Monday, June 07, 2010

Cyberwar is fiction

I'm reading various articles about the Russia's proposal, with support from the UN, for a "cyberwarfare arms limitation treaty". What astounds me is that nobody seems to realize that "cyberwarfare" is a fictional story, and that "arms" in cyberspace don't exist.

"Cyberwar" and "cyberweapons" are fiction. The conflicts between nation states in cyberspace are nothing like warfare, and the tools hackers use are nothing like weapons. Putting "cyber" in front a something is just way for people to grasp technical concepts, the analogies quickly break down, and are useless when taken too far (such as a "cyber disarmament treaty"). Unfortunately, it's the clueless people who believe in these analogies that are driving national policy.

I can disable the national power grids of half the countries in the world using nothing more than an iPhone. There is no such thing as "cyberweapons". Sure, there are tools that make this easier, but it's the person using the tools, and not the tools themselves, that are important.

What makes special forces (like the Green Berets or Navy Seals) so much better than the average soldier? Is it better weapons? No, it's better training. These guys are trained to kill you with their hands, or with a knife, or with anything that's available. The same is true with hackers: all we need is some crappy computer and a network connection, and we can hack into anything. (During a "pen-test", I've had my finger on the "off" switch for an entire country's power grid from a mobile phone).

Hacking is very technical, so we use analogies to explain how it works. The thing to remember is that these are just analogies. Any conclusions you might draw from the analogies could be wrong.

For example, let's say that you want to attack a castle. You use catapults to hurl rocks at the walls, but the walls are too strong. So, you get bigger catapults to hurl bigger rocks.

But then somebody comes to you with a better idea. He has a trained dog that can sniff out secret tunnels. You send the dog out, he finds a tunnel, your soldiers sneak in, and take control of the castle.

So, the next time you attack a castle, you send the dog out to find tunnels. However, the dog comes back without finding anything. Therefore, you conclude, you need a bigger dog. The "dog" is analogous to a "catapult", and if a bigger catapult does its job better, so must a bigger dog. (I'm assuming at this point the reader understands the foolishness of this analogy, and that the size of the dog is irrelevant).

The same is true of "cyberweapons", an analogy used to describe tools like "exploits". An "exploit" is a program that you aim at another computer in order to take control of it. Most people in our military think that if an exploit doesn't work against a well-defended computer, then you need a more "powerful" exploit. This is wrong, in exactly that same way that a "bigger dog" won't help. (Like finding secret tunnels to sneak into castles, hackers find programming bugs, then exploit them to sneak into computers).

This is why the military will never understand cyberspace. Their idea of attack and defense is based on the idea of "brute force": just throw more resources at it, such as bigger bombs, more soldiers, higher tech airplanes. Defeating enemies in cyberspace is different, means outsmarting them, and the military doesn't do smart.

Moreover, the military is very goal driven. They want weapons that have a specific effect. That's not how hacking works. Hacking is opportunistic. For example, let's say that you want to attack Iran. You might give your cyberwarriors the task of taking out their radar. That's not something the cyberwarriors could do: chances are good that the exploits they have will have no effect on Iranian radar computers.

Instead, the correct thing would be to assign your cyberwarriors the task of doing anything they can, attack any Iranian computers vulnerable to the exploits they have. It's hard to predict what the outcome would be: maybe a crash of their financial markets, disruption of their military communications, or massive blackouts.

This is why a nation's army will not be involved in a true "cyberwar": hacking just doesn't fit into the military model.

It's also why China and Russia are winning a cybewar against the United States: because it's not their armies conducting the war.

Totalitarian governments, like China, Russia, or Iran, need dirty work done, but without getting caught. They need "plausible deniability". Unfortunately, this is essentially impossible: you really can't have big conspiracies without leaking information.

To fix this, these governments sponsor nationalistic youth groups, like the "Nashi" in Russia, or the "Basij" in Iran. These groups are sympathetic to the government, but not technically under control of the government. These groups love their national government, and tend to do things that government would want, without being told.

Thus, when journalists in Russia says something critical of the government, they are beaten up (or murdered) by the Nashi. The government never tells the Nashi to beat anybody up - it just happens. At most, the government will instruct police not to investigate the crimes too heavily. As a result, Russia is one of the most dangerous countries for journalists, but without a national policy to kill journalists.

The problem with these youth groups is that since they aren't being controlled by the central government, they don't always get the right results. Sometimes the wrong people are killed, or the right journalists are ignored. It's the price the government has to pay in order to keep its hands clean.

This is what happened in the "cyberattacks" against Estonia and Georgia. The attacks were carried out by nationalistic hackers working independently from the main government. The government doesn't tell these hackers what to do; they just know that in any conflict, nationalistic youths will hack their enemy. The price Russia pays for this, though, is a lot of cybercrime within the country. (Russian hackers aren't just a problem here in America, they cause a lot of problems within Russia as well).

Our own military and intelligence organizations do not believe in this. They can only believe in conspiracies run by government - they cannot deal with the fact that the attacks coming from China and Russia are not being directed by those governments. But both Russia and China understand this. This is why Russia is pushing for a "cyberspace disarmament treaty". It would only hindered American military and intelligence services, but wouldn't affect nationalistic youth groups. American has no nationalistic youth groups. Indeed, in America, such youths are more concerned about attacking our own government and corporations ("fighting the Man") than they are about fighting foreign adversaries.

The basic truth in cybersecurity is that you don't have to build products/services that outwit hackers, you only have to outwit your customers. As long as you know a tiny bit more about hacking than your customers, they will buy anything from you. I'm seeing that a lot lately, such as the recent case of Booz and Allen hyping fictional stories about the power grid in order to secure a $34-million contract from the government. Another example is the "Center for Strategic and International Studies" (CSIS). It's a lobbying organization that produced a document that has become a blueprint for cybersecurity regulation that threatens our liberties in cyberspace. This sort of cluelessness is a bigger danger to cyberspace than Russian hackers.

The military has set up a "cyber command" to coordinate all offensive/defensive operations in cyberspace. Its commander, General Keith Alexander, gave a speech at CSIS recently. I don't know what to make of it. On one hand, he said things that demonstrate cluelessness, but on the other hand, he said things that demonstrate competence with the subject. Generals tend to be geniuses, so I would be a fool to assume Gen. Alexander is clueless, so I'll have to assume he was simplifying things for a clueless audience. I'm worried nonetheless.

So, to summarize, the idea of nation states waging cyberwar with powerful cyberweapons is utter fiction. It's an analogy we might use to describe some things, but it's not what really goes on in cyberspace. The conflicts between nation states in cyberspace are nothing like warfare, and the tools hackers use are nothing like weapons. However, this fiction is what is driving national policy, and that worries me a lot. I feel this cluelessness is a bigger danger to cyberspace than foreign hackers.

UPDATE: I just thought of another way to describe this: The military tries to make cyber fit within normal military practices, rather than changing military practices to fit in cyberspace.

BIO: The author of this blog post invented the "intrusion prevention system", a popular product for defending against attack. The author has done many "penetration tests", hacking into networks (for hire) in order to discover weaknesses. The author has created many tools that are part of pen-test/hacking toolkits. The author has reverse engineered code, discovered vulnerabilities, and written exploit shellcode.

21 comments:

silvakreuz said...

After I read your blog post (props for a very insightful piece, BTW), I read an article entitled "Computers are battlefield for AFIT students" from the Air Force Times. You may want to check that out if you haven't yet, then perhaps you could share with us your thoughts about it later on. :)

Also, as those in the security industry, I wonder what kind of role we should be playing in the fiction world of cyberwar that is beginning to be played out in real life...

Mark said...

I think you should broaden your view of warfare. A major part of military operations throughout history has been psychological warfare. Hacking could be utilized in PsyOps in several ways. On one hand, you have the obvious: hacking commonly used websites within a target country to get your propaganda to the people. On the other hand, you might have a different approach: hacking to give oppressed citizens of that country free access to media without the restrictions of their own gov't - such as China or North Korea.

Add the aspect of PsyOps to the common thought of hacking to affect infrastructure, and you could absolutely say that hacking can be a major part of warfare.

Also, as a side note, I think you might want to rethink "the military doesn't do smart." If you want to say that military policy makers are out of touch, that's one thing. To say the military as a whole lacks intelligence is just ignorant.

Jesse said...

