Receive "The World According to Tom Barnett" Brief
Where I Work
Search the Site
Buy Tom's Books
  • Great Powers: America and the World After Bush
    Great Powers: America and the World After Bush
    by Thomas P.M. Barnett
  • Blueprint for Action: A Future Worth Creating
    Blueprint for Action: A Future Worth Creating
    by Thomas P.M. Barnett
  • The Pentagon's New Map: War and Peace in the Twenty-first Century
    The Pentagon's New Map: War and Peace in the Twenty-first Century
    by Thomas P.M. Barnett
  • Romanian and East German Policies in the Third World: Comparing the Strategies of Ceausescu and Honecker
    Romanian and East German Policies in the Third World: Comparing the Strategies of Ceausescu and Honecker
    by Thomas P.M. Barnett
  • The Emily Updates (Vol. 1): One Year in the Life of the Girl Who Lived (The Emily Updates (Vols. 1-5))
    The Emily Updates (Vol. 1): One Year in the Life of the Girl Who Lived (The Emily Updates (Vols. 1-5))
    by Vonne M. Meussling-Barnett, Thomas P.M. Barnett
  • The Emily Updates (Vol. 2): One Year in the Life of the Girl Who Lived (The Emily Updates (Vols. 1-5))
    The Emily Updates (Vol. 2): One Year in the Life of the Girl Who Lived (The Emily Updates (Vols. 1-5))
    by Thomas P.M. Barnett, Vonne M. Meussling-Barnett
  • The Emily Updates (Vol. 3): One Year in the Life of the Girl Who Lived (The Emily Updates (Vols. 1-5))
    The Emily Updates (Vol. 3): One Year in the Life of the Girl Who Lived (The Emily Updates (Vols. 1-5))
    by Thomas P.M. Barnett, Vonne M. Meussling-Barnett
  • The Emily Updates (Vol. 4): One Year in the Life of the Girl Who Lived (The Emily Updates (Vols. 1-5))
    The Emily Updates (Vol. 4): One Year in the Life of the Girl Who Lived (The Emily Updates (Vols. 1-5))
    by Thomas P.M. Barnett, Vonne M. Meussling-Barnett
  • The Emily Updates (Vol. 5): One Year in the Life of the Girl Who Lived (The Emily Updates (Vols. 1-5))
    The Emily Updates (Vol. 5): One Year in the Life of the Girl Who Lived (The Emily Updates (Vols. 1-5))
    by Vonne M. Meussling-Barnett, Thomas P.M. Barnett, Emily V. Barnett
Monthly Archives
Powered by Squarespace

Entries in cyberwarfare (16)

2:55PM

A Squirrelly Argument Regarding Critical Infrastructure And Our Resilience In The Face Of Attacks

THE NATIONAL SECURITY COMMUNITY TENDS TO ATTRACT DOOMSDAY TYPES, WHILE THE UTILITIES SECTOR TENDS TO ATTRACT PRETERNATURALLY CALM ENGINEER TYPES - GO FIGURE! That's the just the nature of their respective businesses, so no big surprise that, when national security officials highlight the hacking threat to critical infrastructures (most frequently, electrical grids), plenty of practitioners in the utilities arena counter that "alarmism" with more prosaic examples of power outages - namely, those caused by rodents and birds. This is a classic argument between those who focus their professional attention on low-probability/high-impactevents (e.g., foreign military hackers attacking our critical infrastructure as a prelude to war-initiation) and those who must deal with high-probability/low-impact events - like a squirrel chewing through a wire and triggering a local blackout.

So, good on WAPO's The Switch column for running this story asking, "Are Squirrels a Bigger Threat to the Power Grid Than Hackers?" Yes, the use of the modifier "bigger" here is stunningly indiscrete (newspaper headlines tend to do that to pique your interest), but the author does provide a real-world threat "floor" to the notional threat "ceiling" routinely cited on WAPO's front page. On the latter score, I recall the near-constant drumbeat of fear-instigating stories (all presumably "leaked" by the Obama Administration), in the weeks leading up to the 2009 launching of US Cyber Command, about how seemingly everyone in the world was waging cyber-warfare against America, when, of course, we know full well that the U.S. Government itself is the preeminently offensive player in this arena - as it should be.

So, no, squirrels are not a "bigger threat." That's an idiotic notion (or - more politely - an imprecise notion). Significant cyber-warfare-capable nation-states and non-state actors are the bigger threat.  Squirrels are just the more common threat.

Another way to look at the difference: I am constantly subject to the common cold, but I still consider cancer to be the bigger threat to my health. Does that mean I ignore the cancer threat (lower probability but far higher impact) to focus more on the common cold? Hardly. Like everyone, I attempt to balance risk between the two.

I also most certainly do not discount the cancer threat merely because I find it stunningly hard to prevent my contracting the common cold on a regular basis, which is the implied argument here (Focus on real problems and don't believe the hype!). Wait long enough on today's national-security "hype" and eventually somebody nefarious will give that scenario a run for its money. And when they do?  The high-probability/low-impact skeptics will be nowhere to be found, while the public - and Congress - demands answers (and scapegoats) for this huge failure of national intelligence!

2:37PM

Ukraine's Electrical Grid Gets Knocked Down, But It Gets Up Again … In a Sign of Threats to Come

RUSSIA IS OFTEN CREDITED WITH EXPLORING THE SUB-THRESHOLDS OF TRADITIONAL STATE-ON-STATE WARFARE, OR WHAT ONE DEFENSE ACADEMIC HAS DUBBED "GREY-ZONE CONFLICTS."  In some ways, Moscow's experiments in interstate aggression represent a continuing acknowledgment of the overarching strategic reality of mutually assured destruction created by the still-formidable nuclear arsenals of the world's major military powers - i.e., Russia knows not to go there.  But great powers still want to act like great powers, so they meddle, they intervene, they topple governments, they support proxies in civil wars, they build artificial islands and militarize them, they insert computer viruses into other states' networks . . . and sometimes they merely send a signal like I can turn off your lights whenever I want.

 

Vladimir Putin's regime has an established reputation for this sort of international cyber-bullying, launching somewhat impressive online attacks against Estonia in 2007, Georgia in 2008 (as part of its land grab there), and more recently against Ukraine in 2014.  Western security reviews of such incidents typically find little-to-no evidence of official government involvement, and this is the central characteristic of the maskirovka approach (an old Soviet-era term that equates to covert military operations - i.e., masked).  So yeah, the whole point of such shenanigans is to be hide your tracks even as you are rather overtly signaling both capability and intent.

As we used to say about the Soviets during the Cold War, they will try every door and every window until they find one that's unlocked.

Thus, the world is meant to take notice of what recently happened in Ukraine, per WAPO:

Hackers caused a power outage in Ukraine during holiday season, researchers say, signalling a potentially troubling new escalation in digital attacks.

"This is the first incident we know of where an attack caused a blackout," said John Hultquist, head of iSIGHT Partner's cyberespionage intelligence practice. "It's always been the scenario we've been worried about for years because it has ramifications across broad sectors."

Indeed, the hackers-taking-down-electrical-grids is the sine qua non of the "cyber Pearl Harbor" or cybergeddon attack scenario that worries owners and operators of critical infrastructures around the world - but particularly in the US, where 88% of them are private-sector firms.

More details ...

Half of the homes in Ukraine's Ivano-Frankivsk region were left without power for several hours on December 23rd, according to a local report that attributed the blackout to a virus that disconnected electrical substations from the grid. Researchers at iSight on Monday said their analysis of malware found on the systems of at least three regional electrical operators confirmed that a "destructive" cyberattack led to the power outage.

Impression made ...

Why it matters for critical infrastructure writ large:

Electrical outages can lead to ripple effects that leave communities struggling with things like transportation and communication, according to security experts who have long warned about the potential for cyberattacks on the power grid.

Here the attack almost veers into clandestine mode, meaning the actor in question doesn't worry all that much about its identity being revealed:

In this case, the attackers used a kind of malware that wiped files off computer systems, shutting them down and resulting in the blackout, Hultquist said. At least one of the power systems was also infected with a type of malware known as BlackEnergy. A similar combination was used against some Ukrainian media organizations during local elections last year, he said.

So just imagine who was messing with Ukrainian media during local elections last year, and then realize that that same actor didn't bother changing up his cyber pitch this time around because . . . hey, that's not the point here.

Here we get to the true signaling:

While [cybersecurity company] ESET's analysis showed the destructive element was "theoretically capable of shutting down critical systems," it said BlackEnergy malware's ability to take control of a system would give attackers enough access to take down the computers. In that case, the destructive element may have been a way to make it harder to get the systems up and running again, according to ESET. (bolding mine)

That is what should grab the attention of any nation's critical infrastructure operators - not just the takedown capability but the suggested keepdown capacity.

Yes, the fingerpointing is eastward . . .

Hultquist believes the attacks that caused the blackout were the work of a group iSight dubs "Sandworm" that the company previously observed using BlackEnergy. In a 2014 report, iSight said the group was targeting NATO, energy sector firms and U.S. academic institutions as well as government organizations in Ukraine, Poland  and Western Europe.

"Operators who have previously targeted American and European sensitive systems look to have actually carried out a successful attack that turned the lights out," Hultquist said.

He described the group as "Russian," but declined to connect it to a specific government or group . . .

Such is the nature of maskirovka, remembering, of course, that Putin began his career in the KGB.

Now the part that most clearly matters to us here at Resilient Corporation:

The picture can often become clearer as more information trickles out, but the public and even some of those investigating may not be operating with all the facts, according to Cross.

"When a plane crashes, the FAA publishes all of the details about the incident. That makes sense because we pilots want to know what to do to avoid the next crash," he said. "In our industry, when something like this  happens, some information comes out and some doesn't."

Great analogy, suggesting that the lack of industry transparency here can cost us in the long run.  One doesn't counter maskirovka with "proprietary" concealment but with information-sharing.

Not everyone necessarily has an interest in fully disclosing the attacks because it might embarrass them or give new information to attackers, Cross said. But he argues that the more people  know the details about the attack, the better the security industry can prepare for the next one.

"People should operate with an abundance of caution and assume the threat  is real while demanding technical detail and evidence," he said.

Bingo!

As for Ukraine, the final bit of news was heartening:

Assuming that the hackers did take out the power in Ukraine, there was a silver lining, according to Cross: The grid seems to have rebounded quickly.

"The world didn't end here - they did get power back up," Cross said.

This time, yes.  But this scenario will grow less exotic over time, and that's why our resilience still-set must keep pace .

1:07PM

(RESILIENT BLOG) Dependency as Vulnerability Means the Best Cyberdefense is a Wicked Cyberoffense

NATIONAL SECURITY, AS A BUSINESS DOMAIN, IS DRIVEN BY THE MANTRA OF "BE AFRAID, BE VERY AFRAID.  When we're just talking among ourselves, the conversation remains professional.  But there's always that temptation to go all apocalyptic when you take those conversations into the public realm.  It's the old if you only knew what I know trump-card that any professional has a hard time not using.  We can currently blame this dysfunctional dialogue on the media (driven to sensationalism) and the Internet (nutcases galore), but we cannot dismiss the grounded reality at the core of these discussions, which is dependency as vulnerability . . . 

 

READ THE ENTIRE POST AT:


9:22AM

Cyber mischief as the new signaling

NYT story on cyber attacks on two major SouKo banks - presumably by NorKo.

I think this becomes the new brinksmanship/signaling in the digital age, meaning it's truly a virtual form of warfare and not a real warfare domain per se.  It's easier and more clear than the usual diplo protests.

So we have this as a fifth vein of cyber (offensive/offending).

The five categories, in my mind, are:

 

  1. Sheer industrial espionage (see China - on mass scale)
  2. Sheer spying (done by all - with US long in the lead with NSA, but less so today as others catch up)
  3. Normal espionage (see Israel v Iran, US's Stuxnet with Israel v Iran, etc.)
  4. In support of conventional offensive ops (meaning, old-fashioned EW [electronic warfare] updated) - this being the least frequent use because true wars are shorter and less common now.
  5. Signaling

 

What I don't see is cyber as a separate offensive warfare category - i.e., that and that alone as THE attack.  You use as enabler in traditional attack, or its virtual warfare at best (remember that virtual means "not X").

That's why I don't find cyberwarfare so novel or weird or supremely trumping as some do.  It's just a lot of old modalities updated and augmented - nothing more.

6:14PM

Time's Battleland: National Security Putting China’s “Hacking Army” into Perspective

Great New York Times front-pager on Tuesday finally provides a substantive overview of the comprehensive hacking activities of the Chinese military against all manner of U.S. industries (with an obvious focus on defense).

Actually, the title was a bit of soft sell (China’s Army Seen as Tied to Hacking Against U.S.). This unit’s activities have been much discussed within the U.S. national-security community for several years now, so we are far past the “tied to” allegation. It’s clear that Beijing has the People’s Liberation Army conduct widespread cyber- theft all over the world, targeting the U.S. in particular.


Read the entire post at Time's Battleland blog.

I blame Dave Emery for making me write something on the subject.

11:27AM

Time's Battleland: (CYBER) New Air Force Mission: Cyberwar Belongs to Us

The Wall Street Journal noted last Friday about how the “Pentagon digs in on cyberwar front.” Bit misleading, as it’s really the Air Force that’s desperate to corner that market. You know the general story of Big War Blue (Navy, Air Force) feeling disrespected and underfunded across the “war on terror” era, and you’ve been treated ad nauseum to their budgetary counter-revolution in the form of the AirSea Battle Concept (whose combined Air-Navy motto should be: “It’s China’s turn — as well as ours!”).

Read the entire post at Time's Battleland blog.


11:42AM

Time's Battleland: (CYBER) Cyber Warfare Treaty: DOA, Thanks to President and Pentagon

Misha Glenny making a smart case in the New York Times for a cyber arms control treaty, but it won’t happen.

Why?

For the same reason why the U.S. has refused – for many years now – to engage other great powers on a treaty banning space weaponry: our Pentagon wants to dominate that imagine conflict space like any other. This fantasy lives on despite the great private-sector forays into space transport and travel.

Read the entire post at Time's Battleland blog.

11:34AM

Time's Battleland: MILITARY SPENDING On Cyber Warfare, the American Public Is Constantly Being Played by the Pentagon

From a Washington Post piece describing “Plan X,” the Pentagon’s new push to develop cutting-edge offensive cyber weapons:

It makes sense “to take this on right now,” said Richard M. George, a former National Security Agency cyberdefense official. “Other countries are preparing for a cyberwar. If we’re not pushing the envelope in cyber, somebody else will.”

Read the entire post at Time's Battleland blog.

11:53AM

Wikistrat's chief analyst quoted in Reuters piece on cyber struggle landscape

Disagreements on cyber risk East-West "Cold War"

Fri Feb 3, 2012 11:32pm IST

LONDON - With worries growing over computer hacking, data theft and the risk of digital attacks destroying essential systems, western states and their allies are co-operating closer than ever on cyber security . . . 

But many Western security specialists say the evidence against both nations -- particularly China -- has become increasingly compelling.

"China is currently engaged in a maximal industrial espionage effort that it justifies internally in terms of a catch up strategy (with the West)," says Thomas Barnett, chief analyst at political risk consultancy Wikistrat and a former strategist for the U.S. Navy. "The key question here is: can China assume the mantle of intellectual property rights respect fast enough to avoid triggering economic warfare of the West... If it can't, then this is likely to get ugly."

Read the entire column at Reuters.

10:32AM

Time's Battleland: Cyberwar fears: disaggregating the threat

Is that China over there, stealing everything?

My man Mark Thompson puts up a cheeky post yesterday that I most heartily approved of. In it he speaks of cyberwar worrywarts and rightly fears that, as the terror war recedes in some priority, new little piggies approach the DoD trough. And as these cyberwar advocates find such a prime target in China, I would note that their efforts merge with those of the big-war crowd that also hopes to regain ascendancy - despite the overall budget crunch.

