Editor’s note: What follows is extracted from a storify post . This is a first post in this format for the CTOvision blog. Let us know what you think on any aspect of this, including format in your browser, format in your newsletters and of course content- bg.
The Foreign Policy Research Institute recently held a webinar on Why “Cyber Pearl Harbor” Won’t Be Like Pearl Harbor At All…
I listened in.
First: I expressed some skepticism at the flashy premise of the webinar, as WWII metaphors are a tad overdone in security circles
fpri.org/events/2012/20… about to livetweet a webinar on cyber pearl harbor because the future is cut whole cloth from WWII metaphors
— Kelsey D Atherton (@the_boy) October 24, 2012
@the_boy It is always Dec. 6, 1941 or Munich 1938.
— Richard Mehlinger (@rmehlinger) October 24, 2012
The webinar opened with a lecture/powerpoint by Edward Turzanksi, whose name I finally got right on the 10th try. He started describing in some detail the different direct impacts of Pearl Harbor & 9/11, and of US immediate response…
Edward Turzanski now making case for “Cyber 9/11″ instead of “Cyber Pearl harbor” because of uncertainty/lack of unity fpri.org/events/2012/20…
— Kelsey D Atherton (@the_boy) October 24, 2012
…then immediately broke from the flashy title to point out that cyber is very different from conventional war.
Turzanksi “retribution & retaliation usually not possible against cyber threats like they are for other threats” #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Turzanski – “goal of cyber is disruption” Me: so how is this not just SIGINT? #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
The answer to why Cyber isn’t just signals intelligence? Cyber can directly attack infrastructure, not just communications.
Turzanki “Cyber is not MAD but MUD – multilateral unrestrained disruption” – so like criminal networks, then? #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
a bit unfair of me here.^ Cyber attacks, as described for this presentation, have a political goal. Criminal networks don’t; disruptive though they may be, they are less about attacking states and instead focus on being left alone by them.
Turzanski now comparing cyber disruption to bombing factories, EW used against Serbia. #Streeeeeetch? #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Using carpet bombing to describe cyber will always be a stretch, but the actual point of infrastructure being targeted at war holds.
Tuzanski – Al Qaeda directly targeted US economy, cyber attacks aimed at it as well. sure. #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Turzanski – we have no single definition for a cyber attack, but we have a list of critical targets! #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Turzanski – off the list of critical infrastructure targets? healthcare, business software, pharmaceuticals, IPv6 itself! #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Turzanski talking STUXNET. Comparing it to a fence that lets coyotes in. #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
the book described above? Unrestricted Warfare, published in 1999 but featuring a very misleading cover depicting the 9/11 attacks.
Turzanski talking STUXNET. Comparing it to a fence that lets coyotes in. #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Of course, STUXNET itself played with gradual disruption, but the way this was described reminded me of nothing so much as this.
Turzanski talking STUXNET. Comparing it to a fence that lets coyotes in. #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Turzanski – treat unknown USBs like this youtu.be/faFuaYA-daw?t=… #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
that clip? Children stomping bugs from Starship Troopers. Turzanski actually recommended stomping unknown flash drives as a way to stop them creating/exploiting vulnerabilities. I recommend we term this “boot-gapping.”
Turzanski – now talking about a malware named Shamoon. Great name, apparently poked around with oil prices for a bit #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Shamoon was targeted specifically at Aramco, and was apparently the work of amateurs.
Turzanski – “no comprehensive approach to cyber security in the private sector.” Maybe the invisible hand swats viruses? #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Husick addressed this later, noting that the invisible hand is really bad at addressing vulnerabilities present in the commons.
Turzanski – “there is no effective way that windows can be secured.” mac users gloat. Linux users cackle from on high #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
The actual problem here was not Windows software itself, which can update and be corrected, but that pirated/unlicensed Windows systems are paygapped from those updates despite those unauthorized copies being, according to Turzanski, 40% of operating systems. Here is a direct example of private sector poorly correcting a vulnerability opened up in the commons.
Turzanski – “how do states respond to cybersecurity attacks?” I think @alexolesker might know ctovision.com/2012/03/what-t…#CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
That above link is to a piece written for CTOVision, about how old-fashioned detective work, human intelligence, and boots on the ground caught a hacker who hid himself well online. Boots & detectives aren’t a quality we usually think of for countering cyber, but they absolutely should be.
Turzanski – Likely US response to cyber attacks? We’ll ignore, like we did when NATO-member Estonia was cyber attacked #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
^last tweet should read “cyber attacks on allies”
— Kelsey D Atherton (@the_boy) October 24, 2012
The possibility of Estonia invoking NATO Article V for a cyber attack was brought up. Estonia has a stronger claim to this than most – incredibly tech-dependent and was clearly under a coordinated cyber attack. But incredibly unlikely anyone will start a shooting war over it, which calls into the question of cyberwar as a concept itself.
Turzanski – “not a cyber Pearl Harbor, not a cyber 9/11, but a cyber Hurricane Katrina!” & then no meaningful change in US #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
as a post-K New Orleans resident for four years, this metaphor seemed to match what I learned of people’s experience: misplaced investment, clear vulnerabilities shoved just a bit too hard, and then a long slow rebuilding in the directly-damaged area with unclear revision to response capability or actual resilience. A clear failure, but a contained failure.
Q: Cyber expertise among our agencies isn’t perfectly distributed. Are our agencies communicating well? A: hahahahahahaha #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
That was not the actual answer. I paraphrased for space constraints, but the gist was the same.
“Q: will airgapping work? A: Iranian nuclear program was airgapped. STUXNET got in.” – thanks, #HUMINT! #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Husick – we should make sure that only things that need the internet are connected to it; operational controls aren’t that #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Here an example was given of a 2003 rail failure, as one freight company linked it’s operational control computers to the internet proper and subsequently suffered a malware attack that left them blind, stranding all trains east of the Rockies for I believe he said 13 hours.
Husick – print company logo on USBs, mix up at team building exercise, watch execs plug into own computer. BAM compromised #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Redteaming: it works.
@the_boy USB memory sticks are an extremely effective virus/malware vector. Always crossing air gaps…
— Tristan Bergh (@tristanbergh) October 24, 2012
Maybe bootgapping is a viable strategy?Next we went to the Q & A, which was surprisingly infomative, despite it being a Q & A session.
Q: but like Ocean’s 11/EMP? A: sure, it could be done, but that’s kinetics & we know how to respond to it. With bullets. #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Also mentioned in the response above was a modified nuke designed to EMP. Either would destroy solid-state drives, making it a destructive attack for which kinetics are a perfectly appropriate response, but also outside the realm of cyber security proper. This seems like the fundamental problem with terming Cyber things cyberwar – when they clearly cause war-like damage, that’s just war. When they don’t, they are crime or covert action. “Cyberwar” seems to be so thin a line that it is nonexistent.
Farraday cage! drink! #DrinkingGameEverything #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Besides responding with overwhelming force, Farraday cages are a way to protect something from an EMP. Here’s instructions on a DIY version.
Q: if internet knocked out in cyber attack, could attackers still communicate? A: yup. Darkweb. other pathways available. #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
As a category, dark web is just what can’t be found conventionally online. In the above context, it refers to internet channels that won’t be effected if something like Google goes down.
Husick now talking about the tragedy of the cyber commons. Getting Mark Vail flashbacks #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
The tragedy of the cyber commons was alluded to earlier – it makes little economic sense for anyone using the commons to devote resources to securing it from cyber attacks, and is especially unlikely for everyone to do so at once. (The second part of that tweet? Academia tangent: Mark Vail was a former professor of mine, whose work focused a lot on how European welfare states sought to solve the problems of the commons)
Husick – returning profit to shareholders for a power company conflicts with adopting good cyber security practice. #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Husick – attacks on complex systems lead to complex vulnerabilities, which is something that individual actors can’t see #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Husick – “we have have reached a point in the US where even a major destabilizing attack will not motivate us to attack” #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
This lack of motivation to fix the problem is perhaps the best reason to start using “Cyber Hurricane Katrina” instead of “Cyber Pearl Harbor.”
Husick – extends this to the Katrina metaphor. We’ll invest in the wrong solution first, then crisis, then indecision #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Q: do we need a Geneva Convention for cyber attacks? A: negotiation happening, but everyone developing cyber in secret #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
It’s really, really hard to negotiate an arms treaty (of sorts) or a rule of battlefield ethics (which is what this would be) when the arms are rapidly evolving, can be designed and wielded by nonstate actors, and the actual battlespace is as broadly defined as any computer that could potentially be exposed to an attack. Compounding this are nations justifiably wanting to develop weapons in secret. My guess for a Cyber Geneva Convention? Only after a major problem reveals them to be both deadlier and less useful than anyone wants, like post-WWI chemical weapons.
Husick- problem: Saudi & states like it will label transmitting anything anti-Islamic as cyberwar. Broadens def to useless #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Husick specifically mentioned that Saudi would label Pat Robertson’s website itself a work of cyber war. Layer that on top of the problems already expounded above, and Cyber Geneva Convention seems nigh-impossible.
Q: how much should we fear Chinese cyber? A: econ dependence & theft of US intellectual property by CCP cyber keep us safe #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Here we should be looking at cyber as covert action/spycraft/crime, where the channels of communication are important to maintain. The follow-up to this was that the US might expect cyber attacks on our allies, as China is less worried about severing economic ties with them. And, yes, the continued ability to steal US intellectual property was given as a reason for why China would not cyber-attack the US.
Husick – information poisoning in subtle ways will cause people to “question integrity of systems we rely upon” like banks #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
This led really well into the next point – STUXNET was able to disrupt Iranian centrifuges in a way that made Iran question it’s own equipment until they figured out, months and months and months later and after actually sitting around watching the centrifuges, that it was a virus at work.
Husick: “objective is disruption. The way to counter disruption is resilience.” This holds over everything.
— Kelsey D Atherton (@the_boy) October 24, 2012
Husick – STUXNET was clever enough to disrupt & then sleep for months. Took a long time to figure out what was happening #CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Q: is there any nation that serves as model of cyber defense? A: non-state actors on cybersecurity are actually better#CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
Point referenced here is one from Gartenstein-Ross’s book Bin Laden’s Legacy, and very subtly illustrated by the burning dollar bill on the cover. An attack that yields a massively disproportionate expenditure in response is one that has succeeded in causing economic harm, whatever else it’s objective.
Q: is there any nation that serves as model of cyber defense? A: non-state actors on cybersecurity are actually better#CyberPearlHarbor
— Kelsey D Atherton (@the_boy) October 24, 2012
…and that’s the webinar. Main takeaway: Cyber Hurricane Katrina, not Cyber Pearl Harbor, and expect just as competent a response.
— Kelsey D Atherton (@the_boy) October 24, 2012
Leave a Reply
You must be logged in to post a comment.