
Wednesday, 20 June 2012

Arquilla's "Cool War" is Fiction

In this article for Foreign Policy, John Arquilla poses the question "Could the age of cyberwarfare lead us to a brighter future?". Arquilla proposes that it will but his article utterly fails to make the case.

He builds his case for pure cyber war as an alternative to kinetic war by using Stuxnet as an example claiming that it achieved "a serious disruption of Tehran's nuclear enrichment capabilities -- and possibly of a secret proliferation program." The fact is that Stuxnet caused limited disruption (by design) and it failed to halt Iran's nuclear enrichment program. It's also important to note that Stuxnet was only discovered because the malware design was flawed, which underscores the fundamental problem with Arquilla's imaginings of the efficacy of a pure cyber war. The effects of malware are often unpredictable and unpredictability is the enemy of military planners.

Later, he suggests that Flame, the cyber espionage tool which apparently infected Iran's network years before the Stuxnet worm was created, demonstrates how cyber espionage can replace old school tradecraft - "The code that comprises it seems to make the point that we no longer need physical agents in place if we can now rely on artificially intelligent agents to dredge up the deepest secrets." This is as ridiculous a notion as the one that Arquilla offers about cyberwarfare replacing boots on the ground. Both Chinese and Russian intelligence services continue to recruit human assets for acts of espionage even as they utilize cyber espionage as a force multiplier. HUMINT isn't going away - ever.

Arquilla writes that "On balance, it seems that cyberwar capabilities have real potential to deal with some of the world's more pernicious problems, from crime and terrorism to nuclear proliferation. In stark contrast to pitched battles that would regularly claim thousands of young soldiers' lives..." I challenge Professor Arquilla to present even a shred of evidence that supports his fantasy that this future could ever come to pass. I don't know what John Arquilla's motivations are behind this embarrassingly weak article but I wouldn't accept this from a student let alone a professor of his standing.

Monday, 19 December 2011

The Use of Covert Cyber Counter Strikes as Active Defense (and other topics) at Suits and Spooks DC

Waterview Conference Center,  Rosslyn VA
Can the U.S. legally engage in covert cyber counter strikes as a form of active defense against hostile actions by non-state actors in Russia, China or elsewhere? That's one of the forward-looking talks being given at Suits and Spooks DC by Professor Catherine Lotrionte of Georgetown University.

Are tamper-proof chips really tamper proof? Can firmware be extracted from the locked chips such as those used on the captured RQ-170? Travis Goodspeed will show how it can be done on the cheap.

Can a privately funded spy satellite system be used to secure evidence targeting criminal behavior by governments or their officials? Thanks to the work of the Enough Project organization, we know the answer to that question is yes. Jonathan Huston will explain how they did it.

And that's just 3 of our talks. In addition to Catherine, Travis, and Jonathan, Suits and Spooks attendees will interact with:
  • Don O'Donnell - Rand Corporation
  • Rand Waltzman and Randy Garrett - DARPA
  • Dan Geer - In-Q-Tel
  • Anup Ghosh - Invincea
Then from outside of the InfoSec space, reflecting our multi-disciplinary approach, we'll hear talks from:
  • Christopher Burgess - Atigeo
  • Ben Milne - Dwolla
  • Janina Gavankar - Posterous Spaces for Actors
  • John Robb - author, Brave New War
  • Jodee Rich - CEO, PeopleBrowsr
Every attendee will have an opportunity to ask questions and interact with the speakers in an elegant setting overlooking the Potomac river and the Capital. The entire day will be focused on brain-storming new security solutions that we hope will give birth to a revolution in security affairs. Real-time analysis on a Palantir workspace will be flashed onto a screen behind the speakers and a final report will be issued afterwards to members of Congress and interested agencies.

Pricing includes breakfast, lunch, and a wine reception afterwards:
  • Students and academics: $195
  • Gov't employees: $295
  • Early bird registration: $395
  • Standard registration: $495
The early bird registration ends January 6, 2012 and we are capping attendance at no more than 100 individuals, including speakers so reserve your seat today.

