Asymmetrical warfare in the Internet era
Here is something different for today. I’m going to put aside polls and political commentary to talk about something that I am an actual expert at (rather than a bloviating, well-informed amateur).
On November 28th, the Los Angeles Times ran an article about the recent cyber attack against DoD computer systems that possibly originated in Russia. While there is no smoking gun regarding its origin or whether it was a state-sponsored act, the results were effective with regard to the depth of penetration.
Defense officials would not describe the extent of damage inflicted on military networks. But they said that the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network.
I highlighted the passage above, because it is significant. DoD computer systems undergo sophisticated attacks from the hacker community every day. This is the price of being a large target that has a very large profile on the Internet. The DoD communicates with the rest of the world, and especially the defense industrial base, through the Internet, so it is impossible to avoid such exposure. Generally, the critical systems used to fight wars at the strategic through tactical levels are protected through isolation. These networks run Internet Protocols, but aren’t connected to the Internet.
If the attack penetrated a classified network, then it jumped an “air-gap”.
There is a distinction between “hacking” and “CyberWar” that most people don’t understand. Hacking is intended to penetrate a system to discover information or to gain control of the system so it can be used for downstream penetration attacks. CyberWar, however, is not intended to gather information; it is intended to alter your ability to conduct military operations. For example, suppose I have a small combat team in hostile territory and I want to send them satellite imagery showing details of an enemy stronghold. Hacking would try to determine the content of the imagery to find out how much we know about the enemy. In CyberWar, the enemy doesn’t care about the content of the imagery; they want either to keep the combat team from getting the information, or to somehow alter its contents to force a tactical mistake.
The problem is that most defensive systems (not all of them by any stretch) that the DoD has been working on provide protection against compromise of information, not protection for the integrity and availability of that information. This is especially true for commercial products sold today. VPNs and firewalls exist to keep your information from being exposed to unauthorized individuals. They aren’t intended to protect against denial of access to information, or to protect its integrity.
So if I’m going to attack you using CyberWar tactics, what are the results I want to achieve? Assuming that we aren’t in a shooting war, my ultimate measure of success is whether I can force a socially engineered change to your security policies that results in a degradation of your operational effectiveness. In this way, I’ve made you less effective in executing against my operations and thwarting my goals. Note this passage from the LA Times article.
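An added illustration (not code from the original post) of the gap described above: a channel that only encrypts keeps the grid reference secret, but lets a one-byte change in transit land cleanly on the decrypted message, while an authentication tag over the ciphertext makes the receiver reject it. The SHA-256 counter keystream is a stand-in for a real stream cipher, and the keys and tasking message are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed fixed demo keys; a real system derives fresh keys per session.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"\x00" * 8
MESSAGE = b"STRONGHOLD GRID 1234 5678"  # constructed tasking message

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for a real stream cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(plaintext: bytes, nonce: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream (decryption is the same op)."""
    ks = keystream(ENC_KEY, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def seal(plaintext: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC: the tag binds nonce and ciphertext together."""
    ct = encrypt(plaintext, nonce)
    return ct + hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()

def open_sealed(blob: bytes, nonce: bytes) -> Optional[bytes]:
    """Verify the tag first; refuse to hand over data that fails the check."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt(ct, nonce)

def flip_plaintext_byte(ct: bytes, index: int, old: int, new: int) -> bytes:
    """Model in-transit corruption: with XOR encryption a ciphertext change lands unchanged on the plaintext."""
    out = bytearray(ct)
    out[index] ^= old ^ new
    return bytes(out)

def confidentiality_only() -> bytes:
    # Offset 16 holds the '1' of grid '1234'; the receiver decrypts '9234' with no error.
    ct = encrypt(MESSAGE, NONCE)
    return encrypt(flip_plaintext_byte(ct, 16, ord("1"), ord("9")), NONCE)

def with_integrity() -> Optional[bytes]:
    # Same corruption against the sealed message: the tag no longer matches, so None.
    blob = seal(MESSAGE, NONCE)
    return open_sealed(flip_plaintext_byte(blob, 16, ord("1"), ord("9")), NONCE)
```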
The malware is able to spread to any flash drive plugged into an infected computer. The risk of spreading the malware to other networks prompted the military to ban the drives. Defense officials acknowledged that the worldwide ban on external drives was a drastic move. Flash drives are used constantly in Iraq and Afghanistan, and many officers keep them loaded with crucial information on lanyards around their necks. Banning their use made sharing information in the war theaters more difficult and reflected the severity of the intrusion and the threat from agent.btz, a second official said.
In war, information is more important than weapons. There is a cumulative effect resulting from information density that has measurable effects on casualty rates and tactical objectives achieved. Several tactical simulations have been performed in specific theaters to look at the results of a conventional war scenario using varying densities of information, with dramatic reductions in casualty rates, often over 50%.
But the result of this attack is the wholesale ban of the primary device used today for tactical information sharing.
Given my definition above, this CyberWar attack was successful. The military has responded by issuing a security policy change that has degraded effectiveness. We lost this battle, and we are not even sure which enemy we were fighting.
Well Dave...
Attack Mode (Diary) Thursday, December 4th at 5:25PM EST
It only takes one butter bar Lt. to decide to transfer something from niprnet to siprnet with a flash drive that he hasn’t scanned and poof the genie is out of the bottle. The DOD response was the correct response in my book.
Also with the implementation of using VLANs instead of separate physical networks they exposed their backend to theoretical attacks. Granted the theory of cross talk between VLANs hasn’t yet been proven, at least to my knowledge, but we may have just seen the effects of just that.
Now if this was a compromise of VLAN separation then it didn’t happen in theater since in theater they are still required to have separate physical networks.
Anyhow good diary.
“Land of the Free and Home of da Whopper” Peter Griffin…Family Guy
conform and celebrate diversity….or else!!!
Steel-Belted Radial Right Winger

“I’ll create 5 million jobs from out of unicorn farts and pixie dust” Justatron paraphrasing Obamessiah…yes I love it that much.
No idea why Aaron's comment is waiting for my approval
Dave_in_Fla (Diary) Thursday, December 4th at 5:42PM EST
But I’ll respond to it anyway, even though no one can see it. Aaron is right that the DoD response was the correct one, I’m not quibbling with it. Just like the correct response to an overwhelming attack is to retreat to a safe position.
The point is that this was a successful attack, because they forced the DoD to change their security policy into a rather draconian response, without regard to operational impact. From a classical war game perspective, the enemy won this round.
“If they were merely incompetent, then at least SOME of their actions would have been to the benefit of the country.” – Joe McCarthy
True Dave...they won this round....
Attack Mode (Diary) Thursday, December 4th at 5:51PM EST
The great thing about the gurus at DOD though is that they are very good at adapting and overcoming…in the long view you might say whoever perpetrated this attack tipped their hand way too soon.
Also my comment was more me just geeking on the subject more than anything else…;^)
Not a directed attack
Beaglescout (Diary) Thursday, December 4th at 10:55PM EST
According to the scuttlebutt that has been passing around in certain channels (no, not classified or even close), these infections were caused by people with USB thumb drives that got infected. They carried them to work and plugged them into work computers, and they didn’t get scanned for virus/spyware before the auto-run files executed. This requires that the antivirus programs in use by DOD didn’t identify this virus and stop it before it got going. I won’t speculate on why. According to Symantec, the most common worm/virus that spread using USB thumb drives is W32.Silly. 2Spyware.com describes it as a fast spreading piece of spyware with no destructive payload other than replication. Reading up on it, it appears to be remarkably nasty for a “non-destructive” worm because it infects all sorts of executable and non-executable files, emails itself out, and infects the autorun files of all media in the computer, removable and not. If someone puts a destructive payload into this it will be as bad as .
Removal instructions here and here.
“A nation which can prefer disgrace to danger is prepared for a master, and deserves one.”
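Both the LA Times passage on the malware spreading to any flash drive and Beaglescout’s point about auto-run files executing before a scan come down to the same control: inspect a removable volume’s autorun.inf before the host acts on it. The checker below is an added example, not the DoD’s tooling or anything from the original thread; the executable-extension list and the two sample autorun.inf files are constructed for the demonstration, and a real deployment would pair this with disabling AutoRun outright.

```python
import os
from typing import Dict, List

# File types Windows will run when named in autorun.inf (constructed list).
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

def parse_autorun(text: str) -> Dict[str, str]:
    """Key=value pairs of the [autorun] section, keys lowercased. Hand-rolled
    because real-world autorun.inf files often break configparser."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_autorun(text: str) -> List[str]:
    """Findings for one autorun.inf; an empty list means nothing auto-launches."""
    findings = []
    for key, value in parse_autorun(text).items():
        # open=, shellexecute= and shell\<verb>\command= are the launch directives
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches or not value:
            continue
        # program is the quoted path if present, else the first whitespace token
        prog = value.split('"')[1] if value.startswith('"') else value.split()[0]
        ext = os.path.splitext(prog)[1].lower()
        kind = "executable" if ext in EXEC_EXT else "unrecognised target"
        findings.append(f"{key} auto-launches {kind}: {value}")
    return findings

def scan_volume(root: str) -> List[str]:
    """Check the root of a mounted removable volume before anyone uses it."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return assess_autorun(fh.read())

# Constructed samples: a self-launching autorun.inf versus a label-only one.
SUSPICIOUS = "[autorun]\nopen=files\\update.exe\nshellexecute=files\\update.exe\nicon=files\\folder.ico\n"
BENIGN = "[autorun]\nlabel=Field Imagery\nicon=disk.ico\n"
```

Run `scan_volume` against the mount point of each drive as it is inserted; any non-empty result is grounds to quarantine the drive rather than open it.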