US Offensive Cyberwar Policy

Today, the United States is conducting offensive cyberwar actions around the world.

More than passively eavesdropping, we're penetrating and damaging foreign networks for both espionage and to ready them for attack. We're creating custom-designed Internet weapons, pretargeted and ready to be "fired" against some piece of another country's electronic infrastructure on a moment's notice.

This is much worse than what we're accusing China of doing to us. We're pursuing policies that are both expensive and destabilizing and aren't making the Internet any safer. We're reacting from fear, and causing other countries to counter-react from fear. We're ignoring resilience in favor of offense.

Welcome to the cyberwar arms race, an arms race that will define the Internet in the 21st century.

Presidential Policy Directive 20, issued last October and released by Edward Snowden, outlines US cyberwar policy. Most of it isn't very interesting, but there are two paragraphs about "Offensive Cyber Effect Operations," or OCEO, that are intriguing:

OCEO can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging. The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist.

The United States Government shall identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power, establish and maintain OCEO capabilities integrated as appropriate with other US offensive capabilities, and execute those capabilities in a manner consistent with the provisions of this directive.

These two paragraphs, and another paragraph about OCEO, are the only parts of the document classified "top secret." And that's because what they're saying is very dangerous.

Cyberattacks have the potential to be both immediate and devastating. They can disrupt communications systems, disable national infrastructure, or, as in the case of Stuxnet, destroy nuclear reactors; but only if they've been created and targeted beforehand. Before launching cyberattacks against another country, we have to go through several steps.

We have to study the details of the computer systems they're running and determine the vulnerabilities of those systems. If we can't find exploitable vulnerabilities, we need to create them: leaving "back doors," in hacker speak. Then we have to build new cyberweapons designed specifically to attack those systems.

Sometimes we have to embed the hostile code in those networks -- these are called "logic bombs" -- to be unleashed in the future. And we have to keep penetrating those foreign networks, because computer systems always change and we need to ensure that the cyberweapons are still effective.

Like our nuclear arsenal during the Cold War, our cyberweapons arsenal must be pretargeted and ready to launch.

That's what Obama directed the US Cyber Command to do. We can see glimpses of how effective we are in Snowden's allegations that the NSA is currently penetrating foreign networks around the world: "We hack network backbones -- like huge Internet routers, basically -- that give us access to the communications of hundreds of thousands of computers without having to hack every single one."

The NSA and the US Cyber Command are basically the same thing. They're both at Fort Meade in Maryland, and they're both led by Gen. Keith Alexander. The same people who hack network backbones are also building weapons to destroy those backbones. At a March Senate briefing, Alexander boasted of creating more than a dozen offensive cyber units.

Longtime NSA watcher James Bamford reached the same conclusion in his recent profile of Alexander and the US Cyber Command (written before the Snowden revelations). He discussed some of the many cyberweapons the US purchases:

According to Defense News' C4ISR Journal and Bloomberg Businessweek, Endgame also offers its intelligence clients -- agencies like Cyber Command, the NSA, the CIA, and British intelligence -- a unique map showing them exactly where their targets are located. Dubbed Bonesaw, the map displays the geolocation and digital address of basically every device connected to the Internet around the world, providing what's called network situational awareness. The client locates a region on the password-protected web-based map, then picks a country and city -- say, Beijing, China. Next the client types in the name of the target organization, such as the Ministry of Public Security's No. 3 Research Institute, which is responsible for computer security -- or simply enters its address, 6 Zhengyi Road. The map will then display what software is running on the computers inside the facility, what types of malware some may contain, and a menu of custom-designed exploits that can be used to secretly gain entry. It can also pinpoint those devices infected with malware, such as the Conficker worm, as well as networks turned into botnets and zombies -- the equivalent of a back door left open...

The buying and using of such a subscription by nation-states could be seen as an act of war. 'If you are engaged in reconnaissance on an adversary's systems, you are laying the electronic battlefield and preparing to use it' wrote Mike Jacobs, a former NSA director for information assurance, in a McAfee report on cyberwarfare. 'In my opinion, these activities constitute acts of war, or at least a prelude to future acts of war.' The question is, who else is on the secretive company's client list? Because there is as of yet no oversight or regulation of the cyberweapons trade, companies in the cyber-industrial complex are free to sell to whomever they wish. "It should be illegal," said the former senior intelligence official involved in cyberwarfare. "I knew about Endgame when I was in intelligence. The intelligence community didn't like it, but they're the largest consumer of that business."

That's the key question: How much of what the United States is currently doing is an act of war by international definitions? Already we're accusing China of penetrating our systems in order to map "military capabilities that could be exploited during a crisis." What PPD-20 and Snowden describe is much worse, and certainly China, and other countries, are doing the same.

All of this mapping of vulnerabilities and keeping them secret for offensive use makes the Internet less secure, and these pretargeted, ready-to-unleash cyberweapons are destabilizing forces on international relationships. Rooting around other countries' networks, analyzing vulnerabilities, creating back doors, and leaving logic bombs could easily be construed as acts of war. And all it takes is one overachieving national leader for this all to tumble into actual war.

It's time to stop the madness. Yes, our military needs to invest in cyberwar capabilities, but we also need international rules of cyberwar, more transparency from our own government on what we are and are not doing, international cooperation between governments, and viable cyberweapons treaties. Yes, these are difficult. Yes, it's a long, slow process. Yes, there won't be international consensus, certainly not in the beginning. But even with all of those problems, it's a better path to go down than the one we're on now.

We can start by taking most of the money we're investing in offensive cyberwar capabilities and spending it on national cyberspace resilience. MAD, mutually assured destruction, made sense because there were two superpowers opposing each other. On the Internet there are all sorts of different powers, from nation-states to much less organized groups. An arsenal of cyberweapons begs to be used, and, as we learned from Stuxnet, there's always collateral damage to innocents when they are. We're much safer with a strong defense than with a counterbalancing offense.

This essay originally appeared on CNN.com. It had the title "Has U.S. Started an Internet War?" -- which I had nothing to do with. Almost always, editors choose titles for my essays without asking my opinion -- or telling me beforehand.

EDITED TO ADD: Here's an essay on the NSA's -- or Cyber Command's -- TAO: the Office of Tailored Access Operations. This is the group in charge of hacking China.

According to former NSA officials interviewed for this article, TAO's mission is simple. It collects intelligence information on foreign targets by surreptitiously hacking into their computers and telecommunications systems, cracking passwords, compromising the computer security systems protecting the targeted computer, stealing the data stored on computer hard drives, and then copying all the messages and data traffic passing within the targeted email and text-messaging systems. The technical term of art used by NSA to describe these operations is computer network exploitation (CNE).

TAO is also responsible for developing the information that would allow the United States to destroy or damage foreign computer and telecommunications systems with a cyberattack if so directed by the president. The organization responsible for conducting such a cyberattack is US Cyber Command (Cybercom), whose headquarters is located at Fort Meade and whose chief is the director of the NSA, Gen. Keith Alexander.

None of this is new. Read this Seymour Hersh article on this subject from 2010.

Posted on June 21, 2013 at 11:43 AM • 45 Comments

Comments

h4xx • June 21, 2013 12:04 PM

OpenBSD is the answer. Look how they have completely redesigned giant routers with OpenBGP and pfsense and they just released OpenSMTP finally securing that old garbage mail protocol. Best part is they have kept all configuration uniform so if you know OpenBSD pf firewall syntax you know how to configure OpenSSH, OpenBGP, OpenSMTP etc.

This is the answer to insecure networks: throw out those corporate blackboxes with NSA back doors and build your own country's infrastructure using OBSD. Run linux work terminals or OBSD terminals that are virtual routed and isolated with carp/pf so they are unable to be attacked or attack other systems on the network. Cost is minimal you just need somebody that knows what they are doing or read the man pages/get the book Absolute Openbsd 2 that just came out.

I don't understand why it's still acceptable to drop cisco or MS blackboxes on a secure network handling stuff like nuclear secrets or critical national telecoms. NSA would have their work cut out for them trying to logic bomb a hardened gentoo or even fedora workstation running grsec and selinux policy, surrounded by a locked down openbsd network firewall and router.

AC2 • June 21, 2013 12:16 PM

OT but I think it's time the Nobel committee REALLY ask Obama to give it back...

ted • June 21, 2013 12:24 PM

What's to stop this from being used against Americans? We already see the IRS being used to harass the opposition.

aboniks • June 21, 2013 12:32 PM

@h4xx

"...you just need somebody that knows what they are doing..."

You need enough of them to rebuild an entire country's infrastructure, and then you need to retrain the vast majority of your employees to use the new systems.

You also need to make sure all the critical shiny software tools in use throughout your entire system are ported over without creating security gaps, and you have to fight tooth and nail one agency and department at a time to get the admins, users, and accountants to pull their lips away from the windows teat.

This is not anything like cheap or simple on the front end, although it's a good idea.

phil • June 21, 2013 12:57 PM

AFAIK, stuxnet was designed to cause above-average but otherwise normal-looking failures of uranium centrifuges, not, as is written, to "destroy nuclear reactors".

NobodySpecial • June 21, 2013 1:10 PM

So the US military develops a set of weapons which are almost useless against both its official enemies (a bunch of terrorists living in medieval conditions in Afghanistan) and its unofficial enemies (China) - but which it is itself uniquely vulnerable to.

