Friday, June 07, 2013

If we can shoot them, we can cyber them

The latest Greenwald/Guardian leak is a Presidential directive covering offensive cyberwarfare. As someone with some experience in this field, I find nothing particularly interesting.

All the document says is that "cyber" is the same as "kinetic" warfare. Any rules that apply to shooting somebody also apply to hacking them. It means, for example, that the CIA or military can't go off on its own and hack a foreign country without going through the chain of command.

Consider what would happen if Iran comes to the President with conclusive proof that it was hacked by the United States military, but that the President knew nothing about it. He wouldn't like that. He, quite rightly, wants to be in the loop on any such thing.

What you should understand from this is that it doesn't make the United States a potent enemy in cyberspace. Quiet the reverse.

The #1 rule about hacking is that it's opportunistic, not deterministic. What that means is that hackers hack what they can, not what they want to. The high-profile hacks performed by Anonymous/LulzSec didn't happen because those (except for maybe Sony) were the specific targets. Instead, Anonymous chose a hacking method first, like phishing, SQL injection, or password theft, and then used those techniques against any target that was available. When they came across interesting victims, like Stratfor, they hyped the heck of it, making it look like that was the intended target all along.

That's why China is just a potent hacking force. Unlike Obama's directive, their hacking isn't controlled from the top down. Their leaders set goals like becoming the #1 manufacturer of turbines, and leave their underlings free to accomplish those goals, which may involve hacking U.S. turbine manufacturers.

It  that Chinese hacking is more opportunistic than deterministic that they more successful at it than the United States.

It isn't that the United States is impotent in cyberspace. We have an enormous lead in technical capability and investment in cyberwarfare. This balances out our insistence on deterministic hacking rather than opportunistic hacking.

That we are weakier cyberwar than our potential is probably a good thing: adherence to the rule of law is what makes us different than bad countries like China and Iran. For all the bad revelations about NSA spying on American citizens that came out recently, we should keep in mind that it's still done (however wrongly) within the rule of law.

1 comment:

Richard Steven Hack said...

Did someone forget who developed Stuxnet?