Dailydave mailing list archives

Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki


From: Marsh Ray <marsh () extendedsubset com>
Date: Wed, 23 Mar 2011 20:23:49 -0500


Go back in time to the second half of the 20th century:

Is it the Cold War? ... Yeah, I suppose you could call it that.

Is it World War III? ...No, I notice a distinct lack of me being vaporized.

Both of these terms are useful, but one is more political and the other 
more usefully technical. My view is that we need a rather strict test 
for 'cyberwar' if it's going to be a term with any meaning.

* Industrial and military espionage: not cyberwar
* For-profit crime or extortion rackets: not cyberwar
* Coordinated DoS attack on government, political, or social media 
websites: not cyberwar

Based on wild speculation and unscientific extrapolation from public 
information, I suspect that when it really is cyberwar you won't find 
yourself in doubt.

In the first 24-48 hours we might expect:

* Banking networks and ATMs will go out.
* Phone and internet will be severely degraded or down.
* The power will become unreliable or go down entirely.
* Traffic lights may go out, water may go out.
* Malware which spreads wirelessly between every car of some very common 
model induces brake or accelerator failure, causing a massive number of 
nearly-simultaneous accidents which shut down major traffic routes.
* Gas stations and grocery stores will be functioning on mostly cash and 
have minimal resupply.
* People don't go to work. Financial exchanges will not open.
* Various industrial systems may be permanently damaged but you may not 
know the extent of it at the time unless they emit visible flames or 
other hazardous material.

Together, these things sound like a bad made-for-TV movie about Y2K. But 
most of us on this list know that they are all technically plausible 
individually.

These are the things that separate modern society from the third world. 
After just a few days of this, densely populated areas will look like 
post-Katrina New Orleans or post-tsunami Tōhoku just without the soggy 
destroyed buildings.

At this point, even the most restrained of nations will be going all-in 
with whatever kinetic response they can muster. Any distinction 
remaining between cyber- and non-cyber- war will seem ridiculously 
academic. But given the difficulty of rapid accurate attribution, the 
retaliating country may have to resort to picking some usual-suspect 
adversary almost at random and attempt to make him pay. (Notice how 
quickly most are willing to accept the attribution of the Comodo CA 
compromise at face value because it appears to have been sourced from 
Iranian IP address space?)

Post-Stux, most major nations are right now said to be allocating 
big-program military resources for offensive cyber capabilities, the 
result of which will likely be some cavernous command center with big 
screens on the wall and cyber-cadets tapping touch screens to click 
buttons on some PHP app which pwn preconfigured targets.

But it seems like in many cases an accurate post-attack assessment will 
rely on the function of the same network systems that are disintegrating 
under attack. Obtaining real time feedback beyond "yep, it's off" will 
be difficult and will be further enhanced by any countermeasures and 
counterattacks the other party may deploy. So, much like in a nuclear 
war where a "use em or lose em" principle was expected to encourage 
rapid escalation, in a cyberwar the commander may soon find himself in a 
"use em _and_ lose em" scenario which eventually degrades to clicking on 
the attack buttons blind.

So perhaps a true cyberwar is when the order is given to "push all the 
buttons", or the point at which it becomes a near-certain eventuality. 
Interestingly, this point may be observable only in retrospect.

On 03/23/2011 02:37 PM, Yiorgos Adamopoulos wrote:

Oh but it gets better: If a cyber warfare action is an act of war,
expect missiles pulling the plug in return. After all "cyber" is just
another (the newest) dimension of battlespace.

Perhaps the inherent qualities of one kind of cyberwar are that it is 
low-level, very limited in scope, targets those with weak deterrent 
capability, and impossible to attribute with a high degree of 
confidence. This seems to fit the handful of observed events that are 
mostly agreed to represent real nation state cyber-conflict.

Alternatively, it may be just the opening round of an all-out conflict. 
But if it starts cyber and finishes kinetic, it probably won't be 
remembered as a cyber-war any more than Iraq war I or II is remembered 
as an air campaign.

Which brings me to a question: If one physically takes out a
datacenter, or its power supplies (all of them), or its connecting
cables (all of them) and thus rendering it non existent in cyberspace,
is this a cyber warfare action or a hybrid?

I bet someone refers to it as a "dynamic and evolving situation". :-)

Probably wishful thinking on the part of the one planning such a 
retaliation. Big attacks don't have to come from big datacenters in the 
same way that big bombers have to take off from big runways. Any 
cyber-weapon buttons that still remain to be pushed when the command 
center goes dark will simply be pushed from backup locations or will 
have previously been armed for dead-man operation.

Unfortunately, this may imply that mil-spec cyberweapons will require an 
effective dead-man capability. Given the reliability of complex software 
in general it raises the real possibility that such a conflict could 
start by accident and escalate almost all by itself.

- Marsh