Last week, at the Hack in the Box: Malaysia conference, Marcus Ranum, CSO of Tenable Network Security, gave a keynote speech titled "Cyber War is Bullshit". Slides from the speech [pdf] are available from the HITB materials page. To be fair, I wasn't actually at the speech, so everything I say in the following post is based entirely on those slides and the few quotes that were posted in this article from The Star online (which could end up being very unfair).
The presentation attempts to break down the various forms of cyber "attacks" that can take place across a network. Ranum tries to clarify the differences between crime, terror and war as they apply to actions on the Internet (cybercrime, cyberterror, cyberwar) or any other network. He also carves out a piece of cyberwar specifically for digital spies (cyber-espionage). The crux of the presentation seems to be that cyberwar is so ineffective and far-fetched that spending money on researching it is worse than a waste, since that money could be used for conventional warfare research instead. His argument is that the cost is so high, and the return on investment so low, that cyberwar has no substance, and that it is utterly useless because the only people who would use these tactics are the people who would win a conventional conflict anyway.
Ranum's argument is based on 5 paradoxes he's identified in the underlying concepts of cyberwar. I've written about aspects of cyberwar on this blog before, but I'm not above saying that it's bullshit. In fact I think that much of what many people envision in cyberwar is more bullshit than not, and much more centered in science fiction than reality. While I respect Mr. Ranum's achievements and technical knowledge, I think he's completely missed the mark on the military aspect here.
Paradoxes
par*a*dox [par-uh-doks] - noun:
- a statement or proposition that seems self-contradictory or absurd but in reality expresses a possible truth.
- a self-contradictory and false proposition.
- any person, thing, or situation exhibiting an apparently contradictory nature.
- an opinion or statement contrary to commonly accepted opinion.
Ranum's Paradoxes
- The disarmament effect
- The cost factor
- Packets don't hold ground
- The "Blind Mike Tyson Effect"
- The "who'd win anyhow" question
Common usage tends to lean toward the 3rd definition in the list above, so the claim, I think, is that each of these things exhibits an aspect that is inherently contradictory to what cyberwar attempts to achieve.
The Disarmament Effect
From the presentation:
- The disarmament effect
- Imagine what happens if you're the commandant of the cyber-strike force
- ...and D-Day is patch Tuesday?
I'm sure the last line was meant to be somewhat humorous, but the point is still valid: cyberwar depends on exploiting software vulnerabilities in your targets. If you go to launch an attack and suddenly realize that the target's machines are patched and your attack is ineffective, then what do you do?
Of course, this happens in conventional warfare as well. What if you send a special forces team into an area to demolish a building, and it turns out there are 50 guards instead of 15? Are special forces teams an ineffective warfare option because they aren't 100% effective against all targets? What if you call in an airstrike on an area that has been declared secure and someone in the area has a Stinger? Does this make aircraft a useless warfare accessory?
Tactical warfare operations aren't static. Troops aren't fire-and-forget. Missions are drafted, people are sent to complete the mission, and if variables within that mission change then the mission can be adapted to fit the new scenario or the mission can be aborted, and nobody has to know.
The Cost Factor
From the presentation:
- To attack a network, you have to have effective management control over it (unless you’re just DOSsing it, in which case your attack may be deflectable)
- Therefore: cyberwar == involuntary remote system administration
- So, we need, what, a combat version of UniCenter? See where this is going?
I think the real problem I have with the main bullet point is the word "effective". To attack a network you certainly have to have management control over it, but his other points seem to evoke other ideas like reliable and consistent. Involuntary remote system administration is just a euphemism for gaining access, and the effectiveness of my control depends on my objective. I don't need complete control over an asset to take action on it.
We completed ICE II (a cyber exercise) in Las Vegas a couple of weeks ago. We put 50 hackers (over the course of the game) into a room, gave them target networks and told them that there were no rules. Over 3 nights the Red Cell generated 120 billion events on a commercial IDS sensor. Hackers got in numerous times and defending teams scrambled to shore up their systems. When the hackers got in, did they have effective system control? Frequently they didn't even know what they had; they launched blanket attacks to hit any and every target they could reach.
ICE II isn't a vision of cyberwar, it's more a look at what Georgia or Estonia saw from Russian hackers, but even with all the chaos the attackers still stole database information, shut down services, and rebooted systems at will. All without anything resembling consistent or reliable control of the systems.
Packets Don't Hold Ground
From the presentation:
- Before an attack is launched it needs to fulfil some useful military objective (to take or hold ground or destroy physical materials)
- Taking and holding ground implies tactical and strategic superiority for the follow-through
- Therefore cyberwar only makes sense to the side that is likely to win anyhow
Attacks need to fulfill some useful military objective: True. The only useful military objectives are taking or holding ground or destroying physical materials: False.
A raid is a military operation that has no intention of holding ground. A raid uses troops to move into a location, complete an objective, then leave the location. Are those troops taking ground? In an extremely literal sense, yes, but not in the tactical meaning of "taking ground". Are they destroying physical objects? They could be, or they could also be rescuing a hostage, for example, Jessica Lynch. Her rescue was a raid by special operations forces, an operation that took or held no ground and didn't destroy physical materials.
