The text that follows is a short statement I prepared for the press ahead of my presentation at the International Conference on Cyber Conflict (http://www.ccdcoe.org/ICCC/) in Tallinn, Estonia. It felt like I had a very mixed response, so I’d be interested to hear what others think…
My background and context
Any opinion can only be understood if you also understand its context. Therefore, in order to understand the thinking that follows, you also have to understand my perspective. Three aspects of my context affect my thinking here:
- My business is Attack and Penetration testing. I have little insight or experience beyond that narrow field and therefore my view will be skewed by my professional experiences.
- Our business is primarily based in South Africa. Hence much of my perspective is formed by making my living in a developing country.
- I am no expert on international policy. Hence my hope is that my views can help to inform policy. I’m not attempting to dictate policy in any way.
It should be noted that these are the perspectives I was asked to bring to the event.
In the piece that follows I will make five basic hypotheses, namely:
- Information warfare is real
- Information warfare is asymmetrical
- Countries like South Africa can’t defend themselves
- Neither can other countries
- This reality must surely impact cyber policies world-wide
Information warfare is real
My first point is that ‘information warfare’ or ‘cyber warfare’ (by some definition) is real and is happening already today. Certainly, even if we are not seeing actual ‘battles’ being fought, the so-called ‘military digital complex’ described by Dr Dan Geer exists and is busy accumulating skills, technology and cyber territory as we speak. If the general public was not aware of this already, then this fact became blatantly clear from the email correspondence of the information security firms ‘HBGary’, ‘Palantir’ and ‘Endgame Solutions’, which was recently released publicly after HBGary’s systems were allegedly breached by the hacker collective known as ‘Anonymous’.
Information warfare is asymmetrical
My next point is that information warfare is asymmetrical, with the cards stacked massively in favor of the attacker. Those of us doing so-called ‘red team’ work have always argued that the defender has to be successful all of the time, while the attacker only has to be successful once, which suggests that a successful compromise of any given target is always just a matter of time and money.
This fact is graphically illustrated by the apparent success of the Stuxnet attack against the Iranian nuclear enrichment program at Natanz. By all accounts Stuxnet was a devastatingly successful attack launched by one nation or group of nations against key national infrastructure of another nation. It bypassed all reasonable security controls and could easily have been more destructive, potentially even causing loss of life. All that at the measly price of between $500,000 and $2 million – apparently less than what the US Air Force currently spends in a day.
When it comes to securing an entire country against a well-funded and well-equipped adversary this is even more true, because governments have a dependency on systems and infrastructure for banking, administration, utilities, industry and communications that they do not control. Security in many of these industries is still very poor and, even if governments did apply themselves to improving security as a matter of national policy, I would argue that it may already be too late and that many systems are already compromised by malicious software, some of which will be too sophisticated to detect and remove on the scale required.
A simple analogy for what I’m saying here can be seen in the recent Wikileaks saga. We tend to think of the Wikileaks saga in terms of Julian Assange and the ‘leak’, but really what we should be considering is the fact that over 500 thousand people apparently had access to the so-called ‘secret’ documents that Assange ultimately released to the world. It’s a problem of scope: How can a government hope to protect something that is being accessed by half a million people, and how can we begin to believe that, with that level of exposure, the security of SIPRNET hadn’t already been breached multiple times before?
Now you can see why information warfare is asymmetrical and why it is almost impossible for an entire country to defend itself. This is the core element of my hypothesis this week.
Countries like South Africa can’t hope to defend themselves
If it’s true that information warfare is real, and that it’s asymmetrical as I’ve argued, then where does that leave countries like my home, South Africa? South Africa is a typical developing country: Situated at the very tip of Africa, the country is a greedy adopter of new technologies like mobile telephony, nuclear power, e-government and online banking that support growth and upliftment of our people, but plagued by HIV/AIDS, crime, high unemployment and poor systems of education, we don’t have the skills or financial resources to invest in the kind of security we would need to even begin to defend ourselves. South Africa is “connected”, but not “protected”.
If my government were to approach me and ask: “How can we defend ourselves in this new realm of cyber warfare?” I would have to answer: “We can’t”. So what option is left to South Africa? Either we can ignore the problem and hope it goes away, or possibly we can develop our own offensive capability to act as a deterrent to would-be attackers. I’m not sure whether this strategy would work, but I do believe that it would at least be feasible to implement, which a defensive strategy is ultimately not. If you accept our previous assertion that a capability like Stuxnet could be developed for just a few million dollars, then even South Africa could afford to get in on the cyber warfare game and potentially strike a few retaliatory blows against its enemies or would-be enemies and thereby maintain a kind of uncomfortable peace. Rather than developing such a capability, we could acquire one commercially, or possibly join a treaty to obtain one, but it strikes me as basically the same thing.
But neither can other countries
But here’s the twist: What’s true for small, developing countries like South Africa is actually also true for all countries. The size of your country does not fundamentally alter the asymmetry of the equation: The attacker still has the advantage. One could even argue that the bigger your country, and the more connected your systems are, the more vulnerable you are to attack. If this argument is true, that means almost all countries will be presented with the same lack of strategic options for cyber warfare that South Africa has.
So where does it all go from here?
Thus far I have argued that we are (finally) seeing the dawn of a new cyber battle space and that in this new battle the odds massively favor the attacker. I’ve argued that information and information systems are simply too large, too complex and too inter-connected to defend, and that incidents like Stuxnet and Wikileaks will therefore, inevitably, become more commonplace. I’ve also suggested that this is probably just the tip of the iceberg.
I’ve argued that this new reality poses a real national-security challenge to small and emerging countries like South Africa who are ‘connected’ but can never really be sufficiently ‘protected’ to defend themselves against a well-funded adversary. I surmised that this is true (to a greater or lesser extent) for all countries, no matter how large or powerful.
If this analysis is accurate then it is my opinion that countries have two options going forward. Now, I am no military or political scientist so my domain of expertise is being severely stretched here, but the two options I see are:
- Cyber neutrality and information freedom
- A cyber arms race and Mutually Assured Destruction
In the first option governments can accept that information and information systems cannot be defended against all threats and endeavor to shape local and international affairs in such a way that conflict is avoided, there are no secrets, and there is shared benefit in keeping their information systems alive and connected to the rest of the world.
I love this view of the future as it resonates deeply with the original hacker ethos in which I was ‘raised’, but I have to confess that I struggle to imagine it being real.
In the second model countries will endeavor to defend themselves by building deterrents – tools of mass cyber destruction aimed at their enemies with the threat of destructive digital force. As history showed us during the Cold War, it seems to me that this approach will ultimately reach a kind of digital stand-off where no single country can afford to unleash its weapons for fear of also destroying itself, and the conflict will be reduced to an endless series of spy-vs-spy intrigues and counter-intrigues that will play out in the computers of every government, business, school and even home in the world.
There may be a third option, but if there is I fail to see it. One thing is clear: Unless governments, NGOs, thinkers like Tom Wingfield and other leaders act quickly to highlight and address these challenges, then history will take its inevitable course and my colleagues and I will soon all be wearing uniforms and working for the military.