Recently in Cyber Warfare
Filed in: CyberWarfare
A couple of weeks ago, I talked about the DOD's new cyber warfare policy. Deputy Secretary of Defense William Lynn rolled out his justification and strategy in an essay published in Foreign Affairs magazine. I gave an evaluation of how far along the DOD is in implementing that policy and gave Secretary Lynn a thumbs up for crafting a cogent plan.
In the Strategy section of the essay, Lynn mentions a concept called active defense. This is a government euphemism for Offensive Cyber Operations. He basically says that you cannot be effective in cyber space if you are only playing defense. Lynn said,
"In an offense-dominant environment, a fortress mentality will not work. The United States cannot retreat behind a Maginot Line of firewalls or it will risk being overrun."
This is a basic tenet of regular warfare (look up quotes from any famous general or military expert like Napoleon, Clausewitz, MacArthur, Patton, etc.). To win, you have to take the fight to the enemy. This is not different just because we operate in cyberspace. The basic tenets of warfare do not change simply because you are in a new medium. They are the same on land, in the air and on the sea. If we fight in cyberspace, we have to go on the offense.
This is consistent with what General Alexander, the Army General in charge of the new Cyber Command, said in August when he spoke at the Armed Forces Communications and Electronics Association's LandWarNet conference:
"We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us."
But developing and deploying a framework for these kinds of operations is hard and must be done in advance. You don't want to be making this stuff up on the fly during a crisis. Working out the legal and civil liberties issues is tough. Lynn agrees,
"The speed at which active defense systems must act means that the rules of engagement governing network defense must be set largely in advance. Devising these protocols is not easy."
Also, just saying the Army will conduct offensive operations sounds so clean and precise. It is not. It will be messy. Unforeseen consequences will happen. The enemy will react. As civilians, we like to think that just because the Army will hit back, the enemy will wither and run away. That will absolutely not happen. It has not happened in Iraq and in Afghanistan, and it will not happen in cyberspace. I had an old commander of mine who always used to say, "The Enemy gets a vote." Most likely he will not vote to quit.
General Alexander and Deputy Secretary of Defense Lynn know this. They have been around the block a few times. They know what is in store when we start down this path. That is why it is imperative that the framework is in place before the crisis occurs. We must have a general game plan in place that is transparent and generally agreed upon before the first cyber digit is fired in anger; transparent to the good guys and, yes, to the enemy. The enemy must know what we are likely to do before they cast their vote. This will all influence the shape of the battle space.
I believe that all of this is years away, but we have started down the path. The DOD must still negotiate many obstacles; but Secretary Lynn has outlined a strategy and General Alexander has committed to it. It is just a matter of time now.
Filed in: CyberWarfare

I attended the Intelligence Squared debate on Cyber Warfare on June 8, in Washington, DC.
Those of you who read my blogs regularly know that I am an avid podcast listener (I have a one-hour commute each way to work). One of the podcasts in my regular rotation is the Intelligence Squared debates. The organizers use an Oxford-style format where two sides debate an issue and the audience decides the winner. Before the debate, the organizers ask the audience to vote on the motion. After the debate, the organizers ask the audience to vote again. The winner is the team that changed the most votes. Intelligence Squared has debated many interesting issues during the last year: "Organic Food is Marketing Hype," "America cannot and will not succeed in Afghanistan," and "Blame Washington more than Wall Street for the Financial Crisis," just to name three.
The debate itself was a hoot. It was a beautiful night in the capital and the debate was well attended even though it was competing with several high-end entertainment extravaganzas at the same time, including the Washington Nationals' debut of their phenom pitcher Stephen Strasburg and a family concert by Carly Simon and her son Ben Taylor.
This was the motion: The Cyber War Threat has been grossly exaggerated.
On the left side of the stage (for the motion) were Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), and Bruce Schneier, my former boss and general pundit for the security community.
On the right side of the stage (against the motion) were Jonathan Zittrain, co-founder of the Berkman Center for Internet & Society, and Mike McConnell, executive vice president for Booz Allen Hamilton and a former US Director of National Intelligence (DNI).
Let me just say that the Zittrain/McConnell team spanked the Rotenberg/Schneier team and the star of the show was Zittrain. He was funny and articulate and every time the Rotenberg/Schneier team tried to make a point, Zittrain bumped them right back into their corner. Here are the results:
Before the Debate:
For the Motion (Rotenberg/Schneier): 24 percent
Against the Motion (Zittrain/McConnell): 54 percent
Undecided: 22 percent
After the Debate:
For the Motion (Rotenberg/Schneier): 23 percent
Against the Motion (Zittrain/McConnell): 71 percent
Undecided: 6 percent
Like I said, this was a spanking. Throughout the debate, the Rotenberg/Schneier team never debated the issue. They were more concerned about what the US Intelligence apparatus might do to US citizens' privacy rights if the US government ever considered the threat of Cyber War to be real. Rotenberg repeatedly came back to the point that the NSA has been trying to take control of the Internet since the early 1970s and this is just the latest salvo in that effort. The Zittrain/McConnell team challenged this argument by agreeing that it was a concern, but it does not really address the question at hand.
Schneier pointed out that Cyber War is a theatrical metaphor similar to other metaphors we use to add emphasis to important issues, like the war on drugs or the war on terrorism. The Zittrain/McConnell team countered with the idea that this is not a metaphor; that it is possible to disrupt and destroy in cyber space just like it is in the real world and that we should prepare to defend against those contingencies. McConnell explained that the US economy is annually valued at $14 trillion. In just one day, two high-end US banks transfer more than $8 trillion alone. If a nation state made it impossible for bankers to track that dollar flow, the result would ruin the country. From my point of view, we can all come up with our pet "Doomsday" scenarios that a nation state might use against our respective countries. If we went to war with another country, do we really think that the other side would not use cyber space as a vector? The Rotenberg/Schneier team said yes; they did not think that another nation state would use Cyber War as a vector.
The Rotenberg/Schneier team also denied the two examples that everybody trots out, including me, to prove the point that cyber war is real: Estonia and Georgia. They said they were done by kids and therefore not an act of war and they failed to see how denying access to government websites qualifies as a war. The Zittrain/McConnell team countered with the fact that, at least in the Georgia incident, the attacks were deliberate, rehearsed and executed with impeccable timing. For my part, I would make the argument that anything that adds to your adversary's "Fog of War" only helps your cause. If you can't communicate with your staff electronically just before the tanks roll across your border, I'd say your pucker factor would rise exponentially. Moreover, just as an aside, kids conduct many of the conflicts going on today; it does not make them any less lethal.
In the end, both sides agreed that the policies the US adopts around cyber warfare should be open to everyone; that there should be no secret planks hidden in the bowels of the Pentagon. McConnell suggested that we need to get the law right before there is a crisis. Everybody agreed.
From my perspective, this is a no-brainer. Of course there will be a cyber warfare component in any future war. It is the great leveler. For relatively little cost, a small country could easily compete with a big country in terms of effect in cyber space. Compare that to trying to outspend the US in building an aircraft carrier fleet that can travel unopposed in five oceans. Does the press overhype the phrase "cyber warfare" sometimes? Absolutely. Does that make the threat of cyber warfare grossly exaggerated? I don't think so. I am not the only one who thinks that either. The debate audience definitely thought that at the end of the festivities, but so do a lot of governments around the world. In iDefense's 2010 Trends Paper, published in December 2009, we talked about a shift in the center of gravity away from enterprise IT departments and toward governments in terms of cyber security policy, money spent on cyber security programs and the cyber security personnel that governments hire. Part of that shift concerns itself with cyber warfare.
In the end, I had a great time. I got to see some cyber security superstars square off on a very important issue and witnessed the crowd shift their viewpoint from one side to the other. I'll admit, it was a little geeky, but hey, the geeks of the world need entertainment extravaganzas too.
Filed in: Cyber Arms Control
Before the holidays, I stumbled into a blog over at defensetech.org regarding the subject of Cyber Arms Control. The word "stumbled" is one of those euphemisms I use when I am surfing the net instead of doing real work.
From Bruce Schneier's blog, the Russians and the Americans have started discussions about how a treaty might be arranged that might "strengthen Internet security and limit military use of cyberspace". From what I have read, the Americans are not that interested in a formalized treaty, but in a break from the previous administration, the Obama administration is at least willing to listen.
It is not quite time to gloat yet because there are many years of negotiations ahead of us before this gets any closer to reality. But, this falls right into line with something I suggested in an SC Magazine essay back in August. This is the idea that nations could agree to take on individual security issues together. The particular issue I suggested in the SC Magazine essay was the Botnet issue. I suggested that nations might authorize an international team of Botnet Terminators to pursue and destroy Botnets wherever they may lead. If we could just get the Chinese, the Russians and the Americans to sign up for that program, other nations would surely follow. The result would be a game changer. Pernicious Cyber Security Cartels from around the world would have to refit and reconfigure their entire operations in order to avoid the Terminators.
As I said, it is not time to gloat yet. There are many reasons why nations will not want to participate in my Botnet Terminator program or other similar Cyber Arms Control Treaties. I am encouraged though that at least some leaders are talking about it. That puts us a lot closer to the possibility than we were back in August and way closer than I ever thought possible when I wrote the original essay.
I guess I need to stumble around more often. If I could just convince my boss then I would really have a reason to gloat.
Filed in: CNA, CND, CNE, CNO, Cyber Warfare
I have been watching the hype regarding cyber warfare these past few weeks and thought it was about time to step into the fray. There have been a number of gloom and doom articles published (McAfee, CNET, InformationWeek, National Journal and CSIS) about how governments are just now cranking up their cyber warfare programs and how we can expect the first stand-alone cyber war to begin within the next decade.
All I can say to that is this: hogwash.
First, governments have been dabbling in cyber warfare for more than 10 years. McAfee's report highlights that the US, France, Israel, Russia and China already have strong offensive capabilities. That is true; however, what is more precise is that these countries have strong computer network operations (CNO) programs with computer network attack (CNA) and computer network exploitation (CNE) components. Both are offensive in nature for sure. Each also has a very precise purpose. A CNA is what laymen would consider to be most like warfare - cyber attacks directed at the enemy's infrastructure to support a larger mission objective. National Journal's example of taking out Iraq's cell phone infrastructure to cripple the enemy's ability to explode roadside bombs is a good example of a CNA.
CNE is closer to what James Bond might do - sneak into a cyber system to steal information, present misinformation to the enemy or plant tools that might be used at a later date. InformationWeek's example of Israel's successful air raid against Syria is a good example of CNE. Pundits have speculated that Israel bypassed the Syrian radar systems by dismantling them through some sort of cyber attack.
By the way, the third leg in the CNO trifecta is computer network defense (CND). Most enterprise security people are quite familiar with this operation. It represents all of the tactics, techniques and procedures you put into place to defend your networks.
Second - you thought I would never get to my second point - is the notion that nations will at some point stand toe-to-toe in cyberspace and conduct warfare operations in a vacuum and that sometime soon, we might fight a war without tanks, infantrymen, artillery, air power and special forces. This is just silly. McAfee quotes William Crowell, former deputy director of the US National Security Agency: "Over the next 20 to 30 years, cyber attacks will increasingly become a component of war. What I can't foresee is whether networks will be so pervasive and unprotected that cyber war operations will stand alone." I have to agree with the former deputy director. I wrote a blog last year that basically explained the same thing. James Lewis from CSIS agrees: "Militaries now have the capability to launch damaging cyber attacks against critical infrastructure, but serious cyber attack independent of a larger military conflict is unlikely."
