Category Archives: Cyberwar

Fight the hysteria about the hack of OPM’s files. It’s probably not a big threat.

Summary:  We’re told the OPM hack will have horrific consequences for America. Just as we have been told so many times since WWII, almost always falsely. I expect this too will prove to be a wet firecracker. Here are the reasons why, obvious things few journalists have told you. {1st of 2 posts today.}


Know fear, America, that you might be easily ruled. Graphic from Third Certainty.

Contents

  1. OPM, our latest bout of hysteria
  2. An alternative forecast
  3. Why so much hysteria so often?
  4. Other posts about the OPM hack
  5. For More Information

(1)  OPM, our latest bout of hysteria

We were confidently told that the revelations of Private Chelsea Manning would cause countless deaths of American soldiers (example). But they never materialized. US authorities confidently predicted even more horrendous results from Edward Snowden’s revelations. Again, nothing big happened (unfortunately, that “nothing big” includes reforms of the NSA). These are just the most recent in the long list of scary stories the government has told us since WWII.

The latest nighttime story concerns the hack of the Office of Personnel Management database (see the posts at the end for details). A wide range of information has been stolen on tens of millions of Americans, as the OPM announced on July 9:

Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints.

What could someone do with this treasure trove? Anonymous government officials, private experts, and amateurs have let their imaginations run wild. Both Left and Right go wild, predicting horrific results. See how fear-mongering brings America together. Here’s my favorite, from Naked Capitalism on July 27.


Seeing behind the headlines about China’s attack, stealing the governments’ jewels

Summary:  China attacked! Playing a script from countless action-adventure movies, our political leaders and columnists gear up for bold headlines by screaming for war while they know nothing. It’s America. But the info highway gives us information to see beyond the headlines and sort fact from fancy. Here’s the latest news about the massive theft of Federal personnel data. It’s a follow-up to the post describing the attack and who was at fault.

“Experts, shmexperts. Time for action…. Attribution solid enough for the US government is solid enough.”
— Tweets from a man on the street. The kind of American that rulers dream of having.


Contents

  1. Dueling US officials.
  2. About attribution of attacks.
  3. What we know.
  4. For more information.

 

(1) Dueling US officials

From the initial announcement of the theft of files from the Federal Office of Personnel Management (OPM), anonymous officials confidently blamed China — which journalists repeated as fact. The FBI has made no official statement since its “we’re working on it” statement on June 4. China has denied the accusation, of course.

Today we got more useful information from the GeoInt 2015 Symposium (geoint: geospatial intelligence):

“So what really makes you think that, as the head of NSA and Cyber Com, I’m going to talk with you about this,” he told a reporter here today. … Rogers’ response did seem a trifle dismissive of a reasonable question asked reasonably in an open forum. {Breaking Defense}

Rogers spoke in response to a question about how the National Security Agency was going about attributing the breach to the Chinese government. “You’ve put an assumption in your question,” he said. “I’m not going to get into the specifics of attribution. It’s a process that’s ongoing.”

… Rogers’s hedged response, given during a question-and-answer session at the GEOINT symposium in downtown Washington, comes in stark contrast to the NSA’s approach to attribution during the Sony hack. In that case the FBI, working with the NSA and DHS, quickly named North Korea as the perpetrator, resulting in the prompt issuance of sanctions.

Rogers called that a great example of cross-agency collaboration. “Working across the United States government, DHS, FBI and the National Security Agency, we were able to relatively quickly come to consensus about the characterization of the activity we were seeing coming in, which formed the basis of our attribution, and with a relatively high confidence factor, which allowed us to respond in a very public and direct way.”

Why hasn’t that collaboration worked in the case of the OPM hack? Said Rogers: “every dataset is different.”  {Defense One}

Director of National Intelligence James Clapper also spoke at GeoInt, giving a remarkably casual statement on a matter of such importance.


Advice from Sun Tzu and John Boyd on winning at cyberwar

Summary: While we’re enmeshed in 4th generation wars we don’t know how to fight (let alone win), a new form of conflict arrives. Lest we repeat our feckless habit of fighting then thinking, let’s develop strategies before serious clashes begin. Chet Richards helps us decide whether the military classics can help us, or whether new tech has made them obsolete.  {2nd of 2 posts today.}

“Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.”
— Sun Tzu in The Art of War.