Monday, 12 December 2011

My Expensive "Expert" Advice for the U.K. Government On Cyber Warfare

I was going to name this post "My Free 'Expert' Advice ..." but we all know that free advice is ignored so once I hit the 'publish' key on this blog, I'll send an invoice to 10 Downing Street requesting payment. I'll make sure that the invoice is in 7 figures since they're obviously quite willing to throw extravagant amounts of money at companies with the word "expert" in their marketing materials (hence my use of the word "expert" in the title).

The reality is that there are no experts in this field. I wrote a well-received book on the subject, have spoken at dozens of conferences, had papers published, regularly consult for U.S. and foreign government agencies, and have engaged in incident response for very large corporations and I don't call myself an expert. In fact, authentic experts never bestow themselves with that title. If it's used at all, it's given to them by others who have experienced their work first-hand. I know many people who I would call experts in different fields but none in the area of cyber warfare. The field is too new, too undefined and we're all still finding our way.

The British government appears to have bought into the marketing materials of prime contractors like Lockheed Martin, BAE, Raytheon, General Dynamics, RSA, McAfee, Mantech and who knows who else. Big mistake. They not only cannot protect the British government, they've been unable to protect the U.S. government. The director of the NSA along with the director of DARPA have both admitted that the current security framework we use is broken. Who implements that framework? Prime contractors like the ones I mentioned above and their sub-contractors with some help by government employees.

So here's my "expensive expert advice" for whoever is in charge of the British government's purse strings:

  1. You can't keep China, Russia, France, or any other State out of your network. They're already there and they aren't leaving.
  2. You can't secure what you don't own so if you want to secure your power grid, buy it back from the Chinese company that owns it.
  3. If anyone tells you that they can do 1 or 2 above, grab your checkbook and run the other way.
  4. While you can't keep bad guys out, you can raise the cost to mount a successful attack. Or - you don't have to outrun the bear, you just have to outrun the other countries who are being chased by that bear (or dragon).
  5. While you can't keep a dedicated adversary out of your network, you can keep your data from leaving. That's in large part where you need to focus your resources and where you'll get the best return-on-investment.
  6. You have serious supply chain problems and need to start testing firmware updates for all those servers that you own which were made in China for backdoors.
  7. You have serious software issues and need to investigate any code written by Russian firms for backdoors.
  8. Cancel your contracts with Chinese telecommunications companies if they are providing products that would give them access to sensitive data.

My bill is in the mail.

Related:
Britain Has Already Lost A Future Cyber War


Sunday, 04 December 2011

Was Iran's Downing of RQ-170 Related to the Malware Infection at Creech AFB?

The Washington Post has reported that Iran's cyber warfare unit took over the controls of a Lockheed Martin RQ-170 Sentinel stealth drone flying over Eastern Iran and landed it with minimal damage. As of this writing, the U.S. Air Force hasn't yet confirmed or denied the attack. I've left a message with the on-call PA officer at Creech Air Force Base, which is the home of the 432d Wing which flies RQ-170 Sentinels according to this factsheet.

Creech Air Force Base, as you may recall, suffered a malware infection of its Reaper and Predator Ground Control Stations last October. After Noah Shachtman broke the story, the Air Force issued a press release claiming that the malware was a simple "credential stealer" and not a "keylogger", which is a distinction without a difference as I pointed out here. Approximately one and a half months after the Air Force issued that statement, Iran claims to have successfully compromised the flying operations of one of its drones - possibly flown out of the same Air Force base.

Iran's Cyber Warfare Capabilities

Note: The following assessment comes from chapter 16 of the 2nd edition of Inside Cyber Warfare, due out this month:
In 2010 the Iranian Islamic Revolution Guards Corps (IRGC) set up its first official cyber warfare division. Since then, its budget and focus has indicated the intention of growing these cyber warfare capabilities. Education is considered a top priority in the strategy, with increased attention to computer engineering-specific cyber security programs. The IRGC budget on cyber capabilities is estimated to be US$76 million. The IRGC’s cyber warfare capabilities are believed to include the following weapons: compromised counterfeit computer software, wireless data communications jammers, computer viruses and worms, cyber data collection exploitation, computer and network reconnaissance, and embedded Trojan time bombs.
The cyber personnel force is estimated to be 2,400, with an additional 1,200 in reserves or at the militia level. In June 2011 Iran announced that the Khatam al-Anbiya Base, which is tasked with protecting Iranian cyberspace, is now capable to counter any cyber attack from abroad, a claim that will likely be tested soon given the volatile nature of cyberspace. In August 2011 Iran challenged the United States and Israel, stating that they are ready to prove themselves with their cyber warfare capabilities. Should the Iranian cyber army be provoked, Iran would combat these operations with their own “very strong” defensive capabilities. 
In my opinion, the U.S. Air Force needs to respond to this claim by the Iranians quickly and authoritatively because its lackluster conduct regarding the initial infection found at Creech makes this claim by Iran more believable, not less.

UPDATE (1121 04DEC11): CNN quotes a U.S. official confirming that an operator lost flight control of an RQ-170 Sentinel over Western Afghanistan (which borders Eastern Iran).

UPDATE (1807 04DEC11): Western sources are reporting that the RQ-170 drone was shot down however FARS quoted an Iranian military official saying that it was taken down via electronic means "with electronic war units" and with minimal damage which makes this a cyber attack. The Al-Jazeera story is here.

Sunday, 23 October 2011

Clausewitz and Cyber War

Thomas Rid's paper for The Journal of Strategic Studies has the provocative title "Cyber War Will Not Take Place". Rid's argument is relatively straightforward. He uses Clausewitz to define the three characteristics of war: "Any act of war has to have the potential to be lethal; it has to be instrumental; and it has to be political." To be instrumental, according to Rid, there has to be a means and an end. "Physical violence or the threat of force is the means. The end is to force the enemy to accept the offender’s will." Then he uses published sources to list examples of cyber war (thankfully he avoids using the more common and in my opinion erroneous term "cyberwar") and shows how none of those examples meet each of the three criteria. In brief, Professor Rid concludes that there has never been an act of cyber war and that there probably will never be one (his final sentence leaves room for an "act of Cassandra").

Personally, I'm not a fan of the term "cyberwar" as evidenced by a recent article that I wrote for Slate, however it is apparent to me as someone who specializes in nation state activities in this area and as the CEO of a company whose clients are on the receiving end of some of those activities, that traditional thinking about warfare has been made obsolete by our dependence upon cyber-space-time. The environment within which war is conducted has been permanently altered since Clausewitz' time. Sun Tzu would have been a better choice because he at least considers the superior option of winning a war without fighting. But even within the parameters that Professor Rid has established, here are three examples that fit the Clausewitz test of being lethal, instrumental and political:

  1. Kyrgyz Intelligence assassinates Gennady Pavlyuk. Kyrgyz intelligence cracked Pavlyuk's email account and used the information they obtained to lure him out of the country under false pretenses resulting in his murder.
  2. Mossad assassinates Mahmoud Al-Mabhouh. Israel's Mossad mounts an operation to assassinate Hamas leader Mahmoud Al-Mabhouh which includes infecting Al-Mabhouh's computer with a trojan horse virus. 
  3. Iran's IRGC arrests 30 dissidents after cracking U.S. hosted webservers. 

None of these are isolated incidents. The government of Iran continues to mine social networks to identify and arrest dissidents. Israel is one of the few nation states that openly admits to conducting cyber operations; some of which have lethal consequences. Pavlyuk's murder preceded the latest revolution in Kyrgyzstan by just a few months. And these are just the operations that we know about. There are many more examples that we'll never hear about but need to bear the probability of their existence in mind when weighing arguments by cyber skeptics like Martin Libicki, Marcus Ranum, Gary McGraw and Thomas Rid. Instead, I refer you to the "Classic of Weiqi in 13 chapters" (.pdf):
Ever since ancient times, no player has ever happened to place the pieces on the board in exactly the same way as he did during a preceding game. Therefore, reasoning must go deep and analysis must be perfect, and an attempt must be made to understand the processes that lead to victory and defeat: only in this way is it possible to attain that which is still unattained.
Related:
OECD's Cyber Report Misses Key Facts


