Re: Myth: The US is more vulnerable to information warfare because it is more reliant on information technology

["Timothy R. Chavez" <tim.chavez () linux vnet ibm com>]

So what about attacks _with_ information?  I think the US would be more
susceptible to information warfare attacks, in this regard, if it were
more reliant on _homogeneous_ sources of information. Neil Stephenson
brings up a good point in his book Cryptinomicon that even when the
British cracked the Enigma code, they still had to constantly ask
themselves if the Nazis knew they knew and if not, how they could
effectively use the information they intercepted without giving
themselves away.  For the defender of this information, integrity of
the technology carrying it is of utmost importance, for the attacker of
this information, integrity of the information, itself, is of utmost
importance.  So I'd argue, if anything, that by meddling with the
affairs of others, we make ourselves more susceptible :)

-tim


On Tue, 21 Aug 2007 16:53:48 -0400
"Dave Aitel" <dave.aitel () gmail com> wrote:

> http://video.zdnet.com/CIOSessions/?p=165
>
> If you listen to Colonel John Hayes in the above interview, he says
> that oddly enough, they found that one of the most important
> applications they implemented for mission support was "Text Chat". He
> also noted that although he spent a lot of money building up wireless,
> people aren't using it. That's probably because wireless never works.
> Ever sat next to the door in your hotel because that's the only place
> you could get connectivity? Anyways, back to the main point: busting a
> myth.
>
> Myth: The US is more vulnerable to information warfare because it is
> more reliant on information technology. Some people like to say the US
> is "uniquely vulnerable". I hear this all the time from various
> weblogs and every time I hear it I wonder why people keep repeating
> it.
>
>
> For background, the IATAC has this to say:
> """
> The United States is vulnerable to Information Warfare attacks because
> our economic, social, military, and commercial infrastructures demand
> timely and accurate as well as reliable information services. This
> vulnerability is complicated by the dependence of our DoD information
> systems on commercial or proprietary networks which are readily
> accessed by both users and adversaries. The identification of the
> critical paths and key vulnerabilities within the information
> infrastructure is an enormous task. Recent advances in information
> technology have made information systems easier to use, less
> expensive, and more available to a wide spectrum of potential
> adversaries.
>
> The security of our nation depends on the survivability, authenticity,
> and continuity of DoD information systems. These systems are
> vulnerable to external attacks, due in part to the necessary
> dependence on commercial systems and the increased use of the
> Internet. The survivability, authenticity, and continuity of DoD
> information systems is of supreme importance to the Warfighter.
> """
>
>
> My intuition strongly disagrees with the idea that the US is specially
> vulnerable. So with that in mind, let's go through a little exercise
> in iconoclasty.
>
> Counter arguments:
> 1. Hacking has an economy of scale.
> 2. The US is a hard system to model.
> 3. Complexity breeds resilience.
> 4. Technology is adopted quickly in the US, making it a fast-moving target.
> 5. Having a "target rich environment" overwhelms an attacker's
> analytical capability.
> 6. Everyone repeats this Myth yet no one has any data to back it up.
>
> Some details:
>
> 1. Hacking has an economy of scale. 10 hackers working together are
> more productive than 10*1 hacker. Less advanced countries have easier
> technology to hack - NT 4.0 has unpatchable remote roots on it.
> Management software is more easily used on modern stuff than old
> crusty stuff. Technology rots, in other words. And rotted stuff is
> easy to break. We all know very well how to write Windows 2000 heap
> overflows. Nico is just getting Vista heap support into Immunity
> Debugger now.
>
> Of course, you only get an economy of scale when all your hackers can
> talk to each other. If Clay Shirky[1] was commissioned to tell you
> what kind of tools you need to maintain compartmentalization while
> still getting that kind of economy of scale the results would be quite
> interesting I think. Someone at DARPA needs to do that.
>
> 2. The US is a hard system to model. Hacking is easiest when you can
> model your target. Modeling a MIG is easier than modeling an F-22
> because you can purchase an old one on eBay and fit it up to act like
> whatever your target looks like. Likewise with information systems
> that drive things you'd want to target with IW attacks. Owning a Cray
> is hard. Why? Because you have to own a Cray. MMM,vector'd shellcode.
> :>
>
> 3. Complexity breeds resilience. People say that hacking the United
> States and causing damage is easier because more of what the US does
> is connected, in many cases, to the Internet. However, it's also more
> resilient - a SCADA system in a country that is less dependent on
> network technology is harder to reach initially, but you're more
> likely to find a single point of failure once you do reach it.
>
> 4. Technology is adopted quickly in the US, making it a fast-moving
> target. Hacking is a continual treadmill. New techniques have to be
> invented constantly to cope with changing technology. The US's
> technology treadmill is set on 10 with a 15 degree incline. Countries
> that change less will be easier to hack. There's a number X for any
> given system, network, or organization where X is how fast things
> you've owned get updated and your knowledge about them, exploits, and
> trojans become worthless. [2]
>
> 5. Having a "target rich environment" overwhelms an attacker's
> analytical capability. Even understanding one branch of the US
> military's IT infrastructure is too large a project for even the most
> well funded non-US attacker.
>
> 6. Everyone repeats this Myth yet no one has any data to back it up.
> This isn't a "classification" problem necessarily. Very few people
> have experience hacking at all, let alone on a scale that would afford
> them the ability to make generalizations like this.
>
> _________________________________________________________
>
> [1] Clay Shirky is the person you read when you want to know how
> people react to social software. He can be found here.
> http://many.corante.com/archives/authors/Clay.php
>
> [2] This number X is something I was looking for in the John
> Arquilla's Networks and Netwars. Although the book started off really
> well, it veered far from anything to do with hacking. Maybe one of his
> other books has something on it.
> http://www.amazon.com/Networks-Netwars-Future-Terror-Militancy/dp/0833030302
> (I don't necessarily recommend it unless you are very interested in
> the Zapatistas).
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave