The Black War

The US Justice Department today indicted five Chinese military officers for hacking. The DoJ alleges that the officers were hacking into US companies to steal trade secrets. Here’s the official press release on FBI.gov.

This is a sharp escalation in cyberwar tension between the US and China. In response, China has effectively walked out of a joint working group on cybersecurity between the US and China.

This story made the front page of the print Wall Street Journal today, and it’s great to see the WSJ is on top of this beat, because the ramifications of this increase in tensions between the US and China can’t be overstated.

The US, China, Russia, Israel (working with the USA), Iran and several other nations have been engaged in a hot cyberwar for some time. I consider 2010 to be the genesis of this war – the year Iran confirmed that the Stuxnet virus (widely believed to be engineered by the USA and Israel) had destroyed many of its uranium enrichment centrifuges, and the year many countries (the USA and UK included) acknowledged the cyber realm as a “new domain of warfare” (a Pentagon quote from a 2010 article by William J. Lynn III, the former Deputy Secretary of Defense).

I believe we can learn from recent history here: the Cold War between the former USSR and the USA is a useful model for predicting what this new world, with an ongoing multi-national cyberwar, might look like.

During the Cold War we saw:

  • Rampant espionage, e.g. the CIA vs. the KGB.
  • Periodic hot engagements between forces, e.g. our U-2 spy plane being shot down by the Soviets.
  • Proxy wars, e.g. the Soviets in Afghanistan fighting the Mujahideen, whom the USA was arming, or the USA in Vietnam.
  • Being brought to the brink of all-out hot warfare with catastrophic consequences, e.g. the Cuban Missile Crisis.

Most of the current cyberwar happens out of sight. Nothing is reported, because reporting an incident reveals targets, intentions and weaponry. The only engagements that are revealed are clear victories, or cases where revealing an engagement serves another agenda, e.g. demonizing the enemy.

Another difference between the current cyberwar and the Cold War is that it’s difficult to know who an attacker is, because they lie beneath many layers of network routes, hardware, cryptography, code obfuscation and distributed attack networks. Even if you are able to identify the human behind an attack, you might only have succeeded in identifying a proxy – someone who is acting on behalf of a state or other entity. We’ve seen this with the FBI recruiting anonymous hackers who act for the government in the hope of a reduced sentence, as was the case with Hector Xavier Monsegur, a.k.a. Sabu.

Another key difference is that during the Cold War, not only was it possible to identify the source of attacks, but it was (and is) possible to take inventory of the opponent’s weapons when a peace treaty is signed. An example of this is the START treaty, which limited the number of nuclear weapons the US and Russia can keep in inventory and agreed on a timetable of inspections. [Inspections continue to this day under the New START treaty and are unaffected by the Ukraine crisis.]

It’s not possible to take inventory of cyberweapons, because hiding a few lines of code is trivially easy. Hiding an ICBM or a radioactive chunk of plutonium is not.

So with that in mind, I think of the current cyberwar as a Black War: black because it happens out of sight, the weapons are impossible to inventory and the attackers are invisible.

The facts I’ve outlined above trouble me. Going back to my points on the similarities between the Cold War and this war: if this Black War can bring us to the brink of a hot cyberwar with catastrophic consequences, then one way to deescalate is through treaties that include measures like phased disarmament, which starts with taking inventory of the weapons each side has. But if we’re unable to take inventory of weapons, or even identify attackers, peace treaties become impossible to enforce. The USA may be attacked, but we don’t know by whom, and we can’t prove that something new was added to a country’s cyberwar inventory when it lives on an encrypted thumb drive the size of your fingernail in someone’s pocket.

So if this Black War does bring us to the edge – with the risk of power grids shutting down, dams flooding, nuclear power stations melting down, air traffic control routing flights into mountains or buildings, and so on – the route back to sanity is going to be different from the Cold War’s.

The end of the Black War is going to require a new approach to deescalation, disarmament and verification. I don’t see how that would work. My fear is that disarmament will be seen as impossible, and we’ll see the return of the Internet Kill Switch (previously proposed), which would simply disconnect a country from the rest of the world in cases of “National Cyber Emergency”.

I’m not a proponent of this approach – I’m opposed to it – so I have a keen interest in hearing alternative solutions that deescalate and disarm countries and other actors in a Black War.

~Mark Maunder – Wordfence.com Founder.


Comments

  • I think that the main issue right now is that there are simply too many tools available to attackers. For example, look at the sheer number of infected servers and computers. These can be used in a large-scale attack. For example, what if every infected server and PC turned on one target? That would be a kill shot indeed.
    No one is taking responsibility for these. The owner is the one who has to take action, but they don’t. ISPs and data centers should be made accountable and should make every reasonable effort to identify and resolve or block infected servers and PCs from continuing to operate.
    In the past I have reported attacks to hosts and ISPs, but they simply do not care and very rarely reply.
    Countries should agree to implement a reasonable law to make hosts and ISPs take action where reasonable. There should then be a further quarantine method, such as a firewall on backbones connecting countries.
    Unfortunately this is a huge undertaking, but if nothing is done, the situation will only get worse.
  • Many customers come to us and tell us that they want to avoid being hacked, as their website was hacked a number of times with their previous developer. We check the developer’s server and find they are using software versions that were installed when the server was set up; they never updated them. Having talked to a few developers, they told me that they do not update as it tends to break the customers’ sites, and fixing that costs them money, eating into their profit. For us, security is paramount and must always take precedence over everything else. If updating our server breaks a customer’s website, it must be fixed, no questions asked.