Cyber-ketju: verkkovakoilu,kännyköiden ja wlanien seuranta, hakkerointi, virukset, DoS etc

[ctg]

Mass surveillance programmes used by the US and Britain to spy on people in Europe have been condemned in the "strongest possible terms" by the first parliamentary inquiry into the disclosures, which has demanded an end to the vast, systematic and indiscriminate collection of personal data by intelligence agencies.

The inquiry by the European parliament's civil liberties committee says the activities of America's National Security Agency (NSA) and its British counterpart, GCHQ, appear to be illegal and that their operations have "profoundly shaken" the trust between countries that considered themselves allies.

The 51-page draft report, obtained by the Guardian, was discussed by the committee on Thursday. Claude Moraes, the rapporteur asked to assess the impact of revelations made by the whistleblower Edward Snowden, lso condemns the "chilling" way journalists working on the stories have been intimidated by state authorities.

http://www.theguardian.com/world/2014/jan/09/nsa-gchq-illegal-european-parliamentary-inquiry

 

[ctg]

The latest leak from former National Security Agency contractor turned whistleblower Edward Snowden, published by the New York Times on Tuesday, revealed that the NSA has been using old-school technology to spy on offline computers. The NSA has used the secret program, codenamed Quantum, to monitor about 100,000 offline computers around the world.

The report comes just days before President Obama is expected to announce new restrictions on surveillance programs that will curtail the NSA's activities.

With Quantum, the NSA accesses computers through radio waves emitted from a variety of customized devices. One, nicknamed “Cottonmouth I,” is a USB card modified to contain a tiny radio transceiver that can secretly transmit and receive data to and from the computer.

The NSA also used tiny circuit boards installed into laptop computers that broadcast to the agency even when the computer is completely isolated from the Internet. These circuit boards communicate with a briefcase-sized relay station that the NSA calls “Nightstand.” Nightstand can attack a computer from as far as eight miles away and insert packets of data faster than traditional methods, allowing the NSA to deliver false information faster than authentic downloads.

http://www.ibtimes.com/nsa-quantum-...us-government-spies-offline-computers-1541438

 

[Charlyn_enkelit]

http://www.extremetech.com/extreme/...to-the-tiny-sounds-made-by-your-computers-cpu

Tässä on oikeasti kyse ihan muusta, se on selvää.
Halutaan antaa vaikutelma että vahvasti kryptattua liikennettä voi lukea, vaikka ei voi. Tarkoitus olisi että kohteet käyttäis muuta tapaa, esim kirje tai keskustelu.
Toinen tarkoitus, mikä on myöskin jokseenkin varma, on että halutaan houkutella agentteja esiin, näiden miesten lähelle. Siksi nimet annettiin julki vaikka ne ei ketään sinänsä kiinnosta.

Ihan puhasta paskaa kaikki tuommoinen pelleily.

 

[Charlyn_enkelit]

Kännysysteemiä ei ole suunniteltu häiriökestoiseksi vaan toimivaksi, kaistatehokkaaksi ja akkua säästäväksi.
Mikä tahansa rikkinäinen känny voi pimentää solun, mutta kuka siitä hyötyisi?

Toinen asia mikä tuli mieleen että esim puolikkailla kättelyillä voi kaataa minkä tahansa yhteiskäyttö tietoliikennesysteemin.
Näin kai se aina tulee olemaan.

Kolmas asia, että mistä tiedät että olet nyt internetissä, etkä minun privaatissa netissä?

Jos tulee liikekannallepano, niin mistä tiedät että olet nyt Suomen armeijassa etkä sitä esittävässä vale-armeijassa?
Tiedät sen sitten kun bussi ei pysähdykään rajalle vaan jatkaa matkaa keskitysleiriin.
Tämäntyyppinen tilanne oli elokuvassa Linnake tms. Saksalainen upseeri alkoi komentaan venäläisiä kun osasi kieltä.

 

[tjmies]

Kännysysteemiä ei ole suunniteltu häiriökestoiseksi vaan toimivaksi, kaistatehokkaaksi ja akkua säästäväksi.
Mikä tahansa rikkinäinen känny voi pimentää solun, mutta kuka siitä hyötyisi?

