You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?)

Summary: This is an interesting yet puzzling week for cyberwar-watchers. Several news stories paint a gruesome picture of the US’ intents and capabilities. Let’s look at them and see what they tell us. Or you can wait. Eventually these weaknesses will become front-page news, followed by the inevitable blue-ribbon commissions.

Article deleted at author’s request.


Other publications by Ranum:

(5) For more information, see the other posts in this series about cyberwar

The series Cyberwar: a Whole New Quagmire, by Marcus J. Ranum:

  1. Cyberwar: a Whole New Quagmire.  Part 1: The Pentagon Cyberstrategy, 2 September 2011
  2. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  3. Conflating Threats, 14 September 2011
  4. About Stuxnet, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
  5. Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
  6. About Attribution (identifying your attacker), 21 October 2011
  7. You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011


30 thoughts on “You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?)”

  1. Do you feel the Iranian claims are true about how the drone came down? I’m sure Russia and China are involved in this as well.

    1. I said “alleged” – it’s possible the Iranians are lying. But I think it explains one puzzle, namely how the drone landed more or less intact.

      You’re “sure” the Chinese and Russians are involved? Based on what? Because Washington says they are sneaky and red and yellow? Methinks someone has been listening to propaganda again.

    2. Considering Debkafile as “no worse” than the Economist is sad. Pitiful, disconnected from reality.

      My post gave a long list of made up stories on Debkafile. Perhaps deliberate disinformation by Israel intelligence. Perhaps just for fun and profit. Anyone paying attention could write similar posts every month, sometimes every week.

      The Economist did not become one of the world’s leading news magazines by writing such stuff. They make errors, like everybody in the news and analysis business — but at a low rate.

  2. Well, I’m sure they are providing Iran with expertise in the cyber warfare arena and stealing our sensitive technology, like they have been doing since the Cold War began.

    1. In the previous thread about drones you also made such assertions and showed similar certainty. But you’re not offering any facts (other than that you are “sure”). Argument by repeated assertion is unconvincing and I’m not going to keep asking you about the basis for your being “sure”.

  3. Most of the discussion about this drone incident has revolved around whether Iran could use this drone as a prototype to develop drones of its own.

    I find how they brought it down to be far more important.

    And now that they have it, they presumably can probe it for further flaws which might enable them to develop additional attacks against other drones.

    1. I agree. For example, if the drones are using the same encryption key for their command/control, then it may have been compromised (depending on the version of the drone it may or may not use encryption for its video-feed, but supposedly they all encrypt the command channel).

      In the previous drone-thread I posted (http://fabiusmaximus.wordpress.com/2011/10/08/29486/) “OldSkeptic” offered an important comment, namely that eventually a hunter-killer drone will be developed, and then the large slow drones will disappear fairly quickly from the skies. I think he is correct; we can wonder whether the current flaws in the drones really matter, if they are rapidly obsoleted.

  4. Marcus-

    I need to urge a little caution about accepting the Iranian version of the drone loss without more evidence. I don’t think your scenario is impossible. I think more testing needs to be done to determine how our drones might be jammed or hacked.

    But the simple fact is, drones crash… a lot. Anyone can read USAF Accident Investigation Board accounts of Class A Mishaps and get an idea of how these missions are run, and why crashes occur. Mostly it’s pilot error, but communication module failures do happen. In the case of a total comm failure (no send or receive), Predators are programmed to go into a spin and crash. I don’t know if the same is true of the RQ-170, but it seems plausible. Engine and flight control failure could also precipitate a spin. Why that might matter: The Sentinel is a tailless flying wing, poorly damped in yaw and prone to flat spins. If the rotational velocity is high enough, the aircraft might descend like a maple seed and land mostly intact… probably very badly damaged, but good enough for a photo op.

    Another point, briefly: We don’t actually know what level of technology the RQ-170 contains. People assume it must be advanced because it’s “secret.” I have doubts.

    The Iranians do have a reason to lie about this. They may have done much less than what they claim, or nothing.

    I enjoy your posts a great deal in any case, keep ’em coming.