Now, Mark gets immediately taken to task by none other the great Bruce Sterling over at Wired (HT, Craig Nordin) . . .

Read the entire post at Time's Battleland.

11:40AM

Time's Battleland: As you approach #1, the catch-up tactics need to cease

NYT story on how the Defense Department suffered a massive loss of data during a hack last March.  Pentagon won't say which country is to blame, which makes it either China or Russia. Why tell us now?  The cleared version of the new US cyber strategy is being released, as Mark just noted.

Read more at Time's Battleland.

10:44AM

Time's Battleland: Cyber-espionage: We're #2! We're #2!

V is for Vendetta

Economist story (6/18) about the recent wave of high-profile attacks by hacker collectives references "SQL injections," or the technique of penetrating databases of companies, agencies, etc. McAfee, the web security firm, says about half of those it tracked over the first quarter of 2011 were made by Chinese "cyberspies" - a rather imprecise term for the Economist because it implies all are working for the government when, you know, China isn't exactly without criminals or hacktivists.

Read the entire post at Time's Battleland.

Pic above if from actual Economist story.  Damn those Wachowski bros!

Just rewatched the film (2006) about a month ago.  Big fun for fans of Natalie Portman and Hugo Weaving - and Stephen Rea.  Also a great turn from my big favorite John Hurt (he gets to play Big Brother this time!).

The real continuity goof with the film: the West's fictional descent into fascism begins with a US-led invasion in the Middle East in response to a terror strike. Oh well, guess we have to settle for the Arab Spring instead.

Dang!

6:17PM

Time's Battleland: Comparing my Time Battleland post on the new US cyber strategy with my World Politics Review column on the same subject

 

NOTE: BECAUSE THE COMMENT OCCURRED HERE BUT INVOLVE THE TIME BATTLELAND BLOG, I CROSS-POST THIS EXCHANGE ON BOTH SITES.

Reader Brad Hancock jumps at the chance to compare my recent Time Battleland post on the new US cyber strategy with my just-published World Politics Review column.

Mr. Hancock comments at my Globlogization site that:

Compare this piece in WPR to the one Barnett wrote for Time on the same subject three weeks ago. Time readers were literally told they should fear the lowered tripwire for great power war and that "Dr. Strangelove has re-entered the Building", complete with a Guns of August/President Palin scenario in case they didn't get the picture. They were forewarned that "all such concerns will be downplayed by sensible national security types" but the hot war capacity would remain.

Now, WPR readers are told "there's no reason to fear America's decision to fold the cyber realm into this overall deterrence posture..." and, of course, the hot war capacity will remain. I understand the need for using a different tone when writing for different outlets such as Esquire, Time, or WPR. But the Time piece was full of sensational fear-mongering that Barnett rightly criticizes when he sees it in others. This makes me wonder if I should ignore him when he uses his "outside voice."

Suffice it to say, I am always happy when people read my various pieces so carefully!

Here's my answer to the charge:

There are some in the national security community who consistently hype the cyber threat - as in, the amazing damage they can do to us in an instant!  I am not one of these types, and nothing in my years in the IT field (first working for the Center for Naval Analyses across most of the 1990s, then the Defense Department in the years leading up to and following 9/11, and since 2005 as an executive in a IT technology firm in the private sector) has convinced me that offensive cyber warfare trumps America's innate resilience as a networked economy/polity/military/society/etc.  We can always take one on the chin, but our resilience will prevail.

There is, within that more worried segment of the community, a subset that advocates very aggressive countering responses, believing that any enemy's opening shot should be met with a big-time response. Those thinkers and decision makers may well feel greatly empowered by the new US cyber strategy - depending on how it plays out in the real world in coming years (for now, the strategy is mostly words on pages moving toward realized policy).  I believe that those hardcore cyber response types can be considered in the same context as the we-will-inevitably-go-to-war-with-China types, in that both are looking for hunting licenses. Again, depending on how you look at it, the new US cyber strategy may well provide one.  I think that's dangerous - as in, Strangelovian dangerous.

