On the securitymetrics list, Joel Rosenblatt recently posted a link to
an article by David Gerwitz and asked "Do you, as IT professionals,
have to get involved in the battles between nations?"
It is a good question, but the article he cites
confuses cyberwar and cybercrime. After all, not all cyber attacks are
cyberwar, if you understand war of any kind to require the use of force,
political objectives, and, arguably, nation states.
Given that understanding of war, the metrics that the article cites are misleading.
Most data breaches are made for economic gain, not political advantage.
Therefore, the numbers cited about the cost of breaches, the growth of
incidents, and so forth, miss their mark. So do the numbers on the
growth of the amount spent on defense, given the apolitical nature of
the attacks and the attackers they are defending themselves against.
I would make the further point that we have yet to see true cyberwar.
Attacks in Estonia, Georgia, Ukraine, and elsewhere have been examples
of how cyber attacks can affect political conflict. But were they truly
cyberwar? Nobody died. No long-lasting damage was done. Did these cyber
attacks, in the end, successfully advance any political goal? Arguably,
no.
That said, the article asks a larger question that does need
an answer. To paraphrase it: What responsibility must private
enterprise take in defense against attacks in cyberwar? In addressing
this list, Rosenblatt placed this question at the personal level when he
asked "Do you, as IT professionals, have to get involved in the battles
between nations?"
It is unlikely that anyone would argue that
private enterprise bears no responsibility. The question can then become
more precise: How much responsibility should lie on private hands and
how much should be assumed by the government? This has been debated
publicly, at length, for years. The White House has issued Executive
Orders to address the issue, and Congress has passed some legislation
and debated much more. Nonetheless, it has not yet been answered.
Part of the reason why the question remains open is that we don't have a clear idea what cyberwar is. What do we need to prepare for? More Sony attacks? Massive DDoS attacks like those in Estonia? Attacks on industry like the assault on electricity distribution utilities in Ukraine? Or something else?
The truth is that we need to prepare for the last of those, for something not yet seen in its entirety. Or perhaps not at all. Herzi Halevi, the Chief of Israeli Military Intelligence, recently pointed out that the power of air warfare did not become evident until World War II, about 40 years after the airplane was invented. With that in mind, it is early days in the development of cyberwar.
Drawing on the analogy with air power, we can expect cyberwar to be of two kinds. 'Tactical' cyberwar will directly affect the battlefield; the growing dependence of armed forces on digital communication makes the importance of this kind of cyberwar clear. 'Strategic' cyberwar is analogous to the use of Liberators and Lancasters to bomb German industrial plants, railroad yards, dams, and oil fields.
The former is clearly the province of government. The latter is where the private sector comes in. A difference between cyberwar and air war is that private enterprises can do much to protect their assets against cyber attacks, but little to protect them against air attacks. Indeed, when it comes to cyber attacks, the essential work is out of the hands of government, though it can provide money and information.
That is particularly true in the United States, where private enterprise does not trust government and has little inclination to work with it. There is less distrust elsewhere, so government can do more. The Israeli government, for example, is establishing a national CERT that will provide cybersecurity services to private industry. With the American public and private sectors at loggerheads, nothing like that can be done here and be effective.
And, as it stands now, the money and information that government might provide won't be available. Congress almost certainly won't provide funds for defenses that private industry is not certain it needs. Despite much effort and almost endless discussion, information has been exchanged grudgingly at best.
What does this mean? The United States is likely to remain unprepared for attacks made in strategic cyberwar, barring some horrendous wake-up call.
So, following on Rosenblatt's question, what is an IT professional to do about cyberwar? Keeping in mind that not all cyber attacks are cyberwar, and that many of the tactics, techniques, and procedures used by nation states and by private criminals are the same, I would tell the professional: Keep on working to strengthen the defenses you are responsible for. That may seem a small task to those who don't have to do it, but it is essential. Those who make policy, in industry and government, should do much more.
Neither party has a monopoly on truth. Neither has put forward adequate solutions to the severe problems that are threatening the future of our country here and abroad.
26 July 2016
07 February 2016
Putin’s Russia and Political War
Has Russia changed? Does it have a new strategy for dealing with those who oppose it?
Some think so. After a British court found cause to believe that Putin was complicit in the death of Alexander Litvinenko, and after the attacks on electricity distribution utilities in Ukraine, attributed by many to Russia, it has been argued that Russia has adopted a new strategy, a new tradecraft. In particular, the claim has been made that Moscow has replaced murder with hacking.
The truth is that Moscow uses a multitude of means to deal with opposition in the world beyond Russia’s borders. It always has. It is doing nothing new. It follows a strategy that was adopted by Lenin.
Political war: More than hacking, less than combat
Lenin and his successors in the Soviet Union used all means available to influence a world they saw as irretrievably hostile. Putin’s Russia does much the same. Because of geography and the relative weakness of Russia’s military or simply out of prudence, the use of Russia’s military has been out of the question in most of the world. Like Lenin and Stalin before him, therefore, Putin has come to rely on political war, that is, on “the use of political means to compel an opponent to do one’s will.”
This is not the same as hybrid war, the term used to describe Russia’s actions in Ukraine. Hybrid war still relies on military force and political war has a different aim. In Ukraine—and in Syria, for that matter—occupying territory matters, which makes military action necessary. In political war, the goal is simply to weaken the political will of opponents, to “chip away at public confidence.”
The Soviet Union used a variety of political means, both overt and covert, to extend its influence into the West and elsewhere. Many of these means have been updated and are used by the Kremlin today. Instead of Radio Moscow, look at RT and similar outlets. Instead of the support given to Communist Parties in the West, look at the support given to right-wing parties.
Information technology has increased the potential of political war in the 21st Century. The cyber realm promises to extend the reach of political war far beyond. Russia has been taking full advantage of it.
As they have shown, social media can be a potent tool of the political warrior. It is ubiquitous, accessible through any smartphone or computer, available at any time of day or night, and increasingly important in the lives of many in the developed world.
It is also less attributable than older media. Whereas radio in particular was clearly identified with its owners and the country from which it broadcast, social media are often ostensibly state-neutral. We knew who Tokyo Rose, Radio Moscow, the BBC, and Radio Free Europe represented; we don't know that about most of those who post on Facebook, Twitter, or LinkedIn. They can come from anywhere; they can be anybody.
Then there is hacking, or cyber war, if you will. It is often hard to attribute cyber-attacks to their source, particularly if that source is a nation-state determined that its efforts remain hidden. Indeed, attacks often go unnoticed for years even as they quietly achieve their goals.
They can be launched to serve a multitude of purposes. Some can deny access to services available online, as in Estonia in 2007. Others can be another form of espionage, as with the attacks on OPM databases in 2014-2015. Still others can wreak physical destruction. Stuxnet showed that potential. More recently, just last year, the BlackEnergy toolkit was used in the attack on electricity distribution utilities in Ukraine. The toolkit appears to have been used against Ukrainian targets for a variety of political purposes since at least 2014.
Of course not all of these attacks were made by Russia, and Russia is far from the only country able to wage cyber war. But it is widely recognized that Russia is one of the best at it. It is an important element in the Russian approach to political war, as an article by two Russian military officers published in Voennaya Mysl in 2013 shows. They describe a continuum of operations through all phases of ‘new-generation war.’ Cyber-attacks have a prominent role throughout, from spreading propaganda to the final, military phase.
What is to be done?
The West has always had difficulty dealing with political war. The credulousness of Walter Duranty, who won a Pulitzer Prize for his reporting from Moscow and denied that the Great Famine in Ukraine was occurring, and of Joseph Davies, the ambassador to Moscow who believed that the people Stalin put on stage in the show trials were guilty, are but two examples. There are myriad others that can be gathered from across the Western world.
As Mark Galeotti argues, we are no better prepared today as Putin and his government use the methods of 21st Century political war to combat the many hostile elements they find in the outside world. We need to recognize the efforts that they are making and the means they have available. Sometimes they will succeed.
Should Russian political war be cause for alarm? Arguably not, especially in regard to the United States. After all, it is not new. We survived the Soviet version of political war; the Russian version threatens us less, despite the evident effectiveness of Russian cyber arms over the last decade and the growing efforts to gain influence through new and old media. Moreover, political war is not war in the full sense. And while Russia is certainly not a friend, since Putin's hostility to the West can be almost palpable, it is not an out-and-out enemy. For most of its history, the Soviet Union was.
Countries where democratic institutions are weaker are a different matter. Ukraine is one example, but Bulgaria is another. A response to Russian efforts to wage political war is needed, but it should be measured.
Our response to this long-standing Russian reliance on political war needs to take into account the strengths that our open society can bring to a political struggle. The weaknesses have often been noted, but truth is a powerful antidote to propaganda.
We would do well to nurture that antidote by strengthening private and public programs that foster open media, good government, and cyber defense. An increase in covert programs such as those George Kennan sought in 1948 will not survive when they come to light, as they did before and will again. The creation of a bureaucracy devoted to political war, as Max Boot advocates, is overkill.
Reading Packets is Like Chess, Except When It’s Like Poker
In chess, everything is laid out in front of you. Nothing is hidden. The outcome depends solely on your skill. You can't be dealt a bad hand. No dice can give you snake eyes or boxcars.
When looking at network traffic, packets give you a chess player's view. It is all there in front of you, whether you are troubleshooting problems or looking for what the bad guy did. That doesn't make it easy, of course. Your skill and knowledge determine how much you can do, especially against a stronger opponent.
Of course, encrypted traffic is different. Then it becomes more like poker. Much of what you would like to know is hidden. As the game goes on, you can get clues about what is hidden, but you cannot know for certain what is there.
To be more precise, looking at encrypted traffic is more like playing stud poker than draw. In the latter, all cards are hidden. In stud, some are dealt face up, so you always know something about the hands on the other side. Network packets always show their headers, at least the outer ones: a VPN or IPsec tunnel hides the inner headers, but the tunnel's own addresses, ports, sizes and timing are still in the clear. These are the cards you can see. Pulled together into session data, they give you a solid basis for analyzing what is going on. This makes reading packets an important skill for network administration and an essential skill for network defense.
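To make the "face-up cards" concrete, here is a small added example in Python, not code from the original post or from the SANS course: it parses raw Ethernet/IPv4/TCP frames with the standard library, keeps the payload opaque, and folds the header fields into bidirectional session records keyed by the 5-tuple. The frames, addresses, ports and payload bytes are constructed inline for the demo (the "TLS" payloads carry only a plausible record header followed by filler). The TLS record-header check is one illustration of a clue that stays in plaintext even though the contents are encrypted.

```python
"""Read packet headers (the cards you can see) and fold them into session data."""
import struct
from collections import defaultdict

ETH_HLEN = 14
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}
TLS_CONTENT = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}


def build_frame(src, dst, sport, dport, flags, payload=b"", seq=0, ack=0):
    """Construct an Ethernet/IPv4/TCP frame. Demo input only, not a real capture;
    checksums are left at zero because nothing here validates them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12 + b"\x08\x00"          # placeholder MACs, EtherType IPv4
    return eth + ip + tcp


def parse_frame(frame):
    """Pull the header fields out of one frame; the payload is returned as opaque bytes."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 is handled in this example")
    ip = frame[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4                  # header length in 32-bit words; options make it > 20
    total_len = struct.unpack("!H", ip[2:4])[0]
    rec = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "proto": ip[9], "ip_len": total_len}
    if rec["proto"] != 6:
        rec["payload"] = ip[ihl:total_len]
        return rec
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4              # data offset in 32-bit words; options make it > 20
    rec.update(sport=sport, dport=dport, seq=seq, ack=ack,
               flags=[name for bit, name in TCP_FLAGS.items() if off_flags & bit],
               payload=tcp[doff:])
    return rec


def tls_hint(payload):
    """The 5-byte TLS record header is never encrypted: one more face-up card."""
    if len(payload) >= 5 and payload[0] in TLS_CONTENT and payload[1] == 0x03:
        return "tls " + TLS_CONTENT[payload[0]]
    return None


def sessionize(frames):
    """Aggregate frames into bidirectional sessions keyed by the canonical 5-tuple."""
    sessions = defaultdict(lambda: {"packets": 0, "bytes_a": 0, "bytes_b": 0,
                                    "flags": set(), "hints": set()})
    for frame in frames:
        p = parse_frame(frame)
        if p["proto"] != 6:
            continue                          # UDP/ICMP would need their own header parsers
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        key = (min(a, b), max(a, b), "tcp")   # same key whichever side sent the packet
        s = sessions[key]
        s["packets"] += 1
        s["bytes_a" if a == key[0] else "bytes_b"] += len(p["payload"])
        s["flags"].update(p["flags"])
        hint = tls_hint(p["payload"])
        if hint:
            s["hints"].add(hint)
    return dict(sessions)


# Constructed sample session: a client at 10.0.0.5 talking to a server on 443.
CLIENT, SERVER = "10.0.0.5", "93.184.216.34"
SAMPLE_FRAMES = [
    build_frame(CLIENT, SERVER, 51514, 443, 0x02),                                         # SYN
    build_frame(SERVER, CLIENT, 443, 51514, 0x12),                                         # SYN/ACK
    build_frame(CLIENT, SERVER, 51514, 443, 0x10),                                         # ACK
    build_frame(CLIENT, SERVER, 51514, 443, 0x18, b"\x16\x03\x01\x00\x20" + b"\x00" * 32),  # handshake record, filler body
    build_frame(SERVER, CLIENT, 443, 51514, 0x18, b"\x17\x03\x03\x00\x40" + b"\x00" * 64),  # application_data record, filler body
    build_frame(CLIENT, SERVER, 51514, 443, 0x11),                                         # FIN/ACK
]

if __name__ == "__main__":
    for key, s in sessionize(SAMPLE_FRAMES).items():
        print(key, s)
```

The session record is exactly what the headers give away without decrypting anything: who talked to whom, on which ports, how much each side sent, how the connection opened and closed, and that the payload was TLS. A real capture would be fed in from a pcap reader instead of `SAMPLE_FRAMES`, and the UDP and IPv6 cases the example skips would need their own header parsers.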
[Here comes the commercial part.]
For that reason, my favorite security course is SANS Security 503. It also happens to be one of the best courses SANS has put together. That is why I am teaching it in the SANS Mentor format this spring. The course will meet in Rockville, MD, each Wednesday beginning April 13.
In addition to reading packets you will learn about intrusion detection using Snort and Bro. As you might expect from a SANS course, there will be plenty of hands-on work, so you will come out knowing that you can actually do it.
You can find more information about it at https://www.sans.org/mentor/class/sec503-rockville-13apr2016-james-voorhees.
If you are in the DC area, I hope you'll sign up.