tag:blogger.com,1999:blog-37798047.post2807886553387202341..comments2024-01-16T05:48:33.523-05:00Comments on Errata Security: Cyberwar is fictionDavid Maynorhttp://www.blogger.com/profile/09921229607193067441noreply@blogger.comBlogger22125tag:blogger.com,1999:blog-37798047.post-19340836071588717542020-11-16T14:45:25.151-05:002020-11-16T14:45:25.151-05:00This comment has been removed by a blog administrator.Ehirehackerhttps://www.blogger.com/profile/01675917362857209752noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-55474596053290271032010-06-12T11:41:02.303-04:002010-06-12T11:41:02.303-04:00Excellent thoughts - a few points to share on the ...Excellent thoughts - a few points to share on the conundrum of leading edge thinking from the military (a gross generalization to be sure) from a retired Army officer.<br /><br />With all due respect to those engaged in national defense there are two aspects to share with the general public about the military involvement in the cyber arena. <br /><br />The first is that the services collectively are a representation of our society at large, and as such have very rapidly adapted the use of many computers, networks, and net centric decision making into their daily (and warfighting) lives. As such the military, like any other large endeavor, has a crucial interest in defense of their networks. This defense cannot be adequately outsourced due to the sensitivity of much of the information and the often dangerous field environment in which much of this work is executed. That said the involvement of the military in the cyber defense aspects is a necessary effort to protect our troops in the field.<br /><br />The second thought is on the paradigm of military control of the cyber offense. A better analogy might be seen in the difficulties encountered at the start of OEF (Afghanistan) by the "special operators" (Green Beret and the other services special warfare elements) as they fought for funding and support in an Army that has traditionally been focused on conventional warfare. The Army has focused on the most dangerous (but least likely) warfare scenario as the best way to ensure the National Defense. The "special operators" are also a group that does not fit with the Army's traditional line thinking and struggle for operational freedom and flexibility. (Cerrtainly the Army realized and acted on this need after OEF opened up, but it was an effort to reorient and not in the normal way of doing things). <br /><br />This is why the military has set up a seperate command to try to deal with the self-acknowledged flexibility issues of a traditional line organization. <br />I would also note that the military uses a number of security cleared outside contractors to try to get around the innivation issue by using our good old capitalist system to seek the best tools for defense of the nations military infrastructure.Tankerhttps://www.blogger.com/profile/06525163089838679339noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-61503021488013307572010-06-11T09:11:35.498-04:002010-06-11T09:11:35.498-04:00Cyberwar is a racket, fiction or not. Cyberwar is ...Cyberwar is a racket, fiction or not. Cyberwar is the return to cold war status, a war of espionage. Calling it 'cyber' just makes it sound futureistic and loosens purse-strings.<br /><br />been covering this for a while at sovasec.comUnknownhttps://www.blogger.com/profile/03508694740493150534noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-28431146419157204972010-06-10T05:47:54.080-04:002010-06-10T05:47:54.080-04:00Speaking of penetration attacks, I think you have ...Speaking of penetration attacks, I think you have a look at your post. One of the cross referenced images has been vandalised, and a rather unflattering message left.Donal Laffertyhttps://www.blogger.com/profile/03774394152075726159noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-41344312447585915922010-06-08T17:01:14.054-04:002010-06-08T17:01:14.054-04:00"This is why the military will never understa..."This is why the military will never understand cyberspace. Their idea of attack and defense is based on the idea of "brute force": just throw more resources at it, such as bigger bombs, more soldiers, higher tech airplanes."<br /><br />Not so much. I'll grant your claim to expertise in your chosen field, but you no nothing about mine. Might want to study up before you put such silly claims into print.Unknownhttps://www.blogger.com/profile/15935545192276949937noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-64420983551661802482010-06-08T16:44:26.224-04:002010-06-08T16:44:26.224-04:00"Defeating enemies in cyberspace is different..."Defeating enemies in cyberspace is different, means outsmarting them, and the military doesn't do smart."<br /><br />This comment alone shows a terrible lack of understanding and an absolute sideline perspective. I agree this statement needs rethought. By this line of thinking, I suppose that it would be safe to say that cybercrime doesn't exist either. Criminals steal things and hurt people. Not play computer games. After all it's all just ones and zero's, right? How can someone be hurt by that? Tell that to the FBI.<br /><br />"It's hard to predict what the outcome would be: maybe a crash of their financial markets, disruption of their military communications, or massive blackouts." Sounds like a plan. Just a guess, but I would say it's one that our military (that doesn't do smart)trains on and practices on daily (if not hourly), both offensive and defensive.<br />I agree that the term cyberwar is one that is regularly hyped up by those that benefit from it. As is every other word in the English language. "Weapons of mass destruction" is another, although it would be foolish to believe that the over-hyping of the term impedes their actual existence. (Although I will defer to Hawking or Aristotle in matters such as these.)<br />"It's also why China and Russia are winning a cyberwar against the United States: because it's not their armies conducting the war." This comment seems to be nothing more than personal speculation presented to the readers as fact. "Totalitarian governments, like China, Russia, or Iran, need dirty work done, but without getting caught. They need "plausible deniability". Unfortunately, this is essentially impossible: you really can't have big conspiracies without leaking information." These are not "conspiracies". They are what would be considered military operations. To believe that a foreign government cannot conduct operations without leaks is... the word that strikes me is "clueless".<br />There are many different actions that can be considered an "act of war". It seems that the best definition would be something along the lines of "when one nation attacks another". That, to me, seems as entirely plausible in cyberspace as it is in outer space.<br />Also, to say: "During a "pen-test", I've had my finger on the "off" switch for an entire country's power grid from a mobile phone" seems to be using the same types of hype tactics that the Author decries in this piece. While the hand held device may have been the trigger to that particular exercise, the statement implies that it was the ONLY tool involved. No mention of what would need to be an entire network (satellites, relays, etc)to facilitate such an attack, nor of the multiple computers and networks involved in researching and preparing the actual infiltration. To perpetrate that kind of breach with ONLY a mobile phone would take a long time (like hundreds of years)and at least a wall outlet, unless the Author is in possession of a solar powered cell phone with a processor capable of a petaflop. I would suspect if that is true, Steve Jobs would want his phone back.<br />When the US Navy broke the JN-25 code during WW2, under Commodore John Rochefort, while I would not consider the IBM punch card machines used to be "weapons" it would be a long stretch to believe it wasn't "warfare".Rush--https://www.blogger.com/profile/05849472422048143173noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-46752568101499795242010-06-08T14:20:28.857-04:002010-06-08T14:20:28.857-04:00The castle metaphor doesn't translate into war...The castle metaphor doesn't translate into warmaking. I've done consulting for apps on SIPRNET. There is only one recipe for the warmaker, laid out long ago, and perfectly congruent with cyberwarfare. It is by Sun Tsu<br /><br /><i>Therefore, one who does not know the intentions of the rulers of the neighboring states cannot secure alliances. <br /><br />One who does not know the mountains and forests, gorges and defiles, swamps and wetlands cannot advance the army.<br /><br />One who does not use local guides cannot take advantage of the ground. </i><br /><br />War is information.BlaisePhttps://www.blogger.com/profile/00890630028015025979noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-15708546411417103652010-06-08T02:22:44.370-04:002010-06-08T02:22:44.370-04:00Uh, 4x4 laptop might still be out of reach today, ...Uh, 4x4 laptop might still be out of reach today, but I meant to say 4-core. ;)Unknownhttps://www.blogger.com/profile/01338530422469554222noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-65807686852933790062010-06-08T02:20:52.091-04:002010-06-08T02:20:52.091-04:00The arms race in military is about fuzzers and exp...The arms race in military is about fuzzers and exploit-frameworks. <br /><br />The new owner of Metasploit is definitely targeting military as key market. Also Immunity Canvas running on N810 looks like a weapon to me, at least it is difficult to think of any legal use for such tool.<br /><br />Commercial fuzzing tools that run on small laptops or PDAs like Beyond Security and Codenomicon Defensics are definitely dangerous tools if given to a smart offensive guy, although fuzzers are quite useless in direct fire as they are too noisy. Some of these fuzzing tools also do tens of thousands of attacks per second on a regular 4x4 laptop if you want that stupid brute-force approach.Unknownhttps://www.blogger.com/profile/01338530422469554222noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-3326871276624531032010-06-07T22:43:06.346-04:002010-06-07T22:43:06.346-04:00But the military suffers from "diseconomy of ...<i>But the military suffers from "diseconomy of scale". The organization is stupider than the individuals in it.</i><br />Stupider in what way? I think you are thinking more in terms of reaction time and decisiveness than actual intelligence. <br />The military as a whole definitely takes longer than an individual to change direction and to make decisions, but that is because it is huge. Generally, it does these things very quickly for an organization of its' size and complexity.<br />Organizations within the military like SAMS (School for Advanced Military Studies) and CALL (Center for Army Lessons Learned) work hard to make the organization smarter. The various training centers work hard to put that information into practice.<br />The main area where the military has problems is in procurement and that's a tough nut to crack with all of the money involved.<br />I'm trying to see your perspective and I'd love to hear some examples of the military as a stupid organization.Unknownhttps://www.blogger.com/profile/07022751748822198905noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-63836695328119653402010-06-07T17:09:40.372-04:002010-06-07T17:09:40.372-04:00horia314: That's a really interesting topic [c...horia314: <i>That's a really interesting topic [colonels smarter than Ph.D.s]. Could you elaborate on that a little? I find it somewhat counter-intuitive. I don't want to dismiss the army, but I never associated officers with the kind of intelligence you'd find in a scientist.</i><br /><br />Your perception of the military comes from movies and TV shows that show military men as bumbling idiots. Mine comes from personal experience dealing with the military.<br /><br />The military is meritocracy. Every few years, officers are either promoted or kicked out in order to make room for the next set of officers below them. Those that survive to became Generals are the cream of the crop. They are highly capable leaders and enormously intelligence. Indeed, most Generals also have a Ph.D. -- they don't mention it much, because "General" is a much more prestigious title than "Doctor".<br /><br />The process isn't perfect; there is a lot of politics and smoozing involved, but even the worst of them deserve our respect.Robert Grahamhttps://www.blogger.com/profile/09879238874208877740noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-64023233612646787072010-06-07T16:47:59.803-04:002010-06-07T16:47:59.803-04:00You make some good points about the nature of adve...You make some good points about the nature of adversaries but also make some questionable assumptions that other commentors have spoken to. It may be a mistake to lump all gov/ DoD leadership together. Sure there are some really uninformed, clueless dorks, but there are many dedicated, brilliant officers who are seeking guidance on what works. Since the industry as a whole in regarded to be in its infancy, is it really that fair to expect DoD to be any further ahead?<br /><br />Definitional confusion aside, civilian disruption by attacking the other side's critical infrastructure is not an unreasonable assumption and rather than focus on adversaries that one has no control over, a move to inherently secure systems to maintain a last man standing in a cyber shoot-out is probably a good strategy. This and the problems with deterrence as a strategy are discussed in the following white paper:<br /><br />Cyberwar and Cyberterrorism<br /><br />http://cybersecureinstitute.org/docs/whitepapers/Habiger_2_1_10.pdfRU_Trustifiedhttps://www.blogger.com/profile/05287332677529399371noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-80163171828606130722010-06-07T16:44:05.098-04:002010-06-07T16:44:05.098-04:00The average colonel I've met is much smarter t...<i>The average colonel I've met is much smarter than the average Ph.D. Generals are even smarter.</i><br /><br />That's a really interesting topic. Could you elaborate on that a little? I find it somewhat counter-intuitive. I don't want to dismiss the army, but I never associated officers with the kind of intelligence you'd find in a scientist.horia314https://www.blogger.com/profile/12405514858485175201noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-6468685718613464822010-06-07T15:01:58.199-04:002010-06-07T15:01:58.199-04:00"Most people in our military think", &qu..."Most people in our military think", "the military will never understand", "Our own military and intelligence organizations do not believe in this. They can only believe in conspiracies run by government"<br /><br />There are a lot of generalizations here. The cybercommand has a lot of competent young brains in it, too, complete with experience.xpdahttps://www.blogger.com/profile/13806348185973730550noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-789221870643927572010-06-07T14:09:21.569-04:002010-06-07T14:09:21.569-04:00Mark: I think you should broaden your view of warf...Mark: <i>I think you should broaden your view of warfare...</i><br /><br />Well, yes, hacking should be used in warfare. My point is that the analogies like "cyberweapons" aren't valid.<br /><br />Mark: <i>To say the military as a whole lacks intelligence is just ignorant.</i><br /><br />Individuals are brilliant. The military as a whole is stupid.<br /><br />The average colonel I've met is much smarter than the average Ph.D. Generals are even smarter.<br /><br />But the military suffers from "diseconomy of scale". The organization is stupider than the individuals in it.Robert Grahamhttps://www.blogger.com/profile/09879238874208877740noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-51693104811274082122010-06-07T13:34:13.475-04:002010-06-07T13:34:13.475-04:00You have a lot of great comments, but I think you ...You have a lot of great comments, but I think you underestimate a lot of military minds. The essence of successful warfare has always been to find thte enemy's weaknesses and exploit them in the most efficient manner at your dispoal.<br /><br />One thing that is often overlooked in these discussions is the difference between the evaluation of military capabilities and arms control diplomacy. The former can be very free flowing and opportunitistic while the latter must define systems that are verifiable.<br /><br />The problem with many weapons today is that they use many dual-use components. Consider all the problems we have limiting NBC weapons. Computers could be considered the most dual-use weapon of all. Some technologies may never be adequately controlled because of their civilian use. i guess that's why we've never been able to ban the use of internal combustion engines for military purposes.Unknownhttps://www.blogger.com/profile/13933358160989425351noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-23791909745401994412010-06-07T12:48:51.746-04:002010-06-07T12:48:51.746-04:00Very insightful post.
Given the difficulty of int...Very insightful post.<br /><br />Given the difficulty of integrating cyber attacks into traditional military structures, it seems to me that we should look to an older, more opportunistic military tradition: <a href="http://en.wikipedia.org/wiki/Privateers" rel="nofollow"> privateers. </a><br /><br />It would work something like this: The government announces it is issuing cyber letters of marque against country X in support of its war effort there. Interested hackers sign up, are given official documents denoting precisely what they can legally do, and are allowed to attack targets at their discretion. The government guarantees immunity from prosecution for acts within the predetermined scope of the letters, and the hackers are allowed to keep and/or sell any data they seize as a reward.<br /><br />This system would preserve the rule of law by providing a clear distinction as to when hacking is permitted and when it isn't; hackers would face prosecution by their own governments if they attack without authorization. It would create a publicly verifiable way of determining who is attacking whom, while still allowing governments to wield cyberattacks against their enemies. And it would provide a great way for the US to develop its own pool of hacker militia.Unknownhttps://www.blogger.com/profile/11546009110718529123noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-30658844360311732152010-06-07T12:32:32.230-04:002010-06-07T12:32:32.230-04:00You make a lot of great comments, but your comment...You make a lot of great comments, but your comments about the military show that you are clueless about how warriors work.<br />It's a really crappy general who just wants bigger and bigger weapons. Who doesn't understand targets of opportunity and that the goal is to find the enemy's weakness and exploit it. Sure, we've had really terrible generals, but you just defined the "military" way as being oriented on the direct application of brute force. <br />Some times brute force works. It's a tactic. It's used in hacking too, isn't that essentially how a DDOS attack works? Just applying the brute force of a LOT of processors?<br />The smart soldier knows that's only one tactic though. Just like in hacking, there are many ways to defeat the enemy and bigger isn't always better.<br />For example, the primary development in military weapons right now is for smaller explosives that can be directed more accurately to their target.<br />I agree there is a lot of clueless talk about how to fight "cyberwar." It's very different, but perpetuating a stereotype of soldiers as idiots who just know how to bang on something until it breaks just demonstrates your ignorance. Go read the basics of military science: Sun-Tzu; Clausewitz, etc. Or maybe just go find "Fighting By Minutes" by Robert Leonhard (former US Army officer). You might learn something that will make you a better hacker.Unknownhttps://www.blogger.com/profile/07022751748822198905noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-6478637732035455272010-06-07T11:50:32.416-04:002010-06-07T11:50:32.416-04:00I disagree. If for example the US military designe...I disagree. If for example the US military designed and deployed a large BOT-net with the specific purpose of being able to use it to disrupt another government or military's communications this could be considered a weapon. Call it a cyber-weapon if you want. If cyber-weapons could exist a cyber-attack could exist, and if two sovereign nations exchange attacks like this I think it could accurately be described as a cyber-war.Unknownhttps://www.blogger.com/profile/00037717450252004186noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-85370632394939716012010-06-07T10:13:05.328-04:002010-06-07T10:13:05.328-04:00Good points and I agree with much of it, but not a...Good points and I agree with much of it, but not all. There are plenty of State "sponsored" groups that are given specific targets and then turn over access, intell or control to the "sponsor". To say it doesn't exist is naive. It doesn't exist to the state that many are blowing it up to be and it isn't a threat to many people/organizations, but it is a threat to some.Jessehttps://www.blogger.com/profile/06599139510962604733noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-80141492835988750052010-06-07T08:07:06.476-04:002010-06-07T08:07:06.476-04:00I think you should broaden your view of warfare. ...I think you should broaden your view of warfare. A major part of military operations throughout history has been psychological warfare. Hacking could be utilized in PsyOps in several ways. On one hand, you have the obvious: hacking commonly used websites within a target country to get your propaganda to the people. On the other hand, you might have a different approach: hacking to give oppressed citizens of that country free access to media without the restrictions of their own gov't - such as China or North Korea.<br /><br />Add the aspect of PsyOps to the common thought of hacking to affect infrastructure, and you could absolutely say that hacking can be a major part of warfare.<br /><br />Also, as a side note, I think you might want to rethink "the military doesn't do smart." If you want to say that military policy makers are out of touch, that's one thing. To say the military as a whole lacks intelligence is just ignorant.Markhttps://www.blogger.com/profile/00779876224334392974noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-78712797164298450432010-06-07T07:46:57.358-04:002010-06-07T07:46:57.358-04:00After I read your blog post (props for a very insi...After I read your blog post (props for a very insightful piece, BTW), I read an article entitled <a href="http://www.airforcetimes.com/news/2010/06/airforce_cyber_060710w/" rel="nofollow">"Computers are battlefield for AFIT students"</a> from the <i>Air Force Times</i>. You may want to check that out if you haven't yet, then perhaps you could share with us your thoughts about it later on. :)<br /><br />Also, as those in the security industry, I wonder what kind of role we should be playing in the fiction world of cyberwar that is beginning to be played out in real life...Lhttps://www.blogger.com/profile/07648682177529397779noreply@blogger.com