Tuesday, 18 October 2011

Britain Has Already Lost A Future Cyberwar

Britain's Foreign Secretary William Hague decided it was a good idea to announce in The Sun that Britain 1) will strike first against an adversary planning to attack Britain and 2) doesn't have the money to adequately defend itself from a future act of cyber warfare.  He also said that he couldn't guarantee the safety of Britain's critical infrastructure "including water works, power plants, and air traffic control systems". For some reason Secretary Hague thought these pronouncements would be a good idea in light of an upcoming conference that he's hosting in London on Nov 1-2.

I haven't been invited to participate in that conference but if I were, here's the guidance that I'd provide to the Foreign Secretary - in brief:

Two Things You Don't Want To Do:
1. Don't threaten retaliation or preemption when you have no way of knowing who the attacker is. It gives away the fact that you don't have a clue about the environment which means that in any given war in that environment - you lose.
2. Don't acknowledge that you can't afford to defend your networks; even if it's true. It makes you a more attractive target and reveals a key vulnerability that's sure to be exploited.

Two Things You Do Want To Do:
1. Stop spending your limited funds on offensive cyber weapons and spend it on resilience.
2. Buy back your critical infrastructure from the foreign companies who currently own it; especially the Chinese. You can't defend what you don't own.

I have a few friends in Britain's intelligence community so I don't mean for this post to sound snarky or cruel. The fact is that you have some serious internal conflicts in your government and Ministry of Defense about how to allocate resources and identify threats in cyber-space-time. If you're seriously looking to defend Britain from a future act of cyber-war, please take my above guidance to heart.

Related:
Why the U.S. Will Lose A War In Cyberspace

Thursday, 18 August 2011

Attribution: Vital For Offense; Irrelevant For Defense

Traditional models of deterrence require that an attacker knows that there is a price to pay for engaging in a hostile act against another party. For this model to work, attribution is critical. Unfortunately, attribution is very hard to achieve when it comes to cyber attacks. When we speak about taking offensive action against another nation state, attribution correctly applied is VITAL. Correct attribution makes the attack justified. False attribution makes the attacking state an international pariah.

When we speak about how to defend our valuable assets from cyber attacks, we don't need to know attribution because the best defensive strategies don't rely upon knowing who your attacker is or even stopping the attack at the perimeter. The very best strategy today is one that is data-centric, not network-centric. When we consult with companies that have been victims of a breach, we do our best to identify who may have been responsible but we stress that regardless of who did it, the company should re-design its security framework to be data-centric, not network-centric. Then it won't matter who attacks you because regardless of who it is they most likely won't be leaving with what they came for.

So is attribution necessary? Yes and No. If you want to strike back, yes. If you want to stop an attack from being successful, no. 