Good points and I agree with much of it, but not all. There are plenty of State "sponsored" groups that are given specific targets and then turn over access, intell or control to the "sponsor". To say it doesn't exist is naive. It doesn't exist to the state that many are blowing it up to be and it isn't a threat to many people/organizations, but it is a threat to some.

Brian said...

I disagree. If for example the US military designed and deployed a large BOT-net with the specific purpose of being able to use it to disrupt another government or military's communications this could be considered a weapon. Call it a cyber-weapon if you want. If cyber-weapons could exist a cyber-attack could exist, and if two sovereign nations exchange attacks like this I think it could accurately be described as a cyber-war.

Kevin said...

You make a lot of great comments, but your comments about the military show that you are clueless about how warriors work.
It's a really crappy general who just wants bigger and bigger weapons. Who doesn't understand targets of opportunity and that the goal is to find the enemy's weakness and exploit it. Sure, we've had really terrible generals, but you just defined the "military" way as being oriented on the direct application of brute force.
Some times brute force works. It's a tactic. It's used in hacking too, isn't that essentially how a DDOS attack works? Just applying the brute force of a LOT of processors?
The smart soldier knows that's only one tactic though. Just like in hacking, there are many ways to defeat the enemy and bigger isn't always better.
For example, the primary development in military weapons right now is for smaller explosives that can be directed more accurately to their target.
I agree there is a lot of clueless talk about how to fight "cyberwar." It's very different, but perpetuating a stereotype of soldiers as idiots who just know how to bang on something until it breaks just demonstrates your ignorance. Go read the basics of military science: Sun-Tzu; Clausewitz, etc. Or maybe just go find "Fighting By Minutes" by Robert Leonhard (former US Army officer). You might learn something that will make you a better hacker.

Ryan said...

Very insightful post.

Given the difficulty of integrating cyber attacks into traditional military structures, it seems to me that we should look to an older, more opportunistic military tradition: privateers.

It would work something like this: The government announces it is issuing cyber letters of marque against country X in support of its war effort there. Interested hackers sign up, are given official documents denoting precisely what they can legally do, and are allowed to attack targets at their discretion. The government guarantees immunity from prosecution for acts within the predetermined scope of the letters, and the hackers are allowed to keep and/or sell any data they seize as a reward.

This system would preserve the rule of law by providing a clear distinction as to when hacking is permitted and when it isn't; hackers would face prosecution by their own governments if they attack without authorization. It would create a publicly verifiable way of determining who is attacking whom, while still allowing governments to wield cyberattacks against their enemies. And it would provide a great way for the US to develop its own pool of hacker militia.

David Dennis said...

You have a lot of great comments, but I think you underestimate a lot of military minds. The essence of successful warfare has always been to find thte enemy's weaknesses and exploit them in the most efficient manner at your dispoal.

One thing that is often overlooked in these discussions is the difference between the evaluation of military capabilities and arms control diplomacy. The former can be very free flowing and opportunitistic while the latter must define systems that are verifiable.

The problem with many weapons today is that they use many dual-use components. Consider all the problems we have limiting NBC weapons. Computers could be considered the most dual-use weapon of all. Some technologies may never be adequately controlled because of their civilian use. i guess that's why we've never been able to ban the use of internal combustion engines for military purposes.

Robert Graham said...

Mark: I think you should broaden your view of warfare...

Well, yes, hacking should be used in warfare. My point is that the analogies like "cyberweapons" aren't valid.

Mark: To say the military as a whole lacks intelligence is just ignorant.

Individuals are brilliant. The military as a whole is stupid.

The average colonel I've met is much smarter than the average Ph.D. Generals are even smarter.

But the military suffers from "diseconomy of scale". The organization is stupider than the individuals in it.

xpda said...

"Most people in our military think", "the military will never understand", "Our own military and intelligence organizations do not believe in this. They can only believe in conspiracies run by government"

There are a lot of generalizations here. The cybercommand has a lot of competent young brains in it, too, complete with experience.

horia314 said...

The average colonel I've met is much smarter than the average Ph.D. Generals are even smarter.

That's a really interesting topic. Could you elaborate on that a little? I find it somewhat counter-intuitive. I don't want to dismiss the army, but I never associated officers with the kind of intelligence you'd find in a scientist.

