Summary: In the previous part of this series, Marcus Ranum dissected the various subtypes of cyberwar into four specializations: cybercriminals, cyberspies, cyberterrorists, and cyberwarriors, so that we could begin to compare and contrast the practical problems faced by each specialty. I paid particular attention to explaining which are strategic processes that require long-term planning and execution. Briefly, they break down as follows:
- Cybercriminal: tactical profit
- Cyberspy: strategic surreptitious
- Cyberterrorist: tactical high-profile
- Cyberwarrior: strategic destructive
- The Geopolitical Logistics Train
- Attacking The Boardroom
- Next Up in this series
- For more information
(1) Geopolitical Logistics Train
One of the reasons cybercriminals are so successful is because they require nothing outside of their own operations. Indeed, they are self-funding! I sometimes wonder whether, someday, a nation-state will do the equivalent of issuing letters of marque and reprisal, supporting the actions of cybercriminals and cyberterrorists as long as they were directed against a specific target nation’s assets. That’s a fantasy scenario, really, for reasons we’ll consider shortly, but it might make a fun theme for a novel.
Both cyberwar and cyberespionage require geopolitical top-cover in order to be effective, or, in fact, to be valuable at all. That is implicit in their nature as strategic activities. In cyberwar, it becomes explicit: there’s no point in launching one arm of a combined-arms attack unless there are additional forces arrayed and prepared to exploit any advantage it confers.
Another way of putting it is: if you don’t have a force to multiply, a force multiplier is utterly pointless. Ten times zero is zero. Even if there are forces to exploit the advantage, there must also be a valuable strategic target and the attacker presumably has to be confident that they will survive any retaliation or achieve immediate victory outright. This is one of the most serious objections to the full-on cyberwar scenario, namely that cyberwar is only valuable to the side that would win in a meatspace war anyway. Because, otherwise, they’d simply be inviting a devastating meatspace counter-attack.
Consider a hypothetical situation in which Iran launched a cyberwar attack on the US to collapse the US power grid and disrupt commercial aviation. That would be foolish since it virtually guarantees a US military counter-strike. On the other hand, we can easily imagine the US launching cyberwar attacks against Iran. I’ve referred to this elsewhere as cyberwar being a “weapon of privilege” – we can use it on you, but don’t you even dream of using it on us.
Cyberespionage requires a different type of geopolitical top-cover. If the espionage is strategic/military with the intent of improving a nation’s ability to win a war against a specific target power, it only adds value for the side that would win in a meatspace war anyway. Economic espionage is much, much more complicated: to effectively use any economic or technological secrets that are acquired by espionage, you need the ability to safely exploit that information without economic blow-back.
In fact, this is not a new problem, at all. The entire global regime of trade barriers, punitive import duties, import restrictions and international lawsuits for copyright/patent/counterfeiting exists because theft of trade/technical secrets has been a problem for as long as people have been making valuable technologies. In ancient times, such as when the Japanese went and captured (“imported”) Korean potters to jump-start their clay-working process (late 16th century) there was not much that could be done about it. Historically, military technologies have been stolen and sold and restricted for as long as there have been military innovations. It has always been the case that the higher-tech power that wishes to remain higher-tech and powerful must protect its technological edge, or it gives away its advantage.
The problem we face in today’s globally integrated manufacturing system is simply that some nation-states are in denial, or are suffering seller’s remorse after they realize that their internal capitalistic pressures caused them to sell too much. For all that we hear about economic cyberespionage, the fact remains that economic espionage is only valuable if you have the logistics train and top-cover to exploit what you have learned.
For example, building a fission nuclear bomb is a matter of expensive and complicated engineering, but it’s not exactly a secret how it’s done, anymore. Building an iPad is also a matter of expensive and complicated engineering, and it’s only practical to do it if you’re Apple, because of the economies of scale that Apple has achieved in its manufacturing process. For that matter, I hope none of my readers are surprised to learn this: the secret of how to build iPads has leaked to the Chinese. Well, it didn’t really “leak” – it’s just that Apple exported those trade secrets to Foxconn as part of their manufacturing process. Only an utter imbecile would later voice surprise when they discovered that some technological know-how had been transferred as a consequence. Further, as we see from the lawsuits between Apple and Samsung, there are ample well-established mechanisms for dealing with what happens if trade secrets are transferred (or, I suppose stolen) and used.
(2) Attacking The Boardroom
How do you engage in economic espionage against a capitalist? You ask their board of directors for the secrets in return for something, of course. For another example, Microsoft gave the Chinese government the source code for Windows – the corporate “crown jewels” of intellectual property – because the Chinese government asked for it and threatened to block sales of Windows in an important emerging market (announcement here, February 2003). This is an example of how having enough economic top-cover equates to having the clout to simply demand access to trade secrets. And, it’s how the most significant and potentially damaging leaks occur. I recall a number of years ago, there was a great deal of groaning that Huawei, a Chinese data-communications equipment company, was producing routers that were competing against Cisco – one of the darlings of the US stock markets and the crown jewels of Silicon Valley. Was the know-how for router-building stolen? Of course not! Huawei was a joint venture between the US company 3COM and the Chinese Government. That’s a lot of economic top-cover and a very effective logistics train.
