
Cyberwar? Avoiding the Question

27 March 2010
by Tim Stevens

Amit Yoran has a curious piece at Forbes’ The Firewall blog, Cyberwar Or Not Cyberwar? And Why That Is The Question, which I’m going to spend most of this post dissecting.* Within about half an hour of its publication yesterday I had written a fairly scathing response that I decided to sit on. I’m glad I did, as Ryan Singel at Wired beat me to the punch with a far more heavyweight attack, Check the Hype – There’s No Such Thing As ‘Cyber’. What follows is an attempt to respond to both men, although there’s far more to say about Yoran’s piece than there is about Singel’s, for obvious reasons.

Singel’s written another double-barrelled blast at what George Smith calls the Cult of Cyberwar, in this case personified by Amit Yoran. The title just about says it all, and Singel does propose that ‘cyber’ doesn’t exist. Whilst I certainly agree that what currently passes as debate is largely predicated on fearmongering and the bottom line, the fact that ‘cyber’ is mentioned a lot by people you don’t like is insufficient grounds to claim it doesn’t exist.

However, Singel is right to query Yoran’s own position within the cybersecurity industry. Yoran’s company NetWitness makes a lot of money from US federal contracts, and last year self-reported the ‘aggressive adoption’ of its products by 25 US government agencies, just by way of example. If there are any lawyers reading this, or Yoran himself, this is a statement by the company, not me. NetWitness is free to do whatever business it wishes with the US government, and it’s not my taxpayer dollars at stake either. Singel takes Yoran to task for not mentioning this, although Yoran’s affiliation was actually clearly stated on the piece.

What I found disturbing about Yoran’s piece were its internal contradictions, harnessed to its commercial agenda. Let’s read a few sections together. In fact, let’s read the whole thing.

Over the past two months, there has been a tremendous amount of chatter in the security community about the term ‘cyberwar’ and whether or not the US is engaged in a cyberwar.  Mike McConnell (former Director of National Intelligence) wrote a pointed op-ed for The Washington Post claiming that, “The United States is fighting a cyber-war today, and we are losing.”  His opinions are consistent with the current Director of National Intelligence, Dennis Blair, whose February testimony to the US Senate stated, “Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication. While both the threats and technologies associated with cyberspace are dynamic, the existing balance in network technology favors malicious actors, and is likely to continue to do so for the foreseeable future.”

Point #1: the fact that McConnell and Blair agree about this hardly provides a sound epistemological footing. It would have been useful to point out, for example, that McConnell is a senior vice-president at defence contractor Booz Allen Hamilton, a company he also worked for before he was named director of the National Security Agency in 2006. I’m not saying there’s a conflict of interest here (although such a thing does figure in Blair’s biography, see here) but it sure would have been interesting to mention McConnell’s current job.

These statements spurred an excoriating response from the pages of Wired that, “The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.”

Point #2: ‘excoriating’? I’m sure that’s the word I used to describe the Wired piece in a post for Kings of War on 5 March, No Cyberwar, Says White House Official. Pure coincidence, no doubt. The post title is also similar to my To Cyberwar, Or Not to Cyberwar post from 12 March, although Hamlet is hardly a particularly original source from which to pilfer.

At the annual RSA security conference Howard Schmidt, the newly appointed White House Cyber-Security Coordinator stated unequivocally that, “There is no cyberwar.” Nonetheless in a Washington Post article on March 19th 2010 Ellen Nakashima dramatically points out the need for clearer cyberwar policies by pointing to US cyber operations already executed and that cyber actions are underway.