Wednesday, 27 July 2011

Why the U.S. Will Lose A War In Cyberspace

There's not another nation in the world that can wage kinetic warfare as effectively as the United States, and that is probably at the heart of the reason why the U.S. will lose a war fought in cyberspace. It's not because we don't have skilled cyber warriors, because we do. It's because present leadership in the Department of Defense is trying to fit the round peg of cyberspace into the square hole of meat space. A perfect example of this mindset is found in the Spring 2011 edition of Strategic Studies Quarterly "Rise of a Cybered Westphalian Age" wherein the authors write [1]:
First, the technology of cyberspace is man-made. It is not, as described by the early “cyber prophets” of the 1990s, an entirely new environment which operates outside human control, like tides or gravity. Rather, as its base, the grid is a vast complex system of machines, software code and services, cables, accepted protocols for compatibility, graphical pictures for human eyes, input/output connections, and electrical supports. It operates precisely across narrow electronic bands but with such an amalgamation of redundancies, substitutions, workarounds, and quick go-to fixes that disruptions can be handled relatively well as long as everyone wants the system to work as planned.
In the earliest days of the Internet, otherwise known as Web 1.0 (the Read-only Web), the above was certainly true. As we moved to Web 2.0 (the Read-Write Web), it became less true. The more integrated our physical and virtual lives become (Web 3.0), the farther away from that definition we land. The fact that the authors of the paper still believe that cyberspace is nothing more than a man-made piece of hardware says volumes about how the domain is misunderstood at the highest levels of the DoD, which is obvious with the miscategorization of cyberspace as a 5th domain [2]:
Though the networks and systems that make up cyberspace are man-made, often privately owned, and primarily civilian in use, treating cyberspace as a domain is a critical organizing concept for DoD’s national security missions. This allows DoD to organize, train, and equip for cyberspace as we do in air, land, maritime, and space to support national security interests.
I've touched upon the concept of n-dimensional conflict here, and I'm writing a chapter on it for the 2nd edition of "Inside Cyber Warfare" (O'Reilly, 2009). In the course of my research, I've come across the work of theoretical physicist Basarab Nicolescu who argues that cyber-space-time (a more accurate name than "cyberspace") is both artificial and natural at the same time [3]:
The information that circulates in CST is every bit as material as a chair, a car, or a quantum particle. Electromagnetic waves are just as material as the earth from which the calculi were made: it is simply that their degrees of materiality are different. In modern physics matter is associated with the complex relationship: substance-energy-information-space-time. The semantic shift from material to immaterial is not merely naive, for it can lead to dangerous fantasies.
One of Nicolescu's influences was Nobel laureate Wolfgang Pauli and Pauli, in turn, was fascinated by Carl Jung's theory of Synchronicity. In fact, Pauli and Jung spent a great deal of time together because Pauli believed that there was a relationship between Jung's acausal connecting principle and quantum physics; specifically a conundrum known as "quantum indeterminacy" [4]. In a kind of ironic twist, Carl Jung's theory of synchronicity has its genesis in his fascination with an ancient Chinese oracle called "The Book of Changes" or Yijing. It is a divinatory oracle that dates back to the Qin dynasty and teaches that the universe is composed of parts that are interconnected. The yarrow stalks used in the Yijing symbolize those parts while the casting of them symbolizes the mystery of how the universe works (Pauli's quantum indeterminacy). Chinese emperors and generals have used this oracle since approximately 300 BC and it may still provide a glimmer of insight into the mysterious nature of this new age of cyber-space-time and how cyber battles may be fought and won.

Unfortunately for Western nations, synchronicity has its origins in the East. Western nations have a tradition in causality, not synchronicity. And the U.S. Department of Defense is deeply grounded in traditional western thinking and practicality. The decision to call cyberspace a domain was based on organizational necessity. That's how DoD is set up. It's how budgets are created and funds distributed. It's how contracts get assigned. Simply put, it's how things get done at the Pentagon. This is why the U.S. will lose a war fought in cyberspace. A strategic doctrine built upon a flawed vision cannot yield a victory against an adversary whose knowledge of the battlespace is superior to our own.
____
* Even though Pauli's lifetime preceded the Internet age, he wrote extensively about a unifying connecting principle which bridged mind and matter. Nicolescu references Pauli's work and calls that connecting principle Cyber-Space-Time.

References:
[1] Chris C. Demchak and Peter Dombrowski, "Rise of a Cybered Westphalian Age", Strategic Studies Quarterly Spring 2011
[2] Department of Defense Strategy For Operating In Cyberspace, July 2011
[3] Basarab Nicolescu "The Manifesto of Transdisciplinarity", SUNY Press 2002
[4] The Information Philosopher web page (http://www.informationphilosopher.com/freedom/indeterminacy.html)

Wednesday, 29 June 2011

7 Reasons Why China Isn't The World's Biggest Cyber Threat (And Who Is)

When it comes to threats in cyberspace, conventional wisdom and expert commentary assign the number one slot to the country with the most failed operations. A failed operation is defined within the intelligence agencies of most countries as a compromised operation; i.e., one whose existence was discovered. It's important to note that the attribution of any specific country to any specific attack is an untrustworthy mix of art and science based upon IP address, who was victimized, technical evidence in the code, and what "feels right" to the person or team investigating. Based upon this formula, China has been ceded the top position as the number 1 cyber threat in the world.


