In a discussion with a senior official of the Air Force, he made an offhand comment that perhaps the day that an individual non-state actor working independently could use cyber means to injure a nation-state has passed. According to him, only another nation would be able to have the requisite kinetic effect through a cyber channel to injure or alter a balance of power. This creates a conundrum in that to effectively prove the thesis that a non-state actor could harm a nation through cyber means would require an empirical experiment that few are going to be willing to attempt.
We have examples in other areas where the effort bore little relation to the actual effect that something has, and as such altered the spectrum of conflict. I would suggest that cyberspace as a growing element of conflict has existed for a long time, and even though there seem to be some issues with defining it to restrict the scope artificially, cyberspace as a terrain of conflict is nothing new.
Consider the historical model of the introduction of nuclear weapons. Pound for pound the expenditure of nuclear weapons in World War 2 was trivial. Just to balance the numbers as restrictively as possible we will only consider aerial bombs dropped by the allied powers, in the Pacific Theater, during World War 2. A graph of the conventional armaments versus the nuclear armaments would look something like the following figure.
Figure 1: Pie chart of atomic weapons over all aerial conventional weapons in the Pacific theater expended by the allied powers during World War 2.
Yet we know from history and the nature of atomic weapons that the effect is much larger than simple poundage. There are orders of magnitude involved, and as such we can draw a graph comparing the yield of the weapons using the highest level possibly reported in the literature and provide a better picture of effect. In figure 2 the yield of the two nuclear weapons expended in World War 2 by allied powers is shown based on their effectiveness or yield.
Figure 2: Pie chart of atomic weapon yield (2 weapons) in comparison to the total expenditure of allied powers aerial conventional weapons expended in the Pacific theater during World War 2.
Cyberspace creates an environment where the actual cost, weight, or drag upon action is negated and allows for an incredible increase in yield over the amount of effort required. The weapons system is the target. The cyberspace terrain is both the battle space and the weapons system. It is imperative that thought leaders in the military adopt the holistic view of the cyberspace terrain if they are truly to understand the capability.
So perhaps we can define a thought experiment and a set of assumptions that can be transferred and provide a vision without resulting in fear mongering. I am a fan of the Popperian dictum of refutation, but I also enjoy the Socratic syllogism from time to time as a logical derivation. I do not know if I can get to that point here, but we can work through the assumptions and look at some other characteristics of conflict to derive whether a cyber threat is real or imaginary. This is a blog post, not an academic paper.
The first rule for this effort is that the discussion is about a non-state actor. The non-state actor may be sympathetic to a nation-state and work in concert with its goals, but the non-state actor is primarily ideological and not effectively supported by a nation-state. The second rule or dictum is that the nation-state being opposed through cyber means is a technological networked society. It is assumed that the more network-centric and technically sophisticated a nation, the more likely that a cyber form of attack would be an avenue of altercation.
A cyber threat is inherently an asymmetric attack
The larger the nation-state infrastructure the more likely that any attack against that structure is going to be measurably more effective. The threat can be from singular entities but unlike infantry the entity can hold a limitless number of rifles. The cyberspace realm can become an unlimited force multiplier. If the nation state creates a better tool the adversary can adopt/adapt the tool relatively quickly for their own use. The battle and technological sophistication such as stealth and electronic warfare jamming of signals is shared as it is created by the adversary. In a strange synergy methods of protection are often turned against the victim as quickly as they are sprung on an antagonist. In the past the implementation of firewalls centralized the vector of attack and provided a specific target that once exploited allowed for unimpeded intruder access.
When considering the adversarial relationship the goals and outcomes can vary depending on the ideology and sophistication of the adversary. There is an inherent draw to the chaos engineer to simply strike and tear down without compunction. There is also a certain element discussed in the literature of narcissism to be found in the destructive nature of cyber criminals. There is nothing new here as it is no less pathological than the arsonist or violent thug. The primary area is that the terrain has been moved from a physical setting to a human created technological terrain in cyberspace.
