Cyberwar Is Harder Than It Looks

Internet vulnerability to attacks exaggerated, says new report.

Modern life is made possible by sets of tightly interconnected systems, supplying us with electricity, water, natural gas, automobile fuels, sewage treatment, food, telecommunications, finance, and emergency response. In wartime, combatants have traditionally sought to disrupt their enemies’ supply systems, generally by blowing them up. Nowadays, many of these systems are increasingly directed and monitored through the Internet. Would it be possible for our enemies to disrupt these vital systems by “blowing up” the Internet?

The Obama administration is evidently worried about this possibility. In May 2009, the administration issued its Cyberspace Policy Review [PDF] which declared, “Threats to cyberspace pose one of the most serious economic and national security challenges of the 21st Century for the United States and our allies.” A year later the U.S. Cyber Command was launched with the aim of protecting U.S. information technology systems and establishing U.S. military dominance in cyberspace. A new market research report identifies the cyberwar sector as “single greatest growth market in the defense and security sector,” forecasting that global spending on cyberwarfare will reach $12.5 billion this year.

A new report, Reducing Systemic Cybersecurity Risk, [PDF] by British researchers Ian Brown and Peter Sommer for the Organization for Economic Cooperation and Development (OECD) evaluates threats to the security of the Internet and other aspects of cyberspace, including hacking, viruses, trojans, denial-of-service, distributed denial of service using botnets, root-kits, and disruptive social engineering techniques. Such weapons have become ubiquitous and already used in government and industrial espionage, identity theft, web-defacements, extortion, system hijacking, and service blockading.

The recent denial of service attacks on Estonia and Georgia give us some sense of the effectiveness of cyber attacks. As James Lewis at the Center for Strategic and International Studies noted, [PDF] “These countries came under limited cyber attack as part of larger conflicts with Russia, but in neither case were there casualties, loss of territory, destruction, or serious disruption of critical services.”

Brown and Sommer conclude, “It is unlikely that there will ever be a true cyberwar.” By cyberwar, they mean one fought solely over and with information technologies. Why? Because it takes a lot of effort to figure out new vulnerabilities in already protected critical systems and the effects of an attack are difficult to predict, including blowback on the perpetrators. More importantly, they note, “There is no strategic reason why an aggressor would limit themselves to only one class of weaponry.” In a real war, cyberattacks would be an adjunct to conventional efforts to blow up critical infrastructure.

Because attacks can be launched from any set of computers, attackers can remain hidden. Consequently, a strategy of deterrence will not work in cyberwarfare because the target for retaliation is unknown. This means that resilience is the main defense against cyberweapons, a combination of preventive measures and contingency plans for a quick post-attack recovery. If cyberwarfare against infrastructure was easy, terrorists like Al Qaeda would have already tried the tactic against us and our NATO allies. 

Brown and Sommer observe that the Internet and the physical telecommunications infrastructure were designed to be robust and self-healing, so that failures in one part are routed around. “You have to be cautious when hearing from people engaging in fear-mongering about huge blackouts and collapses of critical infrastructures via the Internet,” says University of Toronto cyberwarfare expert Ronald Deibert in the January/February 2011 issue of the Bulletin of the Atomic Scientists. “There is a lot of redundancy in the networks; it’s not a simple thing to turn off the power grid.” In addition, our experience with current forms of malware is somewhat reassuring. Responses to new malware have generally been found and made available within days and few denial of service attacks have lasted more than a day. In addition, many critical networks such as those carrying financial transactions are not connected to the Internet requiring insider information to make them vulnerable.

While not everyone uses up-to-date malware detection, most government agencies, major businesses, and many individuals do, which means that would-be attackers must take the time and effort to find new flaws and develop new techniques. For example, the success of the Stuxnet worm that attacked and disabled Iranian nuclear centrifuges required very extensive intelligence gathering and knowledge of specific software flaws as well as someone able to walk into the facilities with an infected USB drive.

Brown and Sommers urge governments to ratify the CyberCrime Convention. The chief treaty holdouts are Russia and China, countries from which many recent cyberattacks appear to have originated. “We should not forget that many of the countries that are havens for cybercrime have invested billions in domestic communications monitoring to supplement an already extensive set of police tools for political control,” notes James Lewis. “The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept. A hacker who turned his sights from Tallinn to the Kremlin would have only hours before his service were cut off, his door was smashed down and his computer confiscated.” 

Another fruitful way to address emerging cyber threats suggested by the authors is to strengthen connections between national Computer Emergency Response Teams (CERTs). CERT experts operate as a kind of early warning system who also devise software fixes to stop the spread of new malware. And they think that public policy, including procurement, can be used to encourage the development of properly tested hardware and software.

While blowing up the Internet probably won't happen, espionage, hacking, and malware will be with us always. Whatever we do to defend against them, will also defend against the threat of cyberwarfare. 

Ronald Bailey is Reason's science correspondent. His book Liberation Biology: The Scientific and Moral Case for the Biotech Revolution is now available from Prometheus Books.

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • ChicagoSucks||

    Security is expensive and nobody wants to pay for it.

  • ||

    Security is expensive for deranged killers like the americans (and similar imperialists)

  • Virginia||

    http://willusingtheprefixcyber.....idiot.com/

  • Almanian||

    Also, ^^ this!

  • anarch||

    one of the most serious economic and national security challenges of the 21st Century

    How accurate could such a pronouncement about the twentieth century have been in 1911?

  • ||

    Depends. If you said it about the Kaiser's push to challenge Great Britain on all fronts internationally, you'd have been right. Fucked up the whole century.

  • anarch||

    Stop harshing my mellow with retroactive prescience. ;-)

  • ||

    Just one dude gave us two world wars, multiple totalitarian states, mass slaughter. . .and denied us the use of luxury zeppelins. One dude!

  • -||

    He should have his own Godwin.

  • anarch||

    "One Dude, Two Wars" in Stereopticon?

  • herp||

    ... One dude?

    Derp.

  • Almanian||

    U.S. Cyber Command

    I so am picturing two guys in a bunker wearing green Army helmets, with a banks of 5 1/4" floppy discs stacked around them, and a bank of dusty, off-white IBM XT's (now with 512K RAM!).

    "Murphy, we are the last, best chance of a hopeful nation...."

  • Almanian||

    Guy1: "God DAMN IT! Pass me that Norton Utility disc! I've got to unjam the....Murphy!!! Murphy?! MURPHY!!!"

    *sees Murphy's dead*

    "NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!!!!!"

    *unloads disc, types format C:/*

  • ||

    I'd agree with you, except that the OS should be CP/M.

  • Predicador||

    *unloads disc, types format C:/*

    Like any historical fiction, this does not pay attention to detail :)

    a) DOS used backslash, not forward slash to separate file address elements;
    b) format c: did not require any slash anyway.

  • Ebeneezer Scrooge||

    Hey, don't rain on his parade. He's probably too young to have ever seen a real DOS prompt.

  • Zeebs||

    Ian Brown is a researcher at OECD now? He's come a long way since he was the frontman for the Stone Roses.

    (I got nothin'.)

  • dunkel||

    Well, their second album was a colossal turd. Better to accept that and move on...

  • ¢||

    So what you're saying is "Cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber."

    Interesting.

  • Shaft Backup Singers||

    Shuh cho mowf!

  • ||

    Whatever happened to cybersex?

  • ||

    People realized that a USB dildo and force-feedback gloves do not a hot Saturday night make. It always sounded better than reality of it was.

  • ||

    So you're saying heller's Saturday nights aren't hot?

  • ||

    I'm sure they are just as hot as heller wants them to be.

  • ||

    I'm sure the friction makes the dildo mighty hot.

  • ||

    You know what else is "harder than it looks?"

  • Fatty Bolger||

    Sudoku?

  • Fatty Bolger||

  • omg||

    Are you saying "Live Free or Die Hard" was inaccurate?

  • ||

    Let's see: what's the least regulated environment in the developed world? The internet. So, of course, the government declares that the greatest threats of the next 90 years will come from there. I wonder why they would do that?

  • ||

    Gosh, they do hate freedom and unpredictable consequences, don't they? It explains the latent Ludditism in many statists.

  • ||

    I'm being serious here. Why the sudden "OMG alert level red" talk about "cyberattacks"?

  • .||

    Stuxnet has been in the news lately is maybe why.

  • ||

    WIKILEAKS!!!!!!1111WON

  • herp||

    Because Israel is doing it. The USA has finally come around.

  • ||

    Because it's a technology and capability they can't control. And, of course, one that presents a real, if in practice limited, threat.

    There's also just the "it's in vogue" answer. Like harping on cyberbullying or some other such nonsense.

  • sarcasmic||

    They want to regulate the internet and need an excuse.

    That's all.

    They need to convince the general public that the world is going to end so Congress can create ten regulatory agencies to control every bit and byte that travels through cyberspace.

  • Ebeneezer Scrooge||

    Consider the fact that 1,000 years ago, the Eurasian Steppes was one of the least regulated environments in the world. Every so often, a Mongol horde would come screaming out of there and raise hell in Europe, China, or both.

    When living things (like even governments) smell a potential existential threat, they tend to react to it. It's just what living things do.

    The Turks and Mongols were not brought to heel until the advent of decent field artillery. But until then, the barbarians were periodically able to wreck havoc and and sometimes conquer entire civilizations.

    What we have here is a technology venue that could -- sooner or later -- give the little guy a big advantage in a fight. We could have "barbarians" taking over from BF Egypt.

