Skip to content
About these ads

Parsing Cyberwar – Part 1: The Battlefield

9 August 2012

Summary of this post by Marcus Ranum: This series is based on a lecture I presented at RSA Conference in March 2012. In it, I will attempt to isolate some of the strategic elements of the “cyber” battlefield so that we can better understand the inner dynamics of its components. This is important to do, because cyberwar frequently combine elements of the battlefield in ways that are confusing and perhaps even contradictory. In order to incorporate cyberwar into grand strategy, it is important not to do it in a way such that we step on our own toes, so I believe that a better understanding of the problem will be valuable to attacker and defender, alike.

Contents

  1. The Battlefield
  2. Cybercrime
  3. Cyberespionage
  4. Cyberterror
  5. Cyberwar
  6. Summary
  7. Next up
  8. For More Information

(1) The Battlefield

I entitled this series “Parsing Cyberwar” because that’s what we need to do – “parsing” a phrase is the process of analyzing its components and grammar and checking to see if it’s correct and comprehensible; that’s exactly the problem we have with cyberwar today. Since it first became a popular term in the computer security landscape in 1996 with the publication of Winn Schwartau’s  science fiction novel, Information Warfare, cyberwar has served primarily as a hold-all encompassing cyber-crime, cyber-espionage, cyber-terror, and cyber-war. I have seen the term used to describe everything ranging from tactical use of computers in battlefield command/control to strategic economic spoiling operations.

I credit a great deal of this to the time at which the term was introduced, and the way in which it was first presented. When Schwartau wrote his book, the intelligence community and DoD were still in the throes of re-orienting their missions (and budgets) for a post-coldwar world: cyberwar appeared first and foremost as a whole new problem that needed research – lots of research. It presented a good opportunity for both the expansion of agency missions and beltway contractors’ portfolios of offerings. Between 1996 and 1999, it was pretty much a given that any research proposal sent to DARPA needed to have “cyberwar” in the title, and it took the better part of the remaining 15 years until now for a bit of sanity to set in.

In the intervening time, perturbed violently by post-9/11 realignment in the intelligence community, cyberwar has simultaneously been a cherished bailiwick and a hot potato. One agency after another stepped forward and announced that they were going to spearhead the US’ cyberdefense efforts, then discovered that it was a hard problem, and was replaced by another. Today, there are a half-dozen agencies ranging from Department of Homeland Security to the National Security Agency which claim the turf. Meanwhile, according to every agency involved in cyberdefense, the critical electronic infrastructure remains at risk and there hasn’t been a great deal of progress made in spite of the tremendous amount of money spent.

.

Under the umbrella of cyberwar are four main components:

  • Cyber-crime
  • Cyber-espionage
  • Cyber-terror
  • Cyber-warfare

Each of these components is a problem domain in its own right, and has very different properties of attack and defense. It’s my opinion that these problems are often conflated because – simply put – it’s easier to scare your customer out of their money using the following argument:
You know for a fact that hackers and cybercriminals seem to be able to penetrate our systems at will; therefore, imagine how bad it could be if state-sponsored actors decided to do it also.

It’s a reasonable argument if left unexamined, but it avoids the deeper questions such as: “would a cyberterrorist use the same methods as a cybercriminal?” and “would a state-sponsored cyberespionage program look and act like a cybercriminal’s bot-net? This is a reasonable question, by the way, to ask a security products vendor: “is this thing you’re trying to sell me designed to foil the casual hacker, the professional criminal, or the state-sponsored spy?”
Now, let’s look at the agendas and tactical/strategic operations of the four subtypes of the cyberwar battlefield.

(2)  Cybercrime

The cybercriminal acts purely for short-term profit. In a sense, they are parasites on commercial systems and networks – they want to take advantage of the lifeblood of the cyber-age without killing or significantly harming their hosts. Because they are not organized and coordinated on a large scale, their activities will be purely tactical; they’ll hit where the money is, grab what they can, and move on.

The cybercriminal’s methods will co-evolve rapidly against the defenders’ attempts to block them (an important point we’ll come back to later in Part 2) and they’ll prove impossible to eradicate. If one group of cybercriminals is shut down, another will occupy their niche as long as its profitability outweighs the risk of capture and punishment. At present the asymmetry between that risk and the opportunity for crime is so great that we can only look forward to the activities of the cybercriminals getting increasingly professional and creative. Cybercriminals’ operations will remain entirely tactical exactly because of the pressure to innovate – the ones who make the most money will be the ones developing new scams, tools, and techniques. They will shift stance rapidly to where the money is and, because of their generally non-ideological nature, every possible target represents an opportunity; they will steal from everyone including each other.

(3)  Cyberespionage

Espionage, whether economic or military, has always been a strategic activity, if only because of its generally long-term targeting. Classical espionage involves building networks of agents-in-place, suborning the targets communication systems, and embedding within their infrastructure. Whether this is done electronically in the “cyber-“ context or using traditional trade-craft, espionage remains a slow-moving process: immediate payoffs are generally less significant than long-term results, which means that the grand strategy of a nation-state does not make for particularly nimble espionage.

Consider, as an example, the disruption in the US intelligence community’s mission at the collapse of the USSR: a brief scramble to find a new enemy to focus on that found the intelligence community caught on the wrong foot when Al Quaeda volunteered itself for the role.

Cyberespionage consists of multiple levels: useful idiots, long-term operations, and economic intelligence gathering. The useful idiots may be legions of government-associated hackers who troll the internet and engage in smash-and-grab data collection where data is poorly secured. One would assume that any competent nation-state’s intelligence apparatus would have a process for collecting, cataloging, assessing, and winnowing through such information. The useful idiots are useful because they are highly deniable and can be operated at arm’s length. Economic and technology intelligence gathering is generally a matter of collecting information that, for all intents and purposes, is practically lying about.

High tech first world societies rely so heavily on exporting parts of their technological processes to capitalize on low-cost labor, that it has long been a strategic economic activity for less technologically advanced nations to make technology transfer a condition for gaining access to their labor pool.  In cyberspace, both the useful idiots and economic intelligence gathering have almost the properties of “open source intelligence.” The problem is not so much a matter of how to collect the intelligence as how to evaluate it, sort through it, and find the important megabytes in the terabytes that are harvested.

Long-term operations, whether in cyberspace or meatspace, will continue as they have since the dawn of human history: finding out who has access to important information and convincing them to reveal it. This process can take years and is high risk for the controllers of agents in place, but pays off tremendous rewards since the people providing the information generally have an idea of the location and value of what is being collected. There will be some change in long-term operations thanks to computers and networks but it will mostly have to do with the expansion of the target’s threat-surface. Nowadays you no longer have to go after the person who generates a desired piece of intelligence, you can go after the system administrator or the person who rotates the backups. This is really nothing new – the history of intelligence operations is replete with secretaries who were suborned, or photocopier machine technicians who embedded a little extra something in a copier.

We shouldn’t expect the advent of cyberspace to do much to long-term operations other than to scale with Moore’s law – Aldrich Ames sold incredibly damaging information from the CIA on floppy disks; today it would all fit on a single USB thumb-drive. Copying things has gotten easier; getting the right person in the right place to do the copying hasn’t.

(4)  Cyberterror

When we’re talking about cyberterrorists it’s arguable whether or not we’re dealing with a myth. Terrorism is the process of attempting to influence a political process from outside, using threat, intimidation, and damage. As such, terrorism is inherently ideological or nationalistic and therefore will focus on subtargets of opportunity within a specific target.

In other words, unlike the cybercriminals who’ll go after anything profitable, the cyberterrorists will only go after a specific target, but might hurt it in any way possible. Critical potential subtargets within that target, however, can reasonably assume that they may be targeted, and increase their defenses appropriately. Power, water, oil, shipping, vehicle control, financial system, and other high-value subtargets should “consider themselves warned” if the nation or culture they are part of is experiencing terrorist attacks. Like with meatspace terrorism, cyberterrorism is especially problematic because of its inherent asymmetry: the attacker needs to find a single poorly defended subtarget of opportunity, whereas the defender must defend all subtargets consistently.

State-sponsored cyberterrorism presents us with a more complex problem. We’ve already seen instances of state-sponsored cyberterrorism in the Stuxnet attacks against Iran. The Stuxnet attacks, however, were not targets of opportunity; they were part of a long-term planned attack that occurred on an approximately 3-year time horizon, due, in part, to the fact that the target was carefully chosen and the cyberweapon used was customized specifically for that target. Broader-scale state-sponsored cyberterror attacks against a nation’s power grid or communications infrastructure, might or might not require such a long-term horizon; probably it would be considerably shorter.

The crucial issue with state-sponsored cyberterrorism is that it’s a tactic used in a strategic context. Consequently, the target can fairly well assess the likelihood that a given attack came from a particular quarter, whether they can prove it or not. Again, Stuxnet serves as a good example. Many geopolitical analysts and security technologists (including myself) correctly identified the US or Israel as the most likely sources for Stuxnet. Pretty much everyone did. The attackers went to a great deal of trouble to successfully launch their attack, and the attack aligned perfectly with the US and Israel’s stated political positions. Just as with meatspace terrorism, cui bono? is the question to ask, if you want to know the identity of the primary suspect. The implications of that are obvious: any state that sponsors cyberterrorism is going to have to be able to deal with any political blow-back from a cyberterror operation.

(5)  Cyberwar

Cyberwar is strategic, and consequently a long-term activity. Just as the meatspace military needs to maintain contingency plans for various situations according to a nation’s grand strategy, so does the cyberwarrior. In principle a cyberwar contingency plan would include preparations to penetrate, attack, degrade, and suborn a target’s military command/control systems as well as components of the target state’s civilian critical infrastructure.

This presents the cyberwarrior with a daunting problem: for the attack to have military utility it needs to be significantly large, but most importantly, it needs to be reliable. In the predominant cyberwar scenarios, cyberwar is construed as a force multiplier – i.e.: an adjunct to conventional meatspace operations. This, again, is nothing new; it’s what Napoleon Bonaparte would recognize immediately as another form of combined-arms attack. As such, the coordination between the arms, and their reliability on the field is paramount. The cyberwarrior has to scout a strategic target, map it out, at least partially penetrate its command/control systems without being detected, and maintain its strike capability for as long as it may be needed. In other articles and presentations I have offered skeptical arguments about the cost-effectiveness of such large-scale preparations.

If we look at strategic cyberwarfare, the cyberwarrior’s agenda is the most expensive in terms of effort, and the most likely to fail by being detected. Since the cyberwarrior cannot choose subtargets of opportunity, and has to penetrate and prepare on a long-term time horizon, they need to not only map the target, they need to maintain the penetration capability reliably against all of the deliberate or accidental actions of the defender. The entire costly effort could go up in smoke if the defender had detected some of the cyberwarrior’s penetration attempts and quietly put fall-back/redundant systems in place, or prepared to sequester their systems when they were brought under attack.

Most significantly, the subtargets may be manned by active defenders, unless they are so obtuse that they utterly fail to assess the geopolitical situation and see the cyberattack coming. As I write this in August, 2012, I have to imagine that the Iranian Government has some kind of practical plans in place for dealing with large-scale cyberattacks on their critical infrastructure. They would be crazy not to, and all it would take to block many of them would be to unplug a couple of routers when the balloon goes up. I’ll go into more detail about the reasons for my reservations regarding cyberwar as a practical force multiplier in a later part of this series

(6)  Summary

Already, you should be able to start comparing and contrasting the different problems in each of the subtypes of cyberwar, and it ought to be intuitively clear that they really are very different things. One of the primary motivations in my writing this series is because I feel that the cyberwar subtypes are often conflated in people’s minds – it’s what I call the “cyberwar hop skip and jump.”

Suppose we want to scare a congressman into spending a lot of money on cyberwar: we show them that cybercrime is a serious problem – after all, there are botnets comprising millions of systems. Then we imply that a million-system botnet argues that taking over a nation-state’s command/control systems is a problem of the same type and scale. It’s not, of course, but a congressman or a voter is not likely to know that.

(7)  Next Up

In the next part of this series, I will describe some of the deeper synergies and conflicts that may arise between these subtypes of cyberwar. In the final part, I will offer some high-level analysis of our response strategies in those areas and where we can expect defensive or offensive capabilities to overlap.

Parsing Cyberwar: the series

  1. The Battlefield
  2. The Logistical Train
  3. Synergies and Interference
  4. Patch #1 – Lessons from the Gauss malware
  5. The Best Defense is a Good Defense

(8)  For More Information

(a)  For a lengthy bibliography

See the FM Reference Page about Cyber-espionage and Cyber-war!

(b)  Some ather articles:

  1. Winn Schwartau, “Information Warfare” – (wikipedia)
  2. Cyberwar is Coming!”, John Arquilla and David Ronfeldt, Comparative Strategy, Spring 1993 — republished in a RAND report (pdf)
  3. The Farewell Dossier – (wikipedia) Economic spoiler operation or counter-espionage?

(c)  Other articles by Marcus Ranum:

  1. Obama knows how to lead America by exploiting our fears,  5 June 2009 — About cyberwar
  2. Cyberwar: a Whole New Quagmire.  Part 1: The Pentagon Cyberstrategy, 2 September 2011
  3. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  4. Conflating Threats, 14 September 2011
  5. About Stuxnet‏, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
  6. Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
  7. About Attribution (identifying your attacker), 21 October 2011
  8. You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011
About these ads
35 Comments leave one →
  1. 9 August 2012 5:25 am

    Look forward to more, lots to think about. But if enemy pulls router, then he has done your work for you, one of the objectives in a cyber war is taking the enemy off line.

    I don’t think you need massive numbers of troops, just massive numbers of bots, from sources I’ve found reliable in the past confliker is NSA weapon, theoretically could be run by one person. Before stuxnet there was a mapping recon program, so Irans networks theoretically maybe already mapped. Its possible cyber IED’s have already been planted, awaiting a specific date/time, in which case taking your router off line is ineffective.

    Cyber war may not be an adjunct of a meat war,a force multiplier but its only component. Stuxnet/flame have the capability for multiple war heads, Banking, phones,C2,Army,Air force, electric etc there in lies the potential to erase a cultures data base. Restricting every thing to snail mail, Stuxnet/Flame have finished large-scale preparations.

    “fall-back/redundant systems in place, or prepared to sequester their systems when they were brought under attack.”

    If stuxnet/flame has already planted cyber IED’s redundant, back up systems may have already been breeched. Sequestering a system with cyber IED’s already implanted could be a signal to trigger the munition.

    With these considerations Iranian culture can be set back to 1950s — snail mail for everything, deleting key data bases, money, finances,stock exchanges could drop them back to 1860′s.

    At any rate turn Iran blind deaf and dumb in a military sense while the Air Force pounds nuke facilities at their leisure.
    I suspect we are about to see a whole new application of combat in the newest domain.

    Look forward to rest of your articles. Thanks.

    Gerald, Internet Anthropologist, ad magnum

    Like

    • 9 August 2012 1:04 pm

      Thank you for your thoughtful reply. It will be interesting to see what Ranum says.

      The history of military innovations suggests that the current state of cyberweaponry is far less advanced than you suggest (returning Iran to 1860′s). Perhaps the most apt analogy are the bomber-gurus, who as early as the early 1930s said that a nation could be destroyed from the air. They proved correct, even with conventionals — but far exaggerated bombers capabilities, as the large numbers of heavy bombers necessary to do so were not available until 1944. And even then the resources necessary (trained men, materials, industrial capacity) were so great as to make them an inefficient use.

      Also — given what you’ve written about EMPs, you might find these of interest:

      Like

    • 9 August 2012 4:13 pm

      (1) But if enemy pulls router, then he has done your work for you, one of the objectives in a cyber war is taking the enemy off line.

      Maybe, maybe not. It’s important to understand that some attacks might involve taking critical systems offline, whereas others might simply make them unavailable. In some cases, making the system unavailable would be a “win” and in others it might be a horrible “lose.” Let’s take, for example, a manufacturing process: if I’m under attack and I take it off the internet, then I can continue to manufacture unimpeded. In situations like the Estonia cyberattacks, where you’re attacking the civilian-facing aspects of government service, then, yes, it’s a disruption. But, still – there is a gigantic difference between, say, making the IRS’ website unavailable to taxpayers and taking down the database servers behind it.

      (2) I don’t think you need massive numbers of troops, just massive numbers of bots

      I will address that in the second part of the series, but the short answer is “not quite.” Massive bot-fleets are useful for disrupting service but military useful activities require direction. Botnets are like having a massive number of infantry with no initiative whatsoever. So, unless you tell them what to shoot at, they’re just going to stand around. When it comes to exploiting an attack in a militarily useful way, you need human decision-makers (and highly technical ones, at that) in order to decide what to do next. That’s the difference between a blitzkrieg breakthrough and simply bombing your enemy to keep their heads down.

      What I’m saying is that botnets actually aren’t that interesting.

      (3) from sources I’ve found reliable in the past confliker is NSA weapon, theoretically could be run by one person

      I don’t trade in undisclosed sources, but I find the idea that Conficker is an NSA weapon to be highly highly doubtful. First off, it’s childishly easy to detect, and it was initially fielded to grow. It’s much more likely that Conficker was a commercial botnet – someone wrote it and deployed it so as to take over a huge number of machines with the intent of cashing out by selling the entire structure to some cybercrime group who would exploit the systems that had been taken over. That’s an important point which we will revisit in Part 2: you can take over a lot of systems but you have a huge logistical problem in exploiting the results usefully.

      Yes, though, most botnets are designed to be run by one person. That is their whole value.

      (4) Its possible cyber IED’s have already been planted, awaiting a specific date/time, in which case taking your router off line is ineffective.

      It’s possible, but that would be stupid for an attacker to do. I will explain why in Part 3.

      (5) Stuxnet/flame have the capability for multiple war heads, Banking, phones,C2,Army,Air force, electric etc there in lies the potential to erase a cultures data base.

      The “potential to erase a culture’s data base” is science fiction, says this former system administrator and DBA. Until and unless a society manages to make a horrible mistake such as putting almost all of its data in a single repository and forgetting about data redundancy and basic system administration.

      By the way, you mentioned banks and phones – are you considering civilian infrastructure as a morally acceptable target in such an attack? I’m just curious.

      (6) If stuxnet/flame has already planted cyber IED’s redundant, back up systems may have already been breeched.

      In the immortal words of Rich Rosen: “Many things are possible, but very few actually happen.”
      It’s certainly possible that “cyber IEDs” could be planted but that would be foolish on the part of an attacker! Think about it a little bit harder and perhaps you’ll figure it out. Either way I explain it in Part 3.

      By the way, I do not like your “cyber IED” terminology. There is nothing “improvised” or “explosive” about cyberweapons. Besides, there is existing and ample terminology – you’re talking about what we’d term a “trojan horse.” Let’s not confuse ourselves by making up lots of new terms because then we go off into a rathole arguing about what they mean.

      (7) With these considerations Iranian culture can be set back to 1950s — snail mail for everything, deleting key data bases, money, finances,stock exchanges could drop them back to 1860′s.

      You appear to be advocating states attack civilian targets. While I understand that that’s been the prevailing form of war for a long time, let’s not mince words: you are talking about serious war crimes.

      (8) At any rate turn Iran blind deaf and dumb in a military sense while the Air Force pounds nuke facilities at their leisure.

      A minute ago you were saying that cyberwar might not be a force multiplier but might be the war in and of itself. Now you’re talking about it as a force multiplier. Reality is not that flexible. For one thing, even in an absurdly best-case scenario a cyberattack is not going to disable military antiaircraft systems. You might (if you’re dealing with an exceptionally stupid enemy) be able to disrupt some battlefield communications. But real-world armies do not configure their SAMs so that they’re only operable over the web! I suspect they never will, because of the obvious problem.

      Your suggestion of turning any country “blind deaf and dumb” in a military sense is absurd, in a technological sense. Let’s stick to real-world scenarios.

      Like

  2. OldSkeptic permalink
    10 August 2012 9:39 am

    I find a lot of the claims overblown … at this moment. But if you look at the trends you do see increasing vulnerability, particularly in western societies. For example: I remember being a network admin when companies had dedicated lines, even one that had its own private microwave link from HO to an oil refinery. Now these were difficult to penetrate or hit and even if you did it only was one company.

    But in our relentless drive to ‘cut costs’ more and more organisations and systems ‘piggy back’ on the existing internet infrastructure. Cheaper yes, but far more vulnerable. As a general point this seems to be the mantra of western society right across the board at the moment (of which the GFC is the poster child). Save money by making things more fragile and vulnerable. So the scope for damage (I’m concentrating on the attack side) is steadily increasing.

    Now here is the overall strategic bit. We in the west have flagged that will will use cyber attacks and use them quite often. so just about everyone else out there (who is not a complete moron) now knows that they have to protect their vital systems. So I’d expect lots of ‘paddling under the water’ in all sorts of places (and naturally Russia and China where the gun sight is steadily tracking towards) will be hardening their key stuff.

    While at the same time we are making our stuff more vulnerable. Hmmm, what could possibly go wrong with this scenario.

    Note that to really cause disruption in a country there are many simple ways to do it (noting that FM is a specialist site and unlikely that any ‘bad guys’ read it, or more likely haven’t already thought of this) such as take out the ATMs. You could cause a lot of damage in a very short period of time.

    Note also, backing up my original argument, that penny pinching by banks (must keep those bonuses going) means that most of those systems are hanging in by their fingernails already. Crashes are becoming more and more frequent, without any attacks.

    In fact in the US, taking another example, the electricity grid is so close to the edge that an ‘Indian’ experience is going to happen anyway within the next 10 years or so. BUT, and here is the scary part, it makes a very attractive target. Again, ‘saving money’, far too many (but not all of course) monitoring and control systems have been ‘piggy backed’ onto the existing internet infrastructure. Now If I was (say) Iran and thinking ‘thank you so much for your wonderful cyber attacks’ I’d be thinking ‘how can I really hit them if I need to’? Oops, stuxnet might not have been such a clever idea after all.

    Strategically, shooting up someone else’s little greenhouse is not such a good idea .. if your greenhouse is 20 times the size of theirs.. might give them nasty ideas after all.

    Like

    • 10 August 2012 12:29 pm

      Conceptually, OldSkeptic mirrors my thinking on this. But then I was a cutting edge techie in 1980, not so much since then. My secretary had one of the first iPods; I told her it was clever, but not a mass market device. Now my kids laugh at my lack of tech savvy.

      So I’d convert Oldskeptic’s comment in to questions for Marcus about vulnerability (which he has discussed before). How accurate are these statements?

      • “more and more organisations and systems ‘piggy back’ on the existing internet infrastructure. Cheaper yes, but far more vulnerable.”
      • “penny pinching by banks (must keep those bonuses going) means that most of those systems are hanging in by their fingernails already. Crashes are becoming more and more frequent, without any attacks.”
      • “the electricity grid is so close to the edge that an ‘Indian’ experience is going to happen anyway within the next 10 years or so. BUT, and here is the scary part, it makes a very attractive target. Again, ‘saving money’, far too many (but not all of course) monitoring and control systems have been ‘piggy backed’ onto the existing internet infrastructure.”

      Like

    • 10 August 2012 8:46 pm

      (1) “But if you look at the trends you do see increasing vulnerability, particularly in western societies.”

      This is a serious problem. It seems to me that there is a class of IT managers/executives who seem dead set on doing the stupidest possible things in the name of “cost savings” or “keeping up with the joneses!” I have spent the better part of my career fighting that particular battle and only got onto the topic of cyberwar when I noticed that a huge amount of money was being pulled away from sensible, practical, security and pushed toward glib beltway bandits telling tales of WMD-like national collapse.

      I am slightly optimistic, however; as I hope this series will argue successfully, cybercrime acts a fairly strong reinforcement system and negative feedback against lameness. Let me put that another way: imagine how bad the DoD’s networks would be if it hadn’t been demonstrated over and over again the 15-year-olds could break into them. I’m not saying “thank the 15-year-olds” but clearly there’s a problem! And the 15-year-olds helped give the right people some semi-realistic perspective. As I have written in other articles on this site, I think that the US Government is pursuing some very ill-advised policies. I’m confident that the Anonymous collective, Romanian hackers, Russian Business Network and – yes – lots of “useful idiots” from China – are going to continue to force improvement with their “voluntary 24/7 penetration testing.”

      (2) “or example: I remember being a network admin when companies had dedicated lines, even one that had its own private microwave link from HO to an oil refinery. Now these were difficult to penetrate or hit and even if you did it only was one company.”

      Me too. But a lot of those dedicated lines went through AT&T, which screwed them up often enough that we had to develop fall-backs, dial-up failover, etc, etc. I agree that a lot of stuff is getting centralized and may be more vulnerable, but there has always been lots of centralized stuff. Back in 1985, for example, a friend of mine was subjected to a “service cancellation attack” – someone called AT&T and told them that all their T-1 circuits would not be needed any more. AT&T trusted the circuit numbers and – poof – my friend had a short disruption. And, now we see that the systems at the carriers have responded so that those attacks are harder. Not impossible, but much, much harder. As the situation gets worse, so it gets better – and it seems to me to be at approximately the same rate.

      There are broad trends which you correctly observe and they should scare you. I discuss a few of them here if you want to know what keeps me up at night. It’s not “cyberwar.”

      (3) “We in the west have flagged that will will use cyber attacks and use them quite often. so just about everyone else out there (who is not a complete moron) now knows that they have to protect their vital systems. So I’d expect lots of ‘paddling under the water’ in all sorts of places (and naturally Russia and China where the gun sight is steadily tracking towards) will be hardening their key stuff.”

      Yes. I’ve been referring to it as the inevitable balkanizing of the internet, as a consequence of US treating it like a private colony. Any nation’s leaders with any sense should be thinking about this problem – and, yes, it’s very very hard. It starts with having your own DNS but what next, your own Google? Ow!

      (I am not saying that a country cut off from Google will collapse into anarchy; but their civilians are going to be mighty inconvenienced!)

      (4) “You could cause a lot of damage in a very short period of time.”

      Maybe. But you could surely cause tremendous damage with ordinary state-sponsored terror attacks. Remember how much damage the DC snipers did? And they were just two idiots with no agenda other than mayhem. Yes, there are cyberattacks that could be damaging and cost a lot of money and make some system administrators extremely unhappy. But why not just shorten the sentence and say that any country our size that is an open society is extremely vulnerable to all kinds of stuff? Because that’s how any rational attacker is going to look at things.

      If I wanted to do massive economic damage to the US, I wouldn’t waste my time with cyberstuff at all. I’d have a bunch of guys with deer rifles and bows fire arrows trailing heavy-duty copper wire over transformers all over in communities more or less at random. And when the power crews came to try to fix it, shoot a few of them. That scenario is about comparable in ridiculousness to some of the cyberscenarios but it requires virtually no skills to carry out and all the gear could be sourced one-stop-shop at WAL-MART. Etc.

      We can all hypothesize all kinds of stuff, but as Rich Rosen says, “Many things are possible but very few things actually happen.” That’s why security people worry about the stuff that is most likely to happen. And in cyberspace, that most likely attack is a kid in Romania who’s bored and looking for a credit card database or an HR database.

      (5) “most of those systems are hanging in by their fingernails already. Crashes are becoming more and more frequent, without any attacks.”

      I strongly disagree. One of the side-effects of a lot of agencies outsourcing or moving to the cloud is that businesses and government agencies that suck at IT have given that problem over to people who categorically Do Not Suck. The systems administrators at Amazon are some of the best fire-breathing badasses in IT today. The NOC team at General Dynamics, which oversees a lot of the DoD networks, is vastly more skilled than the disparate, uncoordinated teams that they’ve replaced. What we’re seeing is constant change and change is always scary to us old farts. We need to remember that sometimes it’s good and sometimes it’s bad and most of the time it’s a wash.

      (6) “an ‘Indian’ experience is going to happen anyway within the next 10 years or so.”

      It’s already happened! But it happened because businesses like Cal Edison were squeezing too much profit out and deliberately let the system fail so they could ask for a rate-hike. Which is more likely – an external enemy or a good old capitalist looting of the till?

      (7) “Oops, stuxnet might not have been such a clever idea after all.”

      I agree, and have said that here before. What I think is going to happen is that the DoD is going to try to establish cyberwar as a weapon of privilege: we can do it to you but don’t you even dream of doing it to us. That has worked with nuclear weapons but only because the US has shown that it is willing to expend vast amounts of money and kill freely in order to preserve its monopoly where it can.

      I hope that doesn’t happen with cyberwar but when I read comments like Anthropologist’s I worry.

      Like

  3. 10 August 2012 1:36 pm

    I appreciate your reply, we are looking at the same elephant, but different parts.

    Stuxnet has been running Iran’s networks since 2008, we ran into it in 2009 during a joint Anonymous operation against Iran. “Our surveillance of Stuxnet starting 2009“, 13 June 2012.

    Stuxnet, Flame, Duqu and Mahdi are but payloads of overall programs designed through the work of intelligence.The preparation is done, 5 yrs of espionage and sabotage. I agree they are “trojan horses.” but thats like saying USS Regan is a boat, hense ‘cyber IED’s’

    “You appear to be advocating states attack civilian targets.”

    No I am not, exploring capabilities. But is taking out WWW, which confliker could do in Iran, taking out an civilian target? Cyber war also presents the possibility of an almost bloodless WMD. If you take out the WWW that alone would put them back to 1950′s, using snail mail.

    Your example of missile bases not connected to www, maybe true, but C2 is. The orders could be changed, intercepted, coordinates changed en route by just one integer.

    And the possibility of NULL values is a huge monkey wrench, the trojan gets root and justs reports “system down”. No actual damage, the key system just wouldn’t be used. That scenario was used very successfully by @JohnBumgarner in practice cyber war. Key data would not even have to be destroyed, just encrypted, so Iran wouldn’t have access till the regime changed.

    “Your suggestion of turning any country “blind deaf and dumb” in a military sense is absurd, in a technological sense. Let’s stick to real-world scenarios.”

    Sorry I wasn’t limiting myself to only technology, if you get C2, you could issue orders effectively making them impotent. If you can take down their WWW, CYBER or real world cutting cables,
    cut www ^ intranets, including phones, they are in effect blind deaf & dumb.

    I sincerely appreciate your valuable time in responding, I seldom get an real expert to bounce my hypotheses on. Keep up the excellent work.

