Comments

rgaff, October 14, 2015 9:12 PM

For the record, I'm against using the term "cyber arms"... this just legitimizes our governments acting like thugs preying on the innocent.

rgaff, October 14, 2015 10:12 PM

It's like this: Everyone has a house. Shelter is a basic necessity of life. (Except for the homeless, they lack some basic necessities, but go with me here.) It not only is illegal, but it's immoral thug-like behavior for me to just run around, breaking into people's houses, ransacking, etc., right? I mean, just because not every house is built like Fort Knox, and is possible to break in to, I should restrain myself, and not do it, right? That's civilized society.

But our government has been doing the equivalent of breaking in, planting mines, maybe a few missile silos in the basement, stealing all our papers, etc... to.. well... EVERYONE worldwide... is that fine, just because the government is doing it, instead of some private citizen? They're doing that with our electronics... and then calling them "cyber weapons"... because, OH THAT MAKES IT OK... because see... THIS IS WAR... and since everyone else is doing it, we gotta keep up with the Joneses and do it too.... otherwise we might fall behind, and fall prey to all the other thugs around the world who do this!

Right... give me a break. "Cyber weapons" and "cyber arms" and "cyber war" are just euphemisms to legitimize ransacking everyone's personal electronic items! Do we call our houses "house weapons" just because someone has broken in and ransacked them? No... Neither should we with our electronics! Call it what it is: criminal behavior!

Now that doesn't mean we shouldn't beef up our electronic security too... because, after all, even if our governments stop acting like street thugs, we still have to deal with what everyone agrees are "criminals" too... and they can break into our electronics with surprising ease. We have to increase real security too. Laws should not be our only security.

William Lee, October 15, 2015 4:42 AM

Cyber war is upon us.

It is not what corporations & governments & military keep telling us, "bad guy country is going to blow us up because they hate our freedoms and MAD HAXXORZ!!1!".

Cyber war is the war being waged by corporations & government & military against a free and open internet.

They wage it upon us, while pretending it is something else. The something else is actually just plain old espionage. They can't paint themselves as victims & beg for more money to create new departments and new Czars and make new, more restrictive laws if it's just the same old thing it used to be.

Okay, I lost the thread, but my point stands. The "War on Internet" like "War on Drugs". This is the real war.

William Lee, October 15, 2015 4:44 AM

On reflection, it's basically what @rgaff said, but coming at it from a slightly different angle.

Grauhut, October 15, 2015 6:21 AM

> "The world needs new norms on cyberwarfare ... When intelligence officials testified before Congress about the major threats to the United States just a few years ago, cyberwar was barely mentioned; now, it's at the top of the list."

This just means the NSA invests too much in offensive "cyber-weapons" (malware) and not enough in defense, and now they cry wolf whenever they get an adequate answer to their behaviour and are unable to cope with it.

NSA: "It's ok if we do it!" Is it?

No more exceptionalism please. Dear cyberspies, you have had enough time to prepare.

See study: "Cyberwar is coming!", RAND Corporation, 1993

http://www.rand.org/content/dam/rand/pubs/reprints/2007/RAND_RP223.pdf

Brian S, October 15, 2015 6:33 AM

Cyber warfare should be agreed upon just like nuclear warfare.
Agreements need to be in place because an all out cyber warfare campaign against any nation is going to be incredibly destructive to the civilians of that nation far more than the military/governments themselves.

It's not going to be the all-out loss of life of a nuclear strike, to be sure. But it would obliterate vast swaths of the country's finances, and take a heavy toll on people's livelihoods.

I'm all for preparing for an attack like that. Beefing up resiliency, the ability to mitigate failures and attacks, how to anticipate them, etc.

But actively engaging in them is just going to do nothing but escalate. As China becomes a larger and more self sufficient world power, coming up with their own products and information, they are going to need to realize this. And the USA needs to realize that "they started it" and "but they are doing it too" are not, and never have been, valid justifications.

The world needs to grow up.

Sam, October 15, 2015 6:52 AM

I'm in favor of calling them "cyberweapons", and calling it "cyberwar", mostly for the international law implications.

