Bruce Schneier, Marcus Ranum debate the realities of cyberwar

Cyberwar: Myth or Reality?

This article can also be found in the Premium Editorial Download: Information Security magazine: Comparing seven top integrated endpoint security suites:

Marcus Ranum

Point

Ever since Winn Schwartau's science fiction novel Information Warfare accidentally wound up on the nonfiction shelves in 1994, cyberwar and cyberterror have been embedded in the security zeitgeist. I used to ridicule the idea--and mostly still do--but it's becoming clear we are on a trajectory in which: 1) the security of governments remains truly bad and, 2) we rely on that security more and more.

As we saw in Estonia, a concerted attack can easily disrupt a government's systems. The question is whether an all-out cyberwar is becoming practical. Ten years ago I'd have laughed at the idea, but today I'm less sure. When you hear of someone (allegedly the Chinese) accessing 10 to 20 TB of sensitive but unclassified data from the Department of Defense's NIPRnet, it's clear there's potential for huge problems. What really has me on the fence, though, is the poor security I've seen in SCADA systems. It would be possible to do tremendous damage by attacking civilian infrastructure.

That is the high-value target for a cyberattack, and proponents have always talked of a cyberattack acting as a force multiplier--a way of confusing and degrading command and control, paving the way for a conventional attack. But here's the problem: that's state-sponsored cyberterror, not cyberwarfare.

I don't care how much you pretty it up; you can't crash someone's power grid, kill their phone system and ground their aircraft without causing civilian casualties and damage. I'm still idealistic enough to think it's immoral to first target civilians. In fact, I suspect if a nation-state were to cyber-attack the U.S., Washington would bang the terrorism drum. Cyberwarfare is kept as a gray area, and I worry it's one where our administration considers it appropriate to do unto others what we'd never tolerate being done to us.

As I write this, government spokespeople are making accusations that China is sponsoring penetrations and attacks against U.S. government agencies, including the DoD. I don't think the government has a lot of credibility in this area, but if we're going to start throwing around those accusations, we ought to clarify at what point we're going to start to treat government-sponsored penetrations as more than Internet hijinks. When is it proper to make formal accusations of espionage, and when are you dealing with an act of war? This vagary makes me uncomfortable, because politicians have a long history of making stupid decisions about gray areas.

I am not one to run around yelling "the sky is falling," and I don't think we're yet at a point when we are likely to come under a cyberattack. But, as the world's most technological superpower, and a country whose popularity is on the wane, we're the most likely target. I'd like to see a government policy on how the U.S. will respond in the event of a state-sponsored computer attack, and whether the U.S. will (I hope it won't!) consider other nations' civilian computer infrastructures as legitimate targets. It might help reduce the likelihood of attacks, as our stated policy on the use of nuclear weapons has (arguably) affected other nations' policies on threatening nuclear engagement with the U.S.

It seems ridiculous to equate a silly thing like attacks on computers with use of nuclear weapons, but if we stay on our current curve of computerizing everything and connecting it to the Internet, there may come a time when we'll wish we'd clarified some of these issues back when it wasn't such a big deal. Like now.

Bruce Schneier

CounterPoint

The biggest problems in discussing cyberwar are the definitions. The things most often described as cyberwar are really cyberterrorism, and the things most often described as cyberterrorism are more like cybercrime, cybervandalism or cyberhooliganism--or maybe cyberespionage.

At first glance there's nothing new about these terms except the "cyber" prefix. War, terrorism, crime and vandalism are old concepts. What's new is the domain; it's the same old stuff occurring in a new arena. But because cyberspace is different, there are differences worth considering.

Of course, the terms overlap. Although the goals are different, many tactics used by armies, terrorists and criminals are the same. Just as they use guns and bombs, they can use cyberattacks. And just as every shooting is not necessarily an act of war, every successful Internet attack, no matter how deadly, is not necessarily an act of cyberwar. A cyberattack that shuts down the power grid might be part of a cyberwar campaign, but it also might be an act of cyberterrorism, cybercrime or even--if done by some 14-year-old who doesn't really understand what he's doing--cyberhooliganism. Which it is depends on the attacker's motivations and the surrounding circumstances--just as in the real world.

For it to be cyberwar, it must first be war. In the 21st century, war will inevitably include cyberwar. Just as war moved into the air with the development of kites, balloons and aircraft, and into space with satellites and ballistic missiles, war will move into cyberspace with the development of specialized weapons, tactics and defenses.

I have no doubt that smarter and better-funded militaries are planning for cyberwar. They have Internet attack tools: denial-of-service tools; exploits that would allow military intelligence to penetrate military systems; viruses and worms similar to what we see now, but perhaps country- or network-specific; and Trojans that eavesdrop on networks, disrupt operations, or allow an attacker to penetrate other networks. I believe militaries know of vulnerabilities in operating systems, generic or custom military applications, and code to exploit those vulnerabilities. It would be irresponsible for them not to.

The most obvious attack is the disabling of large parts of the Internet, although in the absence of global war, I doubt a military would do so; the Internet is too useful an asset and too large a part of the world economy. More interesting is whether militaries would disable national pieces of it. For a surgical approach, we can imagine a cyberattack against a military headquarters, or networks handling logistical information.

Destruction is the last thing a military wants to accomplish with a communications network. A military only wants to shut down an enemy's network if it isn't acquiring useful information. The best thing is to infiltrate enemy computers and networks, spy on them, and surreptitiously disrupt select pieces of their communications when appropriate. The next best thing is to passively eavesdrop. After that, perform traffic analysis: analyze the characteristics of communications. Only if a military can't do any of this would it consider shutting the thing down. Or if, as sometimes but rarely happens, the benefits of completely denying the enemy the communications channel outweigh the advantages of eavesdropping on it.

Cyberwar is certainly not a myth. But you haven't seen it yet, despite the attacks on Estonia. Cyberwar is warfare in cyberspace. And warfare involves massive death and destruction. When you see it, you'll know it.

This was first published in November 2007
