On CyberWar

To the Tune of: Jeff Wayne;Richard Burton;Justin Hayward – The Eve Of The War

This is the longer draft of a short piece I did for the just-released Delayed Gratification. Before the Wikileaks stuff happened, incidentally, so I was prescient about 4Chan.

Undersea Cable

Missile weapons, phalanxes, military organisation, artillery, ironclads, dreadnoughts, machine guns, submarines, and finally nuclear weapons. These are all shifts of technology that led to shifts in international power, making the ultimate weapons of their time obsolete. Rifled guns eradicated knights, ironclads wiped out galleons, like lightning against tin hats.

Cyberwarfare is the latest technological shift. Simply put, it’s an aggressive action using computer technology. It’s mostly a threat to networked devices, so an obvious defense would seem to be to not connect your machines to the Internet, especially not important ones. Yet, the two biggest infections of recent years (this year’s Stuxnet attack on Iran and 2008’s total infection of the US Central Command) were both started by USB sticks. Moreover, as we’ll see, aside from isolating your computers, the physical infrastructure of the Internet is itself vulnerable to everything from fires to enthusiastic hoeing.

The UK government thinks cyber attacks are such a huge threat that, even in the midst of the biggest public service retrenchment since Henry VIII burnt half his cabinet, they’ve just allocated an extra £650 million to defending against them, and rated them as a Tier 1 threat – that means we should be more scared of them than nuclear, chemical, biological or radiological attacks. Meanwhile, the US government has admitted that hackers steal enough data from US agencies, businesses and universities to fill the Library of Congress many times over.

The varieties of cyberwarfare range from the brute force, such as the ‘DDOS’ (distributed denial of service) employed by Russian bot-nets and angry forum users, to national networks such as the Chinese Titan Rain hacking system or Russian Moonlight Maze, to the highly targeted Stuxnet (the culprit of which is unlikely to be known until we accidentally hack whoever it was back). You can see from this that normal governmental cyberwarfare is not qualitatively different from normal hacking and virus-creation – Stuxnet is only thought to be governmental because of the use of rare, valuable vulnerabilities.

Stanislav Petrov

Who are the great powers in the world of cyberwarfare? An anonymous industry expert we contacted pointed to “nation states, organised criminal organisations and (defensively) some large organisations (especially in financial services)” as the major actors. Unlike economics, where a company or country can use a small number of experts to dominate a market, or a small lobbying firm to distort a market, what’s required to be a major power is large numbers of committed technical experts. So cyberwarfare gives disproportionate power to mass movements that include technical types, for example cyber vigilantes like Wikileaks or the huge, juvenile anarchist community 4chan.

Despite its apparent technological expertise, most of the United States’ technology production and know-how was long ago outsourced to the Far East; so compared to its dominance in almost every other field (it spends 45% of the world’s total military spending), it has been relatively weak in Cyberwarfare. So how do they plan to defend against it? Former US Homeland Security secretary Michael Chertoff suggested in October that Cyberwarfare is best opposed by open protocols, similar to but not quite at the level of mutually-assured destruction (MAD); “…it’s important to define when and how it might be appropriate to respond,” explained Chertoff. “Everyone needs to understand the rules of the game.”

Sadly, as our expert points out, it’s very easy to establish protocols, but there are three major problems. Firstly, this is such a mutable field, that these protocols would either have to be really wide-ranging, or very vague to deal with the rate of technological change. Secondly, there are so many ongoing attacks (with more than 100 foreign intelligence agencies trying to hack into US military digital networks, and over 1000 attacks a month) that determining which ones justify a response isn’t clear. “Any attack needs to cause (or be about to cause) real world damage.” If that could be established a response would then follow existing international treaties.

Sadly, the third problem is the biggest. “The fundamental difficulty at the moment in establishing a cyber response doctrine is the difficulty of definitive attribution of any cyber attack (including intelligence gathering operations),” says our source. “At a very recent conference I attended there was a strand of thought developing that attribution might always be largely impossible without fundamental changes to the structure of the Internet, with detailed monitoring of any cross-border traffic.” Without such a change, no government can attack in good faith – data is faked so easily that “Any web-based attack can be launched from computers all over the world.” Still, Chertoff talked of attacking anyway to remove the node the attack was coming through – even if that node was blameless.

Sub-saharan Undersea Cables in 2012

Even if all that’s solved, you have to rely on the protocols being carried out – as the case of Stanislav Petrov shows. He was a Russian bunker commander in 1983 when his (broken) systems told him that nuclear war had broken out; thankfully, he refused to launch his missiles, against the doctrine of MAD, but undermining the whole point of the protocol. A protocol that’s not carried out is worthless – and neither men nor machines can be relied upon.

So what defenses do we have? Well, less advanced nations have a slight advantage. As William Lynn, US Undersecretary of Defense, pointed out recently, dispersed, complicated and messy systems, like the US power grid, are protected by their complexity and lack of connection. Conversely, anything with remote, internet-based design built-in is really asking for trouble. However, as our expert says, “If you know a previously undiscovered vulnerability and/or you can socially engineer a victim into clicking on a link or opening an email then you will always get in.” Undiscovered vulnerabilities are rare in the wild – that was, until Stuxnet used four of them.

That said, computing is still entirely a physical medium – the Internet has not evanesced or apotheosized to exist entirely in the air (yet). “It’s safe to assume that security of the physical infrastructure is a key part of any cyber warfare planning,” says our expert. Key elements of the net exist in the unlikeliest locations; favourite locations for server farms (the great data stores of the internet) are deep, unused mines, and other cold, dry areas. Meanwhile, much of the world’s data is carried through thin undersea cables that are vulnerable to boats’ anchors and cluster as they come ashore in very few locations – New York, Cornwall, Rio, Singapore, and Mumbai (see image, right.) A still-unexplained accident in 2008 meant that 80 million people across India and the Middle East lost connection.

That’s not the whole story. As Lynn points out, the substrate of the Internet can be compromised too – “The risk of compromise in the manufacturing process is very real and is perhaps the least understood cyber threat.” Back doors and kill switches can be built into software and hardware, not being activated until necessary. If all else fails, seven people worldwide (including one from Bath, Somerset) have been entrusted with keys that reset the internet – assuming that at least five of them can make it to Texas to do it!

Holidays in the Kaiber Kush

To the tune of: Leadbelly – Ham An’ Eggs

All dreams begin and end with an ellipsis… …so I’m feeling a bit lonely right now. My friends have all bummed off and left me to entertain myself, except one who I’m just walking up to the top floor of the hotel to say goodbye to, before I go and find something to do. We get to the top floor, and it’s a bit like a modernist pub, with banquette seating and high windows that show arid, impossible old mountains scraping at the air. It turns out my friend is meeting a buncha people including Peter Kay, the northern comedian, so I do my balloon trick (something involving a highly-inflated balloon and pratfalls, as far as I can remember) and Peter Kay outdoes me, without even getting up, by punning about balloons, whilst doing a trick where the balloon cord is trapped under his buttocks.

The landscape is like this, but more craggy.

Deflated, I say goodbye and head downstairs. I head out into the sunbathing area, which is a big crescent of white sand crammed with cheap loungers, that backs up against the brick walls of the hotel. The hotel looks awfully like a power plant converted into a villain’s lair; it isn’t, but it just looks like that. I sit on a lounger and, wondering what to do, stare at “the pool”. It’s a horrible oily dark colour and they’ve just poured water between the (obviously imported) sand bank and the hotel’s thick circle wall. I was thinking about a swim, but now I’m not; especially as a passer-by points out the ominously large outflow in the wall.

Poached egg dish
Good Eggs.

So I go for a walk instead, passing through a gap in the cyclopean wall. Outside, there’s a mountainous desert, with sand-riddled rocks pushing their red extremities up through a thin layer of grey sand. Looking back the hotel is totally alien to the landscape but also very much the focal point of it – how I always imagined Gormenghast to squat in its environs. I go a little off the track, and am just turning to empty some receipts out of my pocket. When I turn back, I’m on a precipice; thinking now, I realise it’s a flashback to climbing Mount Olympus mixed with crawling to the edge of Masada. I have bad vertigo – I can’t go near edges – and here I just collapse into a squat and wait for the feeling to go enough that I can move. There’s a hole worn in the red sandstone that has an excellent view of a desert floor far below. I’m completely concealed from the road here, and I hear lots of noise, shouting and clashes; the hotel’s been attacked! I stay hidden in my cubbyhole.

Abruptly, through another hole to my right, a square pan appears and an Arabic voice instructs me to cook some eggs for their leader. They’ve found me. Quickly, I poach some eggs, and a floating Wii-style icon starts moving them around, feeding them to an unseen face. He mops it all up, though it’s strange to see poached eggs slice themselves open; they’re perfectly cooked, thankfully. Next the rock fades and a strong, handsome woman’s face appears. Beneath it is a name in stone-cut Cyrillic – Katerin – as I realise my next challenge is Katherine the Great, my focus sort of zooms in on her, as her skin turns the colour of blue frost. I imagine there are more dictators waiting – and I get cooking…