1/ Are you deploying "cyberweapons" against a nation state? Have you declared war? You can't just attack other nation states on a whim. That hasn't been okay for *centuries*.
https://en.wikipedia.org/wiki/Caroline_test

2/ Is the deployment of "cyberweapons" consistent with the UN charter on the use of force?
https://en.wikipedia.org/wiki/Use_of_force_by_states

3/ Does compromising a foreign server on foreign soil constitute a (cyber) occupation? International law might apply to that too.
https://en.wikipedia.org/wiki/Fourth_Geneva_Convention

4/ Is your "cyberweapon" impacting civilian infrastructure? Is that proportional to the military benefit gained? There's specific wording about "damage to civilian objects"; it's not just deaths:
https://en.wikipedia.org/wiki/Collateral_damage#International_humanitarian_law

5/ If they are weapons, then xkcd 504 might come into effect (depending on your jurisdiction):
https://xkcd.com/504/

Let people call them weapons. I think that causes more issues than it avoids. But don't let this detract from the other very good points:

@rgaff
> We have to increase real security too. Laws should not be our only security.

@William Lee
> The "War on Internet" like "War on Drugs". This is the real war.

thevoid, October 15, 2015 7:05 AM

@rgaff

> is that fine, just because the government is doing it, instead of some private citizen?

In his De Civitate Dei, St. Augustine recounts an exchange between Alexander [the Great] and a captured pirate:

For when that king had asked the man what he meant by keeping hostile possession of the sea, he answered with bold pride, "What thou meanest by seizing the whole earth; but because I do it with a petty ship, I am called a robber, whilst thou who dost it with a great fleet art styled emperor."

Anonymous Coward, October 15, 2015 7:29 AM

> Cyber warfare should be agreed upon just like nuclear warfare.

This is not going to work, due to the nature of the problem. You see, the Internet is full of automatic activity even without the NSA. Many kinds of worms are seeking free resources, taking over everything they can, ranging from your router and smart TV up to full-blown servers, not to mention the usual desktops. And because of the nature of networking, only a few of the most arrogant and unskilled losers get caught at all.

There were even a couple of "homegrown" BIOS-mod bootkits before the NSA joined the arms race. You see, insecure systems are valuable. Even if someone does not care about parsing data, they could use the free resources. Welcome to the future. New times and new challenges, where your TV or router can easily turn against you and possess someone else's will.

It's all about control. And unfortunately, humans haven't grown up. Ultimate techs come with ultimate problems. That is it.

Bob S., October 15, 2015 7:36 AM

No need to bother with cyber war treaties.

The internet as it stands now is a dead duck, crispy critter, road kill...like AM radio. When is the last time you actually used the AM radio in your car for anything besides white noise?

When the Snowden revelations first appeared there was talk of balkanization of the internet as well as use of distributed user bases and so on. That is, people were thinking already about a whole new big thing.

Let the military and the corporations fight over our data..... we should try to starve them or feed them garbage until the next big thing arrives.

I am pretty sure it's coming, I just don't know what it might be.

Clive Robinson, October 15, 2015 9:42 AM

The Op-Ed starts with the wrong assumptions:

> Cyberweapons, by contrast, can be as simple as a few inexpensively acquired lines of code. They are available to state and non-state actors and can be hard to distinguish from benign online activity.

They are not lines of "code" but the more general "information"; likewise they are not "weapons" but "instructions".

This is a general mistake many --including those who should know better-- make, and thus their thinking almost immediately goes astray.

Neither "information" or "instructions" have any kind of physical actuality except when impressed or encoded onto physical objects for storage, transmission or processing.

Not understanding this and the implications that transpire from it, means you can not effectively deal with the effects let alone legislate or form treaties that will be effective.

The majority of legislation is about physical objects constrained by the laws of nature and how we humans and other physical objects interact. It also assumes a "controlling mind" that can be traced by evidence and prosecuted against in some way, and importantly locality.

It can easily be demonstrated that information is not constrained by the laws of nature and as such can be endlessly impressed onto any kind of physical object at will, the only energy required being that to impress the information onto the object. Thus, as is usually the case with malware etc., the energy for the copying of information and endless replication is at the expense not of the attacker but the defender.

