Category Archives: Cyber-warfare

Rise of SaaW?

There are a couple of interesting articles on Stuxnet out recently. This article poses the astonishing possibility that it was a directed attack at the Iranian Bushehr nuclear plant. The arguments given, however, are highly circumstantial.

This article also puts forth the notion that Stuxnet was likely created by some government.

Is this the first instance of SaaW, software as a weapon?


Nico Popp suggests that incidents such as the recent Google hack may lead to governments and large corporations adopting a form of Mutually Assured Destruction cyber defense.

On one hand there is a lot of sense in this, especially for governments. However, I suspect retaliation would be more of an economic (or, worst case, military) nature.

At some level that’s exactly what is going on with the Google case. Google obviously believes that the Chinese government is behind the attack, and Google has retaliated by threatening to stop censoring content in China, even at the risk of getting thrown out of the country. Of course, now they seem to be backing down and both sides are looking for a face-saving compromise.

But one problem with the MAD theory of cyber-warfare is attribution: you most often have no idea whom to retaliate against, at least not with a sufficient degree of certainty.

So for now, MAD looks pretty unlikely in the cyber-warfare game.

What’s not being said

I usually find what’s not being said far more interesting than the platitudes that are uttered. According to this article, Google and China are negotiating a face-saving compromise to allow Google to remain in China. What is being said is that this is about the level of censorship. What is not being said, and what is probably the truth, is that this is really all about the Chinese government hacking Google.

I mean seriously. Google China censored content from day one and now it all of a sudden decided to “do less evil”? As Corporal Nobbs likes to say “pull the other one, it has bells on it”.

No, what changed is that the government has hacked Google and gotten caught doing it, and probably affected some high-level Google execs.

Here is my prediction: the face-saving compromise will involve a little easing of the censorship rules, a promise not to hack Google any more, and Google quietly giving some sweetheart deals to some high-level Chinese officials.

The big kill switch

There is a troubling bill being drafted by Sen. Rockefeller that would give the US government the power to essentially kill the internet (at least the US corner of it). The bill would give the government the ability to order all private systems deemed “critical” to be disconnected during an “emergency”.

I am simply not confident in the government’s ability to properly define “critical” and “emergency”, much less to make the proper decision as to whether throwing the big kill switch will make matters better or worse. I think the government needs to demonstrate much more core competency in the computer security space before it is entrusted with this kind of power.

Those darn kids

Bruce Schneier dismisses North Korean government involvement in the recent DDoS incident, as well as in some others in the past:

It was hyped as the first cyberwar, but after two years there is still no evidence that the Russian government was involved. Though Russian hackers were indisputably the major instigators of the attack, the only individuals positively identified have been young ethnic Russians living inside Estonia, who were angry over the statue incident.

Poke at any of these international incidents, and what you find are kids playing politics. Last Wednesday, South Korea’s National Intelligence Service admitted that it didn’t actually know that North Korea was behind the attacks: “North Korea or North Korean sympathizers in the South” was what it said. Once again, it’ll be kids playing politics.

Oh those darn kids.

I would point out that absence of evidence is not the same as evidence of absence. True, there is no smoking gun linking the Nork military to the recent attacks, but they certainly would not be inconsistent with the recent spate of insane saber-rattling by them either.

I also find it curious that Mr. Schneier does not mention the cyber-attacks against the Republic of Georgia that were timed exactly with the military invasion by the Russians. Boy, those darn kids seem to be Johnny-on-the-spot when it comes to backing the actions of dictatorial regimes.