Isn't this a little like Superman developing a kryptonite bomb?

indeed • June 21, 2013 1:43 PM

Actually I find OBSD to be far less complex and easier to master than windows or apple products. Any material on configuring windows security policy is a gigantic textbook. Windows security policy makes writing SElinux policy look like a kid's homework exercise.

If I'm Iran, I would want to be deploying custom security builds of open source software and make sure no blackboxes are touching my critical infrastructure. Hell, with the way the NSA has been acting everybody if they can should be doing this. I don't even trust harmless gaming consoles anymore after the Sony rootkit and MS kinetic constantly connected/spying debacle.

Brian • June 21, 2013 1:49 PM

When malware is found on oil rigs, which it has, and industrial plants, which it has, and pipelines, which it has, you cannot say that our adversaries are not engaging in the exact same behavior.

aboniks • June 21, 2013 2:10 PM

@indeed

"...Actually I find OBSD to be far less complex and easier to master than windows or apple products..."

That's reassuring, because my relatively short time in the signal corps showed me pretty clearly that even the SME's didn't actually have much of a clue what they were doing with windows...and the average user (even among contractors) sitting in front of a 'doze box was frighteningly under trained.

I stand by my original point though; OBSD may well be simpler, but you still have to convince people to use it, train them to do it right, figure out how to pay to deploy it, and then execute the deployment without significantly disrupting the existing functions of the systems you're replacing.

Milo M. • June 21, 2013 2:43 PM

One can only hope that we never hear the Cyber warrior version of Hue: "We had to destroy the Internet in order to save it."

Doug Coulter • June 21, 2013 2:52 PM

I doubt any new international law on cyberwarfare will have any more practical effect - and most of the same unintended consequences, than the laws against drugs, alcohol...guns...whatever. All they do is drive things underground, create wealth for the people willing to break those laws, and put power into the wrong hands. History, people! War is what happens when the laws and diplomacy fail...there are no laws at that point, unless the winner wants to kill a few more of the losers for violating them after they win (Nuremberg).

Not Your Mother • June 21, 2013 3:06 PM

You lost me at "rules of cyberwar" ... whatever foolish goal that might be.

Peter A. • June 21, 2013 3:13 PM

@Phil: re: purpose of stuxnet.

I've read differing opinions. Some said the purpose was to cause "mystic" mechanical failures; others said it was to spoil the enrichment process without causing (significantly more) failures.

Dirge • June 21, 2013 3:31 PM

Yet they will consider using conventional weapons in response to a cyber-attack on the USA. That's a very *interesting* position, I must say.

Craig • June 21, 2013 3:40 PM

The only problem with establishing international rules governing "cyber-war" is that everyone will pay lip service to them in public while utterly ignoring them in private. (And anyone who thinks otherwise is a fool.)

name.withheld.for.obvious.reasons • June 21, 2013 4:59 PM

Bruce, you have missed something here!

THERE IS NO SCOPE TO THIS ACTIVITY! OCEO & DCEO is meant for any and all systems and networks regardless of any nation state status. You didn't mention the collection "feature." Also, the president does not have to be in the decision loop and any department or IC can initiate acts of war. It is the ECA and the way the IC authority is structured. You all don't know it but your government has been executing a covert war right under your noses. And there is more...

twofish • June 22, 2013 2:21 AM

There's a problem which I'm surprised that no one has brought up.....

Anything that makes the US computer infrastructure more secure against Chinese state-sponsored hackers and cyberattacks will make it harder for US state-sponsored hackers and cyberattacks. If the US goes on a program of mandating strong crypto and making the US internet infrastructure resistant to backdoors, then China will just use that technology to strengthen its systems. In addition, any effort to strengthen US systems through strong crypto will make it more difficult for the NSA to read data from foreign countries.

The NSA is the worst possible agency to defend the US against cyberattack, because it is in the interests of the NSA to make the US more vulnerable to cyberhacking.

I'm surprised that no one has made this point.....

twofish • June 22, 2013 4:48 AM

One thing about international law is that most of it works through custom rather than formal legislation. The problem with using formal legislation is that you can draft a complicated formal international agreement, and then have it ignored in practice. By contrast, a lot of international law is of the form "if you don't do X to me, I'll not do X to you" and this can be quite effective, and a lot of this involves unwritten agreements and understandings, some of which end up happening over centuries. Informal, unwritten norms sometimes work better than formal, written ones.

One problem with international agreements with regard to cyberattack is that there is no evidence that the United States would be willing to commit to any sort of standards anyone is willing to come up with. The only way that you will get any sort of effective agreement on limiting cyberattack is if the US/China/Russia/India all point guns at each other, and everyone decides that it's not in anyone's interest to shoot, and so the purpose of the agreement is to let everyone drop their guns at the same time. This has worked in the past.

