Abu Muqawama: Post
Abu Muqawama retains its autonomy and the views and beliefs expressed within the blog do not reflect those of CNAS. Abu Muqawama retains the right to delete comments that include words that incite violence; are predatory, hateful, or intended to intimidate or harass; or degrade people on the basis of gender, race, class, ethnicity, national origin, religion, sexual orientation, or disability. In summary, don't be a jerk.
Limiting Terminological Escalation
There's a lot of (correct) criticism about military buzzwords and calling things war which plainly are not. So credit should be given when credit is due when someone gets it right, as US Cyber Command attorney Robert Clark has:
While happy to label so-called outbreaks of “cyber-war” as “B.S.”, Clark stated that “governments are in the business of offensive cyber-operations now.” Clark also said that cyber “attack” is over-used in the media, as he feels the planet is yet to see a real cyber-attack . “Stuxnet was not a cyber ‘attack’, Estonia was not a cyber ‘attack’, that pipeline that some people say ‘yeah, that was malicious code’ wasn’t a cyber ‘attack’,” he said. ....And why does this definition matter? In other words, why should we care about loose media use of “cyber war”? Because, Clark explained to El Reg: if policy-makers are only informed by the catchphrase and not the definition, they will make bad policy.
To be perfectly clear, there are a lot of things that also aren't war that have serious security implications. Espionage is threat, for example, even if thefts of crucial secrets are not literally military operations. A hurricane--not a foreign army--devastated New Orleans. And the bad economy has far-reaching implications for our ability to generate military and diplomatic power. But securitizing an issue is not always (or even partly) likely to lead to more effective policy. Calling obesity a national security threat or declaring wars on nouns is not going to lead anywhere productive.
I tend to agree more with Tim Stevens on the issue of cyber war--it's a no brainer that distinctive cyber operations and tactics will augment more traditional military operations. Take it away, Tim:
At least 95% of this debate could be solved by substituting ‘cyber warfare’ for ‘cyber war’. That is, by accepting – as any sane person should – that ‘cyber warfare’ tactics and operations are part of war. ...We should also accept – at least, for now – that there is no pure-play cyber war. It’s either war or it’s not. Simple. A land war is still a war. A sea war is still a war. All ‘cyber’ is in this context is an environmental modifier. Useful for descriptive purposes but it doesn’t alter the essential nature of war as a political and coercive act.
I would be remiss in not observing that the line between military activities and covert operations and espionge is not really always easy to draw for policymakers or military analysts to draw in practice.
Since some forms of covert operations and military operations both aim to achieve strategic effect through violent coercion, it is easy to make arguments to the effect that Iran and Israel are engaged in "shadow war." Low-intensity operations tend to look remarkably like terrorism, crime, sabotage, subversion, and coercive diplomacy at the lower tactical margins. Those who like to eat out in Foggy Bottom (I enjoy a nice Thai place every once and a while) may be sympathetic to this agument because Iran may have gotten away with trying to put a bomb under their dinner plates.
Charles Dunlap observed that international law of armed conflict (LOAC) tends to be "effects-based"--as in the effect of the action determines whether it constitutes an "armed attack" against which can be retaliated. LOAC can at times be confusing because it does not grant a clear go-ahead for states to respond to force more generally, even if it simultaneously prohibits threats of force (talking about Articles 2 and 51 of the UN Charter respectively). Dunlap also soundly argues that the phrase "act of war" is really a political, rather than legal distinction.
You guys are going to make
You guys are going to make great government employees. Think I am starting to see the difference between main street and inside the belt way. You're impressed with your own bullshit.
Do you know what the threat looks like and what the extent of that threat even is? Now you are making rules of engagement?
You're part of the problem not the solution.
Cyber War is as easy to stop as pulling a plug (or reading a COTS product description, if it does not meet your security needs don't buy it!) . Always said that if you want to stop WW3 take away everyone's batteries. Think even Exum is impressed with the number of 123a's it takes to see at 8-12 micron with a logistics chain all the way to the battery factory.
DOD writes the spec for their toys, hire someone that knows what to ask for. Tell private companies they have liability due to not doing their security. Request the IEEE to develop standards and protocols so that private industry and defense can respond and be liable to them. That way the CEOs, Politicians, and Government can not say they did not know better when the shit hits the fan. (AKA do the f*king job they get paid to do!)