Point #3: a blatant non sequitur, if ever there was one. Is Yoran seriously suggesting that because Ms. Nakashima reports that the military and intelligence agencies are actively engaged in information operations, this negates Schmidt’s comments? The knives have been out for Schmidt since he came into post just before Christmas 2009. Prior to his appointment, there were six months of abuse levelled at the Obama administration for not appointing someone quickly enough. When a qualified individual was eventually found, those same naysayers determined within hours that he was the wrong person, and have been dismissive of him ever since. Someone may already have written the story of the backroom wrangling in that six-month hiatus. Singel might not like the way ‘cyber’ occurs 42 times in Yoran’s piece but I expect that ‘lobbying’ will crop up even more often when the story is told of that period. I doubt it will make for particularly edifying reading anyway.

Various cyberwar definitions are hotly contested, even more nuance-laden and have a very material impact on the dramatic claims one might make.  Before here are several observations about cyberspace upon which all well-informed parties agree:

Point #4: notice the use of the word ‘well-informed’. This is a bipartite exclusionary tactic: Part One, unless you have the requisite security clearance you are deemed unworthy of being heard, so Part Two, I’m going to tell you what’s what. Note also that Yoran states that words “have a very material impact on the dramatic claims one might make.”

The cyber domain is one which frequently favors the aggressor.  Exploits against information systems are particularly attractive to organized crime and state actors because of the richness of the target environment, the ease of exploitation, low cost of attack development, reasonably strong anonymity and difficulties in attribution, and the practical shortfalls of international legal frameworks and law enforcement regimes.  Defending large-scale networks is exceptionally difficult to do in the face of one or many skilled adversaries with focused intent and time.  As systems and networks increase their breadth and complexity, their susceptibility to attack frequently increases as well.

In general, the signature-based security products used to defend enterprise networks, such as firewalls, anti-virus products and intrusion detection systems are increasingly blind to modern attack methods, which are increasingly embedded into application data or designed to self-mutate in order to evade detection.  Across both commercial and government organizations, current methods of performing cyber risk management are ineffective.

Point #5: this is all fairly standard stuff, but completely ignores the fact that these are precisely the characteristics of computer networks that the US itself exploits. Logically, therefore, it is also an ‘aggressor’. This would have been the correct point to mention Ellen Nakashima’s story last week for the WaPo, in which covert US actions are alleged to have degraded network assets in Saudi Arabia, Germany and … the US. If you haven’t read the piece, I happen to have an op-ed in today’s Guardian about it, which you can read here. [It was written a week ago but has only just been published.]

Simply put, the threats aren’t well understood or actively quantified, the effectiveness of various controls performing risk mitigation is poorly defined and the industry’s metrics in general are rudimentary if not misleading.  The lack of market transparency into data breaches for anything other than personally identifiable information also helps organizations underestimate or hide (intentionally or otherwise) the true cost of cyber incidents.

Point #6: so much for being a ‘well-informed party’, perhaps, but Yoran is actually right about this. And this is the first pillar of his developing pitch.

Closely aligned with the US Department of Defense and US government’s “traditional” definitions of the term, I suggest that cyberwar is conducting warfare by cyber means, which includes (among other things) both cyber attack and cyber exploitation.

Point #7: at least we know where Yoran stands on this – kind of makes the rest of his post redundant, unless you’re preaching to the choir. Still, read on…

In simple terms cyber attacks focus on the disruption or destruction of information, information systems or information infrastructure and to deny their availability to the system owners or legitimate users.  Cyber exploitation refers to the compromise of these targets without their destruction or disruption, but rather through covert means, for the purposes of accessing information or modifying it or preparing such access for future use in exploitation or attack.

Point #8: yup, that’s military doctrine. American military doctrine, that is. In fact, military doctrine dealing with offensive operations as well as defensive. See #5 above.

Based on the terminology provided above, there can be no question that governments’ systems and modern economies are under large scale cyber exploitation and therefore at a state of “cyberwar”.  However, if in its basest Wikipedia definition war is a large-scale armed conflict, claiming that we are at cyberwar seems to be a sensationalist approach at best.

Point #9: well, that’s very magnanimous. Yoran has already set out his pro-cyberwar stall but throws the doubters the bone that if their pretty little heads still aren’t convinced they can check Wikipedia, whose definition is ‘base’. Used as an adjective, this refers to something ‘low in place, value, estimation or principle’, and so on, so there’s evidently nothing substantive or well-thought-out to balance the pro-cyberwar view.

The use of cyberwar evokes strong emotional reaction and can incite action on cybersecurity topics. Given the regularity and pervasive nature of compromises to nearly every large enterprise infrastructure in the world and even well-intentioned organizations’ inability to adequately protect themselves, increasing awareness of these problems and providing a sense of urgency to action may be warranted.

Point #10: oh, this is the kicker. This is the classic thrust of the cybergeddon posse – scare the public by feeding them fictional scenarios of impending doom and watch Capitol Hill fall over themselves to bankroll anyone with an IT degree. This form of argument maintains that the ends justify the means. As glad as I was that James Lewis dampened some of the fires of the cyberocalypse recently, he also hinted that fear brings results.

What are less well understood in this drama are the serious implications in calling the cybersecurity crisis a cyberwar.  A warfare connotation or cyberwar label provides for a natural inclination to place greater emphasis on the role of the military and intelligence community.

Point #11: this is a really interesting claim to make. You can take this two ways. One, this is a good thing, as those agencies are charged with providing national security and are therefore best placed to prevent the extinction of the United States. Two, this is a bad thing, because industry should be playing a greater role, and market-based solutions will prevent the extinction of the United States.

During the last two years of the Bush Administration and, without meaningful changes to date from the Obama Administration, the central tenet of the US cyber policy remains the Comprehensive National Cyber Initiative.  CNCI, architected from the Office of the Director of National Intelligence, remains strongly dominated by the intelligence community.  To be clear, the greatest single pockets of expertise and capability exist within the defense and intelligence communities.

Point #12: I suppose it depends upon what ‘expertise and capability’ you’re talking about.

Offensive cyber activities can also drastically improve our defensive postures.  Compromising the operations of foreign intelligence services and criminal gangs has strategic value in cyber to: provide misinformation campaigns, cause them to doubt the intelligence they’re collecting, provide insight into current compromise, command and control methods and data exfiltration techniques, among other things.

Point #13: I’m not really sure what Yoran is proposing here. I suppose that to do these things would require the US to be ‘at cyberwar’, right? Or not? I genuinely don’t know what he’s getting at. From a national security perspective, the usual argument is that offensive capabilities could be used in order to create a deterrence effect (deterrence by punishment). He’s already made the point that the US military and intelligence services are engaged in ‘cyber operations’ and ‘cyber actions’, and no doubt there’s a learning function to these activities, but this statement is a little unclear, to say the least.

Additionally, their understanding of attack methodologies can be used to better define requirements for those trying to defend enterprise networks in the government domain, which bear near identical alignment with those trying to defend infrastructures in the private sector and build better security products.

Point #14: another pitch for federal bucks.

That said, the current government approach to cybersecurity relies unacceptably on centralized monitoring and protection architectures. These highly classified technologies do not represent market leading capabilities or approaches to cybersecurity. Nor do they educate or inform network defenders in the government or private sector on how to better protect themselves. They do leave executives and key decision makers, most of whom don’t grasp the important nuances of cyber, with the impression that these programs will be effective in stopping advanced threat activity – a bold vision with no basis in reality.

Point #15: I actually agree with that assessment, for the most part, but I disagree with Yoran’s reasons for saying it, and with the conclusions to be drawn from it.

At present, the billions of dollars spent on some of the intelligence and defense cyber programs are in direct competition for the already scarce resources with those defending enterprise networks.

Point #16: is government really meant to be paying for the defence of ‘enterprise networks’? I suspect my ignorance is due to not really understanding what is meant by ‘enterprise networks’ in this context. I’m happy to be enlightened. I suppose it doesn’t matter too much, unless Company A makes more money from non-defence programs than it does from Capital-D defence. In that circumstance, Company A would want government to pump more cash into the enterprise sector…

Ultimately, it doesn’t matter how you define cyberwar or whether you believe we are currently at a state of cyberwar or not.

Point #17: oh, I could swear Yoran said it did matter. That bit about words having “a very material impact on the dramatic claims one might make.” Silly me.

At its core, cybersecurity must be dealt with as [a] key international economic issue and not simply a national defense or security one.

Point #18: I agree wholeheartedly with that statement but for entirely different reasons from Yoran.

The impact of misrepresenting or miscalculating risk was felt in the sub-prime market and cascading global financial meltdown.  Today’s cybersecurity challenges and implications are more pervasive.

Point #19: that’s a complex statement. He’s not exactly saying that the cybersecurity risk is more pervasive but he’s not quite saying it isn’t either. What he is certainly implying is that to ignore cybersecurity risks will lead to “cascading US societal meltdown”, the existential argument we heard only this week from the FBI’s Steven Chabinsky: a risk so great it could “challenge our country’s very existence.”

What does matter, is largely agreed upon – modern society has failed to understand and measure the risks associated with cyber and also to develop and deploy the protections necessary to operate safely online.

Point #20: Ryan Singel pointed this out but why resort to scary ‘cyber’ terminology if all you mean is ‘online’?

While definitions matter, the time for action is now.

Point #21: ah, that’s why words do / don’t matter: action is more important than thought. It’s completely irrelevant for the purposes of cybersecurity what the public or politicians are allowed to know or understand about it, as long as people like Yoran are the guardians of the flame. This is precisely why George Smith persists with his Cult of Cyberwar idea – the priesthood guard the secrets, and they alone decide what is good for society. That’s called pre-literate, ladies and gentlemen, and is exactly what we don’t want from cybersecurity. Bruce Schneier made the point a while ago that the general public should pretty much ignore cybersecurity and leave it in the hands of the professionals. That argument’s all well and good in the marketplace but starts to ship water pretty badly when it comes to government spending.

*

So, despite its length, that’s a very cursory reading of Amit Yoran’s piece. As far as I can tell, this is an attempt to look reasonable but it fails because it merely reproduces the rhetoric of all those involved in pushing the cybersecurity agenda as currently formulated. Its central thesis is that industry should be allowed to sell government the best solutions to these very serious cybersecurity issues, not because these actually are the best solutions, but because industry knows best. Yoran bases his argument on the contested utterances of a self-selected group of male insiders, whom he portrays as beyond reproach. He does not actually make the case for cybersecurity at all, or even critically address the question that frames his post. Then again, he doesn’t need to – after all, the US is at cyberwar, right? All bets are off, and normal rules do not apply. The fact that his argument is circuitous and self-serving matters not, apparently.

Perhaps it’s a little unfair to pick Yoran’s words apart like this, particularly when it’s ‘just’ a blog post. Let’s face it, if anyone did the same for me, I’m sure they’d find all manner of inconsistencies and idiotic statements that I’d be hard put to defend, and this post certainly wouldn’t stand up to academic scrutiny. The difference is that I’m a nobody, whereas Yoran is in a position to influence policy and those who make it. He was a member of the CSIS Commission on Cyber Security that advised the Obama presidency (and drafted current US cybersecurity policy) and a successful IT-sector businessman to boot. Yoran is but one of many people in similar positions who dominate the media environment, and who wield significant political influence too. It’s not a new situation by any stretch but that doesn’t mean it should pass without comment. A blog post still has agency.

* Personal disclosure: I also write occasional unremunerated pieces for The Firewall. For the record, they do not exert editorial influence over my posts, here or there.


5 Comments
  1. Chris
    29 March 2010 23:22

    Yowza! The screen is still hot to the touch!

    I’m not articulating anything you haven’t said more subtly throughout your oeuvre, but it is really striking how the “cyberwar” narrative mirrors that of the other “wars” (i.e. those on drugs and terror) that seem to be matters of criminal justice rather than conflict. Altogether too many Buck Turgidsons, and too few Dixons of Dock Green, for my taste.