    Gerald, Internet Anthropologist

    Some of our more interesting work.
    http://warintel.blogspot.com/2008/10/exclusiveal-qaeda-knew-341-lbs-nuke.html
    http://warintel.blogspot.com/2008/11/taliban-webmaster-ips-location-pakistan.html

    Like

    • 10 August 2012 3:01 pm

      “If you take out the WWW that alone would put them back to 1950′s, using snail mail.”

      That makes no sense to me, if WWW = world wide web. It’s widespread growth began in 1993, with the introduction of Mosiac (see Wikipedia).

      Also, although I don’t see data on internet penetration & use in Iran, it’s probably lower than Turkey’s (from memory about 1/3 of ours, depending on the metric). It might be similar to that of Russia and China, who are roughly half that of Turkey. Almost certainly they’re not sufficiently dependent on the internet or WWW so that crippling that pushes them back 60 years.

      These are bold claims, which IMO require some heavy support to be taken seriously.

      There are many databases on this topic. See here for data on OECD use of broadband. For a borader range of data, see Internet World Stats.

      Like

    • 10 August 2012 8:10 pm

      (1) Stuxnet has been running Iran’s networks since 2008, we ran into it in 2009 during a joint Anonymous operation against Iran.

      I’ve written about Stuxnet elsewhere on this site. It’s based on some techniques that were published in spring 2007. It’s not that complicated code; if a small team of 2 or 3 engineers worked on it, it would have been ready to field in 6-9 months, so the time-frame you’re talking about seems right.

      (2) I agree they are “trojan horses.” but thats like saying USS Regan is a boat, hense ‘cyber IED’s’

      Hyperbole doesn’t impress me much.

      No I am not, exploring capabilities. But is taking out WWW, which confliker could do in Iran, taking out an civilian target?

      Why yes, yes it is. What about the world-wide web is military? Last time I checked it was a vehicle for e-commerce, online libraries like wikipedia, online education, citizen of the world to citizen of the world communications, stock trading, banking, telephony, telepresent surgery in hospitals, civilian power-grid control systems, home automation, music, etc, etc, etc.

      The military tunnel their traffic over it in many places, using inline encryptors, virtual wires, and multiplexed optical pathways. Nobody but a fool would claim to be able to take down just the military networks and have no impact on civilian communications. Now, before you start talking about how acceptable collateral damage is, I suggest you read the Geneva Conventions – not the US DoD’s statements about what the DoD considers acceptable collateral damage. As I argued here: it can easily be argued that the military are hiding behind human shields by embedding their infrastructure inside civilian infrastructure. I probably won’t convince you of that, but I encourage you to think hard about this topic, and to do so with your reciprocity hat on.

      (3) Cyber war also presents the possibility of an almost bloodless WMD.

      Again, as Rich Rosen says, “Many things are possible but very few of them actually happen.” First off “bloodless WMD” is kind of a contradiction in terms. What about “Mass Destruction” does not involve, uh, mass, er, destruction?

      Be that as it may. Now are you advocating that the US again unilaterally use WMD against noncombatants? Are you some serious? That’s monstrous!

      (4) If you take out the WWW that alone would put them back to 1950′s, using snail mail.

      When you say things like that, you sacrifice all credibility with me. For one thing, I was building Email systems in the early 1980s and managed UUCP between 1985 and 1989. This was well before the invention of “WWW” and it provided perfectly good infrastructure over dial-up. By today’s standards it’d be clunky but any semi-competent system administrator would be able to start setting up a point-to-point alternative infrastructure – completely bypassing web protocols – in under a day. But that’s almost beside the point; your comment shows that you not only don’t understand data networking, you don’t understand the web, either.

      What does it even mean to “take down the WWW”? Google is in the US and serves a gigantic amount of the world’s email. If you take down whatever country I’m in’s internet infrastructure, I’ll have a PPP account on earthlink and be checking my email in 20 minutes. Ever hear of a modem? Oh, sure, you can take down the telephone network, too. For how long? It’s farcical to say that a country would be back in the stone-age; they’d firewall off the main avenues of attack, set up temporary links, and be back in operation in a couple days, tops. Sure, some critical services could be knocked off line, but I hardly imagine that a US cyberattack is going to also knock off Amazon’s cloud services, google, Savvis, etc. Guess what? Those are used by more than just US assets and they’re all mixed together – good luck figuring out which chunk of what data bucket at Amazon S3 is is holding which data for what government. Really.

      Besides, money would be made! One of my friends who works datacomm made a gigantic assload of money setting up alternate links when the UAE’s underwater links got cut. That disruption lasted, what, a couple weeks at most? How long was Estonia inconvenienced? Do you somehow have the weird idea that when a data link goes down, the routers on both ends can’t be configured to fail over to something else, by a competent system administrator? Have you ever heard of satellite communications and gasoline-powered backup generators? The first ISP in your target country to get enough bandwith purchased on a Chinese communications satellite would make an assload of money, for sure. China Direct Broadcast Satellite Co., Ltd.’s investors would be very happy indeed.

      I’m not saying you couldn’t inconvenience the hell out of a lot of people – especially innocent civilians that are not legitimate military targets – but this kind of “back the the horse and buggy era” rhetoric is simply not credible.

      (5) And the possibility of NULL values is a huge monkey wrench, the trojan gets root and justs reports “system down”. No actual damage, the key system just wouldn’t be used.

      I have been managing UNIX systems and data networks, some large, some small, for 25 years, and I assure you that any competent system administrator is going to shrug, boot the system off an emergency drive, figure out what’s wrong, and get busy fixing it. They will not simply sit there wringing their hands asking “what do I do!?” while the food in their refrigerators runs out.

      “NULL values” means nothing to me other than dereferencing address 0 errors in C code. Reference please?

      (6) Sorry I wasn’t limiting myself to only technology, if you get C2, you could issue orders effectively making them impotent. If you can take down their WWW, CYBER or real world cutting cables, cut www ^ intranets, including phones, they are in effect blind deaf & dumb.

      All of which has happened before, without any WMD-like effects. You are making a lot of assertions about the power of these potential attacks, but they don’t sound to this old system administrator like anything that a decent systems team at an ISP or large company couldn’t handle in a day or two.

      (7) As far as Al Qaeda knowing about transportation of weapons-grade material… Um. So? There are plenty of books (one of my favorites is Thomas Reed’s At the Abyss which has a lot of horror stories about poor custodianship of nuclear material in the former USSR. So what? And as far as the IP address of a Taliban webmaster, again, so what?

      Like

  4. 10 August 2012 11:50 pm

    Attack on the 13 internet nodes could slow everything way down, I meant taking down Irans connections to the WWW, which I thought was implied maybe not. And your right it might not be back to1950′s maybe 1985,I’m not sure what date to apply if land lines and cell phones are out too.

    “null values”
    I’m referring to is just the paradigm of having their PC’s report something isn’t working,

    “I assure you that any competent system administrator is going to shrug, boot the system off an emergency drive, figure out what’s wrong, and get busy fixing it. They will not simply sit there wringing their hands asking “what do I do!?”

    Exactly what they did during the cyber exercise, repair, fix, replace something that wasn’t BAD, over & over. Because of the expense @JohnBumgarner finally told them it was a ruse before exercise was over. And there is a balance here, I think the 13th Imam paradigm is motive for Iran to push the nuke button, MAD is an incentive for that paradigm. The question maybe come does US turn off WWW & phones in Iran to stop nuclear conflagration. In WWII US carpet bombed German cities as they did GB cities.Thank God for that paradigm shift.

    And your playing semantic games with me on WMD, a cyber attack presents the possibility of WMD TYPE effects to infrastructure with out massive loss of human life, even possibility of the WMD effects being temporary/reversible.

    After the Iran strike we both will have a better view of the actual use of cyber weapons, You have focused on possible short comings, while I have focused on possible maximum effects, there is lots of middle ground.

    Even after the strike the Russian forensics may take months to answer our questions. And see what worked and what failed. Again implied w/dates, we spotted AQ recon of nuke material notified Intelligence comm. then they moved it, CIA loved Taliban IPs??

    I have much respect for your years of professional IT service, But we need to look outside the “IBM” box too. You have been most informative, & helpful, thank you again.

    Gerald, Internet Anthropologist, Ad Magnum

    Like

    • 11 August 2012 12:54 am

      “I think the 13th Imam paradigm is motive for Iran to push the nuke button”

      That statement contains several layers of misinformation and wild conjecture. It’s too off-topic to pursue here, however. If you’re interested, you can post a link to your of your posts — or you might pick up the comment thread on one of the many posts discussing these issues, listed below.

      • Very few expers — real ones (eg, with credentials, relevant professional experience), not self-taught faux experts — agree with your odd view of the 13th Iman & Iran’s public policy.
      • The world’s major intel agencies concur that Iran ended its nuke program in 2003. Israel is the unknown, as its current and past leadership publicly disagree about important details.
      • Very few geopolitical experts believe that even if Iran re-starts its program and builds nukes, they are likely to use them except in response to an attack on Iran.

      These points are supported by many dozens of expert citations, from both government agencies, ngo’s, and independent & academic experts:

      1. ISIS: “Can Military Strikes Destroy Iran’s Gas Centrifuge Program? Probably Not.”, 8 August 2008
      2. Iran’s getting the bomb, or so we’re told. Can they fool us twice?, 16 January 2009
      3. Follow-up on America’s latest wetting our pants episode: Iran’s secret atomic facility, 13 November 2009
      4. Iran will have the bomb in 5 years (again), 21 January 2010 — Forecasts of an Iranian bomb really soon, going back to 1984
      5. What do we know about Iran’s nuclear ambitions?, 6 January 2012 — US intelligence officials are clear: not as much as the news media implies
      6. What does the IAEA know about Iran’s nuclear program?http://fabiusmaximus.wordpress.com/wp-admin/edit-comments.php?comment_status=all#comments-form, 9 January 2012 — Their reports bear little resemblance to reports in the news media
      7. What happens when a nation gets nukes? Sixty years of history suggests an answer., 10 January 2012
      8. What happens if Iran gets nukes? Not what we’ve been told., 11 January 2012

      Like

    • 11 August 2012 1:43 am

      (1) Attack on the 13 internet nodes could slow everything way down

      OK, so I’m going to assume you’re talking about the peering points {see Wikipedia}.

      Here’s what a peering point does: where there’s a telecom company or some massive networking business that’s located in a technology corridor, it’s cheaper to get some data center space, have all those businesses run some bigass fiber links to the peering point, and then they can exchange data extremely quickly without having to drive the data across someone else’s infrastructure. Imagine how well it would go over if Verizon decided to tunnel all of its traffic to Apple’s iTunes store over AT&T’s network! 1) it would suck 2) AT&T would be biblically wroth. So a peering point is basically a gigantic switching center between huge internet businesses.

      First off, an attack on the peering points couldn’t slow them down because there’s nothing that can get data into a peering point faster than the peering point can switch it back out. That’s what a peering point is for. Secondly, if you disrupted the software in the switches, or whatever, some very annoyed system and network engineers would reload them from trustworthy media. If that didn’t work they’d realize real quick that something was wrong with their media and there would be glee and excitement about all the amazing fun they’d have figuring that out – meanwhile a sneakerminion would run to FRY’s and someone would call people at Cisco and cars would move with DVDs and USB keyfobs and it’d all be back and running in – I’m guessing – less than a few hours. Generally when a competent network administrator provisions a football-field-size room full of systems, they’re all running slight variations of a single master image (great system administration is a perfect combination of hubris and laziness, as Larry Wall also says about programmers. There wouldn’t be a scenario where people were reloading operating systems on thousand of machines – some sysadmin would take a slug of Rockstar and tell the thousand machines to revert and reboot.

      The potential for attacks on peering points is something that has been discussed at NANOG every year since 1994 (i.e.: they year it was founded). “Well, duh!” is the usual response. There have been people hypothesizing blowing up one of the peering points – which would really really piss a lot of people off, but the kind of networking guys we’re talking about would be hanging fiberoptic out windows and tie-wrapping it to streetlights and the lights would begin coming back on in hours. I’m pretty sure they wouldn’t step over the bodies of their dead; they’d walk around – network engineers are generally pretty thoughtful. Fiberoptic cable is expensive but not compared to downtime at the scale we’re talking – FRY’s supply might run low but believe me, I know guys who’d think it was COOL to drop line all over the place or try to go rooftop to rooftop with armored fiber.

      And please stop being so parochial and assuming that them poor dumb Iranians don’t know how to build data networks if they have to. It’s not rocket science! And there are always con$ultants standing by to make things work extra quick for a price.

      (2) I’m referring to is just the paradigm of having their PC’s report something isn’t working

      If it’s not working enough to cause a disruption, then it’s going to stick out like a sore thumb. If it’s working well enough that it’s not causing a disruption, then it’s not not working. I.e.: it’s working. Figuring out what’s not working is one of the core competencies of any system/network administrator and when something’s not working it’s really easy to triage.

      No lights on the router? It’s the router. Lights on the router, no blinky lights on the line? It’s the line. Call the guy on the other side, “Hey, Joe? Blinkycheck me?” If the blinky lights are blinking and traffic’s not getting through it might take a networking engineer 3 whole minutes to go “Hey! WOW! the blinky lights are wrong!” A novice might take 20 minutes, to be fair.

      (3) Exactly what they did during the cyber exercise, repair, fix, replace something that wasn’t BAD, over & over. Because of the expense @JohnBumgarner finally told them it was a ruse before exercise was over.

      You’re talking about the virtual simulations? In a simulation you can have a Martian attack, or Cthulhu getting into your fiberoptics. I’m familiar with the kind of scenarios they run in simulations and they have all the usual hallmarks of DoD scripted money-justifying exercises. Many of the scenarios’ premises are absurd.

      What kind of idiot would repair and fix something that wasn’t bad over and over? If it works it’s not bad. If it doesn’t work then you know your repair process is bad. This is basic basic stuff.

      (4) And your playing semantic games with me on WMD, a cyber attack presents the possibility of WMD TYPE effects to infrastructure without massive loss of human life, even possibility of the WMD effects being temporary/reversible.

      No, I am not. You are playing semantic games, first by attempting to establish a false equivalency to WMD and then moving the goal-posts by later adding “WMD TYPE“. So it seems to me that your opening position was asserting that cyberwar could cause massive damage, and now, uh, maybe not so massive. To the point where it’s temporary and reversible, which is hardly massive. Maybe only highly irritating.

      We agree, there.

      Like

    • 11 August 2012 2:51 am

      “a cyber attack presents the possibility of WMD TYPE effects to infrastructure”

      I wonder how much of this comes from propaganda from DoD (written by the same people writing pr about the F-35), and how much comes from people relying on repeated watchings of Live Free or Die Hard.

      Here’s an excerpt from a review from “a programmer and IT professional”:

      If you plan to watch this movie make sure you keep Clarkes’ third law firmly in mind. In Live Free or Die Hard technology is indistinguishable from magic. Hackers are wizards with unlimited power who can do anything the plot is calling for at the moment: reroute the gas mains, shut down the electrical grid, change stock prices, take over your GPS system, hack into your hamster and turn it into a time bomb (ok, I made this last one up) – you name it. They can shut down the country and bring about the end of civilization and the only person who can stop them is a grizzled, cynical cop who doesn’t know much about computers but can kick serious ass.

