Tag Archive: warfare



So far this year, hundreds of millions of users of online services have had their accounts compromised or sites taken down. The victims range from Sony, Nintendo, the US Senate, SOCA and Gmail to the CIA, the FBI and the US version of X-Factor. Self-inflicted breaches have occurred at Google, DropBox and Facebook. Hackers have formed semi-organised super-groups, such as LulzSec and Anonymous. Are we at the point where information security professionals are starting to say, “I told you so”?

The telling thing about nearly all of these breaches is how simple it would have been to limit the impact: passwords were stored in the clear, known vulnerabilities were not patched, corporate secrecy got in the way of a good PR message, and controls varied between sites of the same brand.

The media’s response is often “hire the hackers!”, an idea that is fundamentally flawed. Would you hire a bank robber to develop the security for a bank? No. The fact is that there are tens of thousands of information security professionals, many of whom are working in the organisations recently attacked, who know very well what needs to be done to fix many of the problems being exploited.

Many corporations have decided to prioritise functionality over security to the extent that even basic security fundamentals get lost. There needs to be a re-assessment of every organisation’s priorities, as LulzSec and Anonymous will soon realise that there are juicy and easier pickings away from the large corporates and Government sites, who have had the foresight to invest in information security controls.

This may sadly be just the beginning.

Stuxnet presentation


I have finally got around to uploading the PowerPoint presentation that I gave at the ISSA Ireland Conference in Dublin at the beginning of the month. Sorry it took so long!

You can get it here.

Hacktivism vs cyberwar?


The BBC have an interesting article, entitled “Is cyber-warfare a genuine threat?”, which poses several interesting questions. There is a general consensus that something needs to be done to allow for a consistent approach to

All this relates to the document entitled “[the] First Joint Russian-U.S. report on Cyber Conflict”, created by the EastWest Institute. Some of the things they looked at were:

  • Just as a Red Cross designates a protected entity in the physical world, is it feasible to use special markers to designate protected zones in cyberspace?
  • Should we reinterpret convention principles in light of the fact that cyber warriors are often non-state actors?
  • Are certain cyber weapons analogous to weapons banned by the Geneva Protocol?
  • Given the difficulties in coming up with an agreed definition for cyber war, should there be a third, “other-than-war” mode for cyberspace?

One of the things that comes out of this document is the need to provide real-world analogies for issues on the Internet in order to contextualise the issue and come up with an appropriate response. If you sit at a desktop PC as an end-user, you have absolutely no idea what’s going on on the Internet beyond what’s currently displayed on your screen. This opacity has a number of consequences:

  • Most people take risks that they wouldn’t take if they understood the threat they faced;
  • Hacktivists or casual hackers have no understanding of the damage that they do or the power that they wield, resulting in potentially catastrophic consequences.

In light of my previous post about Hacktivism, is there a danger that, if the definition of cyberwar is too strict, a teenager in his bedroom could start a global conflict? As one comment indicated, the power in the hands of an individual can far outweigh the power they would have in the real world and, therefore, to some extent, everyone is equal. Where are the boundaries? And what should be sacred? The document outlines some ideas about having an agreed set of “neutral” entities, like the Red Cross or Red Crescent, but who is entitled to agree on the list?

Traditionally, only militaries had the capability to wage war and, therefore, it was appropriate for their associated governments to sign treaties that governed the rules of war. Now, however, everyone has the same potential.

While you can control the substances needed to make bombs, you can’t control the creation of code.

Update

This post prompted a lot of discussion offline, summarised thus:

  • The biggest problem is determining accurately where an attack comes from in order to respond to it;
  • Compromised machines will become the main launch-pad for attacks, as it allows for deniability on the part of the originator of an attack;
  • The “super powers” will probably want to have the ability to respond conventionally to a cyber-attack, as online they don’t have the same overwhelming power as they do in the real world;
  • “Protected organisations” will quickly find themselves exploited as launch-pads for attacks if they’re not very well defended.

Information Warfare


One of the course books I had way back when I was doing my MSc in Information Security at Royal Holloway was entitled “Information Warfare and Security”, and written by Dorothy Denning. It was an interesting book and got me thinking about the use of the Internet for military purposes and how the pervasiveness of the Internet could impact society if it were to be attacked.

The book was written in 1998 and a lot has changed since then; I was still using a 28kbps dialup modem and the communications course on my Computer Science degree focused a lot on ATM packet transmission. But the fundamental issues were already there.

The film WarGames was the first to address the possibility of hacking military systems, but the most vulnerable networks now are civilian: those run by organisations that provide utilities and services to the general population, power and water for example. Given that private companies generally don’t spend as much on information security as governments, there is a risk that they haven’t spent enough. And people are being targeted with sophisticated Trojans whose purpose is unclear.

So, as a country whose critical infrastructure is under attack, how do you:

  1. Determine where the attack is coming from
  2. Determine whether it is state-sponsored or the work of “hacktivists”
  3. Decide what to do in retaliation, if anything

At what point does a cyber-war escalate into a physical one?

I realise that there are plenty of studies around the globe looking at these issues. I am not sure that there has been any final agreement about the implications of declaring Internet war nor under what circumstances. I do know, however, that many countries are developing their cyber warfare capabilities.