Cyber-warfare threat or hype?

Center of gravity constructs look at the strategic, operational, and tactical elements of an adversary to identify weak points in the over all capability of resistance. Cyber-warfare attacks the computing and communication infrastructure of the adversary through a variety of means(Denning, 1999). The term cyber-warfare is a bit misleading. It does not denote the tools used to wage war but the space in which the conflict exists. Much like land war would call upon the assets of infantry, artillery, and close air support cyber-warfare can utilize anything appropriate to the task within the military arsenal to gain advantage on the adversary. Cyber-warfare is the place of the battle not the type of battle.

Cyber-warfare and cyber-terrorism have been maligned by experts for being euphemistic and tacking on “cyber” or “terrorism” (Ilett, 2005) when there is only war or only terrorism and the actual strategies or tactics have little to do with the state of conflict. There is some validity in the criticism as to often popular culture does place the word “cyber” in a title instead of “new fangled”. When we talk about cyber we need to make sure we’re talking about the same things. In this case we’re talking about the computing infrastructures and assets of the defender or adversary. Warfare is the application of power for political ends through the “sanctioned” use of diplomacy, military, or economic tools. Cyber-terrorism has been well defined by several authors though Denning did it best in discussing the attack by state or non-state actors to create fear and terror through destruction or manipulation of the computing infrastructure (ed. poorly paraphrased by me) (Denning, 2000).

Cyber-warfare and cyber-terrorism can be understood if we take a common framework and examine them. Flipping the model slightly we can look at the security service first discussed by John McCumber and then added onto by Maconachy (et .al.) later. Confidentialy, integrity and availability make up the first three security services(McCumber, 1991). Maconachy (et. al.) added non-repudiation and authentication to the model. For this discussion we’re going to ignore the other dimensions of the cube model they suggested.

Confidentiality is the “privacy” or ability to keep information in any of it’s forms away from others. We can accomplish this through encryption, physical security of computing systems, physical destruction of computing assets, and superior transmission methods across networks. Violation of the confidentiality element occurs when spies or “traitors” access information and transmit it to entities that are outside the organization. We see this occur when back up tapes are stolen off the UPS/FedEx (Collett, 2005; Lemos, 2005) truck, laptops are stolen from homes or businesses, data is accessed inappropriately

If for instance a spy were to attack and attempt to garner intelligence about military secrets that would be considered a hostile act if they did so by breaking into the Pentagon building and sneaking through security. The same act done through cyber-space is maligned and ignored while rarely considered in the same level of hostility (“China denies Pentagon cyber-raid,” 2007; “China spying ‘biggest US threat’,” 2007; Luard, 2005; Thornburgh, 2005). This is a direct attack against the confidentiality of the target nation.

Integrity is that data hasn’t been changed. The transposing of a few grid coordinates when calling in artillery missions might have catastrophic consequences. We’ve all misdialed a phone number at some point in time. The integrity of the data was not the same as the actual data required. The active manipulation of information or data by hostile third parties could result in substantial error or “just enough error”. An attack on this security service could take any of a hundred methods. Common mistakes such as giving an adult dosage of medicine to an infant would be a violation of the integrity security service (Harvey, 2007).

Availability as a security service is the most common vector of attack on the Internet. The common distributed denial of service where a server or client is swamped by requests for information and in the deluge fails to be able to handle any of the requests. This can happen without evil intent. Common high volume user derived content sites such as Slashdot.com and Digg.com create effects where when a new web story is published the crush of users attempting to access that content creates a de facto denial of service on the target. It doesn’t take an uber hacker in mysterious foreign lands to create a problem for companies or organizations. The common and often maligned backhoe can rip telephone lines and just as effectively violate this security paradigm. A large bomb dropped from a very fast airplane into a telephone company would also be an effective violation of the availability service.

I wanted to introduce the common vectors that are attacked. By flipping the model and looking at how the security services are attacked we can consider strategies for protecting them. Any introductory information assurance and security course is going to introduce these concepts early in the curriculum. Few are going to discuss them as a model for attacking a target. When looking at these three services we can see the methods for waging an adversarial campaign. But, can we call it war? I think the reason cyber-warfare doesn’t get the attention is that the metaphor and model describing it has not been explained well enough. The policy makers and decision makers can’t see the spies sneaking through the halls, the planes dropping bombs on their data centers, and their operational orders being changed. If you believe the computer and somebody else controls that computer then you believe what they want you to believe.

Bibliography

China denies Pentagon cyber-raid. (2007, September 4, 2007). International Version. Retrieved November 16, 2007, from http://news.bbc.co.uk/2/hi/americas/6977533.stm

China spying ‘biggest US threat’. (2007, November 15, 2007). International Version. Retrieved November 15, 2007, from http://news.bbc.co.uk/2/hi/americas/7097296.stm

Collett, S. (2005). Precious Cargo. Retrieved November 17, 2007, from http://www.csoonline.com/read/080105/cargo.html

Denning, D. E. (1999). Information warfare and securty. New York: Addison Wesley.

Denning, D. E. (2000). Cyberterrorism. Retrieved November 1, 2007, from http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html

Harvey, R. (2007). Third baby dies from drug overdose. Retrieved November 17, 2007, from http://www.wthr.com/global/story.asp?s=5432058&ClientType=Printable

Ilett, D. (2005). Security Guru slams misuse of ‘cyberterrorism’. Retrieved November 1, 2007, from http://news.zdnet.com/2100-1009_22-5685500.html

Lemos, R. (2005). Backup tapes are backdoor for ID thieves. Retrieved November 17, 2007, from http://www.theregister.co.uk/2005/04/29/backup_tapes_are_backdoor_for_id_thieves/

Luard, T. (2005, July 22, 2005). China’s spies come out from the cold. International Version. Retrieved November 16, 2007, from http://news.bbc.co.uk/2/hi/asia-pacific/4704691.stm

McCumber, J. (1991). Information Systems Security: A Comprehensive Model. Paper presented at the 14th National Computer Security Conference, National Institute of Standards and Technology. Baltimore, MD. October.

Thornburgh, N. (2005, August 25, 2006). Inside the Chinese hack attack. Retrieved November 1, 2007, from http://www.time.com/time/nation/article/0,8599,1098371,00.html

1 comment for “Cyber-warfare threat or hype?

Leave a Reply