The Best Defense Is a Strong Defense. Never Fight a Land War in Cyberspace.

Summary: While defense experts obsess about the relative advantages of different military hardware (e.g., the A-10 vs the F-35), the US has unleashed the tools of cyberwar on Iran. We can expect more in the future, begun by friends and foes. So let’s learn the rules. Today Marcus Ranum explains the nature of attack and defense in cyberwar, and the advantages of each.

Article deleted at author’s request.

Cyber Warriors


Marcus Ranum

About the author

See Marcus Ranum’s impressive profile on the page About the Authors of the Fabius Maximus website.

For More Information

See all posts about cyber-war, cyber-espionage, and cyber-crime, including those about the Sony hack plus series by Edwin Covert and Marcus Ranum.

10 thoughts on “The Best Defense Is a Strong Defense. Never Fight a Land War in Cyberspace.”

  1. Does anyone even have solid evidence about who hacked Sony? AFAICT, no one is even sure who the perpetrators were, long after the fact. That’s nothing like conventional warfare or even 4GW.

    The NSA’s ongoing efforts to subvert the internet are now leading to discussion by other nations (and many individuals inside America) about creating an alternative internet, or internets, without the vulnerabilities engineered into the current infrastructure by our surveillance-mad government. If fundamental encryption algorithms like the elliptic functions used in the deliberately flawed NIST cryptography functions are being weakened on the sly by NSA subversion of the U.S. National Institute of Standards, the main result here is not going to be the U.S. “winning” a so-called “cyberwar” against other countries.

    Instead, the main result will most likely be a wholesale loss of faith by other countries in institutions like the NIS and standards like NIST encryption. This suggests that we’re likely to see a Balkanization of global digital communications protocols and encryption standards. At worst, this might lead to a situation where, if you want to view internet content in (say) Europe, you need a different browser running on different hardware using different encryption protocols than Google Chrome running on an Intel or AMD CPU with NIST-certified encryption. The implications for global economic and scientific activity seem dire.

    I’m not quite on board with the conspiracy theorists who claim that Google is a fun graphical front-end for CIA-designed digital panopticon surveillance systems — but the way things are going, I’ll get there eventually.

    1. Thomas,

      “Does anyone even have solid evidence about who hacked Sony?”

      Here’s a detailed analysis of what (little) we know about the Sony hack. As several posts on the FM website have explained, determining attribution in cyberattacks is difficult at best.

      “the main result will most likely be a wholesale loss of faith by other countries in institutions like the NIS and standards like NIST encryption.”
      Perhaps so. But it’s not evident yet. Much like the expected outrage and protest by Americans at the news about NSA surveillance, the reaction so far has been quite muted. Time will tell.

    2. There are a lot of things about the Sony attack that are very interesting, but I don’t think that any of us know enough to offer anything more than abstract analysis — facts are short, and if you’re trying to attribute an attack, it takes facts.

      It appears that the US Government was premature in pointing the finger at North Korea, but then leaked information that indicates that the NSA (presumably) has deeply penetrated North Korea’s networks, and – presumably, nudge nudge wink wink – that intelligence would provide convincing attribution but “we can’t show you or we’d have to kill you.” That is actually a fairly plausible argument; it is not at all unlikely that the NSA has penetrated North Korea and more likely the networks that the North Koreans use to jump into the internet. That would be an intelligence problem to talk about since it would probably mean disclosing that South Korean, Japanese, or other Pacific Rim networks are also deeply compromised. So, when I say the US Government was “premature” in pointing the finger at North Korea, I mean that they miscalculated the public and experts’ willingness to believe the story without any supporting evidence. There is still no supporting evidence.

      The lack of evidence, coming from the FBI, deeply disappoints me. The FBI is a branch of the Department Of Justice, and is supposed to deal in evidence and know how to present a case in court. The FBI should not rely on hearsay, finger-pointing, or leaks. They should have let the accusations come from The Pentagon, or The White House, or some other branch of the government, rather than sacrificing their credibility to protect the NSA’s secrets. The US Government has a serious credibility problem when it comes to making accusations regarding, well, practically anything, given that both The Vietnam War and The Iraq War were begun under false pretenses; the US has literally killed millions based on false accusations – North Korea was wise to take the US’ accusations seriously whether they were simply bluster or not, for the same reason that I’d take it very seriously if Mike Tyson accused me of stealing his wallet even if I was nowhere in the vicinity. Violent thugs’ accusations get special attention.

      But, back to Sony: there is a crucial piece of the whole story that the media (which was largely playing out the story distributed by the US Government’s PR arms) ignored. And it’s a piece of the story that is utterly bizarre to omit. Namely, that Sony has been hacked by varieties of hacker crews on and off for years.

      Remember 2 years ago when Playstation Network was offline because of hackers? Or last year when hackers were (apparently) inside Sony? So this is a company that is repeatedly, nay, constantly targeted by various hackers, and suddenly it’s North Korea?