RU_Trustified said...

You make some good points about the nature of adversaries but also make some questionable assumptions that other commentors have spoken to. It may be a mistake to lump all gov/ DoD leadership together. Sure there are some really uninformed, clueless dorks, but there are many dedicated, brilliant officers who are seeking guidance on what works. Since the industry as a whole in regarded to be in its infancy, is it really that fair to expect DoD to be any further ahead?

Definitional confusion aside, civilian disruption by attacking the other side's critical infrastructure is not an unreasonable assumption and rather than focus on adversaries that one has no control over, a move to inherently secure systems to maintain a last man standing in a cyber shoot-out is probably a good strategy. This and the problems with deterrence as a strategy are discussed in the following white paper:

Cyberwar and Cyberterrorism

http://cybersecureinstitute.org/docs/whitepapers/Habiger_2_1_10.pdf

Robert Graham said...

horia314: That's a really interesting topic [colonels smarter than Ph.D.s]. Could you elaborate on that a little? I find it somewhat counter-intuitive. I don't want to dismiss the army, but I never associated officers with the kind of intelligence you'd find in a scientist.

Your perception of the military comes from movies and TV shows that show military men as bumbling idiots. Mine comes from personal experience dealing with the military.

The military is meritocracy. Every few years, officers are either promoted or kicked out in order to make room for the next set of officers below them. Those that survive to became Generals are the cream of the crop. They are highly capable leaders and enormously intelligence. Indeed, most Generals also have a Ph.D. -- they don't mention it much, because "General" is a much more prestigious title than "Doctor".

The process isn't perfect; there is a lot of politics and smoozing involved, but even the worst of them deserve our respect.

Kevin said...

But the military suffers from "diseconomy of scale". The organization is stupider than the individuals in it.
Stupider in what way? I think you are thinking more in terms of reaction time and decisiveness than actual intelligence.
The military as a whole definitely takes longer than an individual to change direction and to make decisions, but that is because it is huge. Generally, it does these things very quickly for an organization of its' size and complexity.
Organizations within the military like SAMS (School for Advanced Military Studies) and CALL (Center for Army Lessons Learned) work hard to make the organization smarter. The various training centers work hard to put that information into practice.
The main area where the military has problems is in procurement and that's a tough nut to crack with all of the money involved.
I'm trying to see your perspective and I'd love to hear some examples of the military as a stupid organization.

Ari said...

The arms race in military is about fuzzers and exploit-frameworks.

The new owner of Metasploit is definitely targeting military as key market. Also Immunity Canvas running on N810 looks like a weapon to me, at least it is difficult to think of any legal use for such tool.

Commercial fuzzing tools that run on small laptops or PDAs like Beyond Security and Codenomicon Defensics are definitely dangerous tools if given to a smart offensive guy, although fuzzers are quite useless in direct fire as they are too noisy. Some of these fuzzing tools also do tens of thousands of attacks per second on a regular 4x4 laptop if you want that stupid brute-force approach.

Ari said...

Uh, 4x4 laptop might still be out of reach today, but I meant to say 4-core. ;)

BlaiseP said...

The castle metaphor doesn't translate into warmaking. I've done consulting for apps on SIPRNET. There is only one recipe for the warmaker, laid out long ago, and perfectly congruent with cyberwarfare. It is by Sun Tsu

Therefore, one who does not know the intentions of the rulers of the neighboring states cannot secure alliances.

One who does not know the mountains and forests, gorges and defiles, swamps and wetlands cannot advance the army.

One who does not use local guides cannot take advantage of the ground.


War is information.

Rush-- said...

"Defeating enemies in cyberspace is different, means outsmarting them, and the military doesn't do smart."

This comment alone shows a terrible lack of understanding and an absolute sideline perspective. I agree this statement needs rethought. By this line of thinking, I suppose that it would be safe to say that cybercrime doesn't exist either. Criminals steal things and hurt people. Not play computer games. After all it's all just ones and zero's, right? How can someone be hurt by that? Tell that to the FBI.

