
Putting Cyber Warfare Into Perspective

The Greatest Problem With the Perception of Cyberwar is That it is a Separate Thing to Conventional Warfare. That is Just the Novelty Factor.

As we celebrated what would have been Alan Turing’s one hundredth birthday this year, much focus was placed on his contributions to computing. Google’s homage on June 23 cites his work on the Turing Machine and the Turing Test in particular. Yet the impact of his work at Bletchley Park during World War II was summarized with “His work deciphering secret codes drastically shortened World War II”.

This pattern was repeated in many of the blogs, articles and obituaries that were published in honor of Turing. There seemed to be a definite bias in the industry and community towards the technical details of his mathematical and computing work, as opposed to their actual impact at the time. I am not sure if many of his compatriots who lived through and fought in the war would have agreed with this value judgement. His efforts not only saved countless lives – but may have actually contributed to the Allies winning the war. It is difficult to assess how history would have played out without him, and although such speculation is beyond the scope of this article, it is worth mentioning as it highlights a bias in the information security community regarding war and warfare. Most of us are not war nerds; we are techies at heart.

This is most visible when the topic of Cyberwar is discussed. The majority of us operate in business security. By necessity this leads to a world view where cost, efficiency and topics such as regulatory compliance are the main drivers. The remainder works in the sphere of pure security theory – vulnerability research, best practices; all of the stuff that rarely actually survives business realities and trickles down to the ground level. Essentially, we are stuck with our heads between Silicon Valley and the financial section of the news. This has left us woefully under-equipped for the accelerating trajectory towards sophistication and scale of damage that cyberwar has taken.

As a community, we condemn cyberwar for the most part, making it out to be a moral or ethical choice. Morals and ethics are important – but need to be kept in context. There are few examples in history where something that could give an edge in warfare was not added to the armory. Once one side does this, everyone has to. This is how arms races are started, of course – an indirect example of the tragedy of the commons: if I don’t, my neighbor will. Idealists will of course have very strong opinions and ideas on whether this is the inevitable outcome. I will not agree or disagree with that position, but rather focus on what is actually happening in the world.

One of the main criticisms that opponents of the Cyberwar Meme raise is that much of the reporting on the subject is sensationalist, or worse, war- or fear-mongering. Aside from the implication that anyone warning about the dangers of cyberwarfare has ulterior motives, it also implies that there is no real danger. As with Turing, the debate soon turns into a technical one – admittedly unrealistic hypothetical scenarios drawn up by the non-technical media are debunked and declared hyperbole, and with that the entire topic is labelled as unrealistic. The debate rarely seems balanced.

At the same time, at the army, intelligence and political policy level, that discussion has long since concluded and decisions have been made. The question is, who are you going to believe? Most security vendors and professionals have little experience that applies to the realm of military, intelligence or terrorist operations. No offense intended, but someone who has spent the past decade analyzing malware and dealing with cybercrooks from Eastern Europe has most likely not developed the necessary mindset to think in those terms. Trying to apply what was learned there on a technical level beyond that is fraught with danger. There is no real parallel.

Even the concept of what constitutes cyberwar is hotly debated. Most people imagine a direct assault on main infrastructure components such as electricity and water, leading up to or facilitating a physical attack. That reflects only a very basic understanding of warfare and how it is conducted – people think of official war declarations and armies facing off against each other. That is a common misconception that is not reflected in reality. Asymmetric warfare is by far more common, especially when dealing with insurgencies, militantly radical minority groups and terrorists. Even in times of peace, most nations are still actively engaged in intelligence operations and covert activities – it is, after all, also their duty to avoid direct conflict if possible, and to pre-empt any possible attempts by third parties to do them harm, not to mention further and safeguard their interests. This leads to what is often termed “Shadow War”, and it goes on all around us pretty much at all times. What has changed are people’s awareness and expectations in this regard.

The greatest problem with the current perception of Cyberwar is that it is a separate thing to conventional warfare. That is just the novelty factor.

Cyberwar is not war in and of itself. It is not even another battlefield. Nor is it as novel as some people claim. It is just a logical conclusion and evolution of the widespread adoption of computers and technology in modern culture. When computers are as widespread and omnipresent as they now are, it’s not just one way of doing war, it is the only way. It is integral to it. For the same reason, there is little evidence in historical records that when firearms became prominent, it was ever called “gun warfare” for very long, instead of just plain “warfare”. The aims, goals and intentions have not changed much, not even the general theory behind them – just the medium and available attack vectors, and the environments where it takes place.

Cyber Combat

Modern warfare now relies on computerized drones, precise targeting systems, computer-assisted visual enhancement equipment, encryption-capable smartphones, computer-regulated exoskeletons and a whole plethora of other gadgets and high-tech tools that were only to be found in science fiction a few decades ago. This change in how we wage war will be in flux in the years to come.

The military has historically been a strong driver in the invention and adoption of new technologies, especially in regards to standardization, mass production and ease of use. It is not far-fetched to imagine a semi-intelligent automated “hacker-in-a-box”, for example delivering a targeted 0day to a specific location in the form of a small USB or other hardware device that a soldier only needs to connect to the target network. The same method could also be used to deliver a remote-access device for a security specialist to remotely access a location otherwise too dangerous or inaccessible for him.

Cyberwar is merging with the discipline of Electronic Warfare and Electronic Countermeasures. It’s all computers now.

But cyberwarfare truly comes into its own off the battlefield. The image of pitched battles between vast groups of army hackers on the internet is just not realistic, just as there are no recorded reports of large-scale confrontations between spies or secret agents.

It is in the covert arena though, where offensive cyber-operations can have a really huge impact.

Assassinations, kidnappings, extortion, and surveillance of individuals and organizations can all be greatly aided by something as simple as having access to someone’s calendar schedule, financial and medical records, or their email, and such methods are a staple of covert activities.

These are direct threats to individuals and very targeted, but there are also soft targets that can affect a greater number of people. While they do not do any physical damage, they can still cause attrition nonetheless. The recent Royal Bank of Scotland computer outage, which affected millions of customers and left them unable to access their accounts for several days, was supposedly caused by a simple computer error, yet it caused a substantial amount of chaos and financial damage. If a simple computer error can have such calamitous effects, so could a cyber breach. Internet connectivity is not necessary to reach these systems either.

The security of the IT supply chain is not just threatened by the possible inclusion of back doors or logic bombs (if ever there was an argument for Open Source Software, this is it), but also by the widespread just-in-time production methodology. This, combined with the way the supply chain has evolved to favor production hotspots over recent years, also provides valid and concerning vectors of attack. This was highlighted by the 2011 Thailand flood hard drive shortage fiasco. A targeted attack like Stuxnet against the manufacturing plants in Thailand would cause the same amount of pain in the supply chain as a natural catastrophe, and is technically feasible. A targeted attack against Foxconn just before a new Apple product launch, for example, may not just harm Apple, but could also have a direct impact on US GDP.

Then there are the stock markets and commodity exchanges, the nerve centers of the modern world economy, which also make excellent targets.

Let’s not delude ourselves into thinking that these are soft targets – at least when thinking of the more obvious potential attacks. Whilst directly manipulating the stock data itself could have huge implications, it would prove very difficult, but it is also not necessary. There are far easier targets to choose from, from DDoS’ing an exchange itself to DDoS’ing many of the smaller businesses that facilitate the exchange of all of the financial instruments.

For a real financial nightmare scenario, reflecting on the Knight Capital High Frequency trading incident, what damage could a nefarious agitator inflict if they were able to get their digital hands on one of those systems and manipulate trades directly?

For those doubters that claim that a cyber attack could not interrupt infrastructure, the claim sounds hollow when a faulty network switch can cause traffic chaos for an entire city. We are not being imaginative enough in seeing the risks and dangers that our infrastructure and dependence on technology entails – and that will make it easy for any potential adversary to inflict damage.

I use these examples to highlight that what is possible by accident can also be engineered by design. Complicated, farfetched and convoluted schemes are more at home in an Ocean’s movie, but in the real world inspiration for attacks is far simpler to come by if you follow world events. Examples such as these may seem limited in their effect and impact, but in combination they can cause a death through a thousand little cuts. With the right fortuitous (for the attacker, that is) timing, they can also be the coup de grâce. Combine the above example with a concurrent terrorist attack, or other physical world components, and we are talking big time detrimental impact. Similarly, if an attack on a stock exchange were combined with the concerted manipulation of some major media news streams, the consequence could be quite grave, especially if timed to coincide with another major event, such as an election.

Before cyberspace, and on a more mundane level, those were the methods by which the Cold War was waged, and according to some analysts and historians, won. It is also the favored tactic of insurgents, militants, terrorists and criminals. It is not the direct damage that we need to fear or concern ourselves with most – the obvious attacks are unlikely, precisely because they can be identified as such, and the obvious targets are, for the most part, sufficiently secured. Much as is the case for privilege escalation and APTs, the collateral damage of cyber-attacks, and the combination of multiple low-severity weaknesses that together yield a critical flaw, are the greatest challenges we face. These will be less obvious for us to discover, assess and secure.

Of course, this is a difficult change. As humans, we expect things to stay the same. But when something has had such a universal impact as the computer age, we must also understand that it will impact the way we wage war, no matter what the sub-categorization or motivation.

Oliver-Christopher Rochford works for Tenable Network Security and lives in Germany. He has over a decade of Information Security experience garnered from such diverse companies as Integralis, Qualys, Secunia and HP ESS, and has frequently written and given interviews on the topics of Information and Offensive Security, as well as Cyber-Terrorism and Hacker Culture.