Economist Cyberwar Debate

Richard Bejtlich and Thomas Rid (author of the excellent book Cyber War Will Not Take Place) debate the cyberwar threat on the Economist website.

Posted on August 1, 2013 at 3:54 PM • 18 Comments

Comments

Brandioch ConnerAugust 1, 2013 5:05 PM

That was not very enlightening.

We need to abandon plans that rely on keeping all intruders out of the network. Instead, we should expect intrusions, but quickly remove attackers once we discover that they have breached our defences.
Otherwise known as "defense in depth". And has been the preferred approach for almost two decades.
Besides Iran, security professionals now worry about North Korea, which conducted a similar "sabotage" operation against South Korea in March 2013 that corrupted over 32,000 computers.
32,000 sounds like a big number until you realize that there are zombie hordes with over a million computers in them.

So the 32,000 were not individually cracked. They fell to an automated attack. That doesn't sound like much of a threat.

Third, the number of countries transitioning from "digital nuisances" to real threats is growing.
And again, that doesn't sound like much of a threat.
Second, in February 2013, President Obama issued an executive order titled "Improving Critical Infrastructure Cybersecurity", stating: "Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."
Appeal to Authority. Obama is the President. He has not been noted for his expertise in computer systems.
First, in October 2011, the Securities and Exchange Commission (SEC) issued "CF [Corporate Finance] Disclosure Guidance: Topic No. 2", clarifying the requirements facing publicly traded companies with respect to cyber-security.
That does not sound like "war". More like "crime".
https://en.wikipedia.org/wiki/Mail_and_wire_fraud
"It has been a federal crime in the United States since 1872."

And remember that "compliance" is not the same as "secure".

This response to the moderator's request shows that risks in the cyber-environment are real and increasing.
"Risk" is not "war".

The risks OF CRIME are increasing because more and more systems are collecting information about your transactions in on-line databases. Combine that with more services being offered on-line and someone can crack database A in company A and use that information to defraud company B while impersonating you.

And what is the government doing to prevent that?

Larry SeltzerAugust 1, 2013 10:10 PM

I can see a role for some level of regulation of some critical companies that we entrust too much, but I have a hard time with the idea that the government is in a better position to secure private networks than the companies that own and operate them. If you really believe in the possibility of World War 3.0 then the only chance we have is deterrence, just like with nukes: Make it clear that we can do the same thing to them.

Clive RobinsonAugust 2, 2013 5:05 AM

The debate started out as a disagrement about semantics, then moved to idiology, and as such it compleatly missed the point.

Warfare has many semantic meanings and is one of those imprecisly defind words which fall into the catagory of starting with much arm waving and end with the "you know it when you see it" definition.

However it can be seen in the light of conflicts over resources or ideology. That is two or more entities disagree over ownership or belifes to the point hostilities arise.

Whilst as a discription it may cover all forms of warfare it also covers all forms of crime and business as well depending on your definitions of hostilities and entities. That is a simple definition of hostilities is one where the activities of one entity does harm to another entity where the harm can be real or percived, tangible or intangible and is frequently defined differently by each opposing or observing entity.

History has taught us over many thousands of years that hostilities over beliefs are in effect unresolvable except by the beliefs becoming sufficiently diminished that hostilities cease. Whilst it has also taught us is that hostilities over resources are more harmfull both directly and indirectly. This is due in part to a secondary effect, which is due to the utilisation or control of those resources harm can be inflicted by the controling entity over the non controling entity. Thus the control of resources can be used as it's own form of warfare in the form of attritian, where the resource controlling entity starves the other entity such that it ceases to florish and withers and dies or seaks the resource from some other place.

But none of this distinquishes "War" from "crime" from "business", what does is commonly accepted rules in the form of treaties, laws and agreements. Rules only exist because of agrement amongst entities that the majority of entities agree with, usually perceived on the basis of limiting potential harm for their own good.

Currently we have no rules on cyber activities that have more than limited regional agreement, thus deciding what is war / crime / business in cyber space is difficult. Thus we currently tend to apply non cyber space rules to cyber space and whilst some fit moderatly well many don't.

The rules that do tend to fit unsuprisingly are those that are designed to deal with intangible ideas such as intelectual property, and crimes that revolve around the posession of information in tangible or intangible form.

For instance credit card theft does not involve having direct access to the physical card, just the information encoded onto the card. The transfer of money for the theft is based on information and it is only the realisation of this information into physical goods that involves anything other than the transfere and storage of information.

Likewise when looked at most business transactions and activities actually involve the transfer and manipulation of information.

