I've been quiet with my blogposts lately. I know and I apologize. Between writing a lengthy article on Cyber Warfare for PenTest Magazine, writing papers for the MBA degree I am working on, and snowboarding the gorgeous slopes of Val Thorens (France), it's been sort-of busy.
I must say though, that when I sat down and went looking for a subject for a new article, the last thing I expected was that there are still actually people out there who flat-out deny the threat of Cyber Warfare.
To be honest, I was dumbfounded. This next piece is, I'll admit, a bit of a rant. Mostly because quite frankly I enjoy ranting occasionally. Consider it a brief post-holiday deviation from my usual style. Blame it on the cocktails if you must. I'll give you a brief summary of Jerry Brito's article.
I'll only do some minor paraphrasing, honest.
"Cyber Warfare doesn't exist! Yes we're being robbed blind through Cyber Espionage by nation states, but that's not Cyber Warfare. Cyber Warfare is kinetic cyber attacks! What do you mean Stuxnet? ...DuQu? Yeah but those didn't cost lives! The rest is just DDoS attacks! I can't see any evidence to the contrary so it must be a hype. Did I mention I'm really comfortable here with my head resting in a hole in the ground? A bit sandy though."
Okay so that last sentence might have been a little less-than-true, but still. What's worse is that this guy is the Technology Policy Program Director at George Mason University. When people wake up after he introduces himself (can someone please shorten that title?), people listen to this guy! Why do we let people like this represent our industry, or even anywhere near our young to educate them?
It seems to me that making your own arbitrary (and apparently poor) definition of Cyber Warfare, and then discounting MOUNTAINS of evidence that undermine your point, isn't very scholarly to say the least. It's a bit like arguing against Darwin's theory on Evolution by taping a Bible to your forehead and plugging up your ears screaming "I CAN'T HEAR YOU" over and over.
I will grant you that there is still a lot of debate going on about the true definition of Cyber Warfare.
There are many definitions and most are considered incomplete, too narrow or too broad. But we all agree that there is at least some element of Political Will involved, and computer systems and networks are the playground on which this assertion of said political will is taking place.
Technically, Cyber Espionage often involves pretty much the same amount of breaking-and-entering as shutting down the targeted system would. The difference is mostly in the intent, not the methodology. If this is committed by a nation state, or a non-state actor with political intent, then Yes: you could (and should) call it Cyber Warfare.
In this regard it is the same as a nation state sending a military airplane into enemy airspace. Whether it's a spyplane, a fighter jet or a bomber, it is still politically motivated and thus could be called Air Warfare. You can't run around yelling "DDoS don't count!" or "It doesn't count 'till someone ends up dead!" because those aren't relevant points in this debate.
By the same token, not all traditional military operations require someone to die. You cannot discount entire swathes of activities and still expect your argument to hold water.
So that pretty much covers the faulty logic of his argument. But we're not there yet. Even IF we would be foolish enough to accept his premise at face value, he is still factually incorrect, because he is basing his statement on two very critically wrong assumptions:
1. His own perceptions of reality and;
2. His limited understanding of the current situation.
First off, it is highly unlikely that every successful cyber attack is common knowledge. For a nation state to be severely compromised through cyber attacks is embarrassing. These systems are supposed to be highly protected. So embarrassing, in fact, that it is unlikely that they would publicly come forward about it themselves.
Iran didn't publicly admit their Natanz site got hit with STUXNET until the attack code was discovered by (non-Iranian) security researchers. Aside from the embarrassment, it's also possible that admitting such weakness sends out an invitation to other would-be attackers.
All things considered, I have more sympathy for governments staying quiet after a breach than I do for corporations, simply because the stakes are so much higher. In any case, Jerry's "evidence" by which he measures his statement is almost certainly severely incomplete.
Secondly, he is saying that Cyber Warfare is a hype based on his 'evidence' right now. But just because a cyber attack that fits his cherry-picked definitions hasn't happened yet, doesn't automatically mean it never will! If there is one major certainty in Cyber Warfare, it is that things change - and change FAST.
Any information you receive is completely obsolete a second later. New attacks and even entirely new concepts of attack methodologies are developed daily. A few years ago, the US Air Force figured that there were roughly 120 countries developing Cyber Warfare capabilities. This was before major international debates on the subject started. I think it's safe to assume that more countries have started a Cyber program since then, don't you?
Compared to the individual, these are all players with extremely deep pockets. Deep pockets capable of investing heavily into cyber attack research. I'm sure that at least some of them managed to come up with an idea or two that hasn't been field-tested yet, further eroding Mr. Brito's argument.
Again I would ask that we stop giving airtime to these silly arguments and get back to the more important task of actually securing ourselves.
About the author: Don Eijndhoven has a BA in Informatics (System & Network Engineering) with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands and is currently pursuing an MBA at Nyenrode Business University. Among a long list of professional certifications he obtained are the titles CISSP, CEH, MCITPro and MCSE. He has over a decade of professional experience in designing and securing IT infrastructures. He is the Founder and CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he is a public speaker, occasionally works for CSFI and blogs for several tech-focused websites about the state of Cyber Security. He is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine, and the founder of the Dutch Cyber Warfare Community group on LinkedIn.
Cross-posted from ArgentConsulting.nl