Instead, I propose that you put aside the marketing hype, the questionable attribution methods, and the upside-down formula of # of failed ops = greatest threat and re-evaluate the cyber threat landscape through a more rational lens. To that end and in the hopes of stimulating some informed discussion on the topic, here are 7 reasons why the Russian Federation should replace the People's Republic of China as the world's most dangerous cyber adversary.

1. Russia is the only nation that has engaged in a military action with a cyber warfare component: The Russia-Georgia War of August, 2008.
2. Russia is the only nation that has engaged in a cyber attack which crippled components of an entire nation's critical infrastructure sporadically over a three week period: The Estonia Cyber Attacks 2007
3. Russia's Prime Minister formerly ran industrial espionage operations for the KGB and still considers such operations an asset to the country.
4. Russia has built a parallel military and civilian information warfare infrastructure that it actively uses against internal and external adversaries. For example, the Federal Security Service's 16th Directorate which is responsible for the interception, decryption, and processing of communications has recently been identified as Military unit (VCH) 71330.
5. The Russian government funds organizations like the Nashi which engage in cyber attacks and other malicious acts.
6. Individuals closely aligned with the Russian government are prominent venture capitalists who invest in the world's largest social network companies and in U.S. technology startups as a self-funding open source intelligence operation.
7. Unlike China, Russian cyber operations are rarely discovered, which is the true measure of a successful op.

-------------
For full disclosure, my company provides this type of research to corporate clients so that they can better gauge their risk among the world's threat actors.

Monday, 27 June 2011

Thomas Wright Falsely Claims U.S. Double Standard In Cyber Warfare

Thomas Wright is the Executive Director of Studies at the Chicago Council on Global Affairs. His OpEd in the Financial Times today "America has double standards in fighting cyberwar" attempts to make the case that the U.S. is hypocritical in its approach to building an international consensus on cybersecurity.

While Wright's academic credentials are impressive, he loses a lot of credibility with his opening sentence which claims that the CIA website was hacked, and that it, plus the IMF and Citibank attacks have pushed us to the brink of "cyberwar". Frankly, anyone who thinks that a website that suffered a Denial of Service attack has been "hacked" has no business writing about cyber-anything let alone something as emotionally charged and least understood as "cyberwar".


He immediately moves on to mis-state the White House position on optional responses to a cyber attack. There is no White House strategy that treats cyber attacks as acts of war. I encourage Mr. Wright to actually read the White House's International Strategy for Cyberspace (.pdf) rather than guessing what it contains. Here's a very brief summary taken from the report:
"International Strategy for Cyberspace", p. 12
Later, he refers to the well-publicized but non-supported theory that the Stuxnet worm was a U.S-Israeli operation. Personally, I doubt that Mr. Wright has spent any time at all evaluating what is known and unknown about the Stuxnet worm but I challenge him to present any evidence in support of that theory. He won't, of course, because there is none.

Thomas Wright has a Ph.D. in government from Georgetown University and lectures on National Security. He apparently is not a lawyer so I can forgive his liberal use of "act of war" which is a non-existent entity in the Law of Armed Conflict. But he's sufficiently educated where one of his professors at Georgetown, Cambridge or University College Dublin should have taught him some critical thinking skills. It doesn't take a Ph.D. to understand cybersecurity sufficiently to engage in discourse about the many difficult issues that need addressing. It does, however, require a commitment to spend some time understanding the facts first and making oneself familiar with the source material. Based solely upon reading Wright's OpEd, he doesn't know what a DoS attack is, he doesn't know what an act of war is, he doesn't understand the White House's strategy for cyberspace, and he assumes that the U.S. was behind Stuxnet without knowing why. This doesn't reflect well for Mr. Wright or the Chicago Council on Global Affairs that employs him. In fact, it goes contrary to the stated mission of the Chicago Council - to influence discourse. I'm assuming that the Council's board meant "responsible" discourse.

