Americans don’t seem to agree about much these days, but I think most people would describe the year 2016 as worrisome and disheartening. Our country endured a divisive and rancorous presidential election. We lost notables such as Justice Antonin Scalia and astronaut John Glenn, pop culture icons Gene Wilder and Carrie Fisher, musicians Prince and David Bowie, and sports figures Muhammad Ali and Arnold Palmer. Good jobs were scarce, small businesses were struggling, healthcare costs were rising, and school debts were mounting. We were reminded daily by politicians and the media that our society as we know it has fallen under the shadow of a persistent threat of terrorism.
An additional perceived menace to our society that has been the impetus of recent public dialogue is cyberwarfare, and I am persistently disillusioned and annoyed when listening to reporters and pundits discuss “hacking” and “leaking” and what, if any, impact foreign actors may have had on the 2016 presidential election.
Prior to attending law school, my background was in technology, and I am someone who knows a bit about cyber defense. I received computer engineering certifications from Red Hat Software (RHCE), Microsoft (MCNE+I) and Novell (MCNE). As a student at Brown University, where I received my undergraduate degree in International Relations, I also spent considerable time studying Russia (when it was a union of socialist republics and not a federation). While enrolled in International Business at the University of Copenhagen, I was afforded the opportunity to travel through several Eastern European countries (including behind the Berlin Wall just before it fell) and experienced honest and enlightening discourse.
There are two specific presumptions regarding the use of computer technology to disrupt the activities of another country that cause me consternation. First, the proposition that cyberwarfare is brand new and has suddenly become an imminent threat to America. The second, that somehow the Russian Federation “hacked” our November presidential election and influenced the result. I will focus this article on the current common perceptions of cyberwarfare and leave the issue of Russian hacking to a companion piece to follow.
The concept of cyberwarfare is not something new. It has been around almost since the first message was sent between two ARPANET computers on October 29, 1969. TCP/IP, the protocol suite used by every computer on the Internet today, was adopted by ARPANET in 1983. The packet-switched design underneath it can dynamically route communications around a damaged portion of the network, although the often-repeated story that this was done so the network could survive an enemy (presumably nuclear) attack properly belongs to Paul Baran’s earlier packet-switching work at RAND rather than to ARPANET itself. Wikipedia currently defines the term as, “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”
The Internet has obviously increased in scope and complexity since TCP/IP was adopted in the 1980’s, but the basic idea of throwing a major monkey wrench into your enemy’s infrastructure in a time of conflict has not. In fact, it could be argued that the first act of “cyberwarfare” was the machine-breaking of the early Industrial Revolution, when workers wrecked their employers’ machinery to protest jobs lost to mechanization. (The popular story that French workers threw their wooden clogs, in French “sabots,” into the gears, and that this is where the term “sabotage” comes from, is a folk etymology; the Luddites, for their part, were English.) Roughly two centuries later, in the 1990’s, cyberwarfare became so prevalent across M.I.T.’s campus that the administration did the unthinkable: they removed all firewalls and relied on the doctrine of mutual assured destruction to restore order. Such a solution would, however, hardly be workable outside academia.
What is perhaps pertinent today in addressing cyberwarfare is the need for a basic framework of rules or laws similar to Asimov’s Three Laws of Robotics, St. Thomas Aquinas’ Principles of a Just War, or Sun Tzu’s Art of War. Once we have established such a foundation, it should be possible to build upon it to create an actionable strategy for better protecting America’s digital interests. Drawing from my own life experiences, and knowledge picked up from others along the way, I offer up for discussion the following ten laws of cyberwarfare and make a request for comments.
Law #1 – There’s always someone smarter than you.
I remember, not too long after the dawn of the Internet, being involved in a computer security project at a large consulting company. This particular project required my team to make changes to the networking configurations on several workstations. Unfortunately, a group of programmers were also, simultaneously, trying to roll out some homegrown proprietary software which turned out to be incompatible with our increased security. Frustrated with their program being rendered inoperable, one of the programmers walked up to the workstation I was working on and said, rather loudly, “You want a totally secure computer? Here you go!” and proceeded to rip the cable connecting that particular workstation to the corporate network out of the wall. Although dramatic (and a little violent), the programmer’s premise that once you connect a computer to a network it is no longer absolutely secure is correct. I have often cringed at statements such as, “our firewall is totally secure” or “our network is impenetrable.” Pride in the realm of cyberwarfare is definitely a deadly sin for, in making such statements, you are operating under the errant presumption that you have thought of every possible entrée for a hacker into your private network. Given the complexities of current computer systems, to allow oneself such conceit is nothing short of delusional, as someone else in the world smarter than you will find the hole that you missed. Once you have connected a computer to the Internet, do not presume you are safe; assume that a hacker has already entered your system and safeguard your data accordingly.
Law #2 – Numbers mean everything…and nothing.
There is something to be said for numbers. Certainly, the failure of the Wehrmacht to achieve victory with Operation Barbarossa can be attributed to numbers. As German commanders discovered, it is hard to stop a million screaming Russians when you have run out of bullets. Does this military axiom translate into the world of cyberwarfare? Yes and no.
Having a large number of engineers, programmers, technicians, etc. in a cyberwarfare program is, to some degree, an advantage, particularly in the creation of malware or the decryption of an enemy’s communications. It is far less of an advantage when it comes to intrusion and counterintelligence if, a) the defender has created defined communication channels that can be carefully monitored (think Battle of Thermopylae here) and b) you accept the old Klingon proverb that, “a running man can slit a thousand throats in one night.” I would note in support of this proposition that the hackers who have posed the greatest threat / irritation to the U.S. government (at least publicly) have not come from Russia or China, but from Finland, a country with a far smaller populace.
My recommendation for an American cyberwarfare force would be a moderately sized one, commanded by the military (or a civilian with a strong background in military tactics and strategy) with the best and brightest computer engineers and programmers money can buy. Put another way, in my opinion the country would benefit more from a smaller, highly paid force than a large, less competent, and moderately paid one.
Law #3 – Security through obscurity is a bad idea; security through diversity is a better idea.
For years, there has been an active dispute between proprietary (closed-source) software vendors and the open source community over who produces more secure products. The proprietary vendors’ argument is simple: how can something be secure if you tell everyone how it works? Their products ship as compiled code, protected as trade secrets, that no outsider can figure out. The open source community counters by showing the world its code so that any defects (intentional or unintentional) can be identified and corrected by anyone who looks.
The open source folks seem to have gotten the better of this argument in recent years, as many security holes in proprietary software have been identified and exploited, and vendors have at times been slow to publish a correction or “patch.” However, the open source argument works best when you consider a large number of computers connected publicly to the Internet. If a few hundred of those computers get “infected,” the immune response of the whole body kicks in: the hole is noticed, and open source programmers soon close it. The argument is weaker when you consider computers serving a strategic purpose that are not generally exposed to the public via the Internet. In that world, having one or two computers compromised could be catastrophic, particularly if there is a delay between the exploit being used and the hole being closed.
With the foregoing in mind, my recommendation would be for the US government to require competing vendors to produce a matrix of “nodes” throughout strategic systems (such as the power grid) with proprietary operating systems that would still allow for data exchange between those systems. As an example of why this is a good idea, how many times have you seen a Mac user sail through a virus outbreak untouched, not because the Mac was immune but because the malware was written for Windows? Viruses and malware are usually created to attack a specific system vulnerability and have difficulty jumping between disparate systems, similar to the problem a real virus has jumping species. In the model I am proposing, should a “node” fall prey, the critical application systems would reroute through the unaffected nodes similar to the way the TCP/IP protocol was designed to reroute communication.
Law #4 – The slow blade penetrates the shield.
Generally speaking, there are two categories of hackers; amateurs (those who do it for fun, to be challenged, or from pure curiosity), and professionals (those who do it for money or as an agent of their government). Amateurs tend to be clumsy, destructive, immature, and are usually caught. The professionals know that they do not want to get caught; they want to silently move through the target system, collecting data, and possibly leaving bombs along the way to be detonated remotely at the worst possible time for the enemy.
In order for a true cyberwarfare program to be successful, it must be years in the planning. The enemy’s critical systems must be carefully identified and slowly compromised to avoid detection. Once compromised, a decision must be made as to how often the dormant code should “phone home” with information and whether the code should have a “self-destruct” ability to avoid detection and / or take out the enemy system.
One possible attack I have considered is the placement of hundreds of extremely small, low-cost, hidden computers in various locations across a country with public access Internet via WiFi (coffee shops, airports, restaurants, etc.). When activated, these small devices could “flood” a target system (creating a denial of service) anywhere in the enemy country. In order to stop such an attack, each of the devices would need to be located and deactivated from that country’s Internet segment. With some clever programming, the devices could also randomize their attack to make detection more difficult or go dormant for some period of time after attacking for several hours before restarting. (A photo of a commercially available device of this kind accompanied this article.)
With enough time and physical access to a country’s Internet infrastructure, electronic communications could be disrupted rather easily. All it takes is patience and a little dilatoriness on the part of your adversary.
Law #5 – Your best offense is a good honeypot.
A state-sponsored cyberwarfare program is an expensive proposition. For it to make sense to a country like China or Russia, it must also, therefore, be run efficiently. The worst result for any country engaged in cyberwarfare activity is to find that the operation its agent has been running for the last year yielded worthless information. The U.S. government’s best friend may, therefore, be the honeypot.
For those of you lost by the reference, Winnie the Pooh had a bad habit of sticking his head in a honeypot to get the last bit of honey only to declare, “Oh, bother!” as he found himself stuck and wasting time trying to escape. In the cyberwarfare world, a honeypot is something that looks too good to pass up, e.g. clintonemail.com (I can only imagine the look on the first foreign agent’s face to come across that domain name; sadly, it was legitimate and not a honeypot).
As an example, when I was a very young system administrator I had a Chinese hacker attempt to access my employer’s server. So that I could hold his attention while I traced his location, I created a file called “Financial Information.zip” which he tried for days to access and download. In the end, my Chinese friend found that he had downloaded a copy of an English dictionary and he had wasted both his time and his employer’s resources.
Honeypots are a great way to cause your enemy to expend unnecessary time and effort and something that I would strongly recommend the U.S. government deploy liberally, particularly when dealing with an adversary such as China, with superior numbers.
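As an added example (not code from the original article), here is the detection side of such a decoy: a small Python script that raises an alert the moment anyone touches a file no legitimate process should ever open. It assumes a simplified file-access audit log of my own construction (one record per line: timestamp, user, action, path); real sources such as Linux auditd or Windows event 4663 use different layouts, so the parser is the part to adapt. The paths, users and log lines are constructed for illustration.

```python
"""Decoy-file ("honeytoken") access detection.

Constructed example; not code from the original article. It assumes a
simplified file-access audit log with one record per line:

    <timestamp> <user> <action> <path>

Real sources (Linux auditd, Windows event 4663, Samba audit logs) use
different layouts, so parse_record() is the part to adapt.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Actions the (assumed) log can report; anything else is a parse failure.
KNOWN_ACTIONS = {"OPEN", "READ", "WRITE", "DELETE"}

# Decoy files: nothing legitimate should ever open these, so any access
# is a high-confidence signal and the decision needs no further tuning.
DECOY_PATHS: Set[str] = {
    "/srv/share/Financial Information.zip",
    "/srv/share/passwords.txt",
}

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
2016-12-30T09:12:01Z alice OPEN /srv/share/Q4 report.docx
2016-12-30T09:14:37Z svc-backup READ /srv/share/Q4 report.docx
2016-12-30T09:20:05Z bob OPEN /srv/share/Financial Information.zip
2016-12-30T09:20:06Z bob READ /srv/share/Financial Information.zip
2016-12-30T09:21:00Z garbage that does not fit the record layout
2016-12-30T09:25:44Z alice OPEN /srv/share/passwords.txt
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    action: str
    path: str


def parse_record(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one log line into (timestamp, user, action, path).

    The path is the last field and may contain spaces, so split at most
    three times. Lines whose action field is not a known verb are
    rejected rather than guessed at.
    """
    parts = line.rstrip("\n").split(" ", 3)
    if len(parts) != 4:
        return None
    timestamp, user, action, path = parts
    if action not in KNOWN_ACTIONS:
        return None
    return timestamp, user, action, path


def detect_decoy_access(lines: Iterable[str], decoys: Set[str]) -> List[Alert]:
    """Return one Alert per record that touches a decoy path."""
    alerts: List[Alert] = []
    for line in lines:
        record = parse_record(line)
        if record is None:
            continue
        timestamp, user, action, path = record
        if path in decoys:
            alerts.append(Alert(timestamp, user, action, path))
    return alerts


def offenders(alerts: Iterable[Alert]) -> Counter:
    """Count decoy touches per user, to decide who to look at first."""
    return Counter(alert.user for alert in alerts)


if __name__ == "__main__":
    found = detect_decoy_access(SAMPLE_LOG.splitlines(), DECOY_PATHS)
    for alert in found:
        print(f"{alert.timestamp} {alert.user} {alert.action} {alert.path}")
    print(dict(offenders(found)))
```

The value of a decoy lies less in how long it fools the attacker than in the quality of the alert: because no legitimate job ever reads the file, every hit is worth an analyst’s time, which is not true of most signatures.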
Law #6 – Things are not always as they appear.
The protocol that runs the Internet, TCP/IP, is as flexible as it is resilient. Unfortunately, flexibility also means that identities and locations can be manipulated. This generally happens in two ways, a) the computer conducting an attack sits behind another computer, known as a proxy, that is the one actually connected to the Internet (think of it as one computer controlling the other the way Geppetto controlled the marionette Pinocchio), or b) a computer connected to the Internet has come under the control of the enemy, who is now using it to attack you. (For connectionless traffic, such as the floods used in a denial of service, the source address in the packet itself can simply be forged.) Tracing an attack back to the true source can be problematic under any of these scenarios. I can remember being attacked once from a computer located in a public library in Southern California. In that particular instance, that computer had been compromised by a foreign actor attempting to penetrate my corporate network without being identified. Adding to this danger is the fact that a foreign attacker could use a computer in Greece to compromise a computer in Thailand to compromise a computer in California.
There are ways for this type of attack to be traced back to the source. One must certainly, however, be careful not to jump to any conclusions about which country could actually have been behind an attack without clear evidence. In the case I mentioned above involving the public library, I simply called the administrator of that network, notified them of the intrusion, and the attack was stopped (along with any further investigation on my part).
Law #7 – Always consider the flanking maneuver first.
In the 1990’s, a certain bank spent an extremely large amount of money to implement what, at the time, was a state-of-the-art “impenetrable” Internet firewall. Utilizing a high level of encryption, the firewall was reportedly so secure it would take hackers using conventional PC’s hundreds of years to penetrate it. Within a much shorter time period, the bank’s network had been compromised. How did the hackers pull off such a seemingly impossible feat? They simply looked to history for the answer. When someone builds a wall too high to climb…go around it.
Using an auto dialer (a technique known as war dialing), the hackers scanned all direct-dial numbers assigned to the bank. Eventually, they came across a PC that someone had connected to the phone network via an analog modem. Even worse, the PC was running remote access software that was known for being insecure. The hackers were easily able to defeat that software’s security, take control of the bank’s PC, and launch an attack from behind the wall. Von Schlieffen would have been proud.
It should also be noted here that hacking is not always about taking information away. Sometimes, it is about inserting information that should not be there. The same hackers referenced above were once asked how they would attack a private individual; would they steal their social security number, their bank information, or…? Their response was that they would take nothing. They would just upload child pornography to the victim’s computer and call the FBI.
Law # 8 – By indirection find direction out.
One of my favorite stories from WW II is about how the United States discovered Midway Island was to be the next target of Japanese aggression. Unable to fully crack the Japanese code at first, American intelligence knew only that the target was designated “AF,” so Midway was instructed to send a fake message, in the clear, that its fresh water condensers had broken down. The message was picked up by a Japanese listening post and retransmitted in the Japanese code as “AF” having trouble with its fresh water condensers. In a matter of hours, American intelligence had confirmed the meaning of a code group that might otherwise have taken weeks or even months to establish. This revelation helped turn the tide of war in the Pacific and ultimately led to American victory.
The same type of clever thinking can be employed in the world of cyberwarfare. America should feed its enemies as much fake information as possible both to occupy the enemy’s resources and to increase the cost of its operations (see Law #5 above). By using indirection to find direction out, American intelligence can also, for little cost, manipulate and learn of enemy intentions.
Law # 9 – Humans are the weakest link.
Computers do not get hungry. They do not get tired. They do not get jealous. They are not greedy. Unfortunately, humans have all of these weaknesses and more.
I remember, on or after May 5, 2000, a worm was released called “I love you.” This particular worm successfully attacked tens of millions of Windows personal computers not because it was technically advanced, or unusually virulent (it arrived as an e-mail attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, a Visual Basic script whose real extension Windows hid by default), but because people, generally speaking, could not understand how a message that started with “I love you” could intend someone harm. There were only two individuals in my office who weren’t infected by 9:30 AM that morning, a colleague who had emigrated from East Germany and me. Around 9:45 AM, my German colleague came into my office and demanded to know if I had been infected. When I answered no, he replied, “Good….me neither. I knew if someone was sending me a message that said ‘I love you,’ something must be wrong.”
As another example, an organization bent on obtaining the client list from a private corporation placed several expensive USB thumb drives on the ground of the parking lot outside the target company. Within hours, an employee had picked up one of the thumb drives, thanked their good fortune, walked into their office and plugged the thumb drive into their corporate PC. Unbeknownst to the employee, each of the thumb drives had been loaded with malware that hooked Microsoft Outlook, causing it to send a copy of the global address book to the attacker. The moral of these stories is that if a system looks impenetrable, look to human nature to open the door.
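The “I love you” attachment worked because its name told a different story from what it actually was. As an added example (not code from the original article), the following Python flags attachment names built on that trick, an executable script hiding behind a document-looking extension, together with two related tricks a mail gateway should also catch: whitespace padding that pushes the real extension out of view, and the Unicode right-to-left override that makes a name like “photo<RLO>gpj.scr” display as “photorcs.jpg.” The extension lists and sample names are assumptions constructed for the example.

```python
"""Flagging e-mail attachments whose names are built to fool people.

Constructed example; not code from the original article. The rules cover
the ILOVEYOU pattern (an executable script behind a document-looking
extension, with Windows hiding the real one by default) plus whitespace
padding and the Unicode right-to-left override.
"""
from typing import List, Optional, Tuple

# Extensions Windows will run or script directly. Assumed list; extend it
# to match your own gateway policy.
EXECUTABLE_EXT = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "lnk", "ps1", "msi", "jar",
}
# Extensions people read as "harmless document" when they appear just
# before the real one. Assumed list.
DOCUMENT_EXT = {
    "txt", "doc", "docx", "pdf", "jpg", "jpeg", "png", "gif",
    "xls", "xlsx", "ppt", "pptx", "zip",
}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it renders reversed


def classify_attachment(name: str) -> Optional[str]:
    """Return None for a name that raises no flag, else a short reason."""
    if RLO in name:
        return "right-to-left override character hides the real extension"
    # Windows silently drops trailing spaces and dots from a file name,
    # so "evil.exe   " really is evil.exe.
    parts = name.rstrip(" .").split(".")
    if len(parts) < 2:
        return None  # no extension: nothing to judge from the name alone
    ext = parts[-1].strip().lower()
    if ext not in EXECUTABLE_EXT:
        return None
    if any(part != part.strip() for part in parts):
        return f"whitespace padding pushes the .{ext} extension out of view"
    if len(parts) >= 3 and parts[-2].lower() in DOCUMENT_EXT:
        return (f"executable .{ext} disguised as a .{parts[-2].lower()} "
                "file (double extension)")
    return f"bare executable attachment (.{ext})"


def triage(names: List[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every attachment that should be held."""
    held: List[Tuple[str, str]] = []
    for name in names:
        reason = classify_attachment(name)
        if reason is not None:
            held.append((name, reason))
    return held


# Constructed sample attachment names, not taken from real mail.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "report.pdf",
    "invoice.pdf                                   .exe",
    "setup.exe",
    "photo\u202egpj.scr",
    "README",
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ATTACHMENTS):
        print(f"HOLD {name!r}: {reason}")
```

A name check like this is cheap and catches the social-engineering layer, but it is no substitute for inspecting the attachment’s actual contents; a renamed executable with an innocent name passes it, which is exactly why the check belongs in front of, not instead of, content scanning.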
Law # 10 – Do not underestimate the power of the Phoenix.
My tenth, and final, law is a reference to the bird of Greek mythology that can live for as long as 1,400 years before gaining new life by rising from the ashes of its predecessor. During the course of my career, I saw engineers and consultants spend hours trying to troubleshoot strange issues with a machine’s operating system or remove a piece of malware without causing greater problems than the malware itself had created. In some instances, particularly when there was a potential for data loss, the engineers had no choice but to go through this lengthy and costly exercise.
But, more often than not, the problem could be much more quickly resolved by wiping the system and reloading the operating system software. Many of today’s PC’s do, in fact, come with a system “reset” feature in which the existing system installation can be, relatively quickly, replaced with a fresh copy. This functionality of being reborn from ashes is possibly one of the best defenses we have to a cyberattack. As long as our critical systems have the ability to be almost immediately restored if compromised, a cyberattack on the integrity of those systems can be rather quickly defeated. Two cautions apply. The copy you restore from must itself be known good and verified before use, or you will faithfully rebuild the attacker’s foothold along with everything else; and a rebuild addresses the integrity of the system, not the confidentiality of data that was already copied away before the wipe.
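Rising from the ashes only helps if the ashes are clean. As an added example (not code from the original article), the following Python shows how a restore image can be verified against a manifest of file hashes that was signed when the image was built, so that a modified file, a planted file, a missing file, or a manifest an attacker has rewritten to match a backdoored image are all caught before the restore proceeds. The image is modelled as an in-memory mapping of path to contents, and the paths, file contents and signing key are assumptions constructed for the example.

```python
"""Verifying a "golden" restore image against a signed manifest.

Constructed example; not code from the original article. The image is
modelled as a dict of path -> bytes (a stand-in for a directory tree or
a mounted image) and the manifest is authenticated with an HMAC key that
the restore host holds but the production system does not. Paths, file
contents and the key are assumed values for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List

Manifest = Dict[str, str]  # path -> hex SHA-256 of the file's contents


def build_manifest(files: Dict[str, bytes]) -> Manifest:
    """Hash every file in the image; run at build time, on the build host."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in sorted(files.items())}


def _canonical(manifest: Manifest) -> bytes:
    # Sorted keys and no extra whitespace so signer and verifier agree
    # byte-for-byte on what was signed.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Manifest, key: bytes) -> str:
    """Produce the tag that is stored beside the manifest."""
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify_image(files: Dict[str, bytes], manifest: Manifest,
                 tag: str, key: bytes) -> List[str]:
    """Return [] if the image is fit to restore from, else the problems found.

    The signature is checked first: a manifest an attacker could rewrite
    would happily "match" a backdoored image, so its hashes mean nothing
    until the tag has been verified.
    """
    expected_tag = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_tag, tag):
        return ["manifest signature invalid; do not trust any of its hashes"]
    problems: List[str] = []
    for path, digest in manifest.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            problems.append(f"modified: {path}")
    for path in files:
        if path not in manifest:
            problems.append(f"unexpected: {path}")
    return sorted(problems)


# Constructed stand-in for an image tree (contents are not real system files).
GOLDEN_IMAGE: Dict[str, bytes] = {
    "/boot/vmlinuz": b"kernel-image-bytes",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/login": b"login-binary-bytes",
}
SIGNING_KEY = b"restore-host-only-key"  # assumed; never present on production hosts

MANIFEST = build_manifest(GOLDEN_IMAGE)
TAG = sign_manifest(MANIFEST, SIGNING_KEY)


def tampered_image() -> Dict[str, bytes]:
    """A copy of the image with a backdoored login binary and a planted cron job."""
    bad = dict(GOLDEN_IMAGE)
    bad["/usr/bin/login"] = b"login-binary-bytes-with-backdoor"
    bad["/etc/cron.d/beacon"] = b"* * * * * root /tmp/.x\n"
    return bad


if __name__ == "__main__":
    print("golden:", verify_image(GOLDEN_IMAGE, MANIFEST, TAG, SIGNING_KEY))
    print("tampered:", verify_image(tampered_image(), MANIFEST, TAG, SIGNING_KEY))
    forged = build_manifest(tampered_image())  # attacker rewrites hashes to match
    print("forged manifest:", verify_image(tampered_image(), forged, TAG, SIGNING_KEY))
```

An HMAC is used here for brevity; in practice a public-key signature over the manifest is preferable, since then the hosts performing restores need hold only the verification key and nothing that could produce a new tag.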
While writing this article, an old Peter Gabriel song, “Games without Frontiers,” kept running through my head. In one line from the lyrics of that song, Gabriel sings “In games without frontiers-war without tears.” At the moment, cyberwarfare is truly a misunderstood game without a frontier, devoid of any structured rules of engagement. If the Russians had, in fact, “hacked” the 2016 presidential election such that it may have impacted the outcome….what then? Should we retaliate and, if so, how and to what degree? If cyberwarfare should ever break out on a large scale, how should we wage such a war? It is my hope that this article begins a dialogue that may eventually help answer these questions and position the United States not only as a force for good on the land, sea, and air but also in the realm of cyberspace.