      Like

    • 11 August 2012 1:45 am

      If I may: argumentum ad xkcd: Devotion to Duty
      .

      Devotion to duty

      Like

  5. 11 August 2012 12:12 am

    Gauss: Nation-state cyber-surveillance meets banking Trojan, GReaAT (Kaspersky Labs), posted at SecureList, 9 August 2012

    This raises some interesting points that I’ll be commenting on in Part 3: the difficulty of keeping overlapping attack techniques secret over time. When an organization knows that it is under attack from one vector (e.g.: Stuxnet) they may begin to profile certain aspects of their systems and networks and discover closely relateed malware applications. In a weird example of negative synergy, the more you attack some targets the harder they become to successfully attack in the future – this does not map to real-world battlefields cleanly at all.

    During the course of the analysis, we discovered a separate cyber-espionage module which appeared similar to Flame, but with a different geographical distribution.

    “Oops!”
    A conspiracy theorist might hypothesize, of course, that these are all stalking goats and that there exist other, deeper layers of malware. Indeed, it’s turtles all the way down and finally ends in the kernel, which also came from the USA.

    What we do see from this is that Stuxnet was not an isolated incident. The intelligence community and DoD are not only acting very aggressive in cyberspace; they are expanding the scope of their programs and tool-sets. We are moving farther and farther along the path toward turning cyberspace into a weapon of privilege.

    Like

  6. 11 August 2012 5:37 am

    Well-known expert Thomas Ria has a post at Kings of War: What War in the Fifth Domain? Marcus is leading a spirited debate in the comments.

    Like

  7. snailsnot permalink
    11 August 2012 5:56 pm

    Re: Stuxnet etc.

    Let me get this straight: our only actual enemies live in caves and mud-brick compounds, and refuse to touch anything high-tech, using couriers instead of telephones. We, on the other hand, are utterly dependent on gismos, especially our military, which has demanded billions of dollars in order to make itself even more dependent on gizmos.

    So, we respond to this situation by inventing and tossing around weapons which ONLY work against the gizmo-dependent, knowing that the exact same viruses can be copied, tinkered with, and sent right back. Even the Romans were smart enough to make sure their javelins could not be thrown back at them – making our “high tech” cyberweapons a technological step backwards, by more than 2000 years.

    It’s like spending a huge amount of money on a glass house, then spending more to give brickbats to all your enemies.

    US foreign policy since 1992 looks like the story of a mercenary company, looking for trouble wherever it can be found, making trouble when it can’t, and switching sides on a dime. (Islamists and secular Arab dictatorships are the new Oceania and Eastasia). The only difference is that in in the 30 Years War etc. the customers paid for the service, whereas today it’s the people with the least use for the mercenaries – We The People – who end up paying.

    There’s a huge incentive problem here, when we pay people to deal with problems. We end up with a lot of expensive treatments but no cures and no prevention. Instead we should devise a system that pays people more the less of a problem there is.

    What if we paid the military for every year we’re at peace? If our security apparatus was paid more when polling data shows more people feeling secure?

    Imagine if prisons were paid a certain amount of money for every year a criminal doesn’t commit another crime. Maybe they could keep a bit of the ex-cons wages, thus giving the prisons a stake in the ex-cons success (it might give the system an incentive to lock go after white-collar criminals too).

    What if we paid the health system based on how many people are healthy? (Adjusting for age, of course.)

    Now of course there’s variables – more example crime tends to have more to do with the economy and social cohesion than what the police can do – but in the private sector our economic system is based on paying people for success, regardless of circumstances. Better than our current model of paying for failure.

    Like

  8. 12 August 2012 3:03 am

    Let me preface by saying that I have yet to read all the comments. Working on the industrial side I have long considered the cheapness of wireless control a false economy. It saves copper and time but puts that factory in a much more vulnerable position. Here is a short bit I wrote in that vein about the “smart” grid.

    Smart Grid Security?“, ECN, 14 November 2011

    But there are much larger threats to the system that “everyone” (all governments of the world large and micro) knows about. Follow this link — Terrorists Dealing Drugs, August 2012 — to the Catherine Austin Fitts – Narco News articles. What happens when everyone knows those facts? The world system as we know it collapses.

    For some reason not clear to me even the losers in wars prefer that the system remain in place – take Japan. Two good searches “Japan Manchuria opium” and “Japan French Indochina”. WW2 in the Pacific was a war for the control of the dope trade. A fact easily discernible if you know where to look. And yet “hidden”. What is the advantage to every country in the world of maintaining a criminal infrastructure? A good question even for CyberWar.

    Like

  9. M Simon permalink
    12 August 2012 3:34 am

    Well I’m going to go OT here:

    “The world’s major intel agencies concur that Iran ended its nuke program in 2003.”

    Maybe. There is only one worthwhile secret: triggers. And you don’t need a “nuke” program to develop those. In WW2 the computations were done with IBM punch card machines. Feynman has written about running those. A “386″ is adequate to cut the time from years (2 to 3) to hours. The big delay is in deciding what the numbers show and altering the inputs for another run.

    The choke point is nuclear material. The choke point for that is the electrical grid.

    Amusing is comparing the computing power applied to “the bomb” to that applied to “Enigma” and “Magic”. Why? For war fighting – intel timeliness is critical. Back on topic I see. How did that happen?

    Like

    • 12 August 2012 3:55 am

      That’s an interesting comment. Perhaps you’d like to pursue it on one of the threads about Iran’s nuclear program.

      Like

    • M Simon permalink
      12 August 2012 4:00 am

      Uh. I’m in the middle of developing stuff. I’d like to spend more time but have already far exceeded a reasonable allotment. Maybe in a week or two if I get some slack.

      Like

  10. M Simon permalink
    12 August 2012 3:57 am

    BTW we don’t need a “Smart” grid to make the grid more reliable. There are easier ways to accomplish that without putting every load in the country under the thumb of the grid controllers/government. If I have thought of it so have others. It is cheap. Can be monitored locally and is under local control. Why aren’t we doing it that way? Now there is the real question.

    Like

    • M Simon permalink
      12 August 2012 4:07 am

      That is one of the products I’m working on. A little bit of intel – a display – and a relay. Everything you need to know about grid health can be read locally without having to know anything about the bigger flows.

      Like

  11. OldSkeptic permalink
    18 August 2012 9:26 am

    (5) “most of those systems are hanging in by their fingernails already. Crashes are becoming more and more frequent, without any attacks.”

    ‘I strongly disagree. One of the side-effects of a lot of agencies outsourcing or moving to the cloud is that businesses and government agencies that suck at IT have given that problem over to people who categorically Do Not Suck. The systems administrators at Amazon are some of the best fire-breathing badasses in IT today. The NOC team at General Dynamics, which oversees a lot of the DoD networks, is vastly more skilled than the disparate, uncoordinated teams that they’ve replaced. What we’re seeing is constant change and change is always scary to us old farts. We need to remember that sometimes it’s good and sometimes it’s bad and most of the time it’s a wash.’

    Yes, there are some good ones. But here in Australia we have had repeated failures in our internet banking in recent times across a couple of banks. I worked for a couple and trust me, they are just hanging in there at times (including the amusing, where a person got accidentally credited with $500 million, my area detected it and raised the alarm .. result .. I got fired).

    And in the UK as well, including their ATMs. Vaguely remember some reports about various bank systems in the US at various times.

    Relating to your other points there are several key targets. People’s money, water and power (inc gas). All of those are incredibly vulnerable.

    I once was part of a team looking at vulnerabilities of the UK gas system (during the bad old of days of IRA terrorism). We quickly came to the conclusion we could not protect it. Some key areas yes, but that was about all. We used to scare ourselves with basically quite simple scenarios and the havok they could create.