    1. Thanks for your comment. A couple of my friends were involved in the early designs of some of the drones so I know a fair bit about them – enough to make the Iranian story sound like it was possible; certainly there are plenty of reasons on both sides to lie.

      One of the interesting questions I had was why the encrypted military GPS wouldn’t have been used; that would have made the claimed attack impossible. It’s possible, however, that the drones were not using P/Y code receivers for fear that the keys might get exposed. That’s actually plausible, as well – I suspect more information will come out over time.

      I’ve heard some truly bizarre theories on the other side – that perhaps the drone was deliberately lost, in hopes that it could be used to carry software viruses into Iranian military networks when the Iranians try to analyze it. That particular plot-theme sounds suspiciously like “Independence Day II” and I’m skeptical. I’ve also heard concerns that the Iranians will reverse engineer the drones – which would be rather pointless since capitalism is working on the market and there is already a lively market for drone-mongers.

      As Rich Rosen used to say: “many things are possible, but very few actually happen.”

      At this point the one thing I am fairly sure of is that someone’s got a lot of egg on their face, and it isn’t the Iranians. We should expect to see various face-saving gestures and probably demands for (what else?) more money to improve our drones.

    2. Re: Those bizarre theories- They struck me as being like the squealing you’d hear if you told a gym full of kindergarteners that Santa got eaten by a bear. Technology and especially “stealth” are religious icons to the military fanboys. But it got me thinking about “Operation Mincemeat” i.e. “The Man Who Never Was,” and I have a technical question:

      More than just encrypting important stuff on these easily-lost machines, why not include some false information and booby traps in the software too? Or is that already done? Mincemeat was so successful that the Germans wouldn’t even believe the real information that dropped in their laps afterwards.

    3. There really isn’t any interesting information that could be stuck into a drone that would make much sense for disinformation, other than crypto-keys for the command/control channel and/or military GPS. But for those to work, they’d have to be actual useable keys, which would make them valuable property indeed.

      If one wished to attempt disinformation, it sounds like the best place to plant it would be by putting it on one of the DoD’s top secret networks. That way you could be pretty sure it would eventually leak into hostile hands. (wince) And it would be somewhat credible, that way.

  5. re: (1) worms in the military bureaucracy – poorly designed legacy network?

    not a surprise that a dysfunctional bureaucracy has been incapable of designing and implementing good network security architecture.

    according to analysis on public IT security blogs, some of the big defense contractors, such as Lockheed, are doing much better.

    the problem of how to take the IT security success of the Lockheeds into the government side is of course a human/political problem. given the dysfunctional organizational characteristics typical of government bureaucracies, one has to ask if any tendency toward “reform” leadership is being demonstrated along the lines of epistemic sophistication? or, are greed, turf wars and ego inflation driving the paradigm?

    the USA is a declining empire. the culture spreads rot and spiritual-psychological pathologies (Habermas “systems colonize lifeworld”). the military has long served the interests of that decline, increasingly to the detriment of honoring the original mission of the defense of a democratic republic. the increasing prevalence of careerism and other organizational psychopathies within the defense establishment have been previously documented on the FM blog.

    it seems unlikely that the defense establishment will become agile or adaptive to the threat of attacks on its IT security infrastructure at a high level of sophistication in the near future.

    (oversight/accountability is compromised due to the usual political corruption and dysfunction in congress, etc., as both liberals and conservatives slide toward totalitarianism.)

    re: “not a surprise that a dysfunctional bureaucracy has been incapable of designing and implementing good network security architecture.”

    similarly, the military bureaucracy has been incapable of designing proper financial and accounting systems. one sees regular stories in the mainstream media about how the DOD does not know where large amounts of money are being spent. Or why articles of clothing made in China are being issued by the military to soldiers. etc.

    1. “2014 Audit Requirement Removed from Defense Policy Bill”, Congressional Quarterly, December 2011

      Senate negotiators quietly stripped out a provision in the annual defense policy bill that would have required the Pentagon to complete a full financial audit by 2014, three years ahead of schedule. The move came after pressure from the Pentagon and amid opposition from House members negotiating a compromise version of the $662.4 billion fiscal 2012 measure (HR 1540).

