Taking the Crowbar to Cyber-Denying Eyes

Tuesday, April 03, 2012

Don Eijndhoven


I've been quiet with my blog posts lately. I know and I apologize. Between writing a lengthy article on Cyber Warfare for PenTest Magazine, writing papers for the MBA degree I am working on, and snowboarding the gorgeous slopes of Val Thorens (France), it's been sort-of busy.

I must say though, that when I sat down and went looking for a subject for a new article, the last thing I expected was that there are still actually people out there who flat-out deny the threat of Cyber Warfare.

To be honest, I was dumbfounded. This next piece is, I'll admit, a bit of a rant. Mostly because quite frankly I enjoy ranting occasionally. Consider it a brief post-holiday deviation from my usual style. Blame it on the cocktails if you must. I'll give you a brief summary of Jerry Brito's article.

I'll only do some minor paraphrasing, honest.

"Cyber Warfare doesn't exist! Yes we're being robbed blind through Cyber Espionage by nation states, but that's not Cyber Warfare. Cyber Warfare is kinetic cyber attacks! What do you mean Stuxnet? ...DuQu? Yeah but those didn't cost lives! The rest is just DDoS attacks! I can't see any evidence to the contrary so it must be a hype. Did I mention I'm really comfortable here with my head resting in a hole in the ground? A bit sandy though."

Okay so that last sentence might have been a little less-than-true, but still. What's worse is that this guy is the Technology Policy Program Director at George Mason University. When people wake up after he introduces himself (can someone please shorten that title?), people listen to this guy! Why do we let people like this represent our industry, or even get anywhere near our young to educate them?

It seems to me that making your own arbitrary (and apparently poor) definition of Cyber Warfare, and then discounting MOUNTAINS of evidence that undermine your point, isn't very scholarly to say the least. It's a bit like arguing against Darwin's theory of Evolution by taping a Bible to your forehead and plugging up your ears screaming "I CAN'T HEAR YOU" over and over.

Can we please stop giving a stage for these people who are obviously cherry-picking their way to an uninformed argument?

I will grant you that there is still a lot of debate going on about the true definition of Cyber Warfare.

There are many definitions and most are considered incomplete, too narrow or too broad. But we all agree that there is at least some element of Political Will involved, and computer systems and networks are the playground on which this assertion of said political will is taking place.

Technically, Cyber Espionage often involves pretty much the same amount of breaking-and-entering as it would take to shut down the targeted system. The difference is mostly in the intent, not the methodology. If this is committed by a nation state, or a non-state actor with political intent, then Yes: you could (and should) call it Cyber Warfare.

In this regard it is the same as a nation state sending a military airplane into enemy airspace. Whether it's a spy plane, a fighter jet or a bomber, it is still politically motivated and thus could be called Air Warfare. You can't run around yelling "DDoS don't count!" or "It doesn't count 'til someone ends up dead!" because those aren't relevant points in this debate.

By the same token, not all traditional military operations require someone to die. You cannot discount entire swathes of activities and still expect your argument to hold water.

So that pretty much covers the faulty logic of his argument. But we're not there yet. Even IF we would be foolish enough to accept his premise at face value, he is still factually incorrect, because he is basing his statement on two very critically wrong assumptions:

1. His own perceptions of reality; and
2. His limited understanding of the current situation.

First off, it is highly unlikely that every successful cyber attack is common knowledge. For a nation state to be severely compromised through cyber attacks is embarrassing. These systems are supposed to be highly protected. So embarrassing, in fact, that it is unlikely that they would publicly come forward about it themselves.

Iran didn't publicly admit their Natanz site got hit with STUXNET until the attack code was discovered by (non-Iranian) security researchers. Aside from the embarrassment, it's also possible that admitting such weakness sends out an invitation to other would-be attackers.

All things considered, I have more sympathy for governments staying quiet after a breach than I do for corporations, simply because the stakes are so much higher. In any case, Jerry's "evidence" by which he measures his statement is almost certainly severely incomplete.

