The Next Arms Race: Cyberweapons
Harperdog writes "Scott Kemp writes about the similarities between the nuclear arms race and the use of cyberweaponry for offensive purposes. As the article points out, offensive cyberwarfare leaves a nation's own citizenry vulnerable to attack as government agencies seek to keep weaknesses in operating systems (such as Windows) secret. Quoting: 'In the world of armaments, cyber weapons may require the fewest national resources to build. That is not to say that highly developed nations are not without their advantages during early stages. Countries like Israel and the United States may have more money and more talented hackers. Their software engineers may be more skilled and exhibit more creativity and critical thinking owing to better training and education. However, each new cyberattack becomes a template for other nations — or sub-national actors — looking for ideas.'"
> government agencies seek to keep weaknesses in operating systems (such as Windows) secret.
God forbid you simply keep these machines offline.
Nope, gotta keep them open for people to find and attack.
What do I know, I'm just an idiot, right?
And push out an update installing a govt operated backdoor to all Windows computers
That update can be disguised as some benign functionality
Similarly buy Canonical for Ubuntu and a few more major players
the criminals are winning so far.
The plus side is, that creating cyber attacks is very cheap. Learning the low level instructions is not so easy, but the advent of the internet makes things easy to find. Hell, I have never coded a graphics device in my life but I can find a great number of header files that know the calls.
In the US, this is going to be extremely difficult in a year. The new NSA supercomputers will be online spying on everything being done. They will be able to track you pretty quickly. Outside of the US, tracking someone down will be much harder. I.e., we can determine now that a great number of attacks come from China, but unless China cooperates we have no real person to address/charge/etc.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
The problem I have with the "cyber weapons" terminology is that they are weapons which do not kill anyone. Not that that is a bad thing.
But it places them more in the "vandalism" category rather than the "weapon" category.
Now it may be technologically advanced vandalism delivered by double agents ... but it's still just vandalism.
The same as pouring sugar into gasoline tanks would be.
...is that some scrounging businessmen with friends in government have "Cyberwar tools" to sell, and they want to suckle on the teat of Uncle Sam and his New European sibling governments.
. . . because both sides were scared enough not to even think about using them. Just a few isolated tests here and there in underground isolated places. No, or very limited, collateral damage.
With the Cyberweapons arms race, it seems to be like the wild west. Cyberweapons are being deployed and tested everywhere, and affecting innocent bystanders. Imagine having nukes tested in your backyard. Or Cyberweapons tested live on your Internet.
Next thing you know, a malicious piece of code will "go viral" and a twelve year-old kid will outgun every government on earth.
Or how about asking how many people would consciously and knowingly allow code to run on their PC (unobtrusively in the background, of course) that would disrupt or cause harm to their perceived enemies. Lots and lots, I bet.
Governments want to keep vulnerabilities secret so they can hit the enemy, but the enemy has the same equipment and setup as ours. If you increase resistance to attacks locally, the same happens remotely.
So the decision to be made is, what's more important: Our offensive capability, or our defensive capability? It's a zero sum equation, but with a twist: Every offensive action creates a corresponding signature which can be used to increase defense against that action next time. Effective surveillance increases the chance of detection and remediation. So the tipping point is the ratio of exploitable vulnerabilities (think of this as army size) each party possesses. If you have more than your enemy by a considerable margin, your enemy is unlikely to attack. Conversely, if you don't have sufficient resources to discover and refine vulnerabilities and the intelligence capabilities to know where to use them (and when), your best response is to form alliances with others, so that when a vulnerability is used on their infrastructure, they share their surveillance with all parties; thus creating a force multiplier in favor of defense.
I guess my point is that the problem can be framed using conventional military tactics, rules of engagement, etc.; but I would hesitate to equate it to military action. Otherwise you wind up in a legal quagmire: that would be turning that guy who keeps trying to run Reaver against my router to hack his way onto my network into an enemy combatant, or a private citizen into an arms dealer for having a copy of TrueCrypt.
I'd say this is a bit more like biological weapons, and less like nuclear - more likely to spread, more likely that a single individual or small group can successfully develop and deploy them, some chance that once deployed, it will come back to attack its creator-state, because you can't be completely sure you can control it. (That is to say, once a given nuclear device is detonated, it's gone and can't attack again, but biological and cyber weapons can be harvested, tweaked, and re-deployed against you).
Ya, viruses, trojans, rootkits, process hiders, ya... like it's new and OK for corporates and govt... I swear I ought to unite 1000 good people and wipe every govt page off the earth for being retards...
Wow, -1? I was thinking exactly the same thing, but you beat me to posting.
Parent should have been +5 informative
When you drop a nuclear bomb on an enemy, is there a warhead left to analyze? Exactly. That's how cyberweaponry should be designed...one time use only, and it destroys itself, whether it's successful or not. Not only does that keep the enemy guessing, but it also keeps the minds behind the attacks active and creative.
Where's the profit for the cracker in a dead machine?
But if that machine can be turned into a zombie ... lots of money making opportunities.
This is stupid. Microsoft has already stated that it won't allow future ARMs platforms
to run both Windows and Linux. You can't haz your war if that's true, can you?
I have been hearing about the next war about cyber weapons for several years. Seems the same old tricks keep getting them time and time again.
Actually, there is enough left to analyze. The decay products can tell you a lot about the material in the warhead. Arguably, enough to identify not only the nation state, but possibly even the location where the material was enriched or processed.
Which is a rather good parallel to cyberweapons. If too much of the target starts falling apart for no apparent reason, the bad guys start poking at the computers, and eventually find the root cause. A good cyberweapon wipes itself out, but much like the nuke, there's a significant risk that it will leave enough traces behind to enable its opponents to learn something about its construction. A great cyberweapon operates below the threshold of detectability both during infiltration, during its active phase, and after its mission is accomplished.
If there are great cyberweapons out there, by definition, we don't know about them. And hopefully will never find out until 25-50 years after the fact.
> Wow, -1? I was thinking exactly the same thing, but you beat me to posting. Parent should have been +5 informative
Seconded, and with the cojones to say so without going AC.
Granted, OP could have gone about it much more elegantly, but I think they got the point across.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Ok, so you work with the Israelis and Brits/Germans/French to sneak some viruses into the computers of Iran, Russia and China. You pop a couple of beers and celebrate as the targeted computer systems lock up or crumble.... --------> Two years later. Iran, Russia and China pull off a successful cyberattack against computers in the U.S., Israel, Britain, Germany, France. Now the "Allies" have to deal with computers that lock up, fuck up, or crumble. Of course, the "Allies" will regroup and launch another cyberattack against Iran, Russia, China. ----------- And so on and so forth... -----------> The NET GAIN from this back-and-forth is what exactly? NOTHING. Cyberwarfare should probably best be left alone. There is nothing to gain from it, and potentially much to LOSE on all sides.
This is exactly accurate.
"cyber" claims are purely hype and designed to turn a profit about something that isn't even a real threat. May as well say "cyber espionage" is some magic new threat as if, you know, espionage had never existed before it went cyber.
Except that once you go down that route EVERYTHING becomes a "weapon" and the term "weapon" becomes meaningless (since it means everything).
And while "weapon" CAN mean something else, the term that more correctly describes that action is "vandalism".
Why is it that almost every single article I've read lately thinks I'll like Rand Paul's story?
More like biological weapons than nuclear, I think
Nucular. It's spelled nucular.
A cyber-what?
I'll keep it short & simple:
One more crippling cybershell hit the already beleaguered cyberdefense community when CyberIDC confirmed that cyberwarfare rates have risen yet again, now up to more than 100 percent of all servers. Coming on the heels of a recent Cybercraft survey which plainly states that cyberdefense has lost more cyberbattles, this news serves to reinforce what we've known all along. Cyberdefense is collapsing in complete cyberchaos.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
..and knowing is half the battle!
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
> When you drop a nuclear bomb on an enemy, is there a warhead left to analyze? Exactly. That's how cyberweaponry should be designed...one time use only, and it destroys itself, whether it's successful or not. Not only does that keep the enemy guessing, but it also keeps the minds behind the attacks active and creative.
Cyberweapons come in two main flavors: code that runs internally on the target system (malware such as Stuxnet, Flame, Duqu, etc.) and attacks that are run external to the target (Distributed Denial of Service (DDoS) attacks from tools such as LOIC, disabling the routers that serve the target, disrupting their DNS, etc.). External weapons remain safely out of the hands of the target. The only thing the target gets is the SYN packets, or the RST packets, or a dead router. An analogy would be that nothing in physics says you get a copy of the gun that's shooting at you - you only get the bullets.
But it's the internal weapons that deliver the real value. They don't just deny the target from using their systems, they are weapons that do the spying, damage centrifuges, take out oil pumping stations and pipelines, shut down electric grids, etc. But to do their work, they must be delivered all the way to the target, where they are subject to interception and copying, and are even subject to modifications that would enable them to be used by the target against their enemies. Metaphorically speaking, in a cyber-war, every cyber-hand grenade thrown comes with a blast-proof set of blueprints for making more hand grenades. You don't get to make statements such as "weapon, destroy yourself" because they can always be intercepted and copied.
John
I'm all for escalation of weapons that can only do as much damage to me as I want.
To be more explicit, I think the term cyber is essentially used to gain more money for US companies.
Europe recently budgeted 53 million hard earned tax payer euros for cyber defense. For a system that is to be completed by 2012. What can you possibly build in just one year that is of value of 53 million? I'd like to know, how much of this money goes to European companies and how much to US companies. And by European companies I don't mean UK owned fronts that are owned by the US.
My sentiments exactly. Cyber-BS is the new red, apparently. At least it makes identifying the nonsense-stories easier.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Cyber Attacks cannot be controlled once released the same way poison gas could not be controlled once released. As any idiot could foresee, and as has already been demonstrated in the first "International Warfare" "deployments". Like poison gas cyber-weapons go whichever way the wind blows, linger in low areas, in still pockets and under inversions. Their remnants continue to wreak havoc on the more sensitive, as "dispersed" gas did the pigeons used in WWI to carry messages. And, like mustard gas, and DDT, their remains, and effects, will linger in systems, to arise unexpectedly when accidentally or unknowingly triggered.
The difference will be, will it do any good to outlaw cyber-weapons? Or are cyber-attacks too easy for the able and the recipe-follower to put together from common ingredients, once they know how to?
I don't care about their arms race.
I just want to know:
are nmap and Wireshark protected by the second amendment?
... tax revenue is like a piñata for some people*, fear- and warmongers in particular.
* = read 'unscrupulous bastards'
Geez, it's like something out of Doctor Who.... ... ...Oh wait. Cool!!! How long before we have actual Cybermen fighting our wars, stomping around yelling "DELETE, DELETE!"?
Our (that is, the US's) Cyberweapons threaten ourselves more than any other target. We are the most dependent on the internet. We have the most to lose. We wave these weapons of self-mutilation around in the hopes that our intimidated foes will not force us to destroy ourselves.
What could go wrong?
ALL Praise Irony and His Prophet Mel!
Miles
So-called "low-tech" nations and parts of the world supply the "high-tech" nations of the world with the bulk of their low-level coders. Learning the boring basics is a way up and out for the bright and ambitious of the third world.
This means that it is the so-called "low-tech" parts of the world who have the best pools of people having practical familiarity with code and languages, and so the talents most needed to analyse at the levels malicious elements are slipped in. This means that it will be high-tech nations whose populations will be most vulnerable to cyber-attacks, for having more dependence on computer technology, and who will have fewer who are expert in reading at the levels they will need to, to discover malicious elements that have been introduced.
> My sentiments exactly. Cyber-BS is the new red, apparently. At least it makes identifying the nonsense-stories easier.
Count me in.... (even though I have no id)
This cyber crap is killing me.........
> Countries like Israel and the United States may have more money and more talented hackers
Valid to the extent that almost everything Israeli is basically rebranded American equivalent.
You'd be hard pressed to use more than one hand to count Israeli original developments (or to mention Israel without inserting America into the discussion).
Not saying they can't, just saying they haven't.
I'm going to have to write an OS, based on capability based security. Even if it sucks, it'll be the only thing left running after skynet becomes self aware, infects everything, then gets paranoid, then kills itself in a case of mistaken identity. (Total time, 4 hours, 9 minutes, 2.3 seconds)
This contradicts the argument that the US is running out of skilled people in technology. AFAIK, hackers come from wherever there is a progressive mentality in terms of technology and a connection to the nets.
Scott Kemp (the author) must be living in 1992... And he probably believes that the movie Hackers is based on a true story.
What are Cyberweapons? How to use them?
Mythbusters disproved that: http://en.wikipedia.org/wiki/MythBusters_%282004_season%29
.. a Cyber Gap ?
"Cyber Attacks cannot be controlled once released"
Just because there exists malware which will attack anything it is compatible with, does not mean much. You could very well write malware which would attack only computers with a very small set of IP addresses, with a very specific config, in a very specific subnet or DNS domain. Your argument is the same as the pope lamenting the use of longbows. "distance weapons are dehumanizing like nothing before. The bad guy with the horns on the head must have created them. They are not haram".
Already, dozens of millions of Windows machines are pwned. Because Windows is insecure by design (or lack thereof).
A rational assessment of innovation in computer and software tech will show everybody who is interested that Norway (with their 5 million people) is doing more software innovations than India and China taken together. "Rich" countries actually have done lots and lots of systematic and basic security research (think of kernels with 100% correctness proofs, SE Linux, Sandboxie, AppArmor, type safe programming languages, 100% correctness proofs of compilers). The Computer Science Intelligentsia knows how to make very secure systems - it is just the Computer Science Whores (those whose first priority is DOLLARS) who constantly deliver insecure crap.
The world (including the rich world) could move to BSD-Jailed Abiword word processors in no time (if someone pwns Office thoroughly), if we simply moved our lazy, fat asses. The pain is not hard enough to leave the soap opera and stop eating fat, unhealthy chips. We are so rich we simply don't care about these issues at the moment. The others are poor and don't care either. Nor do they even theoretically know how to do strong computer security. We know, but we are still too lazy to yank Windows+Office+Adobe into the trashcan.
And surely America invented everything from the Diesel engine to Ballistic missiles? Keep eating your oily shit and continue to live in Hillbilly county. Don't join the army, because that way your ignorance might be reduced by you being shipped to a place where men do not mate with their nieces.
Linux already contains all the infrastructure. It is being used by AppArmor, but you can of course use wholly different concepts, or you could fork AppArmor. I guess playing with AppArmor source code would be a good starting point.
Formal Verification. Prove your code correct. Works on small pieces of code
Sandboxing. Google Chrome is doing it conceptually very well and could be applied to many more systems
Behavioural Analysis at network chokepoints such as firewalls and fileservers. Malware will be challenged to make its extraction and C&C traffic look like legitimate traffic. Requires competent analysts who actually parse logfiles instead of playing WoW. Must also be capable of writing their own Perl analysis programs.
Type-Safe Programming Languages. Conceptual examples are Java, .net, some Ada variants and a language called Sappeur which I created myself.
Appstores with known code authors. Google's Android appstore does not qualify
https://en.wikipedia.org/wiki/Type_safety http://sourceforge.net/projects/sappeurcompiler/
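An added example (not part of the original comment, and not code from any project named in this thread) of the log analysis the "Behavioural Analysis at network chokepoints" item above calls for: it groups firewall connections by source and destination and flags pairs whose connection intervals are too regular to be human-driven, a common trait of C&C check-ins. It is written in Python rather than Perl; the log format, the `find_beacons` name and both thresholds are assumptions made for the illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed firewall log (not real traffic): "<epoch> <action> src= dst= dport=".
SAMPLE_LOG = """\
1000 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443
1301 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443
1599 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443
1900 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443
2202 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443
2500 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443
1005 ALLOW src=10.0.0.7 dst=198.51.100.20 dport=443
1012 ALLOW src=10.0.0.7 dst=198.51.100.20 dport=443
1090 ALLOW src=10.0.0.7 dst=198.51.100.20 dport=443
1700 ALLOW src=10.0.0.7 dst=198.51.100.20 dport=443
1702 ALLOW src=10.0.0.7 dst=198.51.100.20 dport=443
2450 ALLOW src=10.0.0.7 dst=198.51.100.20 dport=443
1100 ALLOW src=10.0.0.9 dst=192.0.2.30 dport=80
1400 ALLOW src=10.0.0.9 dst=192.0.2.30 dport=80
1700 ALLOW src=10.0.0.9 dst=192.0.2.30 dport=80
1234 DENY src=10.0.0.8 dst=192.0.2.99 dport=23
"""

# Assumed log layout; adapt the pattern to the firewall actually in use.
LINE_RE = re.compile(r"^(\d+) ALLOW src=(\S+) dst=(\S+) dport=(\d+)$")


def find_beacons(log_text, min_events=5, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for flows with machine-like timing.

    cv is the coefficient of variation (stddev / mean) of the gaps between
    successive connections; a value near 0 means near-constant intervals.
    """
    stamps_by_flow = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blocked connections and malformed lines
        ts, src, dst, _dport = match.groups()
        stamps_by_flow[(src, dst)].append(int(ts))

    findings = []
    for (src, dst), stamps in sorted(stamps_by_flow.items()):
        if len(stamps) < min_events:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # all events share one timestamp; nothing to measure
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append((src, dst, mean_gap, round(cv, 4)))
    return findings


if __name__ == "__main__":
    for src, dst, mean_gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{mean_gap}s (cv={cv})")
```

Legitimate periodic traffic such as update checks or time sync will also score low, so the output is a list for an analyst to triage against known-good destinations, not a verdict.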
> The nuclear enrichment site at Natanz was kept offline. That didn't keep stuxnet out of there ..
When your centrifuge can be broken by plugging in a USB stick maybe you should consider using a different Operating System, platform, ecosystem :)
They surely can burn through billions every year and deliver some nice powerpoint slides and heaps of useless prototypes and unworkable specification documents in no time. Actually, it would hurt business to attack the problem at the root. Instead, create hugely expensive and complicated band-aids while knowing that Microsoft, Oracle and Adobe are a fountain of security holes which will flow forever. That means selling band-aids forever!
..smart cyber weapons could be inserted by a microwave transmitter into the target's signal processing software and from there fsck with some critical data displayed to humans.
Or, inject a virus directly into a sigint system, because by definition that system is listening promiscuously for other people's data streams.
Inject malware by a laser triggering some sensor's automatic gain control rapidly, triggering a buffer overflow.
Basically, the sky is the limit when it comes to hacking modern weaponry, as the latter cannot work without software, FPGAs, ASICs and so on. Electronic warfare has been going on since the 1930s and malware is just the logical extension of all this. The fine points of whether malware is the same as jamming are pointless when you can achieve the same effects with malware as with "real electromagnetic power in the air".
..cyberweapons are banking on the incompetence of the victim. Because that works most of the time and on the interesting targets, that is Good Enough. Stuxnet only succeeded because the Iranians were more or less completely incompetent. A Belarus company (!) had to do it for them. Belarus is a little tyranny with little resources, except brains left from the Soviet Union. Much larger Iran could not do it because their software engineers are so bad.
Your nasty few words nicely display why half the world hates Americans - you are saying that soldiers can kill criminals just like the KGB eliminated their (real or perceived) opponents.
I think that would be the proper label for "Flame". Some middle east nation choked their opposing nation's weapons procurement official to death in Dubai, recently. They got his travel details from a recce virus in the guy's computer. You "betcha" it was Flame or Brethren Of Flame. So the malware did not kill immediately, but facilitated the killing.
The nation in question also disabled some Russian-made air defence system in a bombing raid on enemy territory (to take out a suspected reactor) and the rumor mill says the radar operators saw nothing. It is entirely plausible that they did this by some means of malware. I have no secret sources, but enough layman's knowledge to think of at least two major ways of doing it (networked or by directly sending a proper pulse sequence into the enemy radar system and telling it to go to sleep for the next few hours, essentially). Don't tell me Russian radar software is flawless.