The NSA has been able to use law to get the American public to let it basically do whatever it wants. I doubt that China, Russia or India would be more understanding, and the concern over the US championing "international rules" on cyberhacking is that those rules will turn out to work the same way that FISA has worked with US cyberspying.

Clive Robinson • June 22, 2013 5:13 AM

@ Bruce,

Apart from the issue with regards stuxnet [1] --which is always going to have question marks hanging over it along with flame et al-- there is the problem with the meaning of "created and targeted beforehand".

With conventional kinetic weapons an entity will design, develop and amass them within their own territory and that of their (supposed) allies not that of the enemy. Because to do otherwise in anything other than a formally enacted war is actually a war crime.

An information weapon such as an implanted backdoor or exploit code used to gain access does damage to computers (see US legislation). But importantly this is done to computers that are not in the country's own territory or that of their allies but that of the (supposed) enemy as part of the "created and targeted beforehand".

It is very important to realise that this has significant issues in that if the intent of the implanted backdoor or malware was to do a criminal act then it's covered by the various civil codes. But if the intent was to gather intelligence in another sovereign nation then it is not espionage in the normal sense but sabotage, and that is considered under international treaty//law as the first step in initiating a war, which importantly is a war crime for which in the past political leaders and (supposed) non political or military personnel have been executed.

A further more modern problem is that whilst it is fairly clear to those working on kinetic weapons development what they are doing and thus the potential for being held accountable for war crimes the same is far from true for what we call cyber-weapons.

Whilst it can be said that conventional kinetic weapons are dual use in that they can be used for both defense and offense the same cannot be said for cyber-weapons. They are only offensive, never defensive, and always illegal to use against others who have not given permission for them to be used against them.

But worse for those developing backdoors and exploit code etc, as we know from their past activities certain countries (such as Israel and Russia) regard the extra territorial execution of politicians and civilians involved in weapons development to be a fully legal process.

Thus the likes of Microsoft should be aware that this leaves them open legally. If one of their employees was to be extra territorially executed for "sabotage" for developing backdoors or exploit code etc as part of their employment then the employer has a significant liability. But in the case of backdoor code, there is also significant criminal and civil liability in every country they sell their code in, which the US Government can not protect them from.

And as Google are currently finding some countries are starting to get prickly and resorting to legal action for considerably less than "backdooring" code.

[1] Stuxnet was initially assumed to be aimed at the Nuclear Reactor Russia was building for Iran but was slightly later found to have attacked the uranium enrichment facilities. And legally far worse caused damage in civilian facilities (a war crime) in other countries (another war crime) where similar industrial control equipment to the enrichment plant was used for amongst other things food and medical drugs production (the list of this collateral damage is still far from complete).

Clive Robinson • June 22, 2013 5:45 AM

@ Iain Coleman,

    ... and who can't be bribed or threatened

Which is exactly the reason I've said for some considerable period of time now that "code signing" is not worth a damn.

I can remember people on this and other blogs disagreeing quite vociferously with me, but Stuxnet made them go quiet. Now there is this to show even further just how useless code signing is, because this is indicating a deliberate US Government policy of adding bad code to internationally supplied software code bases with the full knowledge of software suppliers senior management....

And as I've noted whilst the US Government might be able to manipulate the legal process to protect these companies in the US they can not do the same in other jurisdictions.

The question is will people start to take action both legally and otherwise against these US controlled companies?

Just buying other non US controlled company software could cause significant fragmentation of the industry and would have a similar effect as "market protectionism" on the world economy.

In fact it is likely that a new series of legislative changes will happen which will be the equivalent of "market protectionism". In the same way US Government representatives were in the process of applying market protectionism measures against two Chinese telecoms companies, it is now likely that other governments will start applying sanctions against US controlled companies and US cries of "but we're the good guys" will be laughed at at best.

Jack • June 22, 2013 11:25 AM

Drawing up *battle plans* is pretty much necessary for standing militaries. It does not mean they are actually implementing them.

During the Cold War, for instance, the KGB hotly sought the battle plans for the US in Germany, the "what if the Soviet Union invades Western Europe battle plans". And they got them. They paid a lot of money for them. (Whether they were genuine or not, who knows.)

Militaries have been drawing up "what if" scenario battle plans for ages. Not something which is advisable to make the public aware of because they could misconstrue them.

For instance, I am very sure the US has drawn up battle plans for North Korea invasion. And I am sure they alter these as the diplomatic scene changes.

What the Soviet Union and the Nazis did, however, was go beyond mere battle plans and actually set up forward, "across enemy lines" systems. For instance, the Soviets planted caches of weapons and money across Europe and the US for their agents and soldiers.

