Entries Tagged "cyberwar"

Buying Exploits on the Grey Market

This article talks about legitimate companies buying zero-day exploits, including the fact that “an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit.”

The price goes up if the hack is exclusive, works on the latest version of the software, and is unknown to the developer of that particular software. Also, more popular software results in a higher payout. Sometimes, the money is paid in instalments, which keep coming as long as the hack does not get patched by the original software developer.

Yes, I know that vendors will pay bounties for exploits. And I’m sure there are a lot of government agencies around the world who want zero-day exploits for both espionage and cyber-weapons. But I just don’t see that much value in buying an exploit from random hackers around the world.

These things only have value until they’re patched, and a known exploit—even if it is just known by the seller—is much more likely to get patched. I can much more easily see a criminal organization deciding that the exploit has significant value before that happens. Government agencies are playing a much longer game.

And I would expect that most governments have their own hackers who are finding their own exploits. One, cheaper. And two, only known within that government.

Here’s another story, with a price list for different exploits. But I still don’t trust this story.

Posted on April 2, 2012 at 7:56 AM

Hacking Critical Infrastructure

An otherwise uninteresting article on Internet threats to public infrastructure contains this paragraph:

At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead to deaths and cost the nation billions of dollars.

Why isn’t the obvious solution to this to take those critical electrical grid computers off the public Internet?

Posted on March 20, 2012 at 8:52 AM

On Cyberwar Hype

Good article by Thomas Rid on the hype surrounding cyberwar. It’s well worth reading.

And in a more academic paper, published in the RUSI Journal, Thomas Rid and Peter McBurney argue that cyber-weapons aren’t all that destructive and that we’ve been misled by some bad metaphors.

Some fundamental questions on the use of force in cyberspace are still unanswered. Worse, they are still unexplored: What are cyber ‘weapons’ in the first place? How is weaponised code different from physical weaponry? What are the differences between various cyber-attack tools? And do the same dynamics and norms that govern the use of weapons on the conventional battlefield apply in cyberspace?

Cyber-weapons span a wide spectrum. That spectrum, we argue, reaches from generic but low-potential tools to specific but high-potential weaponry. To illustrate this polarity, we use a didactically helpful comparison. Low-potential ‘cyber-weapons’ resemble paintball guns: they may be mistaken for real weapons, are easily and commercially available, used by many to ‘play,’ and getting hit is highly visible—but at closer inspection these ‘weapons’ will lose some of their threatening character. High-potential cyber-weapons could be compared with sophisticated fire-and-forget weapon systems such as modern anti-radiation missiles: they require specific target intelligence that is programmed into the weapon system itself, major investments for R&D, significant lead-time, and they open up entirely new tactics but also novel limitations. This distinction brings into relief a two-pronged hypothesis that stands in stark contrast to some of the debate’s received wisdoms. Maximising the destructive potential of a cyber-weapon is likely to come with a double effect: it will significantly increase the resources, intelligence and time required to build and to deploy such weapons—and more destructive potential will significantly decrease the number of targets, the risk of collateral damage and the coercive utility of cyber-weapons.

And from the conclusion:

Two findings contravene the debate’s received wisdom. One insight concerns the dominance of the offence. Most weapons may be used defensively and offensively. But the information age, the argument goes since at least 1996, has ‘offence-dominant attributes.’ A 2011 Pentagon report on cyberspace again stressed ‘the advantage currently enjoyed by the offense in cyberwarfare.’ But when it comes to cyber-weapons, the offence has higher costs, a shorter shelf-life than the defence, and a very limited target set. All this drastically reduces the coercive utility of cyber-attacks. Any threat relies on the offender’s credibility to attack, or to repeat a successful attack. Even if a potent cyber-weapon could be launched successfully once, it would be highly questionable if an attack, or even a salvo, could be repeated in order to achieve a political goal. At closer inspection cyber-weapons do not seem to favour the offence.

A second insight concerns the risk of electronic arms markets. One concern is that sophisticated malicious actors could resort to asymmetric methods, such as employing the services of criminal groups, rousing patriotic hackers, and potentially redeploying generic elements of known attack tools. Worse, more complex malware is likely to be structured in a modular fashion. Modular design could open up new business models for malware developers. In the car industry, for instance, modularity translates into a possibility of a more sophisticated division of labour. Competitors can work simultaneously on different parts of a more complex system. Modules could be sold on underground markets. But if our analysis is correct, potential arms markets pose a more limited risk: the highly specific target information and programming design needed for potent weapons is unlikely to be traded generically. To go back to our imperfect analogy: paintball pistols will continue to be commercially available, but probably not pre-programmed warheads of smart missiles.

The use of this weapon analogy points to a larger and dangerous problem: the militarisation of cyber-security. William J Lynn, the Pentagon’s number two, responded to critics by pointing out that the Department of Defense would not ‘militarise’ cyberspace. ‘Indeed,’ Lynn wrote, ‘establishing robust cyberdefenses no more militarizes cyberspace than having a navy militarizes the ocean.’ Lynn may be right that the Pentagon is not militarising cyberspace—but his agency is unwittingly militarising the ideas and concepts to analyse security in cyberspace. We hope that this article, by focusing not on war but on weapons, will help bring into relief the narrow limits and the distractive quality of most martial analogies.

