Linking Cyberspace and 4th Generation Warfare - Act Deux

Friday, September 09, 2011

Don Eijndhoven


After writing the article "Cyberspace and 4th Generation Warfare - A Marriage of Convenience" I received many questions and comments that really stirred the conversation.

I'd like to further clarify some points and make some more links based on (among other things) observations stolen directly from John Robb's blog. I hope Mr. Robb doesn't mind my poaching his IP too much as I make my way forward in linking his theories to how I see the future of cyber conflict.

"Terrorists won't use cyber..."

The first comment I received, and one that is likely to persist for some time, was that terrorists prefer -and will likely continue to prefer- the more kinetic approach to critical system attacks. I agree.

However, my article was about the fact that those who wish to disrupt critical systems and services could (also) do so through cyber attacks.

I will grant that these are unlikely to be the same people who are now attacking through kinetic means. This does not mean that cyber attacks on critical systems won't happen.

It is easily conceivable that online collectives such as Anonymous and LulzSec, who are known to harbor militant types, will eventually get bored with relatively innocuous attacks and start targeting digital weak points in critical infrastructure to get their point across.

The fact of the matter is that collectives such as Anonymous have, despite the nuisance they have caused thus far, barely scratched the surface of the power they could wield.

The DigiNotar attack, which is claimed to have been perpetrated by a single attacker calling himself ComodoHacker, is a prime example of how powerful cyber attacks can be when applied against critical infrastructure. This is asymmetric warfare at its finest.

By cracking the security of a Root CA he managed to undermine all the systems (blindly) depending on it: Windows Update -thus bringing all Windows based systems within reach of compromise- and the entire Dutch government's digital ID system for citizens, to name but a few.

Whether this was a state-sponsored attack by Iran or the act of a single individual is still a matter of debate. The CEO of Comodo apparently believes that it was state-sponsored; the attacker himself claims that it was retaliation for the Dutch involvement at Srebrenica.

Either way, the attack was a massive success and demonstrated the weak points in the CA system.  

"How is Open Source a good example?"

I received some comments that made it obvious my reference to the Open Source community missed its mark a little, probably because I had to cut some corners left and right to keep the article from bloating into a whole thesis. I was referring to the underpinning philosophy from Eric S. Raymond's Cathedral and the Bazaar, not to any end product, individual, group or community specifically.

To be more specific, the following points have served both the Open Source community and the Global Guerrilla community very well. I'm sure they will do the same for cyber conflicts:

  • Release early and often. Try new forms of attacks against different types of targets early and often. Don’t wait for a perfect plan.
  • Given a large enough pool of co-developers, any difficult problem will be seen as obvious by someone, and solved. Eventually some participant of the bazaar will find a way to disrupt a particularly difficult target. All you need to do is copy the process they used.
  • Your co-developers (beta-testers) are your most valuable resource. The other guerrilla networks in the bazaar are your most valuable allies. They will innovate on your plans, swarm on weaknesses you identify, and protect you by creating system noise.
  • Recognize good ideas from your co-developers. Simple attacks that have immediate and far-reaching impact should be adopted.
  • Perfection is achieved when there is nothing left to take away (simplicity). The easier the attack is, the more easily it will be adopted. Complexity prevents swarming that both amplifies and protects.
  • Tools are often used in unexpected ways. An attack method can often find reuse in unexpected ways.

"But what's with this Bazaar business?"

In his book, Mr. Robb points out that you can essentially outsource Terrorism. There is a whole black "Terrorist Market" -or Bazaar- out there where you can buy or hire virtually every individual piece of a terrorism-puzzle, from engineers specializing in crafting IEDs to the people willing to plant them at a road or intersection. This has also been the case in cyberspace.

You can visit a carder website to get yourself set up with a whole batch of stolen credit card and/or social security numbers, attend 0-day auctions to get the latest hacks or approach hacking groups to outsource the entire attack; everything is possible online in the Cyber Bazaar.

"Exactly what are our problems in Cyber Security?"

This paragraph was surprisingly hard to come up with, because for the most part "Cyber Security" is just a fancy way of saying "IT Security". In other words: Most issues we see now are not new. They've been around for a long time: IT-clueless managers, poorly trained technical staff, snake oil security vendors, misconfigured systems, lack of insightful security strategy et cetera.

Most of these topics have been debated on and written about ad nauseam -I've written quite a few myself- so I won't be addressing these in this article. The trouble for me was to define what the difference really is between IT Security and Cyber Security, and to pluck out the issues specifically related to the Cyber part of Security.

Surprisingly, not many remain. Because most 'cyber issues' are arguably just IT Security issues and a matter of scale, it is my belief that the remaining issues specific to Cyber are Societal or Organizational. In fact I couldn't think of any particular IT issue that wasn't an issue when we still called it IT Security.

Societal Cyber Issues

When I speak of Societal Cyber Issues, I refer to the effects on society when certain critical cyber systems go down. For instance: What happens in society when a hacker brings down the power grid? I'm strictly limiting this section to the philosophical side, not the resolution of detected issues, because these are Organizational issues (next paragraph).

There are Master's degree programs specifically for writing scenarios such as these, and hiring these specialists will probably yield very valuable results. Of course, running (multi)nation-wide cyber scenarios is a great method for uncovering the societal and organizational issues too.

Organizational Cyber Issues

The organizational cyber issues are essentially the resultant "how do we fix this" issues derived from the aforementioned scenarios. Many organizations are -for instance- not at all prepared to respond to major, prolonged power outages. It is my belief that many companies will go belly-up entirely in such an event.

Furthermore, these kinds of issues tend to stack, so multiple major problems can arise from one root cause. Good examples of relevant Organizational Cyber Issues can be found in environmental disasters such as Hurricane Katrina hitting New Orleans. Due to organizational failures, this major US city still hasn't fully recovered.

Looking for solutions

Essentially we need to start thinking more in terms of individual platforms. In his book Mr. Robb uses power generation and power distribution as an example. Currently we see "the power grid" as one big piece of critical infrastructure. In reality this can be separated into two concepts: Power Generation (power plants) and Power Distribution (power cables, transformer substations etc).

Right now the system is heavily centralized, with power being generated at large concentrated plants and distributed one-way over the power distribution network. This system contains multiple weak points that can bring down large parts of the grid when attacked because of its centralized nature. Take down a major power plant or simply cut the right cable and you may black out an entire city.

In this scenario, major weaknesses can be eliminated by allowing individual homes to power the grid with their surplus energy generated from solar panels and windmills. This decentralizes the power grid by creating thousands of miniature power plants. This is only possible if you redesign the current power distribution network to accept two-way distribution.

This is further eased by using Open Standards that enable everyone to 'plug in' their home's power generator(s) using easily obtainable, non-proprietary hardware. This idea is not new. You can actually find several places that already have such a power grid, and citizens get paid for power they deliver to the grid (their meter simply spins backwards).

It is ideas such as these that we must explore if we wish to become more resilient against attacks on our critical cyber infrastructure. I would love to hear of examples, so if you know of any please contact me.

About the author: Don Eijndhoven has a BA in System & Network Engineering with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands. Among a long list of professional certifications he obtained are the titles CISSP, Certified Ethical Hacker, MCITPro and MCSE. He has over a decade of professional experience in designing and securing IT infrastructures. He is the CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he works as a Project Manager for CSFI and currently has 2 projects in his portfolio. He also blogs for several tech-focused websites about the state of Cyber Security and is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine.

Craig S Wright

"Terrorists won't use cyber..."
Personally, I worry more for the amalgamation of cyber and jihadist. The new type of mischief this will create will be both terror and cyber. There are many methods that can be deployed to create kinetic effects through the wire.

Take the rail system for instance. We have simple signals and switching devices that are managed online in “semi”-isolated environments (that still managed to be infected with a worm a while back here in Au). These control and report on the location and speed of trains as well as being able to override the signals.

Derailing a peak hour commuter train is kinetic, but it is also possible to achieve with far less effort than many of the successful SCADA attacks we have already seen. Crashing two trains at peak hour through signal switching attacks would also create terror and chaos with major disruptions – the type and form that terror groups such as AQ crave.

So, that is more my worry with Anon et al. That they may spawn something new.

Good article by the way Don.

Chris Mattei

John,

I would like to imbed this article on my website. May I have your permission?

Chris Mattei

Don Eijndhoven

@Craig: Sorry, I thought I had replied to your post but apparently I didn't. That we can achieve kinetic damage through cyberspace is a given, but like many others have mentioned, I doubt that AQ or other more 'conventional' terrorist groups will use this avenue. Splinter groups of Anon (think LulzSec) have already demonstrated -to a lesser degree- that they can be militant. I agree that these are more likely candidates to engage in cyber warfare.

@Chris: I assume you mean me (Don, not John). If you give proper attribution, I have no problem with you publishing my article :)

Chris Mattei

Don,

My sincerest apologies for the name confusion. I wonder if you would find the time to review the presentation on my website when you have free time. Thank you.

Don Eijndhoven

Chris,

No problem. I've tried to read it but I received a 404. Please email it to me and I will have a look. The address you can use is donnye [at] gmail.