
FireStarter: the New Cold War

By Mike Rothman

It amuses me that folks were shocked by the latest treasure trove of goodies from the HBGary email spool. Basically, these folks built custom malware on behalf of their government clients. Ars Technica digs in (with pretty impressive technical depth, I might add) and makes clear what you should already know.

We are in the midst of another cold war. This war is not being fought with nuclear warheads, but with computer malware. It’s not visible to most people – and, honestly, most people don’t really care. They should, because the new attacks could knock down our power grids, contaminate our water supplies, and basically cause chaos.

You all know I’m no Chicken Little – and to be clear I sleep very well at night. I wasn’t even a glimmer in my parents’ eyes when the Cuban Missile Crisis brought us to the brink, but the ramifications of an all-out cyber conflict are similar. Plenty of folks have semantic issues with calling computers attacking each other ‘war’, because no one actually bleeds (directly). And I agree with that, somewhat. Cyber conflict won’t result in a mushroom cloud or tens of thousands vaporized in a split second (not yet anyway), but the potential for indirect damage is real.

But to make the point again, I sleep well at night because as much as it hurts to know there are foreign nations in our most critical stuff (yes, APT, I’m talking about you), we are in their stuff as well. Stuxnet, anyone? What makes you think we aren’t in all the major systems of our potential adversaries? Right, that would be a bad assumption.

So we have a good old-fashioned standoff. Another Cold War. Mutually assured destruction is a pretty good deterrent to anyone actually initiating a cyber conflict. Why do you think the APT doesn’t bother to cover its tracks? They want us to know they are there. Duh.

Back in the days of the original Cold War, the private sector was engaged to improve our warheads, defend against enemy warheads (remember Star Wars?), and come up with other innovations to give us a snowball’s chance of surviving a nuclear conflict. In this Cold War, we have the private sector providing new weapons (read: malware) and new defenses (your very own security industry) to give us a snowball’s chance of surviving a cyber-conflict. HBGary is not unique in this pursuit. Not by a long shot. There are no white hats or black hats in this game. You need to play both offense and defense. And clearly the US does.

We never got the opportunity to see any of the Beltway bandits’ mail spools during the last Cold War, but I suspect we’d be similarly nauseated. But with that nausea comes a sense of relief that the best and the brightest (including Greg Hoglund) are working to protect our interests. Now I understand these weapons can just as easily be used against us, but that has always been the case.

So I guess my message is to grow up, people. National security (whatever that means) is a messy business.

Comments

@mike:
attribution isn’t needed for *fighting*, it’s needed for retaliation and therefore for deterrence (which is what MAD is). you can fight blindly without it but it is fighting blind.

as for leaving trails, there are 3 reasons for that:
1) they aren’t really serious about what they’re doing (which can change at any time)
2) they aren’t yet competent enough to avoid it (which can change as well)
3) what you think you know about the trail is a psyops component of the attack, meant to manipulate your response

lastly, if you think a cold war (using your own definition) is going on in the cyber domain, i think you need to go back and re-read bejtlich’s posts on china’s philosophy for information warfare. i think it also deserves to be pointed out that the state-sponsored attacks we’ve seen are incompatible with a cold cyberwar because those states *aren’t* doing nothing. a cold war stays cold because of the presence of deterrents. there are no meaningful deterrents without reliable attribution.

By kurt wismer


@ivan and @kurt, I certainly wouldn’t put attribution as a critical requirement for much of anything anymore, regardless of what the document says. The US has fought (is fighting) wars without real attribution for any kind of deeds. That was part of the Bush doctrine of eliminating “potential” adversaries. You may agree or not with that philosophy, but that’s where we are at.

And to think that we don’t know who’s behind these attacks is naive. Again, we may not have a smoking gun that will hold up in a US court, but the state sponsored attackers leave a trail. They always do.

Ivan, I also think you are confusing the attack and the attacker. I referred to APT as an *attacker*, not a specific attack. A rootkit is one of the attacks used, but not the only one. Hoglund built rootkits, but I assure you there are other folks building other offensive weapons, on all sides.

I agree with many of your comments about the state of society Ivan. We, humanity, need to address these fundamental issues to move forward. But that’s not what we are talking about here. Every developed nation is investing in offensive computer technology, and plenty of folks in the private sector are driving these initiatives.

To me, a Cold War is one in which all sides have the ability to take out the other, so therefore no one does anything. The Cold War of the 70s was just between two nation-states. This Cold War is amongst many. But all the same, it meets my idea of a Cold War. So that’s what I call it.

But disagreement is what makes the world go around. Especially with @kurt. I’ve historically disagreed with most everything he says.

By Mike Rothman


until we figure out that whole attribution business, the idea of mutually assured destruction (if anyone is foolish enough to try that defense) is garbage and our opponents know it. you can’t strike back without accurate attribution.

as of 2008, the US military couldn’t tell the difference between the actions of a foreign intelligence agency and an autorun worm. nor could they muster adequate defenses against autorun worms even after NASA had sent one into space earlier that year. has the US government not continued to get failing grades in information security, even by their own standards, year after year?

if they’re really foolish enough to develop offensive capabilities before they have the ability to see where to point the things or know how to duck then we are all well and truly farked.

then there’s that wonderful little gem that the more advanced nations are actually at a tactical disadvantage against less advanced nations when it comes to the cyber-domain - because the more advanced nations are more reliant on technology and thus have a more fragile infrastructure when it comes to cyber-attack. repurposed state-sponsored malware in the hands of the developing world is a bigger threat to us than original state-sponsored malware is to them.

in this sense, malware as a cyberweapon is a double edged sword and it’s the dull side that’s pointing out. wielding malware as a weapon is a bit like wielding a minefield without a map, but few have the wisdom to see that.

By kurt wismer


Utter nonsense!
> So we have a good old-fashioned standoff. Another Cold War.

No we don’t, the current situation does not even vaguely resemble the Cold War or a bi-polar world dominated by two military powerhouses.

> Mutually assured destruction is a pretty good deterrent to anyone actually initiating a cyber conflict.

No, it is not and it is not just me saying this, it is also stated in US military doctrine for cyberwarfare (google search for it). Deterrence requires attribution, something not easily done over virtual space (Internet et al.). Not only does it require taxative attribution but also a clearly defined adversary to retaliate against (i.e. a nation state) as well as clear rules of engagement and chain of command, something that is also not necessarily available in a strongly interconnected cyber scenario with multiple players with mixed interests.

> Why do you think the APT doesn’t bother to cover its tracks?
I wouldn’t categorize a rootkit as something that doesn’t bother to cover its tracks…

> In this Cold War, we have the private sector providing new weapons (read: malware) and new defenses (your very own security industry) to give us a snowball’s chance of surviving a cyber-conflict.

There is no War. Framing the debate about information security conflict among nation states and other actors in the context of war and using its rhetoric is not uncommon within the US, but it does not necessarily lead to any plausible solution. My opinion is that Infosec conflict will not be solved if economic, trade, labor, education and technology issues are not addressed first, regardless of how many billions the US burns on cyberweapons and centrally-commanded (or “commandeered”?) cyberdefenses.

> So I guess my message is to grow up, people. National security (whatever that means) is a messy business.

Great! Is that an Alberto Gonzales quote?

By Ivan


The only substantive difference is that in the old cold war (nice ring to it) the people with the big red button were the ones formally elected and held political responsibility for the populations that were assured to be mutually destroyed. We went to great lengths to assure that the responsibility for pressing that button was isolated to very few.

The same isolation of responsibility is not possible in this scenario, and it is quite feasible for non-state actors to wield the same power with the same potential repercussions without the same exposure.

By Russ Spitler


us.gov is involved in hacking other governments…. For those who are surprised, fyi, water is wet….

By David Mortman