Sunday, 19 June 2011

AnonOps, LulzSec, & The Modalities Of nth Dimensional Conflict

Credit: Perceivin da multi dimensions
This post contains the beginning of my work to develop a new model with accompanying strategies for defending against anarchist clusters like LulzSec and Anonymous as well as more traditional opponents in cyberspace. I've named it the Principles of nth Dimensional Conflict. Since this is a work in progress and because I intend to flesh the principles and modalities out in more detail in the 2nd edition of Inside Cyber Warfare, I hope that interested parties will feel free to leave a comment with their thoughts and suggestions.

The genesis of this idea began with my first book in which I used the science fiction metaphor of a parallel universe to describe cyberspace: "a mysterious, invisible realm existing in parallel to the physical world, yet able to influence it in countless ways" (p.xiii). It's also why I've opposed the classification of cyberspace as a fifth warfighting domain. The Department of Defense as well as national and international law enforcement agencies have been relying upon traditional models to combat offensive cyber operations of all types with only marginal success. The information security community whose mission is to build software that protects private and government networks has failed miserably in executing that mission. In fact, some of their core principles such as publicizing vulnerability research may be causing more harm than good. The latest innovation is the rise of anarchist clusters like Anonymous and LulzSec who seemingly breach government and corporate websites at will. It has become clear to me that false assumptions about the battlespace have produced ineffective, possibly harmful defensive strategies and that we have to start fresh.

I've laid out some baseline principles that underlie recommended modalities or modes of action. In addition to my own interest in Complexity theory and Quantum physics, my thinking in this area has been greatly influenced by a research paper published by JASON in November, 2010: "Science of Cyber Security".

The Principles:

  • Cyberspace is an artificially constructed environment that is only loosely tied to the physical universe and is not constrained by three dimensional space, therefore there are few a priori constraints on either the attackers or the defenders.
  • It is not possible to definitively measure a level of security as it applies to the general operation of information systems (JASON).

The Modalities:

  • Uncertainty and randomness favor the adversary, therefore defenders must implement components of randomness and uncertainty as part of a network defense strategy
  • Since it isn't possible to anticipate every type of attack, the defender must become a competitor to the adversary and continually attack his own system "in the hopes of finding heretofore undiscovered attacks" before the adversary does.
  • Transparency such as commercial anti-virus systems and InfoSec research favors the adversary. Secrecy favors the defender.
  • For the adversary, trust is more important than identity. Since the Internet favors anonymity by design, defenders may achieve more success by breaching an adversary's trust loop than identifying who the adversary is.

I intend for this project to evolve into something more tangible in relatively short order but I don't expect it to be well-received. There's a lot of money invested (and being made) in the current flawed model and there's no scientific method that can be applied to the field of cybersecurity to help persuade skeptics. Absent scientific evidence, the best reason for corporate executives, military planners, and government policy makers to force themselves to explore and consider alternate paradigms like this one is the rapidly growing popularity of anarchistic hacker crews like LulzSec who will continue to thrive in the antiquated security environment that we've created up until this point. It's time to not only change the game, but the dimensional universe that the game is played in. Yes, we can do that in cyberspace.

Friday, 27 May 2011

The Next Edition of "Inside Cyber Warfare" - Coming Soon*

I'm very happy to report that my publisher, O'Reilly Media, has approved an updated second edition of my book "Inside Cyber Warfare: Mapping the Cyber Underworld". I'll be spending the next three months writing three new chapters and updating four of the original ones. New content will include research in the following areas:

  • A detailed examination of cyberwarfare commands by nation state, including organization and capabilities
  • An operational profile of Anonymous focusing on its campaigns, strategy and tactics
  • The People's Republic of China's use of technology transfer of IP, both overt and covert.
  • The Russian Federation's heavy investment in Facebook and other social media through its politically connected Internet entrepreneurs
  • Plus guest essayists and a few other surprises

I'll be using this blog to keep everyone updated as to the book's progress so be sure to subscribe.

* I modified the title of this post because while I'm hopeful that the new edition will be out this December, it's really too soon to announce a date. 