Toinen asia mikä tuli mieleen että esim puolikkailla kättelyillä voi kaataa minkä tahansa yhteiskäyttö tietoliikennesysteemin.
Näin kai se aina tulee olemaan.

Kolmas asia, että mistä tiedät että olet nyt internetissä, etkä minun privaatissa netissä?

Jos tulee liikekannallepano, niin mistä tiedät että olet nyt Suomen armeijassa etkä sitä esittävässä vale-armeijassa?
Tiedät sen sitten kun bussi ei pysähdykään rajalle vaan jatkaa matkaa keskitysleiriin.
Tämäntyyppinen tilanne oli elokuvassa Linnake tms. Saksalainen upseeri alkoi komentaan venäläisiä kun osasi kieltä.

Mistäköhän tän nyt aloittaisi? Periaatteessa ihan hyviä pohdintoja, varsinkin nuo mistä tiedät -kyselyt. Hiukan ehkä korkealentoisia mutta valideja pointteja niissä kysellään. Mutta tuo väite siitä että "puolikkailla kättelyillä voi kaataa minkä tahansa yhteiskäyttö tietoliikennesysteemin" on kyllä vahvasti lapin lisällä maustettua, tai oikeammin kyllä ihan vaan väärin. Kättelyt ja (D)DOS hyökkäykset käy kyllä usein jossain määrin käsi kädessä mutta tuo väite ei ainakaan käytännössä pidä paikkansa.
Tämä pohdinta oli sen verran lennokasta että haluaisitko vaikka hiukan avata sitä - ja mitä sillä ajetaan takaa - lisää?

 

[ctg]

Tässä on oikeasti kyse ihan muusta, se on selvää.
Halutaan antaa vaikutelma että vahvasti kryptattua liikennettä voi lukea, vaikka ei voi. Tarkoitus olisi että kohteet käyttäis muuta tapaa, esim kirje tai keskustelu.
Toinen tarkoitus, mikä on myöskin jokseenkin varma, on että halutaan houkutella agentteja esiin, näiden miesten lähelle. Siksi nimet annettiin julki vaikka ne ei ketään sinänsä kiinnosta.

Ehdotan lukemaan, jos saat käsiin, vanhoja NSAn turvallisuusoppaita ja varsinkin kohdan Tempest Mandatory Security Model. Taikka NATOn turvallisuusoppaita, kohdalta NATO SDIP-27 Level A, B and C.

 

[Charlyn_enkelit]

Mistäköhän tän nyt aloittaisi? Periaatteessa ihan hyviä pohdintoja, varsinkin nuo mistä tiedät -kyselyt. Hiukan ehkä korkealentoisia mutta valideja pointteja niissä kysellään. Mutta tuo väite siitä että "puolikkailla kättelyillä voi kaataa minkä tahansa yhteiskäyttö tietoliikennesysteemin" on kyllä vahvasti lapin lisällä maustettua, tai oikeammin kyllä ihan vaan väärin. Kättelyt ja (D)DOS hyökkäykset käy kyllä usein jossain määrin käsi kädessä mutta tuo väite ei ainakaan käytännössä pidä paikkansa.
Tämä pohdinta oli sen verran lennokasta että haluaisitko vaikka hiukan avata sitä - ja mitä sillä ajetaan takaa - lisää?

Kaikki 3-way kättelyt esim TCP voi jättää kesken ja aloittaa vaan uusia. Tämä on niin tunnettu, että se on wikipediassakin

http://en.wikipedia.org/wiki/SYN_flood

Eikä nuo vastatoimet toimi kuin jokainen tietyssä tilanteessa

 

[Charlyn_enkelit]

Ehdotan lukemaan, jos saat käsiin, vanhoja NSAn turvallisuusoppaita ja varsinkin kohdan Tempest Mandatory Security Model. Taikka NATOn turvallisuusoppaita, kohdalta NATO SDIP-27 Level A, B and C.

Joo, ymmärrän että muutaman hertsin dataa voi lukea vaikkapa prossun lämpötilan toisesta desimaalista näkee, että kuinka monta ihmistä on huoneessa.
Mutta jos rsa avain hurahtaa väylässä 2 Gbps, niin se ei näy missään.