Thus we transfer our perceptions of crime and business into cyberspace with little difficulty, usually whithout realising that we have actually seperated the intangible and tangible parts of the crime and business activities.

Most people however do not see information in war, they see the tangible effects only when they consider harms.

However like other human activities war consists of both intangible information and tangible bombs and bullets, the former usually being used to aim the latter.

Inteligence analysts and senior military personnel know this and thus can consider fighting with information as a normal activity of war. Most non western military personel don't see information this way, infact western culture sees it in terms of espionage and treason at state level and do not see it at lower levels of the battle field. The same is not true for many non western cultures.

Thus in part the debate was about "culture" and the resulting mind set and the debating parties were in effect not arguing over the same issue.

And this highlights the real problem of the distinction between war and crime/bussiness. War tends to be resolved by "force of arms" involving "kinnetic weapons" and the subsiquent significant collateral damage. Crime/business tends to be resolved by money and courts and whilst their is often collateral damage it tends to be limited and not involve highly visable destruction of life and infrastructure.

But is that strictly true? We know that economic harm does without doubt cause death and destruction, the difference is it manifests it's self over time "after" not "during" the conflict.

Which kind of leaves us with the "territory" asspect, conventional warfare has untill recent times been about controling geographical areas with "boots on the ground". Nearly all of our societal rules are about territory in the form of Nation States and their borders and juresdictions. As has been frequently pointed out in the past the internet knows no borders, however we know this to not be true because it is tangible hardware that transports the intangible information and that tangible hardware is physically located somewher in somebodies juresdiction as are the users of the information.

The real problem is thus not the lack of physicality of the information, but that our rules are based on the historical notion that moving across borders is difficult. Communications systems are usually set up not for border control but convenience and efficiency of the perceived users. In effect it is convenience that knows no borders and almost invariably over time convenience wins over all restrictions political or otherwise.

Increasingly nation states are becoming less relevant as time moves on it is conveniance of trade that brings down barriers and borders, and why we have increasingly growing "free trade" zones.

Thus whilst traditionaly wars are seen as being fought between nations we will see them move to the realms of international business and crime.

Thus wars of the future will be fought less and less by armies and more and more by police and lawyers as information becomes an increasingly large part of human activites.

Will we see the end of "conventional warfare" no as ultimatly we are physical beings dependent on air, water, food and other physical resources for our very existance. But the nature of war will likewise change with more information giving finer control and more accurate aiming of kinnetic weapons lessening their collateral damage. However what we will see is increasing economic damage, which will have much the same effect as conventional warfare but over more protracted times.

The City of Detroit can be seen as a consiquence of economic warfare as can many other places where there has been significant economic down turn. A look through the newspapers etc describe many of these now deprived areas as looking like "war zones" with poor nutrition and life expectation leading to deaths that are 30-50years premature to more affluant areas. Thus different effects having similar causes...

wiredogAugust 2, 2013 6:03 AM

Whenever anyone says that cyber war is not a threat, or won't happen, or similarly niave things, I have a one-word response: Stuxnet.

Because if that isn't a cyber-attack by one government on another, as part of an ongoing campaign, than what is it?

VinzentAugust 2, 2013 6:17 AM

@wiredog: Sabotage. Plain and simple. Making a couple of products (centrifuges in this specific case) fail earlier than they usually do, certainly does not qualify as war.

HermitAugust 2, 2013 6:31 AM

Hello,
please excuse my stupid question, but I so seldom crawl out from under my rock.

I always read about this strange "cyberwar". But who is in war with whom? And when was this war declared? Anyhow nobody could give me clear answers to that. So, is this cyberwar real? And if, then is there also a cyberpacifist movement I could join?

Peace! ☮

Seth P.August 2, 2013 8:17 AM

The proposer gave a definition of cyber war then argued it's plausibility. The opposition - instead of "debating" the argument - argued about the definition. This makes the debate pointless.

unknown.soldierAugust 2, 2013 8:48 AM

There are real "cyberwar" threats.

But, there are two aspects about this drum beating which can annoy the honest sensibilities of people who work in computer security:

1. We are objective enough to realize that beating the war drum is usually used by nations to actually start wars. We have seen and do see this clearly in recent history -- now, and over the past hundred years. We also see that many are blind to this.

2. "War" in terms of "cyberwar" often means ham fisted, knuckle dragging people thinking of "cyberthreats" in terms of things like drones and tanks and planes and guns. They think they know, they think they understand, but we see they are really not honest people, so they do not see and do not know.


