Thursday, September 05, 2013

Cyberwarfare is like sniping: "If you don't have DOPE you don't have a shot"*

I disagree strongly with this article by Jason Healey in The Atlantic. To put a finer point on my disagreement: I am against the “demystifying” of cyber weapons to show they have humanitarian value.

Cyber weapons do not have peace keeping or humanitarian value. The inconsistency of cyber weapons means that they are not integrated into an order of battle; meaning, to be effective they have to be in use all the time and the results gained can be used to plan operations.

If an operations commander were to go to a cyber warfare group and ask for something that a kinetic team could accomplish, perhaps turning off the lights in a city at midnight tomorrow to send a message or support a planned operation,  the likely answers would be:

1. “Let me see if we already own something there.”
This means that the target has been compromised in the past and a rootkit may have been left behind. Of course there is no guarantee because the rootkit could have been discovered, the machine that was infected could have been replaced or even egress firewall rule changes could block access. 
2. “We can attempt to gain access, but no promises.”
This means the cyber warriors will have to collect data on the target and attempt a cold notice infiltration.** Unless there are servers with sql injection or easy to hit buffer overflows, exploitation will not work. 
3. “We can deploy some high speed commandos to place a key logger on someone's computer, and nab a password that will hopefully get us access to the important systems.”
Think about the game "Splinter Cell." This could work -  but you would already need operatives in the area briefed and ready to breach the facility.***  
"Hey buddy, whats you PGP passphrase?"
4. “Don’t you have guys for that? I keep reading about these JSOC commandos...”
This equates to “we cannot get the job done in the allotted time, please look for other solutions to your warfighting needs.” 

The “demystifying” part is what really gets me. Cyber weapons rely on secrecy to work. The POTUS can’t go on TV and say “We will go with a cyber solution utilizing rootkits we have intalled over the years in their military network.” That just sounds bad. It confirms the now widely-held notion that we are the world's Cyber-overlord and we're constantly looking for ways to put the rest of the world under our Cyber-thumb. Announcing the intended use of Cyberwar tools ahead of time is just bad strategy: the target would suddenly start scrubbing critical machines, changing passwords, and tightening firewall rules.

Do you remember the first Gulf War where plenty of jokes were made about Iraq getting all of its useful intel from CNN? A repeat of the fiasco would occur if the government tried to demystify its cyberwar capabilities.  It isn't hard to imagine a scenario where a forewarned adversary will prepare systems to observe an infiltration, and thus gain invaluable knowledge of Tactics, Techniques, and Procedures used by friendly forces. In the "cyberwar" world, giving away your methods is a good way to see them turned back on you.  It would also invalidate your DOPE.

"I wouldn't be here if people just ignored patches and clicked on everything in email...but noooo..."

* DOPE is an acronym used by trained marksmen around the world, meaning Data On Previous Engagement. This means the operator of a kinetic weapon system, such as a sniper and his rifle, have prepared ballistic data on the effect of his projectile on a target at a predetermined range and with consideration for atmospheric conditions, as well as target attributes such as movement and vulnerability.
**In cyber warfare a "cold notice infiltration" means you don't have any prior data on the target so you do everything from footprint and recon to exploitation in one step often in a very short timeframe. This is opposite of a "hot notice infiltration" which means all the steps to infiltrate a target are done individually and with a lot of prep time.
***We could also talk about the usefulness of a kinetic option to deliver a cyber payload but I feel this blog post has already hit the point of over thinking.

No comments: