[Infowarrior] - Collateral Damage (in Cyberspace)

Richard Forno rforno at infowarrior.org
Thu Jun 11 17:32:30 UTC 2009


Collateral Damage

http://www.cringely.com/2009/06/collateral-damage/

There was lots of good discussion last time about cyber warfare, cyber  
security, and U.S. policy, but what most respondents seemed to miss  
was the international nature of the IT business — all the outsourcing  
and offshoring that we were told was so great — and its implications  
for U.S. security.  The upshot is that any U.S. cyber warfare czar  
will have to effectively function as a WORLD cyber warfare czar, a  
fact that neither Republican nor Democratic Administrations have yet  
been willing to embrace, at least in public.

Forget for the moment about data incursions within the DC beltway:
what happens when Pakistan takes down the Internet in India?  Here we
have technologically sophisticated regional rivals who have gone to  
war periodically for six decades.  There will be more wars between  
these two. And to think that Pakistan or India is incapable of taking,
or unlikely to take, such action against the Internet is simply naive.
The next time these two nations fight YOU KNOW there will be a cyber  
component to that war.

And with what effect on the U.S.?  It will go far beyond nuking  
customer support for nearly every bank and PC company, though that’s  
sure to happen.  A strategic component of any such attack would be to  
hobble tech services in both economies by destroying source code  
repositories.  And an interesting aspect of destroying such  
repositories — in Third World countries OR in the U.S. — is that the  
logical bet is to destroy them all without regard to what they  
contain, which for the most part negates any effort to obscure those  
contents.

You can have 1000 safe deposit boxes with only three holding anything
of real value, but that obfuscation is meaningless if the target is
ALL safe deposit boxes.

To this point cyber security conferences tend to concentrate on  
intelligence (probing attacks to learn about a potential enemy, gather  
information and map defenses) and tactical deployment (using that  
intelligence information to blind, disable, or defend some network  
resources in what’s usually perceived as an encounter lasting hours).   
There is little to no regard for strategic use of cyber warfare as in  
the India-Pakistan example or the nuking of source code libraries.  We  
don’t talk about it because it is too horrific, not because it can’t  
happen.

The result, of course, is that any major power has to be concerned  
about the cyber security of all its technology partners, which over  
the last decade has come to include a lot of Third World nations.  Try  
to do a security audit of Argentina or Bangladesh and see what  
nightmare is unveiled.  Yet this is exactly where major international  
companies are deploying more and more technical resources.

The military answer of course is to isolate network traffic, as many  
readers have suggested.  But how do you enforce that in other  
countries?  And how effective is it at all against a strategic attack  
on essentially commercial resources?  Not very.

This is not a battle but a war, and wars take a long time to prepare
for and wage.  As readers have pointed out, we’re not just concerned
with malware and viruses but even hardware-based attacks. Who knows if
that flash memory from Malaysia or that router card from Taiwan is  
compromised?  Who CAN know?  And if you’ve found one hardware exploit  
in a product does that mean you’ve found all that are there?  Hardly.

One point of view is that this makes both old tech and traditional  
firepower more valuable.  Analog systems, for example, are unlikely to  
be compromised by digital exploits. And 2000-pound bombs are a pretty  
darned effective response to a cyber attack IF you can clearly  
identify the attacker and figure out where to drop the bombs.  Both
tend to neutralize the effect of advanced systems, making
Syria a more effective opponent against Israel, AND push superpowers  
toward brandishing their biggest guns — nuclear weapons.

So cyber warfare is internationally destabilizing in whole new ways  
with the world being dramatically less safe as a result.  This works  
mainly to the advantage of the bad guys.

Then there’s the Code God Effect — the potential strategic impact of a
single programmer with commanding skills.  The very guy or gal who is
typically the creative heart of an entire company (but they never
admit it), because he or she is the equivalent of 100 average coders,
can be the secret weapon in a cyber war, too.  And the distribution of such
megabrains is random enough that to say one or more aren’t working  
right now in North Korea would be a bad bet — one that a nation like  
the United States would be unwise to make.

We see the Code God Effect happening right now with publicized Chinese  
Internet incursions and those are just amateurs: the real damage is  
being done by much more skillful players we have yet to even detect.

What this means for any major power is that they aren’t as powerful as  
they think they are and that power is even less across borders.  There  
isn’t a U.S. agency I know of — ANY agency — that is prepared to win  
such a war against a clever and determined opponent of almost any size.

If the game is U.S. versus Albania, who wins?  I don’t know.

We need new tools and new weapons.  We need to find ways of changing  
the battlefield to negate opponents (this is HUGE), not just shooting  
back.  We need leadership that understands this.  Maybe President  
Obama understands it, maybe not.  He hasn’t demonstrated yet that he  
does, at least not to me.

Let’s hope that’s just part of an incredibly clever master plan.

Yeah, right. 

