Citation for Michael Warner (2012): Cybersecurity: A Pre-history, Intelligence and National Security, 27:5, 781-799 – http://www.tandfonline.com/doi/abs/10.1080/02684527.2012.708530
Referencing for ‘Cybersecurity: A Pre-history’ – by Michael Warner
First and foremost – I want to say I enjoyed reading and then re-reading many of the chapters, and I found myself trying to uncover what the writer actually meant with the detail and thought about the subject(s) in question. Little of that found its way into this article. Highly recommended document.
Second, I want to share the most interesting remarks I found and try to align them somehow rationally with the thoughts I have regarding ‘cyber warfare’, or better said, with “critical, extended infrastructure where most of the human-related need for information processing exists for keeping up the continuity.” Well, hopefully I have now found some clues for the questions to the answers we currently have in our hands.
Text: Open Source: Feel free to copy, but name the source and invite to discuss. Do not alter my words.
The Logical path.
…it’s a metaphor, at large. Information and information superiority actually delivered what the 60’s imagined as flying cars and teleportation capability. No one imagined (except a few, the rare) that there would be a device the size of a matchbox which would allow communication, moving information at near the speed of light to places around the world, and actually teleporting yourself.
The logical path created such an enormous capability to utilize and to collaborate with information. For evil too.
As a big fan of real science and sci-fi too, I would find it really interesting to see how sci-fi literature, movies and the people involved in them might have been involved in shaping such a path, intentionally or without intent.
To raise up those who tickle human minds: writers do have an essential role. I’ll discuss the cyber games and playbook scenarios more later, but to create a working playbook scenario (note: in which, in general, I do not personally believe), I would hire some journalists and writers to co-op a sufficient model.
The Revolution part.
I recently had a discussion with some highly respected information security professionals about how we got here. Some said it was constant development from the early INTER-NET era, some said it was a rapid revolution. When discussing cyber and warfare with it, the history of interconnected information systems (“ARPA”) tells much. The capability of it and its offspring, so to say, created the ability to deliver the whole cyber warfare concept. No analog warfare is comparable with cyber as we tend to understand it.
I believe it was the revolution. It created a totally new science within information management capability. New science often creates new capability for warfare. Isn’t that obvious?
One more thing to add: cyber warfare feels inexpensive, but that is only half of the story. The actual ‘weapon’ or platform, the delivery mechanism, might be, but all that is required to make it happen is not. It has been paid for many times already, and bringing it up as a new concept is reinventing the wheel. However, the platformization of cyber weapons does require technology advancements, and delivering new technology costs. It requires talent, more than pure HW as in the kinetic world. Bribing people with a candy bar is not a new thing either.
The maliciousness part.
The majority of malicious activities performed to date are still very low yield and deliver moderate harm, mostly by denying access to services used by crowds. It’s not warfare, strictly. In addition to Warner’s list of cyber milestones, I believe there is some room for minor steps as well. Take, for example, a theme missing from the list: ‘Computers can do harm to physical infrastructure’. That’s 1970, when the first systems with such functions evolved.
Today we call them ICS or SCADA for lack of a better name.
I don’t want to go into preaching about the steps taken to implement malware on fortified information systems; that discussion has already found its way to family dinner tables. However, only a few actually understand what widespread maneuvers and operations something like it really requires. However, I am against the doctrine saying only countries fight wars. That simply is not true.
Organizations or loosely affiliated entities with serious will, an understanding of tactics and techniques and of how environments are built and used, AND of how to carry out the task, create as much of a threat posture as any nation existing at the moment. It is not necessarily about funding, but quality over quantity. Running such a ‘system’, say an ‘end2end service architecture’, requires an amount of resources to keep it running. APT, usually referring to nation-states with adequate funding, might see differentiation in the near future. It’s a stupid crypt0num anyway.
Can a country/critical infrastructure/way of life that is against the beliefs of an adversary be ‘cyber occupied’ before any notice of it? By whom?
Interesting mind game.
The part that fills the cabinet.
It’s no different now, actually. Take massive datacenters and the amount of data/speed they deliver at the moment. Put in parallel, it’s no different than it was in the early stages. Sure, computing power capabilities have grown rapidly, but the concept of operations (conops) at large is still the same.
More and more information is held by 3rd-party-managed entities, with applications which are utilized along the same logical path introduced before. Thinking about the current model of how information is used by, for example, mobile users and stored within the clouds, only a few really think through the security concerns involved. Larger posture delivers larger threat?
Organizations that are concerned about information assurance are, therefore, not willing to outsource their infrastructure or information assets to 3rd parties, even where their own ability to maneuver with information security may be less than the desired state defines.
This creates a rather interesting conclusion: there is NO GUARANTEE of information assurance within clouds, BUT basically Everyday Jack must use them due to the service architecture deployment, so what is the chance it’s not misused? Now, to fill in the equation on both sides, Everyday Jack is working for an organization that has NOT outsourced its information assets to the cloud(s) AND uses his mobile only partly for work. There is no security governance over clouds existing here.
The part that does access controls, identity management and the rest of the identification
Interestingly, the essay tells that RAND researcher Ware expressed concern with access controls and the management of user identification. Well, gentlemen – the issue still exists and is even worse today. There is currently no single entity that provides seamless, secure and ubiquitous user identity management within clouds.
So taking into account that Mr. Ware wrote the details back in the 60’s, when the concept of “Identity management” did not even exist, it feels like a nightmare and simultaneously highly motivating; some of the great thinkers did have an eye for such an issue, while industry has followed one logical trail too much.
Join this with the encryption theme in the clouds, multiple service providers and a theme I just love – BYOD, already filled with present-day issues. Happy?
The contemporary part.
About contemporary technology vs. ICS (commonly known as SCADA too). I would like to discuss this in detail, but instead I’ll just say: “Look what Kaspersky is allegedly working on at the moment.” A dedicated, security-enabled operating system for protecting critical infrastructure. Reason: contemporary technology does not provide a secure system in an open environment. The openness of the environment is created by other facilities required to run the ICS, not the ICS itself. This was exactly what the agencies needed, but it was put aside and industry followed the conops, resulting in bad information assurance discipline.
“OK, let’s take a non-COTS tool then? It will cost.” This is wrong! It still does not NEED to be NON-COTS technology. The Logical Path just made an illegal step.
The part that taps you.
What is interesting to find in the NSA-related parts is that the first point of the allegations was the NSA eavesdropping on U.S. citizens. How was that put in the first line within a democratically held, somewhat civilized nation? As I do not practice politics, I’ll rest my case. Everything is possible in the name of need. How do you solve the prisoner’s dilemma?
The part of Art for gaining access
I have once before read Mr. Roger Schell’s article regarding the tricks for gaining access to computer systems. It is pretty much a summary of real vulnerability analysis vs. the findings that exist by implementation. Secure by design AS an adversary asset summarizes many of the thoughts. Don’t get me wrong, there is a piece of paranoia left here for all to agree on by themselves.
However, it keeps me wondering how most modern malware was originally designed. With great knowledge of background information, making it secure for the adversary? Only the roles have been flipped over. Sounds familiar? Yes, it’s weird thinking, but rational.
Taking a small example: many of us might not know that while there are security applications keeping a watchful eye on TCP/IP, much of the secret and yet so visible stuff can be concealed in the Ethernet layer below. That can be used, for example, for communicating with a system open-handedly while delivering instructions to a legion of malware staying dormant within the environment, awaiting the correct packet to arrive.
Alternatively, a similar approach can be used to detect the defending side’s “radars”, to make this equivalent to the kinetic world. Once an array of “radars” or scanners has been detected, it is extremely hard to change the setup of defense capabilities instantly while keeping up the appearance of a believable posture and not revealing the tactics further. This creates an interesting game with tremendous speed. Don’t give me the bs of undetectable HW within networks. If Ethernet goes in, it is visible. Somehow it always disrupts the posture.
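Seen from the defending side, the Ethernet point above can be checked directly. The sketch below is an added example, not part of Warner’s essay or of the original post: it parses raw Ethernet frames and counts the traffic whose EtherType an IP-focused monitor never inspects. The allowlist, the function names and the sample frames are constructed assumptions.

```python
import struct
from collections import Counter

# Assumed allowlist of EtherTypes an IP-centric monitor already covers; tune per
# network (e.g. add LLDP 0x88CC or 802.1X 0x888E where they are in use).
EXPECTED = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags wrap the real EtherType

def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, ethertype or None, payload) for one frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    while etype in VLAN_TAGS:  # unwrap stacked tags so they cannot hide the type
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        etype = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        offset += 4
    if etype < 0x0600:  # 802.3 length field (LLC, e.g. spanning tree), not a type
        etype = None
    return dst.hex(":"), src.hex(":"), etype, frame[offset:]

def unexpected_l2(frames):
    """Count (source MAC, EtherType) pairs outside the allowlist."""
    hits = Counter()
    for frame in frames:
        try:
            _, src, etype, _ = parse_frame(frame)
        except ValueError:
            continue  # malformed capture entry; a fuller tool would log it
        if etype is not None and etype not in EXPECTED:
            hits[(src, etype)] += 1
    return hits

def _frame(dst, src, etype, vlan=None, payload=b"\x00" * 46):
    """Build a constructed test frame from hex MAC strings."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", etype) + payload

# Constructed sample capture (not real traffic).
SAMPLE = [
    _frame("ffffffffffff", "020000000001", 0x0806),           # ARP
    _frame("020000000002", "020000000001", 0x0800),           # IPv4
    _frame("020000000002", "020000000003", 0x88B5),           # IEEE local experimental
    _frame("020000000002", "020000000003", 0x88B5, vlan=10),  # same, VLAN-tagged
    _frame("0180c2000000", "020000000004", 0x0026),           # 802.3 length frame
]

if __name__ == "__main__":
    for (src, etype), n in unexpected_l2(SAMPLE).items():
        print(f"{src} sent {n} frame(s) with EtherType 0x{etype:04x}")
```

Only the host sending the non-IP EtherType is reported, whether or not the frame is wrapped in a VLAN tag.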
I want to make the whole computerized threat as clear as possible: each internetworked computer may pose a potential threat, and therefore a risk, to whoever is targeted. So I pretty much agree with Warner’s thoughts here, and history pushes this in correct detail too. Hey: do you think that putting IT infrastructure in the cloud would be any better than without it? Which one is worse?
The part that discusses multilevel security.
While the NSA was sceptical of multilevel or layered security, well, it sure looks like that was one of the design principles for Windows operating systems. Everyone who has worked in the field long enough is familiar with, for example, the Windows NT C2 security configuration tool. It sure makes one feel that people with an NSA background were highly involved in the design of Windows at that time and saw other features as more interesting.
Yes, there are multilayer security operating systems, but using them in the vast majority of organizations running, for example, ICS/SCADA or doing development work for highly sensitive purposes is out of this world. It’s not possible.
...which assembles the conclusion that while the agency was reluctant to push such an idea forward, the industry adopted a less secure way of doing its business and is trying to create auxiliary capabilities on top of insecure environments. Sounds familiar? BYOD?
Part that plays the games
Pushing the 1979 NORAD event into a present-day scenario: would a nation, with its important, critical infrastructure and the procedures that go with it, go nuts trying to figure out whether or not the scenario is really happening, to whom to attribute it and what is needed to disable it? Inter-organization co-operation is important, as the yield of such an offense is very often unknown. We do not have much modern, interworked history and background to lean on in the principle of learning from the past. Please, spare me the preaching about what the intent was. The intent IS to secure and defend the interest.
The games: most of the ‘war games’ initiated do not simulate such events too well, and even if they do, the playbook follows a pretty classic way of delivering the game. They do not take into account that there are actually no rules, and the adversary can, at their heart’s will, pop up a capability rapidly and then evade.
The Need for Speed part for the politics
As I do not practice politics, the following is written merely from understanding the feelings in the cyber community. Based on what Michael Warner writes and the background I’ve learned, it feels that the U.S. and so many other nation-states have created a billion-size issue out of information security (“cyber”) that is handled as a political issue only.
Borrowing from the books of war strategy, war is a continuation of politics – but it’s unnecessary to go to war without creating a defense posture while the game tells you that you are in the underdog position. I have to admit that the greater and more complex a nation grows, the more legislation it needs to keep its governance. However, the rapid expansion of information capability simultaneously created an extension in speed, with which politics did not keep up.
This, in turn, crafted an impossible model where a nation creates legislation or issues orders to create/protect the information society with tools too big and too costly, at a speed equivalent to a snail’s. Spitefully said, moving like a turtle would require rethinking the cyber defense posture from the beginning, including the “multilayer security” previously mentioned.
It looks like the U.S. has developed an ‘offense first’ strategy to keep the defense posture upright. Right?
The field. Nothing to add, it’s everything.
The 1991 operation DESERT STORM might have been the so-called ‘first information war’; however, information warfare is an age-old concept. Wikipedia claims it to be ‘primarily American’; however, that is not true at all. It has been widely adopted by the U.S. in past and current conflicts, operations and even businesses. If you think about the capabilities shown in the recent malware offenses against an adversary’s infrastructure, it is nothing like what was witnessed in DESERT STORM. Using such maneuvers to deliver non-kinetic power requires a vast amount of pre-planning, intel and even more time to enable ‘payloads’ accurately on the narrowed-down objective. Sure, the objective can be as wide and large as desired, but the same principles exist.
DESERT STORM was still highly analog. Currently, the concept is analog-digital, non-kinetic to kinetic. When do we see purely digital? If you think about the C2 structure, it exists in pretty much every IT-related operation somehow. It exists in one form or another in businesses, and it definitely exists in functions responsible for protecting information networks and decision-making structures, and in managing – or at least trying to manage – the amount of vulnerabilities and threats.
That being said, vulnerability to asymmetry gives a juicy spot for altering the C2 structure itself.
I once said that the globe is filled with chips with issues within them, made intentionally or by mistake as programming bugs. This in turn renders the sense of cyber defense capability useless, when in fact you are not able to trust your infrastructure at all. Risk appetite must be taken into account, realizing WHERE this is an issue and whether non-COTS can save the day in a cost-effective manner. For many of the routers available as COTS, the operating system can be patched by the user himself and even replaced with a “better” one.
If you can control the infrastructure from the bottom up, can you then control the administrative top too?
However, the demonstration in which the objective was to take control of power grid controls does not require, even today, any specialized tactics, techniques or procedures. Those come in handy when the attacker has motivation beyond curiosity, and then there is a requirement for dodging, deception, evading etc. – all the field stuff needed in the kinetic world too. Interestingly, the U.S., for example, has put lots of pressure on securing critical infrastructure while still leaving major holes on the technical and the maneuver side.
No FERC regulation is able to protect the environment against a determined opponent while the whole base is on non-solid ground.
Interestingly, Mr. Warner went back in his conclusions to the ‘decision’ to push the cyber capability envelope. If the joint understanding was reached in 1997, very little has happened after all. Or has it? Companies originating from the U.S. have developed an amount of technologies surrounding the theme and created a billion-size market. Full-spectrum cyber operations dating from then may have indicated a wider yield in using OSINT capabilities and structures already happening. Would it be a miracle, with all the SOME and information currently available?
We could easily say that the verdicts made have been highly cost-effective decisions, don’t you agree?
However, when it comes to the security posture of the U.S. and, it would be fair enough to say in parallel, other nation-states too, I see very little that really shows a nation’s cyber defense capability in place. I admit it is not a matter for one single organization to deliver, but how come so little that is concrete has happened in the sector since 1997, even while the world and potential adversaries have evolved so much? How has security been such an issue? Compare it to the kinetic world and you should see the misalignment.
In warfare, simplicity should be power when utilized, but complexity when confronted.
I wonder what CN is doing while being reluctant to utilize COTS stuff from the rest of the world?