It is time to reboot this discussion. CNO is not a new concept. We need to stop talking about it like it is. Further, it is unlikely that we will witness a pure cyber war between nations without a conventional military component in our lifetimes.
Filed in: Cyber Warfare
At the Hack in the Box conference in Kuala Lumpur, in October, Marcus Ranum made some pretty bold assertions about the efficacy of Cyberwarfare. He said, "The billions of dollars spent on researching cyber warfare can be put to better use because cyber war is never going to be as effective as conventional war."
Ranum is the Chief Security Officer at Tenable Network Security and has been, for many years, one of our community's "rock stars" as a spokesman for the security industry and important security issues. His "The Six Dumbest Ideas in Computer Security" is still classic reading, and should be mandatory for all security people. But he is wrong on this issue.
It is not his assertion that cyber war is never going to be as effective as conventional war that is a problem -- that is a no-brainer. The problem is the assumption that cyber warfare will be conducted in a vacuum; that, in the future, we might see nations fighting each other only on the cyber battlefield. I don't think I'll see that in my lifetime.
According to Ranum, "Cyber attacks aren't a good force multiplier in an actual war." That is just incorrect.
Wikipedia defines a "force multiplier" as a military term that refers to "a combination of advantages which make a given force more effective than another force of comparable size." It refers to a factor that dramatically increases (hence, "multiplies") the effectiveness of an item or group. The reason that Ranum is wrong is that he does not accept that cyber warfare will aid (or multiply) the effectiveness of a physical attack occurring simultaneously on the ground. Talk to the Georgians if you agree with him. The denial of service attack conducted by Russian sympathizers this year against government locations in Georgia preceded the Russian tanks rolling across the Georgian border by days, if not weeks. As an old Army guy, I call that prepping the battlefield. If I am going to war, before I roll the tanks, I am going to soften up the targets with artillery, air force bombs, special forces and yes, cyber attacks. I want the enemies to be so dazed and confused when the tanks roll, that they don't know which end of their rifles to point when the tanks park in their driveways. Using cyber warfare to help accomplish that aim just makes sense.
Ranum said that, "Many people talk about cyberspace as if it can be a new form of battlefield but this is not possible because you can't occupy and hold cyberspace as you would a piece of enemy territory." I agree that you don't hold territory with cyber warfare. But, you also don't hold territory with the air force, the navy, and the artillery. The only thing that holds ground is the infantry and the marines. But ask any infantryman or marine if they want to go into battle without those "wussy" services that can't hold the ground. I believe the answer would be a resounding "No!" As the military figures out what works best in cyberspace as a force multiplier, I believe those infantrymen and marines will add cyber attacks to their lists, too.
Ranum also said that "You're talking about bringing military operations into cyberspace to potentially commit acts of war and other countries may retaliate in ways that you may not be prepared for." Though true enough, that is true for any kind of warfare. I am not suggesting that we take cyber warfare lightly. I am just saying that Ranum's reason for not using cyber warfare is the same argument that you can use to not go to war at all -- a noble thought indeed. I will leave that discussion for the great leaders of our nations. But, if the leaders do decide to go to war, leaving the cyber angle out of the equation is just silly. You know that our adversaries are going to do it. In fact, the Chinese have been studying that very subject for the past 20 years. Their own doctrine says that they do not want to take on the US in a straight-up tank fight. They are preparing to go after the US asymmetrically (that's a fancy way of saying that cyber warfare is on the table).
Our friend, Richard Bejtlich, over at Tao Security, has a similar opinion. "Combatant commanders approach the problem this way. If you're Stormin' Norman Schwarzkopf in 1991, and you want to remove the Iraqi army from Kuwait, you'll want to blind the Iraqi radar grid. If you can do so electronically instead of risking the life of a pilot or running down your missile stocks, would you want to? Most commanders I knew wanted to be 100 percent sure that their decision would work. Not all warfare is about holding ground."
Yeah, what he said!
So Marcus, I love ya man, but come back to the fold on this one.