cyber_warDanger Room is doing an outstanding job covering the story regarding insurgents capturing data from drones by eavesdropping the airwaves first revealed by the Wall Street Journal. Additional stories have covered other systems potentially vulnerable, potential ramifications of insurgent data interception, and my personal favorite – a discussion with Rex Buddenberg of the Naval Postgraduate School regarding the broader problem where the DoD focuses primarily on link security (communication protection) as opposed to data security (information protection).

But most of the conversation to date has taken a traditional military view of the problem. Ask an Army General what it means when the enemy is using specific tactics to infiltrate your lines of communication, and the General is unlikely to give you any good news. Ask a cyber soldier what it means when the enemy is using specific tactics to infiltrate your lines of communication, and you might notice a slight smile cross the soldiers face. When the enemy is in your lines it means bad news in traditional military terms, but in the asymmetrical world of cyber warfare this development should be seen as an opportunity.

Consider the details surrounding this massive security breach and consider whether things are as they appear. We know a lot of detail, a shocking amount actually.

  • We know what systems are most vulnerable.
  • We know what software is being used by the enemy.
  • We know what hardware is being used by the enemy.
  • We may even have a good idea of the skill level of the cyber insurgent.
  • We have a good degree of knowledge on the devices receiving and potentially disseminating the data.
  • We have complete control over the devices expected to send the information.

In cyber warfare terms, that is a gold mine of information.

There is a phrase in cyber warfare: The distance between information dominance and disinformation dominance is measured in millimeters. The use of “disinformation” in that phrase is often confused to mean playing charades with data (or changing data), but it should be seen in the context of social engineering for information (sometimes described as lie to learn). The DoD treats information as a weapon, always has. That isn’t always a good thing for our strategic communications, but in this case, treating information as a weapon is appropriate. Unless the Wall Street Journal article is one of the best conceived disinformation campaigns in cyber military history, it is very unlikely the WSJ’s source is a cyber security expert – rather a traditional military thinker who is forgetting to channel his inner Clausewitz.

In the old days of full disclosure for computer security vulnerabilities it was common for cyber experts wearing either a white or black hat to utilize a honeypot set to detect, deflect, sometimes counteract, but always to make record of attempts at unauthorized use of information systems. The purpose of most honeypots was to learn new techniques and identify common patterns used in the internet wild. Honeypots were intentionally left undefended in many cases, because the hope was to lure the hacker in.

From a cyber warfare perspective, the short term solution to the UAV video issue is not to encrypt the data (which is the long term solution), rather to use the unencrypted video stream to go after the cyber insurgents – with the specific intention of getting inside their network. It is not complicated to have a normal UAV camera send a video signal exactly as intended for the military function, but include packet data that exploits vulnerabilities in software like skygrabber, or to include code that exploits known vulnerabilities in popular video players. I’m sticking to very common examples that are easily understood by the masses, but at many layers of the UAVs video signal the potential to exploit the unencrypted broadcasted video feed as a weapon is significant.

In cyber warfare on today’s military battlefield, the UAV would became the signaling device intended to turn every unauthorized listening laptop into a potential breached system of the insurgent network, and there are many ways to add data to the UAV video system without compromising the military use of the video system. It is entirely probable the DoD is leveraging the known vulnerabilities of the video feed to turn the insurgent satellite snooper network into a new gateway into the insurgent information network.

While this UAV data breach does represent a horribly designed, taxpayer funded military information network, there is no reason the DoD isn’t already using this “problem” to our advantage, and leveraging the detailed knowledge of the insurgent eavesdropping techniques to get the cyber insurgents unwittingly working for our side. Most of the social engineering work has already been done; we know what the target network entry point, hardware, software, and user skill level… all that is left is to develop and deliver payloads.

Our Clausewitz trained military knows the best defense is a good offense. On today’s cyber military battlefield, going offensive with cyber “smart bombs” is a legitimate response to unauthorized network intruders in a war zone, indeed it should be standard operating procedure for all unencrypted military networks moving potentially sensitive data.




Posted by galrahn in Uncategorized


You can leave a response, or trackback from your own site.

  • UltimaRatioReg

    Galrahn,

    There are a number of assertions you make in your post for which there is considerable room for doubt.

    The first is that we may have an understanding of the technical capabilities of the insurgents. I would submit that they have whatever capabilities they can buy. Like so many other entities, nation-states and NSAs, they no longer have the requirement for resident knowledge or capability. “Hacker for hire” is increasingly the prevalent modus operandi. There are plenty of eastern European folks with immense talent and knowledge willing to work for the highest bidder.

