Summary of this post by Marcus Ranum: This series is based on a lecture I presented at RSA Conference in March 2012. In it, I will attempt to isolate some of the strategic elements of the “cyber” battlefield so that we can better understand the inner dynamics of its components. This is important to do, because cyberwar frequently combine elements of the battlefield in ways that are confusing and perhaps even contradictory. In order to incorporate cyberwar into grand strategy, it is important not to do it in a way such that we step on our own toes, so I believe that a better understanding of the problem will be valuable to attacker and defender, alike.
- The Battlefield
- Next up
- For More Information
(1) The Battlefield
I entitled this series “Parsing Cyberwar” because that’s what we need to do – “parsing” a phrase is the process of analyzing its components and grammar and checking to see if it’s correct and comprehensible; that’s exactly the problem we have with cyberwar today. Since it first became a popular term in the computer security landscape in 1996 with the publication of Winn Schwartau’s science fiction novel, Information Warfare, cyberwar has served primarily as a hold-all encompassing cyber-crime, cyber-espionage, cyber-terror, and cyber-war. I have seen the term used to describe everything ranging from tactical use of computers in battlefield command/control to strategic economic spoiling operations.
I credit a great deal of this to the time at which the term was introduced, and the way in which it was first presented. When Schwartau wrote his book, the intelligence community and DoD were still in the throes of re-orienting their missions (and budgets) for a post-coldwar world: cyberwar appeared first and foremost as a whole new problem that needed research – lots of research. It presented a good opportunity for both the expansion of agency missions and beltway contractors’ portfolios of offerings. Between 1996 and 1999, it was pretty much a given that any research proposal sent to DARPA needed to have “cyberwar” in the title, and it took the better part of the remaining 15 years until now for a bit of sanity to set in.
In the intervening time, perturbed violently by post-9/11 realignment in the intelligence community, cyberwar has simultaneously been a cherished bailiwick and a hot potato. One agency after another stepped forward and announced that they were going to spearhead the US’ cyberdefense efforts, then discovered that it was a hard problem, and was replaced by another. Today, there are a half-dozen agencies ranging from Department of Homeland Security to the National Security Agency which claim the turf. Meanwhile, according to every agency involved in cyberdefense, the critical electronic infrastructure remains at risk and there hasn’t been a great deal of progress made in spite of the tremendous amount of money spent.
Under the umbrella of cyberwar are four main components:
Each of these components is a problem domain in its own right, and has very different properties of attack and defense. It’s my opinion that these problems are often conflated because – simply put – it’s easier to scare your customer out of their money using the following argument:
You know for a fact that hackers and cybercriminals seem to be able to penetrate our systems at will; therefore, imagine how bad it could be if state-sponsored actors decided to do it also.
It’s a reasonable argument if left unexamined, but it avoids the deeper questions such as: “would a cyberterrorist use the same methods as a cybercriminal?” and “would a state-sponsored cyberespionage program look and act like a cybercriminal’s bot-net? This is a reasonable question, by the way, to ask a security products vendor: “is this thing you’re trying to sell me designed to foil the casual hacker, the professional criminal, or the state-sponsored spy?”
Now, let’s look at the agendas and tactical/strategic operations of the four subtypes of the cyberwar battlefield.
The cybercriminal acts purely for short-term profit. In a sense, they are parasites on commercial systems and networks – they want to take advantage of the lifeblood of the cyber-age without killing or significantly harming their hosts. Because they are not organized and coordinated on a large scale, their activities will be purely tactical; they’ll hit where the money is, grab what they can, and move on.
The cybercriminal’s methods will co-evolve rapidly against the defenders’ attempts to block them (an important point we’ll come back to later in Part 2) and they’ll prove impossible to eradicate. If one group of cybercriminals is shut down, another will occupy their niche as long as its profitability outweighs the risk of capture and punishment. At present the asymmetry between that risk and the opportunity for crime is so great that we can only look forward to the activities of the cybercriminals getting increasingly professional and creative. Cybercriminals’ operations will remain entirely tactical exactly because of the pressure to innovate – the ones who make the most money will be the ones developing new scams, tools, and techniques. They will shift stance rapidly to where the money is and, because of their generally non-ideological nature, every possible target represents an opportunity; they will steal from everyone including each other.
Espionage, whether economic or military, has always been a strategic activity, if only because of its generally long-term targeting. Classical espionage involves building networks of agents-in-place, suborning the targets communication systems, and embedding within their infrastructure. Whether this is done electronically in the “cyber-“ context or using traditional trade-craft, espionage remains a slow-moving process: immediate payoffs are generally less significant than long-term results, which means that the grand strategy of a nation-state does not make for particularly nimble espionage.
Consider, as an example, the disruption in the US intelligence community’s mission at the collapse of the USSR: a brief scramble to find a new enemy to focus on that found the intelligence community caught on the wrong foot when Al Quaeda volunteered itself for the role.
Cyberespionage consists of multiple levels: useful idiots, long-term operations, and economic intelligence gathering. The useful idiots may be legions of government-associated hackers who troll the internet and engage in smash-and-grab data collection where data is poorly secured. One would assume that any competent nation-state’s intelligence apparatus would have a process for collecting, cataloging, assessing, and winnowing through such information. The useful idiots are useful because they are highly deniable and can be operated at arm’s length. Economic and technology intelligence gathering is generally a matter of collecting information that, for all intents and purposes, is practically lying about.
High tech first world societies rely so heavily on exporting parts of their technological processes to capitalize on low-cost labor, that it has long been a strategic economic activity for less technologically advanced nations to make technology transfer a condition for gaining access to their labor pool. In cyberspace, both the useful idiots and economic intelligence gathering have almost the properties of “open source intelligence.” The problem is not so much a matter of how to collect the intelligence as how to evaluate it, sort through it, and find the important megabytes in the terabytes that are harvested.
Long-term operations, whether in cyberspace or meatspace, will continue as they have since the dawn of human history: finding out who has access to important information and convincing them to reveal it. This process can take years and is high risk for the controllers of agents in place, but pays off tremendous rewards since the people providing the information generally have an idea of the location and value of what is being collected. There will be some change in long-term operations thanks to computers and networks but it will mostly have to do with the expansion of the target’s threat-surface. Nowadays you no longer have to go after the person who generates a desired piece of intelligence, you can go after the system administrator or the person who rotates the backups. This is really nothing new – the history of intelligence operations is replete with secretaries who were suborned, or photocopier machine technicians who embedded a little extra something in a copier.
We shouldn’t expect the advent of cyberspace to do much to long-term operations other than to scale with Moore’s law – Aldrich Ames sold incredibly damaging information from the CIA on floppy disks; today it would all fit on a single USB thumb-drive. Copying things has gotten easier; getting the right person in the right place to do the copying hasn’t.
When we’re talking about cyberterrorists it’s arguable whether or not we’re dealing with a myth. Terrorism is the process of attempting to influence a political process from outside, using threat, intimidation, and damage. As such, terrorism is inherently ideological or nationalistic and therefore will focus on subtargets of opportunity within a specific target.
In other words, unlike the cybercriminals who’ll go after anything profitable, the cyberterrorists will only go after a specific target, but might hurt it in any way possible. Critical potential subtargets within that target, however, can reasonably assume that they may be targeted, and increase their defenses appropriately. Power, water, oil, shipping, vehicle control, financial system, and other high-value subtargets should “consider themselves warned” if the nation or culture they are part of is experiencing terrorist attacks. Like with meatspace terrorism, cyberterrorism is especially problematic because of its inherent asymmetry: the attacker needs to find a single poorly defended subtarget of opportunity, whereas the defender must defend all subtargets consistently.
State-sponsored cyberterrorism presents us with a more complex problem. We’ve already seen instances of state-sponsored cyberterrorism in the Stuxnet attacks against Iran. The Stuxnet attacks, however, were not targets of opportunity; they were part of a long-term planned attack that occurred on an approximately 3-year time horizon, due, in part, to the fact that the target was carefully chosen and the cyberweapon used was customized specifically for that target. Broader-scale state-sponsored cyberterror attacks against a nation’s power grid or communications infrastructure, might or might not require such a long-term horizon; probably it would be considerably shorter.
The crucial issue with state-sponsored cyberterrorism is that it’s a tactic used in a strategic context. Consequently, the target can fairly well assess the likelihood that a given attack came from a particular quarter, whether they can prove it or not. Again, Stuxnet serves as a good example. Many geopolitical analysts and security technologists (including myself) correctly identified the US or Israel as the most likely sources for Stuxnet. Pretty much everyone did. The attackers went to a great deal of trouble to successfully launch their attack, and the attack aligned perfectly with the US and Israel’s stated political positions. Just as with meatspace terrorism, cui bono? is the question to ask, if you want to know the identity of the primary suspect. The implications of that are obvious: any state that sponsors cyberterrorism is going to have to be able to deal with any political blow-back from a cyberterror operation.
