Wednesday, April 22, 2009

Why "cyber commands" fail

Defense Secretary Gates has announced that he wants offensive cyber warfare capability.

It's not going to work. Hacking is "asymmetric" warfare. The military is trying to shoehorn it into traditional "symmetric" warfare.

Hacking doesn't work the way it's portrayed in the movies. In the movie Swordfish, the villain puts the hero in front of a computer open to a website, puts a gun to the hero's head, and tells the hero to hack into the website in 60 seconds "or else". That's not the way hacking works, the best hackers in the world could not do that.

However, you could tell a good hacker to break into any website in 60 seconds. In hacking, it's difficult accomplishing a specific, narrowly defined goal. The broader the range of goals, the more likely the hacker will succeed at one of them.

What the military wants is a hacker squad that they can give a specific objective, and have the hackers carry out that objective within a specific timeframe. For example, they might tell hackers to take out Iran's radar at midnight so that fighter jets can enter their airspace a few minutes later to bomb their nuclear plants. That's not going to work.

What you could do is tell hackers to go after Iran and do whatever they can to disrupt their nuclear developments. One hacker might find a way to shut down safety controls and cause a nuclear meltdown, another might jam the centrifuges, another might change the firmware on measuring equipment to incorrect measure the concentration of U238.

Or, you could give the hackers six months to infiltrate Iran's computers, then come back with a list of options. Maybe disabling the radar system will be one of them, maybe not. But that's not the sort of thing the military is tasked to do - that's more an intelligence operation the CIA would be doing.

I use this scenario as an example because something similar happened in the first Iraq war in 1990, where our "hackers" were able to disable their radar by hacking into their phone network. This happened because of circumstance and luck, not because it was a carefully laid out plan to disable their radar that way.

China and Russia understand this. They don't directly employ hackers or tell the hackers to accomplish certain goals. They let the hackers have free range to do whatever they want. If the hackers come across something interesting, such as plans for the Joint Strike Fighter, the government buys it, but no government official ever told the hackers specifically to steal those plans.

The reason China and Russia can do this is because that's already the way totalitarian regimes work. A good example is the Russian "Nashi" organization. This is a militant, nationalistic youth group encouraged by the government. Among the things these thugs do is beat up journalists critical of the central government. They also show up at anti-government demonstrations to rough up the demonstrators. In this way, the government gets what it wants (suppressing dissent) without having to do the dirty work itself.

I mention the Nashi because it appears that youths affiliated with that group were also responsible for some of the cyber attacks against Estonia in that dispute in 2007. It is probable that no Russian government official directed the attacks - that's the entire point. By encouraging nationalistic groups, things like this happen without the government having to direct anything.

There are problems with this technique. Sometimes the youth groups don't do enough, sometimes they get out of hand. China props up Japan as their primary adversary, and last year, riots demonstrating against Japan got out of hand, and the Chinese government had to back down on their anti-Japan rhetoric. Whatever the costs, though, it allows the government to keep their hands clean.

So how can the United States get in on this sort of asymmetric warfare action?

The first thing is that you have to stoke some sort of nationalism in the way that Russia and China do. I'm not sure this is in our character (especially under the current president), however, so we'd probably have to find some alternative. Instead of pro-USA nationalism we could instead focus on human rights activism. The government could spend a lot of time talking to the press about the sorts of human rights abuses that go on in Russia and China. Get our own USA hackers thinking about human rights as their own causus belli.

The second thing they need to do is create a climate where our own hackers can operate. I would gladly hack into Iranian computers, but I'm not sure how this fits into US law. (I don't mind breaking Iranian law, but I'm a stickler as far as US law is concerned).

This would be similar to the "letters of mark and reprisal" used by governments during the 1700s. In those days, national navies were too small to patrol the entire ocean. Therefore, governments licensed privateers to prey upon a hostile nation's shipping. The privateers kept half the booty, and gave the other half to their respective government. This is essentially what China and Russia have done.

A third thing our military would need to do is train our hackers in the target language. Foreign hackers usually learn English, but American hackers rarely learn foreign languages, especially Russian, Chinese, or Farsi (Iranian). If we want to encourage our hackers to go after those countries in the same way they come after us, we need to encourage them to learn those languages. The military runs an excellent school in Monterey. They should recruit people at conferences like Defcon to take their language aptitude tests (right there at the conference), and for hackers who score well, pay them to attend their 6-month high-intensity language courses.

The fourth thing our military would need to do is fix their horrid purchasing processes. I experienced this when selling BlackICE to the military: it almost cost us more going through the byzantine purchase process than we got in money from the purchase. Let's say that you found a robustly exploitable Windows server vulnerability. It's worth $100,000 to our military. There is no way they could buy it. If you tried selling it to them, it would cost you more than $100,000 to go through their obstacles.

Note that I think the individuals who run our military are very, very smart. I've met several generals and colonels who understand this. The problem is that while individuals are smart, the organization is dumb as a rock. The organization crushes precisely the sort of creative thinking need to have a successful "cyber" offensive capability.


Anonymous said...

I completely agree with your sentiments. I have expanded quite at bit on the offensive side of info war at my blog

However I would disagree that you cant have a balance of the two. you can control talented strike teams with focused goals, you just have to have a moderate timeline. ANYTHING can be done with money and time. Usually the problem is the WILL and the BALLs.


Rhonda said...

An interesting concept. I think you would have many Americans ready to "sign up" and hack for their country...legally!! As a bonus, you get to learn another language or two. Maybe someone in the military will listen.


Anonymous said...

You make some very good points that many people do not understand about hacking. Most hacks are the result of circumstances and while you can create a repeatable process to identify those circumstances that facilitate a good hack, if the circumstances do not exist you cannot simply create them.

There are certainly always methods to get what you want, but using social engineering to infiltrate an Iranian data center - or simply running a bulldozer into it - are not on the table most of the time. And those methods can't be employed while sipping a latte at the coffee shop down the street.

I'm also not sure the government should give hackers carte blanche to find vulnerabilities in these foreign computer systems because it may generate too much noise and tip them off to what's going on. Certainly our own government has been tipped off by all the noise generated by foreign hackers, their inability to do anything about it is another matter.

Our government probably already has some sort of semi-covert operation that employs a group of hackers to function in the manner you describe, with at least some oversight to prevent tipping off the foreign governments to what is going on. This effort could probably be expanded upon, altho I am wary about the government's ability to attract and retain the talent necessary.

Unknown said...

I enjoyed this post, thanks!

Promoting nationalistic groups to do things may not run aligned with what the essence of the US is (or what the world sees us as), but I agree with your points about trying to horn cyber "warfare" into traditional military terms and expectations. Cyber "warfare" can be valuable, but only insomuch as your friendly hackers shake out and what digital assets they maintain over time or at that moment in time.

It should be something the CIA secretly does, and the rest of this "cyber command" should really be geared around defense and support.

Anonymous said...

"They recruit people at conferences like Defcon to take their language aptitude tests (right there at the conference), and for hackers who score well, pay them to attend their 6-month high-intensity language courses."


Robert Graham said...

"They recruit people at ..." source?They SHOULD recruit people this way, I meant to say. I edited the post and added this word.

Eric said...

On offense, you're correct. It would be difficult to hack on command, but it could be somewhat successful. The one big feature would be a targeted DDoS attack. It worked for Russia...

On defense, we really need a central cyber command. There are too many agencies doing different things. There needs to be a push for software security and increased auditing of contractor facilities.

Anonymous said...

are you scared???