It had to be said. My inbox lately has been filled with vendors' emails, news articles, blog entries and papers on this concept of "cyber war"... but please, people - think this through before you start building the bomb shelter.
I want to take this in two parts. The first half of this post looks at and analyzes what the current definition of cyber war has come to mean in the mainstream media, and even among the security luminaries. The second half focuses on what cyber warfare really could be, and offers the frank and sane analysis I feel we're just not getting. Before I get too deep into it I want to make sure I give RSnake credit for planting this seed of thought in my mind with the conversation we had back at SecTor in the fall of last year. He's got some great ideas and I think he's one of those rare people looking at this sanely.
--- Part 1: Analysis
If one is to believe modern media (mainstream press, bloggers, etc.) you'd get this image in your mind of a cyber war where two sides square off against each other in battle. Each side, in this case, has an army of uber-geeks and super-hackers ready to devastate the other side's military might and cripple their country. Essentially, if you really blow through the smoke and hand-waving panic, it boils down to a large-scale DDoS attack concentrated against military networks or some war-related entity.
Now, I read all these types of articles and ask myself ..."Really?"
Let's take the two countries which we know are at obvious public odds in modern-day politics - the United States and China. We know that the Chinese have been trying to infiltrate our military networks, our sacred Google, and other institutions, which raises eyebrows. This is all good, and I'm sure much of it is very real - but this is not a cyber war... by any stretch of the imagination. Dropping the search terms "cyber war" into good ol' reliable Google yields some mind-blowing results that make me wonder what the authors were thinking... or even if they were! This one from our kiwi friends down under makes me chuckle - and then slap my forehead, because if the source is Reuters then someone needs to have their head examined...
"Chinese hackers have struck Iranian websites in a burgeoning nationalist cyberwar, media reports say.
Hackers calling themselves the "Iranian Cyber Army" hit the main webpage of Baidu, China's largest search engine, yesterday morning, covering the page with an Iranian flag and other symbols.
Chinese blogs quickly erupted in calls for retaliation, and Chinese flags and patriotic slogans soon began to appear on websites registered in Iran, Britain's Financial Times reported.
In December the "Iranian Cyber Army" hacked popular microblogging website Twitter, replacing Twitter's home page with the same headline and an anti-American message."
Wow, just wow. You know, before the term cyber war became inflammatory and drove clicks we used to call this hacktivism, and before that cyber-graffiti. Big deal, a bunch of Iranian computer nerds defaced (maybe even hijacked the domain of) Baidu.com, China's search engine. How is this a declaration of, or an act of, war?! Someone please explain it to me, I'm at a loss.
Even our good friends at El Reg (the Register) got in on the lunacy... They make comments like this one to make people angry, or afraid ... or...
"The South's cyberwar centre can also be seen as a response to a rumored cyberwarfare unit already operating out of North Korea. Rumours have it the unit is staffed by around 100 including graduates from a military academy in Pyongyang. Whatever the truth of these reports it's probably fair to say that cyber-paranoia is rife on both sides of the 51st parallel."
Again, wow. You mean there is now state-sponsored hacking? Wait, didn't we used to call this espionage? Hasn't this been going on since, well, the dawn of nations? I guess it's cyber war now because the term is cool and makes people take notice... and we do it over computers, right?
If you believe what you're currently reading in the mainstream, you're likely to believe that there are little teams of super-nerds on both sides of the cyber trenches, looking across the cyber battlefield at each other, trying to figure out how to defeat the other in cyberspace. Honestly... really?
Forget for a moment that this involves computers. Is theft of military information by a hostile nation-state an act of war? If it is then we have a much bigger problem on our hands, because we've been at war with just about every hostile nation-state/government for ...forever. Yes, it's a clear act of defiant espionage, maybe even an attack - but it's nothing new.
--- Part 2: My Take
First, let me say that I think the idea of a cyber war is very real, but it's not what the media is selling us on. Cyber warfare is just queuing up... and despite what you're hearing in the press it's not going to be one army vs. another in a fight for nerd supremacy. It's going to be all-out digital destruction. Let's take this topic sanely. First take a breath and visualize packets streaming across the wires of the Internet ... how do these little packets cause physical, real, and serious damage? Does a DDoS against a military network really cause irreparable and serious damage? Only if that attack causes a loss of life, or other catastrophic event. Has the light bulb gone off yet?
I mention loss of life or catastrophic event because rarely do hacks cause either of those. You'd have to be able to do something like wipe out the nation's power grid, or poison the water supply, or kill millions - and in the scenarios we're being fed today in the media none of that is going to happen. To cripple or destroy a nation you have to go after resources that are vital for survival. What are these resources?