    To the meat: the criticism of Schmidt’s appointment is pretty much identical to that of Rajiv Shah at USAID. It took the administration nigh on a year to pick their man, and when they did, he was too young and inexperienced to be at the helm. It is tempting to put this down to partisan sniping.

    “The cyber domain is one which frequently favors the aggressor” is a truism, and you’re right to bring it up. This is essentially the defining characteristic of modern, Internet-connected systems.

    The focus of a system’s administrators is to keep the thing running within normative bounds. The focus of its attacker is to find its weaknesses. You can’t simultaneously do both without huge resources. Security, from the perspective of the administrator (and oftentimes the vendor) is necessarily reactive, which is why “security researchers” command large sums (read: “blackmail”) for “responsible disclosure”.

    I don’t believe I am alone in thinking that the US has to bear some measure of responsibility for attacks on its own infrastructure. Not in the sophomoric “you had it coming” sense, but because they have continually resisted the export of cryptographic technology, to the extent that crypto was still defined as Auxiliary Military Technology until relatively recently. Chains, and indeed webs, are only as strong as their weakest links, to coin the (equally sophomoric) phrase.

    How different the world might now be, had we built the net to demand trust, rather than erroneously assume it.

    • 30 March 2010 01:24

      Hi Chris,

      Good comments all. Responding backwards as it were …

      Interesting point re trust. It’s a word I’ve heard time and again recently and it rings true. I have no particular beef with industry and I believe them when they say that trust is important. It’s crucial for business and also for keeping systems “running within normative bounds”, as any good sysadmins will tell you ;-) Businesses and CERTs often say that a primary role of the state and multilateral organisations like the EU and UN is in engendering trust networks but that they should not try and control them per se.

      On disclosure and resources. I have some sympathy with businesses who have seen disclosure in terms of the bottom line – it’s a double-bind. On the flipside, we have the priesthood doing as you say. The same could be said of plumbers, I guess, but they’re not claiming malfunctioning sewerage systems to be existential threats.

      Your point about Schmidt is well-taken and reminds me that I meant to update that para with a reference to another reason why people are hacked off about it: lack of Congressional oversight. It was an executive appointment. That’s a bit disingenuous though – Congress still hasn’t approved the new Cyber Command boss and, as with any large bureaucracy, the wheels can move mighty slow on occasion. I wonder what would have happened had the appointment of the Cybersecurity Coordinator had to wait for Congress? More accusations of tardiness, lethargy, apathy, inability to make decisions, etc. Personally, I prefer the parliamentary route, but that’s just me.

      Drugs. Terror. Miaow miaow and butt-bombs. I see that Counterterrorism Blog has wet itself over female suicide bombers, which they characterise as a growing threat. Sheesh. One more thing to panic about, no doubt. As for cyberwar, it’s just one scenario out of many and, as you rightly say, most of the current furore is actually about crime. It’s also about collaboration to develop resilient networks, education, climbing down off one’s warhorse, and thinking a little more carefully about what the internet actually is for most people, rather than thinking of it as a mess of tubes full of shit.

      However, I do think that there are confrontations being played out on the net, and also existing principally within it. These occasionally flare up into what might be characterised as conflict but generally do not. Sure, they’re a huge pain in the ass for many folks but it pays us to be circumspect before plunging into another war-on-something. If there is a war, it’s what Arquilla and Ronfeldt theorised as ‘netwar’, although even that has a militaristic ring to it. Doesn’t mean they’re not right though. I intend to spend the summer picking this apart properly …

Trackbacks

  1. From the Listening Post… 03/27/2010 (p.m.) « Sean Lawson, Ph.D.
  2. uberVU - social comments
  3. Cyberwar: We don’t know what it is or if we’re in one, but… « Sean Lawson, Ph.D.