 

[ctg]

ei näy ellei sitä erikseen etsi

 

[tjmies]

Kaikki 3-way kättelyt esim TCP voi jättää kesken ja aloittaa vaan uusia. Tämä on niin tunnettu, että se on wikipediassakin

http://en.wikipedia.org/wiki/SYN_flood

Eikä nuo vastatoimet toimi kuin jokainen tietyssä tilanteessa

Joo, toi on hyvä tunnettu esimerkki, mutta ei ymmärtääkseni vielä tarkoita että puolikkailla kättelyillä voi kaataa minkä tahansa tietoliikennesysteemin. Toki tcp löytyy taustalta todella useiden yleisten palveluiden takaa, varsinkin näin kuluttajapuolella.

3-way kättelyt voi hajatetussa järjestelmässä toki jättää kesken, mutta ei se yleisellä tasolla tarkoita että kaikki 3-way kättelyn sisältävät protokollat olisivat kaadettavissa näin - eikä varsinkaan että kaikissa "tietoliikennesysteemeissä" olisi edes 3-way kättelyä.
TCP nyt vaan sattuu olemaan speksattu sillä tavalla että yhdistettynä yleiseen toteutukseen jossa sockettiin viitataan käyttöjärjestelmässä file descriptorilla(jonka avaruus on niin pieni, että edes järkevä throttlaus ei auta koska kättelyn timeoutit on tcp-toteutuksissa niin poskettomia) niin se on erityisen herkkä tälle ongelmalle.

Itsekin olen saanut saman tilanteen vahingossa aikaiseksi töissä ihan yrittämättä luoda mitään hyökkäysohjelmistoa Tämä kuitenkin varmaan kertoo enemmän allekirjoittaneen taidoista kuin mistään muusta....

 

[ctg]

Professor Jean-Jacques Quisquater, a Belgian cryptographer whose work is said to have informed card payment systems worldwide, has reportedly become the victim of a spear-phishing attack by the NSA and/or GCHQ.

Belgium's De Standaaard reports that Professor Quisquater clicked on a fake LinkedIn invitation that infected his computer with something even nastier than the endless claims of industry leadership spouted by those most active on that network. The malware is said to have allowed tracking of the Professor's work, including consultancy for various firms.


Professor Quisquater's oeuvre, listed here at Google Scholar, bristles with cryptographic research. He also shared 2013's RSA Conference Award for Excellence in the Field of Mathematics for his work on “efficient zero-knowledge authentication schemes”. RSA's (PDF) notes for the award describe his efforts as “a seminal translation of cryptographic theory into practice” and as having “had a major impact on the early development of the smartcard industry.”

The professor is therefore a juicy target, as understanding either his research or the advice he offers could conceivably yield insights into real-world operations of cryptosystems or qualities of future schemes.

There's also the possibility of monitoring the professor's e-mail, which again could yield interesting information.

De Standaard says the hack on Quisquater's kit was discovered as part of the investigation into an attack on Belgacom described by one E. Snowden, late of Moscow.

The Belgian paper doesn't say why it is willing to put the NSA and GCHQ in the frame for the hack, saying only that its understanding of what went on indicates their involvement. As the story points out, the attack could be the first known instance of a spookhaus action against a private individual not under investigation for something nefarious. Quisquater's clearly not a 'civilian' , but nor does he appear to be a legitimate target whose activities could reveal the nature of a threat against either the USA or UK. If he has indeed been targeted to gather intelligence about cryptology in general, the Snowden snowball looks set to gather yet more size and speed. ®

http://www.theregister.co.uk/2014/02/03/nsa_gchq_accused_of_hacking_belgian_smartcard_crypto_guru/

How does the NSA get the private crypto keys that allow it to bulk eavesdrop on some email providers and social networking sites? It’s one of the mysteries yet unanswered by the Edward Snowden leaks. But we know that so-called SSL keys are prized by the NSA – understandably, since one tiny 256 byte key can expose millions of people to intelligence collection. And we know that the agency has a specialized group that collects such keys by hook or by crook. That’s about it.

