Peter Radatti

How To Win A Cyber War

By Peter V. Radatti

radatti@cyber.com

CyberSoft

December 17, 2008

My name is Peter Radatti. I am the founder and President of the CyberSoft Operating Corporation, a computer security company. If you are in the US Military or an allied national military, then you have used our products many times on a daily basis as they have been integrated into many support and weapon systems. You may or may not have actually heard of us.

How do you win a cyberwar? First we must define what "win" means in this context. Does it mean to destroy the enemy? No, I do not think so. The usual goals of a cyberwar are to subvert, disable or destroy the enemy. Worthy goals, but with today's technology a cyberwar is a war of mutual destruction. They destroy you, you destroy them. That is not a win, that is a draw, and under that definition of "win" a draw is the best you can hope for. Remember, everyone can afford the technology to stage a cyberwar. It does not require a nation or even great wealth.

So can we win? Yes! We change the definition of "win" to 'make all cyber attacks ineffective at a national level'. Then we can have a definitive win.

What is truly interesting about a defensive win is that the technology of defense can be universally shared, even with enemies, and everyone becomes stronger. Not just in the way that making encryption algorithms like AES public made them stronger, but also in the way that making all of the population immune to a virus can make that virus extinct. Witness polio, which is almost gone from the world but was once a scourge.

Cyberwar is a defense game. Attacks are only a side action. Remember the elephant really doesn't care about the flea, mostly because it doesn't have to!

So far all cyberwars have been skirmishes. Enough to know it is real but not enough to have been a 'war'. None have gone full scale. Once a cyberwar goes full scale you can expect it to become a war of mutual assured destruction. A cyberwar will destroy the Internet and with it all of the functions that have been moved to the Internet such as IP telephony, Internet banking, stock market transactions, online payment, IP cameras, X-ray sharing and telemedicine, international trade, email, web access and everything else that uses the Internet. Worst of all, people will not have access to their porn and stolen music. The costs to the economy will be immense. The cost to the technologically advanced nations, which are more dependent upon the Internet, will be greater than to countries which are not as heavily integrated into the Internet. Of course, the Internet is not the entire electronic infrastructure. The telephone networks, cable television networks, cellular phone networks and traditional broadcasting can all be involved in a cyberwar.

One of the problems of cyberwar is that most of the attacks are obvious to all parties involved. Denial of service is as good as taking down a system and a lot harder to deal with. Subversion of services is especially important since it can allow the attacker to take control of critical real-world actions. Software attacks are easy to formulate to bypass all commercially available virus scanners. Automated software attack 'factories' can generate millions of attacks which can flood a system. Consider each attack to be one missile. Given millions of different attacks, one of them will succeed. Even if they do not succeed, they will overload the scanning systems to the point of denial of service. Zombie systems can ensure that national perimeter defenses will fail since these attacks will originate from the inside.

Some of the attacks, such as IP flooding that causes denial of service, are hard to resolve because by their nature they take advantage of the defense as part of the weapon delivery. That is, systems which are intended to resolve these types of attacks can be overwhelmed by the attack, which then causes further denial of service downstream. Most defensive systems sit at choke points, thereby making them the best targets of attack. Control the choke point and that provides control of everything downstream at a reduced cost of effort.

There are a number of interesting things that need to be understood about cyberwar and its differences from either a hot or cold war. First, the number of people directly involved as attacker or defender will be small. The number of people affected as collateral victims will be large. Attacks may be staged with a slow pre-attack followed by a swift and decisive attack, or there may be no pre-attack at all. Only a very small percentage of the national network of the defender needs to be damaged for a victory. A cyberwar may be part of a larger war, most likely a hot one. The targets in a cyberwar will, by necessity, be civilian and military along with governmental. The more havoc the better. The goals of a cyberwar may be very different depending upon what stage the war is in. If the war is hot then the goals will be control of the enemy military infrastructure, manipulation of the enemy economy and disruption of normal services.

There have been actual small scale cyberwars. These attacks have been very limited but still instructive, as much by what was not done as by what was. So far, at least publicly, these have been limited to subversion of websites. There did not appear to be any use of standard attacks such as trailing IP packets which can overwhelm systems or much in the way of data flooding attacks. Those attacks appear to have been human operated while other small scale attacks appear to happen below the level of cyberwars. These can be automated attacks and more in the order of probing or research and development. From what I can see, everyone has the same attack tools but no one seems to have really great defense tools. Of course, if someone did I would not know about it!

The one thing we are sure of is that the attacker always has the advantage because they know when and how they are going to attack, while the defender has to be on guard all of the time, in every way. Yet the next cyberwar will not be won by the best attacker. The role of the attacker is important because you have to try and take out the enemy. You don't want to defend forever! The role of the defender, while imperfect, will determine who will win the war. The reason for this is that, by our definition, the winner is whoever still has an intact electronic and economic infrastructure during the war and when it is over.

It is not enough to harden and prepare just critical governmental systems during a cyberwar. Civilian systems must be afforded some degree of protection in order to avoid economic and emotional disruptions which will affect the men fighting the war. This is hard for several reasons, the most obvious being the scope of the entire problem. There are, however, simple solutions that could potentially provide a national anti-cyberwar umbrella. These solutions are often overlooked because they are simple, take advantage of simple physics and use the tried and true method of warfare: brute force.

The physics involved is simple. Cyberspace cannot exist without physical space. The entire cyberspace construct is imaginary. It is a way of thinking. What is actually happening is that information is flowing electronically over a medium, usually a wire or a radio wave. These wires have to converge in order to make interconnections. The number of places where convergence takes place, while large, is always finite. In fact, the higher you go in the physical tree of the Internet the smaller the number of connection nodes. It would be a very bad idea to attempt a defense at the trunk of the tree. There are too many branches and leaves above it, and they could easily flood any trunk-based defense until it becomes more of the problem than the solution. In fact, providing silent defense at the lowest levels of the physical branches of the Internet would reduce the size of the problem significantly and provide for instant, nationwide, brute force defense. What is best is that at the lowest branch-leaf level, the defense becomes reactive and regional.

If these defense systems were then given instruction by private channel such as satellite or any other method that does not rely upon the network being protected, then defenses could be developed and broadcast nationally within minutes. This would allow for instant deployment of tactical changes as the war progressed.

Viruses, Trojan horses, IP attacks and new, previously unknown attacks could all be detected and blocked. Zombie systems would be cut off and ineffective outside of their local area. In newer networks such as the Verizon FiOS network, the Comcast network and the Time Warner network, that local area could potentially be one subscriber household. Even if an attacker converted thousands of home and office computers into zombie systems they would be ineffective since they would be cut off from the remainder of the network.

A defense of this type might not even be noticed by the general public but would be very noticed by the attacker.

Where, in fact, do these local nodes exist? Telephone company local switching offices, cable company Internet control offices, radio WiFi control offices, dialup service providers (national and local) and, at the trunk level, the national interconnects operated by multiple organizations. In addition, all connections into or out of the country exist physically; these are especially finite and well known.

The only way to attempt to proceed with an attack in the face of an Internet Defense With Teeth is stealth. Using encryption or going slow and low might allow attacks to bypass pattern analysis, but if many of these nodes were then connected to a national aggregate data analysis center even a slow and low attack would be detected. In addition, a national center would allow for synergy and the concentration of the best of the best in an area that allows them to provide the maximum benefit.

Since we are talking about the physical layer of national electronic infrastructures, we should also consider that primary offices such as telephone exchange offices, Internet backbone offices and significant server farms such as Google, Yahoo, Microsoft, ServerBeach and others are probably not blast proof. One truck bomb can take out a significant amount of the electronic infrastructure for a geographic area. If that area is NYC, Washington DC, Los Angeles or Colorado Springs then the effect is national. One server farm such as ServerBeach may contain thousands of servers, each of which may contain hundreds of websites. The loss of one of these centers could be very disruptive to the operation not only of those websites but of thousands of other websites that rely on services from the disabled servers. Making these buildings blast proof is a well known off-the-shelf technology and now reasonably inexpensive. Generally only the building skirt (walls, windows and doors) needs to be upgraded to make an existing building blast proof.

It should be pointed out that the primary communications channels on the East Coast of the United States are all co-located in one specific area, traveling thousands of miles above ground in unhardened conduit. This is mostly because the right of way to allow the installation of cables already existed. A small explosive charge placed every 50 miles could disrupt all telephone and Internet communications in the Mid-Atlantic traveling north and south. In fact, this has already happened, yet no visible improvement to the security has been made. Armoring the cable in blast proof conduit would be much less expensive than running a secondary backbone or burying the cables.

Let's now discuss the physical properties of all electronic infrastructures. First, they all exist in the physical world. Secondly, they are finite and mostly fixed. A website might move from one server to another with just an automatic change of a Domain Name Service address, but the physical server is not going anywhere without someone disconnecting it and carrying it away. The same thing can be said for all of the cables. Almost all telephone and Internet communications exist on cables. Metal, fiber, string, it does not matter; the conduit exists physically. Even communications such as satellite links exist physically. While the satellite is not within easy reach, the ground stations are. If a radio link exists between two buildings, such as on a medical campus, it can be disrupted using a battery operated device. Easier still, just cut down the antenna or charge the antenna with 120 volts AC, which will burn out the transmitter. Again, the cables and antenna can be armored but rarely are. Doors to the rooftops of buildings are normally protected with locks that can be opened in less than 15 seconds with little skill by someone who knows how to use bump keys.

So all communications exist on conduits which physically exist and therefore can be physically disrupted. Disruption, however, is a double-edged sword. While an attack can disrupt conduits, the owner of the conduits can also deliberately disrupt them. For example, by careful mapping of the physical layer of the Internet, local geographic areas can be surgically disrupted to isolate attackers into undesirable topography. This is especially true of international communications, which have the additional advantage of being carried by a relatively small and well known number of conduits. Basically you are isolating the poisoned well so it does not poison the rest of the network.

In addition to disruption of service, there is a great deal of intelligence that can be learned by listening to the unmolested information flow. Cell phone communications are trivial to intercept at the local level. There have been cases of people intercepting cell phone conversations on I-95 near Washington DC and selling the resulting information to the press. Congressmen were the victims in this case, so they passed a law making it illegal. Still, anyone can modify off-the-shelf radio receivers to receive cell phone conversations. This is a problem that is actually easy to resolve: encrypt all cell phone conversations. This would not stop legitimate governmental wiretaps, but it would stop an enemy from automated collection of cell phone conversations in areas of interest. Encryption for normal off-the-shelf cell phones is available.

Now we turn our conversation back to the defense of individual computers. We already established that we can defend an entire country of computers by deliberate isolation of leaves of the Internet by severing. We discussed that we can protect the electronic infrastructure by blast proofing and changing locks. We discussed protection of cell and even normal phone line conversations by encryption. All of these are potentially rich targets for a cyberwar, but subversion of our computer infrastructure can be more devastating. Expect an enemy to produce a target list, that is, the computer systems and network segments they want to either eliminate or control. There is no reason why a defender could not develop the same list and then move to harden the systems on that list, either transparently or with the cooperation of the system owners. There are wartime precedents for this from World War II, when entire lines of production were protected in order to ensure that some required system downstream was protected. In the case of the Internet, the protection could even be transparent to the target. However, the very best defense is knowledge.

Knowledge is something that is in short supply in the computer industry. One of the reasons for that is that computer systems have become so complex that no one person can understand everything. There may be many thousands of files as part of the operating system or installed applications. A slow and low attack might modify one of these files via some unknown flaw in the system which, in effect, creates a back door. Who would notice one normally operating file hidden out in the open among thousands of files? Any baseline control system would. My company CyberSoft has been producing baseline control systems for almost twenty years. The knowledge of how to create and use baseline control systems has been around for a long time, yet they are rare.

CyberSoft's self healing systems, another type of baseline control where the system automatically corrects any deviation from the baseline, are a defense that can be implemented at any level. It can be put on every desktop, in every printer or network appliance, every server, every router and firewall. In short, if it connects to a network then it has a baseline, and that baseline can be controlled. Baseline control can breathe life back into a zombie system; it can make a virus infection moot. For a very tightly controlled system, it can remove or replace trojans and make the existence of unsuspected flaws moot. A system under strict baseline control will always repair itself and in doing so make most attacks against it moot. What good is a slow and low attack if it is detected at every system the attack is directed to? None. System integrity and operational capability are preserved by baseline control, making all forms of attack other than denial of service and destruction of the file system moot. Denial of service attacks are made moot by surgical severance of the network segment generating the attack. Mostly, all of this is automated and protection can happen faster than human decision making speeds.

All of the above is detected, and if necessary coordinated, by a national aggregate data center. The national aggregate data center is necessary to defend against attacks on the baseline and severance systems themselves. The automated defenses become the number one target because of their effectiveness, so these systems then need protection, and that protection is provided by aggregate data and self healing. When the baseline of a baseline control defense system is modified, that fact is recorded at the center. The baseline is corrected and then highly monitored. If a pattern is detected, then corrective action can be taken.

Even if no pattern is detected, the fact that a defense system was modified triggers a threat level advance that can be used to prepare. Think of this as a weather prediction system, except that the weather being predicted is a cyberwar. The advantage of an aggregate data center is that the longer it operates the smarter it gets, so that eventually a prediction of the start of a cyberwar becomes possible and a complete defense gives the win.
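The baseline control and self-healing idea described above, reduced to its core loop, as an added illustration in Python. This is not CyberSoft's product code; it assumes a trusted copy of every baselined file is kept in a separate store the monitored host cannot write to, and it emits event records of the kind an aggregate center would collect.

```python
"""Baseline control with self-healing (illustrative, not CyberSoft's code).
Assumption: trusted_store is a read-only copy of the baselined tree."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root, trusted_store):
    """Record the hash of every file under root and keep a trusted copy of each."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(path)
            dest = os.path.join(trusted_store, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(path, dest)
    return baseline


def check_and_heal(root, baseline, trusted_store):
    """Compare the live tree with the baseline and restore any deviation.
    Returns event records; files outside the baseline are reported, not deleted,
    so the removal policy stays with the operator (and the aggregate center)."""
    events, present = [], set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            present.add(rel)
            if rel not in baseline:
                events.append({"file": rel, "kind": "unexpected", "action": "reported"})
            elif sha256_of(path) != baseline[rel]:
                events.append({"file": rel, "kind": "modified", "action": "restored"})
                shutil.copy2(os.path.join(trusted_store, rel), path)
    for rel in baseline:
        if rel not in present:  # a baselined file that was deleted
            events.append({"file": rel, "kind": "missing", "action": "restored"})
            dest = os.path.join(root, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(os.path.join(trusted_store, rel), dest)
    return events


def verify(root, baseline):
    """True when every baselined file is present and matches its recorded hash."""
    return all(os.path.exists(os.path.join(root, r)) and sha256_of(os.path.join(root, r)) == h
               for r, h in baseline.items())


def demo():
    """Constructed scenario: baseline three files, then modify, delete and plant one each."""
    work = tempfile.mkdtemp()
    root, store = os.path.join(work, "system"), os.path.join(work, "trusted")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(store)
    for rel, data in {"bin/login": b"good login", "bin/sh": b"good shell", "etc.conf": b"x=1\n"}.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    baseline = take_baseline(root, store)
    with open(os.path.join(root, "bin/login"), "wb") as f:
        f.write(b"backdoored login")          # modified in place (simulated slow and low change)
    os.remove(os.path.join(root, "etc.conf"))  # deleted
    with open(os.path.join(root, "bin/extra"), "wb") as f:
        f.write(b"planted file")              # present but never baselined
    events = check_and_heal(root, baseline, store)
    return events, verify(root, baseline)
```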

All of the technology I discussed in this paper already exists. Most, except for the national datacenter, is common off-the-shelf. I am now available for questions.


Peter V. Radatti CEO CyberSoft, Inc 1958 Butler Pike, Suite 100 Conshohocken, PA
Voice: 610-825-4748 Fax: 610-825-6785 E-mail: radatti@cyber.com
Copyright 2004, 2005, 2006 Peter V. Radatti. All rights reserved.