Recently Jeff Carr wrote a short piece on his blog (Blogspot so no access from DoD) talking about why cyber space in the web 3.0 world really is far from the foundations held by the Department of Defense who states that cyber space is a man made domain. This is a passionate point for me and I’ve been working up a series of diagrams to show the fallacy of the man made domain in pictures (or slides for PowerPoint ranger types). If you don’t have fifteen minutes keep moving, as what follows is likely to long didn’t read (TLDR). I’m never sure what will resonate with people, but this is to be sure draft work that I’m trying to get my own head around. The argument and information is as follows.
The network is cyber space
Cyber space is as much a cognitive domain found in the personality of the listener and communicator as it is in the technology that provides that communication. Depending on the maturity and flexibility of the thinker this discussion takes a couple of twists and turns. First there are the traditional networking types who define the network by the word Internet, but that isn’t large enough to be cyber space.
Click on image to see larger.
In this example you see that an example attack is generated by a human agent that is then prosecuted through the technology stack against the agency or entity that is another human being. This is using the technology to attack the human institution that represents a human interest, or other example of human emotions. A technical attack of this type could be a distributed denial of service. The primary take away being that the technology facilitates the attack.
The human is cyber space
Then on the other side of the equation you have the information operations people who talk about cognitive processes and engage in message shaping and psychological operations. This is where the famous Kevin Mitnick earned his l337 stripes socially engineering people too. Yet this is also to limiting for our take down of the myth that cyber space is only a man made domain.
Click on image to see larger.
As stated the attack shown represents a human agent exploiting another human and in this case to get at the technology. We’re being very personal computer specific but let me caveat here that these attacks can be represented totally in non-personal computer examples. In this attack the human perhaps receives a phone call from a fictional help desk and enters data into an information system or discloses information. The attacker is never required to access the technology stack due to the human component.
The system is cyber space
There is another position that says that all attacks and exploits (the two are also not the same thing) are done through a hybrid to the previous models depicted. Humans create software and implement the software so they are inherently part of the system. The technology stack is actually only parts that have been created by human agency and that the attacks as prosecuted are actually reaching all the way back to the programmers who created the original software. This is a bit of a big pill to accept at face value. So, you can take the easier task of the attack being against the system administrator at the implementation phase or operations phase of the technology stack. Yet the target is always an element of the information system in question or the tools and technologies of a technology system.
Click on image to see larger.
This attack as depicted is a likely scenario. There are a lot of specific strategies that could be shown across a wide variety less traditional cyber space technologies. Changing the cost of an item in a store so that another item is purchased thus driving another company into bankruptcy (sure less than likely but go with the example) and thereby engaging the entirety of the system.
How big is cyber space?
For some reason there is a substantial effort to try and keep the cyber space discussion on the Internet. Even Mr. Carr in his recent blog post is sticking to the idea of web 1.0 through web 3.0. Just as a point of definition and not to take Mr. Carr to task, but the web is a subset of the Internet. The Internet basically being defined by the technologies using the Internet Protocol address and the long haul systems (e.g. ATM et al.). The web is that space that exists within the domain name server system addressed to the Internet Protocol space. The richness and expanse of the human usages of web technologies as social expanses have become so important is a deep and important project. My cyber space is a bigger than the web or even the Internet. Much bigger.
Cyber space is bounded by the cognitive resources and technology resources expanding and contracting as entities exist within cyber space. Now some would say that this is contradictory to my previous personal definition of cyber space that “Cyberspace is the terrain of technology mediated communication.” I could understand the criticism but the ideas are not mutually incompatible and the second denotes the first only as an aspect from a persistent perspective. I won’t mention the fact that I’ve started writing cyber space as two words again.
Even the National Military Strategy for Cyberspace (sic) Operations (U) in 2006 stated under threats that policy was a threat vector that could be exploited by adversaries. Cyber space is inclusive of the elements that define it no less than the land, air, or sea. The argument that cyberspace is somehow different because it is man made forgets that it is built upon natural wave forms, human emotions, electrons, protons, and neutrons just like the ocean, land, and air. We can’t fly very long without an airplane. The attempt is usually called falling. Submarines and tanks are human extensions used in domains to extend our awareness. No less than computers let us do the same. If at some point cognitive awareness is transited through the technology stack the argument will be further eroded. If you think that last point is pure science fiction consider the ramifications of soldiers who control their new prosthetics through neural interfaces. Cyber space isn’t about fantasy but it most assuredly requires the cyber philosopher to abandon concrete thinking.
