×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Next Arms Race: Cyberweapons

Soulskill posted about 2 years ago | from the mutually-assured-downtime dept.

Security 125

Harperdog writes "Scott Kemp writes about the similarities between the nuclear arms race and the use of cyberweaponry for offensive purposes. As the article points out, offensive cyberwarfare leaves a nation's own citizenry vulnerable to attack as government agencies seek to keep weaknesses in operating systems (such as Windows) secret. Quoting: 'In the world of armaments, cyber weapons may require the fewest national resources to build. That is not to say that highly developed nations are not without their advantages during early stages. Countries like Israel and the United States may have more money and more talented hackers. Their software engineers may be more skilled and exhibit more creativity and critical thinking owing to better training and education. However, each new cyberattack becomes a template for other nations — or sub-national actors — looking for ideas.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

125 comments

GAY (-1)

Anonymous Coward | about 2 years ago | (#40261571)

SUCK MY BALLS. Cyber this. Cyber that!
 
Let's make a big commotion over some absurdly retarded abstract concept that doesn't have any solid realization.
DERP! OOOOh, Cyber!!!

Re:GAY (0)

Anonymous Coward | about 2 years ago | (#40261837)

Wow, -1? I was thinking exactly the same thing, but you beat me to posting.
Parent should have been +5 informative

Re:GAY (1)

CanHasDIY (1672858) | about 2 years ago | (#40261949)

Wow, -1? I was thinking exactly the same thing, but you beat me to posting. Parent should have been +5 informative

Seconded, and with the cajones to say so without going AC.

Granted, OP could have gone about it much more elegantly, but I think they got the point across.

Re:GAY (1)

poetmatt (793785) | about 2 years ago | (#40261993)

This is exactly accurate.

"cyber" claims are purely hype and designed to turn a profit about something that isn't even a real threat. May as well say "cyber epsionage" is some magic new threat as if you know, espionage had never existed before it went cyber.

Re:GAY (0)

Anonymous Coward | about 2 years ago | (#40263227)

To be more explicit.i think the term cyber is essentially used to gain more money for US companies.

Europe recently budgeted 53 million hard earned tax payer euros for cyber defense. For a system that is to be completed by 2012. What can you possibly build in just one year that is of value of 53 million? I'd like to know, how much of this money goes to European companies and how much to US companies. And by European companies I don't mean UK owned fronts that are owned by the US.

Re:GAY (1)

gweihir (88907) | about 2 years ago | (#40263289)

My sentiments exactly. Cyber-BS is the new red, apparently. At least it makes identifying the nonsense-stories easier.

Re:GAY (0)

Anonymous Coward | about 2 years ago | (#40264789)

My sentiments exactly. Cyber-BS is the new red, apparently. At least it makes identifying the nonsense-stories easier.

Count me in.... (even though I have no id)
This cyber crap is killing me.........

or you could just... (1, Insightful)

JustAnotherIdiot (1980292) | about 2 years ago | (#40261587)

government agencies seek to keep weaknesses in operating systems (such as Windows) secret.

God forbid you simply keep these machines offline.
Nope, gotta keep them open for people to find and attack.

Re:or you could just... (1)

s.petry (762400) | about 2 years ago | (#40261667)

Well, you know that media tells you that you must be on line 24/7, and must use Facebook to be a person. They also tell you that you must use Windows right? At least the Windows rhetoric has slowed down a bit lately, but the hype to get people on Facebook is pretty massive.

Re:or you could just... (1)

NIN1385 (760712) | about 2 years ago | (#40262073)

I have seen at least two shows this week, that showed a fugitive and a few suspects in a murder investigation caught with the aid of facebook. These cops and bounty hunters simply logging on to their facebook pages, obtained information about them and their friends and both shows ended with the suspects and fugitives behind bars. If there was ever a deterrent to not use this "social networking" site, these are some strong reasons. It puts everything about you out there for anyone to find. These were cops... imagine what bad people could do to you or your life with this site.

Re:or you could just... (0)

lightknight (213164) | about 2 years ago | (#40262665)

Macs. Everyone must use Facebook, and own a Mac. Check out the number of Macs prominently displayed in the latest movies.

Re:or you could just... (1)

s.petry (762400) | about 2 years ago | (#40264345)

I thought it was MAC for the people of power or with money, but Windows for the rest of the world. I have to watch some TV I guess. On second thought.. nah, I'll take your word for it! Thanks for the catch!

Re:or you could just... (2)

ozduo (2043408) | about 2 years ago | (#40264415)

Macs. Everyone must use Facebook, and own a Mac. Check out the number of Macs prominently displayed in the latest movies.

it's called product placement, the cigarette industry have been paying movies to show people smoking for 50 years.

Re:or you could just... (5, Insightful)

Anonymous Coward | about 2 years ago | (#40261687)

The nuclear enrichment site at Natanz was kept offline. That didn't keep stuxnet out of there.

The problem with security in general is that no matter how many protections you put in place humans are still the weakest link. We will always make mistakes.

Re:or you could just... (1)

NIN1385 (760712) | about 2 years ago | (#40262015)

We also pay people a lot of money to ensure that mistakes happen to people we don't like and/or agree with.

Re:or you could just... (1)

couchslug (175151) | about 2 years ago | (#40261689)

We need more destructive malware that wrecks unsecured systems, or USERS WILL NEVER CARE ABOUT SECURITY.

Immune responses are built be sustained attack.

Humans aren't wired to worry about vague threats of things they will never understand. They ARE wired to worry about their machines being bricked and the loss of data they will never back up.

No profit there. (2)

khasim (1285) | about 2 years ago | (#40261853)

Where's the profit for the cracker in a dead machine?

But if that machine can be turned into a zombie ... lots of money making opportunities.

Re:or you could just... (0)

Anonymous Coward | about 2 years ago | (#40261735)

Interesting concept

captcha Spherical

Re:or you could just... (4, Insightful)

mrchaotica (681592) | about 2 years ago | (#40261737)

I interpreted that statement differently: it's not that government agencies seek to keep weaknesses secret in order to avoid being attacked, it's that they want them secret so that they can use those weaknesses to attack others.

Re:or you could just... (2, Insightful)

lightknight (213164) | about 2 years ago | (#40262645)

Indeed. Were I in the military, I'd personally ensure that any computer connected to anything remotely important did not even have an Ethernet connector.

The sad part is, the military probably thinks we are joking when IT people tell them "No, really. Just don't connect anything important to the internet. It will be cracked, no matter what the security vendor / sales guy is telling you." It can be running the most harden variant of Unix you know of, with all sorts of security schemes; but if you put it on the internet, it will be found, with people lining up to try and get in.

But I digress. The entire computer 'security' industry that has sprouted up over night is headed by people who couldn't make it as network admins, but want the same rights and privileges. Whole corporations following the advice that is found on page 209 in most 'Welcome to {insert name} Operating Systems: An Administration Guide'

I guess they need to see it from our stand-point: it's a triple face-palming (when it's so bad, you need a friend to lend you a hand) event. However, they probably just hear cursing that would make a sailor blush, and think it's those 'discontent' tech people.

Cant the US just buy a majority stake in MS (0)

Anonymous Coward | about 2 years ago | (#40261591)

And push out an update installing a govt operated backdoor to all Windows computers
That update can be disguised as some benign functionality
Similarly buy Canonical for Ubuntu and a few more major players

Re:Cant the US just buy a majority stake in MS (1)

Anonymous Coward | about 2 years ago | (#40261713)

You don't think that there aren't backdoors already, at the request of the US Government?

Re:Cant the US just buy a majority stake in MS (2)

ae1294 (1547521) | about 2 years ago | (#40262009)

And push out an update installing a govt operated backdoor to all Windows computers
That update can be disguised as some benign functionality
Similarly buy Canonical for Ubuntu and a few more major players

Https://en.wikipedia.org/wiki/NSAKEY

It's like cheap muskets! (1)

s.petry (762400) | about 2 years ago | (#40261729)

The plus side is, that creating cyber attacks is very cheap. Learning the low level instructions is not so easy, but the advent of the internet makes things easy to find. Hell, I have never coded a graphics device in my life but I can find a great number of header files that know the calls.

In the US, this is going to be extremely difficult in a year. The new NSA supercomputers will be on line spying on everything being done. They will be able to track you pretty quickly. Outside of the US, tracking someone down will be much harder. I.E. We can determine now that a great number of attacks come from China, but unless China cooperates we have no real person to address/charge/etc..

Not until someone dies. (1)

khasim (1285) | about 2 years ago | (#40261781)

The problem I have with the "cyber weapons" terminology is that they are weapons which do not kill anyone. Not that that is a bad thing.

But it places them more in the "vandalism" category rather than than the "weapon" category.

Now it may be technologically advanced vandalism delivered by double agents ... but it's still just vandalism.

The same as pouring sugar into gasoline tanks would be.

Re:Not until someone dies. (4, Informative)

Baloroth (2370816) | about 2 years ago | (#40261881)

A weapon does not have to kill someone or indeed even be able to kill someone to be a weapon. The two definitions are "a thing designed or used for inflicting bodily harm or physical damage" and "a means of gaining an advantage or defending oneself in a conflict or contest." Cyberweapons fulfill both, except, of course, it's "cyber" damage, not physical (hence the name, which of course is stupid but effective).

What Anonymous does is effectively vandalism, yes. Stuxnet, however, was a weapon.

Sugar! The deadliest weapon! (1)

khasim (1285) | about 2 years ago | (#40262013)

A weapon does not have to kill someone or indeed even be able to kill someone to be a weapon.

Except that once you go down that route EVERYTHING becomes a "weapon" and the term "weapon" becomes meaningless (since it means everything).

And while "weapon" CAN mean something else, the term that more correctly describes that action is "vandalism".

Re:Sugar! The deadliest weapon! (1)

Baloroth (2370816) | about 2 years ago | (#40262225)

Except when something like Stuxnet is deliberately designed to sabotage and damage a weapons development program, or a virus is designed to shut down the power grid. Some thought is required when assigning the term "weapon" to an object, just as with many nouns. LOIC? Not a weapon. As you say, that is vandalism. A virus that causes a reactor to explode? Weapon, not vandalism.

Flame and others are obviously subject to debate about whether they are actually "weapons" or not, especially since we have no idea what it really did, but it can be convenient to lump together all such programs that were created by some high-level organization for some specific purpose as a "cyberweapon": even if it was only intended for espionage purposes (which would make it tricky to call it a "weapon"), you can generalize a term to include things not ordinarily in the same genus if their characteristics are such that it is useful to do so. Since there is no other term widely used for such a program, "cyberweapon" will have to do, unless you can come up with some other term that will be widely accepted to refer to (likely) government-designed sophisticated malware designed to be used against foreign nations.