In 1998 Bill Clinton ordered a bombing campaign against sites in Afghanistan and Sudan in retaliation for the embassy bombings in Kenya and Tanzania. These strikes were all carried out with cruise missiles launched from ships. While the missiles did destroy physical materials, I would argue that the tactical purpose was to send a message to terrorists. And these missiles were not a precursor to a ground assault, so while they demonstrated tactical superiority, the US never had any intention of invading after the strikes.
The "Blind Mike Tyson Effect"
From the presentation:
- Many proponents of cyberwar propose it could be used to temporarily degrade an enemy’s command/control or intelligence for tactical advantage
- Blinding a superpower, even temporarily, invites a massive fear-triggered response
- "Blind me, I nuke you."
- This option only makes sense to the side that is likely to win anyhow
Not to argue semantics, or be pedantic, but command and control (C2) is an old term for the military's command infrastructure. The current command concept is C4ISR: Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance. The military has evolved its command concepts to include communications between nodes, the computers that run everything, intelligence from various sources, surveillance from satellites and drones, and reconnaissance from troops on the ground. Each piece of C4ISR is important to coordinating and commanding a modern military.
If the "Blind Mike Tyson" hypothesis were true, then the United States would currently be at war with China, Iran, North Korea, Syria, Venezuela and probably several other countries. North Korea sent out weapons inspectors, openly declared that it was developing nuclear weapons, and launched test rockets towards one of our allies into the Sea of Japan. The US response was diplomatic pressure and negotiations.
Thomas Wingfield, in his paper "An Introduction to Legal Aspects of Operations in Cyberspace" [pdf], explains a number of the issues surrounding offensive operations in cyberspace and the transition from cyber to physical conflict.
From the paper:
The first of these questions has been problematic for quite some time. Until recently, the consensus among top legal scholars in the US and abroad was that a quantitative approach to cyber-warfare made the most sense. That is, when evaluating whether an information operation rose to the level of a use of force or armed attack, one should disregard the means and focus exclusively on the ends. Whether an oil refinery is set ablaze from a one-ton bomb or from a line of malicious computer code doesn’t matter. A flaming refinery, they concluded, is a flaming refinery. Any cyber-attack that causes damage indistinguishable from a kinetic attack should be legally indistinguishable as well.
...
Once the determination has been made that a state of de facto hostilities do exist and the law of armed conflict does apply, the analysis turns to the four central principles of the law of war: discrimination, necessity, proportionality, and chivalry.
Considerably more details can be found in the paper but, to stay brief, discrimination means that a commander must differentiate between combatants and non-combatants. Necessity means that an operation can use all the force necessary to complete a mission, but not excessively more. Proportionality means that a commander must balance collateral damage against military advantage. Chivalry simply forbids the use of certain kinds of deception (like launching attacks from vehicles labeled as Red Cross trucks).
And all of that together means that nobody is allowed to get nuked because of some hacker turning off the Internet at the White House and making the President miss an episode of Heroes.
The "who'd win anyhow" question
From the presentation:
- Cyberwar is almost entirely only useful in two situations:
- a scorched-earth defense, in which the defender just wants to inflict damage as they die
- by the side that is likely to win anyhow
- This means the US is the most likely to use cyberwar
Cyberwar tactics seem to be effective in several different areas. One is information gathering about enemies, by gaining access to their networks and looking into their files and information. The difference between cyber-espionage and digital reconnaissance is really just who's on the other side of the keyboard.
One of the quotes in the article has Ranum saying that "cyberattacks aren't a good force multiplier in an actual war". A force multiplier is anything that makes your force better than a force of similar size. If you're talking about infantry troops, then force multipliers can be things like better weapons or better body armor, but can also include things like the weather, the troops' morale, and how afraid the enemy is of them (possibly via psychological operations).
The overall benefit of a force multiplier is based on how much it costs and how effective it is. If it costs a lot and isn't effective, then it's bad; if it's cheap and really effective, then it's good; and everything else lies somewhere in the middle. For argument's sake, let's say that the benefits given to a force by cyberwar tactics are minimal. The cost of cyberwar tactics is extremely low: you have to train troops and spend money on research and development, but after all that it's still inexpensive compared to new and better weapons or armor.
While the benefits and possible future of cyberwar are certainly overblown by a lot of people, I think writing off network attacks against military computer systems as simply superpowers with too much money playing with their toys is equally naive. And given recent news articles, I don't even think the US is the most likely to use cyberwar. China and North Korea are probably years ahead of the US when it comes to effectively utilizing cyberspace for military benefit, and the grassroots mobs that formed during the Russia-Georgia conflict and in Estonia are definitely effective, albeit not physically damaging.
This post has gotten a bit lengthy, so I'll wrap up with a final thought: I hear your claim of bullshit, and I respectfully disagree.