Wednesday, July 28, 2010

making sense of the cyberwar debate

if you follow the security blogs you've probably realized that there's some considerable disagreement about the subject of cyberwar. while i did touch on the subject once before, i don't think that really served to clear up anything.

making things more clear is actually rather important because, although us average folks may not be directly targeted in the course of a cyberwar, the consequences of one would affect us as surely as the consequences of a regular war would. sorting out the cyberwar debate is important because we need to know whether we have cause to be afraid, so that we can act accordingly.

there are basically two opposing viewpoints to this debate. on the one hand you have people like richard bejtlich saying cyberwar is real, and on the other hand you have people like bruce schneier saying the threat of cyberwar has been grossly exaggerated or robert graham who outright says that cyberwar is fiction.

the difficult thing is that both sides actually make excellent, compelling arguments - and if you're like me you probably feel like both are correct. but how can they be when they seem to be contradicting each other?

evidence is usually a good determining factor in a debate and bejtlich presents some compelling evidence in the form of online attacks (repeated security breaches of the joint strike fighter program) probably leading to a military outcome (the advantage of the military hardware in question being lost, after which the US scaled back its plans for it). that seems pretty convincing to me.

schneier expresses the doubt about cyberwar the most eloquently in a video of a debate he participated in - in order to have cyberwar you need regular war. cyberwar doesn't make sense without regular war. that's really hard to argue against, it makes a lot of intuitive sense.

the schneier debate video is interesting to me because as i watched it something seemingly obvious struck me and i was amazed that none of the participants seemed to come to the same conclusion i did. schneier himself came closest when he wrote about two different meanings of 'war'. later, as i read yet another cyberwar post from bejtlich, specifically the quotes from the DoD joint publication 1, the idea that i was on the right track was reinforced.

the reason both sides can seem to be right is that they're talking about two different things. i mentioned that schneier pointed to two different meanings for 'war', and i suppose you could leave it at simple ambiguity of the term (though it seems strange to think of 'war' as being ambiguous), but sometimes ambiguity arises from the fact that there's actually a better/more accurate term.

it turns out there is a word that is similar to 'war', that describes a concept very much related to 'war', that is often used interchangeably with 'war', and often is replaced with the word 'war' simply as a mental/verbal shortcut; and yet a word that actually means something different than 'war'. can you guess what that word is?

as closely related as 'war' and 'warfare' are, there are important distinctions to make between them, and in this context specifically it's that warfare can exist outside the strict confines of a formally declared state of hostilities between two or more nation states (aka. a war).

warfare is going on all the time in the form of activities meant to prepare for war - and not even necessarily a specific war, but just war in general. espionage is one example; though it's not generally considered an act of war, the use of spies is so critical to warfare that sun tzu dedicated an entire chapter of "the art of war" to that very subject. there are any number of military exercises that also qualify as warfare, as does the development of new/better tools, techniques, and means of attack. peace-time cyberwarfare could reasonably be understood to include the ongoing enumeration of weaknesses, probing, and (hopefully) non-disruptive breaches and theft of secrets in a wide variety of one's adversaries' networks and systems. war-time cyberwarfare would, by extension, be the disruption of those systems and networks using what was previously found at times that are most advantageous.

from a north american perspective there is no currently ongoing cyberwar because there is no accompanying war to associate it with (at least none where there's compelling evidence that the adversary has included the 'cyber' theatre of combat). furthermore there's nothing i'm aware of to suggest that such a war is anywhere on the horizon. as such the threat of cyberwar can be considered not credible at this time. that said, there's no reason to believe that peace-time cyberwarfare isn't going on right now. nation states that intend to enter the 'cyber' theatre during war-time at some unspecified point in the future need to first be prepared to do so, which means gathering information on weaknesses and gaining access beforehand (ie. now). should we be concerned about that? sure, but only to the extent that we would be concerned about any military build-up, and even then we should temper that with the realization that at least part of the build-up is due to the newness of this sort of offensive capability (ie. they'll be starting more or less from scratch as opposed to building up above and beyond some established baseline) and not take it as a sign of impending attack.

we don't want an opposing nation state to be able to launch a debilitating attack successfully and so finding and eliminating the weaknesses they would try to take advantage of is certainly important, as is developing the abilities to detect attacks and recover from them. but there's no reason to believe they'll be trying to disrupt critical infrastructure anytime soon. as such our reaction shouldn't be characterized by fear, but rather by purpose and informed direction. being prepared is always preferable to the alternative.


Rob Lewis said...

Hi Kurt,

Yours is actually one of the better posts on this topic that I have come across because you dissect some of the nuances between the lines.

I have noticed that often in these discussions it is a matter of degree. Sure industrial espionage may be a battle for livelihoods as opposed to lives and has always existed, but how much can an economy be nickel and dimed on such a grand scale until at some point they can no longer afford the price of admission to the main event? The break-up of the USSR was helped along by economic factors stemming from an arms race, for example. There is an economic cost to espionage, and winners and losers.

It is also well known that the motivation for the Chinese is to use "cyber" techniques as an equalizer against adversaries that currently would overwhelm in conventional warfare, hence we have other forms of espionage re: APT and for the enablement of influence peddling etc.

I suppose things get even murkier if we tried to define suppression of people's rights within a single country as a form of cyberwar (Iran-cyberwar fared on democracy and freedom of speech) with on-line censorship used as a form of "cyber" douchery.

Anyway, I enjoyed the post.

kurt wismer said...

glad you enjoyed the post. it seems there's yet another angle to the cyberwar debate that has come to light recently.

it appears some of the public facing folks in the military are so out of touch with common computer threats that they'll attribute a simple USB worm spreading over their systems due to profound negligence as if it were the result of some foreign intelligence agency targeting their systems.

when these sorts of folks cry cyberwar it's almost exactly like chicken little running around exclaiming that the sky is falling.