Not much to say beyond that. There are real threats. There are real aggressors.

One very well could point out that China has gone to "cyberwar" against much of the world. One could also point out the US, UK, and other "free" nations have also done this. They have hacked everyone and everything they can, and they do so with impunity.

Obviously, it is the nations which is the real danger. They are not the protectors. That has never been how nations really work. This has never been how they are really driven.

Might they destroy other nations through cyberattacks? That is just a matter of time, is it not? How easy it could be to decimate another nations infrastructure, be it economic or be it power or be it telecommunications...

Like with nuclear weapons, who will push the big, red button first? Unlike with nuclear weapons, pushing that button can happen very easily by accident. Or anonymously.

Everyone best bet would be to stop meddling in these things and focus on honest work and leave all threats and troubles to God. But that has never been how people work.

unknown.soldierAugust 2, 2013 9:02 AM

Vinzent • August 2, 2013 6:17 AM
@wiredog: Sabotage. Plain and simple. Making a couple of products (centrifuges in this specific case) fail earlier than they usually do, certainly does not qualify as war.

Iran very well may think it does.

How would the US or UK feel if Iran sabotaged their critical infrastructure by software. Especially their nuclear facilities? They would take that as an act of war.

What would they say if this attack was by a buggy worm? Would then they go, "Well, no bother guys, it never could have caused nuclear catastrophes." Because, you know, that was not possible. Because it was well tested and had no bugs.

I think where people get muddied thinking about this is "well, that is us, this is them", and so on. "Well, it is Iran, so what". But, objective thinking is required for visibility.

Because of stuxnet, now the whole world is open game. Consider, the US fired the first blow. What is to stop any nation from creating such malware and making it look like the US did it? Nothing.

The secrecy culture only helps that threat.

It is the whole "crossing the line" problem. It has nothing to do with reflexive left or right wing politics, with being a warmonger or a peacelover.

When you cross that line you lose what is called "moral authority".

There is no such thing as immoral authority, is the problem with that.

Brandioch ConnerAugust 2, 2013 10:23 AM

@unknown.soldier

Iran very well may think it does.
Iran is a nation. Nation's do not "think". Certain groups of Iranians may think it does. Certain groups of Iranians may think it does not.

What is Iran's government's view on targeted assassination? If this was really "war" then that could be their next step. But since there does not seem to have been a next step I'll also go with the "sabotage" definition.

How would the US or UK feel if Iran sabotaged their critical infrastructure by software.
See above. Except that the US and UK previous governments were happy to invade Iraq without any evidence of anything. So comparing them isn't really accurate.
They would take that as an act of war.
See above. It isn't whether the previous governments would take it as an act of war. It's what other things were also accepted as an act of war.

Which then led to real troops with real bullets really invading and really killing people.

It has nothing to do with reflexive left or right wing politics, with being a warmonger or a peacelover.
Only if you redefine "sabotage" to be "war". In real war, real people die who were not in any real risk before the war.

In "sabotage", equipment breaks.

"Cyber war" is about moving tax money to private companies by redefining "sabotage" and "vandalism" as "war". Said private companies usually staffed by friends and family of politicians and by ex-politicians.

If the threat was real then the government would be doing something to mitigate/ameliorate it.

bobAugust 2, 2013 10:26 AM

@unknown.soldier

Err, stuxnet damaged a few centrifuges. No "critical infrastructure" was "sabotaged". You've taken a piece of evidence that mildly supports your point of view and then massively changed it to make it support it even better. This does not a good argument make.

The "story" about Israel shutting down Syrian radar stations better supports your argument. Try that one instead.

SharkWireAugust 2, 2013 11:11 AM

@Brandioch:

Otherwise known as "defense in depth". And has been the preferred approach for almost two decades.

While it may be a preferred approach, its implementation is spotty, and not very deep in MANY organizations.

Nick PAugust 2, 2013 11:46 AM

@ Bruce Schneier

Re This Cyberwar Debate (and the obvious it missed)

Thanks for bringing the debate to our attention. As for the problem it discussed, nobody brought up two important points. One negates much of the debate. The other flips their argument's goal right against them.

"Cyberdefense" or INFOSEC?

First, the whole problem is merely INFOSEC in disguise. To keep things simple I'll use the industrial SCADA problem as an example. The hackers can connect, break their weak security, and do horrible physical damage. This can be solved quite easily by VPN, authenticated messaging, diodes, etc. And some of these have an excellent security track record, zero vulnerabilities in a few cases. And some at A1/EAL6+ level even NSA couldn't hack. Interestingly, a number of companies already use such approaches with success. Most just pinch pennies and didn't care about the risk. That means the problem is a lack of motivation rather than lack of capability.

