Angry Animal 16

Rebuttal: Cyberwar, Part 73

Mon Mar 11 13:50:00 CDT 2013

jericho

This is a rebuttal piece to a series of Tweets by Dan Holden on 2013-03-11 (displayed below). Please note that @ErrataRob and @DesmondHolden both provided follow-up, which is included below my rebuttal. If you read mine, read theirs. If that isn't acceptable, navigate away now.




I've been pretty vocal about my thoughts on CyberWar in the past. At some point, the amount of FUD and bullshit surrounding the topic became overwhelming, so I teamed up with Josh Corman to give a presentation on the topic. We delivered the presentation last year at BruCON, and will be giving it once more at the upcoming Thotcon. You can download the PowerPoint presentation, full of great images and a lot of additional information and comments in the presenter notes.

Despite our attempt to inject a dose of sanity and rationality into the debate, many people are still spreading FUD and/or making comments that seem to be based on a complete misunderstanding of the topic, or history of computer crime. Today, Desmond Holden made a couple comments and suggested I may offer rebuttal, so of course I felt obligated. I call this "Part 73" because it seems like I have debated and argued and lectured at least that many times.

First, any debate about 'CyberWar' without defining it is a non-starter. We can infer that Dan believes industrial-targeted malware (e.g. Stuxnet, Flame, Duqu) and selling 0-day both qualify as CyberWar. Considering that the term 'CyberWar' goes back as far as 1992, anyone using the term today should stop and give thought to their comments. The term predates Stuxnet by 18 years. Exactly when did 'CyberWar' begin? Oh right, we still haven't defined it. In fact, the last three years have seen many people try to define it, but only the Tallinn Manual appears to have given it serious thought.

Does 'CyberWar' exist? Sure! But as our presentation explains, it isn't what most people think. Amusingly, Dan actually agrees with us in his Tweet above, as we outline in the topic of automation. He is right, that anyone pretending CyberWar doesn't exist is kidding themselves. And it really doesn't matter what definition you use, because any halfway rational definition will include enough components or activities that make his statement correct. Of course, most of those components or activities are also used in CyberCrime, CyberBullying, CyberStalking, Hacking, Cracking, Phreaking, and just being a dick.

And this is where Dan and I will part ways. Where he was 100% correct in his assertion that CyberWar is happening, and it is stupidly obvious, he falls into the rookie mistake of associating it with the military. One aspect of CyberWar is that essentially, anyone can participate. There are no formal rules that mandate it must be conducted by authorized military personnel of a nation-state. Further, going back to what I said about malware and hacking, that has been around a long time. While Stuxnet started the craze over malware targeting industrial systems, malware had been used to steal information long before that, which is also part of warfare. Hacking goes way back, well over 50 years, so any argument that CyberWar is only conducted by, or known about people that cannot talk about it is ridiculous. RIDICULOUS I SAY.

Pussy. Seriously, why do you even disclaim this? Are you suggesting that someone affiliated with, or profiting from CyberWar cannot discuss, offer opinion, or be right/wrong on the topic? Anyone that takes time to consider the topic, especially one that reads up on it, can offer their informed opinion. Rather than disclaim this, it is better to just cite your sources that led to your opinion, just like any solid research paper.

This is the biggest letdown of your mini-rant Dan. #sadpanda

Who are these "smartest people" in our industry that are so wrong on CyberWar? Call them out by name. Challenge their notions and ideas, attempt to educate them. Start a constructive dialogue on the topic at the very least. If not, they will go on being misguided or wrong. Follow my lead if you need, when I went up to Kenneth Geers after his DEFCON presentation and boldly proclaimed, "you are wrong about all of this". I am still trying to open his eyes to some basic points, but we still have the occasional dialogue on Twitter about it.

After presenting at BruCON, Ed Skoudis had a great sit-down with Josh and I to discuss the finer points of the topic, as he was presenting on the same. Our presentation influenced him to make some last minute changes to his presentation, and his feedback has led to edits of ours when we present again next month.

It is your ethical obligation to battle the demons of stupidity in our industry. And like CyberWar, you will never be without work.


Shortly after this rebuttal, Dan sent a gnarly Word document that corrected some of my mistakes (jerk!) and replied to my comments. Of course, he treated it like a mail list with quoted text, where Rob and I understood the concept of 'blogs'. Ultimately, Dan is the jerk here. #promise That means blockquoted text is MINE, and anything else is HIS.

> I call this "Part 73" because it seems like I have debated and argued and lectured at least that many times.

Funny enough, part of the reason why I began commenting on Cyber war is partially due to a talk that Jericho and Josh Corman did which I suggest anyone watch for very good background and historical context to this long running discussion. The other pieces of inspiration are Bruce Schneier's comments on the dangers of Cyber war terminology as well as Rob Graham's. Again, extremely important pieces to read to gain full context of all sides' ramblings across Twitter and that of this page.

> Of course, most of those components or activities are also used in CyberCrime, CyberBullying, CyberStalking, Hacking, Cracking, Phreaking, and just being a dick.

Defining one's terms is the very basis of a philosophical discussion and picking apart terminology is the foundation for many successful debate outcomes. You will notice this behavior not only with Jericho's response but in Rob Graham's blog as well. I too am a student of philosophy and wouldn't ask Jericho to publicly share his thoughts if I wasn't open to and hungry for the debate. (although it would be far more fun doing so on a panel than via Twitter or an ad hoc blog) However, I disagree that one can't debate this issue or that of APTs without everyone agreeing on the terminology. Quite honestly I don't have the patience for the rest of the world to come to agreement on terminology that was generally made up on the fly by someone not thinking that a term might stick indefinitely. I leave this type of activity to Josh Corman because he really enjoys it, I don't. So, what position do I represent? That of the common man/idiot that reads the newspaper, magazines, Interwebs, and the Twitters. Stating that a term or condition has been around since Moses is simply elitist and again is a debate tactic that is meant to intimidate and show historical expertise in a given area. It's nice and all, and everything Jericho and Rob state is correct! However, I'm unwilling to swim upstream at every moment of the day to re-educate a public that is pretty sure they understand what Cyber war and APTs (just using this term as an example) are after reading so many "experts" discuss in the press, blogs, etc. My point here is that the general public and their visibility, and therefore understanding, has been shaped by the last 3 years, not 18!

> Hacking goes way back, well over 50 years, so any argument that CyberWar is only conducted by, or known about people that cannot talk about it is ridiculous. RIDICULOUS I SAY.

Pretty funny that you refer to me as the rookie here. Spoken like someone that has never held a clearance or had to sign a contract restricting knowledge of offensive security related transactions. Talk to me when you have. My point here is that folks that are actually close to this stuff legally can't discuss much/most of it. These people likely have careers on the Federal side or work for the gov or a gov contractor and you aren't going to see them jabbering all over Twitter, writing books, or speaking at cons about such activities.

As it relates to Stuxnet, yes malware has been around since the big bang, but again, this type of statement does nothing for your argument. Allied countries developed Stuxnet with a significant investment in very deliberate development and lawyers. Most malware doesn't have this type of focus on such complex targets or ensuring that international agreements on warfare are followed.

> Rather than disclaim this, it is better to just cite your sources that led to your opinion, just like any solid research paper.

You make me a #sadpanda, name-calling isn't nice. I simply put this disclaimer because of Bruce's ending comments in his piece, which I have to say are dead on. I wanted to ensure that you and others don't think I profit from such business as others we know in the industry do. Not saying it's wrong or right, just saying I'm not currently a part of it. Obviously the business you are in at a given time can and generally does shape your opinion and thoughts on a given topic.

"stop believing the propaganda from those who profit from this Internet nationalism. Those who are beating the drums of cyberwar don't have the best interests of society, or the Internet, at heart." - Bruce Schneier

> It is your ethical obligation to battle the demons of stupidity in our industry. And like CyberWar, you will never be without work.

Completely agree and this type of activity is what continues to move the ball forward in this industry and also makes it fun as hell. Oddly enough I think that is what I was attempting to do with my comments and asking for your thoughts? I provided my inspiration for the rant at the top as background.

Quite honestly I'm certain that you and Bruce have put far more thought into this topic than I have. However, even with my limited experience in the space I know that many sides are not well represented.

A few years ago the ivory tower consisted of a debate that "cyber war doesn't really exist". We now know that Cyber war does in fact exist and now the ivory tower seems to be that it exists but "you all are using the term wrong and we have to be careful how we talk about it." I say bullshit to this train of thought, and yes I realize I'm likely in the minority.

The fun will continue with a rebuttal from Rob Graham ...


Like a refined gentleman, Robert Graham (@ErrataRob) replied to our comments with a blog of his own, that can easily be linked to, rather than edited to account for Word .docx retardation and standard 90's HTML that is my crutch.

Read Robert's full reply to my rebuttal, then wait a day or so as I will no doubt rip into him. By that, I mean largely agree with him because we see mostly eye to eye.


As the discussion was on Twitter, others have chimed in. I won't link to all the Tweets because I don't care enough to. I will however link to proper replies, such as the one from refined gentleman, Tom Cross (@_decius_).

Errata Security: Cyberwar: you lack imagination.