Re:Sugar! The deadliest weapon! (1)

s.petry (762400) | about 2 years ago | (#40262327)

Did you know that in courts, people have been convicted of using frying pans as weapons. We can add shoe laces, bricks, fishing line, and even spoons to that list. We have drones that fly by TV screen and people use Joysticks to launch weapons. In that case, computers and technology are very much weapons. As would be the radios providing the intelligence to find targets. Voices have been used as psychological weapons dating back to WW I, when we had loudspeakers on the front lines. The term weapon in this case has not become meaningless at all.

The logic is a bit flawed in your argument. What I mean is that technically anything can be a weapon. Computers are not an exception. Because it can be used as a weapon does not mean we re-classify things as weapons. A frying pan's main purpose is still for cooking, and the meaning of weapon is still the same.

Re:Sugar! The deadliest weapon! (0)

Anonymous Coward | about 2 years ago | (#40263611)

Sugar is a weapon - specificly an explosive. With the right know how, a 5 pound bag of sugar will distroy a house and just about everything in it.

Re:Sugar! The deadliest weapon! (0)

Anonymous Coward | about 2 years ago | (#40263803)

So? Weapon has been able to mean pretty much any object for hundreds of years. I don't care if your English sucks so much you thing otherwise. If I want my fist to be a weapon, it will be a weapon. If I want my bottle of wine to be a weapon, it will be a weapon. If I want my computer to be a weapon (physical, or otherwise) it will be a weapon.

Re:Not until someone dies. (1)

schlachter (862210) | about 2 years ago | (#40262641)

don't assume that cyber weapons can not inflict bodily harm or physical damage. They already have...many times over.

Re:Not until someone dies. (5, Interesting)

ThunderBird89 (1293256) | about 2 years ago | (#40261953)

The same as pouring sugar into gasoline tanks would be.

Your saboteur just "poured sugar" into the tank of every HMVV, jeep, tank, and vehicle on the eve of your invasion on the base nearest to your entry point. The defender is going to have a mighty hard time forming an effective defense with no mechanized infantry and armor. Even harder if the power grid and water pumps suddenly go down in a major city that necessitates the Army's assistance in supplying and policing the area (most countries armies double as disaster relief too). Oh, and factor in that the communication relays are suddenly transmitting garbage and white noise.
To add insult to injury, you now have the blueprints of their newest tanks, so even if they manage to clean out the turbines and get them running again, your gunners will know exactly where to shoot to take them out in one hit, and you know exactly how long their air superiority fighters can stay in the air, how high they can climb how fast, etc.
And for a final "Fuck you", your hackers broke into the enemy's central bank's network, along with a few other major banks in his country, and 'diverted' most of the country's funds, including all the foreign currency stockpiled on the central bank's accounts, to you a day or two after the first shot rang out, so the state as a whole is left penniless and unable to pay its army.

As a wise man once said, "Knowing is half the battle". Infrastructure is good 25% or more, so you're left with 25% at most that constitutes military might. Far fewer casualties on your side, and possibly fewer on the target side as well if the leaders recognize early on that they have lost the war before the first shot was fired (since they can't mount a proper defense due to the chaos and lack of funds). Cyberwarfare can certainly kill, but it need not do so, for the objective is to cripple the target so the army encounters less resistance.

Re:Not until someone dies. (4, Funny)

sdguero (1112795) | about 2 years ago | (#40262237)

I never really thought of G.I Joe as a wise man...

Re:Not until someone dies. (2)

ThunderBird89 (1293256) | about 2 years ago | (#40262453)

And I need to re-read my Art of War if I attributed that to Sun Tzu...
Although I'm sure he said something to the same effect too.

Re:Not until someone dies. (0)

Anonymous Coward | about 2 years ago | (#40262711)

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle

-Cobra Commander ;-)

Re:Not until someone dies. (1)

Anonymous Coward | about 2 years ago | (#40262777)

Amazing summary. You left the part out about how you leave your enemy so paranoid they can't trust anything or one and the cost of doing business goes through the roof.

Someone has definitely read the Art of War and taken it to our level which is so cool, I welcome the 21 century, game on.

Re:Not until someone dies. (1)

ThunderBird89 (1293256) | about 2 years ago | (#40265029)

Ideally, there's no time for the enemy to become paranoid. Should everything go according to plan, and should the plan survive first encounter, a war like this would be a literal "They don't even know what hit 'em", and should be over in less than a week with an unconditional surrender.

Re:Not until someone dies. (2)

maxwell demon (590494) | about 2 years ago | (#40262039)

The problem I have with the "cyber weapons" terminology is that they are weapons which do not kill anyone.

That's not a given. What about a malware which causes a nuclear power plant to blow up? What about one which just opens all gates at a major dam, causing a flood downstream? Or more subtle, what if some malware in a hospital is used to kill people by making machines emit too much radiation, by making life-support machines to switch off themselves, or even simply by slightly manipulating the medication plan? That may even be used for targeted killing. Not to mention the fact that cyber weapons could also be used to gain control over real weapons.

Re:Not until someone dies. (3, Interesting)

ae1294 (1547521) | about 2 years ago | (#40262057)

The problem I have with the "cyber weapons" terminology is that they are weapons which do not kill anyone. Not that that is a bad thing.

They could be made to kill people. Your local hospital is probably still running WinNT/2k on a lot of their equipment. Think of all the trouble one could cause for a nation if you infected their hospitals. Talk about a terror attack...

Re:Not until someone dies. (1)

lightknight (213164) | about 2 years ago | (#40262807)

Yes, but it's time consuming, and far too much effort for what it's worth.

Re:Not until someone dies. (1)

ae1294 (1547521) | about 2 years ago | (#40263703)

Yes, but it's time consuming, and far too much effort for what it's worth.

Eh? Isn't that the definition of a government project?

Re:Not until someone dies. (1)

lightknight (213164) | about 2 years ago | (#40266865)

*facepalms*

I agree with your assessment, but damn is that depressing to read at 4 AM.

Still the idea of bringing war to the internet is...well, you don't want to know what I think about it. Caricatures of Officer Farva (from Super Troopers, http://4.bp.blogspot.com/_a1Gr4UKmN6Y/S-nv_mdqNvI/AAAAAAAACTM/dQ0-RwCCau8/s1600/largefarva.png) come to mind when I think of the kinds of people training to be 'cyber-commandos.' The idea that they want to turn our playground into a battlefield...

Re:Not until someone dies. (1)

gorzek (647352) | about 2 years ago | (#40262091)

Although I find the tendency to prefix "cyber" to everything a very tedious practice, consider that software flaws very well can be used to inflict physical damage--Stuxnet being the perfect example of that.

As computers take over more and more tasks, I think it's inevitable that a malicious individual will use a software flaw to cause the deaths of a significant number of people. I just think it's silly to call that sort of thing "cyberwarfare." It is sabotage, plain and simple. That it's done with code rather than a wrench doesn't make it fundamentally different, though it is perhaps harder to detect.

Re:Not until someone dies. (4, Interesting)

s.petry (762400) | about 2 years ago | (#40262157)

Military doctrine states very clearly that the best weapons do not kill people at all. The best weapons will cause damage that takes people off line, so that your killers have less targets to deal with. This is why your first targets in a war are the command and control centers, radio towers, and major transit routes. The first targets are never a "Kill". This is also why the 5.56mm round is designed to wound, not kill (by no means does this mean that the round does not kill, however the size and shape are designed to do do damage without killing. If we intended to kill the round would be much larger and heavier).

In the case of espionage, this is much more complex. Gaining information on movements and targets, locations of C&C, and lastly impersonation. How many of those statements released by Egypt's leaders, or Libya's leaders were really from them? That last game is played much more often than you would guess.

Re:Not until someone dies. (4, Interesting)

Mysticalfruit (533341) | about 2 years ago | (#40262161)

Recently a vulnerability was found in a pacemaker / defibrillator that reported stats about the patients heart via bluetooth. The attackers found that they could alter the users heartrate and induce the device to attempt to defibrillate the patients heart on cue.

Likewise, vulnerabilities have been found on devices connected to CAN (Car Area Networks) were attackers could over the cellular link to the car (via something like on-star) do things like disable the air bags, engage the cruise control, etc.

Imagine the mayhem a terrorist group could cause if say they took an ultra small device and buried next to the road that randomly would insert malware into peoples cars as they drove by that after some random number of miles, locked the doors, disabled the brakes and air bags and then set the cruise control to 100mph.

[http://isutech.wordpress.com/2012/03/11/all-your-devices-can-be-hacked-2/]

Re:Not until someone dies. (1)

johnny cashed (590023) | about 2 years ago | (#40262297)

A weapon need not be lethal to be considered a weapon. A two foot length of rubber heater hose can be used as a whip, it isn't very lethal but it will hurt like hell. Sure, you could probably use it to strangle someone, so in that sense it is a lethal weapon, but so are one's hands.

A weapon is something that can be used to assault or injure someone (or destroy or damage material). Its lethality is tangental. Can be a rolled up newspaper or a computer virus attacking life supporting equipment in a hospital.

Re:Not until someone dies. (1)

lightknight (213164) | about 2 years ago | (#40262865)

Indeed, but human beings typically assign priorities to the ability of a weapon to deal damage.

Let me explain:

Nuclear / Chemical / Biological weapons score a 10 / 10.
Your average military fighter / bomber / tank...gets a 7 / 10.
Your average gun, a 5 / 10.
Your average knife, a 3/ 10.
Your average computer virus, maybe a 0.5 / 10.

The whip gets a 1 / 10.

Re:Not until someone dies. (0)

Anonymous Coward | about 2 years ago | (#40262547)

I doubt it's that easy to separate damage to infrastructure from physical harm to people. What if a compromised computer causes traffic lights to come on at the wrong time, causing accidents? Scaling up a bit, what if a compromised computer cuts off power to a hospital and people die as a result? Or scaling up even further, what if a nation-wide failure of communication infrastructure results in a famine because we can't get food from producers to consumers before it spoils?

I don't think any of these scenarios is likely, but it's important to consider the second-order effects of that vandalism.

Re:Not until someone dies. (1)

lightknight (213164) | about 2 years ago | (#40262769)

Hmm. "Cyber weapons," specially designed, might be able to kill people, but only as a side effect. It all comes down to what the system is connected to, and you need to get the 'enemy' to connect an internet enabled computer to it first.

Of course, there are other methods, but it's easier to usually do it without resorting to 'cyber' weaponry.

If I want to kill a regiment of soldiers, do I
a.) hack into a satellite, plot a trajectory that would give a super-computer a head-ache, and drop it on them? or
b.) dig a hole about 5 feet deep, sight the 'enemy,' and deploy the Davey Crockett?

Re:Not until someone dies. (1)

Johann Lau (1040920) | about 2 years ago | (#40265015)

Being able to just pour sugar into gasoline tanks would actually be a pretty sweet capability... yeah, you could even say that explosives are used mostly against armoured targets because the gasoline tanks can't be reached, and you can't get close enough to screw a lid on the barrel of the gun etc. If you could just stop stuff from moving and firing, why bomb to bits what you could keep for intelligence and spare parts?

Besides, if you take down the enemy network, you end up with soldiers you can see, who can't see you... *then* violence ensues, and something could never be considered hardly mere vandalism when it's designed to enhance combat.

what this means... (0)

Anonymous Coward | about 2 years ago | (#40261783)

...is that some scrounging businessmen with friends in government have "Cyberwar tools" to sell, and they want to suckle on the teat of Uncle Sam and his New European sibling governments.

The nuclear arms race wasn't that bad . . . (2, Insightful)

PolygamousRanchKid (1290638) | about 2 years ago | (#40261787)

. . . because both sides were scared enough not to even think about using them. Just a few isolated tests here and there in underground isolated places. No, or very limited, collateral damage.

With the Cyberweapons arms race, it seems to be like the wild west. Cyberweapons are being deployed and tested everywhere, and affecting innocent bystanders. Imagine having nukes tested in your backyard. Or Cyberweapons tested live on your Internet.

Re:The nuclear arms race wasn't that bad . . . (4, Interesting)

Baloroth (2370816) | about 2 years ago | (#40261933)

The difference is that cyberweapons inherently exploit fixable weaknesses in existing infrastructure (assuming the government isn't just inserting backdoors, which they may be doing, but they are also doing much more). The more widely they are used, the greater the pressure to fix those weaknesses and implement better security practices. Given that criminals are going to use those weaknesses even if every single government stops, that means they have fewer and fewer exploits and avenues to exploit, which is good for everyone.

It's more like a rat infestation than nuke testing. Sure, it's annoying, but the more of the bastards you get, the faster you can patch all the holes they are coming through (and the more rat poison to stop the stragglers).

Re:The nuclear arms race wasn't that bad . . . (0)

Anonymous Coward | about 2 years ago | (#40266737)

It's more like a rat infestation than nuke testing. Sure, it's annoying, but the more of the bastards you get, the faster you can patch all the holes they are coming through (and the more rat poison to stop the stragglers).

Seems like a good thing for those in the poison, hole making and hole patching industries. Not so good for everyone else, though. And if you view government malware as a good thing you must also see crackers as good. The way I see it both are bad, but one is a criminal who will try to his best to break into your system and spy on you. The other is a cracker. He'll try the same thing but without access to an unlimited budget.

Finally, an arms race for the rest of us... (0)

Anonymous Coward | about 2 years ago | (#40261799)

Next thing you know, a malicious piece of code will "go viral" and a twelve year-old kid will outgun every government on earth.

Or how about asking how many people would consciously and knowingly allow code to run on their PC (unobtrusively in the background, of course) that would disrupt or cause harm to their perceived enemies. Lots and lots, I bet.

Re:Finally, an arms race for the rest of us... (1)

plover (150551) | about 2 years ago | (#40262247)

Or how about asking how many people would consciously and knowingly allow code to run on their PC (unobtrusively in the background, of course) that would disrupt or cause harm to their perceived enemies. Lots and lots, I bet.

LOIC [sourceforge.net] , for the play-at-home version. And "lots and lots" would be a fairly accurate estimate.

Public Policy (4, Interesting)

girlintraining (1395911) | about 2 years ago | (#40261801)

Governments want to keep vulnerabilities secret so they can hit the enemy, but the enemy has the same equipment and setup as ours. If you increase resistance to attacks locally, the same happens remotely.

So the decision to be made is, what's more important: Our offensive capability, or our defensive capability? It's a zero sum equation, but with a twist: Every offensive action creates a corresponding signature which can be used to increase defense against that action next time. Effective surveillance increases the chance of detection and remediation. So the tipping point is the ratio of exploitable vulnerabilities (think of this as army size) each party possesses. If you have more than your enemy by a considerable margin, your enemy is unlikely to attack. Conversely, if you don't have sufficient resources to discover and refine vulnerabilities and the intelligence capabilities to know where to use them (and when), your best response is to form alliances with others, so that when a vulnerability is used on their infrastructure, they share their surveillance with all parties; thus creating a force multiplier in favor of defense.

I guess my point is that the problem can be framed using conventional military tactics, rules of engagement, etc.; But I would hesitate to equate it to military action. Otherwise you wind up in a legal quagmire: That would be turning that guy who keeps trying to run Reaver against my router to hack his way onto my network into an enemy combatant or a private citizen into an arms dealer for having a copy of TrueCrypt.

Re:Public Policy (2)

ThunderBird89 (1293256) | about 2 years ago | (#40262215)

That's a rather good analogy, but with a significant flaw: states know the size of other armies almost exactly (satellite imagery allows them to discern the housing capacities of bases, and lets them detect aircraft, armor, navy, etc. from orbit, or at least a close approximation of their number, and possibly even type, armaments, defenses, etc. Plus, much of that information is public or obtainable, since it's private corporations that manufacture these units), while the number and type of exploitable vulnerabilities your opponent has is unknown, otherwise you would have patched that vulnerability, and it would no longer be exploitable.

I'd say that cyberwarfare is a sort of 'supplementary warfare', designed to shorten a war and lessen casualties by causing enough confusion and chaos that the enemy can't mount an effective defense and is forced to surrender. I'm not sure it has even a remote equivalent in terms of conventional warfare, other than SIGINT or electronic warfare, which are anything but conventional.
Oh, and just saying: running Reaver will never make anyone into an enemy combatant, there's a specific set of criteria to be fulfilled. This is why the Taliban and al-Quaeda terrorists are 'free game': they are not combatants, but simple criminals, and as such, the Geneva Conventions don't apply. If soldiers catch one, and nobody's around ... well, sucks to be that guy because shooting him dead won't be a crime.

Re:Public Policy (1)

girlintraining (1395911) | about 2 years ago | (#40263929)

That's a rather good analogy, but with a significant flaw: states know the size of other armies almost exactly...

It wasn't always that way. It's not like satellites have been around since war was invented. Just because the technology and methodology has changed doesn't mean that principles behind control of terrain, force multipliers, offense versus defense, etc., are any less valid.

I'd say that cyberwarfare is a sort of 'supplementary warfare', designed to shorten a war and lessen casualties by causing enough confusion and chaos that the enemy can't mount an effective defense and is forced to surrender.

If you are able to spread a virus that attacks critical infrastructure like the electric grid, water supply, hospitals, etc., you can unbalance the civilian population, which means fewer resources can be devoted to a military response -- it's a lot harder to maintain an army when your own population is starving, in the dark, or cannot receive medical treatment. I wouldn't say it's as "supplementary" as nuclear weapons. Sure, you might not let one off the chain everytime there's a problem, but having the capability constrains the number of options the enemy has.

Re:Public Policy (1)

ThunderBird89 (1293256) | about 2 years ago | (#40264045)

I'd say that cyberwarfare is a sort of 'supplementary warfare', designed to shorten a war and lessen casualties by causing enough confusion and chaos that the enemy can't mount an effective defense and is forced to surrender.

If you are able to spread a virus that attacks critical infrastructure like the electric grid, water supply, hospitals, etc., you can unbalance the civilian population, which means fewer resources can be devoted to a military response -- it's a lot harder to maintain an army when your own population is starving, in the dark, or cannot receive medical treatment. I wouldn't say it's as "supplementary" as nuclear weapons. Sure, you might not let one off the chain everytime there's a problem, but having the capability constrains the number of options the enemy has.

That's exactly what I meant by supplementary: it doesn't (usually) kill on its own, it just weakens the enemy force, hopefully enough to force a surrender.

That's a rather good analogy, but with a significant flaw: states know the size of other armies almost exactly...

It wasn't always that way. It's not like satellites have been around since war was invented. Just because the technology and methodology has changed doesn't mean that principles behind control of terrain, force multipliers, offense versus defense, etc., are any less valid.

True, war was not always an almost-fully informed game. However, while some of the tactics and strategies discussed by Sun Tzu are still valid, most have been superseded: terrain is no longer a constraint when you can air-lift your troops into position and conduct air strikes and bombardment over strategic ranges, the traditional maxim of "Defenders are at advantage" of castles no longer stands when a single attack fighter carries enough firepower to reduce any medieval castle to rubble, just as knight were supplanted by crossbows and firearms, cavalry was supplanted by armor and small infantry squads shadowing the armor. Soon, even airspace may become irrelevant as nations will drop troops and supplies from orbit, completely bypassing enemy defenses.
Technology changes more than just the methods used to wage war, a new tool in the arsenal changes the very priorities and doctrine used, it can change everything about warfare.

More like biological weapons than nuclear, I think (4, Insightful)

JSBiff (87824) | about 2 years ago | (#40261803)

I'd say this is a bit more like biological weapons, and less like nuclear - more likely to spread, more likely that a single individual or small group can successfully develop and deploy them, some chance that once deployed, it will come back to attack its creator-state, because you can't be completely sure you can control it. (That is to say, once a given nuclear device is detonated, it's gone and can't attack again, but biological can cyber weapons can be harvested, tweaked, and re-deployed against you).

Correction! (0)

Anonymous Coward | about 2 years ago | (#40262067)

More like biological weapons than nuclear, I think

Nucular. It's spelled nucular.

cyberweapon = malware (0)

Anonymous Coward | about 2 years ago | (#40261827)

ya virii trojans , rootkits , process hiders ya ....like its new and ok for corporates and govt ....i swear i ought to unite 1000 good people and wipe every govt page off the earth for being retards....

template? not necessarily... (1)

Anonymous Coward | about 2 years ago | (#40261843)

When you drop a nuclear bomb on an enemy, is there a warhead left to analyze? Exactly. That's how cyberweaponry should be designed...one time use only, and it destroys itself, whether it's successful or not. Not only does that keep the enemy guessing, but it also keeps the minds behind the attacks active and creative.

Re:template? not necessarily... (1)

Anonymous Coward | about 2 years ago | (#40261941)

When you drop a nuclear bomb on an enemy, is there a warhead left to analyze? Exactly. That's how cyberweaponry should be designed...one time use only, and it destroys itself, whether it's successful or not. Not only does that keep the enemy guessing, but it also keeps the minds behind the attacks active and creative.

Actually, there is enough left to analyze. The decay products can tell you a lot about the material in the warhead. Arguably, enough to identify not only the nation state, but possibly even the location where the material was enriched or processed.

Which is a rather good parallel to cyberweapons. If too much of the target starts falling apart for no apparent reason, the bad guys start poking at the computers, and eventually find the root cause. A good cyberweapon wipes itself out, but much like the nuke, there's a significant risk that it will leave enough traces behind to enable its opponents to learn something about its construction. A great cyberweapon operates below the threshold of detectability both during infiltration, during its active phase, and after its mission is accomplished.

If there are great cyberweapons out there, by definition, we don't know about them. And hopefully will never find out until 25-50 years after the fact.

Re:template? not necessarily... (2)

plover (150551) | about 2 years ago | (#40262855)

When you drop a nuclear bomb on an enemy, is there a warhead left to analyze? Exactly. That's how cyberweaponry should be designed...one time use only, and it destroys itself, whether it's successful or not. Not only does that keep the enemy guessing, but it also keeps the minds behind the attacks active and creative.

Cyberweapons come in two main flavors: code that runs internally on the target system (malware such as Stuxnet, Flame, Duku, etc.) and attacks that are run external to the target (Distributed Denial of Service DDoS attacks from tools such as LOIC, disabling the routers that serve the target, disrupting their DNS, etc.) External weapons remain safely out of the hands of the target. The only thing the target gets is the SYN packets, or the RST packets, or a dead router. An analogy would be that nothing in physics says you get a copy of the gun that's shooting at you - you only get the bullets.

But it's the internal weapons that deliver the real value. They don't just deny the target from using their systems, they are weapons that do the spying, damage centrifuges, take out oil pumping stations and pipelines, shut down electric grids, etc. But to do their work, they must be delivered all the way to the target, where they are they are subject to interception and copying, and are even subject to modifications that would enable them to be used by the target against their enemies. Metaphorically speaking, in a cyber-war, every cyber-hand grenade thrown comes with a blast-proof set of blueprints for making more hand grenades. You don't get to make statements such as "weapon, destroy yourself" because they can always be intercepted and copied.

Funny (0)

Anonymous Coward | about 2 years ago | (#40261887)

This is stupid. Microsoft has already stated that it won't allow future ARMs platforms
to run both Windows and Linux. You can't haz your war if that's true, can you?

CAPTCHA = reawaken

Uhhh Redundant story (1)

NetNinja (469346) | about 2 years ago | (#40261913)

I have been hearing about the next war about cyber weapons for several years. Seems the same old tricks keeps geting them time and time again.

Cyberwarfare leads NOWHERE.. (1)

dryriver (1010635) | about 2 years ago | (#40261983)

Ok, so you work with the Israelis and Brits/Germans/French to sneak some viruses into the computers of Iran, Russia and China. You pop a couple of beers and celebrate as the targeted computer systems lockup or crumble.... --------> Two years later. Iran, Russia and China pull off a successful cyberattack against computers in the U.S., Israel, Britain, Germany, France. Now the "Allies" have to deal with computers that lockup, fuckup, or crumble. Of course, the "Allies" will regroup and launch another cyberattack against Iran, Russia, China. ----------- And so on and so forth... -----------> The NET GAIN from this back-and-forth is what exactly? NOTHING. Cyberwarfare should probably best be left alone. There is nothing to gain from it, and potentially much to LOOSE on all sides.

Re:Cyberwarfare leads NOWHERE.. (1)

Trapick (1163389) | about 2 years ago | (#40262429)

And this is different from conventional war...how?

Re:Cyberwarfare leads NOWHERE.. (0)

Anonymous Coward | about 2 years ago | (#40263427)

instead of MREs and fatigues, it's funions and Evangelion T shirts.

Re:Cyberwarfare leads NOWHERE.. (1)

ThunderBird89 (1293256) | about 2 years ago | (#40262723)

That's not the point of cyberwarfare. When done correctly, you attack with conventional forces while their systems lock up and crumble, and strike into the chaos for a quick win.

Re:Cyberwarfare leads NOWHERE.. (0)

Anonymous Coward | about 2 years ago | (#40263041)

You haven't read enough 1984. The point of cyberwarfare is to maintain a constant threat so that you can justify surveillance and censorship inside your own borders, and to waste resources so that they can't be used constructively in ways that might reduce your power over others.

Re:Cyberwarfare leads NOWHERE.. (1)

SuricouRaven (1897204) | about 2 years ago | (#40263349)

I think you just described conventional war: You hurt yourself in order to hurt your enemy more, and hope that he'll give in before you have to.

Ok slashdot, I'll bite... (1)

Anonymous Coward | about 2 years ago | (#40262047)

Why is it that almost every single article I've read lately thinks I'll like Rand Paul's story?

President is open to impeachment/arrest/jail? (1)

Yakasha (42321) | about 2 years ago | (#40262255)

I'll keep it short & simple:

  • The President believes any cyber attack is "an act of war".
  • Only congress can declare war.
  • Congress has not declared war on Iran.
  • The President engaging in "acts of war" of an offensive nature, is illegal.

terrible cybernews (3, Funny)

Trepidity (597) | about 2 years ago | (#40262319)

One more crippling cybershell hit the already beleaguered cyberdefense community when CyberIDC confirmed that cyberwarfare rates have risen yet again, now up to more than 100 percent of all servers. Coming on the heels of a recent Cybercraft survey which plainly states that cyberdefense has lost more cyberbattles, this news serves to reinforce what we've known all along. Cyberdefense is collapsing in complete cyberchaos.