Thus to an attacker the only expense is that of collecting the information to form the instructions and make the primary instruction set and make the initial transmission of that set.

That set is then endlessly duplicated not by the attackers resources but by the resources of others including those of the defenders.

Imagine for a moment I give you a recipe book, you photocopy out a recipe, then go and buy the ingredients, follow the instructions and the end result is a cake. Has any crime been committed? Probably not, even if it has, then by whom?

This is where the law looks for intent but to establish this it has to have evidence of some form, often primary evidence is not available, so circumstantial evidence is used and this is at the very least viewpoint specific.

So if the cake you make poisons somebody, are you guilty, or is somebody else? You have to look at the evidence of what the poison is and how it got into the cake and then make a judgement call. If the poison is, say, arsenic, then that should not be in a cake at any time, thus judgement would normally say it's a premeditated act, thus you go looking for the source of the poison and the controlling mind.

However, what if instead of a cake it's a bean salad and the poison is found to be an alkaloid plant poison in the beans that have not been prepared properly? The judgement you now have to make is: was there actually a controlling mind, or, due to insufficient information, an unfortunate set of circumstances that inadvertently caused a poisoning? Do you go a step further and say that the recipe was lacking in information, which is quite likely, and then try to say I was a controlling mind that gave you a standard recipe, knowing that you lacked the knowledge to make the extra steps before making the salad?

This is the problem with information and establishing that a crime has been committed and exactly by whom. You can not legislate against the partial giving or partial withholding of information because there are too many loopholes that can be exploited. Which get worse when there are one or more intermediary points.

That is, if I've loaned you a recipe book, do I actually have reason to know you will only photocopy the recipe and not the earlier part that tells you how to prepare the beans correctly? What if I don't give you the book but instead the catalogue reference for it in your local library? How about I give the reference not to you but to your mother?...

These are the distancing steps you take for deniable actions, which state level operators do all the time.

We have already seen this with North Korea and Sony Pictures Entertainment, where the US acted as illegal investigator, biased prosecutor, biased judge and biased jury to pass sentence. We are told to take it on faith that there is evidence, but for National Security reasons we can not be told...

We were also told the same for Iraqi WMD and detainees at Gitmo. Much of which has been shown to be at best serious mistakes at worst deliberate attempts to deceive for profit and other forms of corruption.

Knowing the deaths that resulted, do you really think any kind of legislation or treaty will stop this from being done again in the future?

The way to stop this is firstly make our systems much much more secure, secondly treat things as criminal activity not military activity, thirdly come up with an impartial international court and investigators with real authority and let them do the job without political interference. That way hopefully things will not go kinetic.

Sam, October 15, 2015 10:47 AM

@Clive Robinson

> The way to stop this is firstly make our systems much much more secure, secondly treat things as criminal activity not military activity, thirdly come up with an impartial international court and investigators

Yes, a lot (the vast majority?) of hacking is civilian criminal behaviour rather than military. The Sony / NK stuff is a good example of a nation state delving into what could have just been a commercial civil dispute.

But Stuxnet, Flame, Duqu, the Equation Group: these bear the hallmarks of nation states taking hostile action against other nation states. That includes diplomatic / commercial espionage and so not military, but some of it was apparently to interfere with nuclear centrifuges to disrupt weapons production. That's a military application.

rgaff, October 15, 2015 3:21 PM

All I know is if breaking into everyone's computers is creating "cyber weapons" then breaking into everyone's houses should be called creating "house weapons"... I mean, if one is legitimate military action, then the other should be too, right? And if one is fine to do to citizens and friendly neighbors, the other should be too, right? Yeah, how about the USA levels Canada (or vice versa!) and just calls it "land weapons"... eyeroll.

Grauhut, October 15, 2015 4:09 PM

@Clive:
> The majority of legislation is about physical objects constrained by the laws of nature and how we humans and other physical objects interact. It also assumes a "controlling mind" that can be traced by evidence and prosecuted against in some way, and importantly locality.
>
> It can easily be demonstrated that information is not constrained by the laws of nature ...

