Dailydave mailing list archives

Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki


From: Nate Lawson <nate () root org>
Date: Fri, 25 Mar 2011 11:48:57 -0700

On 3/25/2011 10:26 AM, Marsh Ray wrote:
> On 03/24/2011 09:23 PM, Nate Lawson wrote:
> > So scary! And yet that is the same list that hackers were supposed to
> > bring on us. Using only touchtones and modems...
>
> The "only touchtones" part is usually an exaggeration but I don't see
> what you have against modems. :-)

The problem I had with this list is that it requires huge coordination
and constant cost being spent with no immediate objective.

Think of the basic effort to maintain working 0-day exploits in IE,
Adobe, etc. Sure, Immunity can do this on a moderate budget (how much,
Dave? :)

Now, think how much more it will take to maintain a chain of vulns that
are targeted to a single Iranian nuke factory. Multiply that by every
factory in North Korea, Russia, Libya, and any other countries that
might have assets the US would target. Add in industrial targets you
mentioned like banking, traffic lights, autos, power, etc. All this
would have to be done in advance of an attack, maintained in readiness
against upgrades, configuration changes, etc.

There are so many targets that the cost would be prohibitive, even for a
nation. Even just the intelligence cost of knowing exactly how all those
industrial assets are built worldwide would be huge, let alone
maintaining a huge pool of chained exploits for every possible
configuration.

It makes much more sense to spend money in two ways:

1. Maintain a pool of vulns in common software and introduce backdoors
during manufacturing for key components. With luck, your eventual
targets will use at least some of these.

2. Once you are ready to perform an actual attack, do all the research
and create a custom tool with a very short shelf life. You may
incorporate items from #1, but often the determining factor is custom
code based on your latest intelligence reports.

In terms of value to an attacker, everything you listed was a DoS. Don't
we all value code execution over DoS bugs? Same thing for intelligence
agencies. The NSA would rather have backdoors in all your comms
equipment than take out your power.

> > These are all techniques and tools for waging war, not a unique
> > type of war.
> [...]
> > Attackers will use all the tools of the day. Computers and networks are
> > tools, widely available today. What more is there to say about that?
>
> But modern wars are not fought with all the tools available to every
> side. Certainly that hasn't happened for any nuclear state since 1945.
> There's an invisible line between "conventional" and "nuclear" war and
> policies and systems are in place to maintain that distinction.

As I mentioned previously:
In any threat model, adversaries can be expected to use all options
that are available that meet the cost vs. risk constraints.

The cost/risk to the user of nuclear weapons was too high to justify them.

> Whether or not there is this thing called "cyberwar" which exists as a
> distinct category of war is an open question for the people who decide
> policies on such things. At what point do organized cyber-attacks
> trigger cyber-retaliation? At what point do they trigger kinetic
> retaliation?

Now you're talking policy, which will be specific to particular
countries, situations, and times. The differing factor is not the tools
involved, it's the specifics of the situation.

Why do we tolerate Pakistan's nuclear industry but not Iran's? Both are
nuclear. It's because of our strategy wrt the particular actors. We
don't have a generic "nuclear" policy that is applied to all nations or
situations equally.

> > To use a specific example, I'll feel much safer when the power company
> > removes "remote shutoff" support from my power meter.
>
> Usually once control becomes centralized like that, there's no going
> back. It's undoubtedly easier to collect on past due bills by shutting
> service off remotely, and occasionally it's justifiably useful in
> hazardous situations like fire.

It's a vuln, the barrier to exploit is low, and the impact could be very
high. Again, I'm more concerned about vulns and their risk than which
actor will choose to exploit it first.

> > We should be intensely discussing how that got in there, how to remove
> > it, and how to prevent it from happening again. It's a known
> > vulnerability, and I have the flash dumps to prove it.
>
> Normal people can't distinguish between Nate Lawson with flash dumps and
> a 4chan faction with an ion cannon. This is a sad (and dangerous) state
> of affairs, but we in the security industry will get nowhere by blaming
> others for it or expecting others to solve it.

I know why this cyberwarfare stuff is so annoying. It reminds me of
debates about how skilled an attacker must be to exploit a particular
hole ("you must be this tall..."). You end up drawing artificial
distinctions, attackers learn new techniques, and the end result is
still that you get hacked.

Even in your 4chan example, there are people there that can hook up JTAG
to a meter and dump its flash, run IDA, etc. I'm saying the opposite --
the barrier to exploiting smart meters is so low, there's no need to
draw a distinction between skilled attackers and anyone else. Nation
state or bored teenagers, the only question is "who will use this hole
first?"

The cost and inaccuracy involved in predicting all of your future
opponents and their exact skill levels is so much greater than fixing
the hole.

> > The vulnerability is the problem, not who chooses to exploit it first.
>
> I agree with you 100%. But most people don't think that way and I
> suspect that, at least for their purposes, they may be right.
> ...
> However, the uncertainty of fundamental variables such as scope,
> severity, and reliability of attribution means that "cyber conflict" is a
> different sort of animal for which our traditional methods of mitigating
> risks are insufficient.

I disagree -- it's not a different sort of animal. Attackers of many
different kinds will target infrastructure. When infrastructure changes
to depend on new technology, that's another link in the chain that can
be attacked. For all of history, we have had to consider that in
building defenses.

New defenses need to be developed for new technology, but that has been
the case whether the technology was dams, missile silos, or computers. I
think the approach of risk management is still important, but I do agree
with you that many people building systems that depend on new technology
aren't assessing the risk correctly.

-- 
Nate
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave