Monday, November 23, 2009

Reminder: CFP for Conference on Cyber Conflict

Reminder: the deadline for the abstracts to the Conference on Cyber Conflict is in ONE week - 30 November. Surely, 300-500 words of pure genius is manageable in a week, so start writing, if you haven't already.

Official CFP website
My earlier CFP post

Cyber Security in Serbia

Last week I participated in the Security in Cyber Space Conference in Belgrade, Serbia (organized by MoD and the Jefferson Institute). I was invited to give a short high-level introduction to patriotic hacking as one of the things that might have national security implications in cyberspace.

The conference covered a lot of ground in a short time, focusing mostly on the Serbian experience so far and plans for the future. Other guests represented EUCOM, Middlesex University and the Norwegian Defence Research Establishment.

For those of you who have never been to Belgrade, I recommend the Belgrade Fortress, which also includes the Military Museum. Unfortunately, most texts in the museum are in Serbian, but they do have many interesting items on display (ticket roughly 1 EUR).

Monday, November 16, 2009

Shane Harris - The Cyberwar Plan

Shane Harris has an interesting article in the National Journal. The main punchline seems to be that in 2007 the US performed a cyber operation against insurgents in Iraq (and is planning to fight in cyberspace in the future as well). Specifically:
"At the request of his national intelligence director, Bush ordered an NSA cyberattack on the cellular phones and computers that insurgents in Iraq were using to plan roadside bombings. The devices allowed the fighters to coordinate their strikes and, later, post videos of the attacks on the Internet to recruit followers. According to a former senior administration official who was present at an Oval Office meeting when the president authorized the attack, the operation helped U.S. forces to commandeer the Iraqi fighters' communications system. With this capability, the Americans could deceive their adversaries with false information, including messages to lead unwitting insurgents into the fire of waiting U.S. soldiers."

As is the tradition with revelations like this, in the end there are no easily verifiable facts and the story itself is deniable, if necessary. On the other hand, it says out loud what many others have so far omitted to say, and it gives a clearly understandable example of the potential use of cyber power.

The article gives a very nice overview of many of the problems in cyber, such as finding and retaining personnel for the cyber force, attributing attacks to a state, potential escalation of the conflict to include third parties, collateral damage etc. One of the problems is the interdependency between civilian and military infrastructure, well illustrated by the quote from a USAF official: "... Iraq didn't do a good job of partitioning between the military and civilian networks." We have seen that human shield tactics work relatively well against Western militaries. Consider then that mixed infrastructure is like the ultimate human (civilian) shield, which could be used as a deterrent against military cyber attacks.

In a way, this article illustrates the media bias in security studies. We (the Western media) have long heard stories and laments of Chinese, Russian, Iranian and North Korean evildoing in cyberspace - spying on government leaders, attacking opposition web servers at home and abroad, etc. It is rare to hear someone state the obvious truth that Western countries are, in fact, often doing the very same thing. With that out of the way, we can get down to the business of analyzing conflicts in cyberspace.

The article briefly covers the Estonia 2007 and Georgia 2008 cyber attacks. Unfortunately, he repeats the widespread claim of "crippling effects" in the Estonian case, which I have tried to correct and explain here. However, he only uses these cases as examples to illustrate the problems of attribution.

He proceeds by illustrating one of the key reasons why cyber operations have failed to make it into mainstream military use. A briefing on the 1999 Kosovo campaign concluded that:
"... the cyber-operation "could have halved the length of the [air] campaign." Although "all the tools were in place ... only a few were used." The briefing concluded that the cyber-cell had "great people," but they were from the "wrong communities" and "too junior" to have much effect on the overall campaign. The cyber-soldiers were young outsiders, fighting a new kind of warfare that, even the briefing acknowledged, was "not yet understood.""
It is true - cyber warfare is not yet understood. Not even by the experts who are trained to fight it. There are very few examples (often anecdotal) of cyber operations actually being used to achieve military success, and even those are usually restricted to a very narrow part of the grand plan. Therefore, it is too early to say whether applying the doctrine in large-scale conventional military operations will make cyber dominant, supportive, or just annoying. It will probably take a conventional, serious (life-or-death for the state) war between two technologically advanced states to really bring out the benefits and drawbacks of cyber war.

The rest of the article is also a good read, so I highly recommend it. I don't agree with parts of it, such as the MAD doctrine as a useful analogy (I've commented on it here), but it does provide a good introduction to the military cyber issues, especially for those who are new to the topic.

Saturday, November 14, 2009

Interview in Eesti Päevaleht

Eesti Päevaleht (a daily newspaper in Estonia) published my interview [in Estonian] on cyber threats and conflicts in cyberspace.

Monday, November 9, 2009

Review: Amit Sharma on Cyber Wars

Time for another review of the articles published in the proceedings of the CCD COE Cyber Warfare Conference. Next up is Amit Sharma from India, who wrote an interesting paper titled "Cyber Wars: A Paradigm Shift from Means to Ends".

He starts out by explaining the idea behind the paper. He hopes to provide a
"framework in which cyber warfare will have a strategic effect by acting as primary means to achieve conventional ends, hence will induce a paradigm shift from the conventional notion of cyber warfare as a tactical force multiplier to the notion of strategic cyber warfare acting as primary means of achieving grand strategic objectives in the contemporary world order. The author will accomplish this objective by deriving the elixir of Clausewitz’s Trinitarian warfare and applying the concepts of Rapid dominance and Parallel warfare in cyber space so as to generate the strategic paralytic effect envisaged in effect based warfare. The author will conclude by shattering the conventional dictum of cyber defence, based on the notion of “defence in layers” and legal aspects of Law of Armed Conflict; by providing the only feasible and viable cyber defence strategy relying on the application of Rational Deterrence Theory (RDT) in general and on the idea of Mutually Assured Destruction (MAD) in particular so as to maintain the strategic status quo."
A tall order by any standard. The paper is written in an artistic and forceful language, painting the scene of an apocalyptic cyber strike that ends all and paralyses the entire state from the government to the citizen by simultaneously disrupting the trinity of government, military and people. I think that this strong emphasis on total paralysis (and total war) is a potential weakness of his approach.