We also take it as a given that when modern Russia hacks into our infrastructure they do this for "what if" scenarios. (If, in fact, they really have been doing this as some sources claim.)

Jack • June 22, 2013 11:37 AM

Separating into a different post:

There is something darker here which does concern me. Namely, that these cyber war plans, and potentially implementations can allow a foreign nation, or other unfriendly entity to forge the United States' signature in an attack and so start a real war.

The same problem exists backwards, of course. Someone could forge what analysts believe is a Chinese signature in an attack, and so on.

And this problem exists with terrorism.

One nation could set up an attack on another nation and pose as yet another nation entirely. Or another entity.

Iran has already been doing this, for instance, with terrorism, setting up attacks in the past which were designed to look like Palestinian Sunni attacks.

So there is the "anonymous" vector to both cyber attacks and terrorist attacks which is possible. (Or, as one of my friends likes to say "ambiguous".)

Coupled with the above concern: What is the US Government doing dealing with companies that have such apocalyptic sounding names and who hire hackers with dubious backgrounds that do not even have clearance, but instead merely sign NDAs? I mean "endgame", what is that? Endgame for what? The world?

Then, there is the fear problem, or mass hysteria problem. Why is the objective so often to work up fear, paranoia, even mass hysteria? Are those noble spirits to fan the flames of? Does not fear make people vulnerable?

Does not fear and delusion go hand in hand? Fear, or so it appears, is what is governing these nations. Not people. Fear.

Maybe Teddy Roosevelt was correct, "the only thing to fear, is fear itself"?

Kevin an Auditor • June 22, 2013 1:59 PM

I am surprised no one has brought up the fact that the US planned for a cyber attack on Iraq (particularly the banking system) prior to the 2003 invasion. The Bush administration rejected the plan for two reasons; Firstly, the effect on civilians could and likely would be construed as a war crime, Secondly, the malware was likely to spread into French banks and possibly other European banks.
http://www.infosecisland.com/blogview/6750-Cyber-Warfare-and-the-Conflict-in-Iraq.html

If the fear of "collateral damage" seems to ring hollow a decade on, consider it proof that the White House lacks both crystal balls and time machines. Also consider it evidence, of some sort, that indiscriminate "logic bombing" was not then policy.

IraqiGeek • June 22, 2013 9:49 PM

@Kevin

A cyber attack on Iraq back in 2003 would have been pointless, especially on the financial system. The country didn't have a single ATM machine. Foreign currency accounts were not allowed, and the exchange rate with the Iraqi Dinar, and hence inflation, could fluctuate by as much as 20% on a given day because of whatever piece of news, or rumor, spread that day. Financial institutions were not connected. If you wanted to withdraw money you had to go to the specific branch where your account was. Ditto for deposits. So, people didn't use banks to safeguard their money.

As for the government, there wasn't much that was connected simply because the country lacked the basic infrastructure needed.

Scott "SFITCS" Ferguson • June 22, 2013 10:44 PM

@Clive Robinson

    [1] Stuxnet was initially assumed to be aimed at the Nuclear Reactor Russia was building for Iran

That's the problem with assumptions. Consider the possibility that Stuxnet is/was just a re-purposing of existing code - originally developed for the same class of controllers. Ufa.
Despite the claims and counterclaims one thing is true - Ufa happened because the gas valves automatically opened when they should not have, and, would not respond to control commands to close. Proof that this was not the result of sabotage is that the controllers were SCADA, which somehow makes software sabotage an unsupportable scenario... (and Thomas Reed is/was deluded, and the Farewell dossier is a fake etc).

That, far-fetched, scenario would account for code fragments that considerably predate Iran's nuclear program.

Scott "SFITCS" Ferguson • June 22, 2013 10:59 PM

@IraqiGeek

    A cyber attack on Iraq back in 2003 would have been pointless, especially on the financial system.

!Huh?!

Seriously? I'm hoping you're going for irony/sarcasm rather than irretrievably and dangerously naive.

Any number of projects could easily be "effected", any of which would have crippled the government and further impoverished the people. And that's without even considering the elephant in the room (SWIFT, which has been used against Iran).

Difficult? Even delaying pensions by a day or two would be trivial and its effect critical (especially if Iranian opposition had foreknowledge).

I could speculate - but why when (your?) government could just ask Ross Perot. (sigh).

Michael Moser • June 23, 2013 7:14 PM

treaties on cyberwar are a good idea, but those are impossible to verify; remember that the critical issue in nuclear arms negotiations was verification; this element is lacking here.

I will not be surprised if some countries will go off the internet as a result of these games; though. Now that would be a really stupid development.

Dirk Praet • June 23, 2013 8:21 PM

    But in the case of backdoor code, there is also significant criminal and civil liability in every country they sell their code in, which the US Government can not protect them from.

Only in theory.

Any company backdooring its products on behalf of the USG would require substantial assurances that they would never be held accountable, especially outside of the US as for all practical purposes this would destroy their foreign markets.

- For starters, it's safe to assume that any such efforts would be undertaken in a way that would allow for "plausible deniability" and "reasonable doubt" cards to be pulled. "Oops. That seems to be some piece of code from the debug version." or "The rogue programmer responsible for this has been fired."
It's been done in the financial sector too, when in 2008 French trader Jerome Kerviel was made a scapegoat by the Société Générale over breach of trust, forgery and unauthorized use of the bank's computers resulting in losses valued at €4.9 billion.

- NSA’s Gen. Keith Alexander has been petitioning Capitol Hill for a while for some sort of cyber shield immunity for companies collaborating with the USG.

- Both USG and US based companies are lobbying very hard against any legislation/regulation in other countries that would possibly compromise their interests. One example is Article 42 (also known as the anti-FISA clause) of the European Commission Draft Data Protection Regulation on international data transfers. With the Snowden revelations, this is now back on the table and the consequences of implementation thereof could be dramatic for US surveillance and other programs.

NobodySpecial • June 23, 2013 8:23 PM

Although it's unlikely that congressional immunity would help a Google banned from the eu or iPhones banned in China.

itgrrl • June 23, 2013 11:29 PM

@Michael Moser: Exactly (re: verification). Compliance (or non-) with nuclear treaties can be monitored. In conventional warfare, massing of troops and equipment can be tracked quite well. Without the ability to assess compliance, such treaties are worthless. I don't believe it's possible to create a monitoring scheme that is verifiably accurate in the cyber-realm - certainly not one that all signatories could ever agree upon.

@Jack: The 'fear itself' quote was from FDR, not Teddy. :-)

Scott "SFITCS" Ferguson • June 24, 2013 12:14 AM

@h4xx

    OpenBSD is the answer.

Maybe (if the question was "what does Playstation 4 run?"), but you failed to mention the question it answers.... ;)

I think your 'advice' is, um, incorrect, as OpenBSD is not a "secure operating system" (nor was it ever designed to be one).
This definition cannot be applied to OpenBSD as OpenBSD was not designed with security in mind and provides no real way to lock down and limit a system above standard UNIX permissions, which are insufficient.


Security is not intuitive, or simple. And I've previously referenced OpenBSD and code backdoors.

OpenBSD do produce great documentation though.

Michael Moser • June 24, 2013 2:17 AM

The security solution cyber war has side effects (that's the way with security solutions): it is bad for business; from now on a lot of people in foreign lands and foreign governments will ask questions about privacy / security when dealing with US based IT/telecom companies.

We can only hope that the whole cyber war thing will be scrapped because it harms business. If CISCO/IBM/Apple/Microsoft speak up then this could make a difference.

Jacob • June 24, 2013 8:28 PM

Ok. I have a question. What if country A (cough, China) attacks us and makes it look like country B (cough Russia) did it. If the attack is big enough that a big response is the consequence or kinetic through ratcheting up along the lines of WW1? China could eliminate two global adversaries at once. It might work if well covered and big enough. Maybe that's a storyline for next year's contest.... :) Still scary thought though.

sushi • June 26, 2013 2:27 AM

@ Clive

    indicating a deliberate US Government policy of adding bad code to internationally supplied software code bases with the full knowledge of software suppliers senior management....

---
I suspect that current US policy goes further than this.

Almost any sophisticated form of hardware (farm tractor, train engine, airliner, bulldozer, combine, you name it) contains microprocessors and most of these are intended to be used on communications networks.
If I was selling (or "donating") such hardware while seeking Total Information Dominance, I suspect I would be tempted to arrange for each such article to be compromised in such a way that I can gain information from it, or I can remotely access it and halt or degrade certain functions.

Think of all those future F-35 JSF warplanes being sold to countries worldwide with the USA being the only nation with access to the codebase used in those planes (some 35 million lines). I think if I was worried about these things I would design a system such that if one of those aircraft were to be used against me I had available a means to degrade its function and render it useless.

I'm sure you can spin this set of ideas much further. And I think that gives an indication of the nature of the problems that crop up when the state and the corporate sector decide to get into bed together.

Clive Robinson • June 26, 2013 6:31 AM

@ Jacob,

    What if country A (cough, China) attacks us and makes it look like country B (cough Russia) did it. If the attack is big enough that a big response is the consequence or kinetic through ratcheting up along the lines of WW1? China could eliminate two global adversaries at once.

You are making an assumption of "Country A"; it is actually "Person A" when you think about it...

