Dailydave mailing list archives
Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki
From: Nate Lawson <nate () root org>
Date: Fri, 25 Mar 2011 11:48:57 -0700
On 3/25/2011 10:26 AM, Marsh Ray wrote:
> On 03/24/2011 09:23 PM, Nate Lawson wrote:
>> So scary! And yet that is the same list that hackers were supposed to bring on us. Using only touchtones and modems...
>
> The "only touchtones" part is usually an exaggeration but I don't see what you have against modems. :-)
The problem I had with this list is that it requires huge coordination and constant cost being spent with no immediate objective. Think of the basic effort to maintain working 0-day exploits in IE, Adobe, etc. Sure, Immunity can do this on a moderate budget (how much, Dave? :)

Now, think how much more it will take to maintain a chain of vulns that are targeted to a single Iranian nuke factory. Multiply that by every factory in North Korea, Russia, Libya, and any other countries that might have assets the US would target. Add in industrial targets you mentioned like banking, traffic lights, autos, power, etc. All this would have to be done in advance of an attack, maintained in readiness against upgrades, configuration changes, etc.

There are so many targets that the cost would be prohibitive, even for a nation. Even just the intelligence cost of knowing exactly how all those industrial assets are built worldwide would be huge, let alone maintaining a huge pool of chained exploits for every possible configuration.

It makes much more sense to spend money in two ways:

1. Maintain a pool of vulns in common software and introduce backdoors during manufacturing for key components. With luck, your eventual targets will use at least some of these.

2. Once you are ready to perform an actual attack, do all the research and create a custom tool with a very short shelf life. You may incorporate items from #1, but often the determining factor is custom code based on your latest intelligence reports.

In terms of value to an attacker, everything you listed was a DoS. Don't we all value code execution over DoS bugs? Same thing for intelligence agencies. The NSA would rather have backdoors in all your comms equipment than take out your power.
>> These are all techniques and tools for waging war, not a unique type of war. [...] Attackers will use all the tools of the day. Computers and networks are tools, widely available today. What more is there to say about that?
>
> But modern wars are not fought with all the tools available to every side. Certainly that hasn't happened for any nuclear state since 1945. There's an invisible line between "conventional" and "nuclear" war and policies and systems are in place to maintain that distinction.
As I mentioned previously:
In any threat model, adversaries can be expected to use all options that are available that meet the cost vs. risk constraints.
The cost/risk to the user of nuclear weapons was too high to justify them.
> Whether or not there is this thing called "cyberwar" which exists as a distinct category of war is an open question for the people who decide policies on such things. At what point do organized cyber-attacks trigger cyber-retaliation? At what point do they trigger kinetic retaliation?
Now you're talking policy, which will be specific to particular countries, situation, and time. The differing factor is not the tools involved, it's the specifics of the situation. Why do we tolerate Pakistan's nuclear industry but not Iran's? Both are nuclear. It's because of our strategy wrt the particular actors. We don't have a generic "nuclear" policy that is applied to all nations or situations equally.
>> To use a specific example, I'll feel much safer when the power company removes "remote shutoff" support from my power meter.
>
> Usually once control becomes centralized like that, there's no going back. It's undoubtedly easier to collect on past due bills by shutting service off remotely, and occasionally it's justifiably useful in hazardous situations like fire.
It's a vuln, the barrier to exploit is low, and the impact could be very high. Again, I'm more concerned about vulns and their risk than which actor will choose to exploit it first.
>> We should be intensely discussing how that got in there, how to remove it, and how to prevent it from happening again. It's a known vulnerability, and I have the flash dumps to prove it.
>
> Normal people can't distinguish between Nate Lawson with flash dumps and a 4chan faction with an ion cannon. This is a sad (and dangerous) state of affairs, but we in the security industry will get nowhere by blaming others for it or expecting others to solve it.
I know why this cyberwarfare stuff is so annoying. It reminds me of debates about how skilled an attacker must be to exploit a particular hole ("you must be this tall..."). You end up drawing artificial distinctions, attackers learn new techniques, and the end result is still that you get hacked. Even in your 4chan example, there are people there that can hook up JTAG to a meter and dump its flash, run IDA, etc. I'm saying the opposite -- the barrier to exploiting smart meters is so low, there's no need to draw a distinction between skilled attackers and anyone else. Nation state or bored teenagers, the only question is "who will use this hole first?" The cost and inaccuracy involved in predicting all of your future opponents and their exact skill levels is so much greater than fixing the hole.
>> The vulnerability is the problem, not who chooses to exploit it first.
>
> I agree with you 100%. But most people don't think that way and I suspect that, at least for their purposes, they may be right.
...
> However, the uncertainty of fundamental variables such as scope, severity, and reliability of attribution mean that "cyber conflict" is a different sort of animal for which our traditional methods of mitigating risks are insufficient.
I disagree -- it's not a different sort of animal. Attackers of many different kinds will target infrastructure. When infrastructure changes to depend on new technology, that's another link in the chain that can be attacked. For all of history, we have had to consider that in building defenses. New defenses need to be developed for new technology, but that has been the case whether the technology was dams, missile silos, or computers. I think the approach of risk management is still important, but I do agree with you that many people building systems that depend on new technology aren't assessing the risk correctly.

-- 
Nate
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave