For fear and profit I give you cyber war

I make a lot of money talking about cyber security and cyber warfare so I most assuredly have a dog in the hunt over whether cyber warfare is a real or a made up threat. I try and be honest about my biases so a reader can make a decision early on whether my argument is valid.  Consider the argument though of others closely and then whether I make my case that cyber warfare is a real and truly strategic threat to the nation state. I took a few moments to jot down some notes looking at whether cyber war is real or not.

Lately Tate Watkins and Jerry Brito have been saying the threat of cyber warfare is over hyped in various places.  I would state the summary of their argument is that there is profit in continuing the problem rather than actually creating a solution, the problem is overstated without evidence, there has never been a cyber war, and they associate the issues with the current hype. My apologies to the authors if I over generalized their arguments.

First I must agree with the authors that the hype is over stated. That is people running around yelling “cyber war” then “give me money” are part of the problem. Those complaining that there is no evidence due to the event having not happened are also engaging a pro forma logical fallacy. You haven’t been shot by a gun yet, but do you really not want to protect yourself if you know an adversary is holding a gun? You don’t need the government to declassify threats or capabilities just go to BlackHat or DefCon and discover the myriad security issues. The contrarian argument also hinges on an amateurs understanding of war which is fairly normal. Regardless of the framework, the instruments of national power are significantly more than simply military kinetic assets. There is diplomacy, economic and information assets at the disposal of nation states.  A key to remember is that nation states have the ability to compel which gives them significant power over connections to other nations infrastructures.

I am more than aware that the Internet and the various technologies that the Internet supports help the cause of dictatorship as much as democracy. This is discussed much more eloquently by Evgeny Morozv.  Mikko Hypponen discusses this problem in a much more sideways allusion but still powerfully.  So  I will let the argument by Brito and Tate stand that in some cases nations are just trying to centralize power and control the Internet. The Balkanization of the Internet has been happening for a long time. Only fools think the logical nature of the network trumps the physical presence of the cables and infrastructure. The ability to compel when it comes to the network is a significant form of national power. You can argue whether nations do it well, but that is a matter of ability rather than capability.

What about evidence? It is interesting that Watkins and Brito published in Wired on the pages of Threat Level.  Wired through the FOIA process was able to get a copy of the FBI produced video detailing the events of “Solar Sunrise”. Regardless of the criticism of the video through the glasses of 15 years of experience you have some interesting evidence of the strategic consequence related to the intrusion. Situate yourself to the events of Solar Sunrise in 1998 by thinking about this:

1. The World Wide Web is relatively new, firewall technologies are infantile, network intrusion detection systems haven’t even been fully formed, and most systems are directly connected without any kind of perimeter defenses.
2. In 1997 in an exercise called Eligible Receiver 97 the NSA red team which is a signals intelligence group (not networking) was able to supposedly use common vulnerabilities to change, corrupt, deny, or degrade communications. This is well known to the military leadership.
3. The Defense Information Systems Agency (DISA) had only had data networks as a tasking since 1991 and most of its efforts were directed towards inwards capabilities rather than external protection.
4. In summary there was no “command authority” in charge of information technology systems and very little legislation or approval for these kinds of authorities.
   1. FISMA was signed in 2002.
   2. Clinger Cohen was signed in 1996 but was primarily acquisition related.
   3. The Computer Fraud and Abuse Act was enacted in 1984 and amended several times because it couldn’t keep up.
   4. The Internet Boom or Dot-Com Bubble didn’t really get started until 1995.

Look at Solar Sunrise through that lens and you have an intrusive technology, with very few people who understand it, being utilized for purposes that may not be aligned with the security principles of previous technologies. Though we might look back on Solar Sunrise, and giggle at the size of Scott Charney’s beard, this was an event of strategic consequence perpetrated by a non-state actor in a time of pending hostilities. What were the consequential elements?

Military command and control systems had been compromised giving a potential adversary significant advantage in preparation which equates to possibility of American lives lost.

1. Military transportation systems which are the “beans, bullets, and boots” of military power had been compromised possibly creating issues with the integrity of data and usefulness of that data.
2. Collaboration and coordination tools of the military could not be used degrading and disrupting command controls capacity.

It is the small-minded person that looks at that and says, “Well we shouldn’t have been preparing for war in the first place..”, or that “…the military over reacted.” The fact that it was a foreign national running juvenile actors as assets against a nation state should be a pattern of behavior that warns us even more of the consequence of this event. What is missing in most people’s calculus as they focus on the technical aspects of the intrusion is the consequence to strategic military power projection. The evidence after the investigation informs of how trivial the attacks against the network were. The evidence as seen through the decision focus of military commanders as details unfolded are crystal clear and exceptionally well restrained.

