work in the petrochem industry with plant equipment worth more than the gross national debt of many countries, and daily operating figures in the tens of millions of dollars, thus the on-site business risk was immense. But as we know some chemical plants have significant off-site risks where it is known from previous events that the risk of death and multiple-generation harm to thousands is likewise immense (in some cases chemical plants are a more significant risk than a nuclear reactor melting down, and according to many an ordinarily operating coal-fired power station is doing more harm both short and long term).

So knowing the potential direct loss to shareholders and the further liability through litigation loss, why does any sane person accept "bad security" as a normal operating procedure in order to save at best a few thousand dollars?

But it was and is actually worse than that: the systems that were and still are being put onto world-wide public access networks are known to be not only insecure but so brittle that upgrading the OS or application is banned because of the known very high probability that it will not just break but not fail safe either.

That is, the systems were not and in many cases still are not "fit for purpose" when operated in isolation locally. And as such are very unlikely to be improved simply because one or two firewalls or other control-transparent systems are placed between them and a public access network, adding delay and instability to control loops...

But... worse, these systems are in many cases designed for a minimum of a twenty-five year life and some have been running in place for over 15 years. And... as the OS and applications are usually designed to a price as well, this means an MS OS ranging from Win 3.11 upwards, often in an "embedded" form where upgrading would be virtually impossible as IO cards are on backplanes that are no longer in use...

Do these systems, where the hardware, OS and app are no longer supported in any meaningful way, sound safe in any way shape or form in isolation, let alone when open to the vagaries of publicly accessible networks like the Internet, PSTN, cellular/mobile, ISM or other unregulated radio network or open access VHF/UHF/microwave network?

Because this is the reality of process control systems both in closed plants and open infrastructure networks for road, rail, power, water, telecommunications et al.

For instance you have local power, gas and water substations with UHF 12.5 kHz channel PMR systems using 2100 baud modems and open, easily recognised protocols, often without the benefit of usernames or passwords (changeable or not). Simply because it's cheaper to keep the body doing the rounds in his van rather than get out and open a box and plug

Roger • February 5, 2012 6:17 AM

It is an interesting area for thought, but I am not sure I unreservedly agree with all of the conclusions.

" 1. The Internet is an artificial environment that can be shaped in part according to national security requirements."

So can natural environments, and it has often been done in the past (think Great Wall of China, Maginot Line.) The question is more: what defensive shaping is economically feasible and socially acceptable? In highly authoritarian societies, a great deal; in free societies, not much. Does that give them an advantage?

" 2. The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them."

This is true to some degree, but is it really that important? There are also many thousands of firearms; I do not need to know the specific differences between a vz.58 and an SKS (both are rifles) to plan a defense against them. There are only 2 or 3 parameters that are important to know, and most of the time it is sufficient to group them as a general class.

Surely the same is largely true of cybernetic attacks? SQL injection, for example, has been around for over a decade, and can be subdivided into 9 classes; but the same basic defences that worked 10 years ago are still effective today. (IF you actually use them.)

" 3. The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography."

Bandwidth? Not really, except perhaps for cruder forms of DOS. The importance of connectivity is true, but it is not true that disconnected systems are invulnerable to military cybernetic attackers.

And if -- in accordance with point 6, below -- propaganda is a major mode of "cyberwarfare", then connectivity of the target system is irrelevant; it is only connectivity of decision makers that counts, and today that is practically universal.

" 4. Software updates and network reconfigurations change cyberbattle space unpredictably and without warning."

True of traditional military operations also -- although the changes can potentially occur faster in cyberspace. Indeed, much of traditionally military theory is based around ensuring that your plan is still workable even when everything changes or your information turns out to be wrong.

" 5. Contrary to our historical understanding of war, cyberconflict favors the attacker."

The author seems to think that our historical understanding of war is that conflict favours the defender. That is only partially true. For example, it is not true of raiding, in either the physical world or in cyberspace [1]. Both attackers and defenders have pros and cons. At a tactical level, it is understood that currently the defender has a substantial advantage in a prepared defensive position, ceteris paribus; but this is partly a function of technology, and mainly of the posing of the question. That is, the attacker's principal advantage is to choose the time and place of battle, and thereby avoid attacking a prepared defense; this is the same advantage he has in "cyberconflict"!

At a strategic level, the defender's principal advantage is moral authority, both under international law and the court of popular opinion. This is much the same on the internet.

" 6. Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure."

How is this different from traditional military operations?

" 7. The difficulty of obtaining reliable cyberattack attribution lessens the credibility of deterrence, prosecution, and retaliation."

This seems to be true, and is a general feature of most malicious internet activities, from bullying, to fraud, to "cyberwar." On the other hand, it is actually less severe for "cyberwar" than it is for fraud: the culprit will often be obvious even when it is impossible to prove outright.

" 8. The "quiet" nature of cyberconflict means a significant battle could take place with only the direct participants knowing about it."

This is far more true of conventional conflict than people seem to realise. You may get 24 x 7 coverage of campaigns where Western armies allow embedded reporters, but just how familiar are you with the Karen insurgency, the Sahrawi rebels, the Battle of Gospic or the Binnenlandse Oorlog?

Conversely, significant battles have already taken place on the 'net, they were publicised -- and there just wasn't a lot of interest.

" 9. The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking."

I don't understand what this means. Victory is subjective because of lack of expertise?

" 10. There are few moral inhibitions to cyberattacks, because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering."

If cyberattacks are used for espionage, they have the same moral inhibitions as that crime. If they are used for destruction of critical infrastructure, then they have the same moral inhibitions as arson.

Propaganda is different, though. It has become such a commonplace -- in traditional media, but even more so in the blogosphere -- that no-one really cares unless you are caught out in a massive clanger.

This again could well be more of a problem for free societies than for authoritarian ones.

___
1. In the physical world, an attack may be a raid to destroy enemy resources, or more often it is intended to seize and hold. So far as I am aware, all cyberattacks are raids. The concept of "seizing and holding" does not seem to even be meaningful here, and suggests that the whole concept of "cyberconflict" is an imperfect analogy that becomes too tortured at this point.

Clive Robinson • February 5, 2012 11:33 AM

@ Roger,

I'm guessing from your time of posting you might be in the UK, if so I hope you are enjoying the snow...

But back to your point,

The concept of "seizing and holding" does not seem to even be meaningful here, and suggests that the whole concept of "cyberconflict" is an imperfect analogy that becomes too tortured at this point.

Yes and no, it depends on a number of view points.

Firstly, in conventional warfare "seizing and holding" has two distinct possibilities. The first is to gain advantage of resources for your own forces, the second and more usual is to deny the use of resources to the enemy forces. In both senses there is an implicit but unstated assumption that the resource has tangible physical form.

Which secondly means you have to separate the "intangible" resources from the "tangible" resources and explicitly check the physical form assumptions apply under all attack vectors.

Thus a cyber-crime/espionage act on the "intangible data" can firstly copy the data surreptitiously, secondly delete the data (which is usually only an act of annoyance due to backups etc), or thirdly and much more effectively "future trojan it". That is, by actually encrypting the data and modifying the file system such that the normal user is unaware their data files have been encrypted, so that all backups etc are likewise encrypted. Then at some future point the modification to the file system deletes the encryption key, thus properly denying access to the data by the normal user not just in the file system but in the backups as well (which is just another reason why you should ALWAYS properly check your backups...).

Then there is cyber-crime/espionage against the tangible hardware in various ways. Firstly, more on the espionage side, an intangible such as an OS driver can be changed in some way such that the hardware either emits or is more susceptible to external fields and forces (think infra/ultra-sound or EM fields from DC-Daylight) such that a new communications path, unknown to the enemy, can be opened (an existing example of this is TEMPEST-Fonts as demonstrated by the Cambridge Labs). Secondly, another attack which causes real tangible damage and is thus on the criminal side is the "poke to explode" problem Commodore had in the 1980's whereby a particular sequence of instructions and data caused real physical damage to the hardware. Of more recent times some HP printers are reputed to have a similar failing. And if you think about the drive to reduce manufacturing and other tangible object costs, such attack vectors are becoming considerably more likely. That is, the increasing trend of putting the main design effort into intangible software not tangible hardware means that protection components will be left out of hardware designs and dangerous circuit configurations will be "assumed safe" because "the software won't do that"...

However even a simple DoS attack denies access by the enemy to their tangible resources, thus whilst in progress the tangible technology can be considered to have "been captured" even though the attack vector was effectively by intangible information (see below about energy). Likewise any malware that causes the enemy to lose access to their tangible computing resources can be considered to be an attack that has "seized and held" those resources until such time as the intangible malware is expunged from the tangible storage on the tangible computing resources.

As I've noted a number of times in the past, because of the difference between "intangible" data and "tangible" hardware and the human failing of making assumptions about the tangible physical world applying to the intangible information world, we get odd comparisons (and often glaring security holes).

One such odd comparison is "cyber-conflict" to "armed-conflict", also incorrectly called "conventional warfare". My personal belief is you can only extend "cyber" to certain types of "crime" and certain types of "espionage" because in reality the original crimes or espionage were actually "intangible" information based activities, even though they might have suffered from one or more physical limitations caused by storage and communication etc.

That is, copying of secret battle plans etc (espionage) or other essentially information based targets have a physical property limitation, as the information is traditionally stored on paper which was likewise traditionally kept in a safe. Both the storage of the information on the piece of paper and the control of its communication via lack of access to the safe interior apply the limitations of their physical forms to the information. However the "copying of information" does not take the information, it merely duplicates it. Thus once the physical constraints of access to the storage the information is on are overcome, the actual duplication is not physically constrained, as you can take as many copies of the information as you wish to do and have the physical resources to store them to or communicate to other storage.

The problem of the confusion between intangible and tangible resources arises because although information is intangible and effectively without physical constraint, its storage, communication and processing are constrained by our physical universe as we understand it. That is, it requires energy to transmit information, energy to make a state change in the storage medium and likewise energy to make perceivable changes to information (by processing it and then making it available to view).

We should remember that the limitation is due to the use of energy not to the information itself. We then also need to remember who pays for the energy, because in cyber crime and espionage, almost invariably it's the victim not the attacker who pays, and this is very much at variance to our normal physical world viewpoint where the attacker is constrained by their access to and control of energy.
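A defender-side illustration of the "ALWAYS properly check your backups" point above: an added example (not code from the comment or from this site) showing a restore-time scan that flags files which should be readable text but have ciphertext-like byte entropy, which is how a silently encrypted file would look once it had been faithfully backed up. The sample backup contents, the text-extension list and the 7.0 bits/byte threshold are constructed assumptions.

```python
import math
import hashlib
from collections import Counter

# Constructed stand-in for an encrypted file: deterministic high-entropy bytes
# derived by chaining SHA-256 (not real ciphertext, just statistically similar).
def _pseudo_ciphertext(n: int, seed: bytes = b"constructed-seed") -> bytes:
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

PLAINTEXT = (b"Quarterly logistics report. Supplies delivered to depot 4 on schedule; "
             b"fuel reserves at 72 percent; request additional transport capacity.\n") * 40

# Constructed sample backup set: q1 is genuine text, q2 has been silently
# replaced by ciphertext while keeping its name and extension.
SAMPLE_BACKUP = {
    "reports/q1.txt": PLAINTEXT,
    "reports/q2.txt": _pseudo_ciphertext(len(PLAINTEXT)),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, approaching 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

TEXT_EXTENSIONS = (".txt", ".csv", ".log", ".md", ".xml", ".json")

def scan_backup(files: dict, threshold: float = 7.0) -> list:
    """Return paths of files that should be plain text but look like ciphertext."""
    return [path for path, data in files.items()
            if path.endswith(TEXT_EXTENSIONS) and shannon_entropy(data) > threshold]

if __name__ == "__main__":
    for path, data in SAMPLE_BACKUP.items():
        print(f"{path}: entropy={shannon_entropy(data):.2f} bits/byte")
    print("suspicious:", scan_backup(SAMPLE_BACKUP))
```

The same scan run against a restored copy of each backup generation would show the encryption at the point it first appeared, before the key was removed.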

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.