Parsing Cyberwar – Part 1: The Battlefield

Summary of this post by Marcus Ranum: This series is based on a lecture I presented at RSA Conference in March 2012. In it, I will attempt to isolate some of the strategic elements of the “cyber” battlefield so that we can better understand the inner dynamics of its components. This is important to do, because cyberwar frequently combines elements of the battlefield in ways that are confusing and perhaps even contradictory. In order to incorporate cyberwar into grand strategy, it is important not to do it in a way that steps on our own toes, so I believe that a better understanding of the problem will be valuable to attacker and defender alike.

Article deleted at author’s request.

 

(7)  Next Up

In the next part of this series, I will describe some of the deeper synergies and conflicts that may arise between these subtypes of cyberwar. In the final part, I will offer some high-level analysis of our response strategies in those areas and where we can expect defensive or offensive capabilities to overlap.

Parsing Cyberwar: the series

  1. The Battlefield
  2. The Logistical Train
  3. Synergies and Interference
  4. Patch #1 – Lessons from the Gauss malware
  5. The Best Defense is a Good Defense

(8)  For More Information

(a)  For a lengthy bibliography

See the FM Reference Page about Cyber-espionage and Cyber-war!

(b)  Some other articles:

  1. Winn Schwartau, “Information Warfare” – (Wikipedia)
  2. “Cyberwar is Coming!”, John Arquilla and David Ronfeldt, Comparative Strategy, Spring 1993 — republished in a RAND report (pdf)
  3. The Farewell Dossier – (Wikipedia): economic spoiler operation or counter-espionage?

(c)  Other articles by Marcus Ranum:

  1. Obama knows how to lead America by exploiting our fears,  5 June 2009 — About cyberwar
  2. Cyberwar: a Whole New Quagmire.  Part 1: The Pentagon Cyberstrategy, 2 September 2011
  3. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  4. Conflating Threats, 14 September 2011
  5. About Stuxnet, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
  6. Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
  7. About Attribution (identifying your attacker), 21 October 2011
  8. You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011


35 thoughts on “Parsing Cyberwar – Part 1: The Battlefield”

  1. Look forward to more, lots to think about. But if the enemy pulls the router, then he has done your work for you; one of the objectives in a cyber war is taking the enemy off line.

    I don’t think you need massive numbers of troops, just massive numbers of bots. From sources I’ve found reliable in the past, Conficker is an NSA weapon; theoretically it could be run by one person. Before Stuxnet there was a mapping recon program, so Iran’s networks theoretically may be already mapped. It’s possible cyber IEDs have already been planted, awaiting a specific date/time, in which case taking your router off line is ineffective.

    Cyber war may not be an adjunct of a meat war, a force multiplier, but its only component. Stuxnet/Flame have the capability for multiple warheads: banking, phones, C2, Army, Air Force, electric, etc. Therein lies the potential to erase a culture’s database, restricting everything to snail mail. Stuxnet/Flame have finished large-scale preparations.

    “fall-back/redundant systems in place, or prepared to sequester their systems when they were brought under attack.”

    If Stuxnet/Flame has already planted cyber IEDs, redundant, backup systems may have already been breached. Sequestering a system with cyber IEDs already implanted could be a signal to trigger the munition.

    With these considerations Iranian culture can be set back to the 1950s — snail mail for everything; deleting key databases, money, finances, stock exchanges could drop them back to the 1860s.

    At any rate turn Iran blind deaf and dumb in a military sense while the Air Force pounds nuke facilities at their leisure.
    I suspect we are about to see a whole new application of combat in the newest domain.

    Look forward to rest of your articles. Thanks.

    Gerald, Internet Anthropologist, ad magnum

    1. Thank you for your thoughtful reply. It will be interesting to see what Ranum says.

      The history of military innovations suggests that the current state of cyberweaponry is far less advanced than you suggest (returning Iran to the 1860s). Perhaps the most apt analogy is the bomber gurus, who as early as the early 1930s said that a nation could be destroyed from the air. They proved correct, even with conventionals — but far exaggerated bombers’ capabilities, as the large numbers of heavy bombers necessary to do so were not available until 1944. And even then the resources necessary (trained men, materials, industrial capacity) were so great as to make them an inefficient use.

      Also — given what you’ve written about EMPs, you might find these of interest:

    2. (1) But if enemy pulls router, then he has done your work for you, one of the objectives in a cyber war is taking the enemy off line.

      Maybe, maybe not. It’s important to understand that some attacks might involve taking critical systems offline, whereas others might simply make them unavailable. In some cases, making the system unavailable would be a “win” and in others it might be a horrible “lose.” Let’s take, for example, a manufacturing process: if I’m under attack and I take it off the internet, then I can continue to manufacture unimpeded. In situations like the Estonia cyberattacks, where you’re attacking the civilian-facing aspects of government service, then, yes, it’s a disruption. But, still – there is a gigantic difference between, say, making the IRS’ website unavailable to taxpayers and taking down the database servers behind it.

      (2) I don’t think you need massive numbers of troops, just massive numbers of bots

      I will address that in the second part of the series, but the short answer is “not quite.” Massive bot-fleets are useful for disrupting service, but militarily useful activities require direction. Botnets are like having a massive number of infantry with no initiative whatsoever. So, unless you tell them what to shoot at, they’re just going to stand around. When it comes to exploiting an attack in a militarily useful way, you need human decision-makers (and highly technical ones, at that) in order to decide what to do next. That’s the difference between a blitzkrieg breakthrough and simply bombing your enemy to keep their heads down.

      What I’m saying is that botnets actually aren’t that interesting.

      (3) from sources I’ve found reliable in the past confliker is NSA weapon, theoretically could be run by one person

      I don’t trade in undisclosed sources, but I find the idea that Conficker is an NSA weapon to be highly highly doubtful. First off, it’s childishly easy to detect, and it was initially fielded to grow. It’s much more likely that Conficker was a commercial botnet – someone wrote it and deployed it so as to take over a huge number of machines with the intent of cashing out by selling the entire structure to some cybercrime group who would exploit the systems that had been taken over. That’s an important point which we will revisit in Part 2: you can take over a lot of systems but you have a huge logistical problem in exploiting the results usefully.

      Yes, though, most botnets are designed to be run by one person. That is their whole value.

      (4) Its possible cyber IED’s have already been planted, awaiting a specific date/time, in which case taking your router off line is ineffective.

      It’s possible, but that would be stupid for an attacker to do. I will explain why in Part 3.

      (5) Stuxnet/flame have the capability for multiple war heads, Banking, phones,C2,Army,Air force, electric etc there in lies the potential to erase a cultures data base.

      The “potential to erase a culture’s database” is science fiction, says this former system administrator and DBA. Until and unless a society manages to make a horrible mistake such as putting almost all of its data in a single repository and forgetting about data redundancy and basic system administration.

      By the way, you mentioned banks and phones – are you considering civilian infrastructure as a morally acceptable target in such an attack? I’m just curious.

      (6) If stuxnet/flame has already planted cyber IED’s redundant, back up systems may have already been breeched.

      In the immortal words of Rich Rosen: “Many things are possible, but very few actually happen.”
      It’s certainly possible that “cyber IEDs” could be planted but that would be foolish on the part of an attacker! Think about it a little bit harder and perhaps you’ll figure it out. Either way I explain it in Part 3.

      By the way, I do not like your “cyber IED” terminology. There is nothing “improvised” or “explosive” about cyberweapons. Besides, there is existing and ample terminology – you’re talking about what we’d term a “trojan horse.” Let’s not confuse ourselves by making up lots of new terms because then we go off into a rathole arguing about what they mean.

      (7) With these considerations Iranian culture can be set back to 1950s — snail mail for everything, deleting key data bases, money, finances,stock exchanges could drop them back to 1860′s.

      You appear to be advocating states attack civilian targets. While I understand that that’s been the prevailing form of war for a long time, let’s not mince words: you are talking about serious war crimes.

      (8) At any rate turn Iran blind deaf and dumb in a military sense while the Air Force pounds nuke facilities at their leisure.

      A minute ago you were saying that cyberwar might not be a force multiplier but might be the war in and of itself. Now you’re talking about it as a force multiplier. Reality is not that flexible. For one thing, even in an absurdly best-case scenario a cyberattack is not going to disable military antiaircraft systems. You might (if you’re dealing with an exceptionally stupid enemy) be able to disrupt some battlefield communications. But real-world armies do not configure their SAMs so that they’re only operable over the web! I suspect they never will, because of the obvious problem.

      Your suggestion of turning any country “blind deaf and dumb” in a military sense is absurd, in a technological sense. Let’s stick to real-world scenarios.

  2. I find a lot of the claims overblown … at this moment. But if you look at the trends you do see increasing vulnerability, particularly in western societies. For example: I remember being a network admin when companies had dedicated lines, even one that had its own private microwave link from HQ to an oil refinery. Now these were difficult to penetrate or hit, and even if you did, it was only one company.

    But in our relentless drive to ‘cut costs’ more and more organisations and systems ‘piggy back’ on the existing internet infrastructure. Cheaper yes, but far more vulnerable. As a general point this seems to be the mantra of western society right across the board at the moment (of which the GFC is the poster child). Save money by making things more fragile and vulnerable. So the scope for damage (I’m concentrating on the attack side) is steadily increasing.

    Now here is the overall strategic bit. We in the west have flagged that we will use cyber attacks and use them quite often. So just about everyone else out there (who is not a complete moron) now knows that they have to protect their vital systems. So I’d expect lots of ‘paddling under the water’ in all sorts of places (and naturally Russia and China, where the gun sight is steadily tracking towards) will be hardening their key stuff.

    While at the same time we are making our stuff more vulnerable. Hmmm, what could possibly go wrong with this scenario.

    Note that to really cause disruption in a country there are many simple ways to do it (noting that FM is a specialist site and unlikely that any ‘bad guys’ read it, or more likely haven’t already thought of this) such as take out the ATMs. You could cause a lot of damage in a very short period of time.

    Note also, backing up my original argument, that penny pinching by banks (must keep those bonuses going) means that most of those systems are hanging in by their fingernails already. Crashes are becoming more and more frequent, without any attacks.

    In fact in the US, taking another example, the electricity grid is so close to the edge that an ‘Indian’ experience is going to happen anyway within the next 10 years or so. BUT, and here is the scary part, it makes a very attractive target. Again, ‘saving money’, far too many (but not all of course) monitoring and control systems have been ‘piggy backed’ onto the existing internet infrastructure. Now if I was (say) Iran and thinking ‘thank you so much for your wonderful cyber attacks’ I’d be thinking ‘how can I really hit them if I need to’? Oops, Stuxnet might not have been such a clever idea after all.

    Strategically, shooting up someone else’s little greenhouse is not such a good idea .. if your greenhouse is 20 times the size of theirs.. might give them nasty ideas after all.

    1. Conceptually, OldSkeptic mirrors my thinking on this. But then I was a cutting edge techie in 1980, not so much since then. My secretary had one of the first iPods; I told her it was clever, but not a mass market device. Now my kids laugh at my lack of tech savvy.

      So I’d convert Oldskeptic’s comment in to questions for Marcus about vulnerability (which he has discussed before). How accurate are these statements?

      • “more and more organisations and systems ‘piggy back’ on the existing internet infrastructure. Cheaper yes, but far more vulnerable.”
      • “penny pinching by banks (must keep those bonuses going) means that most of those systems are hanging in by their fingernails already. Crashes are becoming more and more frequent, without any attacks.”
      • “the electricity grid is so close to the edge that an ‘Indian’ experience is going to happen anyway within the next 10 years or so. BUT, and here is the scary part, it makes a very attractive target. Again, ‘saving money’, far too many (but not all of course) monitoring and control systems have been ‘piggy backed’ onto the existing internet infrastructure.”
    2. (1) “But if you look at the trends you do see increasing vulnerability, particularly in western societies.”

      This is a serious problem. It seems to me that there is a class of IT managers/executives who seem dead set on doing the stupidest possible things in the name of “cost savings” or “keeping up with the Joneses!” I have spent the better part of my career fighting that particular battle and only got onto the topic of cyberwar when I noticed that a huge amount of money was being pulled away from sensible, practical security and pushed toward glib beltway bandits telling tales of WMD-like national collapse.

      I am slightly optimistic, however; as I hope this series will argue successfully, cybercrime acts as a fairly strong reinforcement system and negative feedback against lameness. Let me put that another way: imagine how bad the DoD’s networks would be if it hadn’t been demonstrated over and over again that 15-year-olds could break into them. I’m not saying “thank the 15-year-olds” but clearly there’s a problem! And the 15-year-olds helped give the right people some semi-realistic perspective. As I have written in other articles on this site, I think that the US Government is pursuing some very ill-advised policies. I’m confident that the Anonymous collective, Romanian hackers, Russian Business Network and – yes – lots of “useful idiots” from China are going to continue to force improvement with their “voluntary 24/7 penetration testing.”

      (2) “For example: I remember being a network admin when companies had dedicated lines, even one that had its own private microwave link from HQ to an oil refinery. Now these were difficult to penetrate or hit and even if you did it only was one company.”

      Me too. But a lot of those dedicated lines went through AT&T, which screwed them up often enough that we had to develop fall-backs, dial-up failover, etc, etc. I agree that a lot of stuff is getting centralized and may be more vulnerable, but there has always been lots of centralized stuff. Back in 1985, for example, a friend of mine was subjected to a “service cancellation attack” – someone called AT&T and told them that all their T-1 circuits would not be needed any more. AT&T trusted the circuit numbers and – poof – my friend had a short disruption. And, now we see that the systems at the carriers have responded so that those attacks are harder. Not impossible, but much, much harder. As the situation gets worse, so it gets better – and it seems to me to be at approximately the same rate.

      There are broad trends which you correctly observe and they should scare you. I discuss a few of them here if you want to know what keeps me up at night. It’s not “cyberwar.”

      (3) “We in the west have flagged that will will use cyber attacks and use them quite often. so just about everyone else out there (who is not a complete moron) now knows that they have to protect their vital systems. So I’d expect lots of ‘paddling under the water’ in all sorts of places (and naturally Russia and China where the gun sight is steadily tracking towards) will be hardening their key stuff.”

      Yes. I’ve been referring to it as the inevitable balkanizing of the internet, as a consequence of US treating it like a private colony. Any nation’s leaders with any sense should be thinking about this problem – and, yes, it’s very very hard. It starts with having your own DNS but what next, your own Google? Ow!

      (I am not saying that a country cut off from Google will collapse into anarchy; but their civilians are going to be mighty inconvenienced!)

      (4) “You could cause a lot of damage in a very short period of time.”

      Maybe. But you could surely cause tremendous damage with ordinary state-sponsored terror attacks. Remember how much damage the DC snipers did? And they were just two idiots with no agenda other than mayhem. Yes, there are cyberattacks that could be damaging and cost a lot of money and make some system administrators extremely unhappy. But why not just shorten the sentence and say that any country our size that is an open society is extremely vulnerable to all kinds of stuff? Because that’s how any rational attacker is going to look at things.

      If I wanted to do massive economic damage to the US, I wouldn’t waste my time with cyberstuff at all. I’d have a bunch of guys with deer rifles and bows fire arrows trailing heavy-duty copper wire over transformers all over in communities more or less at random. And when the power crews came to try to fix it, shoot a few of them. That scenario is about comparable in ridiculousness to some of the cyberscenarios but it requires virtually no skills to carry out and all the gear could be sourced one-stop-shop at WAL-MART. Etc.

      We can all hypothesize all kinds of stuff, but as Rich Rosen says, “Many things are possible but very few things actually happen.” That’s why security people worry about the stuff that is most likely to happen. And in cyberspace, that most likely attack is a kid in Romania who’s bored and looking for a credit card database or an HR database.

      (5) “most of those systems are hanging in by their fingernails already. Crashes are becoming more and more frequent, without any attacks.”

      I strongly disagree. One of the side-effects of a lot of agencies outsourcing or moving to the cloud is that businesses and government agencies that suck at IT have given that problem over to people who categorically Do Not Suck. The systems administrators at Amazon are some of the best fire-breathing badasses in IT today. The NOC team at General Dynamics, which oversees a lot of the DoD networks, is vastly more skilled than the disparate, uncoordinated teams that they’ve replaced. What we’re seeing is constant change and change is always scary to us old farts. We need to remember that sometimes it’s good and sometimes it’s bad and most of the time it’s a wash.

      (6) “an ‘Indian’ experience is going to happen anyway within the next 10 years or so.”

      It’s already happened! But it happened because businesses like Cal Edison were squeezing too much profit out and deliberately let the system fail so they could ask for a rate-hike. Which is more likely – an external enemy or a good old capitalist looting of the till?

      (7) “Oops, stuxnet might not have been such a clever idea after all.”

      I agree, and have said that here before. What I think is going to happen is that the DoD is going to try to establish cyberwar as a weapon of privilege: we can do it to you but don’t you even dream of doing it to us. That has worked with nuclear weapons but only because the US has shown that it is willing to expend vast amounts of money and kill freely in order to preserve its monopoly where it can.

      I hope that doesn’t happen with cyberwar but when I read comments like Anthropologist’s I worry.

  3. I appreciate your reply, we are looking at the same elephant, but different parts.

    Stuxnet has been running Iran’s networks since 2008, we ran into it in 2009 during a joint Anonymous operation against Iran. “Our surveillance of Stuxnet starting 2009“, 13 June 2012.

    Stuxnet, Flame, Duqu and Mahdi are but payloads of overall programs designed through the work of intelligence. The preparation is done, 5 yrs of espionage and sabotage. I agree they are “trojan horses,” but that’s like saying the USS Reagan is a boat, hence ‘cyber IEDs’.

    “You appear to be advocating states attack civilian targets.”

    No I am not, exploring capabilities. But is taking out the WWW, which Conficker could do in Iran, taking out a civilian target? Cyber war also presents the possibility of an almost bloodless WMD. If you take out the WWW that alone would put them back to the 1950s, using snail mail.

    Your example of missile bases not connected to the WWW may be true, but C2 is. The orders could be changed, intercepted, coordinates changed en route by just one integer.

    And the possibility of NULL values is a huge monkey wrench: the trojan gets root and just reports “system down”. No actual damage, the key system just wouldn’t be used. That scenario was used very successfully by @JohnBumgarner in a practice cyber war. Key data would not even have to be destroyed, just encrypted, so Iran wouldn’t have access till the regime changed.

    “Your suggestion of turning any country “blind deaf and dumb” in a military sense is absurd, in a technological sense. Let’s stick to real-world scenarios.”

    Sorry, I wasn’t limiting myself to only technology; if you get C2, you could issue orders effectively making them impotent. If you can take down their WWW, cyber or real world cutting cables, cut WWW & intranets, including phones, they are in effect blind, deaf & dumb.

    I sincerely appreciate your valuable time in responding; I seldom get a real expert to bounce my hypotheses on. Keep up the excellent work.

    Gerald, Internet Anthropologist

    Some of our more interesting work.
    http://warintel.blogspot.com/2008/10/exclusiveal-qaeda-knew-341-lbs-nuke.html
    http://warintel.blogspot.com/2008/11/taliban-webmaster-ips-location-pakistan.html

    1. “If you take out the WWW that alone would put them back to 1950’s, using snail mail.”

      That makes no sense to me, if WWW = world wide web. Its widespread growth began in 1993, with the introduction of Mosaic (see Wikipedia).

      Also, although I don’t see data on internet penetration & use in Iran, it’s probably lower than Turkey’s (from memory about 1/3 of ours, depending on the metric). It might be similar to that of Russia and China, who are roughly half that of Turkey. Almost certainly they’re not sufficiently dependent on the internet or WWW so that crippling that pushes them back 60 years.

      These are bold claims, which IMO require some heavy support to be taken seriously.

      There are many databases on this topic. See here for data on OECD use of broadband. For a broader range of data, see Internet World Stats.

    2. (1) Stuxnet has been running Iran’s networks since 2008, we ran into it in 2009 during a joint Anonymous operation against Iran.

      I’ve written about Stuxnet elsewhere on this site. It’s based on some techniques that were published in spring 2007. It’s not that complicated code; if a small team of 2 or 3 engineers worked on it, it would have been ready to field in 6-9 months, so the time-frame you’re talking about seems right.

      (2) I agree they are “trojan horses.” but thats like saying USS Regan is a boat, hense ‘cyber IED’s’

      Hyperbole doesn’t impress me much.

      No I am not, exploring capabilities. But is taking out WWW, which confliker could do in Iran, taking out an civilian target?

      Why yes, yes it is. What about the world-wide web is military? Last time I checked it was a vehicle for e-commerce, online libraries like wikipedia, online education, citizen of the world to citizen of the world communications, stock trading, banking, telephony, telepresent surgery in hospitals, civilian power-grid control systems, home automation, music, etc, etc, etc.

      The military tunnel their traffic over it in many places, using inline encryptors, virtual wires, and multiplexed optical pathways. Nobody but a fool would claim to be able to take down just the military networks and have no impact on civilian communications. Now, before you start talking about how acceptable collateral damage is, I suggest you read the Geneva Conventions – not the US DoD’s statements about what the DoD considers acceptable collateral damage. As I argued here: it can easily be argued that the military are hiding behind human shields by embedding their infrastructure inside civilian infrastructure. I probably won’t convince you of that, but I encourage you to think hard about this topic, and to do so with your reciprocity hat on.

      (3) Cyber war also presents the possibility of an almost bloodless WMD.

      Again, as Rich Rosen says, “Many things are possible but very few of them actually happen.” First off “bloodless WMD” is kind of a contradiction in terms. What about “Mass Destruction” does not involve, uh, mass, er, destruction?

      Be that as it may. Now are you advocating that the US again unilaterally use WMD against noncombatants? Are you serious? That’s monstrous!

      (4) If you take out the WWW that alone would put them back to 1950′s, using snail mail.

      When you say things like that, you sacrifice all credibility with me. For one thing, I was building Email systems in the early 1980s and managed UUCP between 1985 and 1989. This was well before the invention of “WWW” and it provided perfectly good infrastructure over dial-up. By today’s standards it’d be clunky but any semi-competent system administrator would be able to start setting up a point-to-point alternative infrastructure – completely bypassing web protocols – in under a day. But that’s almost beside the point; your comment shows that you not only don’t understand data networking, you don’t understand the web, either.

      What does it even mean to “take down the WWW”? Google is in the US and serves a gigantic amount of the world’s email. If you take down whatever country I’m in’s internet infrastructure, I’ll have a PPP account on Earthlink and be checking my email in 20 minutes. Ever hear of a modem? Oh, sure, you can take down the telephone network, too. For how long? It’s farcical to say that a country would be back in the stone age; they’d firewall off the main avenues of attack, set up temporary links, and be back in operation in a couple days, tops. Sure, some critical services could be knocked off line, but I hardly imagine that a US cyberattack is going to also knock off Amazon’s cloud services, Google, Savvis, etc. Guess what? Those are used by more than just US assets and they’re all mixed together – good luck figuring out which chunk of what data bucket at Amazon S3 is holding which data for what government. Really.

      Besides, money would be made! One of my friends who works datacomm made a gigantic assload of money setting up alternate links when the UAE’s underwater links got cut. That disruption lasted, what, a couple weeks at most? How long was Estonia inconvenienced? Do you somehow have the weird idea that when a data link goes down, the routers on both ends can’t be configured to fail over to something else, by a competent system administrator? Have you ever heard of satellite communications and gasoline-powered backup generators? The first ISP in your target country to get enough bandwidth purchased on a Chinese communications satellite would make an assload of money, for sure. China Direct Broadcast Satellite Co., Ltd.’s investors would be very happy indeed.

      I’m not saying you couldn’t inconvenience the hell out of a lot of people – especially innocent civilians that are not legitimate military targets – but this kind of “back to the horse and buggy era” rhetoric is simply not credible.

      (5) And the possibility of NULL values is a huge monkey wrench, the trojan gets root and justs reports “system down”. No actual damage, the key system just wouldn’t be used.

      I have been managing UNIX systems and data networks, some large, some small, for 25 years, and I assure you that any competent system administrator is going to shrug, boot the system off an emergency drive, figure out what’s wrong, and get busy fixing it. They will not simply sit there wringing their hands asking “what do I do!?” while the food in their refrigerators runs out.

      “NULL values” means nothing to me other than dereferencing address 0 errors in C code. Reference please?

      (6) Sorry I wasn’t limiting myself to only technology, if you get C2, you could issue orders effectively making them impotent. If you can take down their WWW, CYBER or real world cutting cables, cut www ^ intranets, including phones, they are in effect blind deaf & dumb.

      All of which has happened before, without any WMD-like effects. You are making a lot of assertions about the power of these potential attacks, but they don’t sound to this old system administrator like anything that a decent systems team at an ISP or large company couldn’t handle in a day or two.

      (7) As far as Al Qaeda knowing about transportation of weapons-grade material… Um. So? There are plenty of books (one of my favorites is Thomas Reed’s At the Abyss) which have a lot of horror stories about poor custodianship of nuclear material in the former USSR. So what? And as far as the IP address of a Taliban webmaster, again, so what?
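Ranum’s point above is that a link going down is an operational event, not an end state: a competent team fails over to satellite, dial-up or another carrier and is back in a day or two. The block below is an added illustration of that failover logic, written for this page and not code from the original post, its author or its commenters. It models a priority-ordered set of uplinks with hysteresis, so that a single dropped probe does not cause a switch and a flapping primary is not trusted again until it has been clean for a while. The uplink names, thresholds and probe results are all constructed for the example; nothing here touches a real network.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Uplink:
    """One candidate path out of the network. Lower priority number wins when healthy."""
    name: str
    priority: int
    fail_threshold: int = 3      # consecutive failed probes before the link is declared down
    recover_threshold: int = 5   # consecutive good probes before a down link is trusted again
    healthy: bool = True
    _fails: int = field(default=0, init=False, repr=False)
    _oks: int = field(default=0, init=False, repr=False)

    def observe(self, probe_ok: bool) -> bool:
        """Feed one probe result in; return the link's health after applying hysteresis."""
        if probe_ok:
            self._fails = 0
            self._oks += 1
            if not self.healthy and self._oks >= self.recover_threshold:
                self.healthy = True
        else:
            self._oks = 0
            self._fails += 1
            if self.healthy and self._fails >= self.fail_threshold:
                self.healthy = False
        return self.healthy


class FailoverSelector:
    """Keeps traffic on the best healthy uplink and records every switch it makes."""

    def __init__(self, uplinks: List[Uplink]) -> None:
        self.uplinks = sorted(uplinks, key=lambda u: u.priority)
        self.active = self.uplinks[0].name
        self.switches: List[Tuple[str, str]] = []

    def step(self, probes: Dict[str, bool]) -> str:
        """Apply one round of probe results; return the uplink now carrying traffic."""
        for u in self.uplinks:
            u.observe(probes.get(u.name, False))   # a missing probe counts as a failure
        # Prefer the highest-priority healthy link; if nothing is healthy, keep what we have.
        chosen = next((u.name for u in self.uplinks if u.healthy), self.active)
        if chosen != self.active:
            self.switches.append((self.active, chosen))
            self.active = chosen
        return self.active


def sample_probe_log() -> List[Dict[str, bool]]:
    """Constructed probe results, one dict per polling interval (not real measurements)."""
    ok = {"fiber": True, "satellite": True, "dialup": True}
    fiber_down = {"fiber": False, "satellite": True, "dialup": True}
    return (
        [ok, fiber_down, ok]          # a single dropped probe must not cause a switch
        + [fiber_down] * 6            # sustained outage: switch on the 3rd consecutive miss
        + [ok] * 5                    # link comes back: fail back only after 5 clean probes
    )


def run_scenario(probe_log: List[Dict[str, bool]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return the active uplink per interval and the list of (from, to) switches made."""
    selector = FailoverSelector([Uplink("fiber", 1), Uplink("satellite", 2), Uplink("dialup", 3)])
    history = [selector.step(p) for p in probe_log]
    return history, selector.switches


if __name__ == "__main__":
    hist, sw = run_scenario(sample_probe_log())
    for tick, link in enumerate(hist, 1):
        print(f"t={tick:2d} active={link}")
    print("switches:", sw)
```

Running it shows traffic staying on fiber through the first isolated miss, moving to satellite on the third consecutive miss, and only returning to fiber after five clean probes. The asymmetric thresholds are the important design choice: failing over fast limits the outage, while failing back slowly stops a half-repaired link from dragging sessions back and forth. Real routers implement the same idea with detection multipliers on their keepalive or tracking mechanisms; this model just makes the state machine visible.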

  4. An attack on the 13 internet nodes could slow everything way down. I meant taking down Iran’s connections to the WWW, which I thought was implied, maybe not. And you’re right, it might not be back to the 1950s, maybe 1985; I’m not sure what date to apply if land lines and cell phones are out too.

    “null values”
    What I’m referring to is just the paradigm of having their PCs report something isn’t working.

    “I assure you that any competent system administrator is going to shrug, boot the system off an emergency drive, figure out what’s wrong, and get busy fixing it. They will not simply sit there wringing their hands asking “what do I do!?”

    Exactly what they did during the cyber exercise: repair, fix, replace something that wasn’t BAD, over & over. Because of the expense @JohnBumgarner finally told them it was a ruse before the exercise was over. And there is a balance here; I think the 13th Imam paradigm is motive for Iran to push the nuke button, MAD is an incentive for that paradigm. The question may become: does the US turn off the WWW & phones in Iran to stop a nuclear conflagration? In WWII the US carpet bombed German cities as they did GB cities. Thank God for that paradigm shift.

    And you’re playing semantic games with me on WMD. A cyber attack presents the possibility of WMD TYPE effects to infrastructure without massive loss of human life, even the possibility of the WMD effects being temporary/reversible.

    After the Iran strike we both will have a better view of the actual use of cyber weapons. You have focused on possible shortcomings, while I have focused on possible maximum effects; there is lots of middle ground.

    Even after the strike the Russian forensics may take months to answer our questions, and to see what worked and what failed. Again, implied w/dates: we spotted AQ recon of nuke material, notified the Intelligence comm., then they moved it. CIA loved Taliban IPs??

    I have much respect for your years of professional IT service, but we need to look outside the “IBM” box too. You have been most informative & helpful, thank you again.

    Gerald, Internet Anthropologist, Ad Magnum

    1. “I think the 13th Imam paradigm is motive for Iran to push the nuke button”

      That statement contains several layers of misinformation and wild conjecture. It’s too off-topic to pursue here, however. If you’re interested, you can post a link to one of your posts — or you might pick up the comment thread on one of the many posts discussing these issues, listed below.

      • Very few experts — real ones (eg, with credentials, relevant professional experience), not self-taught faux experts — agree with your odd view of the 13th Imam & Iran’s public policy.
      • The world’s major intel agencies concur that Iran ended its nuke program in 2003. Israel is the unknown, as its current and past leadership publicly disagree about important details.
      • Very few geopolitical experts believe that even if Iran re-starts its program and builds nukes, they are likely to use them except in response to an attack on Iran.

      These points are supported by many dozens of expert citations, from government agencies, NGOs, and independent & academic experts:

      1. ISIS: “Can Military Strikes Destroy Iran’s Gas Centrifuge Program? Probably Not.”, 8 August 2008
      2. Iran’s getting the bomb, or so we’re told. Can they fool us twice?, 16 January 2009
      3. Follow-up on America’s latest wetting our pants episode: Iran’s secret atomic facility, 13 November 2009
      4. Iran will have the bomb in 5 years (again), 21 January 2010 — Forecasts of an Iranian bomb really soon, going back to 1984
      5. What do we know about Iran’s nuclear ambitions?, 6 January 2012 — US intelligence officials are clear: not as much as the news media implies
      6. What does the IAEA know about Iran’s nuclear program?, 9 January 2012 — Their reports bear little resemblance to reports in the news media
      7. What happens when a nation gets nukes? Sixty years of history suggests an answer., 10 January 2012
      8. What happens if Iran gets nukes? Not what we’ve been told., 11 January 2012
    2. (1) Attack on the 13 internet nodes could slow everything way down

      OK, so I’m going to assume you’re talking about the peering points {see Wikipedia}.

      Here’s what a peering point does: where there’s a telecom company or some massive networking business that’s located in a technology corridor, it’s cheaper to get some data center space, have all those businesses run some bigass fiber links to the peering point, and then they can exchange data extremely quickly without having to drive the data across someone else’s infrastructure. Imagine how well it would go over if Verizon decided to tunnel all of its traffic to Apple’s iTunes store over AT&T’s network! 1) it would suck 2) AT&T would be biblically wroth. So a peering point is basically a gigantic switching center between huge internet businesses.

      First off, an attack on the peering points couldn’t slow them down because there’s nothing that can get data into a peering point faster than the peering point can switch it back out. That’s what a peering point is for. Secondly, if you disrupted the software in the switches, or whatever, some very annoyed system and network engineers would reload them from trustworthy media. If that didn’t work they’d realize real quick that something was wrong with their media and there would be glee and excitement about all the amazing fun they’d have figuring that out – meanwhile a sneakerminion would run to FRY’s and someone would call people at Cisco and cars would move with DVDs and USB keyfobs and it’d all be back and running in – I’m guessing – less than a few hours. Generally when a competent network administrator provisions a football-field-size room full of systems, they’re all running slight variations of a single master image (great system administration is a perfect combination of hubris and laziness, as Larry Wall also says about programmers). There wouldn’t be a scenario where people were reloading operating systems on thousands of machines – some sysadmin would take a slug of Rockstar and tell the thousand machines to revert and reboot.

      The potential for attacks on peering points is something that has been discussed at NANOG every year since 1994 (i.e.: the year it was founded). “Well, duh!” is the usual response. There have been people hypothesizing blowing up one of the peering points – which would really really piss a lot of people off, but the kind of networking guys we’re talking about would be hanging fiberoptic out windows and tie-wrapping it to streetlights and the lights would begin coming back on in hours. I’m pretty sure they wouldn’t step over the bodies of their dead; they’d walk around – network engineers are generally pretty thoughtful. Fiberoptic cable is expensive but not compared to downtime at the scale we’re talking – FRY’s supply might run low but believe me, I know guys who’d think it was COOL to drop line all over the place or try to go rooftop to rooftop with armored fiber.

      And please stop being so parochial and assuming that them poor dumb Iranians don’t know how to build data networks if they have to. It’s not rocket science! And there are always con$ultants standing by to make things work extra quick for a price.

      (2) I’m referring to is just the paradigm of having their PC’s report something isn’t working

      If it’s not working enough to cause a disruption, then it’s going to stick out like a sore thumb. If it’s working well enough that it’s not causing a disruption, then it’s not not working. I.e.: it’s working. Figuring out what’s not working is one of the core competencies of any system/network administrator and when something’s not working it’s really easy to triage.

      No lights on the router? It’s the router. Lights on the router, no blinky lights on the line? It’s the line. Call the guy on the other side, “Hey, Joe? Blinkycheck me?” If the blinky lights are blinking and traffic’s not getting through it might take a networking engineer 3 whole minutes to go “Hey! WOW! the blinky lights are wrong!” A novice might take 20 minutes, to be fair.

      (3) Exactly what they did during the cyber exercise, repair, fix, replace something that wasn’t BAD, over & over. Because of the expense @JohnBumgarner finally told them it was a ruse before exercise was over.

      You’re talking about the virtual simulations? In a simulation you can have a Martian attack, or Cthulhu getting into your fiberoptics. I’m familiar with the kind of scenarios they run in simulations and they have all the usual hallmarks of DoD scripted money-justifying exercises. Many of the scenarios’ premises are absurd.

      What kind of idiot would repair and fix something that wasn’t bad over and over? If it works it’s not bad. If it doesn’t work then you know your repair process is bad. This is basic basic stuff.

      (4) And your playing semantic games with me on WMD, a cyber attack presents the possibility of WMD TYPE effects to infrastructure without massive loss of human life, even possibility of the WMD effects being temporary/reversible.

      No, I am not. You are playing semantic games, first by attempting to establish a false equivalency to WMD and then moving the goal-posts by later adding “WMD TYPE”. So it seems to me that your opening position was asserting that cyberwar could cause massive damage, and now, uh, maybe not so massive. To the point where it’s temporary and reversible, which is hardly massive. Maybe only highly irritating.

      We agree, there.

      1. “a cyber attack presents the possibility of WMD TYPE effects to infrastructure”

        I wonder how much of this comes from propaganda from DoD (written by the same people writing pr about the F-35), and how much comes from people relying on repeated watchings of Live Free or Die Hard.

        Here’s an excerpt from a review from “a programmer and IT professional”:

        If you plan to watch this movie make sure you keep Clarke’s third law firmly in mind. In Live Free or Die Hard technology is indistinguishable from magic. Hackers are wizards with unlimited power who can do anything the plot is calling for at the moment: reroute the gas mains, shut down the electrical grid, change stock prices, take over your GPS system, hack into your hamster and turn it into a time bomb (ok, I made this last one up) – you name it. They can shut down the country and bring about the end of civilization and the only person who can stop them is a grizzled, cynical cop who doesn’t know much about computers but can kick serious ass.

  5. Gauss: Nation-state cyber-surveillance meets banking Trojan, GReAT (Kaspersky Labs), posted at SecureList, 9 August 2012

    This raises some interesting points that I’ll be commenting on in Part 3: the difficulty of keeping overlapping attack techniques secret over time. When an organization knows that it is under attack from one vector (e.g.: Stuxnet) they may begin to profile certain aspects of their systems and networks and discover closely related malware applications. In a weird example of negative synergy, the more you attack some targets the harder they become to successfully attack in the future – this does not map to real-world battlefields cleanly at all.

    During the course of the analysis, we discovered a separate cyber-espionage module which appeared similar to Flame, but with a different geographical distribution.

    “Oops!”
    A conspiracy theorist might hypothesize, of course, that these are all stalking goats and that there exist other, deeper layers of malware. Indeed, it’s turtles all the way down and finally ends in the kernel, which also came from the USA.

    What we do see from this is that Stuxnet was not an isolated incident. The intelligence community and DoD are not only acting very aggressively in cyberspace; they are expanding the scope of their programs and tool-sets. We are moving farther and farther along the path toward turning cyberspace into a weapon of privilege.

  6. Re: Stuxnet etc.

    Let me get this straight: our only actual enemies live in caves and mud-brick compounds, and refuse to touch anything high-tech, using couriers instead of telephones. We, on the other hand, are utterly dependent on gizmos, especially our military, which has demanded billions of dollars in order to make itself even more dependent on gizmos.

    So, we respond to this situation by inventing and tossing around weapons which ONLY work against the gizmo-dependent, knowing that the exact same viruses can be copied, tinkered with, and sent right back. Even the Romans were smart enough to make sure their javelins could not be thrown back at them – making our “high tech” cyberweapons a technological step backwards, by more than 2000 years.

    It’s like spending a huge amount of money on a glass house, then spending more to give brickbats to all your enemies.

    US foreign policy since 1992 looks like the story of a mercenary company, looking for trouble wherever it can be found, making trouble when it can’t, and switching sides on a dime. (Islamists and secular Arab dictatorships are the new Oceania and Eastasia.) The only difference is that in the 30 Years War etc. the customers paid for the service, whereas today it’s the people with the least use for the mercenaries – We The People – who end up paying.

    There’s a huge incentive problem here, when we pay people to deal with problems. We end up with a lot of expensive treatments but no cures and no prevention. Instead we should devise a system that pays people more the less of a problem there is.

    What if we paid the military for every year we’re at peace? If our security apparatus was paid more when polling data shows more people feeling secure?

    Imagine if prisons were paid a certain amount of money for every year a criminal doesn’t commit another crime. Maybe they could keep a bit of the ex-cons’ wages, thus giving the prisons a stake in the ex-con’s success (it might give the system an incentive to go after white-collar criminals too).

    What if we paid the health system based on how many people are healthy? (Adjusting for age, of course.)

    Now of course there are variables – for example, crime tends to have more to do with the economy and social cohesion than what the police can do – but in the private sector our economic system is based on paying people for success, regardless of circumstances. Better than our current model of paying for failure.

  7. Let me preface by saying that I have yet to read all the comments. Working on the industrial side I have long considered the cheapness of wireless control a false economy. It saves copper and time but puts that factory in a much more vulnerable position. Here is a short bit I wrote in that vein about the “smart” grid.

    “Smart Grid Security?”, ECN, 14 November 2011

    But there are much larger threats to the system that “everyone” (all governments of the world large and micro) knows about. Follow this link — Terrorists Dealing Drugs, August 2012 — to the Catherine Austin Fitts – Narco News articles. What happens when everyone knows those facts? The world system as we know it collapses.

    For some reason not clear to me even the losers in wars prefer that the system remain in place – take Japan. Two good searches “Japan Manchuria opium” and “Japan French Indochina”. WW2 in the Pacific was a war for the control of the dope trade. A fact easily discernible if you know where to look. And yet “hidden”. What is the advantage to every country in the world of maintaining a criminal infrastructure? A good question even for CyberWar.

  8. Well I’m going to go OT here:

    “The world’s major intel agencies concur that Iran ended its nuke program in 2003.”

    Maybe. There is only one worthwhile secret: triggers. And you don’t need a “nuke” program to develop those. In WW2 the computations were done with IBM punch card machines. Feynman has written about running those. A “386” is adequate to cut the time from years (2 to 3) to hours. The big delay is in deciding what the numbers show and altering the inputs for another run.

    The choke point is nuclear material. The choke point for that is the electrical grid.

    Amusing is comparing the computing power applied to “the bomb” to that applied to “Enigma” and “Magic”. Why? For war fighting – intel timeliness is critical. Back on topic I see. How did that happen?

    1. Uh. I’m in the middle of developing stuff. I’d like to spend more time but have already far exceeded a reasonable allotment. Maybe in a week or two if I get some slack.

  9. BTW we don’t need a “Smart” grid to make the grid more reliable. There are easier ways to accomplish that without putting every load in the country under the thumb of the grid controllers/government. If I have thought of it so have others. It is cheap. Can be monitored locally and is under local control. Why aren’t we doing it that way? Now there is the real question.

    1. That is one of the products I’m working on. A little bit of intel – a display – and a relay. Everything you need to know about grid health can be read locally without having to know anything about the bigger flows.

  10. Pingback: Cyberwar – Marcus Ranum « ClearSky Cyberdefense Forum

  11. (5) “most of those systems are hanging in by their fingernails already. Crashes are becoming more and more frequent, without any attacks.”

    ‘I strongly disagree. One of the side-effects of a lot of agencies outsourcing or moving to the cloud is that businesses and government agencies that suck at IT have given that problem over to people who categorically Do Not Suck. The systems administrators at Amazon are some of the best fire-breathing badasses in IT today. The NOC team at General Dynamics, which oversees a lot of the DoD networks, is vastly more skilled than the disparate, uncoordinated teams that they’ve replaced. What we’re seeing is constant change and change is always scary to us old farts. We need to remember that sometimes it’s good and sometimes it’s bad and most of the time it’s a wash.’

    Yes, there are some good ones. But here in Australia we have had repeated failures in our internet banking in recent times across a couple of banks. I worked for a couple and trust me, they are just hanging in there at times (including the amusing, where a person got accidentally credited with $500 million, my area detected it and raised the alarm .. result .. I got fired).

    And in the UK as well, including their ATMs. Vaguely remember some reports about various bank systems in the US at various times.

    Relating to your other points there are several key targets. People’s money, water and power (inc gas). All of those are incredibly vulnerable.

    I once was part of a team looking at vulnerabilities of the UK gas system (during the bad old days of IRA terrorism). We quickly came to the conclusion we could not protect it. Some key areas yes, but that was about all. We used to scare ourselves with basically quite simple scenarios and the havoc they could create.

    Fortunately most terrorists are dumb, but that is not a good thing to bet the farm on forever. Heck you could bring Melbourne to a complete standstill with a couple of chainsaws (and no I’m not going to mention where). Scares the cr** out of me, especially since we spend all our time and resources on ‘security theatre’ these days.

    As for the cyberwar stuff, we are getting more and more dependent on concentrated systems, all run on the cheap. Now if I was a State actor, especially if I was in the target sights of the US (etc), I’d be doing some homework and surveys (ironically most can be done over the internet) and picking some key targets. Hmm, reverse engineered Stuxnet, wonder what that could do?

    No we are not at the point of being able to be completely collapsed by a severe internet attack, but we are steadily heading that way. But an internet attack combined with a basic physical attack could be really damaging.

    1. Oldskeptic,

      (1) “I once was part of a team looking at vulnerabilities of the UK gas system (during the bad old days of IRA terrorism). We quickly came to the conclusion we could not protect it. … We used to scare ourselves with basically quite simple scenarios and the havoc they could create.”

      Ranum is talking only about cyberwar. Physical infrastructure is, as you note, another story.

      (2) “Banks hanging on by their fingernails”

      I worked for a bank briefly in the early 1970s. I too heard those stories (even the $500 million check story. Imagine if she had asked for cash! World ends!). They were probably old when told to newbies in Babylon 3,000 years ago (not enough quality control on those clay tablets; I tell you someday they’ll be an error that will shake this city…).

      Commercial systems are built to “good enough” standards, not the “absolutely never fail” level people demand when writing letters to the Editor (of course, imagine the complaint letters if such systems were built — and fees were raised accordingly). Therefore people imagine them all simultaneously failing! It’s the equivalent of going to horror films.

      1. Watch for my column Monday: ECN magazine.

        About what happens when you slack on quality control. You get very bad press. A $35 part that didn’t meet spec is going to cost a chip company a LOT of business. Funny thing is – I have indications that they have known for a while that it didn’t meet spec.

        “The warning lights are flashing down in quality control…..”

        Fix everything you know is wrong that can be fixed. Reduces the chances of cascading failures.

    2. Ranum: ” One of the side-effects of a lot of agencies outsourcing or moving to the cloud is that businesses and government agencies that suck at IT have given that problem over to people who categorically Do Not Suck.”

      I’m not going to argue with the companies you’ve mentioned. Everything I’ve heard about them is very good. But there are an astonishing number of companies selling cloud computing services that are extraordinarily bad at them. My company has worked with several and found them to be terrible.

      My (least) favorite war story alternates between two companies. The first advertised 99.9% uptime and then had several lengthy failures in the first month. When we asked about their uptime guarantees they doubled their fee without warning or justification. It was a two month contract so we stopped using their services and stopped paying and just walked away when it expired.

      The second company (hired after the debacle of the first company) kept switching everything on us without warning. I’m talking support reps, servers, bandwidth capability, RAM, disk space, everything. Sometimes we got a fantastic upgrade at no cost and other times we were relegated to 1980’s level performance. The price stayed the same and the uptime met the contracted levels but we terminated the contract. We still cannot figure out why or even how this happened. It seems to us that the cost of all of that chaos would have been far greater than any benefit they might have received.

    3. “there are an astonishing number of companies selling cloud computing services that are extraordinarily bad at them”

      Yes; there are always opportunists and bandwagon-jumpers. They don’t last long because they either mature to compete with the real players, or burn through their pool of potential customers and collapse. They’re a problem for the ignorati who look at the marketing literature and think, “Wow! Secure data hosting at only $1 per whattabyte, completely redundant, guaranteed 100% uptime! Sounds legit!”

  12. Two real stories from bankland.

    When I investigated the $500M error (yes, it was real and on my watch), what I found was a piece by piece disassembly of all the checks and balances within the system. Back in the past each branch used to do daily balances. But that took time and staff. So they moved to weekly, then monthly. At my bank it was .. basically never. The only check was my area’s weekly balance change analysis and this stood out like a real statistical spike. So we started ringing around to find out what happened. No one knew, until we talked to the individual branch and found that a teller had typed in the account number instead of the dollar amount. So, for ‘efficiency’ we had got rid of every check and balance within the system .. except my area. If we hadn’t picked it up then it could have been there for ages .. or until the person checked their balance and was honest, or moved it.

    I wrote a report, sent to the higher levels about the failures of the system and proposed some simple checks and balances to make sure it didn’t happen again .. basic stuff this. I also picked up another failure. We had (to keep it simple) a main data warehouse. Used for all our reports, monthly reporting, et al. I found that, because of a historical accident, 40% of deposits were not recorded. Yes, no one in the entire bank, all the IT people, all the data quality people, had done a simple exercise of taking the opening balance, taking the transactions then calculating the closing balance and comparing it with the recorded closing balance.

    Note this had not been done for 10 years.

    Yes the opening and closing ones were correct, they came in from the legacy mainframe systems that ran all the branch and individual account systems. Which was correct. But all the management reporting and marketing systems ran off the data warehouse. Yes all the standard monthly reports, et al, were wrong. Plus all the marketing stuff, including the (very impressive, nice piece of maths but GIGO) complicated point scoring system to market credit cards, mortgages, et al, to customers. Yes, this is why sometimes 5 year old children got offered $20,000 credit cards .. and dogs.

    Another report .. result .. boot. Since no one cared, far easier to get rid of the noise than deal with it. Dealing with it would mean spending money. Plus some people admitting they had been mind bogglingly incompetent for years (decades?).

    What really scares me is that bankland seems well run compared to the MI/NS (Military Industrial, National Security) state.

    1. What you’re describing there is a classic example of organizational failure because of tightly coupled systems and complex interactions. I’m reminded of Charles Perrow’s analysis of the Bhopal accident (in Normal Accidents): you have safety mechanisms that misfire and are turned off instead of reset, then suddenly you discover that the entire system has become unsafe without anyone ever making an actual decision to put it into an unsafe condition. This happens everywhere, basically, except for where it’s done deliberately (insert many Wall St references here) for whatever reason.
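The two controls described in the bankland comment above (a weekly balance-change spike analysis, and "opening balance plus transactions compared against the recorded closing balance") are simple enough to show in working code. The Python below is an added example and is not code from any commenter or from the Fabius Maximus site; the ledger data, account numbers and function names are all constructed for illustration. It shows why the two checks are complementary: the reconciliation catches records the downstream warehouse silently dropped, while the spike analysis catches a fat-fingered amount that the branch system happily accepted and that therefore reconciles perfectly.

```python
"""Ledger integrity checks of the kind described in the bank comment.

Constructed example data; not real bank records.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    amount: float  # positive = deposit, negative = withdrawal


# Constructed sample: a teller keyed the account number (104700) into the
# amount field for account 2201, so the branch system recorded a 104,700 deposit.
SAMPLE_OPENING = {"1047": 1200.0, "2201": 50.0, "3310": 9800.0}
SAMPLE_TXNS = [
    Txn("1047", 150.0),
    Txn("1047", -80.0),
    Txn("2201", 104700.0),   # the fat-finger: account number typed as amount
    Txn("3310", 500.0),      # a deposit the data warehouse feed lost
    Txn("3310", -300.0),
]
# Closing balances as recorded in the (constructed) data warehouse. The branch
# system accepted the 104,700 deposit, so 2201 "reconciles"; 3310 is short by
# the dropped 500 deposit.
SAMPLE_RECORDED_CLOSING = {"1047": 1270.0, "2201": 104750.0, "3310": 9700.0}

# Constructed history of weekly net balance change for one branch; the last
# week contains the 104,700 keying error.
SAMPLE_WEEKLY_CHANGES = [1200.0, -800.0, 950.0, 300.0, -400.0,
                         1100.0, 700.0, -250.0, 400.0, 104900.0]


def reconcile(opening, txns, recorded_closing, tolerance=0.005):
    """Opening + transactions vs. recorded closing, per account.

    Returns {account: (computed_closing, recorded_closing)} for every account
    where the two disagree by more than `tolerance`. Accounts present on only
    one side are treated as having a zero balance on the other, so a record
    that vanished from the warehouse entirely is also reported.
    """
    computed = dict(opening)
    for t in txns:
        computed[t.account] = computed.get(t.account, 0.0) + t.amount
    mismatches = {}
    for acct in sorted(set(computed) | set(recorded_closing)):
        c = computed.get(acct, 0.0)
        r = recorded_closing.get(acct, 0.0)
        if abs(c - r) > tolerance:
            mismatches[acct] = (c, r)
    return mismatches


def spike_weeks(weekly_changes, threshold=3.0):
    """Flag weeks whose net change is more than `threshold` standard
    deviations from the mean of the *other* weeks.

    Leave-one-out statistics are used so a single huge week does not inflate
    the standard deviation it is being compared against and hide itself.
    Returns a list of (index, z_score) for flagged weeks.
    """
    flagged = []
    for i, x in enumerate(weekly_changes):
        others = weekly_changes[:i] + weekly_changes[i + 1:]
        if len(others) < 2:
            continue
        mu, sd = mean(others), pstdev(others)
        if sd == 0:
            continue
        z = (x - mu) / sd
        if abs(z) > threshold:
            flagged.append((i, round(z, 1)))
    return flagged


def run_checks():
    """Run both controls on the constructed sample and return the findings."""
    return {
        "warehouse_mismatches": reconcile(SAMPLE_OPENING, SAMPLE_TXNS,
                                          SAMPLE_RECORDED_CLOSING),
        "spike_weeks": spike_weeks(SAMPLE_WEEKLY_CHANGES),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Run as a script it reports account 3310 as the only reconciliation failure (computed 10,000 against a recorded 9,700) and week 9 as the only spike; account 2201 passes reconciliation precisely because the error was accepted upstream, which is why the weekly-change analysis is the control that catches it.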

  13. With regard to the earlier comment about knocking nations off the ‘web: Syria sidesteps sanctions by turning to China for Internet bandwidth, Ars Technica, 21 August 2012 — “And at least one Syrian ISP site finds a home on US servers”

    I hypothesized that the Chinese would be perfectly happy to capitalize (‘cuz they don’t communize anymore) on the business opportunities afforded by an attempt to cut off a country. No; I didn’t know this article was already in the pipeline or that Syria was being digitally blockaded. But it neatly illustrates exactly the problem I was referring to.

    The harder someone tries to knock a country off the internet, the more money skilled con$ultants and creative ISPs will make fixing the problem.

  14. Pingback: Cyberterrorism after STUXNET | OSINT ZONE
