Slashdot Mirror


The Next Arms Race: Cyberweapons

Harperdog writes "Scott Kemp writes about the similarities between the nuclear arms race and the use of cyberweaponry for offensive purposes. As the article points out, offensive cyberwarfare leaves a nation's own citizenry vulnerable to attack as government agencies seek to keep weaknesses in operating systems (such as Windows) secret. Quoting: 'In the world of armaments, cyber weapons may require the fewest national resources to build. That is not to say that highly developed nations are not without their advantages during early stages. Countries like Israel and the United States may have more money and more talented hackers. Their software engineers may be more skilled and exhibit more creativity and critical thinking owing to better training and education. However, each new cyberattack becomes a template for other nations — or sub-national actors — looking for ideas.'"

22 of 125 comments

  1. Re:or you could just... by Anonymous Coward · · Score: 5, Insightful

    The nuclear enrichment site at Natanz was kept offline. That didn't keep Stuxnet out of there.

    The problem with security in general is that no matter how many protections you put in place humans are still the weakest link. We will always make mistakes.

  2. Re:or you could just... by mrchaotica · · Score: 4, Insightful

    I interpreted that statement differently: it's not that government agencies seek to keep weaknesses secret in order to avoid being attacked, it's that they want them secret so that they can use those weaknesses to attack others.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  3. The nuclear arms race wasn't that bad . . . by PolygamousRanchKid+ · · Score: 2, Insightful

    . . . because both sides were scared enough not to even think about using them. Just a few isolated tests here and there in underground isolated places. No, or very limited, collateral damage.

    With the Cyberweapons arms race, it seems to be like the wild west. Cyberweapons are being deployed and tested everywhere, and affecting innocent bystanders. Imagine having nukes tested in your backyard. Or Cyberweapons tested live on your Internet.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:The nuclear arms race wasn't that bad . . . by Baloroth · · Score: 4, Interesting

      The difference is that cyberweapons inherently exploit fixable weaknesses in existing infrastructure (assuming the government isn't just inserting backdoors, which they may be doing, but they are also doing much more). The more widely they are used, the greater the pressure to fix those weaknesses and implement better security practices. Given that criminals are going to use those weaknesses even if every single government stops, that means they have fewer and fewer exploits and avenues to exploit, which is good for everyone.

      It's more like a rat infestation than nuke testing. Sure, it's annoying, but the more of the bastards you get, the faster you can patch all the holes they are coming through (and the more rat poison to stop the stragglers).

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  4. Public Policy by girlintraining · · Score: 4, Interesting

    Governments want to keep vulnerabilities secret so they can hit the enemy, but the enemy has the same equipment and setup as ours. If you increase resistance to attacks locally, the same happens remotely.

    So the decision to be made is, what's more important: Our offensive capability, or our defensive capability? It's a zero sum equation, but with a twist: Every offensive action creates a corresponding signature which can be used to increase defense against that action next time. Effective surveillance increases the chance of detection and remediation. So the tipping point is the ratio of exploitable vulnerabilities (think of this as army size) each party possesses. If you have more than your enemy by a considerable margin, your enemy is unlikely to attack. Conversely, if you don't have sufficient resources to discover and refine vulnerabilities and the intelligence capabilities to know where to use them (and when), your best response is to form alliances with others, so that when a vulnerability is used on their infrastructure, they share their surveillance with all parties; thus creating a force multiplier in favor of defense.

    I guess my point is that the problem can be framed using conventional military tactics, rules of engagement, etc.; but I would hesitate to equate it to military action. Otherwise you wind up in a legal quagmire: That would be turning that guy who keeps trying to run Reaver against my router to hack his way onto my network into an enemy combatant or a private citizen into an arms dealer for having a copy of TrueCrypt.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Public Policy by ThunderBird89 · · Score: 2

      That's a rather good analogy, but with a significant flaw: states know the size of other armies almost exactly (satellite imagery allows them to discern the housing capacities of bases, and lets them detect aircraft, armor, navy, etc. from orbit, or at least a close approximation of their number, and possibly even type, armaments, defenses, etc. Plus, much of that information is public or obtainable, since it's private corporations that manufacture these units), while the number and type of exploitable vulnerabilities your opponent has is unknown, otherwise you would have patched that vulnerability, and it would no longer be exploitable.

      I'd say that cyberwarfare is a sort of 'supplementary warfare', designed to shorten a war and lessen casualties by causing enough confusion and chaos that the enemy can't mount an effective defense and is forced to surrender. I'm not sure it has even a remote equivalent in terms of conventional warfare, other than SIGINT or electronic warfare, which are anything but conventional.
      Oh, and just saying: running Reaver will never make anyone into an enemy combatant, there's a specific set of criteria to be fulfilled. This is why the Taliban and al-Qaeda terrorists are 'free game': they are not combatants, but simple criminals, and as such, the Geneva Conventions don't apply. If soldiers catch one, and nobody's around ... well, sucks to be that guy because shooting him dead won't be a crime.