Which is why the appellate court challenge pitting encrypted email provider Lavabit against the Justice Department is so important: It’s the only publicly documented case where a district judge has ordered an internet company to hand over its SSL key to the U.S. government — in this case, the FBI.

http://www.wired.com/threatlevel/2014/02/courtint/

 

[ctg]

Miksi Pankit haluavat cybersodankäynnin ulottuvan myös tavallisiin hakkerihyökkäyksiin? Onko kuluilla jotakin seksuaalista merkitystä finanssitaloille, jotka muutenkin pystyvät maksamaan konsulttien ja tietoturvatalojen "testi" kulut ilman silmänräpätystä?

A Bank of England-sponsored exercise designed to test how well financial firms handle a major cyber attack has uncovered serious communication problems.

Waking Shark II, which took place in November, was meant to test how investment banks and financial institutions held under a sustained assault by hackers.


The overall results were an improvement on those from the original Waking Shark exercise, which took place in 2011, while still giving plenty of scope for improvement, according to an official report (PDF) on the exercise from the Bank of England.

"The exercise successfully demonstrated cross-sector communications and coordination through the CMBCG [Cross Market Business Continuity Group], information sharing through the use of the CISP [Cyber Security Information Security Partnership] platform and enabled participants to better understand the requirements of the UK Financial Authorities," the report concludes, while adding that banks' communications was hampered by a lack of an overall clearing house (co-ordinator) for cyber threat information.

"Consideration will be given to the identification of a single coordination body from industry to manage communications across the sector during an incident," the report recommends.

Other problems identified during the stress-test exercise, which took place over four hours, but was designed to reflect a three day attack involving denial of service and malware elements, included confusion about the (then) Financial Services Authority. "Attacked" banks were criticised for not calling the police, a breach of agreed procedures.

The Bank of England outlined the scenario played out during the simulated attacks – which, contrary to earlier reports, did not test the cyber resilience of high street banks – for the first time.

The scenario was based on a concerted cyber-attack against the UK financial sector by a hostile nation state with the aim of causing significant disruption/dislocation within the wholesale market and supporting infrastructure. Although the impacts caused by the cyber-attacks would have had an international as well as a UK dimension, for the purposes of the exercise, the scope of the exercise was restricted to management of the UK impacts.
The scenario was set over a three-day period the last day of which happened to coincide with “Triple Witching” (when contracts for stock index futures, stock index options and stock options all expire on the same day).

The three-day period was broken into phases, playing out various technical and business impacts from the scenario. The scenario examined how firms would manage their response to the cyber-attacks both on a technical level (in particular information-sharing amongst the firms via the CISP tool), and from a business perspective.

Elements of the cyberwar exercise included distributed denial of service attacks "causing the firms’ global websites and certain other internet-facing systems to be unresponsive or intermittently available" as well as APT and PC wipe attacks that penetrated the firms’ networks for disruptive and destructive purposes. All this had knock-on effects on trading and reconciliation systems.

This all looks, at least on paper, to be fairly challenging, yet the exercise was criticised by some banks as not challenging enough. Some participants wanted a greater emphasis on cyber-espionage and malware in future exercises. There were also calls to involve telecom service providers, such as BT, in the exercise.

Adrian Culley, technical consultant at anti-botnet firm Damballa and formerly of Scotland Yard’s Computer Crime Unit, said banks had a long way to go before their malware protections were up to scratch.

“UK Financial Institutions have real active infection inside their networks now, Culley said. "Caphaw is an example of one such very prevalent Advanced Attack, there are many others."

"Despite Waking Shark II there appears to be a disconnect between [Business Secretary Vince] Cable's very timely warning, and banks actually holding accessible, actionable intelligence. How they are planning to ever respond decisively without such intelligence? These bodies are part of UK Critical National Infrastructure, and both active attacks, and the threat of attack, are real. Banks need this information to detect active infections and prevent them becoming breaches. It is clear many of them do not have this.”

Breachaholics encouraged to join 10-step programme
After a summit of regulators and intelligence chiefs on Wednesday, Cable warned of the more widespread vulnerability of Britain's critical national infrastructure to cyber-attack. The regulators - which included representatives from the Bank of England, Civil Aviation Authority, Office of the Nuclear Regulator, Ofgem, Ofwat and Ofcom - were briefed on the threat posed to systems by GCHQ boss, Sir Iain Lobban.

