Cyberwarfare is only a tool for powerful nation states, according to Marcus Ranum, chief security officer of Tenable Network Security. Smaller countries won’t use cyberweapons, Ranum said, because the threat looms that more powerful nation states will retaliate with conventional weapons.
“It’s only a useful technique for a side that was going to win a real war anyway,” Ranum said in an interview with SearchSecurity.com. “Things always tend to work out in the favor of the most powerful.”
Ranum said he is deeply concerned about the “militarization of cyberspace,” but is more troubled by other unconventional tactics, like the use of Predator drones and other robotics to attack the enemy. Ranum explains why Stuxnet validates his premise and describes the problems that stem from the use of cyberweapons.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.
Marcus Ranum on cyberwar, critical infrastructure protection
Michael Mimoso: Hi. I'm Michael Mimoso, and Marcus Ranum is with me today. Thanks for joining me, Marcus.
Marcus Ranum: Thanks for having me.
Michael Mimoso: So, my first question: we're going to talk about cyberwar and cyberespionage a little bit. People seem to be juxtaposing those two terms. Do you see a difference? Obviously, there is. How is this contributing to any of the lack of confusion or understanding that's out there in the security community?
Marcus Ranum: There's a huge difference, and I think that the fact that they're getting conflated is probably being done deliberately because there haven't really been, there have been some credible incidents I suppose you could point at and say, "Cyberwar is a big problem," but espionage is a lot more intangible. What's happening is, I think, a certain amount of battle for the budget, so people want to say we should be worried about all these things as if they're lumped together. We should be worried about cybercrime, cyberwar, cyberterror, cyberespionage, but actually if you picked them apart you realize that the agenda of a cybercriminal is very different from the agenda of a cyberspy, which is very different from the agenda of a cyberterrorist, etc. Picking those apart and kind of teasing them separately and approaching them differently, I think, is very important to actually handling the problem effectively. We can say categorically we have a problem with cybercrime. We probably have a problem with cyberespionage, but espionage is an ancient art, and spies have always taken advantage of whatever is the latest, greatest technology, be it wax tablets in the Roman era or CD-ROMs today. It's all the same stuff.
Michael Mimoso: Your stance on cyberwar is pretty well known; you pretty much think it's B.S., but given Stuxnet and some of the more high-profile attacks on critical infrastructure, how has that changed your view and your stance on cyberwar?
Marcus Ranum: It hasn't changed dramatically, but it's very interesting to me. I actually see the whole Stuxnet thing as validation for some of the things I've been saying. One of the premises that I pointed out when I was going around saying cyberwar is B.S., cyberwar is B.S., is that, it's really only a particularly useful technique for the side that was going to win a real war anyway. One of the things we started seeing right away after Stuxnet was people making comments along the lines of, “Well, it saved us from having to bomb the Iranians. Oh, very nice,” so the premise is we're already so powerful that we can do pretty much whatever we want to do to you, and we did you a big favor by just attacking you with a cyberattack. I can't call that a legitimate argument but it is true. Yes, if you are the powerful force, you can do that. Now let's flip this around the other way. Imagine that the Iranians had released some sort of a virus that caused the Hanford nuclear plant to have extremely catastrophic failure. 101st Airborne would be on their way right now. It comes back to what I've been saying all along, which is the side that's going to win in a real-world conflict is the only one that can afford to engage in a cyberwar because really, cyberwar is not that asymmetrical. It's useful, but it's only asymmetrical if you're the guys who are going to win anyway.
Michael Mimoso: In the last 12-18 months there has been a lot of talk about the development and the use of offensive weapons in cyberspace. Is this a viable strategy? What are some of the loopholes and pitfalls that you see?
Marcus Ranum: Well, it's going to be viable if you're the powerful. We've already seen some of that, right? There's a conference right now where the U.S., and Russia, and China and so on are trying to talk about, how are we going to handle cyberwar and cyberweapons. One way of looking at that is that you've got a party of concerned superpowers that are saying, “How are we going to protect ourselves against smaller countries using it?” I'm not entirely sure that that's what we're seeing. Many of my peers have interpreted that as, well, the governments are trying to get serious about this problem. I actually see it as the beginning of the nonproliferation organization. The guys who are already in the nuclear club want to make certain that anyone else who tries to enter the nuclear club is going to be punished horribly for doing so. I think what's happening is that the superpowers are essentially getting together, and the doctrine that's going to result from these meetings is going to be, "It's us doing you a favor if we use cyberweapons against you, but if you use cyberweapons against us, we'll send the U.S. Marines." That's how I think it's going to wind up working because, as you understand, we're both adults here, things always tend to work out in favor of the powerful.
Michael Mimoso: Let's talk about Stuxnet. What was your take on Stuxnet? Did you find it as sophisticated as it was hyped? Is it the game changer that people are talking about?
Marcus Ranum: I don't know how sophisticated it was. It's very interesting. I will say that. It sounds like some of it was based on research from Idaho National Labs; these were problems that our own government agencies were identifying. There was some exploit code that was fairly known. There was some malware. It doesn't sound like it was that difficult of a project really. Then the other question is how was this stuff actually injected? My father is a historian, one of the things he said a lot when I was a kid growing up, that I didn't understand, is that history isn't written until 50 to 100 years after all the bodies are buried. I really don't think that we're going to know enough at this time to really know what we would like to know about the whole Stuxnet thing. It sounds like possibly the initial infection was through some German workers who were working on the plant. One way of thinking about it is maybe this is a virus that got loose in the wild and replicated and found its way into the reactor. The other possibility is that that is all a cover operation and that it was injected by an agent, and then when you release it into the wild so that people can go, look it must have gotten in there from the wild à la plausible deniability, no big deal. I don't think we know enough yet to know what we don't know. That's a huge problem again, for the whole cyberweapons notion. Because who do you retaliate against when all the facts aren't known? That's really kind of the interesting aspect of all this. Of course what we've seen is that if you're a superpower, you can go, well sure, Iraq really didn't have anything to do with September 11 but we're just going to go crush them anyway. The Iranians can't do that.
Michael Mimoso: Is it worse, in that there seems to be a lack of public oversight over these kinds of operations, whether Stuxnet was or wasn't a sanctioned offensive attack from the U.S. and Israel, and whoever?
Marcus Ranum: Yes. For the record, it's going to sound a little bit bizarre but I'm a peacenik. I personally feel that governments are far too free to engage in wars on our behalf already. I have a big problem with that. I personally see no value to myself for doing regime change in Afghanistan or Iraq or something like that; they did nothing to me. They can do their own thing as far as I'm concerned. So I'm deeply concerned by the militarization of cyberspace but I'm not deeply concerned enough about the militarization of cyberspace that I'm running around talking about it. Because we should be much more concerned about the fact that our government is carrying on robotic warfare in ostensibly friendly states and committing murder and assassination using Predator drones. We should be much more worried about that. The fact that everybody goes, "Oh yeah, part of your strike kills 19 people today, some school kids, so what." Didn't we learn anything from Vietnam? What bothers me about Stuxnet and the whole cyberwar thing is that we're even talking about it at all. Where's the outrage about the real problem, which is that we're carrying on assassination missions in friendly countries? We're killing women and children who've got nothing to do with anything that's going on. Then the whole cyberwar thing seems like you'd be doing people a favor if we fought a cyberwar against them. I don't know about you but I would much rather have my World of Warcraft access get screwed up by cyberninjas than have someone blow my house and my family apart.
Michael Mimoso: With a drone.
Marcus Ranum: Yes, and that's what is happening. Part of what bothers me about all of this is it's got kind of the flavor of a sideshow, and it makes me wonder how much of it is, here watch the flashy thing while there are some really horrible human rights abuses taking place in the real world. Why should we possibly care about the cyberworld?
Michael Mimoso: Right. What is the motivation? It seems like the timing is a little strange. We're here at RSA, last year the Aurora thing happened a little bit before RSA, you've got this thing coming to light before RSA. Is somebody looking for some funding?
Marcus Ranum: Does it happen to track budget cycles? Absolutely. One of the things we saw with the last huge media run-up surrounding the Chinese cyberwar against the United States. Then there was this huge ramp-up of people talking about it being a problem, and then there was a budget allocated of billions of dollars. The people who happened to be complaining about the problem the most stood in line to get their turn at the trough and then they stopped talking about it, probably because their mouths were full. Yes, it's milking the budget.
Michael Mimoso: Let's talk about critical infrastructure protection. Why has security of our critical infrastructure fallen down so hard? Where are they coming up short, and what can be done about it?
Marcus Ranum: I think that what we're seeing is some chickens coming home to roost there. Because there were a lot of cases where people would come along and say, "We can save all this money, we can let Homer go, and we won't have to pay Homer to sit and watch a dial, because Homer can't do it as well as a computer that we do over a virtual network from someplace else. We can have a call center, and we can have one Homer watching 10,000 dials." What I think is happening is we're seeing a bounce-back effect, where cost savings were sold to people all over the place, and they're not coming true. They're not coming true because actually doing the cheaper thing correctly costs more than having done the stupid thing that the cheaper thing replaced. I think in a lot of those cases there's some buyer's remorse; I find this fascinating. I was talking with some people about smart grid systems the other day and they said, we really can't afford to secure a smart grid correctly because the customers wouldn't want to pay to do that. I said, what don't you understand about the fact that you did the smart grid stuff ostensibly to save money? What you're really saying is, we screwed up, so start by saying, we screwed up, now how much is it going to cost to fix it? Then the next question is, why should I give you more money to fix it given that you're a screw-up? That's one of the problems I've got, by the way, with a lot of the DoD cyberwar nonsense because you've got guys like, just to pick on specifics, you've got guys like Mike McConnell who was part of the problem when he worked for the agencies. The agencies' bad security happened during his watch. So now he goes out, and he's working for Beltway Bandits saying, give us billions of dollars and we're going to fix the problems that I helped create years ago. This is good, if you give money to the same people who caused the disaster, you're not going to get a solution, you're going to get a bigger, more expensive disaster.
I think what we need to do with all this smart grid stuff. Critical infrastructure is a real problem. We need to ask ourselves, how did it get this way? Let's go back and do a root cause analysis. Because if you simply throw money at the problem you need to ask is that money going to be correctly thrown. No, is the answer. The same guys who built an insecure smart grid are the people who are saying, if you give us more money we're going to fix it now. No, no, no. The question we need to ask ourselves is, what was the cost justification that caused you to fire Homer in the first place? Take a human out of the loop and build an automated system that's vulnerable to attack. How did you justify that, and how do we prevent those kinds of mistakes from happening again?
Michael Mimoso: Can they ever catch up?
Marcus Ranum: I don't know. At a certain point what I'm afraid is happening with a lot of these things is it's becoming one of those "too-big-to-fail" scenarios. We've already spent so much money on this, we can't back out. Now what we're going to do is... What is it they say? The first rule of holes is when you're in one, stop digging. Well, let's get a steam-powered backhoe and see if we can dig this hole all the way to the bottom, that's going to fix it. I think, unfortunately, that's kind of where we are right now; we're in a hole and just too stupid to stop shoveling.
Michael Mimoso: Alright. Thanks for joining me today, Marcus.
Marcus Ranum: Thanks for having me.
Michael Mimoso: For more information go to SearchSecurity.com