    Second, the idea that insurgent “networks” exist in the form that ours does is one of the second-order faults to the network-centric warfare concept. It is wonderful if we happen to fight the United States. But until then, our networks remain a massive vulnerability, while the insurgent “networks”, what there are of them, are likely extremely limited and focused on a short-term and narrowly-defined task. “Disruption” is unlikely, and if achieved, is far less meaningful for the enemy than for us.

    Third, and most importantly, the assertion that “cyber “smart bombs” is a legitimate response to unauthorized network intruders in a war zone” is dangerously naive.

    Attribution remains nearly impossible against a talented cyber adversary. Tracks are covered easily, intrusions and attacks (DoS, DDoS) are made by proxy, sometimes through dozens or hundreds of “bots”. Attacking and potentially disrupting a network of unwitting “bots” may have disastrous consequences. The computer that is attacking or intruding a DoD network (or other supporting architecture) may be a hospital mainframe in Seoul, or Moscow, or St. Louis. Or a SCADA host for an electric power distributor on the Eastern Seaboard. Or a DoD machine carrying critical capabilities into theater.

    Additionally, “intrusion” is often undetectable with current tools. Common tactics of cyber adversaries include introducing keystroke loggers (http://blog.usni.org/2009/12/12/dod-and-social-media/) onto network machines, thereby gleaning passwords of authorized users. This is not done at random, but focused on users who have specific network access for the functions the hacker is interested in usurping, or connections to the machine that does. Intrusion detection or anomaly detection systems have very little chance of alerting a network administrator that such a penetration has taken place. As far as the network is concerned, the hacker is an authorized user performing functions and transactions within his/her normal range of activities.

    There has been much talk in recent years of giving “offensive cyber capabilities”, a euphemism for authorizing cyber attacks, to tactical commanders. This is a course of action that courts catastrophe. Such talk has as its basis a wild overestimation on our abilities to detect and attribute cyber attacks, and a vast UNDERestimation of the capabilities of our adversaries to find/hire/rent the technology necessary to present a serious threat to our military and civilian critical cyber infrastructure.

    Decisions on authorizing and conducting offensive cyber operations need to remain at the level of National Command Authority. Cyber efforts for DoD systems, including UAVs, GPS (M-code), communications, etc., need to be focused on protection and encryption. We have built ourselves a network centric environment, for better or worse. Reducing the vulnerabilities of that environment is Job One.

    Just some thoughts….

  • http://www.informationdissemination.net/ Galrahn

    URR,

    We captured insurgents and gear, meaning we have physical evidence by which to base many assumptions. It also appears we have accumulated evidence in more than one instance.

    I am not talking about defending national infrastructure here, rather taking steps to go after those who would be snooping unencrypted airwaves of our UAV networks. Nothing suggested here is as complicated as you are making it, and none of what I am suggesting would be a guideline for national infrastructure protection.

    Maybe you see botnets and ghostnets, but what I see are specific human targets with specific hardware (which we have apparently captured) and specific software (again, captured – meaning we know which type and version) monitoring a specific signal (which we have full control over).

    It is not some feat of engineering nor does it require complex code to go after specific targets when you have so much specific information about your targets, indeed tailoring to your target is precisely what allows you to avoid the kind of problems you are suggesting may happen.

    If done right, the same methodology can also be how you insure the data from the UAV is authentic.

    In the cyber security world I know, effective payload delivery would insure those laptops would never touch the internet again without us knowing all about it. Not even sure what you are talking about in some of your response, because this is not a national infrastructure defense recommendation, rather how to deal with a specific issue in a warzone.

  • UltimaRatioReg

    Galrahn,

    For the particular instance of tapping into unencrypted video downlink, you are correct in your assertions. But that is relative tinker toys, and I am quite chagrined that we STILL have unencrypted video downlink. (We had such when I flew Pioneer UAVs for the USMC in the early 1990s!)

    But some of your assertions are clearly wider than that. Your last paragraph in particular talks about “military cyber battlefield”. One of the by-products of the flattening of communications and information architecture in a network-centric warfare approach is that the lines are increasingly blurred. This is not only true between the three levels of war, but also between civilian/military architecture.

    You also stated that “going offensive with cyber “smart bombs” is a legitimate response to unauthorized network intruders in a war zone”. Much of what my original comments address is that particular assertion, which I believe dangerous, naive, and patently false.

  • http://www.informationdissemination.net/ Galrahn

    You also stated that “going offensive with cyber “smart bombs” is a legitimate response to unauthorized network intruders in a war zone”. Much of what my original comments address is that particular assertion, which I believe dangerous, naive, and patently false.

    Then we find ourselves in disagreement. I don’t believe Cyber-conflict in the digital ecosystem can conform to an existing legal and policy context in regards to execution; in this case it appears our disagreement would be in the policy area of rules of engagement. I do not believe in a philosophical approach that suggests that posture for cyber-conflict is one of building moats and castle walls, indeed I subscribe to theories of cyber-conflict that include catapults. I believe the digital ecosystem is far too complex to be confined to traditional offensive and defensive constructs for insuring the integrity of information – and I want to emphasize the focus must be the assurance of information quality and integrity.

    Defending the digital ecosystem is like defending the Atlantic Ocean – we have to be careful not to get stuck focused on the medium and because the ecosystem is mostly a commercial space. That is why we must also be judicial in our strike packages, and why I prefer the term cyber “smart bombs”.

    Do not get lost in understanding the strategic intent of cyber warfare used in the context of this discussion – which is to insure the quality and integrity of the information, and when possible, disrupt the quality and integrity of the information stolen by our adversaries. Just as we assume risk when we broadcast unencrypted information, we should recognize that in the digital ecosystem, those who attempt to eavesdrop on our signals should be forced to assume risk as well. A “smart bomb” should not be defined “destructive payload”, indeed the best payloads would intentionally not be.

    I do recognize there are serious issues in the development of cyber warfare today; indeed I am familiar with many of them. The absence of a clear set of basic definitions only touches the surface. The challenge for organizations to optimize cyber overall and ensure synchronization and complementary interactions between offensive and defensive elements of the people, processes and products is an immense challenge that the DoD is only beginning to tackle, and will likely take many years just to build a foundation of.

    With that said, on a military battlefield, I see a future relationship where soldiers on the ground are the social engineers supporting cyber soldiers and cyber soldiers in turn support the soldiers on the ground. A simple construct, one that if put into practice, looks at exploitation of our information system as both a challenge and opportunity every time. In this case, given what we know – all I see is opportunity. I have every reason to believe – in this case – the DoD does as well.

  • UltimaRatioReg

    We will indeed disagree.

    Definitions of terms like “digital ecosystem” that are more than theoretical language might be more difficult than anticipated to validate. The concept of soldiers in the thick of the fight as a force of “social engineering”? I am a skeptic.

    I would also like to know what constitutes a “cyber soldier”, particularly with regard to what scope, reach, and authority that entity has for offensive and defensive cyber operations, and just what that support for the warfighter might entail. And how that might differentiate from current combat support and service support functions.

    Castles, moats, and catapults aside, what we have often failed to recognize is that those who look to exploit our network vulnerabilities ALWAYS have the upper hand, especially upon initial exploitation of a vulnerability.

    There are widely varied opinions as to how well DoD understands the cyber realm. DoD cyber capability often seems to be couched in terms of a digital contest reminiscent of the “guns versus armor” paradigm. In reality, the vulnerability of our networks, large and small, civilian and military, is a far more complex and interwoven set of human and cultural (and technical) factors than we tend to recognize. Certainly more complex than DoD could ever hope to influence or control.

    Whether such a landscape represents only opportunities, I will say this: Like everywhere else on the battlefield, the enemy has a vote. He is adaptable, determined, focused, and capable. Something else to remember: It is axiomatic that the more primitive our enemy, the less our technological advantage means.

    I will wait and see how much our network centricity and technological advantage means before I say it represents only opportunity. I am going to need some pretty convincing “ferinstances”.

  • UltimaRatioReg

    Hey Galrahn,

    Just some perspective…

    I called SWMBO to let her know we were busting up the furniture, and she was floating around in the sunshine in Hawaii.

    So here’s a corollary: The closer SWMBO is to Hawaii, the less she cares about the fistfights and eye-poking here….

  • http://www.usni.org admin

    URR: don’t be so sure about that.

  • RickWilmes

    If SWMBO is in Hawaii, than shouldn’t we be talking story or what Brah you like beef instead :)

  • UltimaRatioReg

    What was it that Lily Tomlin used to say?

    “I’m omnipotent. That’s ‘potent’, with an ‘omni’ in front if it.”

    It sure applies to SWMBO.

2014 Information Domination Essay Contest