Posts Tagged ‘cyber warfare’
Tufts Democrats: What did you think?
The Tufts Democrats got an earful from me about how US foreign policy on cyberspace hasn’t advanced significantly in fifteen years. I complained that a whole lot of basic questions haven’t been settled, and drew on some key national documents to verify that is the case.
They were more impressed with my rapid-fire interactive summaries of Hollywood takes on cyberwar and cyber dystopia. Or so they tweeted.
Jumbos: what did you think? Please post in the comments. Thanks!
Current events for Beth’s class
Beth Chalecki asked me to give a talk on cyber security for her course at Boston College. While I won’t post the slide deck here, I will compile a reading list on the blog. I’d like to note that the blogroll at right includes several of the big names in the field: Bruce Schneier, C. Warren Axelrod, Ross Anderson, David Rice, Alessandro Acquisti, and others.
Documents
- National Strategy to Secure Cyberspace (US-CERT)
- Cyberspace Policy Review (White House Office of Cybersecurity)
- Presidential Decision Directive 63 (Clinton via FAS)
- US Cyber Command fact sheet and website
News items
- Stuxnet
- Ghostnet
- Estonia
- Georgia
- Rod Beckstrom
- Howard Schmidt
- William Lynn discusses the cyber domain in Foreign Affairs
Academic works
- Technology, Policy, Law and Ethics Regarding US Acquisition of Cyberattack Capabilities (Owens, Dam and Lin, eds.), full text at MacArthur Foundation
- Proceedings of a Workshop on Deterring Cyber Attacks (National Research Council Committee on Deterring Cyberattacks, Steinbruner, chair) *
- Building Security In (Gary McGraw and US-CERT)
- Cyber Warfare and Cyber Terrorism (Janczewski and Colarik, eds.)
- Cyberpower and National Security (Kramer, Starr and Wentz, eds.)
- Cyberpower (Nye)
- Cybersecurity Agenda (EastWest Institute)
- Commission on Cybersecurity for the 44th Presidency and their final report
- International Guide to Cyber Security (Westby)
* Beth: if you’d like to tackle cyber deterrence, Lukasik’s conference paper in these Proceedings (eds. Steinbruner et al., 2010, pp 99-111) is an interesting departure point for debate.
Full hearing: US Senate on Cyber War Readiness
Highlights from the US Senate panel on cybersecurity 23 February 2010.
Mary Ann Davidson, CSO (Oracle). Required reading! Ms. Davidson masters the subject in bright prose. This is an excellent indictment of the rush to deploy smart grid technologies before we’ve had time to harden them from the types of attacks that routinely take computers off line. Thought experiment: what level of unplanned downtime would you be comfortable with for your house’s electrical power? water? energy? Would you try to save 10% on your electric bill for a system that you couldn’t be sure would work more than 99.9% of the time?
Even better, Ms. Davidson points out a crucial flaw in education. Computer science is applied mathematics, and few departments teach young programmers how to write secure software. If university departments don’t teach secure programming, we will need professional certifications to substitute, as with medical residencies, CFA exams for financial analysts, and professional societies for engineers and architects.
Vice Admiral Mike McConnell (Booz Allen Hamilton). Sound bite: “If there were a cyber war today, the United States would lose.” Some excellent recommendations for training a new class of software engineers, security professionals, and managers. Don’t be distracted by the salacious and unwarranted assertion at the outset. The rest of the testimony is good, and nobody is better informed than the Admiral.
Dr. James A. Lewis (CSIS). A couple of interesting metaphors. He compares cyberspace to a condominium and to a shopping mall, meaning that the space is all privately owned, and that neighbors have a compelling interest in one another’s behavior. Therefore all should be willing to submit to greater regulation. I’m inclined to agree with Borg’s statement (below) that government regulations are unlikely to keep pace with the rate of innovation. Rather than ask the government to certify that buildings are safe, wouldn’t we be better off with private certification of a standard of risk, as we currently do with automobiles, houses, and financial management? Computers and especially software are endlessly complicated, and don’t lend themselves well to the same type of governance as broadcast media and airplane safety.
Lewis also makes a crucial overstatement when he says that there are no rules on the Internet or that the Internet is a wild west. Actually many national and state authorities have control over Internet commerce, fraud, and even transborder crimes. At a more fundamental level, Lewis’ lawless vision of the Internet is fundamentally at odds with Internet governance over every layer of the Internet, from the development of hardware standards and Internet protocol, to the assignment of names and numbers, to the software that runs servers and home desktops. Re-read Lessig, and see if you can imagine the Internet truly without rules.
