From Megatons to Megapings: Cyberwarfare

A bit of news this week dealt with Cyberwarfare. Far from becoming part of the tinfoil hat crowd, cyberwarfare has been growing in real world relevance in the past eighteen months and is the primary impetus for pending legislation. While in the Cold War, detente could be measured in the megatonnage of nuclear weapons, the ability of measurement for Cyberwarfare (megaping, if you will) is very different.  In the past ten days in one publication,, two experts – Richard Clarke and Jeffrey Carr – have held very dissimilar philosophical viewpoints. Clarke sums up:

    • Around the world 20 to 30 nations have formed cyberwar military units. Everything we were talking about 10 or even 20 years ago in terms of cyberwar is happening, except for the development of relevant international law.
    • So we're at a very perilous point where the U.S., among other nations, have very capable cyberwar units that are "preparing the battlefield"–planting logic bombs and trapdoors in each other's infrastructures–and they don't really know what their strategy would be if there were a cyberwar.

Jeffrey Carr at first glance looks skeptically at the cyberwar threat as overhyped. Carr does frame the espionage threat from China accurately and in his top five cyber fallacies he claims this about cyber warfare and China:

    • [The China Fallacy] paints China as the number one adversary in anything having to do with cyber conflict in spite of the fact that there isn't a shred of historical evidence to prove it. The Peoples Republic of China has never engaged in military operations utilizing its information warfare capabilities against another nation state. The same cannot be said for the U.S., the Russian Federation, Georgia, Israel, and the Palestinian National Authority/Hamas.
    • The PRC leadership are not religious extremists (e.g., Iran) or militaristic wildcards (e.g., North Korea, Myanmar). When you paint the PRC as the world's greatest cyber threat, you miss what China is actually excelling at (cyber espionage) and you overlook and/or underestimate the authentic threats from other nation states that are busy eating your lunch without you knowing it.

Then again, Carr didn’t spend five years trying to convince two administrations of the threat of Al Qaeda, which Richard Clarke did. Richard Clarke agrees with Carr on China not yet being being identified conclusively as the instigator of a threat, however he disagrees with Jeffrey Carr’s assessment in stating that ‘launch platforms’ have been used from within China, most probably by North Korea:

    • The best-prepared country for cyberwar is one that can't be attacked but can perform its own attacks.
    • North Korea, like Afghanistan, has nothing to attack. But they're launching cyberattacks from South Korea and China. They're taking over whole floors of hotels in cities in China to set up teams of cyberwarriors.
    • In pure capability, our biggest enemy is Russia, followed closely by China. But if you ask who's the biggest threat in the sense that they might use their abilities, it might be North Korea. First, they're crazy, and second, they have nothing to lose.

Identifying the threat: Who is the Bad Guy

In warfare theory and historical precedent, having a civilian team working inside another country’s infrastructure has another name: Terrorism. Geneva Conventions stipulate combatants need to be identified – uniforms, ID cards, etc. When they’re not, it’s little more than a street fight between heavily armed factions not unlike Somalia in the 1990s. 

In 2003, Robert Clarke mentioned in PBS Frontline’s Cyberwar, how difficult assessment of weaponized software might be. Carr’s continued analysis seems to read like there’s no threat since nothing’s been done as far as China is concerned, while Clarke states that a more subtle operation has been going back and forth for years. Plausible deniability makes for the perfect vector – little risk and everything to gain

I don’t doubt Clarke’s sources however the attribution of attacks or cyberspying from within China does give me concern. Clarke says this is something that can be solved:

    • With more time, I think we can solve the attribution problem. You can't find the origin of an attack in real time. But ultimately you can do the forensics if you can hack into all the servers. The NSA can do that. And the NSA tells me that attribution isn't really a problem.

As for historical precedent with Russia, in The Cyberwar That Wasn’t, Jeffrey Carr lists internal dissidence as the main Cyberwarfare target of Russia:

    • To sum up, when the Kremlin opposes dissidents (inside the Russian Federation or members of the Commonwealth of Independent States), we see denial of service, SQL injections, and other types of cyber attacks including cyber espionage being conducted against those groups. It has happened multiple times in Ingushetia, Kyrgyzstan, Khazakhstan, Lithuania, and Ukraine as well as ongoing cyber operations (aka Information Warfare) run against [Russian Federation] dissident groups on a regular basis.

Analysis: Bad Moon Rising

Carr’s got some interesting views. Not all of them are ones I agree with. Carr seems to suggest that since we haven’t seen cyberwarfare employed by a country that it’s not really a threat. Historically in warfare, the threats you can see are not always the worst ones to worry about.

Clarke states that the hidden threats are ones which we should be concerned with. Research into SCADA probing, hardware manufacture overseas, and actual ownership of data pipelines tend to support his theories of embedded threats being a larger threat. Embedded being where Bad Guy A has concentrated logic bombs and trapdoors rather than simple and real-time DDoS and infiltration attempts.

Regarding who the Bad Guy in an attack really is, Clarke states:

    • I think an accidental cyberwar [with China] could happen, and escalation could occur very rapidly.

Caveat: Accuracy

There are some flaws with Richard Clarke’s theories. For instance, the FCC cannot do what he feels they can – at least not right now according to last week’s ruling and to be fair, Clarke’s interview with Forbes could have happened previous to this ruling. Here’s a bit from his interview which is incorrect, yet focused in the right direction for what Clarke feels needs to happen:

    • What I'm talking about would have no economic effect. The FCC can tell the tier one Internet service providers that they–not the DHS or the NSA–have to use a sophisticated search capability to look for patterns of malware.
    • AT&T and Verizon tell me they can do that tomorrow. We'd do this with the involvement of the privacy community. And it would solve 70% to 80% of the problem.

Key Analysis: Continued Confusion

Expect some legislature to be proposed (and to most likely die horribly) to give the FCC authority to regulate the ISPs. Expect the tinfoil hat crowd to always speculate that any cyberwarfare attempt is really a ‘false flag operation’.

Regarding attribution of attacks, expect controversy whenever anything occurs and mass confusion to rule in case there are megapings. I recommend watching PBS Frontline’s Cyberwar or at least reading the transcript.

Securing Our eCity Contributing Writer

Author , ESET

Comments are closed.

Follow us

Copyright © 2017 ESET, All Rights Reserved.