To understand why it is important to expand our consideration of cyber space let us talk a bit about threats.
Threat Vectors
Recently an employee of an automobile dealer who had been fired used the password of another employee to log into a system and disable the ignition systems of several vehicles sold by the dealership. He also caused the cars to honk their horns and other forms of harassment of the former employers customers. This was widely reported as hacking, but there was no “hacking” involved. He used the system exactly as designed for a purpose that was never expected or within the design specification. The fact that many of the vehicles owners didn’t know that the dealer had installed the system on their cars and the dealership wasn’t exactly being forthright. That would be another human component. There is nothing about this example that is inherently an attack on the personal computer or even the web.
Consider another example. General Motors was running a series of advertisements for the OnStar system. One of these advertisements had a police car following an SUV and talking with OnStar (YouTube video on how it works). They tell them they are going to blink the lights, and upon confirmation from the officer, OnStar then disables the ignition system. OnStar has a multilayered (defense in depth) strategy to keep people from doing bad things. However, this is a classic place where the system of command and control to many vehicles is subject to human malfeasance. The implications if you game out the paths of exploitation are fairly unreasonable. None of the threat vectors are within most definitions of cyber space yet they most assuredly live there.
Commentary
I’m told Coleman has a list of threats via cyber space that are fairly extensive. I’ve never seen his handbook so I can’t comment on what they are. I will say that the implications of considering a broader, deeper, and richer definition of cyber space are imperative. Understanding that cyber space is also more than man made, but accessed through man made tools today is also imperative. Why the concern? The first reason for concern is that adversaries are not hampered by restrictive definitions that create seams in organizations and functional silos.
The second reason for concern is that attacks coming from vectors inherent in the technology do not have to target the exploited technology. An attack against a router can be used to exploit a server that has the medical information for a high value target.
The third reason for concern is pushing the envelope of risk outwards so that resources that are appropriate to the problem space are allocated based on a reasoned and logical assumption or risk. Merely pandering to fear, uncertainty and doubt may be one way of gaining resources, but they do not define the problem appropriately.
So, now you have my research notes and ideas from one of the hundreds of projects I haven’t finished. I don’t know if there is any value in putting this kind of information into the public sphere. Though I have no desire to be rich and famous (well I’ll take rich) I do want to add to the discussion. I’m concerned that my ideas will be used without credit and I’ll end up looking at a bunch of rich people while I’m living in a single wide somewhere in Appalachia.
Great thoughts here. I have recently been thinking about cyber space in the terms of philosophy/psychodynamic psychological theory, namely that there is a constant (“the Real”), and various domains that interact with this but are always unable to fully express it. The reality is the people on either end of the technological spectrum, whether they are communicating via a fiber-optic cable or a string with two cans attached to the ends. For this reason I fully agree with your statement that “Cyber space is as much a cognitive domain found in the personality of the listener and communicator as it is in the technology that provides that communication.”
But cyber space isn’t limited to just the Internet, as you’ve made clear. It can involve lots of technological systems that may or may not be connected to the Worldwide Web. The bad guys are more than happy to use threat vectors that exist outside of government agencies’ jurisdictions due to nearsighted policies. McCumber shows how precluding other aspects of a full information assurance model (critical information characteristics, states, etc.) in your security measures (policy) effectively ties responders arms behind their backs when it comes to dealing with threats that exist outside of the legal spectrum defined in policy.
This becomes a vulnerability in and of itself, especially when opposing nation states begin researching the best attack vectors on a targeted nation. Plausible deniability and exploits that exist outside of conventional jurisdictions as defined by myopic policy are great weapons in their back pockets.
This became a blog post linking to this article 😉
Oh yeah, have you seen this yet? http://www.thehackernews.com/2011/07/war-texting-hackers-unlock-car-doors.html
They hacked a car with a text message, undoubtedly using call spoofing after determining what signal needed to be sent to which number by which other authorized number. Services like Telespoof make this possible… for free!