Other than the official boardroom-level economic espionage, is there more? Of course there is. You’d have to be crazy to imagine otherwise. In fact, in order to live in a world in which there was not, global economic integration would have to be significantly rolled-back and companies would have to almost entirely in-source all manufacturing. Yet, consider Apple, again. Here’s a company that is able to manufacture an insanely complicated widget, in which the manufacturing process is largely out-sourced to another country, and virtually nobody in its target market has any idea what the next Apple product’s specs are until it’s released on the open market. Clearly, it is possible to produce something in which a high degree of confidentiality is maintained while many potential competitors are part of the supply chain. Samsung, while engaged in lawsuits with Apple today, used to provide crucial components like LED displays for iPods.
Perhaps what is going on is that some companies appear to be pretty good at keeping their secrets, and others appear to be pretty bad at it. Those that are bad at it, complain. My opinion is that they’d be better off if they got good at keeping secrets. Acknowledging that economic cyberespionage is a problem that’s here to stay (since circa 200AD) ought to direct our strategic efforts in that area toward protecting technical secrets where possible and appropriate, rather than complaining about it.
With regard to military secrets, the US may be a superpower on the battlefield but its information security practices are seriously lacking. US Government information security looks good in movie theaters thanks to features such as Mission Impossible, but the reality bears no resemblance to what comes out of Hollywood. Consider Bradley Manning as the canary in the coal-mine: here we saw that a 20-something nobody was granted unfettered access to NIPRNET’s data warehouse (Unclassified but Sensitive Internet Protocol (IP) Router Network; see Wikipedia). That was bad, but the implications are worse, when we discover that apparently there was no detailed record of what information he stole -– in other words basic precautions such as access logging were not used.
You would have hoped that the intelligence community would have recognized this problem after having to negotiate with Aldrich Ames to get an idea what he sold to the KGB – apparently the CIA didn’t believe in access logging either. We see a pattern of not only failing to learn from mistakes but repeating them on a grand scale. Further, there are (depending on who you ask) somewhere between 100,000 and 300,000 users with access to SIPRNET (Secret Internet Protocol Router Network; see Wikipedia). It is absurd to assume that everyone one of those users is trustworthy. Obviously, Manning wasn’t.
Additional problems appear in programs like the Joint Strike Fighter, which allegedly suffered a detailed design leak including CAD files. Is this surprising, really? It’s a programme that has thousands of people involved in accessing those data-sets, from multiple countries, and hundreds of subsystem providers. Even Apple would have trouble keeping a collaboration of that scale under wraps; the very process by which mega-scale programs like the JSF are designed guarantees that virtually any nation-state that wants the data needs to compromise it at one of the other countries involved in the collaboration. It is my opinion that the US government’s complaints about being a cyberespionage target are both true and pointless. Of course the US is a target, now it’s time to stop complaining and take information security seriously. The alternative is to accept the status quo that has held since the invention of the bow: military technologies are the shortest-lived secrets, and always have been.
No strategic activity is worth undertaking if it has been defeated in advance by an inability to execute a follow-through. Sun Tzu did not say this, but, “It is not worth reading Sun Tzu if you do not have an army that is worth taking into the field, or you will be a mere spectator at every battle.” Many of the public discussions regarding cyberwar sweep the strategic questions under the carpet. That leads me to believe that cyberwar, which is cast as a strategic tool of great value, may simply be a tactical fad that will eventually be absorbed into operations and command/control, eventually becoming a historical footnote.
(4) Next Up in this series
In the next part, we will look at the agenda mis-alignment between subtypes of cyberwar, to better understand how they might interact in a strategic context. That will lead us to be able to assess whether there are any synergies (or mis-alignments) in defensive strategies that can be used to counter these threats.
Parsing Cyberwar: the series
- The Battlefield
- The Logistical Train
- Synergies and Interference
- Patch #1 – Lessons from the Gauss malware
- The Best Defense is a Good Defense
(5) For More Information
(a) For a lengthy bibliography
See the FM Reference Page about Cyber-espionage and Cyber-war!
(b) Some articles about cyberwar:
- Wikipedia entry on Huawei
- Global participation in the F-35 Lightning program, Lockheed Martin website
- Microsoft and China Announce Government Security Program Agreement, February 2003
- Chinese Hackers Stole Plans For New US Joint Strike Fighter, April 2010 — I’ve heard from credible sources that the data leak occurred through a non-US partner
- Microsoft Opens Source Code to Russian Secret Service, July 2010
- SIPRNET: Where America Stores Secret Cablesm, November 2010
- Samsung Makes More Than 1/4 Of the Parts In An iPhone, August 2011
(c) Other articles by Marcus Ranum:
- Obama knows how to lead America by exploiting our fears, 5 June 2009 — About cyberwar
- Cyberwar: a Whole New Quagmire. Part 1: The Pentagon Cyberstrategy, 2 September 2011
- “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
- Conflating Threats, 14 September 2011
- About Stuxnet, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
- Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
- About Attribution (identifying your attacker), 21 October 2011
- You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011