      I know a bit about the techniques used in the most recent round of attacks, and something about what happened at Sony, and it sounds to me like bog-standard hacking. Most interestingly, to me, it was bog-standard hacking for almost a week before the whole stupid movie angle got grafted onto the story and the hackers (who presumably read Google News like the rest of us) began playing along with it. I imagine that somewhere there were a bunch of non-North Koreans laughing their asses off over the way that red herring was swallowed: hook, line, and sinker.

      Another part of the story that got grafted on after the North Korea angle was promoted was the “malware is like that used by North Korea” (Pity the poor North Koreans who can’t afford the really good stuff like the NSA has been infecting the whole planet with!) well, the methods used were bog-standard hacking techniques and so was the malware. And now suddenly the North Korea angle is gone and now it’s the Lizard Squad. What if it was the Lizard Squad all along? The methods the hackers used initially, and the way the documents were posted to pastebin, as well as the media manipulation, were more in line with what you’d expect from “Anonymous” than North Korea.

      Lastly, the US Government, via the NSA, Belgacom, Stuxnet, and the FBI’s using the AntiSec hacker crew to attack Brazilian government agencies and businesses, has established that this kind of behavior is apparently acceptable for governments to do. The North Korean government would have been quite justified in shrugging and saying, “so what?” Except I don’t think they likely had anything to do with it.

      In closing, let me reiterate my opening: this is all speculation. These are my opinions and do not reflect the views of my employer, or anyone else. Unfortunately, the people who know aren’t talking and the people who are talking mostly don’t know what they are talking about.

  2. Great article. Very interesting thoughts! I think that the author is correct to identify that the offense is the resource intensive strategy in cyberspace. That is highly relevant and worthwhile to consider in any sort of conflict involving cyberspace.

  3. I would love to hear your view on the fact that the biggest ‘Hack’ and the biggest danger (in my opinion) comes not from an outside source but from a pissed off employee. Edward Snowden at the NSA and the 42 in Israel.
    If the object is to attack a state I would get a spy into Norton or similar antivirus companies. I would do a first strike by getting top workers into legitimate work in the banks, electricity companies and let them sleep till the time came for a first strike.
    I think a combination of cyber warfare and plain vandalism (A bottle of lighter fuel and a match) in a computer block would achieve a lot more than a team of hackers sitting in a building in North Korea.

    1. I would rate insiders as consistently more of a threat than outsiders, because they can learn the “land”scape and are able to target their attacks more precisely. Also, many organizations have trust models that are flat-out bad; consider how the US Department of State apparently felt that “anyone with a clearance” could get at huge amounts of its data – including PFC Manning. In all networks that were designed around a perimeter security model, you’ll find that insiders are a disaster waiting to happen because usually there’s an “inside” and an “outside” and the trust model is 100% trust for insiders. Snowden’s actions indicate that, at least to a degree, the vaunted NSA’s networks may also be fairly lame in terms of their design. When you look at the damage that Aldrich Ames did, and how, it indicates that the CIA may have some of the same problems. At the rate at which governments learn about computer security, I wouldn’t expect any of those lessons to sink in for another couple of decades, at the earliest.

      You are correct that plain old vandalism (or covert operations) would be vastly easier and damaging; that’s one of the reasons I have historically been fairly dismissive over the whole “cyberwar” kerfuffle: I see computer security as more of a strategic intelligence collection issue than a tactical one. As I’ve pointed out in other articles, actually damaging a target’s command/control networks damages one’s ability to learn from them.

      A peripheral point in all of this is the notion of guerrilla warfare, which is another of the “never fight a land war in cyberspace” issues I want to touch upon later in the series. If you go far enough up the spectrum toward irregular warfare you wind up at something that looks a lot like hacking: a sort of combined intelligence gathering and interdiction/harassment process. There may be a place for that. “Embedding” would be a potentially damaging strategic interdiction process: imagine if a nation state did want to be prepared for a full-on “cyberwar” with the US – the single most damaging thing they could do would be to embed agents at telcos, government contractors, and cloud services. On iDay, those agents would collapse the network and software infrastructure from the inside. We should find it telling that the NSA (per Snowden) targets system administrators; they have probably figured this out. But they’ve only been smart enough to figure out how to use it offensively, not defensively. This is, indeed, asymmetrical warfare. In the same sense that throwing stones when you live in a glass house is asymmetrical.

    2. An interesting discussion. I am reminded of the times when war consisted of overtaking fortified cities, harbors, passes, etc. There are numerous historical accounts of retrenched defenders successfully repulsing sustained assaults by forces at least an order of magnitude more numerous and powerful; well-designed strongholds manned by small vigilant troops could work really well.

      Of course, there are quite a few accounts as well of supposedly impregnable fortified places being quickly taken once a traitor or a negligent insider left that kerkoporta open…

  4. Many thanks to Marcus Ranum and FM for an extremely detailed and informative discussion! I wish we saw this kind of thoughtful analysis in the mainstream news, but, alas, we simply don’t.

  5. Pingback: Defender Advantage. Hackers, Dragons and Bears ... Oh-Why!