      Defense Secretary Leon E. Panetta recently told lawmakers he wants the Pentagon to get its books in order faster than currently planned, and has set 2014 as a goal. But backers of the Senate language said defense officials told them a firm requirement was too stringent.

      John McCain of Arizona, the top Republican on the Senate Armed Services Committee, said there was a “huge” effort by defense officials to strip the language from the final bill amid concerns they could not meet the 2014 deadline. The final bill requires the Defense Department to send Congress a plan by May 2012 on how it will complete an audit by Sept. 30, 2014. The provision specifies that the plan must include interim objectives and milestones for each military department and the defense agencies, and also requires a semiannual follow-up report to Congress.

      But the language in the compromise measure falls short of making 2014 a firm deadline, calling it a “goal” set by Panetta. “Obviously the Pentagon weighed in and didn’t want the legal requirement,” said New Hampshire Republican Sen. Kelly Ayotte. She sponsored the amendment to the Senate bill, which passed on the Senate floor by unanimous consent.

      Congress first required, in a 1994 law (PL 103-356), the Pentagon to pass an audit by 1997, but lawmakers have agreed to push back that date each time the department has failed to meet its deadline. The current target is 2017, and top Pentagon officials have said as recently as this summer that they are only cautiously optimistic they can meet the deadline. …

    2. “according to analysis on public IT security blogs, some of the big defense contractors, such as Lockheed, are doing much better.”

      Their marketing departments say they are. The big beltway bandits are the ones who are building the government’s networks – they’re certainly more competent than the government agencies.

      In the case of the contractors, however, they are tasked to do what their customer wants. So what do you think happens when an agency tells the contractor to do something ill-advised? Yep. The problem with outsourcing is that in order to effectively manage an outsourcer, you have to have the skills in-house to do the work in-house, otherwise the outsourcers will front-load unnecessary tech into the solution, or the client will make unreasonable demands.

      Just for one example (perhaps this has changed since 2007 when I got this information…) some tremendous percentage of the USMC network’s traffic was porn. I personally don’t care about that, but the situation is telling – I think it was General Dynamics running the USMC network at the time – they could have done a lot to cut back on that – but were told not to, “for morale reasons.” Again, I don’t care about porn, but there’s a security problem with it: a lot of malware drive-bys are on porn sites since they tend to be poorly managed and people who get tagged by a drive-by from a porn site tend to not run to their IT department saying, “I was surfing at mosteroticteenboys.com and my computer blue-screened then booted up and acted funny.”

      If you can’t do a thing, you cannot manage someone else doing it for you. Unless you know at least the bare-bones of a problem-space you can only rely on trusting your provider, which always means you’re more vulnerable than you otherwise would be.

  6. Don’t know about marketing. Lockheed was targeted in an advanced persistent threat (APT), and the attack failed. For other readers: background on APTs in general {see Wikipedia}

    In that case, Lockheed was protecting its very high value internal assets, which it is motivated to protect because they are sold to the government(s). So Lockheed is considered to be the “hardest” target in the world according to analysts in the IT security blogosphere. They have the organizational and technical sophistication necessary to thwart APTs to a high degree of success. Transferring that sort of capability to a highly dysfunctional government bureaucracy (which is part of a crumbling national “state capitalist” imperium) seems somewhat hopeless and futile. But, as you say, as long as a lot of money is involved, a great rumbling will commence as the vast “beltway bandit” contracting machine lurches forward into oblivion.

    It would be interesting to know if any legitimate IT security reformers exist on the government side of the defense establishment, and if so, have their efforts been allowed to thrive?

    My guess is that the atmosphere created by appalling anti-whistleblower controversies such as the Thomas Drake/Thinthread “espionage” case is such that there is little motivation for reforms within the system.

    “The Secret Sharer – Is Thomas Drake an enemy of the state?”, by Jane Mayer, New Yorker, 23 May 2011 — excerpt:

    Jack Balkin, a liberal law professor at Yale, agrees that the increase in leak prosecutions is part of a larger transformation. “We are witnessing the bipartisan normalization and legitimization of a national-surveillance state,” he says. In his view, zealous leak prosecutions are consonant with other political shifts since 9/11: the emergence of a vast new security bureaucracy, in which at least two and a half million people hold confidential, secret, or top-secret clearances; huge expenditures on electronic monitoring, along with a reinterpretation of the law in order to sanction it; and corporate partnerships with the government that have transformed the counterterrorism industry into a powerful lobbying force. Obama, Balkin says, has “systematically adopted policies consistent with the second term of the Bush Administration.”

    Also see: “The Espionage Act: Why Tom Drake was indicted”, CBS News, 22 May 2011.

  7. Private companies have now gotten into the game of designing and deploying surveillance trojans and rootkits. Indeed, they appear to be doing it for governments. Of course it’s only a matter of time before private parties (gang members? white supremacists? terrorists?) get their hands on these things and reverse-engineer ’em and start infecting the government’s communications to surveil them.

    See FinFisher: For all your intrusive surveillance needs.

    FinSpy is a “Professional Trojan Horse” that has been used “for years” to facilitate placing under surveillance targets that move about regularly, encrypt their communications, connect anonymously, “and who reside in foreign countries” (FinFisher’s emphasis). FinSpy takes control, remotely and surreptitiously, of any computer using “the major operating systems like Windows, Mac and Linux”. None of the 40 most widely used antivirus systems are able to recognize it, and thus can not block it.

    Once installed, FinSpy allows the client to spy “live” on the user or users of the infected computer (by activating, without their knowledge, the user’s webcam and microphone). It can also geolocate the computer, extract all of its data, intercept mail exchanges and other conversations, including calls and file transfers carried out over Skype. For the even stealthier, the connection passes remotely through anonymous proxies which prevent tracing back to the spies’ computers.

    A version of FinSpy also exists for mobiles, to help authorities “who do not have a telephone interception system” to spy on communications (voice, SMS, MMS, emails) coming from mobile phones (BlackBerry, iPhone, Android or Windows), even if those communications are encrypted. FinSpy also allows the client to access data (contacts, calendars, photos, files) stored on the mobile devices, and to geolocate them in real time.

    Of course, the real killer app for this sort of software is… Orwellian surveillance of all of a government’s own citizens. Viz., the German police trojan and of course the Carrier IQ cellphone rootkit which the FBI now admits it uses for “law enforcement purposes” but the details of which the FBI declines to dilate upon.

    Yet another example of how nation-states are getting hollowed out and rendered impotent in the face of increasingly super-empowered corporate entities and private individuals. How long before political campaigns start deploying reverse-engineered Carrier IQ rootkits and FinSpy trojans against their political oppositions and leaking the results during political campaigns…?

  8. “2012 Predictions: Defense Dept. Shows its Cyber-Attack Cards; Hackers Penetrate Hardware”, National Defense magazine, 28 December 2011 — Opening:

    What good is deterrence if potential adversaries don’t know what you’re capable of doing?

    The year 2012 may be when the Defense Department stops being coy about what it can do in the cyber-offense realm, network security firm McAfee said in its annual Threat Predictions report released Dec. 28.

    “Will this be the Year of Cyberwar, or merely a showcase of offensive cyberweapons and their potential?” McAfee researchers posit in the report.

    There are ongoing discussions about cyberwar: What is the definition? Does it even exist? What is an act of cyberwar? Dave Marcus, director of security research at McAfee Labs, said in an interview. “All the discussions are setting the stage for potential conflict,” Marcus said.

  9. Color me shocked: DoD discloses that the drone captured by Iran was not flying in Afghanistan at all; it was a CIA drone monitoring Iranian nuclear activities. A straightforward lie or bureaucratic confusion, which do you think?

    “Crashed drone was looking at Iran nuclear sites”, CNN, 15 December 2011 — Excerpt:

    The Sentinel drone that crashed in Iran last week was on a surveillance mission of suspected nuclear sites in the country, U.S. military officials tell CNN. Previously, U.S. and NATO officials had said the drone was on a mission to patrol the Afghan-Iran border and had veered off course.

    The officials say the Afghan government was unaware of the use of its territory to fly surveillance drones over Iran, and that the CIA had not informed the Defense Department of the drone’s mission when reports first emerged that it had crashed. One official told CNN that the U.S. military “did not have a good understanding of what was going on because it was a CIA mission.”

