
Cyber mongering and semantic misuse

Michael Hirsh at National Journal has a sober article titled “Here, There Be Dragons” on cyberwar mongering:

In truth, cyberskeptics abound. They include many independent analysts as well as some of Panetta’s high-level colleagues in the Obama administration. These skeptics say that much of the alarm stems from a fear of the unknown rather than from concrete evidence of life-and-death threats. It is, they suggest, a 21st-century version of the medieval mapmakers who would mark the boundaries of the known world and then draw mythical beasts on the other side conveying the message: “Here, there be dragons.”

(…)

The White House’s own cybersecurity coordinator, Howard Schmidt, pointedly avoids using the term “cyberwar,” saying that most cyberthreats are closer to criminal acts than to military actions. “Words do matter,” Schmidt remarked at a conference in February. “When we start throwing out these things, like we’re in the midst of a cyberwar, or that cyberwar is around the corner, there’s a lot of [those things] that don’t actually apply, so we really have to define what it is that we’re talking about.”

In a recent Takshashila Executive program I made it a point to draw the distinction between cyber events, cyber crime, cyber attacks, cyber war and cyber terrorism. The nature of the audience warranted this, but my belief is that Schmidt is absolutely right that words do matter, and that we at large should not overuse words that have a specific meaning and in the process weaken the case against threats that really do exist. James Lewis from CSIS had a similar message in his article “Cyber Attacks, Real or Imagined, and Cyber War”:

Only by adopting an exceptionally elastic definition of cyber attack can we say they are frequent. There have been many annoyances, much crime, and rampant spying, but the only incidents that have caused physical damage or disruption to critical services are the alleged Israeli use of cyber attack to disrupt Syrian air defenses and the Stuxnet attacks against Iran’s nuclear facilities.

(…)

Nations are afraid of cyber war and are careful to stay below the threshold of what could be considered under international law the use of force or an act of war. Crime, even if state sponsored, does not justify a military response. Countries do not go to war over espionage. There is intense hostile activity in cyberspace, but it stays below the threshold of attack.

 


System security and fascination with homegrown solutions

Not long ago, there was a news flash that the Indian government is in the process of kick-starting a project to build “our own operating system”. According to V.K. Saraswat, Scientific Adviser to the Defence Minister and DRDO Director-General,

We do not have our own operating system. Today, various bodies, including banks and defence establishments, need security. Having our own operating system will help us prevent hacking of our systems.

(…)

With a home-grown system, the source code will be with us and it helps in securing our systems.

Dr. Saraswat seems to have expanded on the plan by going beyond the operating system. At Aero India expo he is reported to have added the network to the plan:

“Cyber security is a major challenge for us as all our operations are going to be on the network centric system, which is dependent on information and communication technologies,” scientific adviser to defence minister V.K. Saraswat told reporters.

Admitting that securing the network centric system would be a major problem, Saraswat said the country would have to build robust systems and platforms with proprietary software to make sure the networks were safe and almost invincible.

The mention of proprietary software is confusing, since it is not clear whether Dr. Saraswat is referring to the non-open-source software ecosystem that includes the likes of Microsoft and others, or whether he means “made in India” indigenous software. Given the earlier emphasis on a home-grown operating system, I would venture a guess that it is the latter.

The goal of coming up with a home-grown operating system and network defense framework is noble and even commendable, but not for the reason expounded by the scientific adviser. Given the ease with which trojans and traps can be inserted into software (and hardware), it would seem logical that an internally developed piece of code would be more trustworthy. In a world where few understand the intricate details of the implementation of cryptographic primitives in code, it is not just about whether the code is open source or not, not when allegations like those against the OpenBSD IPsec stack cannot be dismissed easily. Software building involves a lot of reuse and, in the case of open source code, it also involves donated code. Granted that this code is there for everyone to see and audit, there is a dearth of expertise to actually perform such a meticulous analysis, especially when we are talking in the realm of cleverly hidden side-channel attacks.

Given all this, software developed in a relative clean room, like what Dr. Saraswat aims to have, should be more trustworthy. Except that clean rooms can only be “clean” up to a point. At what point can one safely say that re-using an idea, a component or, for that matter, a standard would not destroy the pristine nature of the development? The less one can reuse, the more one has to re-invent and re-develop, and the costlier and more error-prone the whole process is going to be.

This may seem like a lost cause, but that is only because one assumes that there is a single silver bullet. In system security, there is never a silver bullet. Instead, what we see succeeding in the practical world is risk-assessment-based analysis of systems and the implementation of the simple but powerful concept of defense in depth.


Cyberwar makes NPT useless?

Dr. Kalam, former President of India, believes that nuclear non-proliferation treaties (NPT) have been made useless by the advent of cyberwar. He made this remark while addressing the students and faculty of the MGIMO University of International Relations. Cyber war would be more devastating for all the countries with networked financial and economic resources, he says. Interesting twisted logic. More on that later. He goes on to say:

Cyber war, with the speed of light can destroy whole economies and one cannot defend with the help of ICBMs and nuclear weapons. My diplomatic mission is how to make nuclear weapons useless!

Is it just me, or did Dr. Kalam, by the twisted logic expounded earlier, just say that he is going to make the advancement of cyberwar his diplomatic mission?

Putting that aside, let us go back to the first remark made by Dr. Kalam, that the NPT has been rendered useless by the threat of cyberwar. While I don’t know enough about the NPT to judge its overall success, I think there is enough gyan floating around to say that cyberwar just does not invalidate or make useless conventional warfare, especially the use of nuclear weapons. Let us examine some of these points.

  • There is not enough “umph” in cyberwar, notwithstanding the Stuxnet scare, to replace the power and influence held by the possession of, or capability to produce, nuclear weapons. Even if the consequences of engaging in cyberwar can equal those of nuclear weapons, one cannot imagine that many scenarios where it can exceed the destruction of nuclear war. The images from Hiroshima and Nagasaki are too well engraved in our collective conscience to allow us to think otherwise.
  • Cyberwar has one very distinguishing factor compared to conventional warfare that works against it – the “one timeness” of its delivery mechanism. By this I mean the way the enemy is attacked using a specific vector. Nuclear bombs can be dropped again and again over the years by, say, aircraft. Software vulnerabilities that are exploited for the conduct of cyberwar have a single-use lifetime. Stuxnet exploited four 0-day vulnerabilities, but now that these have been identified, patching systems to inoculate against the attack becomes an easy job. You can deploy anti-aircraft guns to shoot down aircraft that could deliver nuclear bombs, but there is no sure-fire way to protect against all of them.
  • The non-proliferation of nuclear weapons is, in theory, something that can at least be worked towards. Cyberweapons are too varied, too easy to proliferate (can fit into a DVD, if not a CD) and too hard to control or supervise. Sure, the amount of investment needed to develop a Stuxnet-like malware could run into millions, but the final malware itself takes hardly any effort to copy, replicate or even modify.
  • The logic that, because missiles cannot block cyber attacks, one might as well give up on trying to defend against or prevent further use, is flawed at two levels. As per prevailing theory, the fear of kinetic attack is one of the key deterrents against full-blown digital wars. While the rules of engagement for this new war front are still being formulated, any nation, if pushed hard enough into a corner, would consider responding with kinetic action against an act of digital aggression aimed at its interests. At the other level, just because one cannot counter weapon 2 with weapon 1, it does not make sense to either give up on developing weapon 1 or give up on fighting against its spread. That would be pretty short-sighted.

The way I see it, cyberwar can only be part (a big part, but still a part) of a bigger war strategy. One can use cyber components to weaken the enemy, disrupt supply chains, create economic havoc, push back technological progress and what-not, but in the end the “no bullets fired” war is not really war in the conventional sense and does not have the same effect.