Secondly, he is saying that Cyber Warfare is a hype based on his 'evidence' right now. But just because a cyber attack that fits his cherry-picked definitions hasn't happened yet, doesn't automatically mean it never will! If there is one major certainty in Cyber Warfare, it is that things change - and change FAST.

Any information you receive is completely obsolete a second later. New attacks and even entirely new concepts of attack methodologies are developed daily. A few years ago, the US Air Force figured that there were roughly 120 countries developing Cyber Warfare capabilities. This was before major international debates on the subject started. I think it's safe to assume that more countries have started a Cyber program since then, don't you?

Compared to the individual, these are all players with extremely deep pockets. Deep pockets capable of investing heavily into cyber attack research. I'm sure that at least some of them managed to come up with an idea or two that hasn't been field-tested yet, further eroding Mr. Brito's argument.

Again I would ask that we stop giving airtime to these silly arguments and get back to the more important task of actually securing ourselves.


About the author: Don Eijndhoven has a BA in Informatics (System & Network Engineering) with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands and is currently pursuing an MBA at Nyenrode Business University. Among a long list of professional certifications he obtained are the titles CISSP, CEH, MCITPro and MCSE. He has over a decade of professional experience in designing and securing IT infrastructures. He is the Founder and CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he is a public speaker, occasionally works for CSFI and blogs for several tech-focused websites about the state of Cyber Security. He is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine, and the founder of the Dutch Cyber Warfare Community group on LinkedIn.

Cross-posted from ArgentConsulting.nl

Bill LeRoy: Electronic Warfare or Electronic Spying has been going on since Morse Code or maybe even before that. Intercepting messages and then changing them to cause havoc is probably an ancient art of war. It should be no surprise to anyone, even propaganda is a method of warfare. That's like saying biological warfare is not possible or does not exist or does not happen.

Don Eijndhoven: I agree. That's why I really don't understand where this reluctance is coming from to call things as they are. And such ridiculous reasonings they apply too!

Krypt3ia: Don, you were likely expecting me.. So here I am. There is a fine line between cyberwar and cyberdouchery...

When bullets fly because of a "cyber attack" then I will agree cyber war has broken out. Until then it's all just attrition of another kind.

Don Eijndhoven: Haha you are always welcome Scot. I would agree that it can be hard to capture when something crosses the line from cyber 'douchebaggery' and into the realm of warfare, but you'll agree with me that these are matters of intent, origin and target. There is a very definite realm in which you can call certain activities Cyber Warfare, and the person I was harping on is trying to deny that. You disagree?

Krypt3ia: Don,
I have issues with the semantics of the title "cyberwar" itself I think, as I have posted in the past so, I agree there is a problem and we need to address it, but, calling it cyberwar makes my skin crawl still.

On the 4 W's I am currently working on a project that may help in determining all of that (a framework) that might make it to BH and DC this year *crossing fingers* I guess with Dr. Cyberlove out there pimping China's cyberwar on us all, I am just that much more jaded.

Bill LeRoy: I equate the current position on this as cold war activity. There is no public announcement of a shot that is fired, but there is a lot of espionage taking place on what and can be possible from the position of disrupting the digital supported supply chain economy. I don't believe the cold war has ever entirely gone away, it's just that the fences and tanks are not visible.

Don Eijndhoven: Scot, you'll LOVE my article in PenTest Magazine then. I dedicate about half the article (3000+ words) to why, in some cases, it's perfectly legitimate to use warfare semantics. If you want a copy, send me your email and I'll mail it to you.

@Bill: There's a lot more going on than just invisible attacks. For one, not nearly everything is as invisible as some people seem to believe. In many cases, both the attacker and the target know exactly what's what, but especially on the national level it is sometimes advantageous to keep your mouth shut. Martin Libicki expounds about it in his piece on Cyber Deterrence (a RAND publication thingie). Check it out if it interests you.

Krypt3ia: @Don,
I like a good read krypt3ia@gmail.com

Bill LeRoy: This has nothing much to do with cyber warfare but more with regards to the software that runs these arms post cold war projects.