Scott Borg (US-CCU). Focuses on 3 central problems: (1) the conflict is already here; (2) cyber conflict threatens future American prosperity; (3) fixing markets is the key to improving cyber security. I agree with Borg, but then I’m biased.
Rear Admiral James Arden Barnett, Jr., Ret. (FCC). An interesting point of view. I don’t have any problem with DHS assisting the country with situational awareness, but the philosophy of defense is extremely centralized. The greatest specific policy errors of homeland security in the last ten years have been efforts to provide one-size-fits-all information and requirements from a central national office: the national threat level scale, vastly increased expenditures on passenger screening at airports, and advice on creating a safe room for chemical gas attacks inside your home. There are too many computers, and too many businesses to expect that federal marshals can secure their IT infrastructure for them. Effective homeland defense will require businesses and individuals to have cheap, effective, and secure choices to accomplish the things they already know how to do: run their businesses and their households.
Another failed attempt to resurrect deterrence for cyber war
Cyber war creates far more than its share of Maginot strategy. How is it that we can hope to make deterrence work without the three elements that supported it during the nuclear age? McConnell’s article dated this coming Sunday (2/28/10) [sic] outlines three conditions, and then claims that the failure of these conditions isn’t really a problem. It’s a giant problem. Future cyber warriors will not suffer from our empty threats to respond with catastrophic cyber or conventional weapons.
During the Cold War, deterrence was based on a few key elements: attribution (understanding who attacked us), location (knowing where a strike came from), response (being able to respond, even if attacked first) and transparency (the enemy’s knowledge of our capability and intent to counter with massive force).
All three of these conditions fail.
60 Minutes covers cyberwar
Steve Kroft of 60 Minutes covers cyberwar from the perspective of computer network operations and critical infrastructure. It is a welcome change from the usual fare of robotic weapons, web defacement, and online chat group flame wars. The video and transcript are available at 60 Minutes. Well worth the watch.
Space is a terrible metaphor for cyber space
Physical metaphors for cyber space create pernicious mistakes of intuition about strategy. The lay of the land determines a great part of battlefield strategy. Cyber space is as unfamiliar and surprising as a trip through the looking glass, frustrating many efforts to understand cyber strategy by way of analogy to physical space. Writing about cyber strategy would be greatly improved by careful attention to the shape of the battlefield. The battlefield is a vast, multi-layered network and not a physical terrain.
Problems with the metaphor of space for cyberspace
- Single physical location fails in two directions. One actor can be located in more than one location. One location can exist in more than one physical jurisdiction, or in the global commons (e.g., satellite Internet link to offshore platform).
- Perimeter defenses don’t work.
- The analogy to physical movement and distance yields poor intuition about movement in cyber space, e.g., velocity, acceleration, time to penetrate defenses, and maneuver.
- Control of physical objects is a particularly poor metaphor for cyberspace analogs, which require neither direct physical access nor the attention of an individual. In physical space, individual agents control only those objects within reach; creation of new objects requires logistics, procurement.
- Crucial capabilities for control: autonomy of maneuver, force projection over a territory.
- Changing the physical landscape is time-consuming, expensive, and hard to conceal.
Concepts for cyber security
- Network locations. IP address, physical layer, hardware within the machine (MAC, SIM), organization providing Internet access (ISP, cell network, satellite link), states with governing authority over telecoms.
- Access control, difficulty of forging authentication, multiple factors of authentication, time-based security.
- Network measures of distance. Servers mediating access to a target system. Physical barriers mediating access to a system.
- Manipulation of remote systems is cheap, automated, replicable. Millions of poorly protected machines are widely available.
- Crucial capabilities for control: IT control policies and procedures, jurisdiction, surveillance, and collaboration in law enforcement, counter-intelligence.
- The network topology is a policy choice. Control over topology is shared between governments, business, civil society, and individuals. Topology is actively controlled by actors before, during, and after conflict.
Just as the domain of air warfare required new strategy, so does the cyber domain. The air domain vastly increased the reach of a few actors. Air operations prioritized the defense-industrial base, which could replace assets lost in battle. Together, air and naval power permitted the projection of power at previously unimagined distances.
Collateral damage in cyber warfare
John Markoff and Thom Shanker recently covered collateral damage in cyber conflict for the NY Times. Unfortunately, collateral damage in cyber conflict is extremely difficult to distinguish from (a) chance and (b) the intended effect of offensive operations. From their article featuring John Arquilla:
In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the United States invaded Iraq. He would have no money for war supplies. No money to pay troops….