Here’s an article on the paper.

One final paper by Rid: “Cyber-War Will Not Take Place” (2012), Journal of Strategic Studies. I have not read it yet.

Posted on March 14, 2012 at 6:22 AM

The Nature of Cyberwar

This was pretty good, I thought:

However, it may be difficult to write military doctrine for many aspects of cyberconflict that are truly revolutionary. Here are no fewer than 10 to consider:

  1. The Internet is an artificial environment that can be shaped in part according to national security requirements.
  2. The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them.
  3. The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.
  4. Software updates and network reconfigurations change cyberbattle space unpredictably and without warning.
  5. Contrary to our historical understanding of war, cyberconflict favors the attacker.
  6. Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.
  7. The difficulty of obtaining reliable cyberattack attribution lessens the credibility of deterrence, prosecution, and retaliation.
  8. The “quiet” nature of cyberconflict means a significant battle could take place with only the direct participants knowing about it.
  9. The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking.
  10. There are few moral inhibitions to cyberattacks, because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering.

Posted on January 30, 2012 at 6:02 AM

Hack Against SCADA System

A hack against a SCADA system controlling a water pump in Illinois destroyed the pump.

We know absolutely nothing here about the attack or the attacker’s motivations. Was it on purpose? An accident? A fluke?

EDITED TO ADD (12/1): Despite all sorts of allegations that the Russians hacked the water pump, it turns out that it was all a misunderstanding:

Within a week of the report’s release, DHS bluntly contradicted the memo, saying that it could find no evidence that a hack occurred. In truth, the water pump simply burned out, as pumps are wont to do, and a government-funded intelligence center incorrectly linked the failure to an internet connection from a Russian IP address months earlier.

The end of the article makes the most important point, I think:

Joe Weiss says he’s shocked that a report like this was put out without any of the information in it being investigated and corroborated first.

“If you can’t trust the information coming from a fusion center, what is the purpose of having the fusion center sending anything out? That’s common sense,” he said. “When you read what’s in that [report] that is a really, really scary letter. How could DHS not have put something out saying they got this [information but] it’s preliminary?”

Asked if the fusion center is investigating how information that was uncorroborated and was based on false assumptions got into a distributed report, spokeswoman Bond said an investigation of that sort is the responsibility of DHS and the other agencies who compiled the report. The center’s focus, she said, was on how Weiss received a copy of the report that he should never have received.

“We’re very concerned about the leak of controlled information,” Bond said. “Our internal review is looking at how did this information get passed along, confidential or controlled information, get disseminated and put into the hands of users that are not approved to receive that information. That’s number one.”

Notice that the problem isn’t that a non-existent threat was overhyped in a report circulated in secret, but that the report became public. Never mind that if the report hadn’t become public, the report would have never been revealed as erroneous. How many other reports like this are being used to justify policies that are as erroneous as the data that supports them?

Posted on November 21, 2011 at 6:57 AM

Journal Article on Cyberwar

From the Journal of Strategic Studies: “Cyber War Will Not Take Place”:

Abstract: For almost two decades, experts and defense establishments the world over have been predicting that cyber war is coming. But is it? This article argues in three steps that cyber war has never happened in the past, that cyber war does not take place in the present, and that it is unlikely that cyber war will occur in the future. It first outlines what would constitute cyber war: a potentially lethal, instrumental, and political act of force conducted through malicious code. The second part shows what cyber war is not, case-by-case. Not one single cyber offense on record constitutes an act of war on its own. The final part offers a more nuanced terminology to come to terms with cyber attacks. All politically motivated cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: sabotage, espionage, and subversion.

Here’s another article: “The Non-Existent ‘Cyber War’ Is Nothing More Than A Push For More Government Control.”

EDITED TO ADD (11/4): A reader complained to the publication, and they removed the paywall from the first article.

Posted on November 3, 2011 at 1:22 PM

Three Emerging Cyber Threats

On Monday, I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal:

  1. The Rise of Big Data. By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data-collection companies like Facebook and Google. They’re collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior.
  2. Ill-Conceived Regulations from Law Enforcement. We’re seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I’m thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they’ll all make us less safe.
  3. The Cyberwar Arms Race. I’m not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.

That’s my list, and they all have the potential to be more dangerous than cybercriminals.

Posted on September 23, 2011 at 6:53 AM

U.S.-Australia Cyberwar Treaty

The long-standing ANZUS military treaty now includes cyberspace attacks:

According to Reuters, the decision was made in discussions between the two countries this week. The extension of the treaty would mean that a cyber-attack on either country would be considered an attack on both.

Exactly what this means in practice is less clear: practically every government with a connection to the Internet is subject to pretty much constant attack, and both Australia and America regularly accuse China and North Korea of playing host to many such attacks (China just as regularly denies any government involvement in Internet-borne attacks).

According to Reuters, it’s the first time any non-NATO defense pact has extended to the Internet. US Defence Secretary Leon Panetta is quoted as saying “cyber is the battlefield of the future.”

Posted on September 22, 2011 at 7:09 AM

Sidebar photo of Bruce Schneier by Joe MacInnis.