      --
      Hyperbole: I use it liberally!
  5. More like biological weapons than nuclear, I think by JSBiff · · Score: 4, Insightful

    I'd say this is a bit more like biological weapons, and less like nuclear - more likely to spread, more likely that a single individual or small group can successfully develop and deploy them, some chance that once deployed, it will come back to attack its creator-state, because you can't be completely sure you can control it. (That is to say, once a given nuclear device is detonated, it's gone and can't attack again, but biological and cyber weapons can be harvested, tweaked, and re-deployed against you).

  6. No profit there. by khasim · · Score: 2

    Where's the profit for the cracker in a dead machine?

    But if that machine can be turned into a zombie ... lots of money making opportunities.

  7. Re:or you could just... by kelemvor4 · · Score: 2, Funny

    Humans are the problem and Chuck Norris is the cure.

  8. Re:Not until someone dies. by Baloroth · · Score: 4, Informative

    A weapon does not have to kill someone or indeed even be able to kill someone to be a weapon. The two definitions are "a thing designed or used for inflicting bodily harm or physical damage" and "a means of gaining an advantage or defending oneself in a conflict or contest." Cyberweapons fulfill both, except, of course, it's "cyber" damage, not physical (hence the name, which of course is stupid but effective).

    What Anonymous does is effectively vandalism, yes. Stuxnet, however, was a weapon.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  9. Re:Not until someone dies. by xstonedogx · · Score: 4, Funny

    "Loose chips sink ships."

  10. Re:Not until someone dies. by ThunderBird89 · · Score: 5, Interesting

    The same as pouring sugar into gasoline tanks would be.

    Your saboteur just "poured sugar" into the tank of every HMMWV, jeep, tank, and vehicle on the eve of your invasion on the base nearest to your entry point. The defender is going to have a mighty hard time forming an effective defense with no mechanized infantry and armor. Even harder if the power grid and water pumps suddenly go down in a major city that necessitates the Army's assistance in supplying and policing the area (most countries' armies double as disaster relief too). Oh, and factor in that the communication relays are suddenly transmitting garbage and white noise.
    To add insult to injury, you now have the blueprints of their newest tanks, so even if they manage to clean out the turbines and get them running again, your gunners will know exactly where to shoot to take them out in one hit, and you know exactly how long their air superiority fighters can stay in the air, how high they can climb how fast, etc.
    And for a final "Fuck you", your hackers broke into the enemy's central bank's network, along with a few other major banks in his country, and 'diverted' most of the country's funds, including all the foreign currency stockpiled on the central bank's accounts, to you a day or two after the first shot rang out, so the state as a whole is left penniless and unable to pay its army.

    As a wise man once said, "Knowing is half the battle". Infrastructure is a good 25% or more, so you're left with 25% at most that constitutes military might. Far fewer casualties on your side, and possibly fewer on the target side as well if the leaders recognize early on that they have lost the war before the first shot was fired (since they can't mount a proper defense due to the chaos and lack of funds). Cyberwarfare can certainly kill, but it need not do so, for the objective is to cripple the target so the army encounters less resistance.

    --
    Hyperbole: I use it liberally!
  11. Re:Cant the US just buy a majority stake in MS by ae1294 · · Score: 2

    And push out an update installing a govt operated backdoor to all Windows computers
    That update can be disguised as some benign functionality
    Similarly buy Canonical for Ubuntu and a few more major players

    https://en.wikipedia.org/wiki/NSAKEY

  12. Re:Not until someone dies. by maxwell+demon · · Score: 2

    The problem I have with the "cyber weapons" terminology is that they are weapons which do not kill anyone.

    That's not a given. What about a malware which causes a nuclear power plant to blow up? What about one which just opens all gates at a major dam, causing a flood downstream? Or more subtle, what if some malware in a hospital is used to kill people by making machines emit too much radiation, by making life-support machines switch themselves off, or even simply by slightly manipulating the medication plan? That may even be used for targeted killing. Not to mention the fact that cyber weapons could also be used to gain control over real weapons.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  13. Re:Not until someone dies. by ae1294 · · Score: 3, Interesting

    The problem I have with the "cyber weapons" terminology is that they are weapons which do not kill anyone. Not that that is a bad thing.

    They could be made to kill people. Your local hospital is probably still running WinNT/2k on a lot of their equipment. Think of all the trouble one could cause for a nation if you infected their hospitals. Talk about a terror attack...