But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but would instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the United States.
Fears of such collateral damage are at the heart of the debate as the Obama administration and its Pentagon leadership struggle to develop rules and tactics for carrying out attacks in cyberspace.
Geographic Location of Attack Servers: UK
In yesterday’s post, I pointed out that escalating a cyber conflict was not in the best interest of the United States. Here is the scenario: based on the identities of the sites under attack and the nature of the code being used, a number of allegations surface that North Koreans are behind the attacks. US Congressmen call for a show of force in cyber space.
What are the problems with this scenario? We don’t actually know who carried out the attacks. We certainly don’t know who gave the order to do so. We don’t know why the order was given. And we don’t know whether, by retaliating against the target du jour, we are hurting (or, at worst, actually helping) our true adversary.
Wired’s Kim Zetter reported yesterday that the master server is located in the UK. (Cheeky URL: Brits Attack US.) So what do we learn from that? Should we add the UK to the list of potential adversaries? Should we quarantine all web traffic from the UK until they have cleaned up their act? Should we launch a show of force against the UK in cyber space to demonstrate that we mean business? Imagine if the same server had been located in Hong Kong, or Tehran, or Somalia. The howls for retaliation would be far louder.
Danger of Inadvertent Cyber War
America’s failure to reach consensus with foreign powers on what constitutes an act of war in cyber space presents the danger of an inadvertent war. Expert opinion is split on the question of whether cyber attacks can ever reach the level of an act of war. Bruce Schneier recently pooh-poohed web defacement as a truly unserious national security threat. Richard Clarke has been a tireless advocate for the flip side of the argument, namely that cyber attacks are a completely new type of threat to national security that require new policy and new capabilities. Peter Singer writes and recently gave a TED talk about the increasing and mechanization of conventional force-on-force conflicts.
At least one US Congressman is eager to escalate a cyber conflict with purported North Korean botnet commanders.
US President Barack Obama has been urged to launch a ‘show of force or strength’ against North Korea following allegations made of distributed denial-of-service attacks.
Congressman Peter Hoekstra, the lead Republican on the House Intelligence Committee, told the Washington Times’ America’s Morning News radio show that it was time for America, South Korea, Japan and others to stand up to North Korea.
Hoekstra claimed that if action is not taken, the next time they attack “they will go in and shut down a banking system or manipulate the electrical grid either here or in South Korea. Or they will try and miscalculate, and people will be killed.”
His claims were quickly dismissed however, with Alex Eckelberry, president and CEO of Sunbelt Software, claiming that Hoekstra’s claims are based on nothing. He said: “We have not heard or seen a credible shred of evidence that North Korea is behind these attacks.
“We learned a harsh lesson not so long ago on military action based on flawed intelligence and hysteria. Let’s not repeat the same thing again.”
Battlefield focus ignores strategic cyber attacks
The focus of most reporting on cyber attacks and cyber security in military circles continues to distract the debate away from campaign level cyber attacks. Rather than discussing what a skilled nation-state adversary would do with currently available, known cyber attack strategies, coverage tends to focus on battlefield applications of information technology.
Take, for example, this story (excellent reporting, by the way). The headline calls attention to espionage, but the focus of the article is clearly on narrow tactical applications of information technology in urban warfare.
The impetus to establish rebuild the Army’s electronic warfare capability came as a result of Radio Controlled Improvised Explosive Devices (RCIED), said Lt. Col. Fred Harper, a key analyst for the TRADOC Capabilities Manager Computer Network Operations Electronic Warfare (TCM-CEW) Division under CDID.
“At the initial stages of our involvement in Iraq, the Army found itself fighting against insurgents who were using relatively simple electromagnetic devices with great effect to attack our Coalition forces,” said Harper.
Almost immediately after the Sept. 11, 2001 attacks against the U.S. mainland, President George W. Bush ordered troops into Afghanistan and shortly thereafter into Iraq. Subsequent events on the battlefields began to highlight the vital importance of controlling the EMS. Determined insurgents in Iraq began building large numbers of roadside bombs from salvaged ordnance left behind by the Iraqi military which were then detonated in highly effective attacks against U.S. convoys and personnel using off-the-shelf commercial electromagnetic-based devices such as cell phones or garage door openers. This was followed by similar attacks in Afghanistan.