    Fortunately most terrorists are dumb, but that is not a good thing to bet the farm on forever. Heck you could bring Melbourne to a complete standstill with a couple of chainsaws (and no I’m not going to mention where). Scares the cr** out of me, especially since we spend all our time and resources on ‘security theatre’ these days.

    As for the cyberwar stuff, we are getting more and more dependent on concentrated systems, all ran on the cheap. Now If a was State actor, especially if I was in the target sights of the US (etc), I’d be doing some homework and surveys (ironically most can be done over the internet) and picking some key targets. Hmm reverse engineered Stuxnet, wonder what that could do?

    No we are not at the point of being able to be completely collapsed by a severe internet attack, but we are steadily heading that way. But an internet attack combined with a basic physical attack could be really damaging.

    Like

    • 18 August 2012 1:20 pm

      Oldskeptic,

      (1) “I once was part of a team looking at vulnerabilities of the UK gas system (during the bad old of days of IRA terrorism). We quickly came to the conclusion we could not protect it. … We used to scare ourselves with basically quite simple scenarios and the havok they could create.”

      Ranum is talking only about cyberwar. Physical infrastructure is, as you note, another story.

      (2) “Banks hanging on by their fingernails”

      I worked for a bank briefly in the early 1970s. I too heard those stories (even the $500 million check story. Imagine if she had asked for cash! World ends!). They were probably old when told to newbies in Babylon 3,000 years ago (not enough quality control on those clay tablets; I tell you someday they’ll be an error that will shake this city…).

      Commercial systems are built to “good enough” standards, not the “absolutely never fail” level people demand when writing letters to the Editor (of course, imagine the complaint letters if such systems were built — and fees were raised accordingly). Therefore people imagine them all simultaneous failing! It’s the equivalent of going to horror films.

      Like

    • M Simon permalink
      19 August 2012 3:52 am

      Watch for my column Monday: ECN magazine.

      About what happens when you slack on quality control. You get very bad press. A $35 part that didn’t meet spec is going to cost a chip company a LOT of business. Funny thing is – I have indications that they have known for a while that it didn’t meet spec.

      “The warning lights are flashing down in quality control…..”

      Fix everything you know is wrong that can be fixed. Reduces the chances of cascading failures.

      Like

    • Pluto permalink
      21 August 2012 12:52 pm

      Ranum: ” One of the side-effects of a lot of agencies outsourcing or moving to the cloud is that businesses and government agencies that suck at IT have given that problem over to people who categorically Do Not Suck.”

      I’m not going to argue with the companies you’ve mentioned. Everything I’ve heard about them is very good. But there are an astonishing number of companies selling cloud computing services that are extraordinarily bad at them. My company has worked with several and found them to be terrible.

      My (least) favorite war story alternates between two companies. The first advertised 99.9% uptime and then had several lengthy failures in the first month. When we asked about their uptime guarantees they doubled their fee without warning or justification. It was a two month contract so we stopped using their services and stopped paying and just walked away when it expired.

      The second company (hired after the debacle of the first company) kept switching everything on us without warning. I’m talking support reps, servers, bandwidth capability, RAM, disk space, everything. Sometimes we got a fantastic upgrade at no cost and other times we were relegated to 1980′s level performance. The price stayed the same and the uptime met the contracted levels but we terminated the contract. We still cannot figure out why or even how this happened. It seems to us that the cost of all of that chaos would have been far greater than any benefit they might have received.

      Like

    • 21 August 2012 2:55 pm

      “there are an astonishing number of companies selling cloud computing services that are extraordinarily bad at them”

      Yes; there are always opportunists and bandwagon-jumpers. They don’t last long because they either mature to compete with the real players, or burn through their pool of potential customers and collapse. They’re a problem for the ignorati who look at the marketing literature and think, “Wow! Secure data hosting at only $1 per whattabyte, completely redundant, guaranteed 100% uptime! Sounds legit!”

      Like

  12. OldSkeptic permalink
    21 August 2012 8:30 am

    Two real stories from bankland.

    When I investigated the $500M error (yes it was real and on my watch). What I found was a piece by piece disassembly of all the checks and balances within the system. Back in the past each branch used to do daily balances. But that took time and staff. So they moved to weekly, then monthly. At my bank it was .. basically never. The only check was my area’s weekly balance change analysis and this stood out like a real statistical spike, So we started ringing around to find out what happened. No one knew, until we talked to the individual branch and found that a teller had typed in the account number instead of the dollar amount. So, for ‘efficiency’ we had got rid of every check and balance within the system .. except my area. If we hadn’t picked it up then it could have been there for ages .. or until the person checked their balance and were honest or moved it.

    I wrote a report, sent to the higher levels about the failures of the system and proposed some simple checks and balances to make sure it didn’t happen again .. basic stuff this. I also picked up another failure. We had (to keep it simple) a main data warehouse. Used for all our reports, monthly reporting, et al. I found that, because of a historical accident, 40% of deposits were not recorded. Yes, no one in the entire bank, all the IT people, all the data quality people, had done a simple exercise of taking the opening balance, taking the transactions then calculating the closing balance and comparing it with the recorded closing balance.

    Note this had not been done for 10 years.

    Yes the opening and closing ones were correct, they came in from the legacy mainframe systems that ran all the branch and individual account systems. Which was correct. But all the management reporting and marketing systems ran off the data warehouse. Yes all the standard monthly reports, et al, were wrong. Plus all the marketing stuff, including the (very impressive, nice piece of maths but GIGO) complicated point scoring system to market credit cards, mortgages, et al, to customers. Yes, this is why sometimes 5 year old children got offered $20,000 credit cards .. and dogs.

    Another report .. result .. boot. Since no one cared, far easier to get rid of the noise than deal with it. Dealing with it would mean spending money. Plus some people admitting they had been mind bogglingly incompetent for years (decades?).

    What really scares me is that bankland seems well ran compared to the MI/NS (Military Industrial, National Security) state.

    Like

    • 21 August 2012 3:00 pm

      What you’re describing there is a classic example of organizational failure because of tightly coupled systems and complex interactions. I’m reminded of Charles Perrow’s analysis of the Bhopal accident (in Normal Accidents) you have safety mechanisms that misfire and are turned off instead of reset, then suddenly you discover that the entire system has become unsafe without anyone ever making an actual decision to put it into an unsafe condition. This happens everywhere, basically, except for where it’s done deliberately (insert many Wall St references here) for whatever reason.

      Like

  13. 22 August 2012 1:29 am

    With regard to the earlier comment about knocking nations off the ‘web: Syria sidesteps sanctions by turning to China for Internet bandwidth, Ars Technica, 21 August 2012 — “And at least one Syrian ISP site finds a home on US servers”

    I hypothesized that the Chinese would be perfectly happy to capitalize (‘cuz they don’t communize anymore) on the business opportunities afforded by an attempt to cut off a country. No; I didn’t know this article was already in the pipeline or that Syria was being digitally blockaded. But it neatly illustrates exactly the problem I was referring to.

    The harder someone tries to knock a country off the internet, the more money skilled con$ultants and creative ISPs will make fixing the problem.

    Like

  14. 29 November 2013 7:28 am

    You might find this of some interest:

    http://classicalvalues.com/2013/11/the-smart-grid-is-a-stupid-idea/

    We are making ourselves vulnerable to no good purpose.

    Like

  15. 29 November 2013 7:29 am

    If you look around the ‘net there is way more on the vulnerabilities the smart grid is introducing.

    Like

Trackbacks

  1. Cyberwar – Marcus Ranum « ClearSky Cyberdefense Forum
  2. Cyberterrorism after STUXNET | OSINT ZONE

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 2,425 other followers

%d bloggers like this: