How to wage cyber warfare: A primer, Part 1

Cyber warfare is fought on a cyber space terrain. The terrain is made up of the communication components of the global spanning information grid. Consider all of the interconnected equipment, components, people, processes, procedures, and other elements that allow for communication. Now most people would think World Wide Web, and be thinking about a quarter of all that “stuff”. If you think Internet you get another quarter of the “stuff”.  At the top of everything is all the people and politics (procedures and rules). At the bottom is the kinetic stuff where SCADA and other forms of controls exist.

In the end the garage door opener is a kinetic device controlled through a communication medium. Simplistic but true for our case. On the other end of this spectrum is the Unmanned Aerial Vehicle (UAV) with a significant amount of networked command and control telemetry. And, in some cases a lot of ordinance. People, working through a network, to control physical actions on the other end. The essence of the entirety of the global information grid.

So if we understand the battle space how do we fight in it? If you are a loose federation of cyber criminals you likely do quite well for short periods of time and then fall apart. Cohesion of effort is hard to maintain over long periods of time. If you are a hierarchical government agency utilizing the latest management models you can spend money rapidly but have about no hope of actually working within this battle space. The Internet is a distributed network, using common protocols, accessed over open connections, representing a communication system, where security is illusory and the business of charlatans.  Hierarchical controls no more represent a valid command strategy for cyber warfare than they do for fighting counter insurgency.

The battle space of cyber warfare is populated by many idiomatic incongruities. A firewall configured to block all traffic is a nearly perfect device for protecting a network. When you open the first port to make it useable it becomes less perfect at security and all succeeding generations of creating usability result in less security. As such firewalls are the epitome of examples why vendor based security is always doomed to fail and security practitioners are charlatans. We can secure devices and networks they are just basically unusable when we are done. This is why cyber warfare based on defense is nearly as stupid as appeasement of Hitler. They are going to attack it is just a case of when.

Another example is intrusion detection systems that are a lot like burglar alarms. You’ve already been robbed when they go off. The intrusion detection system is a passive device defensive device. This issue is symmetric v. asymmetric security. If a firewall is breached, a network switch is breached, and finally a host is attacked the symmetric nature of the network may only detect and protect against the last portion of the attack. Maybe anti-virus on the host detect a Trojan or something else. However the path is not protected against. In asymmetric security the host is attacked and all along the path everything closes down. Much more secure and rarely done. This is the issue with cognitive models like the castle metaphor used to teach computer security. When thinking about cyber warfare we don’t want to be knights tilting at windmills, we want to be insurgents operating inside the population. Cyber warfare is an asymmetric battle space with many different levels. If distributed denial of service is the hooliganism (protesters blocking traffic), attacking SCADA networks is the improvised explosive device (IED) of cyber warfare.

Cyber warfare is a fifth generation warfare paradigm where loose confederations that replicate the battle space populated by non-state actors have the capability of taking on nations states firmly rooted in third generation warfare responses. The Westphalian nation state has legal and moral impediments against waging cyber warfare directly against citizens of another country who may even be an ally. In the United States corporations own the primary infrastructure and targets, and the Fifth Amendment to the Constitution protects those businesses from seizure by the government. In some cases the attack infrastructure for cyber warfare is owned by foreign companies who may not want the United States government attacking their homeland. There are international treaties that forbid militarization of cyber space. There are national laws that are in place to keep the military out of cyber space. From acts that can be set aside by the President of the United States to laws that restrict the actions of the government. There are restraints.

Government pundits offering up hierarchical vested organizations that would attempt to wage cyber warfare have by their own suggestions proven they are ill suited to the task. The cyber warriors need to work much like the Special Forces and counter insurgency forces of the military. Cyber forces need to be outside the normal hierarchies and bureaucracies and as diffused as the forces arrayed against them. When cyber warfare becomes kinetic there needs to be a kinetic response capability. To wage cyber war you need the tools and techniques of taking knowledge of a network and turning it into a weapon.

As an example consider the control and operating systems of a refinery. There are literally thousands of pumps, valves, actuators, and other types of SCADA devices in the refinery. In the need of profit and centralization for control management has moved all controllers onto the information technology network using a common protocol that piggybacks on TCP/IP.  Much of the plant runs on a standard CAT 6 cable plant. SCADA devices require high reliability and really fast networks. So wireless is few and far between for actually controlling the SCADA devices. However, the entirety of the plant is wireless for laptops that are used by engineers around the facility. These wireless access points are using 48 bit WEP. Approximately one minute with an open source tool is required to break WEP.  Since wireless access points sit on the network backbone (makes the network flatter and easier to manage) a few minutes with an open source tool on a switch makes it into a hub. Now an open source tool is used to watch for SCADA traffic. Special filters are used to find the protocol in question quickly. Now comes the specialty knowledge required. Using the public domain documents the attacker manipulates pumps and devices to create a surge of flammable liquid moving toward an overheated pump. Just like the scenario in the disaster recovery plan the company publishes on the web for training. Since SCADA forensics is a nascent science and much of the physical equipment was lost in the epic fireball. The attack won’t even be detected. The loss of ten percent of the nations refinery capacity has a 25 billion dollar impact on the economy.

The cyber warrior does not act within a hierarchical organization. They think sideways. In the above example the “ooh I’m scared factor” is way higher than the actual risk. Any good security practitioner would take it apart. They would ask where the intrusion detection system was, why they were using such a poor encryption standard, and continue ad infinitum.  The wily cyber warrior would giggle because in some cases there is no encryption, there is no intrusion detection system, and the SCADA systems are named so you can tell which ones are dangerous. Much like the insurgent the cyber warrior is going to look for weaknesses and attack those rather than go after the hardened targets.  Cyber warfare is fought inside the realm of cyber space. The effects based outcomes are realized in meat space.