    In Kabul Wednesday U.S. Defense Secretary Leon Panetta refused to comment directly on the specifics of the drone’s mission but did not deny that it had been spying on Iran and said the drone program carried out “important intelligence operations which we will continue to pursue.”

    The RQ-170 Sentinel is one of the United States’ most sophisticated drones and flies at up to 50,000 feet. It is designed to evade sophisticated air defenses. One former intelligence official told CNN that it’s “impossible to see” and discounted Iranian claims that it had been brought down by some form of electronic counter-measures. “It simply fell into their laps,” he said – after satellite communication was lost.

  10. “Cyberwar Is the New Yellowcake”, Jerry Brito and Tate Watkins, Wired, 14 February 2012 — Conclusion:

    Washington teems with people who have a vested interest in conflating and inflating threats to our digital security. The watchword, therefore, should be “trust but verify.” In his famous farewell address to the nation in 1961, President Dwight Eisenhower warned against the dangers of what he called the “military-industrial complex”: an excessively close nexus between the Pentagon, defense contractors, and elected officials that could lead to unnecessary expansion of the armed forces, superfluous military spending, and a breakdown of checks and balances within the policy making process. Eisenhower’s speech proved prescient.

    Cybersecurity is a big and booming industry. The U.S. government is expected to spend $10.5 billion a year on information security by 2015, and analysts have estimated the worldwide market to be as much as $140 billion a year. The Defense Department has said it is seeking more than $3.2 billion in cybersecurity funding for 2012. Lockheed Martin, Boeing, L-3 Communications, SAIC, and BAE Systems have all launched cybersecurity divisions in recent years. Other traditional defense contractors, such as Northrop Grumman, Raytheon, and ManTech International, have invested in information security products and services. We should be wary of proving Eisenhower right again in the cyber sphere.

    Before enacting sweeping changes to counter cyber threats, policy makers should clear the air with some simple steps.

    Stop the apocalyptic rhetoric. The alarmist scenarios dominating policy discourse may be good for the cybersecurity-industrial complex, but they aren’t doing real security any favors.

    Declassify evidence relating to cyber threats. Overclassification is a widely acknowledged problem, and declassification would allow the public to verify the threats rather than blindly trusting self-interested officials.

    Disentangle the disparate dangers that have been lumped together under the “cybersecurity” label. This must be done to determine who is best suited to address which threats. In cases of cybercrime and cyberespionage, for instance, private network owners may be best suited and have the best incentives to protect their own valuable data, information, and reputations.

  11. The US propaganda mills never stop — enemies everywhere, threatening our very survival. Producing this stream of misinformation provides lucrative employment for many of America’s best and brightest. Unfortunately fact-checking and debunking it does not pay well. Or at all. And so we become increasingly ignorant and easily manipulated.

    Today’s example: “Cyber Attacks Can Spark Real Wars”, Richard A. Clarke, op-ed in the Wall Street Journal, 16 February 2012 — “The U.S. and Israel are not ready for a sophisticated cyber attack from the likes of Iran and China.”

    Mr. Clarke, who served three presidents as a senior White House national security official, now serves on the board of the Middle East Institute. He is the author of “Cyber War: The Next National Security Threat and What to Do About It” (Ecco, 2010).

  12. (1) “Think Again: Cyberwar”, Thomas Rid, Foreign Policy, March/April 2012 — “Don’t fear the digital bogeyman. Virtual conflict is still more hype than reality.”

    Thomas Rid, reader in war studies at King’s College London, is author of Cyber War Will Not Take Place.

    (2) Rebuttal: “Cyberwar Is Already Upon Us”, John Arquilla, Foreign Policy, March/April 2012 — “But can it be controlled?”

    John Arquilla is chairman of the U.S. Naval Postgraduate School defense analysis department.

  13. “U.S. accelerating cyberweapon research”, Washington Post, 18 March 2012 — Excerpt:

    The Pentagon is accelerating efforts to develop a new generation of cyberweapons capable of disrupting enemy military networks even when those networks are not connected to the Internet, according to current and former U.S. officials.

    The possibility of a confrontation with Iran or Syria has highlighted for American military planners the value of cyberweapons that can be used against an enemy whose most important targets, such as air defense systems, do not rely on Internet-based networks. But adapting such cyberweapons can take months or even years of arduous technical work.

    When U.S. military planners were looking for ways to disable Libya’s air defense system before NATO’s aerial attacks last year, they discussed using cybertechnology. But the idea was quickly dismissed because no effective option was available, said current and former U.S. officials.

    They estimated that crafting a cyberweapon would have taken about a year, including the time needed to assess the target system for vulnerabilities.

    “We weren’t ready to do that in Libya,” said a former U.S. official, who spoke on the condition of anonymity because of the sensitivity of the discussions. “We’re not ready to do that now, either.”

  14. Today’s propaganda. Read and fear! “Everyone Should Pay for Cyber Defense”, Wall Street Journal, 22 April 2012 — “The threat to companies and critical public works is grave enough that protection is a national responsibility.” Opening:

    The United States is vulnerable to cyberattacks by unfriendly nations and nonstate actors. Attacks through the Internet are now stealing billions of dollars of intellectual property from American businesses. Internet attacks can also bring down such critical infrastructure as the electricity supply, the air-traffic system and the stock market. Congress can and should act to protect us from this widespread and increasing danger.

    The attackers use computer programs to look for openings in the computer systems of companies. They also send seemingly harmless emails to company employees which, when opened, provide entry to the company’s internal networks. The attackers may be foreign governments or the foreign companies that those governments assist. Governments or terrorist groups that lack the technical capability to mount such attacks can now buy the services of skilled hackers who will do it for them.

    Internet attacks on critical infrastructure can create a threat to national security even before they inflict any actual damage. A foreign enemy that gains access to the computer control systems of U.S. companies can embed malicious computer code by which the hacker can cause that system to malfunction. A foreign government that has planted such malware in the electricity system of a major U.S. city could credibly threaten to trigger it at a time when the U.S. acts to protect interests or allies abroad. That threat could block the use of our military capability.

    Fortunately, the U.S. National Security Agency has the technical ability to recognize most malware coming through cyberspace from around the world. It can block suspicious messages and scan for potentially destructive malware. The NSA’s technology is not foolproof but it could stop a large fraction of the dangerous Internet messages aimed at America. …

  15. “Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet”, New York Times, 23 April 2012 — Excerpt:

    Iran disconnected several of its main Persian Gulf oil terminals from the Internet on Monday, local news media reported, as technicians were struggling to contain what they said were intensifying cyberattacks on the Oil Ministry and its affiliates.

    Iranian officials said the virus attack, which began in earnest on Sunday afternoon, had not affected oil production or exports, because the industry is still primarily mechanical and does not rely on the Internet. Officials said they were disconnecting the oil terminals and possibly some other installations in an effort to combat the virus. “Fortunately our international oil selling division has not been affected,” said a high-level manager at the Oil Ministry who asked not to be mentioned for security reasons. “There is no panic, but this shows we have shortcomings in our security systems.”

    There were some reports that the virus had forced widespread Internet shutdowns. “The ministry has disconnected all oil facilities, operations and even oil rigs from the Internet to prevent this virus from spreading,” said another Oil Ministry official who asked to remain anonymous, because he was not authorized to speak publicly about the attack. “Everybody at the ministry is working overtime to prevent this.” His assertion about the extent of the shutdowns could not be independently verified.

    … While officials here emphasize that both production and sales of oil are continuing as normal, the semiofficial Mehr News Agency said that the attack was intensifying and that access to the internal communications systems of most prominent oil and gas companies had been intentionally cut. A special crisis center has been set up where experts from across the country are assisting in the fight against the virus, it quoted one such specialist working for the Oil Ministry as saying.

  16. “NATO Faced with Rising Flood of Cyberattacks”, der Spiegel, 26 April 2012 — Summary:

    NATO cyberwarfare experts suspect that Chinese and Russian intelligence services are behind a recent uptick in cyberattacks against the Western alliance. SPIEGEL ONLINE has learned that NATO’s cyberwarfare unit registers up to 30 such attacks each day. Employees have been warned to be on their guard.
