When people hear the words "cyber war," they've been conditioned to think of national secrets being stolen and catastrophic damage to vital public infrastructure. Over recent months many technical discussions have focused upon the physical damage that can be done to power generators or even uranium enrichment centrifuges -- with a heavy emphasis on SCADA network security flaws.
We tend to think of cyber warfare as a digital weapon with direct parallels to conventional, a.k.a., kinetic, warfare. That is to say, the objectives of launching a cyber offensive are often interpreted as the physical destruction of critical infrastructure and the war making capabilities of an opponent.
While there is still plenty of debate to be had concerning the technical feasibility of actually targeting specific infrastructure components for destruction, there are enough proof points (anecdotal or experimental evidence) to warrant the fear of kinetic damage through cyber warfare tactics.
When discussing the tools and tactics of cyber warfare, a great deal of attention has historically been paid to the exploitation of zero day vulnerabilities and the use of carefully crafted malware components. To make things a little more dramatic and edgy, the industry increasingly adds the term "weaponized" to these infiltration vehicles.
A disproportionate amount of attention is applied to zero day exploits and malware. In many ways, this is likely due to the limited vocabulary within the information security and cyber warfare realms with which we can succinctly differentiate between various tools and tactics.
The adage "If all you have is a hammer, then everything is a nail" certainly springs to mind.
The resultant problem is that there are subtleties in the tools that may be employed in cyber warfare for delivery against a much broader range of missions. In a mechanical sense, it's a bit like differentiating between a flathead screwdriver and a chisel -- the basic shapes are the same but their utility is completely different.
Shock and awe
When it comes to cyber warfare, the visualization of things going bang and blackened smoke rising to the sky is certainly dramatic, but I think that many discussions on the topic are missing key strategy points. Sure, cyber warfare tactics can have kinetic destruction capabilities and can likely be employed on a tactical battlefield (and treated like yet another munition), but these tools also enable military forces to conduct an older form of strategic warfare -- that of siege.
Any way you cut it, kinetic warfare is expensive. The design and construction of stuff that makes things go "Boom" is expensive. The delivery of the stuff that goes "Bang" is expensive. The stuff with the craters and smoke coming out of it was probably expensive. And, once the war/dispute/peace-keeping is over, someone has to pick up the pieces, replace the things with the craters and smoke, and that's even more expensive. And with that, we come squarely back to why a modern-day cyber siege may actually become a core tenet of future cyber warfare.
I'm not talking about the digitization of a bloated and infectious cow being hurled over the ramparts of some firewall, but rather the employment of sophisticated cyber warfare tools whose purpose is to temporarily deny the enemy access to their weapons, or their population to core infrastructure and utilities, or both.
The key word here is "temporarily." Just like in the Middle Ages where defenders were denied access to food and water by their siege enforcers, or the 20th Century tactics of blockading trading routes and access to petroleum, cyber warfare tools and tactics can be used to conduct a siege and enforce an electronic blockade. Most importantly, with the minimization of collateral damage, once the conflict is resolved and the siege is lifted, the targets can be reinstated and operational in the minimum amount of time and expense.
It is easy to envisage some aspects of a cyber siege. Take, for example, a nation's power grid. Rebuilding and replacing physically destroyed substations, generators and dams will take considerable time and resources, and financially cripple the nation for years into the future. On the other hand, if the attackers were to electronically prevent the nation's operators from controlling the power grid -- locking them out, altering shutdown and recovery code, affecting micro-controller code and mechanical performance, etc. -- at the end of the conflict, the siege could be lifted and control restored to a more compliant regime. The same of course applies to all the major utilities: water, sewerage and communications, not to mention 911 services.
But those are just the most obvious siege targets and attack vectors. Think of the disruption caused by an industrialized nation's banking system suddenly stopping and the ability to withdraw or transfer money gone, port and air traffic control systems being unavailable, traffic lights and rail system infrastructure responding to random instructions, hospital and health monitoring systems not working, or police and jail records being "corrupted."
Worst of all, the cyber munitions don't even need to be particularly sophisticated. For example, upon electronic infiltration the soldier could simply change all passwords and encrypt all critical data using keys they themselves control. Once the conflict is resolved the siege can be lifted by simply handing over the new passwords and keys.
Of course, the likelihood of a cyber siege being successful against a military force is obviously remote. However, the effect on the nation's population is likely to be great. The purpose of such a siege is to increase pressure and drive change internally. A 13th Century siege was rarely designed to starve the soldiers of a besieged town into submission; rather, it was to force the interned populace to rebel against their own defending force and open the gates from within.
The increased reliance on electronic systems within industrialized nations makes them increasingly vulnerable to a cyber siege strategy.
As events throughout the year have shown, political regimes tend to topple from within when the populace is subjected to extreme hardships and denials of basic infrastructure, services, and, of course, freedoms. In parallel, the demands upon international policing actions -- in which external military forces seek to end internal hostility and aid the transfer of power -- are increasing.
While the kinetic elements of cyber warfare enhance the tactical capabilities of a military power, non-destructive cyber siege strategies could be employed more efficiently when change may be driven internally and where, upon banishment of the aggressor, the nation's populace can promptly recover without a substantial loss of infrastructure and incurring huge national debts.
For this very reason, we can probably expect electronic sieges to be a more popular vehicle for resolving conflicts in the future -- and thoroughly messing up the classic conventions of war.
Gunter Ollmann is VP of Research for cyber security firm Damballa. Gunter has over 20 years of experience within the information technology industry and is a known veteran in the security space. Prior to joining Damballa, Gunter held several strategic positions at IBM Internet Security Systems (IBM ISS) with the most recent being the chief security strategist. He also held the role of director of X-Force as well as the former head of X-Force security assessment services for EMEA while at ISS (which was acquired by IBM in 2006). Prior to joining ISS, Gunter was the professional services director of Next Generation Security Software (NGS), a vulnerability research and attack-based consulting firm. Gunter has been a contributor to multiple leading international IT and security focused magazines and journals, and has authored, developed and delivered a number of highly technical courses on Web application security.