Even though all theoretical models are abstractions, I believe his trinity (imagine a triangle) model is somewhat idealistic and naive. His description of the people corner is exclusively oriented to the liberal Western countries (which include a minority of the world's population and, arguably, are not as liberal or democratic as they may portray themselves). What about the rest of the world? The model's military corner is focused on network-centric digital troops, which again represent a minority (although a powerful one) among the militaries of the world, and even those are not always as networked on the battlefield as the doctrine would imply. Last, but not least, there is the government corner, where governments are charged with providing "a secure, secular and democratic environment" for the people. Well, let's try to name some big countries that fit that idealistic description to the letter in practice, as well as in theory. It won't be easy. So, the model applies in a theoretical ideal case, and I agree that in such a case the implications can be extremely dangerous.

The danger comes from simultaneously taking down all three components of the trinity with a parallel cyber campaign, which, as we have just reviewed, is entirely dependent on the assumption that the country is wired beyond the point of safe return. He concedes that in the most recent cyber conflicts this parallelism has not taken place and we have seen much more limited campaigns.

He then proceeds with a five step plan for a strategic cyber campaign: "Shape, Deter, Seize initiative, Dominate and Exit". This is a nice and clean model for describing a (cyber) conflict, but I disagree with some of his conclusions.

In discussing the deter stage, he touches on the concept of countervailing, or "making known to the potential adversary that the implication of a nuclear strike would be far greater than the potential gains an adversary can achieve by initiating the first strike." He mentions that the recent cyber attacks against Estonia, Georgia, the UK, France etc. may be examples of cyber countervailing. I do not see it that way, as a key point of countervailing relies on letting the enemy know your capability - and no state has taken responsibility for the attacks listed. Furthermore, the cases he cites are not traditional military conflicts (with the possible exception of the Georgia attacks), but merely harassment or espionage, which do not demonstrate the potential destructive capability of a state. They do serve as reminders that networks are vulnerable, however.

He does make a good point that in order to deter an attack you need a "Cyber Triad capability", which consists of
"Regular defence/military assets and networks, [...] isolated conglomerate of air-gapped networks situated across the friendly nations as part of cooperative defence, which can be initiated as credible second strike option; and [...] a loosely connected network of cyber militia involving patriotic hackers, commercial white hats and private contractors which can be initiated after the initial strike or in case of early warning of a potential strike."
He proceeds by arguing that the concept of defense in layers and the Law of Armed Conflict (LoAC) do not work in a strategic cyber campaign. I do not understand his point that a system built on the concept of defense in layers (defence-in-depth) is "as strong as its weakest link." To me, defense in layers means exactly the opposite - you can take out any single layer and the system remains secure because of the remaining layers.

His other argument is that LoAC does not cover strategic cyber warfare. Granted, there have been no successful applications of LoAC to strategic cyber warfare yet, but that is because we have not yet seen a strategic cyber warfare campaign in the armed conflict sense. As mentioned above, we have plenty of hacktivism, espionage and other examples that fall outside the LoAC framework, but no state-on-state wars where cyber has played a significant role. Therefore, it is premature to throw LoAC out of the window as it stands today. However, I agree that it needs updating to meet modern scenarios, and the CCD COE is among the experts working toward this goal (some discussions on this took place at the Cyber Conflict Law and Policy Conference).

He finishes by arguing that the Mutually Assured Destruction (MAD) doctrine is the best way to keep states from engaging in strategic cyber warfare. I would argue that MAD simply does not work well in cyberspace, as
  1. attribution of the cyber attack may be impossible,
  2. in case attribution can be achieved, there is a question of false-flag operations,
  3. in case a second strike is launched, there will be ample collateral damage to third states, which can escalate the conflict further,
  4. the cyber triad is never ideal and many (most) countries in the world today are almost invulnerable to strategic cyber warfare, because they have little or no reliance on cyberspace,
  5. in case a strategic cyber campaign succeeds against a modern military power, they can always retaliate with weapons of mass destruction (missile silos should be air-gapped from the rest of cyberspace, at least I would hope so).
Overall, the paper has a lot of provocative thoughts and arguments and I enjoyed reading it (what would be the point of reading things that do not raise a single question or counterargument?). I have not covered some of his points that I agree with and, as always, I recommend reading the full paper. We met briefly at the conference in June and discussed some of the points above, and in the end agreed to disagree on some of them. I wish him luck in his research, as he definitely rocks the boat.

Wednesday, November 4, 2009

CFP: Conference on Cyber Conflict

The Call for Papers is out for the CCD COE Conference on Cyber Conflict. The event will take place in Tallinn from 16-18 June 2010 and it combines the two conferences that the Centre organized in 2009 (You can read summaries here and here). There will be a separate training day on June 15th.

Bruce Schneier will give the keynote address and, judging from this year's events, we expect many other interesting talks and papers as well.

The conference is split into three tracks: Technical, Concepts and Strategy, and Legal and Policy. Paper submissions are welcome to all tracks. Note that the deadline for abstract submission is a mere four weeks away!

Key dates
Abstract due: 30 November
Paper due: 01 March 2010
Conference: 16-18 June 2010