Counter argument on cyber-security

This is an interesting article by Evgeny Morozov that posits a counter-argument on cyber-security. The gist is that the cyber-warfare drums are being beaten by those with much to gain from the US investing in cyber-warfare capability:

The age of cyber-warfare has arrived. That, at any rate, is the message we are now hearing from a broad range of journalists, policy analysts, and government officials. Introducing a comprehensive White House report on cyber-security released at the end of May, President Obama called cyber-security “one of the most serious economic and national security challenges we face as a nation.” His words echo a flurry of gloomy think-tank reports. The Defense Science Board, a federal advisory group, recently warned that “cyber-warfare is here to stay,” and that it will “encompass not only military attacks but also civilian commercial systems.” And “Securing Cyberspace for the 44th President,” prepared by the Center for Strategic and International Studies, suggests that cyber-security is as great a concern as “weapons of mass destruction or global jihad.”

Unfortunately, these reports are usually richer in vivid metaphor—with fears of “digital Pearl Harbors” and “cyber-Katrinas”—than in factual foundation.

While the author makes some good points, there are some disturbing phrases such as this one (emphasis added):

Much of the cyber-security problem, then, seems to be exaggerated: the economy is not about to be brought down, data and networks can be secured, and terrorists do not have the upper hand. But what about genuine cyber-warfare? The cyber-attacks on Estonia in April-May 2007 (triggered by squabbling between Tallinn and Moscow over the relocation of a Soviet-era monument) and the cyber-dimension of the August 2008 war between Russia and Georgia have reignited older debates about how cyber-attacks could be used by and against governments.

I find it interesting that the Russian invasion of Georgia would be described in such terms. It says a lot really.

The article is worth reading and we should be careful not to get carried away by the hype. Skepticism is always warranted. But I feel the complacency suggested by the author is unwise. The time to prepare defenses is when there is not an immediate danger. For when there is one, it may be too late.

The genie is out of the bottle. Cyber-warfare will happen to someone. To not prepare for it is to invite it to happen to us.

The tweet revolution?

If the people of Iran ultimately win their freedom, will this be the tweet revolution? Twitter is apparently playing a critical role in the resistance effort:

The U.S. State Department even reportedly weighed in, with an unnamed official telling Reuters Tuesday that it had asked Twitter not to “shut down its system in Iran.”

Early on Monday, bloggers outside Iran began posting and tweeting links to Web proxy servers that Iranians could use to dodge censorship — and others put up how-to guides for setting up even more proxies.

Many Twitterers were changing their “location” setting to Tehran and their “time” to +0330 GMT in order to confuse Iranian Web censors seeking to squelch in-country postings.

I am fascinated by the tactic of people setting their Twitter profile to mislead the government thugs trying to track down the resistance leaders.

Cyber-warfare for dummies

There is a strange resistance among many computer security pundits to believing that Russia has engaged in cyber-warfare against its neighbors. This is mostly due to a combination of left-over resentment of US actions in the Cold War and not wanting to face the consequences of accepting the new reality. There is also a bit of confusing absence of evidence with evidence of absence.

Apparently this belief system is not shared by the US DOD, according to this Aviation Week article:

It’s a part of a technology race that is already well underway. The Russian attack on Georgia last year showed weaknesses in some combat areas, but not in cyberwarfare, say U.S. analysts.

“The Russians conducted a cyberattack that was well coordinated with what Russian troops were doing on the ground,” says a longtime specialist in military information operations. “It was obvious that someone conducting the cyber[war] was talking to those controlling the ground forces. They knew where the [cyber]talent was [in Russia], how to use it, and how to coordinate it.

“That sophisticated planning at different levels of cyberwarfare surprised a lot of people in the Defense Dept.,” he says. “It looked like a seamless, combined operation that coordinated the use of a range of cyberweapons from the sophisticated to the high school kids that thought it was cool to deface official web sites. The techniques they used everybody knows about. The issue was how effective they were as part of a combined operation.”

In response, the DOD is apparently working on a “cyber-warfare for dummies” approach that bundles several attacks into a user-friendly console:

This particular network attack prototype has a display at the operator’s position that shows a schematic of the network of interest and identifies its nodes.

“You could be talking about thousands and thousands of nodes being involved in a single mission,” says a second network attack researcher. “Being able to visualize that without a tool is practically impossible.”

