After writing the article “Cyberspace and 4th Generation Warfare – A Marriage of Convenience” I received many questions and comments that really stirred the conversation. I’d like to further clarify some points and make some more links based on (among other things) observations stolen directly from John Robb’s blog. I hope Mr. Robb doesn’t mind my poaching his IP too much as I make my way forward in linking his theories to how I see the future of cyber conflict.
“Terrorists won’t use cyber…”
The first comment I received, and one that is likely to persist for some time, was that terrorists prefer, and will likely continue to prefer, the more kinetic approach to critical system attacks. I agree. However, my article was about the fact that those who wish to disrupt critical systems and services could (also) do so through cyber attacks. I will grant that these are unlikely to be the same people who are now attacking through kinetic means. This does not mean that cyber attacks on critical systems won’t happen. It is easily conceivable that online collectives such as Anonymous and LulzSec, who are known to harbour militant types, will eventually get bored with relatively innocuous attacks and start targeting digital weak points in critical infrastructure to get their point across. The fact of the matter is that collectives such as Anonymous have, despite the nuisance they have caused thus far, barely scratched the surface of the power they could wield.
The DigiNotar attack, which is claimed to have been perpetrated by a single attacker calling himself ComodoHacker, is a prime example of how powerful cyber attacks can be when applied against critical infrastructure. This is asymmetric warfare at its finest. By cracking the security of a Root CA he managed to undermine all the systems (blindly) depending on it: Windows Update (thus bringing all Windows-based systems within reach of compromise) and the entire Dutch government’s digital ID system for citizens, to name but a few. Whether this was a state-sponsored attack by Iran or the act of a single individual is still a matter of debate. The CEO of Comodo apparently believes that it was state-sponsored; the attacker himself claims that it was retaliation for the Dutch involvement at Srebrenica. Either way, the attack was a massive success and demonstrated the weak points in the CA system.
“How is Open Source a good example?”
I received some comments that made it obvious my reference to the Open Source community missed its mark a little, probably because I had to cut some corners left and right to keep the article from bloating into a whole thesis. I was referring to the underpinning philosophy from Eric S. Raymond’s Cathedral and the Bazaar, not to any end product, individual, group or community specifically. To be more specific, the following points have served both the Open Source community and the Global Guerrilla community very well. I’m sure they will do the same for cyber conflicts:
- Release early and often. Try new forms of attacks against different types of targets early and often. Don’t wait for a perfect plan.
- Given a large enough pool of co-developers, any difficult problem will be seen as obvious by someone, and solved. Eventually some participant of the bazaar will find a way to disrupt a particularly difficult target. All you need to do is copy the process they used.
- Your co-developers (beta-testers) are your most valuable resource. The other guerrilla networks in the bazaar are your most valuable allies. They will innovate on your plans, swarm on weaknesses you identify, and protect you by creating system noise.
- Recognize good ideas from your co-developers. Simple attacks that have immediate and far-reaching impact should be adopted.
- Perfection is achieved when there is nothing left to take away (simplicity). The easier the attack is, the more easily it will be adopted. Complexity prevents swarming that both amplifies and protects.
- Tools are often used in unexpected ways. An attack method can often find reuse in unexpected ways.
“But what’s with this Bazaar business?”
In his book, Mr. Robb points out that you can essentially outsource terrorism. There is a whole black “Terrorist Market”, or Bazaar, out there where you can buy or hire virtually every individual piece of a terrorism puzzle, from engineers specializing in crafting IEDs to the people willing to plant them at a road or intersection. This has also been the case in cyberspace. You can visit a carder website to get yourself set up with a whole batch of stolen credit card and/or social security numbers, attend 0-day auctions to get the latest hacks or approach hacking groups to outsource the entire attack; everything is possible online in the Cyber Bazaar.
“Exactly what are our problems in Cyber Security?”
This paragraph was surprisingly hard to come up with, because for the most part “Cyber Security” is just a fancy way of saying “IT Security”. In other words: most issues we see now are not new. They’ve been around for a long time: IT-clueless managers, poorly trained technical staff, snake oil security vendors, misconfigured systems, lack of insightful security strategy et cetera. Most of these topics have been debated and written about ad nauseam (I’ve written quite a few pieces myself), so I won’t be addressing these in this article. The trouble for me was to define what the difference really is between IT Security and Cyber Security, and to pluck out the issues specifically related to the Cyber part of Security. Surprisingly, not many remain. Because most ‘cyber issues’ are arguably just IT Security issues and a matter of scale, it is my belief that the remaining issues specific to Cyber are Societal or Organizational. In fact I couldn’t think of any particular IT issue that wasn’t an issue when we still called it IT Security.
Societal Cyber Issues
When I speak of Societal Cyber Issues, I refer to the effects on society when certain critical cyber systems go down. For instance: what happens in society when a hacker brings down the power grid? I’m strictly limiting this section to the philosophical side, not the resolution of detected issues, because these are Organizational issues (next paragraph). There are Master’s degree programmes specifically for writing scenarios such as these, and hiring these specialists will probably yield very valuable results. Of course, running (multi)nation-wide cyber scenarios is a great method for uncovering the societal and organizational issues too.
Organizational Cyber Issues
The organizational cyber issues are essentially the resultant “how do we fix this” issues derived from the aforementioned scenarios. Many organizations are, for instance, not at all prepared to respond to major, prolonged power outages. It is my belief that many companies will go belly-up entirely in such an event. Furthermore, these kinds of issues tend to stack, so multiple major problems can arise from one root cause. Good examples of relevant Organizational Cyber Issues can be found in environmental disasters such as Hurricane Katrina hitting New Orleans. Due to organizational failures, this major US city still hasn’t fully recovered.
Looking for solutions
Essentially we need to start thinking more in terms of individual platforms. In his book Mr. Robb uses power generation and power distribution as an example. Currently we see “the power grid” as one big piece of critical infrastructure. In reality this can be separated into two concepts: Power Generation (power plants) and Power Distribution (power cables, transformer substations etc). Right now the system is heavily centralized, with power being generated at large concentrated plants and distributed one-way over the power distribution network. Because of its centralized nature, this system contains multiple weak points that can bring down large parts of the grid when attacked. Take down a major power plant or simply cut the right cable and you may black out an entire city.
In this scenario, major weaknesses can be eliminated by allowing individual homes to power the grid with their surplus energy generated from solar panels and windmills. This decentralizes the power grid by creating thousands of miniature power plants. This is only possible if you redesign the current power distribution network to accept two-way distribution. This is further eased by using Open Standards that enable everyone to ‘plug in’ their home’s power generator(s) using easily obtainable, non-proprietary hardware. This idea is not new. You can actually find several places that already have such a power grid, and citizens get paid for power they deliver to the grid (their meter simply spins backwards).
It is ideas such as these that we must explore if we wish to become more resilient against attacks on our critical cyber infrastructure. I would love to hear of examples, so if you know of any please contact me.