How to wage cyber warfare: Barriers to entry, Part 2

There are large numbers of people who are all for the new thing called cyber warfare. Whether you are interested in waging cyber warfare for a nation-state or are considering a corporate company-on-company engagement, the realities are the same. Cyber warfare is the tool of non-state actors, and as such nation-states have a hard time even considering responses. In the United States the expected response to a cyber attack is likely a purely kinetic response such as a missile. Within the United States there are some specific barriers to the national body entering into cyber conflict.

The amendments to the Constitution are about restricting the power of the government. Under the articles of the Constitution, through the federal power over interstate commerce, the United States has the power to regulate. The ability to take action of an offensive nature against anybody utilizing the civilian infrastructure is not so obvious. Regulation, and defense when that defense results in collateral damage to Americans, is far from a sure thing.

An impediment and barrier to entry can be found in the nation-state's base of law. During the Korean War President Truman, acting through the Secretary of Commerce, seized the steel mills. In the Steel Seizure Case (Youngstown Sheet & Tube Co. v. Sawyer, 1952) the Supreme Court of the United States held that the President lacked the authority to seize private property on the strength of wartime exigency alone, and the government was stopped. The legislation surrounding the Iran-Contra affair (the Boland Amendments) also provides some understanding of the legislative hurdles. Some very basic, fundamental rules, though, can be found in the Constitution itself.

Consider the Third Amendment:

#3 Conditions for quarters of soldiers – No soldier shall, in time of peace be quartered in any house, without the consent of the owner, nor in time of war, but in a manner to be prescribed by law.

Though strictly speaking the quartering of troops means housing, it could also be said that the use by the military of civilian infrastructure for any purpose without compensation, even in time of war, shall not occur. If the legal precedents being created by computer forensic cases, which treat a computer as private property on the model of the house rather than the model of the human mind, continue unabated, the construction of this argument will be nearly foolproof under case law. In other words, the strict court interpretation will be that the computer infrastructure is like a home or business, and government action will be restricted. This is the law of unintended consequences.

#5 Provisions concerning prosecution – … nor shall private property be taken for public use, without just compensation.

I’ve only quoted the last and relevant part of the Fifth Amendment. This, coupled with the Third Amendment, strongly indicates that offensive/military action that might be against the rules of a backbone carrier like AT&T or Verizon could result in a terms-of-service violation and the military being kicked off the networks. Imagine AT&T disconnecting the Air Force for engaging in an activity that might destroy or destabilize the network. This is one of the nails in the coffin of large-scale offensive cyber warfare as a metaphorical third-generation warfare model.

#9 Rule of construction of Constitution – The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

This amendment is about the people. If something was not given as a tasking in the articles of the Constitution, then the Constitution should not be construed to give that right to the government; rather, that right is retained by the people. In other words, since cyber was not specifically mentioned, it can’t just be considered part of the equation. People have specific rights. Chief Justice Roberts, during his confirmation hearings, pointed to the Ninth Amendment when discussing the privacy rights retained by the people. It would be interesting to see how offensive government action in cyberspace might impact people and the law base.

#10 Rights of the States under Constitution – The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

Though heavily eroded over time in the fight between federalists and anti-federalists, the Tenth Amendment still says that the states have reserved rights, and even under the various militia acts, such as the Dick Act of 1903 and the federalization acts of the 70s, the states are the primary force for protecting themselves in times of war. In other words, when a state is specifically attacked, it is the responsible entity.

Now I am not an attorney, and I am writing a BLOG POST about topics that are challenged in the halls of power consistently. Nobody is going to agree with everything in the government, and most will agree with nothing written above. Yet still, between the Constitution, various international treaties, the federal laws explicitly making offensive action illegal (even by government agents), and the nature of the privately owned network, any action by the Department of Defense is a legal nightmare. Though there is always sovereign immunity from tort actions, the legal implications are astounding.

The non-state actor, though, doesn’t have to be concerned with all of that legal stuff. In taking action they are either acting under letters of marque with immunity from prosecution, or they are acting outside the scope of national borders. For example, an attack by country Z against country X is launched from inside country Y. Where did the crime, if any, occur? How would prosecution commence? When borders become meaningless, only goodwill protects the different entities. With the engagement in cyber warfare we can assume the erosion of goodwill. Then the barriers to entry are knowledge, skills, abilities, and tools. If we can come to an agreement that cyber warfare is more like guerilla warfare and less like maneuver warfare, other patterns emerge. Country Z attacks country X by using the infrastructure, tools, and capacity of country X to harm itself. Yet there is no direct link back to country Z.

The knowledge needed by a cyber warfare adversary is found in the goals and mission objectives. If the overall goal is to create chaos and destruction, then a series of seemingly random soft targets like power plants, water treatment (lift stations), dams, refineries, and chemical processing plants can be targeted. The perfect target is a dangerous industrial process where humans have been removed from the plant and replaced with automation. Look for industries that have gone through a modernization process resulting in layoffs of low-level workers, or that have had large, expensive industrial accidents caused by human error. Developing intelligence on a target can be as simple as a thought exercise or as difficult as modeling the attack vector in a simulation and visualization environment. Much of the knowledge needed to successfully exploit a target can be determined by reading a stock prospectus or annual report. As such, the knowledge barrier to entry is often tied to the skill level of the cyber adversary.