That is what I addressed in the Time post.  There I focus on the start of what could be any number of types of crises ("Is that a normal blackout or the start of WWIII?") and the dangers of small things spiraling out of control into big things.

There are also many of us in the national security community who believe that any state that will launch a major offensive cyber attack on the US (as opposed to the day-to-day snooping/hacking/thievery - all of which the Chinese do in spades) will do so only as prelude to a full-on attack.  Why?  Why blow your super-secret wad on anything less, especially if the US might misinterpret and light you up with nukes in response?  If a non-state actor does so, then we're on a different track (he can't follow up with a full-on attack and we can't exactly respond in-kind kinetically, can we?).

If you think along these lines, then you're more likely to advocate folding in our cyber deterrence strategy - with regard to state actors like China - into something more like our nuclear version (i.e., we basically tell you, if we think you're going all the way, we'll go all the way right back at you).  That threat is mutually assured destruction, and it's meant to be a little crazy and ambiguous.  But it's a threshold threat, and that threshold is decidedly high - as in, we really need to believe you're going all the way.

In the WPR column, I wrote about that threshold argument and the desirability of viewing the new US cyber strategy along those lines.  I was sounding no alarm on this score, but contextualizing - as I prefer to - the new cyber strategy as being in line with past strategic practice.  But not everybody agrees with this logic. 

So the two pieces reflect two different ends of the spectrum:  in the Time post I warn about those who may take off running with the new strategy, believing it empowers the national security community to spot "war" on a near-continous basis with China.  In the WPR column I pull back my lens and go with the threshold of great-power war argument, which I believe must be kept very, very high, and I'd like to see the cyber strategy be interpreted as strengthening and not weakening that threshold.

So to sum up: if you believe that cyber warfare is an entirely new animal and that the new cyber strategy empowers the US national security community to treat it as such, possibly redefining the acceptable pathways to great power war, then I think you should be very much afraid of what may be done with this new approach. If you see cyber deterrence as being in the same ballpark as nuclear deterrence - despite its many obvious differences, then you can view the new strategy with more calm.

Problem is, all sorts of national security "blind men" will be feeling up this "elephant" in the coming months and years, and darn near each will walk away with his or her own impressions.  That's why we need to debate this subject from a variety of angles and - yes - use a variety of voices and venues. I don't believe in reducing the threshold of great-power war, but some in the US national security community most decidedly seek to do just that.

Mr. Hancock is correct to point out that I scare in one article and soothe in the other, and that I don't provide obvious linkages between the two rationales.  And that's why I'm glad he made the comment so I could respond in this fashion.

And yes, I had fun picking out the graphic ;<)

9:59AM

WPR's The New Rules: Don't Fear U.S. Cyber Deterrence

It is tempting to view the Obama administration's new cyber strategy as the creation of yet another "conflict domain" to worry about in U.S. national security. Thus, in our enduring habit of piling new fears on top of old ones -- nuclear proliferation, terror, rising powers and failed states, among others -- we imagine yet another vulnerability/threat/enemy to address with buckets of money. In truth, the strategy document is just our government finally acknowledging that, as usual, any fruitful international dialogue on this subject awaits the first move by the system's most advanced military power.

Read the entire column at World Politics Review.

8:11AM

Time's Battleland: "America openly wages cyber warfare around planet"

NYT story describing how Obama administration is funding all sorts of shadow networks to thwart government censorship overseas. I think this is fine.  [Blank] 'em if they can't take the Web - a Defense Department creation, BTW.

Read the entire post at Time's Battleland.


6:00AM

Time's Battleland: "According to new Pentagon cyber strategy, state-of-war conditions now exist between the US and China"

China has been pre-approved for kinetic war strikes from the United States at any time.  Let me explain how.

First off, what the strategy says (according to the same WSJ front-page article Mark cited yesterday):

The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.

In other words, if you, Country C, take down or just plain attack what we consider a crucial cyber network, we reserve the right to interpret that as an act of war justifying an immediately "equivalent" kinetic response (along with any cyber response, naturally).  If this new strategy frightens you, then you just might be a rational actor.

Read the entire post at Time's Battleland blog.