Clive, sorry, but code is more than information, more similar to DNA or physical particle states. And you know how transistors work. Running opcode on a CPU determines the physical state of this CPU's transistor matrix; this all happens in the physical world, and causality in a transistor matrix or a network of such matrices is completely measurable in theory, we just don't have the needed measuring instruments in place everywhere. NSA fights on this front! :)

Code is just another duality like the wave-particle duality: sometimes code is just definition, sometimes code is part of the physical switching state of a transistor matrix. If transistors switch because of code, this code is an integral part of the physical state of a transistor-based system.

If malware was just information we wouldn't have given it this name; malware is more than a fairy tale monster, more than pure information, like a photon.

If I use software code I use a tool; it's the same as using a hammer.

r, October 15, 2015 4:13 PM

It's not a cyber war, it's a war on privacy and security by any means necessary.

@rgaff, WELL DONE.
Excellent job re-framing the issues.

r, October 15, 2015 4:21 PM

@All, please excuse my convoluted use of the word security. I meant security of self, home and thoughts. I am aware that security in the mind of the United States, the Russian federation or China aren't necessarily inclusive, or for any set of Nation States for that matter.

Proper Perspective, October 15, 2015 8:46 PM

@Brian

> It's not going to be the all out loss of life of a nuclear strike to be sure. But it would obliterate vast swaths of the countries finances, and take a heavy toll on peoples livelihoods.

Kind of like a thousand year hurricane? Yes, it would be unpleasant to have to fix a massive bridge built by our long dead ancestors, and do a much better job of it than they did due to all the lessons and inventions since it was first built. But I find your word 'obliterate' to be a bit severe. Seriously, you remember 'too big to fail'? It's more than a little bit like that. Even VW isn't going anywhere anytime soon.

tyr, October 16, 2015 12:40 AM

No military is going to get a budget increase for their activities if they don't work in the word war somehow. If what you're really up to is playing World of Warcraft at taxpayer expense with some flimsy justification that some group of evil boogeymen might use it to communicate, you can't get more funding. Call that activity "CyberWar" and you're well on the way to Spandam Alexander's Star Trek bridge level of funding.

The question of how to curb military enthusiasm for a level of adventures that pose real threats to real people is one that should be asked. I remember the Morris Worm. How do we know that the nation states are not contemplating it when they talk about "CyberWeapons"? I do know that MAD was considered a viable policy, and that civilians are considered to be the primary target of modern warfare. All you have to do is look at the casualty numbers to see that. Clive is right, if all it takes is a major Net outage to trigger Nuclear retaliation we are in deep shit.

There's a famous discordian artist (KLF) who built a diorama in which the world is shown as an abandoned slum populated by law enforcement and emergency services workers. The current USA military budget exceeds the wildest dreams of the folks who launched the last two adventures in futile nation building; obviously they need more money to ruin cyberspace with.

ianf, October 16, 2015 3:26 AM

@ tyr […]
> There's a famous discordian artist (KLF) who built a diorama in which the world is shown as an abandoned slum populated by law enforcement and emergency services workers.

That, the last, I'd like to see – can't trace it during shallow google perusal. For a <2h glimpse of such a dystopian world, see the “Children of Men,” which, discounting its for-Hollywood sentimental Holy Pregnant Black Ave Maria theme, feels the most realistic of all the mainstream post-apocalyptic movie depictions known to me. That's only an hour more than listening to the dross-for-already-KLF-converts [1h05m podcast] https://m.youtube.com/watch?v=kBhXtd75uLc

> The question of how to curb military enthusiasm for a level of adventures that pose real threats to real people is one that should be asked.

I spy a movie plot, where a group of concerned like-minded senior scientists manage to resurrect Gen. Dwight D. Eisenhower in order to have him do something radical about the runaway military-industrial complex… only to run afoul of the opposition that's also capable of enacting movie plots (in this case a rerun of "Twilight's Last Gleaming", in which Charles Durning POTUS knowingly gets assassinated by the top brass in order to preserve the status quo and not declassify the truth about the Vietnam War. I kid you not, can't Hollywood but love).

> […] current USA military budget exceeds the wildest dreams of the folks who launched the last two adventures in futile nation building, obviously they need more money to ruin cyberspace with.

Don't you too get me started!

Sam, October 16, 2015 5:37 AM

@r
> It's not a cyber war, it's a war on privacy and security by any means necessary.

Some is, quite possibly most is, but not all of "it" is.

You're making a broad and unreasonable generalisation to say "It" once and lump together all motivations and applications of "hacking" into a single category. There is a war on privacy and security, but there's other stuff too.

A car having an internet-accessible control vulnerability is a civil issue. An internet-accessible control vulnerability on a Predator drone with a Hellfire missile *is* a military issue *even if* the actual antenna is the same hardware as the car's.

Brian S, October 16, 2015 5:46 AM

@Proper perspective

Sure things will eventually recover. But does that justify the pain in the first place? Some people will absolutely die due to disruptions in services (power, communications, etc). This will certainly be nothing compared to the loss of life even a single nuclear bomb would cause to be sure.

But the "thousand year hurricane" as you put it is certainly not going to be a myth in the current situation. There just isn't enough redundancy or protection in place for many of our critical systems. Companies across the globe only spend just enough to say they are doing something. Very few are willing to truly invest in case of a major failure.

Too big to fail means something completely different than how you are using it, and I am sure the majority, if not all, large companies would come out of such an attack in one piece. But the small businesses are another matter, as are individual locations. A massive loss of finances would generally mean they close some locations down, or don't bother to rebuild them if they suffered too much damage (arson, looting, etc).

A concentrated, all out cyber attack with the intention of destroying as much as possible from a truly capable source would absolutely do more than cause some minor inconveniences.

I'm all for beefing up capabilities to identify, defend, and mitigate such attacks. But my main point was that such attacks focus the majority of their harm on the general population, not the government and military.

Grauhut, October 16, 2015 6:05 AM

@Brian S: As soon as "too big to fail" means "too big for jail" a system deserves to go end of lifecycle. Never mind.

William Lee, October 16, 2015 9:41 PM

@r
> It's not a cyber war, it's a war on privacy and security by any means necessary.

Exactly. Rather ironic (depending on your view of history) that the security agencies are waging war on security.

Proper Perspective, October 16, 2015 10:59 PM

@Brian S

'Too big to fail' is four words. I do see an analog between the commonest connotation and what you described in more detail than I did: that for many scenarios under this umbrella, the end result looks like this: massive establishment interests muddle through, and the world moves on. The global financial issues of 2008 or so, and how ultimately non-apocalyptic even that level of house-of-cards collapse proved to be, give me a certain optimism that the world could muddle through with pencil and paper for a few months while all the calculators are melted down and rebuilt into better ones.

> A concentrated, all out cyber attack with the intention of destroying as much as possible from a truly capable source would absolutely do more than cause some minor inconveniences.

Sure, and there is a spectrum of threats under this umbrella. The most worrisome would involve a ground invasion force, perhaps foreshadowed by a swarm of seek-and-destroy kill drones.

> I'm all for beefing up capabilities to identify, defend, and mitigate such attacks. But my main point was that such attacks focus the majority of their harm on the general population, not the government and military.

I think it's critical to keep the nuance front and center of the damage done by having to go without digital calculators for a few months, versus something like agent orange causing birth defects for decades. There is quite a spectrum of 'harm'.

Ultimately I look at things like the TV series 'The Wire', and contrast that with the Snowden revelations, and this new Woodward/Nixon thing about public lines versus unspoken truths about these sorts of harm-to-humans things. One can easily imagine a direct parallel with Obama touting some hard line about torture or surveillance or drone assassination and their effectiveness, but like Nixon, perhaps knowing privately that it is a 100% bald-faced lie and misrepresentation.

We won't have good national and global cybersecurity until the public lines from high places of authority stop routinely sounding like bald faced lies.

Edward M. Roche, January 26, 2017 7:09 PM

Hi Mr. Schneier. Actually, we met once when you spoke in front of our group at Research Board.
In any case, I wanted to point you to a blog I am writing on Cyber Arms Control.
The link is cyberarmscontrolblog.com

I hope you are well,
Cordially,
Edward M. Roche