Do you read you customer service agreements end-to-end????? I do, drives people nuts. Bankers bitch like hell at closing, but guess what I am the one paying for the pleasure of their company.
We do it to ourselves.
Ah, but is this another piece
Ah, but is this another piece of the future "non-expeditionary punitive actions" puzzle? If instead of trying to mount a failed expeditionary punitive action against Foggy Bottom by way of a used car salesman, had the Iranians been able to display even a DPRK-level of cyber skill (or if the mullahs had been willing to spend the moolah to hire competent Russian cyber-mercenaries), they might not be looking like such fools.
LOL, I shall now cease and desist on the subject.
"Stuxnet was not a cyber
"Stuxnet was not a cyber attack"
Well, little rabbit, let's explain how to make Stuxnet 'real'.
1) Generate a Stuxnet-type virus targeting U.S. nuclear reactors running similar software ('98 Windows, isn't it?). A simple instruction is all that's needed: shut off cooling systems, withdraw control rods. Guaranteed meltdown, isn't it? What, too many social studies courses? No idea what 'uncontrolled meltdown" means? Well, that's you fucked, isn't it?
2) Run away
There you go, a "real" Stuxnet attack targeting a U.S. reactor, and just look at Fukushima or Chernobyl to see the results. I'd suppose Indian Point, upwind of NYC, would be a primary target (but there are many others).
Clever little monkeys, weren't they, to come up with this? Now, just wait for the blowback.
Gosh, shutting down the bombs-in-waiting might not be such a bad idea - but remember this - the only reason this Stuxnet-blowback theme hasn't been discussed in the corporate media or by the Obama administration is that both entities are largely owned by large corporate energy interests - Exelon coal/nuclear has always backed their Illinois coal state Senator, and Republicans to the same extent.
Buy both sides of the aisle, and everyone's your friend, right?
gunboat diplomat on May 18,
gunboat diplomat on May 18, 2012 - 10:08pm
Think you have been reading too many Sci-fi books. To really understand the problem and the level of threat you would have to take apart the Siemens control system that Stuxnet targeted and know intimately the control functions the Siemens system was automating. After that understanding, you would have to consider the fail-safes layered in the control systems. Only then can you make an assessment of damage that could be affected.
Automated systems require specific programming inputs unique to the electronics to make control changes. It is the specific nature of electronic systems that makes scaling an attack difficult. Scaling an attack would require a broader knowledge of industrial applications of mass produced automated systems.
Weaknesses within industrial systems where automated functions are inherently scaled can be exploited and could have a mass effect. An example would be a power grid controlled from a central computer. There would still have to be vectors where the abnormal programming could infect the control system.
Think this post is about the limited nature of cyber attacks. Although I am not sure the response the author is looking for from the audience.
This reader tends to agree that no full-up cyber war attack has been made to date. The Stuxnet virus was limited by the specific nature of programmed systems. Mass production of computer operating systems and hardware enabled the transmission of the virus; however, once in the targeted system the virus’s effect was not catastrophic or wide spread. Once Stuxnet was identified in the automated systems, the system was made virus free.
What should be the corrective action?
Systems should be designed to assume the security of the systems would be breached. Program changes should not be realized with out redundant security validation from at least two highly encoded and verified sources within the software programming. Organizations like IEEE and ISO can provide standards and certifications for followed procedures and systems could not be made licensable without certifications. Older systems could be certified as they are updated with security reviews completed until updating is realized.
Security was after thought in dated system designs; cost was a first order requirement. Industry automates to reduce cost. DOD adopts commercial systems to reduce cost. If the system is thoughtfully designed, both reduced cost and improved security can be realized. Specifications of current DOD purchases of commercial systems should be reviewed prior to adoption, rejected if the systems do not pass muster for critical functions.
A hierarchy of critical functions should be known so that non-secure systems are used for critical purposes.
Having layered security systems produced by defense contractors would be wasted money.
In other words any person that merges a Microsoft OS with a nuclear reactor for all the bugs and security issues in past OS releases has to be one dumb MotherF*cker. Any organization that lets programmable media into a secured area not only deserves WikiLeaks, but also has its head up its *ss. People should be using their common sense and doing the f&cking jobs that they get paid soooo well for and get benefits for life to do.
Not sure about you, but the last paragraph makes more sense than the rest of this dry bullshit.
Add your comment