    I personally don't think things have evolved to quite that point yet. But a) the potential is there, and b) computers/internet is a place where big nation-state actors could conceivably do one another some real harm, already today.

    There's a certain very large nation in Asia that has invested vast sums of resources, with the intent of sooner or later being able to do just that.

  • Almanian||

    While blowing up the Internet probably won't happen, espionage, hacking, and malware will be with us always. Whatever we do to defend against them, will also defend against the threat of cyberwarfare.

    CYBER BULLIES!!!

    *shakes fist*

  • EscapedWestOfTheBigMuddy||

    Cyberwar may be hard---even very hard---but it seems that someone is getting to understand it pretty well.

  • Fist of Etiquette||

    What is it cybergood for?

  • Hooha||

    Abcyberlutely nuthin'!

  • Heroic Mulatto||

    But...but...CHINA!!!!

  • ||

    Does this mean my plan to download all the gold in Fort Knox won't work?

  • Ebeneezer Scrooge||

    Well, Reasons is still at it, claiming that computer security (or cyberspace or whatever you want to call it) is a "Nothing to see here, move along" kind of issue.

    Wasn't it Katherine who put out an article on this general subject several months back? Which was so bad I had to give her a D- at best. This one is at least better, I'll give you a C- this time. Keep trying and you might get there.

    Think for just a second -- you can't buy a piece of military hardware today that's any more sophisticated than a .22 shell, without it's got some kind of software running on it, and a data link to the outside world.

    Anything that runs software is vulnerable unless you encase it in a 55 gallon drum of concrete.

    Anything with a data link is vulnerable unless you stomp it to death beneath your feet.

    There is an issue here with "cyber-security" (coin your own term if you don't like the pop term) and it does need to be addressed. From a libertarian perspective, the real threat is the fact that so many people in government today have no respect for what we used to call "inalienable rights".

    But I guess that wouldn't make for as many neat headlines. Anyway, this article in itself is an excercise in "I really have no evidence to back up the position I'd like to take but let's plow ahead anyway."

    Brown and Sommer conclude, “It is unlikely that there will ever be a true cyberwar.” By cyberwar, they mean one fought solely over and with information technologies.

    That much is true,

    Why? Because it takes a lot of effort to figure out new vulnerabilities in already protected critical systems and the effects of an attack are difficult to predict, including blowback on the perpetrators.

    but by this time we've already lost the trail. Do you think there are no governments out there with the resources and the will to carry out this kind of "perpetration"?

    C'mon, we can do better than this. Oh wait,

    For example, the success of the Stuxnet worm that attacked and disabled Iranian nuclear centrifuges required very extensive intelligence gathering and knowledge of specific software flaws as well as someone able to walk into the facilities with an infected USB drive.

    I see. We do get it. Governments with the will and resources to develop this class of software must in fact exist, somewhere on planet earth.

    Though I will add, we are assuming here that Stuxnet actually did do the damage that the NYT article claims was done. That Stuxnet exists, we can believe. That it succeeded in messing up Iran's facilities? Maybe. Or maybe it's to Iran's benefit, for whatever reasons of state, to let the world believe it is so.


    "If cyberwarfare against infrastructure was easy, terrorists like Al Qaeda would have already tried the tactic against us and our NATO allies. "

    Uh, no. AQ wants suicide bombers, it's part of their whole M.O. Besides if they were willing to do things "the easy way" there are many, much easier ways to wreck destruction than cyberwar. Not to mention the fact that while nation-state governments can manage the resources necessary to pull off something like Stuxnet, Stuxnet class software is very likely beyond the capacities of an organization like AQ.

    It's way easier to teach people how to build bombs than it is to develop a Stuxnet class piece of software.


    To finish this out, tell me how it is that we do not have an utter contradition between these two statements:

    1) Because attacks can be launched from any set of computers, attackers can remain hidden. Consequently, a strategy of deterrence will not work in cyberwarfare because the target for retaliation is unknown."

    2) The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept.

    And this comes straight from the primary source that you're basing your case on. I call your primary source "highly susupect".


    I'll give you what's genuinely intended to be a friendly piece of criticism. Ron is more likely to get his arms around this topic than anyone else currently on the Reason staff. But computer and internet security is no simple subject to get your arms around. If you really want to go into this topic area, I'd give serious consideration to a) hiring someone who actually knows what they're talking about or b) give this particular topic a pass.

    Don't underestimate the depth of the water. To understand computer and internet security, you just about need someone who eats, sleeps, and breaths this subject, day in and day out. It just isn't armchair philosophy. I see real prospects of Reason making itself look not so good by putting out articles that are misinformed.

  • asdf||

    Awesome a response as long as the article, I'm sure everyone will read it.

  • Jonathan||

    The inability to identify an attacker is the primary technological limitation in applying conventional legal doctrine to cyberwar. This limitation is technological, though, so it can be solved technologically.

  • ||

    Ebenezer: Someone once defined journalism as getting one's education in public. In the age of internet commenters that is doubly so. Thanks for your comments, but I am puzzled by a couple of them. For instance, I wrote that if it were easy to do cyberwar, then Al Qeada would have already tried it. You appear to disagree and then write: "Besides if they were willing to do things "the easy way" there are many, much easier ways to wreck destruction than cyberwar." Well, yes, that's what I thought I had written.

    One vision of cyberwar that I believe the authors are arguing against is that somehow "pandemic" weapons that could take down all computers and networks in a country might be developed. They give good reasons for why they think that this is implausible. They do worry about EMP as weapon, but that is not by their definition a cyberweapon.

    With regard to nation states, they do have the ability to develop sophisticated cyberweapons, but do they have the motivation to use them? The authors argued (persuasively to me) that nation states would fear blowback from unleashing whatever cyberweapons they develop, and so in some sense are self-deterred.

    In any case, I certainly do take your criticism on this topic as friendly and please keep doing it.

  • Ebeneezer Scrooge||

    Ron, I'm glad you responded. I think I understand what you meant better now, and I think we're a lot more in agreement than I had initially thought.

    Well, yes, that's what I thought I had written.

    My bad on that one.

    Maybe its the color of my glasses. Let's say I have some familiarity with the kinds of problems the police, military, and industry at large face in "cyberspace" (a term I dislike but it works). It would be nuts to even suggest that there are no problems there, because they are legion.

    But the context that matters for security is all out war, when state actors might use everything they've got.

    There is the issue that so much computer hardware is manufactured in China today. Some might like to believe that doesn't matter, but I think they're wrong.

    OTOH, I'm afraid that the people who are going to be addressing these problems (and they will be), are going to trample all over our rights in the process.

    So I think we are largely on the same page after all. That wasn't clear to me on first reading, but maybe I need to take my glasses off first from now on.

  • IT Policy Guy||

    Some of us do eat, sleep and breathe the subject at least a few hours each day, and I think Ron's pretty much on target here. If it were that easy to take down a power grid somebody would have already done so--there are lots of smart, crazy geeks out there.
    Same goes for any other doomsday cyberscenario.

  • Ebeneezer Scrooge||

    As far as smart crazy geeks, you're right.

    Your comment made think -- as this debate unfolds in the public arena, we need to draw a crystal clear line between threats from ordinary hackers, and threats from state actors. They aren't the same thing.

    I sincerely doubt that even an AQ grade hacker network, could marshal the resources to do something like Stuxnet.

    On the other hand, China could. And while they probably couldn't take the whole electric grid down, I wouldn't say that they couldn't do us some real harm. In a real war, I'd expect them to try.

    That's another distinction to be made clear: are we talking about "normal" life, or are we talking about all out war? Under normal conditions yes, state actors will hold back for obvious reasons. During a war they probably won't hold back.

    If we want to preserve our rights, I believe we need to clearly identify the conditions under which "cybersecurity" is, and isn't, an issue that the government ought to be worried about. So that we can draw lines like "Yes, the government does need tanks to defend the country" but "No, they don't need to be using tanks to police shoplifters at grocery stores."

    We should not let anyone blur these lines as the debate progresses.

  • ||

    Personally, my working assumption is that any threat assessment by any government is grossly exaggerated in order to secure funding.

  • ||

    DING! DING! DING!

    We have a winner!

  • Tristan Yates||

    Thanks for injecting some common sense into the debate. Hackers make headlines but any programmer or admin can tell you that software rushed into production is a heck of a lot more frightening.

  • sarcasmic||

    Nobody is better at rushing untested software into production than government.

    I know from personal experience.

    And yes, it is very frightening.

  • ||

    I get the feeling that any "real" attacks on the Internet will come from somewhere other than within the Internet. People are always the weakest part of a security system.

  • ||

    Amen. Nothing like having your highly expensive, perfectly configured firewall circumvented by some jerk with an 8 dollar thumbdrive.

  • ||

    The internet is used for spying on the population, that is why governments move to police it. It gives them an excuse like Y2K to fulfill the arguement that people should be watched all the time.

  • Kirk||

    Right, not everyone uses up-to-date malware detection softwares. Maybe viruses, spywares and other malwares are come from several computer security software company, so clients will buy their products...

  • nike running shoes||

    is good

  • Scarpe Nike Italia||

    is good

  • kangzhu||

    This plan has no merit

  • alipay||

    good

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online

  • Progressive Puritans: From e-cigs to sex classifieds, the once transgressive left wants to criminalize fun.
  • Port Authoritarians: Chris Christie’s Bridgegate scandal
  • The Menace of Secret Government: Obama’s proposed intelligence reforms don’t safeguard civil liberties

SUBSCRIBE

advertisement