A bit of news this week dealt with cyberwarfare. Far from being the preserve of the tinfoil hat crowd, cyberwarfare has been growing in real-world relevance over the past eighteen months and is the primary impetus for pending legislation. While in the Cold War detente could be measured in the megatonnage of nuclear weapons, measuring cyberwarfare capability (in megapings, if you will) is very different. In the past ten days, in one publication, Forbes.com, two experts, Richard Clarke and Jeffrey Carr, have held very dissimilar philosophical viewpoints. Clarke sums up:
At first glance, Jeffrey Carr looks skeptically at the cyberwar threat, treating it as overhyped. Carr does frame the espionage threat from China accurately, and in his top five cyber fallacies he claims this about cyber warfare and China:
Then again, Carr didn’t spend five years trying to convince two administrations of the threat of Al Qaeda, which Richard Clarke did. Richard Clarke agrees with Carr that China has not yet been identified conclusively as the instigator of a threat; however, he disagrees with Jeffrey Carr’s assessment, stating that ‘launch platforms’ have been used from within China, most probably by North Korea:
In warfare theory and historical precedent, having a civilian team working inside another country’s infrastructure has another name: Terrorism. Geneva Conventions stipulate combatants need to be identified – uniforms, ID cards, etc. When they’re not, it’s little more than a street fight between heavily armed factions not unlike Somalia in the 1990s.
In 2003, Robert Clarke mentioned in PBS Frontline’s Cyberwar how difficult assessment of weaponized software might be. Carr’s continued analysis seems to say that there’s no threat since nothing’s been done as far as China is concerned, while Clarke states that a more subtle operation has been going back and forth for years. Plausible deniability makes for the perfect vector: little risk and everything to gain.
I don’t doubt Clarke’s sources; however, the attribution of attacks or cyberspying from within China does give me concern. Clarke says this is something that can be solved:
As for historical precedent with Russia, in The Cyberwar That Wasn’t, Jeffrey Carr lists internal dissidence as the main Cyberwarfare target of Russia:
Carr’s got some interesting views. Not all of them are ones I agree with. Carr seems to suggest that since we haven’t seen cyberwarfare employed by a country, it’s not really a threat. Historically in warfare, the threats you can see are not always the worst ones to worry about.
Clarke states that the hidden threats are the ones we should be concerned with. Research into SCADA probing, hardware manufacture overseas, and actual ownership of data pipelines tends to support his theory that embedded threats are the larger threat. Embedded here means that Bad Guy A has concentrated on logic bombs and trapdoors rather than simple, real-time DDoS and infiltration attempts.
Regarding who the Bad Guy in an attack really is, Clarke states:
There are some flaws with Richard Clarke’s theories. For instance, the FCC cannot do what he feels they can, at least not right now according to last week’s ruling. To be fair, Clarke’s interview with Forbes could have happened before this ruling. Here’s a bit from his Forbes.com interview which is incorrect, yet focused in the right direction for what Clarke feels needs to happen:
Expect some legislation to be proposed (and to most likely die horribly) to give the FCC authority to regulate the ISPs. Expect the tinfoil hat crowd to always speculate that any cyberwarfare attempt is really a ‘false flag operation’.
Regarding attribution of attacks, expect controversy whenever anything occurs and mass confusion to rule in case there are megapings. I recommend watching PBS Frontline’s Cyberwar or at least reading the transcript.
Securing Our eCity Contributing Writer
Author ESET Research, ESET