To understand the effects of cyber warfare history once again can provide examples of first and second order effects. First we must agree for at least the time being that cyber space is more than the world wide web, much more than the simplistic view of the Internet, and includes the many varied sensor systems, command and control, and channels of coordination. Whether the military or any agency agrees upon this as a terrain is less important than the fact it will be used by adversaries.
For example, consider the first order effect of a transformer blowing up in a Canadian province, causing a debilitating cascade failure that rendered the entire northeastern power grid inoperable. The current thought is that the physical attack has no relevant cyber analog. Yet the result of the failure of the keystone was to drop large sections of the Internet and create orders of magnitude cost in lost time, wages, etc. This is an important consideration of how cyber warfare can have severe secondary and tertiary effects when a key component is removed or destroyed. The systems of systems approach is not unknown to the military leadership. What does appear to be the case, though, is that the military leaders apparently do not think highly enough of adversaries to realize “systems of systems” is an attack vector against them. A relatively unsophisticated adversary can reverse engineer a nation-state's systems. The primary effect of an attack is not the interesting part. The secondary and cascading tertiary effects are the true effects of a cyber attack.
Cyberspace is more than the Internet
When considering the effect of a cyber attack there is a bit of a misnomer. The “hack” or network intrusion is more analogous to maneuver than it is to pulling a trigger. Entering a sovereign territory is an act of war, but the violence has not begun yet. For example, entering a telex or telephone system and recording the phone calls of all the generals in the Pentagon is a first order effect of a cyber attack. Unfortunately most cyberspace advocates in the military services completely forget about such attacks. The second order effect is the publishing of the voice conversations to YouTube or sending the information to a hostile nation-state (or hostile ex-wives). The tertiary effects are the generals all getting fired. Though a relatively silly example, the logic holds for a variety of confidentiality attacks.
In cyber warfare the attacked entity provides the operational effect. In our previous example the relative risk to the assailant was minor, the attack is scalable, and the barrier to entry costs are nearing zero. Kevin Mitnick in “Art of Deception” discussed how he could manipulate caller identification features on programmable telephone exchanges. Relatively few people considered that the same level of permission could be used for a variety of different types of access, including recording from the system. To this day telephone exchange systems, home landline telephone systems, and cellular telephone systems are relatively unprotected from an assailant. Yet current definitions of cyberspace curtail or turn a blind eye towards this form of entrance. Further, aspects of the attack vectors through the plain old telephone system (POTS) are not as sexy to the snazzy cyber fuzz.
In cyber warfare the non-state actor can draw upon the nation-state's resources for replenishment and armament. In a classic example of kinetic and non-kinetic controversies mixed with guerilla warfare, nation-states are not prepared to deal with individual entities. The political will and the necessary treaty agreements are not in place. The Westphalian version of the nation-state is woefully unprepared for the legal, tactical, and political stresses of cyber conflict. The tenets of the nation-state repudiate the power of the nation bearing on the individual citizen. In the interests of brevity a polarized example of excess bears mute witness to this truism.
Should tomorrow the Russians hold a news conference and say that the day after tomorrow the entire weight of their computer assets and national cyber warfare weapons would be employed against a single identified American citizen. Should the nation of Russia then act on this, informing the world community that they would extinguish the life of this American person. Should they destroy and steal the American's identity, hack into the auto management system of his car. Should they cause the elevator system to fail. Perhaps arrange for the wrong medicine to arrive. Should the American die.
In our example it would be nice to see the American public and nation respond to this utter breach, but the reality is that nothing would happen. Another nation can strike with impunity against Americans because the nation-state system is entirely incapable of dealing with such a targeted attack. With the result nearing on assassination, what is the actual crime? Each individual transgression of computer systems, if detected, could be charged. The murder, though, would be hard to prove, and in what form would the evidence take root? Where is the evidence? What form would the forensic investigation of international nature take? This example, though controversial and of course quite over-the-top by choice, brings to light a harsh and glaring truism. The nation-state is not capable of responding in a limited manner to protect its own citizens.
Outside the scope of this discussion, but worth mentioning, is that the issue is not new. In the past, as a method of providing for specialized talent to operate without censure by the host nation-state, Letters of Marque have been awarded to strike at this devolving nation-state on non-state actor problem.
Various other issues
Moving from the nation-state versus the individual to the nation-state as victim, there are a variety of issues. The telecom treaty structure is set up to specifically create a type of truce on the telecom infrastructure. An attack by any entity would have to traverse a variety of other nations' communications systems and could be considered in violation of those treaties. Though this author considers the idea of scalded wires and burned up Internet to be carrying the kinetic analogy a bit far in cyberspace, the secondary effects and attribution problems still remain. The attribution and authenticity of an attack and vector could point at one nation and actually be generated from a third country or even domestically.
Before the break up of AT&T the Internet was a controlled state sponsored medium of communication with all of the associated controls. With the exception of projects like “Community Memory” in California there are few examples of telephone infrastructures not created by the state. The Internet itself was supported and created by the military and academic institutions for the sole purpose of collaboration. Those many bleeding souls crying foul at the taint of the military involvement in the Internet are woefully lacking in their knowledge of telecommunications history, the Internet, and the national telecommunications infrastructures in many countries. It was only as recently as the 1990s that commercialization of the Internet was allowed.
Prior to the 1990s service providers simply created portals to content and the Internet itself was not on the table as a service. Before there was an OSI 7-layer model there was the DOD model. All of those long latent rules, laws, and treaties are still in place. History is alive and recent on the Internet. Those bleeding souls crying foul in the face of democracy should be wary of spastic ignorance of historical fact. Where the Internet began is where it can go again whether we wish it or not.
The command and control systems of a nation state are very interesting as points of attack. As a nation and within the information assurance and security systems the easily understood denial of service attack has been well handled. Of course that is the easiest attack to analogize and create metaphors towards. The attacks against command and control that rely on integrity or confidentiality are relatively ignored or layered with encryption which gets mixed in with no supporting tools. Attacks can be against the confidentiality aspects as much as against the connectivity aspects. This relatively simple platitude needs to become a mantra as we move towards a weaponized cyber space.
Kinetic patterns of conflict are replicated in cyber space by adversaries looking for the best bang for the buck. As with our earlier example of the force multiplier found in atomic/nuclear munitions, the cyber munition is inexpensive and has layers of effect beyond the actual “bullet”. It should be noted that this author tends to stay away from specific examples of computer network exploitation, as nothing is achieved by giving a cookbook of capability. I would note that it is not skill that keeps most of my students from being able to destroy networks and exploit them but their common respect for users and their rejection of narcissism. When kinetic results are desired using a cyber weapon, the resultant force is likely based on the exploitation of common weaknesses in systems. Reading through any of the CERT bulletins, BUGTRAQ bulletins or a variety of other sources, they usually start with “A vulnerability allows for remote code execution”. In other words the remote entity can use the system the same way the user or in some cases the administrator would use the system. With examples such as the 1999 Chicago Board of Trade outage due to administrator error in mind, what would the result in economic real dollars be if the New York Stock Exchange was out of service for a week? This is not some fanciful concept or idea but the exact thing that has already happened. The right keystone prodded from place could create such an event. Understand it has already happened in Chicago.
The brittle security found in many systems where companies and organizations lock down users and force simplistic hostile user policies has been discussed at length in the past. Yet once again we see entities forcing authoritarian policies leading to homogeneous computing structures that were ridiculed in the 1990s as the Microsoft system swept through and replaced the more resilient heterogeneous structures. System administrators enamored of rules and policy have created the fertile ground that was found in the 1990s and early 2000s that led to the success of the Slammer and NIMDA worms. Flexible, resilient, user managed systems that are made up of user centric software packages on a variety of platforms are sustainable in a conflict aware environment. Brittle security allows the plague to wipe out your population when the golden bug creeps through the right spot at the wrong time. History is filled with examples of technologies shifting paradigms and those who failed to adapt. The various policies being enacted by the government and military, strengthening the brittle nature and purporting it as security, should be realized for the Trojan Horse that they reflect. Linux is not the answer. Variety and the associated structures of differing code bases are the only suggestion worth mentioning.