OPEN SOURCE WARFARE: Cyberwar
In less than an hour, I had become an Internet soldier. I didn't receive any calls from Kremlin operatives; nor did I have to buy a Web server or modify my computer in any significant way.
Evgeny Morozov, Slate, "An Army of Ones and Zeroes: How I became a soldier in the Georgia-Russia Cyberwar"
Cyberwarfare is a form of open source warfare (see Brave New War for a deep exploration of open source warfare) fought over the Internet by groups of civilians for reasons of nationalism, revenge, and (worst of all) fun. It's messy, chaotic, and nearly impossible to control. The benefits of an open source cyberwar include:
- Deniability. Offensive operations by government computers/personnel against a target nation are an act of war. Actions by civilian vigilantes are not, and can be disowned. An inability to point to an offending organization makes blame difficult to affix: note the speed at which the US tech press was willing to deny a Russian cyberwar against Estonia.
- A huge talent pool. Rather than spend money on training a limited number of uniformed personnel (likely poorly), it's possible to draw on a talent pool of hundreds of thousands of participants (from hackers to IT professionals to cybercriminals). Given the rapid decay/turnover in skills, high rates of innovation, high compensation, and the value of real-world expertise, the best people for cyberwarfare don't work (nor will they ever) in the government. The best you can do is rent/entice them for a while.
- Access to the best resources/weaponry. The best tools for cyberwarfare are developed in the cybercriminal community. They have vast and rapidly growing capabilities: a plethora of botnets, worms, compromised computers within target networks, identity information, etc. Further, these capabilities are cheap to rent.
The Problem
Unfortunately, in the US, there is nothing but confusion over cyberwarfare. Add the news that the Pentagon will not create a new USAF Cyber Command to the recent failed attempt by the US military to define what 'cyber deterrence' means, and it becomes evident that the entire concept of 'cyberwar' is yielding little but confusion. Unfortunately, it appears little relief is in sight.

In contrast to failed US efforts, both China and Russia have adopted the OSW approach to cyberwarfare. How did they do it? Simply:
- Engage, co-opt, and protect cybercriminals. Essentially, use this influence to deter domestic commercial attacks and encourage an external focus. This keeps the skills sharp and the powder dry.
- Seed the movement. Once the decision to launch a cyberattack is made, start it off right. Purchase botnets covertly from criminal networks to launch attacks, feed 'patriotic' blogs to incite attacks and list targets, etc.
- Get out of the way. Don't interfere. Don't prosecute participants. Take notes.
Hey John,
Good to see you posting again. It does appear that the resilient bear (Russia) is flexing again. Keep pointing out the ever widening arsenal other states are using. The US remains slow to adapt, resistant to change and unfortunately idealistic when it comes to what Russia and other nations are doing with the diverse forms of warfare you elaborate on.
Posted by: Hakim Hazim | Friday, 15 August 2008 at 08:13 PM
Nice summation, John. I underscored many of the same points when I described the Chechen model of Russia's cyberwarfare strategy. I just updated that post with a trackback here.
Posted by: Jeff Carr | Saturday, 16 August 2008 at 09:15 AM
Hi John, I've read the post Evgeny Morozov wrote on Slate and I think it's a little too simple. OK, it's just the result of one hour of research, but I think it is a little misleading. Or at least it treats the subject with a little too much lightness.
Point is that the actions of "single activists" like what he had tried to become matter very little in this kind of attack.
Back in the early 2000s I worked with a group of people that organized some netstrikes (that's what we called them; we thought of this kind of action as a digital version of a street march).
The targets were much fewer and smaller than what he's talking about and the effort much more concentrated in time (mainly one single site at a time, mostly local administrations, and for a one-off event), but even if we managed to mobilize people on a national scale the strikes usually managed to completely deny access to the sites for just a few minutes at a time.
Being mostly political and symbolic demonstrations, everything was kept "clean": there was no real hacking or exploiting of the websites, just people downloading the site's home page (sometimes with software very similar to the one used by the author) many times per second.
We simply weren't able to reach the critical mass necessary to create serious problems for the servers.
And all of this happened 6/7 years ago, when bandwidth (especially on the provider side) was much more expensive and specific countermeasures were almost unheard of.
The issues being fought over here are clearly much bigger and there are many more people involved, but, at the same time, there are many more targets and they plan long attacks. With this kind of goal the support of single "soldiers" is pretty pointless from a technical point of view; you need them only to give legitimacy and deniability to the real attacks (carried out with huge networks of botnets and direct hacking).
M
Posted by: echomrg | Wednesday, 20 August 2008 at 10:58 AM
I remember being at a job fair in 1999. I'm former Marine infantry and was about to finish up a Computer Science degree. I asked the FBI recruiter how likely it was that I would actually do computer work while in the FBI. He said most likely I would not be able to work with computers in any way.
It's no wonder these organizations don't have a great internal capability for computer security.
Posted by: Demian | Monday, 19 January 2009 at 03:54 PM