If you think about it, there are three things which, if catastrophically affected, can bring down a government or nation. Food, energy, and financial resources are the only things, in my humble analysis, that will cause the collapse of a government or nation today. How does a hostile nation wishing to wage cyber war affect those three things by sending out packets across the wire? That's an altogether different question. Allow me to work through these in order of importance. Keep in mind the aim of war - to force the other side to surrender - in the physical world.
- Financial Resources | A nation can be crippled and reduced to nothing in a matter of weeks without financial resources. The ability to conduct commerce, trade currency, work in the global stock markets, and bank is paramount to the health of a nation. If you take this vital ability away you can implode an economy, thus inflicting untold pain on the inhabitants. It's fairly easy to see what kinds of things happen when an entire country's economy collapses ... crime goes up, chaos ensues, and order quickly gives way to chaos. Waging a cyber war in which an attack against a nation's financial resources is successful isn't simple. This type of attack requires tremendous amounts of coordinated effort. Modern networks are resilient to failure, DDoS, and other attack mechanisms... but what if you could just cause enough chaos to throw the US stock market into a tailspin? What would that take, you ask? Silently, and I stress silently, dropping minor glitches into the whole network of inter-connected ordering systems, banks, clearing-houses, and traders would cause chaos in short order. I stress this has to be done silently because once people know it's happening you lose the element of panic and chaos it causes. If you know someone's attacking the NYSE and your systems are down, you don't panic as much as if you're trying to make trades and every one is off by just a millisecond, affecting your profit/loss margins by potentially billions. Crippling a nation's financial means is a complex task and takes significant insider knowledge, lots of planning and incredible amounts of resources ... and I will go out on a limb and say having 100 Koreans locked in a basement somewhere exploiting 0-days isn't going to cut it.
- Energy | The energy problem is much more difficult to solve, although it can have a much more cataclysmic effect much faster. If someone could trigger catastrophic conditions at nuclear facilities across the country simultaneously it would achieve the goal of killing millions and bringing the country to its knees ... but that's not going to get the US president to sign a surrender of the country. Crippling oil pipelines, energy delivery mechanisms, research and power grids can be used as a mechanism to support an invasion of actual troops - but again... unless you're going to have infantry on our shores you're not going to achieve much beyond devastation and chaos. Can it be done? Can a cyber war achieve the goal of a nation's surrender by crippling its energy supplies and delivery? Maybe, but it's not likely. It is far more likely that this kind of attack would be leveraged in support of a troop-based military assault. Funny thing though: even though much of the nation's energy grid is pushing to become inter-connected, at least today you would still have to do a lot of manual work. Most of these systems aren't Internet-accessible, so infiltrating them requires much more than pasting your nation's flag on their search engine's homepage ... idiots.
- Food | The nation's food supply is a key ingredient to its health. Ask anyone who's watching people starve to death in Africa or elsewhere... there is no order when your inhabitants are dying of starvation. It's hard to envision such a situation in the United States because we're such a huge exporter of foodstuffs to the rest of the world - but elsewhere it could work. The problem with this, of course, is how do you use packets streaming through the Internet to destroy food supplies? Some possible ways are messing with food transport and causing delays, mis-routes, etc., which could lead to spoiled food. Infiltrating food-production networks isn't fruitful because many of these networks operate on the old conveyor-belt methods, and it's not like the cheese plant in Wisconsin is going to be hacked into and all of a sudden produce deadly cheese ... at least I would hope not. Thinking sanely, the food avenue seems to fall out of the picture for many reasons, but the biggest is that food is such a physical endeavor, from growing, to processing, to transport, to sale.
I would agree that some of the things going on lately, including the discovery of GhostNet (originating from that cesspool we call China) may be hostile nation-sanctioned attacks and state-sponsored espionage but this in itself is not cyber warfare folks. If you look up the definition of war:
"War is a behavior pattern exhibited by many primate species including man, and also found in many ant species. The primary feature of this behavior pattern is a certain state of organized violent conflict that is engaged in between two or more separate social entities. Such a conflict is quite often an attempt to resolve a dispute over various commodities such as territory, resources, or other material advantages. Such disputed commodities are usually perceived by the parties engaged in the conflict as being available only in a limited or insufficient supply. In addition to the violent and obvious physical goals of securing various material advantages that war agendas often include, war agendas often also include certain more subtle, yet often more compelling, psychological goals of attempting to alter or reaffirm previous relationships of social domination/ submission/ or equality between two or more social entities" (Wikipedia ref) ... you will realize that hacking, while destructive, is not war. Cyber attacks are a component of, but not in themselves, war. War is hell; hacking (in the mainstream context) is a nuisance.