Waging cyber warfare is seen as a technology problem by technologists, a policy problem by politicians, and a profit problem by businesses. This confluence of concerns is likely due to the prevalent nature of technology in our daily lives. The media hype of “war” and over-the-top language describing even small events has not helped the understanding of this unfolding domain. As I’ve been studying and writing about computer security and offensive information exploitation for about two decades, I notice that being reasoned and considered in my responses has nearly zero effect on the media dialog. So if you’re looking for over the top, keep marching.
I do find that there are a few key issues involved in dealing with information technologists. I keep seeing self-professed hacker types declaring that the low barrier to entry, the distributed nature of the attack surface, and such allow them to wage war on nation states. That leaves me looking at senior leadership in the military and government who actually believe that, and at the neophyte hacker types thinking that taking down a website is an act of war. That is rubbish. The low barrier to entry and the substantial capacity to disrupt and degrade command and control have been proven.
There is something to the idea that an unsophisticated adversary could disrupt society significantly. What most people don’t realize is that, regardless of the whims of Al Qaeda or other terrorist organizations to create chaos, the noise level of security vulnerabilities and active attacks is so high that it is hard to get noticed. We saw a version of this when Amazon was attacked by Anonymous/LulzSec and was apparently unaffected.
There is a substantial difference between information security and cyber warfare/defense. Most government agency and corporate information organizations might like to look “sexy” engaging in cyber warfare, but what they do and are defending against is simply information security issues. It isn’t war, and if it were war their defenses would melt like butter in the Texas summer sun. Though self-described cyber adversaries can create havoc, they are missing one element of the equation to wage war. Nation states can compel corporations and private entities to assist and prepare an environment for operations. We’ve seen this with telephone companies, search engine companies, and run-of-the-mill Internet service providers.
Government and the rule of law
The PATRIOT Act and other laws are filled with provisions to allow for this kind of legally mandated compel-and-assist. When you look away from the United States, many of the countries around the world own their telephone company completely.
A friend who served in the Pentagon once said that the difference between a hacker denial of service and a government denial of service is scope and speed. A letter of cessation of activities served on the big four or five telephone companies would cripple a hacker organization. We have seen the federal government, as a law enforcement action, take a site off the Internet in minutes. It is a matter of debate whether the solution would be worse than the problem. It isn’t just government, though. We’ve seen cases where telephone companies have accidentally black-holed (taken off the network) organizations’ or groups’ primary communication conduits. There is a big difference between a nation state and an individual going to cyber war.
The narrative, though, isn’t reasoned or considered in this debate, and there is a lot of political purpose in keeping the cyber hype higher. Espionage and exfiltration of information from a network has a gloss of being the defending entity’s fault. Much of what appears to be the current hacker ethos is proving that systems are insecure and then determining that poor coding practices or configuration controls mean the system administrators are idiots. This is a juvenile and immature position to take if any evidence-based analysis is attempted. There are over 50K vulnerabilities in the MITRE CVE; the Open Source Vulnerability Database has more like 70K vulnerabilities. Software on any sufficiently large system is likely to require specific versions, types, and configurations, and may not allow for patching against those vulnerabilities. Large amounts of software are legacy code, and updating or creating new versions is cost prohibitive. So exploiting a system that serves society, business, or people’s needs is going to be likely trivial at best. Defending, though, is incredibly hard. There is a lot of discussion about responsible disclosure, but I haven’t seen anywhere that kicking somebody’s door down, or even going through it if unlocked, is an appropriate practice. The “they suck” form of blaming the victim is neither ethical nor practical.
Consider this, though, when you put that same scenario against the advanced capabilities of a nation state. You are even more likely to see a corporate or government agency fold before the onslaught of an attack. Some would say that we haven’t had the first cyber war, and I would be in that group. Though we see large-scale espionage, actual use of the Internet to kill people and break things has been minimal or undetectable from other vectors of attack.
The blind spot
An element that needs to be understood by corporate, government, and political entities is the blind spot. As we focus on the Internet as the primary threat vector, an entire set of systemic disruption points is being ignored. Looking at the Internet as a threat vector is a network-centric or signals kind of worldview. There are other vectors that can be exploited.
The supply chain from point of creation through updates and retirement of equipment is a vulnerability that a multitude of threats could act upon. We have seen over time counterfeit equipment, egregious software patches, and hardware that might have been tampered with (picture frames, etc.) in the supply chain.
Current architecture and engineering practices are filled with a significant number of operational threat vectors. The basic assumptions and expectations of the current network engineering “state of the practice” are filled with errors and omissions based on vendor-designed curriculums.
Sit down and look at a common network engineering textbook and you’ll see terrible engineering principles. Resilient, hardened, prepared network instantiations are taught after students have made traffic flow. The standard is to make it “work” (pass traffic) and then layer security, which suggests security is a state that “doesn’t work”. It is a fundamental bias found in all of the curriculums. Many network engineers will argue this is the way it should be and never understand the errors, omissions, and bias it injects into a security curriculum.
Software programming courses are no better, and since the early to mid 1980s significant chunks of courses have been dropped and coding strategies abandoned. In the effort to push more students through programs and pack those curriculums with more material, defensive coding has been allowed to languish. The difficulty of programming languages like C++ has led to interpreted languages, which obfuscate errors and problems. Wrapping these highly interpreted languages in compile-time security wrappers is one step, but it fails to address the issues of logic and interface errors that are so frequent.
The technology stack, over a long time period, is most assuredly a risk and inherently affects security. Few if any are really ready to start addressing information security issues, so new models and methods of operations need to be talked about. We’re starting to see that kind of discussion in concepts like “assumption of breach” or resiliency engineering. One thing we need to see is looking at the information security realm without all the “war” garbage and taking care of systems with well-engineered solutions. This is not something that happens quickly, and the organic growth of networks has been a barrier to upgrading towards secure systems. Some government agencies have tried the replace-it-all approach but basically only replaced it with the same faulty assumptions.
Policy is a risk too
Public policy is a set of incentives and disincentives that are in place to create certain types of behaviors. If you look at the narrative surrounding all things cyber, it is a conflict narrative. Inherently, conflict of the civil and military type is a government-owned and controlled behavior. In a country based on the rule of law, the state is the arbiter of conflict. If the Internet is a conflict domain, it is no longer a benign tool but a place where government has an inherent interest in control mechanisms. Every person who pushes that agenda forward is negatively impacting the future of the Internet.
Poor policy has reconstituted previously mitigated threats as laws and rules are put into place that instantiate poor security practices. Societal control mechanisms are not necessarily the best information security mechanisms. The suggestion from pundits that the FISA and law enforcement APIs were used by China to “hack” Google is a good example of this in action. Other examples follow the trend of the supply chain discussed earlier. The federal rules of acquisition create a preponderance of homogeneous network functions even though heterogeneous and resilient structures are much more secure. The principle of single sourcing to the lowest bidder has instantiated a significant vulnerability that can be associated with threats.
The mixture of information security and cyber warfare topics and the associated abandonment of actual security practices has created an onerous situation. Too much security is about static compliance concepts bent towards creating stable, secure enterprises in highly dynamic environments. A checklist mentality, you would think, might be the first casualty of cyber warfare. The threat, though, is not well understood, and conflict is really misunderstood. In mixing these two topics, neither is served.