So, if companies deploy secure border/messaging tech in front of SCADA sites, that massive risk shrinks just as massively. The "cyberwar" can no longer cause physical damage to many infrastructure sites remotely. The government can even subsidize, with money or staff, the deployment of the tech. So, why don't those worried about ICS's targed in cyberwars reference easy, existing solutions in these debates? That's a good question. I suspect politics and money have plenty to do with it.

Ok, let's say cyberwar people are right: who will be at the helm?

The other problem is the defensive operations. The US govt talks massive cyberwar claiming we need defence contractors to receive billions of tax dollars, larger military "cyber" budgets, and near total control over all domestic computers/networks to prevent cyberattacks. They say we should trust them with the protection that commercial entities "can't do." The implication is that they CAN protect us because of superior skill and experience dealing with TLA-style threats.

That's a lie. The lie is laughably easy to prove. Their own documents told us that China and Russia broke into their most sensitive networks to steal nuclear secrets for decades. Regular black hats have compromised government and military installations regularly for the past two decades. So-called "APT's" cut a huge swatch through the security operations of very agencies and defence contractors that are supposed to provide the future cyber defence. Their poor handling of insider threats led to the leaks of massive amounts of their secrets via Manning and Snowden.

If there is a cyberwar coming, a big IF, then my question is "will putting the US military and defence establishment in control be the right way to handle it?" They've failed to stop even their least capable opponents for about four decades. So, the answer is a resounding "NO!"

Sidenote: It would have been nice if the host of the debate told the audience Bejtlich has a huge conflict of interest. If people think his side is wrong, his company looses a large sum of money. This financial motive explains his (and his colleague's) position more than their stated arguments. I wonder if knowing this might have affected the audience's perception of his claims. Just a thought...

Brandioch ConnerAugust 2, 2013 12:28 PM

@SharkWire

While it may be a preferred approach, its implementation is spotty, and not very deep in MANY organizations.
100% agreement there.

Now consider a scenario where we were actually in a real war with an enemy that could put real troops at our "critical infrastructure" sites such as nuclear reactors.

Wouldn't our government assign real troops of our own to those sites to defend them? And build additional barriers and barricades at those sites?

Wouldn't our government make sure that those troops had appropriate weapons, ammo and current qualifications with those weapons?

I agree that most companies do not do "defense in depth". Most companies don't even do perimeter defense correctly. But in a real war situation, our government would take steps to protect critical infrastructure as much as possible. Whether the civilian owners did it themselves or not. And from all the reports, that is not happening.

Instead, the reports are of the government spending money on "cyber defense" (take a shot) by stockpiling "cyber weapons" (take a shot) so that we can retaliate when an enemy launches a "cyber attack" (take a shot) in a "cyber war" (take a shot).

name.withheld.for,obvious.reasonsAugust 2, 2013 3:33 PM

This appears to be an opportunity for the collective, Clive has touched on something of great interest to me.

1. The U.S. Constitution or provides war powers for the Declaration of War.
2. The United States is employing the powers given congress, not the executive, but the congress believes that the rules and even funding should be left to the executive.
3. The "Authorization Use of Military Force" is not a Declaration of War.
4. The United States is executing the AUMF with the dangerous power of the state.
5. The U.S. Constitution. and well covered in the Federalist Papers, never intended to have a standing army. The militia (states) are to provide resources in the case of exigency.
6. Cyber warfare is meaningless when in "meat" space we are violating our own laws, priceless, and moral. Until we correct our own misguided righteousness we are just expending hot air.

Stanislav DatskovskiyAugust 6, 2013 1:01 PM

The one and only genuine 'cyber-aggressor' is: Microsoft - without whose crapware we would not be having this discussion.

There is no 'cyber warfare', there is only cyber laser tag. Dare to take off the vest.

I wonder about the fellow who was responsible for implementing the Windows-based system in the ill-fated Iranian fissiles plant. Was he shot for treason? If not, why not? "You can't get fired for buying IBM?" Lifting critical code from your enemies wholesale didn't end well for the Soviets, and won't end well for today's chumps.

JeremyAugust 7, 2013 3:06 PM

Bejtlich opens with "...the power to access data via unauthorised means inherently contains the power to destroy that data."

Wat?

The ability to eavesdrop on two people talking inherently contains the ability to destroy their prior knowledge of everything they talked about?

I am totally unable to take this person seriously after that opening.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..