Cable called on regulators to oversee the adoption of more robust cyber security measures. Firms were encouraged to "undertake a self-assessment against the ‘10 steps’; take up membership of the Cyber Security Information Security Partnership, or CISP; manage cyber risk in their supply chains by driving adoption of the HMG Preferred Organisational Standard for Cyber Security."

KPMG security expert Stephen Bonner warned that organisations will reduce the chances of successfully defending themselves, if they continue to act in isolation.

“Fear of damaged reputations or stuttering share prices are major factors behind many organisations’ decision to keep a low profile when their cyber defences have been breached," Bonner, a partner in KPMG’s Information Protection and Business Resilience team, commented. "But the days of isolationist thinking have long since disappeared, as an attack on one institution can lead to the exposure of commercially sensitive details for another.

KPMG said the rising number of attacks targeting cyber vulnerabilities presents a growing danger to financial institutions.

"We’ve seen requests for help more than doubling in the past 12 months suggesting that the recognition is there, but awareness doesn’t equal resolution. Waking Shark II has shone a welcome light on current vulnerabilities, but that doesn’t mean it is safe to ‘get back in the water’. Hackers see each barrier as a challenge to be beaten, meaning that constant vigilance and testing is vital if financial organisations are to remain secure.” ®

http://www.theregister.co.uk/2014/02/06/waking_shark_ii_post_mortem/

 

[ctg]

National security is often synonymous with secrecy. But when it comes to software development, the U.S. defense and intelligence establishment can be surprisingly open.

This week, the Defense Advanced Research Projects Agency — or DARPA, the research arm of the U.S. Defense department — published a list of all the open source computer science projects it has funded, including links to source code and academic papers that detail the code’s underlying concepts.

Anyone is free to not only peruse the source code and add to it, but actually use it to build their own software — and that includes foreign governments. The belief is that because anyone can contribute to these projects, the quality of the code will only improve, making the software more useful to everyone. It’s an approach that has paid off in spades among web companies from Google and Facebook to Twitter and Square, and the government has now realized that it too can benefit from the open source ethos.

The Softer Side of DARPA
DARPA is known for some pretty whacked out projects. Mind controlled exoskeletons. Space colonization. Turning pets into intelligence assets. That sort of thing. But it does have a more sober side. The agency funded the creation of the network that eventually became the internet, for example. And, more recently, it funded work on Mesos, the open source platform used by Twitter to scale applications across thousands of servers. It’s more of the latter that shows up on DARPA’s new site.

The site is focused on computer science research, so projects that fall outside of that discipline — such as the OpenBCI brain scanner and the open source amphibious tank — won’t be found on the list. But there’s still quite a few important projects, including Mesos, the in-memory data processing system Apache Spark, and the Julia programming language for mathematicians and scientists.

Most of these DARPA-backed projects are on GitHub, the popular code hosting and collaboration service that has come to symbolize the type of non-hierarchical collaboration celebrated by open source enthusiasts and tech culture in general. The site makes it easy for anyone to examine source code, suggest changes, and discuss decisions. Mirroring the way it treats software, the company itself operates with no job titles, no middle management, and only a thin layer of top-level management, preferring instead flat or “holacratic” structure.

When the Military Invented Open Source
That sort of non-hierarchical thinking may seem at odds with military culture, but in reality, many of these ideas were pioneered by military researchers. Today, we often trace the origins of open source software to work done by industrial research labs like Bell Labs and Xerox PARC. But in his book From Counterculture to Cyberculture, Fred Turner argues that open source’s roots stretch back even further to the World War II era defense research laboratories that created technologies such as radar, the atomic bomb, submarines, aircraft, and, yes, digital computers. “The laboratories within which the research and development took place witnessed a flourishing of nonhierarchical, interdisciplinary collaboration,” Turner writes.

He points to the MIT Radiation Laboratory — which was formed by the National Defense Research Committee, a predecessor of sorts to DARPA — as a model example. “It brought together scientists and mathematicians from MIT and elsewhere, engineers and designers from industry, and many different military and government planners,” Turner says. “Formerly specialized scientists were urged to become generalists in their research, able not only to theorize but also to design and build new technologies.”

Today, we’re more familiar with the NSA’s cloak and dagger approach to research, but the collaborative approach of the WWII era military-industrial-academic complex has never really gone away. The Army recently partnered with Local Motors to crowdsource new military vehicle designs. The CIA created In-Q-Tel, a venture capital firm that funds tech startups, including open source big data companies like Cloudant and MongoDB. Even the NSA is part of the action, open sourcing its big data storage system Accumulo.

In other words, the defense industry sees what Facebook and Twitter and so many other web companies see: that innovation often comes from openness.

http://www.wired.com/wiredenterprise/2014/02/darpa-open-source/

 

[ctg]

"CloudFlare has been hit by what appears to be the world's largest denial of service attack, in an assault that exploits an emerging and frightening threat vector. The Network Time Protocol Reflection attack exploits a timing mechanism that underpins a way the Internet works to greatly amplify the power of what would otherwise be a small and ineffective assault. CloudFlare said the attack tipped 400Gbps, 100Gbps higher than the previous record DDoS attack which used DNS reflective amplification."

http://tech.slashdot.org/story/14/0...han-the-spamhaus-attack-strikes-us-and-europe

 

[TomTom]

Sillä lailla, mpnetin nimipalvelimet on cloudflarella.

 

[ctg]

Sillä lailla, mpnetin nimipalvelimet on cloudflarella.

Eilen tuli esiin cloudflare messuja joilla saitteilla, mutta mpnet on toiminut moitteettomasti ja se on nopein latautumaan täältä londoniumista käsin vaikka ssl pitääkin päällä. Jopa muutama brittiläinen saitti jää jalkoihin.

 

[ctg]

Security researchers recently unearthed a spying tool that managed to go undetected for the past seven years. Dubbed “The Mask” by those at Kaspersky Lab, the malware zeroed in on a wide range of high-profile targets for the better part of a decade using techniques and code more sophisticated than anything previously found in the wild. Experts at Kaspersky say the malware specifically went after government agencies, diplomatic offices and embassies, research organizations and activists as well as those in the gas, oil and energy markets. It employed a combination of malware, rootkit methods and even a bootkit to remain undetected over the years.

http://www.techspot.com/news/55640-...went-undetected-for-the-past-seven-years.html


sorry et tulee näin myöhään, mut mul on helvetillinen migreeni päällä

 

[miheikki]

http://www.mpc.fi/kaikki_uutiset/la...ta+halutaan+katkaista+sahkot+ja+vedet/a967654

TIEDUSTELUPALVELU
Suvi Korhonen, Tietoviikko, 8:25

Lakiesitys: NSA:n päämajasta halutaan katkaista sähköt ja vedet

Marylandissa Yhdysvalloissa käsitellään lakialoitetta, joka vaatii kunnallistekniikan eväämistä NSA:n päämajalta Fort Meadelta, kirjoittaa US News.

Kahdeksan republikaanin lakiesityksessä osavaltio pidättäytyisi kaikesta materiaalisesta ja muusta avusta ja yhteistyöstä tiedustelupalvelun kanssa tai sen alihankkijoina toimivien yritysten kanssa.

Lakiesitys tarvitsisi puolelleen kolme neljäsosaa osavaltion valtuuston 141 jäsenestä.

Käytännössä laista seuraisi sähkö- ja vesijohtoverkosta pois katkaisemisen lisäksi kielto käyttää NSA:n keräämää tietoa oikeudenkäynneissä Marylandissa. Paikalliset yliopistot eivät lisäksi voisi enää tehdä yhteistyötä tiedustelupalvelun kanssa.

Fort Meade maksaa vedestä vuodessa 2 miljoonaa dollaria. Baltimore Sun raportoi keskuksen käyttävän saman verran sähköä kuin osavaltion alle 40 000 asukkaan pääkaupunki Annapolis.

Lakiehdotus on osa laajempaa kampanjaa, jolla on kannattajia kummassakin maan valtapuolueessa. Vastaava NSA:n vastaisia lakiesityksiä on käsitelty ja tulossa valtuustoihin myös muissa osavaltioissa.

 

[ctg]

British intelligence ran denial-of-service attacks against chatrooms used by Anonymous and LulzSec, according to an investigation by NBC News involving Snowden confidante Glenn Greenwald.

http://www.theregister.co.uk/2014/02/05/gchq_anonymous_ddos_spat/

 

[ctg]

Thomas Rid (“Cyberwar and Peace,” November/December 2013) describes cyberattacks as somehow separate from conventional warfare because they fail to meet all three of Clausewitz’s definitions of war as violent, instrumental, and attributable to one side as an action taken for a political goal. Therefore, he says, “cyberwar has never happened in the past, it is not occurring in the present, and it is highly unlikely that it will disturb the future.” But his argument is a simplified representation of the complex realities of war and security today and their inherent links to cyberspace.

Today, the world is so immersed in technology that activities in cyberspace have become inseparable from the everyday operations of business, education, government, and the military. Actions online affect actions offline, and vice versa. Thus, far from being separate from conventional war, as Rid would have it, cyberwar is deeply embedded in contemporary military practices.

Jarno Limnéll argues that activities in cyberspace are an inherent part of conventional warfare. He also contends that the psychological impact, not just the physical violence, of cyberattacks matter. I agree on both counts. But Limnéll’s conclusion, that “waging cyberwar still remains the business of the armed forces alone,” is simply wrong -- and the U.S. government thinks so as well.

Last December, the White House announced that it would not separate the National Security Agency and the Pentagon’s Cyber Command and that it would continue to put one chief in charge of both agencies. Like Limnéll, some other experts, including the members of a review panel appointed by U.S. President Barack Obama, recommended separating Cyber Command’s military capabilities from the NSA’s intelligence activities. But the White House’s decision to maintain the current setup was correct. Creating separate agencies focused on offensive cyber-operations would be rash, because it would mean ignoring four problems.

First, there is actually little difference between contemporary computer-based military operations and the signals intelligence work of the NSA. Indeed, most cyber-operations that are considered offensive actually amount to intelligence collection, not sabotage of critical infrastructure. Thus, an artificial institutional division of labor between the military and the NSA would likely create duplication and waste.

Second, it is unlikely that an independent cyber command would accomplish much. Hawkish generals and politicians ignore the fact that it is quite difficult to create a cyberweapon, software that can physically harm an opponent’s critical infrastructure. There is a reason why proponents of such operations have only one proper example to draw on: Stuxnet, a U.S.-Israeli operation that was designed to damage Iranian uranium-enrichment centrifuges. A high-end sabotage campaign is likely to be a complex, intelligence-devouring, labor-intensive, and target-specific engineering challenge. As frustrated and confused lower-ranking insiders have told me, their superiors balk at that reality and turn to developers and say, in general terms, “Build me a cyber–Tomahawk missile.”

This relates to a third problem: a potential arms race in cyberspace. If having a cyber command becomes a symbol of power, other nations will want to have their own cyber commands. Some countries, among them the United Kingdom, are already considering plans to waste significant resources on offensive cyber-capabilities, needlessly gearing up for a cyberwar that may never occur.

Finally, the idea of creating an independent cyber command ignores the fact that refined offensive capabilities do not translate into better defensive ones. Many conventional weapons can be used defensively or offensively. But cyberweapons are different; Stuxnet, for example, could be used only offensively. The NSA’s offensive strategy exploits vulnerabilities, or “back doors,” in widely used software. But U.S. computer systems have back doors, too: just ask Edward Snowden, the former NSA contractor who leaked classified information about such vulnerabilities. In cybersecurity, a good offense is the worst defense.

U.S. officials should work to prevent a “cyber–Pearl Harbor” through better defenses. But waiting for cyberwar, as Limnéll suggests, is a failure of imagination. “This is our cyber-9/11,” a British intelligence official told me, referring to the Snowden leaks. “We just imagined it differently.”

http://www.foreignaffairs.com/articles/140762/jarno-limnell-thomas-rid/is-cyberwar-real
http://www.foreignaffairs.com/articles/140762/jarno-limnell-thomas-rid/is-cyberwar-real