 

Chet Richards comments on

InfoSec, Sun Tzu & the Art of Whore
by Steve Tornio and Brian Martin.
Posted At Attrition, 2 July 2010.

The authors did a great job. I found nothing to argue with in their article. But they appear to have underestimated the power of Sun Tzu’s advice, even in the unique realm of cyberwar.

I can’t argue with their observation that if you try to follow the specific prescriptions of The Art of War, you’re either going to be playing with analogies or you must find an opponent willing to act like a Chinese army of the Warring States Period (475-221 BC).

However, when viewed from another perspective it’s possible to see beyond the specifics of long-ago technology for deeper insights. These insights are rooted in human nature and so may prove as useful to cyber war as to any form of conflict.

Their criticism, for example, of how people tend to apply Master Sun’s advice also applies to the works of the late John Boyd (Colonel, USAF), whose major briefing, Patterns of Conflict, appears to be all about war, and mostly about the German Blitzkrieg. But to find deeper meanings, let’s start with what Boyd said about Sun Tzu’s Art of War, on Patterns of Conflict chart 13. First, he talks about some of the “themes” he finds in the work:

How would Sun Tzu defend computer systems? Poorly. A new era needs new thinking.

Summary:  The theft of the Federal government’s personnel data has brought information security back to the front pages, along with the usual cries of “off with their heads” for the guilty and promises of Total Information Security in the future, as the signal-to-noise ratio in the media drops towards zero. To help restore our sense of proportion, here’s an article from the past by two well-known experts discussing the difficulty of e-defense in the 21st century.

This is a follow-up to About the theft of the Federal government’s personnel records: sorting fact from fiction, another in a series about a new age of conflict in which the old ways no longer work.  {1st of 2 posts today.}

“As we shall show, defense is a stronger form of fighting than attack. … I am convinced that the superiority of the defensive (if rightly understood) is very great, far greater than appears at first sight.”
— Clausewitz, On War, Book 1, Chapter 1

 

InfoSec, Sun Tzu & the Art of Whore

By Steve Tornio and Brian Martin.
At Attrition, 2 July 2010.

Posted with the authors’ permission.

 

Lately, you can’t swing a dead cat without hitting someone in InfoSecurity who is writing a blog post, participating in a panel or otherwise yammering on about what we can learn from Sun Tzu about Information Security. Sun Tzu lends the topic some gravitas and the speaker instantly benefits from the halo effect of Ancient Chinese Wisdom, but does Sun Tzu really have anything interesting to say about Information Security?

In The Art of War, Sun Tzu’s writing addressed a variety of military tactics, very few of which can truly be extrapolated into modern InfoSec practices. The parts that do apply aren’t terribly groundbreaking and may actually conflict with other tenets when artificially applied to InfoSec. Rather than accept that Tzu’s work is not relevant to modern day Infosec, people tend to force analogies and stretch comparisons to his work. These big leaps are professionals whoring themselves just to get in what seems like a cool reference and wise quote.

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”  {The Art of War}

This seems to make sense on its face. If you focus on making your systems and networks invulnerable to attack, then you don’t need to worry about attackers. So, on any modern network where people actually need to get work done, can you make systems invulnerable to attack? If not, does this particular advice tell us anything useful? Maybe Sun Tzu was trying to say that we need to spend more and more money on IPS/SIEM/firewalls/antivirus, even if we don’t see a particular need to upgrade or improve those areas.

Information security is not warfare (leaving aside actual warfare, of course). The bulk of security practitioners are working to protect private and public networks and do not strike back against any enemy.


About the theft of the Federal government’s personnel records: sorting fact from fiction

Summary: We’re into the phase of the OPM records breach scandal where the US public policy crisis process predictably breaks down into finger pointing and aggressive guessing. Here is a brief on what little we know, and pointers on what we certainly don’t know.  {2nd of 2 posts today.}


Contents

  1. How was it done?
  2. What was taken?
  3. Who was at fault?
  4. Who did it?
  5. Panic!
  6. For More Information

(1)  How was it done?

We can learn the bare bones about this series of attacks from the statement by Office of Personnel Management (OPM) Director Katherine Archuleta (bio here) to the House Oversight and Government Reform Committee. For an easier to read version see this typically excellent ars technica article by

Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

Beyond this we hear mostly guesswork.

(2)  What was taken?

Lots of high-volume guessing in the news. The best answer might be: lots was taken. The Director’s statement says “we have not yet determined its scope and impact”. For a more precise answer see…


Prepare for cyberwar: today’s are small compared to what’s coming

Summary: Here’s a brief look at the state of cyber-conflicts. The first ones have run their course; from them we can guess at the outlines of the larger ones to come. As with nukes and drones, America has laid a path for others to follow. We’ve been bold and innovative, but lawless. We might regret this when others imitate us.  {2nd of 2 posts.}

Cyberspace: a global dynamic environment created by interlocking networks linking people and computers for communication, control, and trade. Like other human domains, it consists of multiple levels — from purely conceptual (e.g., laws, designs) down to the hardware and people that are its material substrate. The term was coined by William Gibson in his 1982 story “Burning Chrome”.


Contents

  1. Battlefields of the future.
  2. The first cyber conflict.
  3. Playing defense.
  4. Are we beleaguered in cyberspace?
  5. For More Information.

(1)  Battlefields of the future

We have entered a transitional period in the art of war much like that between WWI and WWII, when a new form of war (the 3rd generation) slowly emerged, but military institutions kept their eyes turned to the past. Many armies were slow to develop innovative tactics for their new internal combustion driven engines. Their cavalry units were symbols of this retrovision. Navies lavished their greatest attention on battleships, not the submarines, escorts, and carrier-borne aircraft that would dominate WWII (e.g., aircraft were the “eyes of the fleet”, not its teeth). Communications technology rapidly improved, but the senior officers paid relatively little attention to cryptography and signals intelligence.

Today war-as-usual continues in the emerging nations, but in the developed world it has moved into new realms — with the cutting edge in cyberspace. It’s the age of 4th generation war, waged among state and non-state actors in shifting coalitions, taking many forms…

  • Hacking: probes and parries by people exploring the nature and uses of cyberspace, rapidly expanding in scale, sophistication, and consequences.
  • Raids: the Sony hack and Stuxnet.
  • Conflicts for control: Pirate Bay and the Silk Road.


Bitcoin, the deep web, & the big conflicts of the 21st C

Summary:  The e-conflicts have begun with the development of e-currencies, e-markets, and even e-wars. History tells us that people often don’t see the major trends of their time, either lacking perspective or distracted by more cool but less important phenomena. So it is today, as bitcoin gets the most attention while dark e-markets change the world. But governments and corporations see their challengers, and marshal their power to push back.


Contents

  1. Dreams of freedom
  2. Bitcoin, the first e-currency
  3. Dark markets
  4. The corporate wars
  5. For More Information

(1)  Dreams of freedom

Fantasies of radical personal autonomy, an independence from governments, have been common in western civilization since Daedalus’ dreams of flight. Modern tech has given them new life, with dreams of independent suburbs in the sky — the L5 orbital habitat — and of seasteading — floating nations of makers and their servants, free of the takers.

Private currencies are another expression of this search for autonomy. Currencies provide a storehouse of value and medium of exchange. Gold served as a currency for millennia, providing a relatively good store of value but too cumbersome for a medium of exchange in the modern era, so people seek to create privately issued currencies.

In American history we had government-regulated privately issued currencies from the State-chartered banks which issued dollars during the 1837-1862 free banking era (more info here) and the Federally chartered banks that issued dollars after the National Banking Acts of 1863-66. These had many problems, most notably a tendency to fail from bad luck, mismanagement or theft (by insiders or outsiders) — making their currency worthless. The need for a more stable currency led to the Federal Reserve Act of 1913 that created our current currency.

Now we have a new era as tech makes possible private e-currencies, in theory perhaps beyond control of governments.

There are many types of non-State currencies, aka alternative currencies. Digital currencies are currencies based on the Internet. A virtual currency is an alternative digital currency. A cryptocurrency is a digital currency using cryptography to secure the transactions and create new units.

Bitcoin was the first major crypto-based virtual currency. Satoshi Nakamoto published his design in 2008, and released its open-source software in 2009. It got great attention but little commercial traction for two reasons: a weakness of implementation and a conceptual flaw.