That is after you have developed the payload and delivery mechanism in secret, a single person puts out a single copy and the near zero cost force multiplier effect of the Internet takes over.

It is one of those differences between our "physical world assumptions and information world realities" effects I mention from time to time. The upshot is a single person becomes "an army of one" and the results can be not just "eliminate two global adversaries at once" but one heck of a lot of collateral damage as well (in theory the "nuclear winter" of the MAD / Doomsday policies of the cold war).

It's why I also say that we should talk about "cyber-crime" which is what it really is rather than "cyber-warfare" which it is not, because in our human minds we assume Crime is dealt with by policemen, courts and legislation, whereas War is dealt with by Soldiers, bullets and WMD.

Like most of us I don't want a more or less harmless stray bit to become a real game of "Global Thermo-Nuclear War" with the joy of being collateral damage named "Ash City" (what London was only half jokingly referred to during the height of the Cold-War and "Mad Maggie" Thatcher / Ronny "Ray Gun" era).

Clive Robinson • June 26, 2013 7:33 AM

@ Scott,

I was working in the petrochem business a few years after the Russian Gas line did its fireworks number.

I remember that even from back then that most systems used "Ladder Logic" systems at the business end and this is where all the safety interlocks were implemented. SCADA systems back then were back in the control center as the computers used did not like the environment at the business end where the valves etc were. The reasoning of putting the safety interlocks as close to the valves as possible was partly historic from mechanical interlocks but also due to well known problems with railway signalling.

After all back in 1982 personal computers were still ultra expensive and the likes of the PDP11 and MicroVax were the norm for SCADA and similar systems. Reliable as such systems were they were not up to the requirements of safety systems by a very long way.

So I definitely think Ufa was not down to SCADA software. Apparently the CIA have said they supplied dodgy turbines but don't claim they would have caused the explosion.

An examination of much Russian technology including that of their space program, shows little in the way of control systems with automatic safety systems. Thus there were many Russian industrial accidents we did not hear about, only the significant ones like Chernobyl etc.

Oh and remember Ufa had a second gas pipeline explosion in 1989 due to very very significant quantities of gas escaping and then getting set off by the sparks from trains. There are various quotes given but the bottom end estimate is around 250 tonnes TNT equivalent. It resulted in the deaths of many children and around a thousand or so other deaths and injuries.

From my experience with a couple of hacking incidents in the UK and the way they have been conflated into one in many (supposedly) well researched books by academics I can see how easily two stories can get mixed over time taking the most shocking bits from each to make them more graphic in the retelling.

I've always doubted the story of the CIA backdooring the software not just for the above reasons but also what has happened with claims about Ronnie "Ray Gun" and "Starwars". A number of people want to make out that Ronnie had this wonderful idea given to him by a select group of SciFi writers that would end the cold war.... The simple fact is that we knew then and have even more evidence now that Russia was not economically up to the cold war, and as in WWII and WWI and for that matter the US Civil War it was the US industrial base and raw resources that tipped the balance. In fact one of the reasons behind starwars predated Ronnie by a long way and it was that US analysts had concluded that as the economic situation in Russia deteriorated Russian leaders would go to war rather than give up power etc, also that US Gov spending on such a system would bring in effect the combined economic effects of WWII and the Space Race (which it did in some measure).

Clive Robinson • June 26, 2013 7:49 AM

@ Dirk Praet,

Whilst I would agree that the plausible deniability and rogue agent cards could be played and have been in the past such a strategy is inherently dangerous.

In effect the likes of Microsoft and Google have already overplayed those cards and have been whacked over the knuckles by the EU amongst others. So they fairly clearly know that the US Government cannot indemnify them against non US jurisdictions taking punitive action.

So the risks are high stakes and that means they are going to want high reward in return for taking them, unless some other pressure can be applied.

One such perk may well be no investigations of monopolistic behaviour or too much interest from the tax authorities.

The problem now is as you note that the veil has been lifted (albeit for a short period) and various lobbying efforts that were thought done and dusted are (for) now dragged back onto the table...

Clive Robinson • June 26, 2013 8:20 AM

@ Sushi,

I would think the probability of the USG having gone further is quite high.

And examples would not be too difficult to find with even a cursory glance or two.

The problem is a game of balance and tipping points.

With regards weapons with hidden kill switches it's an issue the US DoD has raised itself with "supply chain poisoning" and Far East component supply.

However there is a significant risk involved. Much of the US military high tech weapons development is not actually paid for entirely from US tax dollars. In fact quite a big slice comes from the profits of foreign sales to certain well oiled parts of the world. If "kill switches" were found then this would cause the US military / armaments manufacturers significant problems due to lost sales, something the EU and Russia would quite happily step in and fill the lost orders.

Then there is the issue of "second sales" the US recently bought up for a "fire sale" price the UK Harrier Jump Jets whilst this particular sale is a little unusual it shows that military kit does get sold from nation to nation. So what does the US do when it sells kit to the UK, does it include or not include the kill switch, knowing that there is a distinct possibility that the UK will at some point sell the kit on to some other country...

If you think back to the Falklands War the French had sold technology to the Argentinians which were then used against the UK convoy and landing forces. Only a couple of years earlier few people if anybody would have believed that Argentina would go to war with the UK. The UK had also sold weapons to Argentina and no doubt some were used against UK forces.

This gives rise to an issue of if you have a kill switch when do you use it? Most conflicts these days are in effect highly local almost to the point of being civil war, few if any are even regional and certainly none are global. Do you reveal a kill switch for a quick win in a regional war or save it for what might become a global war?

Scott "SFITCS" Ferguson • June 26, 2013 12:14 PM

@Clive Robinson

    I was working in the petrochem business a few years after the Russian Gas line did its fireworks number.

It's the '89 event I'm referring to, though there are many conspiracy stories about an earlier event. It was theorised that the ignition was a predictable event, but not part of the sabotage. The "theorist" was not privy to secret knowledge, but analysing (from a distance) events of that nature was within his area of expertise. (he didn't "know" it happened, only that it was feasible, unlikely to have happened the way it was claimed, and that similar sabotage had been planned). He also said that at the time the USSR was starved for cash, gas and oil prices had been plummeting (end of the USSR) and sticks and spit were the most common tools in use. So it could easily have been an accident - except that the CIA didn't take credit for it (which he believed supported his theory that they were responsible).

He claimed the system was SCADA (running a proprietary networking protocol), that the same (German based) company was involved in the sabotage (with US support) as was involved in engineering Stuxnet and other variants in later years.

He "thought" it would be relatively simple to over-ride equipment on "gathering-lines" at a remote location, in a harsh environment - to jam valves open while the remote control centre believed pressures/flow was normal. Corrosive chemicals and explosion would likely remove the evidence.

He (sic) was very cynical about many Cold War intelligence agency "successes" (on both sides) and suspected that another (earlier) gas-line disaster in the USSR was less serious than claimed, and not the result of US sabotage as claimed - this may have been the turbine incident you refer to, and there were many attempts to sabotage technology in the USSR (and its allies) feeding dodgy material to Directorate T, (and probably even before Vernoff), as claimed by Thomas C. Reed, and most likely later under Reagan. Not all of them are likely to have failed.

IraqiGeek • June 26, 2013 12:52 PM

@Scott

I wasn't joking at all when I said it would've been pointless. Almost any sort of cyber attack you could think of would have had no effect at all. As I said, the country did NOT have a single ATM machine, no credit or debit cards, barely any data communications infrastructure, and certainly no interconnected bank system.

Pensioners, just to reply to your own example, each had what was called a "pensioner book" where they'd get a stamp for each month. Mind you, for over 95% of pensioners the amount they received wouldn't have made any difference in their lives. But I digress...

Each branch of each bank maintained their own database that was independent from any other branch. Ditto for most other information systems in the country. Think of the effectiveness of a cyber attack on the US in the late 60s or early 70s cause that's closer to the reality of the communications infrastructure in the country prior to 2003.

Mind you, I'm not saying the US didn't paralyze the government in 2003, or in 1991 for that matter, with some key strikes. Limiting myself to Baghdad, the old Ma'amun and Rasheed exchanges were the backbone switches for the entire country, and were each hit four times in 2003.

Scott "SFITCS" Ferguson • June 26, 2013 2:31 PM

@IraqiGeek

    I wasn't joking at all when I said it would've been pointless.

I didn't think you were.

Nor was I. However I was talking about Iran, not Iraq. My apologies. (too little sleep, too many distractions)

A lot of cyber effort was put into trying to stop Saddam's petroeuros in the period leading up to the war, in fact it's those petroeuros that are probably the cause of the entire war. (those same petroeuros are the reason for the US declaring war on Iranian banks in 2008, the cutting of the undersea cable is another matter).

As for cyber attacks during the war - I'd heard a couple of radar installations might have been affected by malware delivered in printer drivers. Otherwise it sounded just as you described.

name.withheld.for.obvious.reasons • June 28, 2013 1:52 PM

If you do not believe we, the United States, are not executing a general cyber war then you are fooling yourself. Part of the strategy is subterfuge and disinformation campaigns. If you haven't been reading the newspapers, magazines, and the intelligentsia's journals then you haven't been following along. I'd hoped for being delusional but have to resolve myself to the fact that we are at war. We are at war with everyone.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..