Cyber-Attack Will Be The New Poison-Gas (1)

Anonymous Coward | about 2 years ago | (#40263339)

Cyber Attacks cannot be controlled once released the same way poison gas could not be controlled once released. As any idiot could foresee, and as has already been demonstrated in the first "International Warfare" "deployments". Like poison gas cyber-weapons go whichever way the wind blows, linger in low areas, in still pockets and under inversions. Their remnants continue to wreak havoc on the more sensitive, as "dispersed" gas did the pigeons used in WWI to carry messages. And, like mustard gas, and DDT, their remains, and effects, will linger in systems, to arise unexpectedly when accidentally or unknowingly triggered.

The difference will be, will it do any good to outlaw cyber-weapons? Or are cyber-attacks too easy for the able and the recipe-follower to put together from common ingredients, once they know how to?

Just one question I have (1)

Anonymous Coward | about 2 years ago | (#40263391)

I don't care about their arms race.

I just want to know:
    is nmap and wireshark protected by the second amendment?

Re:Just one question I have (0)

Anonymous Coward | about 2 years ago | (#40263857)

All firearms (protected) are weapons but not all weapons are firearms. Even in light of McDonald v. Chicago with its incorporation of the Second Amendment against the states via the Fourteenth Amendment, there is language that lets stand "reasonable regulation". That means the usual gang (Maryland, Delaware. New Jersey, New York, Connecticut Rhode Island and Massachusetts and California) need not worry about challenges to their gun-control laws. This would also apply to state computer crime laws. DC v. Heller may be more relevant because it was a federal zone issue and the Computer Fraud and Abuse Act is a federal law.

Let's face it... (1)

UltimaBuddy (2566017) | about 2 years ago | (#40263559)

... tax revenue is like a piñata for some people*, fear- and warmongers in particular.


* = read 'unscrupulous bastards'

Cyberweaponry? Cyberwarfare? (1)

eternaldoctorwho (2563923) | about 2 years ago | (#40263901)

Geez, it's like something out of Doctor Who.... ... ...Oh wait. Cool!!! How long before we have actual Cybermen fighting our wars, stomping around yelling "DELETE, DELETE!"?

US Cyberwar is a Blazing Saddles tactic.. (1)

dweller_below (136040) | about 2 years ago | (#40263991)

The great Prophet Mel Brooks predicted our Cyberwar strategy in his metaphorical vision: Blazing Saddles:

Our (that is, the US's) Cyberweapons threaten ourself more than any other target. We are the most dependent on the internet We have the most to lose. We wave these weapons of self-mutilation around in the hopes that our intimidated foes will not force us to destroy ourself.

What could go wrong?

ALL Praise Irony and His Prophet Mel!

Miles

The Under-Considered Fact Is... (0)

Anonymous Coward | about 2 years ago | (#40264007)

So-Called "low-tech" nations and parts of the world supply the "high-tech" nations' of the world the bulk of their Low-Level coders. Learning the boring basics is a way up and out for the bright and ambitious of the third world.

This means that it is the so-called "low-tech" parts of the world who have the best pools of people having practical familiarity with code and languages, and so the talents most needed to analyse at the levels malicious elements are slipped in. This means that it will be high-tech nations whose populations will be most vulnerable to cyber-attacks, for having more dependence on computer technology, and who will have fewer who are expert in reading at the levels they will need to to discover malicious elements that have been introduced..

FIND YOUR Christian Louboutin (-1, Offtopic)

lornalee (2658025) | about 2 years ago | (#40265243)

Christian Louboutins are few of the most desireable styles in the stylish world. Rivaling creaters like Jimmy Choo, Christian Louboutin has a fascinating Cheap Christian Louboutin Sandals [clshoesboots.com] flair with updated mode. He regularly creates shoe lines that drive women mad with the need to own a pair. Every womem's willingness is holding cheap christian louboutin Shoes, making them the Nike Kids Jerseys $12/pcs [jerseyshopmall.com] latest style Cheap Christian Louboutin D'orsay [clshoesboots.com] they ache for at a an reasonable cost. christian louboutin sale offers a diverse group of collections. It is something for everyone. Wholesale Christian Louboutin Flats [clshoesboots.com] Highlighting with a pair of seductive found in the collections of Short Boots, Mini Heels, High Heels wholesale Christian Louboutin Platform [clshoesboots.com] and Extremely High Heels. You can find a sensible shoe in Louboutins Flats collections. The Total Madness collection is designed for laying out a funky style.

Israel? (0)

Anonymous Coward | about 2 years ago | (#40265343)

Countries like Israel and the United States may have more money and more talented hackers

Valid to the extent that almost everything Israeli is basically rebranded American equivalent.
You'd be hard pressed to use more than one hand to count Israeli original developments (or to mention Israel without inserting America into the discussion).
Not saying they can't, just saying they haven't.

Well... that does it. (1)

ka9dgx (72702) | about 2 years ago | (#40265885)

I'm going to have to write an OS, based on capability based security. Even if it sucks, it'll be the only thing left running after skynet becomes self aware, infects everything, then gets paranoid, then kills itself in a case of mistaken identity. (Total time, 4 hours, 9 minutes, 2.3 seconds)

... owing to better training and education (0)

Anonymous Coward | about 2 years ago | (#40266073)

This contradicts the argument that the US is running out of skilled people in technology. AFAIK, hackers come from wherever there is a progressive mentality in terms of technology and a connection to the nets.

Scott Kemp ( the author) must be living in 1992... And he probably believes that the movie Hackers is based on a true story.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...