
The big cyber news event of the week is the just-released report by McAfee. In this report the security industry giant asks if the age of cyber warfare has arrived. The thirty-seven page report has several very provocative statements about cyber warfare. Up front, they present three key findings in the report, and they are as follows:
Although there is no commonly accepted definition for cyber war today, we have seen nation-states involved in varying levels of cyber conflict.
If a major cyber conflict between nation-states were to erupt, it is very likely that the private sector would get caught in the crossfire.
Too much of the debate on policies related to cyber war is happening behind closed doors.
One topic in the report that gave rise to lively debate in a meeting I attended was, “The line between cyber crime and cyber war is blurred today in large part because some nation-states see criminal organizations as useful allies. Nation-states have already demonstrated that they are willing to tolerate, encourage or even direct criminal organizations and private citizens to attack enemy targets.”
This creates an interesting dilemma about who is in charge of cyber attacks when you really don’t know who is behind them! While this has been discussed many times behind closed doors, it has rarely been argued this openly in public.
Towards the end of the report they stated that international cyber conflict has reached the tipping point where it is no longer just a theory, but a significant threat. While these issues are not new, the attention this report is drawing has placed them before the security industry, military and government leaders.
If the tipping point has been reached, how will the computer security industry respond to this international issue and what does this mean for the private sector?








14 comments
Cyber is the one way our enemies can realistically be able to hit the one part of America that no country has been able to ever hit since the U-boats in both World Wars. That is our industrial and manufacturing sectors. The private sector has always been able to run with an air of impunity since our enemies have been so far from our shores and lacked the physical or technological ability to strike at us like we can do to them.
A killshot in the cyber realm lies in being able to do lasting damage to another's networks and exploit them. There is no Sun Tzu or Clausewitz here that has done any true writings for how to fight a cyber war.
The first battles in the cyber realm have already been fought and they show one thing, the ability to strike and then outflank your enemy. The Russians "possibly" used nationalists to attack Georgia during their border war in South Ossetia. The Georgians flanked them by moving their assets to servers in the United States, in the State of Georgia to give their enemy at most a tactical victory. They took them down, only for them to pop up in an area that they couldn't attack without political repercussions.
I predict that VERY little will be done on cyber defense until a major attack happens, after which it will become "the next big thing". Let's just hope that the first major attack to hit will be big enough to wake people up, but small enough to be contained.
@Ed: all the principles outlined by Sun Tzu & Clausewitz still apply to cyber-warfare, all that is missing is a translation step from men & chariots to programs & networks. Things such as "attacking with fire" still apply, but instead of using physical fire, you are using a self-replicating virus which, once released, will continue to grow, spread and cause damage on its own without requiring external guidance or command orders.
P.S. If I were a cyber-soldier, my first target would be the electrical grid, specifically one particular node which has the ability to cause a cascade effect, thus causing a nation-wide blackout. Not only does it cause major financial damage, but it has a major psychological impact as well.
Warscientist:
You do not want to fire a self-replicating virus. If it gets on one computer with access to an outside network, then it's all over the place. Besides, self-replicating viruses are indiscriminate. When you are doing cyber warfare, you target specific networks, or specific infrastructure, or institutions. It's the difference between dropping a nuke, and dropping a MOAB, both tactically and strategically.
You've just outlined the major drawback of the "attacking with fire" stratagem. Because of its nature, fire (or in this case a self-replicating virus) cannot be bargained with, appeased or controlled, and once released will continue to spread without any regard as to who owns what.
This potential for self-harm (haha I set my neighbour's house on fire… oh crap now my house is on fire too!) needs to be carefully weighed against the damage you could do to your opponent, but in certain situations it could be a valid strategy.
What I was really trying to do is outline how strategy for conventional warfare can still be used in cyber-warfare, it just needs to be translated from bows & arrows into bits & bytes.
It looks like the NSA is getting more active in this area too.
NSA assists Sun, Red Hat, and Apple harden their OS:
http://intelfusion.net/wordpress/?p=693
Nidi:
You are close in your analogy. However the self replicating virus is the tool of the average hacker capable of writing viruses. Them doing that is akin to spray and pray. Fire off the round and hope it hits the target. The adversary with nothing to lose or without the technical knowledge for more precise attacks will certainly use this method.
You are correct in them wanting pinpoint strikes, but MOAB would still go too far. The best of them will do strikes that will do the most damage for the shot. They will be more akin to a sniper rather than a MOAB.
The trouble is there are statements on record from US military chiefs stating they will physically attack those who do these attacks, yet they, the US, continue to get hacked and nothing gets done about it.
I honestly think hackers have a free lunch when attacking American systems with the exception of that English kid with Asperger's, Gary McKinnon, who went looking for UFO files on Pentagon computers and got caught.
Jimbojones:
The old rumor used to be that the hackers that successfully got through DoD systems, once found, were given the deal. The work for us or go to prison deal. However, did we stop doing that? The other part is that we missed what other countries are doing, making it a specific trade craft akin to being infantry or a tanker or a truck driver. Make a job in the military that is Cyber. Have offensive and defensive specialties and start growing our ranks. Maybe even add that as a segment to the ASVAB so we can identify the most likely candidates.
We have the talent here in the states to be the most formidable, we just need to harness that power.
Great, there goes my evening. Thirty seven pages? Ugh, better get to reading….
LOL
There is a fair amount of white space
(!) Good read. Thanks for the link
Aviation week hosted a cyber security seminar with Lockheed Martin and the NCOIC recently that was actually pretty interesting. Some very good points were made:
The US is not the #1 internet user, China currently has 360 Million connected users. That is more than the entire population of the US combined. And this is nowhere near the amount of users that they can and will have. The attackers are more hidden than 10 years ago and less technical hackers are using more and more sophisticated tools.
The Cyber expert for the DHS said that we are behind in this war and currently the bad guys are winning. It was also mentioned that the government and private sector need to work together to form an active defense. The government is taking steps, but we are still in the catching up stage…
Ptsfp
I don't see much happening on this front until software companies are made legally liable for the damage that the exportation of bugs in their software can cause.
Until then software vendors will have little or no incentive to ensure that their initial releases are as bug free as possible. So most consumer software will be riddled with bugs and vulnerabilities.
–Aygar
Hey all, I came across this cyber-security related link I thought you guys might like:
http://www.dodbuzz.com/category/cyber-security/
Enjoy,
Philo