Skills are necessary to accomplish a cyber attack. Most sophomore- and junior-level computer science majors should have the associated skills in networking, operating systems, security, and programming to do most attacks. The ability to attack successfully and hide the evidence is an order of magnitude harder. Determining the vector of attack and picking targets is an associated skill. Though media reports would say that millions of attacks occur every day, what really happens is that the same attack is prosecuted a few times a day against millions of systems. The key skill is the ability to pick the correct target, the correct vector, the correct exploit, and the correct payload, all at the same time. A primary skill barrier to entry is the ability to pick locks, literally and figuratively: to think around how the lock might work and then exploit the common pattern of weaknesses.

The abilities required by a cyber adversary are things like access to networks. An understanding of a wide variety of disciplines and a generalized conceptual understanding of technology are required abilities. More than just having skills, the cyber adversary must be able to employ those skills in a fundamental way. The cyber adversary must be able to interact with technology and understand the second- and third-order effects of their actions (usually where the bang is found). Systematic deconstruction of technological constructs through analysis allows for exploitation and effects-based planning. A consistent barrier to entry is the ability to understand the ways technologies can be used against their normal pattern. As an example, most people turn a light switch on or off. How many have wondered about, or tried, turning it to the side? Would anything happen? Would it cause a fire? Would it do nothing at all? Would doing something like this create a man-trap to shock somebody unsuspecting of the tampering? That willingness to question the use of technology is an inherent ability required of the adversary.

The tools required by administrators for network repair and diagnostics are the same tools used by attackers. There are special tools as well, and though I could list them I would rather categorize them. The tools are translation tools that capture network traffic and render it in a form people can understand, programming environments, resources such as systems, and network listening devices. All of these tools can be hybridized and used with each other. Tool sets are available for download, but the truly skilled attacker will customize and create their own tools. More importantly, the gifted adversary will build skills on the sides of the network. The attack vectors that open on the sides of a network come from custom or tailored protocols like those used in SCADA or CCTV. The barrier here is often the depth of the shelf of tools. Remember that the tools are great, but creativity with those tools is the most important thing. I have seen people do amazing things with Microsoft Paint, the cheapest of tools. The quality of the tools is a sign of skill. Much like the blacksmith, the cyber warrior creates his tools as he needs them, building upon the previous generation.

The ethos and capability of cyber warriors is gender, age, ideology, and nationality neutral. Assumptions of character and motivation are moot. Attempts to categorize cyber adversaries and place them into bins are only somewhat successful. As such, it is critical to overcome the homogenous, autocratic, stultifying rationalizations of hierarchical organizations, which are bureaucratic and worthless to the final product. A primary barrier to successful entry is the amalgamation of superfluous bureaucratic miasma overlaid on an organization. The autocratic, dictatorial controls of an organization working as a business, government, or military are directly contrary to the distributed and open nature of the battle space. The United States military is the entity that sent soldiers to the desert in woodland camouflage. A cyber adversary environment should be more like a college campus than a military barracks.

As a barrier to entry, organizational structure is often overlooked. The distributed nature of networks, and of countering attacks on them, is understood by only a handful of military thinkers. None of them are in seats of power currently. Countering cyber warfare is more like counterinsurgency than interdiction or maneuver warfare. The tools and techniques are underhanded and rarely resemble pointing a gun. One way of visualizing a successful cyber attack is as a Rube Goldberg machine: constant interactions and changes leading all over the place in what appears to be chaos have some definitive result at the end. This is why most people have a hard time visualizing or understanding cyber warfare. The tools and necessary reactions occur in what can only be thought of as chaos, but it is managed chaos. Much of the time the end result is something that nobody would have expected until it is too late. Hierarchical management structures run on management philosophies like return on investment or run rate are not going to be capable of dealing with this. Any attempt by a sitting agency to create this type of structure should be viewed with skepticism.

When considering the issues of waging cyber warfare, another barrier to entry is time. A million chimps pounding on keyboards do not write C++ code, though they may do a passable facsimile of a commercial operating system. A barrier to entry is the preparation, and the likely highly illegal effort of preparing. Using the approach of the crippled caterpillar, which is slow, steady, and unnoticed, an organization needs to do reconnaissance. There needs to be a sensor and processing network in the realm of cyberspace. Tools need to be created that can be used when needed. Research into how protocols can be exploited should be done. A means of responding to a swarm attack should be prepared. All of the elements of creating a cyber adversarial team should be bent around the ability to attack without notice. Unlike Pearl Harbor scenarios, this form of warfare should be silent and not easily detected. Guerilla soldiers are only as effective as their ability to operate in the battle space. Exposure is contrary to that need.

There are many barriers to entry for cyber warfare. From the legal arguments, to the understanding of the battle space, to the personnel with knowledge, skills, and abilities, all of these, when coupled with the need for tools, are barriers. Organizational structures and models for offensive cyber warfare that can produce a range of effects are counter to government and military management models. Though there are groups of personnel within the military that are capable of waging cyber warfare, the organizational structures have kept them from coalescing into a fighting force. Government and scholars have questioned whether the individual non-state actor could prosecute a successful cyber attack against a nation-state. That question is moot and has been proven true in many cases. The actual question is whether the nation-state can prosecute a cyber war against the super-empowered individual non-state actor and survive. That last question is far from being answered. The primary barrier to entry is the will to change and adapt to the battle space.