Cyberwar is strategic, and consequently a long-term activity. Just as the meatspace military needs to maintain contingency plans for various situations according to a nation’s grand strategy, so does the cyberwarrior. In principle a cyberwar contingency plan would include preparations to penetrate, attack, degrade, and suborn a target’s military command/control systems as well as components of the target state’s civilian critical infrastructure.
This presents the cyberwarrior with a daunting problem: for the attack to have military utility it needs to be significantly large, but most importantly, it needs to be reliable. In the predominant cyberwar scenarios, cyberwar is construed as a force multiplier – i.e.: an adjunct to conventional meatspace operations. This, again, is nothing new; it’s what Napoleon Bonaparte would recognize immediately as another form of combined-arms attack. As such, the coordination between the arms, and their reliability on the field is paramount. The cyberwarrior has to scout a strategic target, map it out, at least partially penetrate its command/control systems without being detected, and maintain its strike capability for as long as it may be needed. In other articles and presentations I have offered skeptical arguments about the cost-effectiveness of such large-scale preparations.
If we look at strategic cyberwarfare, the cyberwarrior’s agenda is the most expensive in terms of effort, and the most likely to fail by being detected. Since the cyberwarrior cannot choose subtargets of opportunity, and has to penetrate and prepare on a long-term time horizon, they need to not only map the target, they need to maintain the penetration capability reliably against all of the deliberate or accidental actions of the defender. The entire costly effort could go up in smoke if the defender had detected some of the cyberwarrior’s penetration attempts and quietly put fall-back/redundant systems in place, or prepared to sequester their systems when they were brought under attack.
Most significantly, the subtargets may be manned by active defenders, unless they are so obtuse that they utterly fail to assess the geopolitical situation and see the cyberattack coming. As I write this in August, 2012, I have to imagine that the Iranian Government has some kind of practical plans in place for dealing with large-scale cyberattacks on their critical infrastructure. They would be crazy not to, and all it would take to block many of them would be to unplug a couple of routers when the balloon goes up. I’ll go into more detail about the reasons for my reservations regarding cyberwar as a practical force multiplier in a later part of this series
Already, you should be able to start comparing and contrasting the different problems in each of the subtypes of cyberwar, and it ought to be intuitively clear that they really are very different things. One of the primary motivations in my writing this series is because I feel that the cyberwar subtypes are often conflated in people’s minds – it’s what I call the “cyberwar hop skip and jump.”
Suppose we want to scare a congressman into spending a lot of money on cyberwar: we show them that cybercrime is a serious problem – after all, there are botnets comprising millions of systems. Then we imply that a million-system botnet argues that taking over a nation-state’s command/control systems is a problem of the same type and scale. It’s not, of course, but a congressman or a voter is not likely to know that.
(7) Next Up
In the next part of this series, I will describe some of the deeper synergies and conflicts that may arise between these subtypes of cyberwar. In the final part, I will offer some high-level analysis of our response strategies in those areas and where we can expect defensive or offensive capabilities to overlap.
Parsing Cyberwar: the series
- The Battlefield
- The Logistical Train
- Synergies and Interference
- Patch #1 – Lessons from the Gauss malware
- The Best Defense is a Good Defense
(8) For More Information
(a) For a lengthy bibliography
See the FM Reference Page about Cyber-espionage and Cyber-war!
(b) Some ather articles:
- Winn Schwartau, “Information Warfare” – (wikipedia)
- “Cyberwar is Coming!”, John Arquilla and David Ronfeldt, Comparative Strategy, Spring 1993 — republished in a RAND report (pdf)
- The Farewell Dossier – (wikipedia) Economic spoiler operation or counter-espionage?
(c) Other articles by Marcus Ranum:
- Obama knows how to lead America by exploiting our fears, 5 June 2009 — About cyberwar
- Cyberwar: a Whole New Quagmire. Part 1: The Pentagon Cyberstrategy, 2 September 2011
- “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
- Conflating Threats, 14 September 2011
- About Stuxnet, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
- Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
- About Attribution (identifying your attacker), 21 October 2011
- You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011