The use of war as a term of conflict has been over used and restraint would be nice to see within the media. I hear the term “cyber war” used by others and myself within the discussions of the topic rarely. We’re talking about conflict and information assurance and security. In a time of shrinking capacity and budgets few people are looking to take on new tasks. To make things worse “war” actually has legal and treaty implications that few people seem to realize.

What I do see is a thread of the impacts of espionage, missing capacity and capability to resist active intrusions, and clearly contrarian incentives of information technology owners. The architectures and expectations of those architectures dealing with information assets and intrusion sets are changing. I see the flexibility to resist intrusions by some corporations as significant leaps forward. The evidence I see in mass media through my focus shows a significant pattern of espionage and evidence of significant sophistication. I have no doubt I will look back in 15 years and wish my problems were so simple as the ones of today. I’ve been around long enough to see the cycles of media attention wane and return a few times.

Since network intrusions are technological incursions there are no sexy pictures of smoking holes or scattered body parts. That begs the question of cyberspace being a conflict domain. Yet nation state and non-state actors can exhibit conflict across a much larger spectrum than kinetics alone.

We are only talking about something that happened in 1998. If you expected me to disclose current threats (as if I know any) you’re sadly mistaken. I do worry about the current critical infrastructures though and have examined a few events so I could situate myself around their failure modes.

Unfortunately I have a lot of detail about one that happened in 1999 that I could reflect on because I was there. Luckily I could just watch and I was not the one who created the problem.

I saw in post 1999 Y2K ramp down a lot of stories that the whole Y2K vulnerability had been over blown. Much like we see the hysteria starting to rise about cyber threats being over blown. Yet proving the negative is very hard and most people don’t understand the absurdity. If you do your job nothing bad happens, but if you screw up well obviously it is a good investment. This is a logical paradigm that information assurance and security professionals have to live with every day. So, if I’m doing my job I’m not needed, but if I screw up you need me? Y2K discussion is filled with that kind of logic.

What could have happened in 1999 on the turn of the clock? We actually have a pretty good case study to work from. There was an actual Y2K outage that we can examine and see what would have possibly occurred had we not taken Y2K seriously. On August 5^th 1999 a Lucent Engineer working for MCIWorldcom testing patches uploaded software mistakenly to the production network of The Chicago Board of Trade network.  By 9:21 PM trading was halted. The software patch had propagated through the frame network of MCIWorldcom causing routers and network traffic to halt of be seriously degraded.  Trading did not resume until August 11^th but was sporadic for weeks. A ComEd transformer interrupted the Chicago Board of Trade again on August 12^th but the fix in that situation was to install a SCADA device to make it easier to manage. So what was the strategic consequence of this event?

1. Financial trading was halted or severely degraded for a period approaching two weeks. The cost to traders was incalculable but cost MCIWorldcom in excess of $200 million.
2. Over one third of the total frame network of MCIWorldcom was degraded or ceased functioning.
3. Though stories of the event are starting to evaporate from the Internet numerous ISPs were harmed as they were customers of the backbone provider.
4. It was suggested at the time if the same configuration error mechanism had been done to other areas of the backbone routing system it could have taken months to rehabilitate. Regardless the actual impacts were significant.

We have numerous events that we can analyze for possible scenarios of what an event might look like. We don’t have to actually run around shooting people to know the effect. We can blow away some watermelons or ballistic gelatin to get a pretty good idea. We have had some pretty traumatic events already and nobody really wants to light the fuse on purpose. Like the Doctor Strangelove Doomsday Machine this may be a button we simply don’t want to push.  To make things even stranger I am fully aware that Dr. Strangelove is satire of the hysteria of the cold war. I am also fully aware that Wired Magazine in 2009 did a great story on Dead Hand showing that satire might unfortunately be prescient.

Like I said earlier the critics of the industrial military cyber complex have a few good points in how the hysteria has unfolded. I am likely not helping that hysteria cool as I try and look at the issues. I am in no way comparing nuclear war with cyber war, but the hysteria and historical records are similar products. Most of the people looking at cyber war are technical aficionados who focus on the network aspects. A few political scientists piece out the strategic and social issues. I wish I could help set the record on the actual cyber issues, but much like a foot soldier in World War 1 looking at airplanes I’m not exactly sure what the risk is currently. Somewhere is the cyber Billy Mitchell who likely isn’t working for government, is not on anybody’s RADAR, fully understands the tactical and strategic impacts, and is going to be pilloried by the current establishment.

If there is anything to leave a reader with it is this. War is a political process between people. A technical construct or mechanism can be used to inhibit an adversary’s action or increase the lethality of action. When used appropriately for defense or offense such technical constructs can be force multipliers. The global information sphere is a tool, a terrain, and nothing more than another aspect of conflict between humans. It is only news today because people have noticed it. When it is no longer news it will still be vector for threats to operate against vulnerabilities.  The capacity for damage is only bounded by the adversary’s imagination and the defenders capabilities. This is much the same as in any other form of conflict.