  14. Re:Not until someone dies. by s.petry · · Score: 4, Interesting

    Military doctrine states very clearly that the best weapons do not kill people at all. The best weapons will cause damage that takes people off line, so that your killers have fewer targets to deal with. This is why your first targets in a war are the command and control centers, radio towers, and major transit routes. The first targets are never a "Kill". This is also why the 5.56mm round is designed to wound, not kill (by no means does this mean that the round does not kill; however, the size and shape are designed to do damage without killing. If we intended to kill, the round would be much larger and heavier).

    In the case of espionage, this is much more complex. Gaining information on movements and targets, locations of C&C, and lastly impersonation. How many of those statements released by Egypt's leaders, or Libya's leaders were really from them? That last game is played much more often than you would guess.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  15. Re:Not until someone dies. by Mysticalfruit · · Score: 4, Interesting

    Recently a vulnerability was found in a pacemaker / defibrillator that reported stats about the patient's heart via Bluetooth. The attackers found that they could alter the user's heart rate and induce the device to attempt to defibrillate the patient's heart on cue.

    Likewise, vulnerabilities have been found on devices connected to CAN (Car Area Networks) where attackers could, over the cellular link to the car (via something like OnStar), do things like disable the air bags, engage the cruise control, etc.

    Imagine the mayhem a terrorist group could cause if, say, they took an ultra small device and buried it next to the road, where it would randomly insert malware into people's cars as they drove by that, after some random number of miles, locked the doors, disabled the brakes and air bags and then set the cruise control to 100mph.

    [http://isutech.wordpress.com/2012/03/11/all-your-devices-can-be-hacked-2/]

    --
    Yes Francis, the world has gone crazy.
  16. Re:Not until someone dies. by sdguero · · Score: 4, Funny

    I never really thought of G.I. Joe as a wise man...

  17. terrible cybernews by Trepidity · · Score: 3, Funny

    One more crippling cybershell hit the already beleaguered cyberdefense community when CyberIDC confirmed that cyberwarfare rates have risen yet again, now up to more than 100 percent of all servers. Coming on the heels of a recent Cybercraft survey which plainly states that cyberdefense has lost more cyberbattles, this news serves to reinforce what we've known all along. Cyberdefense is collapsing in complete cyberchaos.

  18. Re:Not until someone dies. by ThunderBird89 · · Score: 2

    And I need to re-read my Art of War if I attributed that to Sun Tzu...
    Although I'm sure he said something to the same effect too.

    --
    Hyperbole: I use it liberally!
  19. Re:or you could just... by lightknight · · Score: 2, Insightful

    Indeed. Were I in the military, I'd personally ensure that any computer connected to anything remotely important did not even have an Ethernet connector.

    The sad part is, the military probably thinks we are joking when IT people tell them "No, really. Just don't connect anything important to the internet. It will be cracked, no matter what the security vendor / sales guy is telling you." It can be running the most hardened variant of Unix you know of, with all sorts of security schemes; but if you put it on the internet, it will be found, with people lining up to try and get in.

    But I digress. The entire computer 'security' industry that has sprouted up overnight is headed by people who couldn't make it as network admins, but want the same rights and privileges. Whole corporations following the advice that is found on page 209 in most 'Welcome to {insert name} Operating Systems: An Administration Guide'

    I guess they need to see it from our stand-point: it's a triple face-palming (when it's so bad, you need a friend to lend you a hand) event. However, they probably just hear cursing that would make a sailor blush, and think it's those 'discontent' tech people.

    --
    I am John Hurt.
  20. Re:template? not necessarily... by plover · · Score: 2

    When you drop a nuclear bomb on an enemy, is there a warhead left to analyze? Exactly. That's how cyberweaponry should be designed...one time use only, and it destroys itself, whether it's successful or not. Not only does that keep the enemy guessing, but it also keeps the minds behind the attacks active and creative.

    Cyberweapons come in two main flavors: code that runs internally on the target system (malware such as Stuxnet, Flame, Duqu, etc.) and attacks that are run external to the target (Distributed Denial of Service (DDoS) attacks from tools such as LOIC, disabling the routers that serve the target, disrupting their DNS, etc.) External weapons remain safely out of the hands of the target. The only thing the target gets is the SYN packets, or the RST packets, or a dead router. An analogy would be that nothing in physics says you get a copy of the gun that's shooting at you - you only get the bullets.

    But it's the internal weapons that deliver the real value. They don't just deny the target from using their systems, they are weapons that do the spying, damage centrifuges, take out oil pumping stations and pipelines, shut down electric grids, etc. But to do their work, they must be delivered all the way to the target, where they are subject to interception and copying, and are even subject to modifications that would enable them to be used by the target against their enemies. Metaphorically speaking, in a cyber-war, every cyber-hand grenade thrown comes with a blast-proof set of blueprints for making more hand grenades. You don't get to make statements such as "weapon, destroy yourself" because they can always be intercepted and copied.

    --
    John