May 29, 2013

More Mistakes on the Cyberwar Front

I just read this article in Wired, and had to post a short item capturing some thoughts. Mainly, this whole article calls to mind that old phrase about selling a ketchup popsicle to a woman in white gloves . . . or selling ice to an Eskimo . . . or any other variation. Essentially, the military wants to make an iPad app that old men who have never heard of reddit can use to launch cyber attacks. And they're going to spend a lot of money to find out if this is a good idea or not. The notion that this is a good idea is at least partly predicated on the following ideas:

  1. Cyber weapons should be able to be deployed like conventional weapons. They should not require a team of elite experts to launch attacks. They should be like rockets: you point them at a target and fire them.
  2. Automation and a slick UI can be used to make cyber attacks predictable and effective.

Now to quickly point out some possible problems with the premises here. First, cyber weapons are already like conventional weapons. When the US decided to go into the compound in Abbottabad, they didn't use an iPad app or even a missile strike. They used a team of highly trained Navy SEALs armed with conventional weapons deployed with deft skill. The SEALs made a stealthy incursion into the compound in the middle of the night and stalked the compound, constantly making human decisions, based on years of training, at each and every sensory input, to sweep, kill, and capture the residents. They then used the same training and human analytic thinking to destroy their downed helo, collect the necessary materials from the compound, and escape as quickly as they'd arrived. This is already how cyber attacks work.

If the US military wants the equivalent of a missile, then they need to develop a zero-day, develop the next Nimda worm, and code it to only target certain systems. Or build a botnet bigger than any the world has known. Then sit back, and watch the indiscriminate carnage that ensues with the spread of a powerful worm or a massive DDoS attack. If anyone can prove me wrong, it will be DARPA, but I really don't think that the types of advanced attacks the government seeks are possible through people with little to no technical knowledge armed with an iPad.

Second, what has been described by the article is an advanced and complex system. It is comprised of various pieces of software and hardware. There will be firmware involved, and presumably some sort of attack infrastructure, as they describe it, consisting of more hardware and software aside from the tablet and slick UI described. If there is any sufficiently complex software that's ever been developed that does not contain bugs and is not in need of constant fixing and updating, then I haven't heard of it. Bugs are the antithesis of "predictable and effective."

Lastly, I'll leave off with the following quote:

"But you can’t expect the average officer to be able to understand the logical topology of a global network-of-networks. You can’t expect him to know whether it's better to hook a rootkit into a machine’s kernel or its firmware. If cyberwar is going to be routine, Darpa believes, the digital battlefield has to be as easy to navigate as an iPhone. The attacks have to be as easy to launch as an Angry Bird."

Maybe people who don't understand network topologies or what a kernel is shouldn't be able to play Angry Birds: Cyberwarfare Edition.