"It's hard to predict what the outcome would be: maybe a crash of their financial markets, disruption of their military communications, or massive blackouts." Sounds like a plan. Just a guess, but I would say it's one that our military (that doesn't do smart)trains on and practices on daily (if not hourly), both offensive and defensive.
I agree that the term cyberwar is one that is regularly hyped up by those that benefit from it. As is every other word in the English language. "Weapons of mass destruction" is another, although it would be foolish to believe that the over-hyping of the term impedes their actual existence. (Although I will defer to Hawking or Aristotle in matters such as these.)
"It's also why China and Russia are winning a cyberwar against the United States: because it's not their armies conducting the war." This comment seems to be nothing more than personal speculation presented to the readers as fact. "Totalitarian governments, like China, Russia, or Iran, need dirty work done, but without getting caught. They need "plausible deniability". Unfortunately, this is essentially impossible: you really can't have big conspiracies without leaking information." These are not "conspiracies". They are what would be considered military operations. To believe that a foreign government cannot conduct operations without leaks is... the word that strikes me is "clueless".
There are many different actions that can be considered an "act of war". It seems that the best definition would be something along the lines of "when one nation attacks another". That, to me, seems as entirely plausible in cyberspace as it is in outer space.
Also, to say: "During a "pen-test", I've had my finger on the "off" switch for an entire country's power grid from a mobile phone" seems to be using the same types of hype tactics that the Author decries in this piece. While the hand held device may have been the trigger to that particular exercise, the statement implies that it was the ONLY tool involved. No mention of what would need to be an entire network (satellites, relays, etc)to facilitate such an attack, nor of the multiple computers and networks involved in researching and preparing the actual infiltration. To perpetrate that kind of breach with ONLY a mobile phone would take a long time (like hundreds of years)and at least a wall outlet, unless the Author is in possession of a solar powered cell phone with a processor capable of a petaflop. I would suspect if that is true, Steve Jobs would want his phone back.
When the US Navy broke the JN-25 code during WW2, under Commodore John Rochefort, while I would not consider the IBM punch card machines used to be "weapons" it would be a long stretch to believe it wasn't "warfare".

geowash01 said...

"This is why the military will never understand cyberspace. Their idea of attack and defense is based on the idea of "brute force": just throw more resources at it, such as bigger bombs, more soldiers, higher tech airplanes."

Not so much. I'll grant your claim to expertise in your chosen field, but you no nothing about mine. Might want to study up before you put such silly claims into print.

HaroldJRoth said...

Speaking of penetration attacks, I think you have a look at your post. One of the cross referenced images has been vandalised, and a rather unflattering message left.

|FM-76| said...

Cyberwar is a racket, fiction or not. Cyberwar is the return to cold war status, a war of espionage. Calling it 'cyber' just makes it sound futureistic and loosens purse-strings.

been covering this for a while at sovasec.com

Tanker said...

Excellent thoughts - a few points to share on the conundrum of leading edge thinking from the military (a gross generalization to be sure) from a retired Army officer.

With all due respect to those engaged in national defense there are two aspects to share with the general public about the military involvement in the cyber arena.

The first is that the services collectively are a representation of our society at large, and as such have very rapidly adapted the use of many computers, networks, and net centric decision making into their daily (and warfighting) lives. As such the military, like any other large endeavor, has a crucial interest in defense of their networks. This defense cannot be adequately outsourced due to the sensitivity of much of the information and the often dangerous field environment in which much of this work is executed. That said the involvement of the military in the cyber defense aspects is a necessary effort to protect our troops in the field.

The second thought is on the paradigm of military control of the cyber offense. A better analogy might be seen in the difficulties encountered at the start of OEF (Afghanistan) by the "special operators" (Green Beret and the other services special warfare elements) as they fought for funding and support in an Army that has traditionally been focused on conventional warfare. The Army has focused on the most dangerous (but least likely) warfare scenario as the best way to ensure the National Defense. The "special operators" are also a group that does not fit with the Army's traditional line thinking and struggle for operational freedom and flexibility. (Cerrtainly the Army realized and acted on this need after OEF opened up, but it was an effort to reorient and not in the normal way of doing things).

This is why the military has set up a seperate command to try to deal with the self-acknowledged flexibility issues of a traditional line organization.
I would also note that the military uses a number of security cleared outside contractors to try to get around the innivation issue by using our good old capitalist system to seek the best tools for defense of the nations military infrastructure.