A touch-screen dashboard beneath the network schematic display looks like the sound mixing console at a recording studio. The left side lists cyberattack mission attributes such as speed, covertness, attribution and collateral damage. Next to each attribute is the image of a sliding lever on a long scale. These can be moved, for example, to increase the speed of attack or decrease collateral damage.

Each change to the scales produces a different list of software algorithm tools that the operator needs. “Right now, all that information is in the head of a few guys that do computer network operations and there is no training system,” says the first specialist.

Experts are combining digital tools that even an inexperienced operator can bring into play. In the unclassified arena there are algorithms dubbed Mad WiFi, Air Crack and Beach. For classified work, industry developers also have a toolbox of proprietary cyberexploitation algorithms.

Interesting times.

Cyber-attack in Morgan Hill

Bruce Perens has an interesting article about an event that garnered far less attention than it should:

Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes serving the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost un-reported.

That attack demonstrated a severe fault in American infrastructure: its centralization. The city of Morgan Hill and parts of three counties lost 911 service, cellular mobile telephone communications, land-line telephone, DSL internet and private networks, central station fire and burglar alarms, ATMs, credit card terminals, and monitoring of critical utilities. In addition, resources that should not have failed, like the local hospital’s internal computer network, proved to be dependent on external resources, leaving the hospital with a “paper system” for the day.

The attack is as mysterious as it was successful. I suspect that the “disgruntled ex-telco worker(s)” theory is probably the best explanation.

I loved how the local Ham Radio enthusiasts came to the rescue.

The cyber-cassandras vs the cyber-pollyannas

When I blogged here about the recent announcement that backdoors had been left in the US grid infrastructure, I predicted that many would respond with the standard “hackers with no ties to any government” theory. Well, when you’re wrong, you’re wrong. Instead I saw some interesting reactions that seem to say “what’s the big deal?”

For instance, Joel Hruska from Ars Technica has this take:

At the end of the day, we’re watching a movie remake. The special effects have been updated, and some of the actors are new, but we’re still talking about security threats from “out there” and the need for a new type of national security. The Internet is merely the latest-and by most measures, the most benign-means by which one country could attack another. Personally, given the choice between ICBMs, chemical weapons, “the bomb”, or V-2 rockets, I’ll take the Internet.

I would point out to Mr. Hruska that these options are not mutually exclusive. Note that recently the country of Georgia was not bombed solely with packets.

And Bruce Schneier writes:

Read the whole story; there aren’t really any facts in it. I don’t know what’s going on; maybe it’s just budget season and someone is jockeying for a bigger slice.

Honestly, I am much more worried about random errors and undirected worms in the computers running our infrastructure than I am about the Chinese military. I am much more worried about criminal hackers than I am about government hackers. I wrote about the risks to our infrastructure here, and about Chinese hacking here.

And from this Evgeny Morozov article titled “10 easy steps to writing the scariest cyberwarfare article ever”:

1. You need a catchy title. It pays to cannibalize on some recent tragic event from the real world; adding “cyber” to its name would usually trigger all the right associations. Studies show that references to “digital Pearl Harbor”, “cyber-Katrina”, and “electronic 9/11” are most effective, particularly for stories involving electricity grids or dams. Never make any explicit attempts to explain the bizarre choice of your title - you need to leave enough ambiguity out there for your readers to “connect the dots” themselves. This is a win-win: readers love solving important cyberspy puzzles – and you could get away without doing any analysis of your own. Quoting real facts would spoil the puzzle-solving experience; plus, the fewer facts you quote, the harder it would be to debunk your story!

Perhaps this is just a tempest in a teapot. Perhaps I am just being a cyber-cassandra. But for all the dismissive rhetoric from the cyber-pollyannas, there is one thing you won’t hear: a reason why these penetrations were attempted. You won’t hear it because the plausible explanations are a bit more worrisome than the cyber-pollyannas want to admit.