293-Military Strategy in Cyberspace

7/29/2019 293-Military Strategy in Cyberspace

Military Strategy in Cyberspace

Stuart Staniford
Nevis Networks
08/12/ [email protected]

Introduction to this exercise

This is my attempt to predict what cyberwar will look like in 5-20 years
  I.e. this is all gross speculation
    Like trying to think about air war in 1912
  No real cyberwars have happened
  Cyberwar will develop rapidly once it starts to really happen
  There will be surprises
Useful nonetheless: forewarned is forearmed

Relevant Expertises

Network security, Network ops, Cryptography, IDS, Vulnerability Assessment, DDOS, worm defense
Military Strategy, Military History
Economics, Management Science, Organizational Psychology
No-one is an expert in all of these

Five Levels of Strategy

Due to Luttwak, Liddell Hart
Technological
  Iron swords, longbows, railroads, aircraft, tanks
  Exploits, DDOS, worms, firewalls, IDS
Tactical
  Tanks in formation (WWI/WWII), longbows in dismounted ranks behind stakes (Crecy, Agincourt)
  What we do with a DDOS tool, or an IDS?

Five Levels of Strategy

Operational (individual battle level)
  Waterloo, Crecy, Midway, Carchemish
  Individual organization (utility, bank, ISP, carrier battlegroup)
Theatre Strategy
  WWII: Pacific, European, North African
  Cyberwar same (but opens new theatres for attack)
Grand Strategy
  National level strategy - decisive military defeat, economic exhaustion, nuclear blackmail, erosion of will

Scenario: China vs US

Why did I choose this? Because it's fun! Because I can!
China finally invades Taiwan
  Has been sabre-rattling for years
  Regular exercises in Taiwan straits
  Taiwan and China have been in consensus that they are ultimately one country
    Just temporarily two administrations with two systems
  Consensus slowly breaking down in Taiwan
    Starting to want to be independent
    Creating great anxiety in China

Sequence of Events

Chinese troop/naval buildups
2 US carrier groups en route to area
Heavy Chinese missile attacks on Taiwanese AF bases to suppress air resistance
Chinese invasion force sets across straits
  Establishes beachhead
US aircraft inflict substantial damage on operation
Small US marine expeditionary force flies to Taiwan to help reinforce.
US involvement can make the difference between success and failure for China.

Chinese Grand Strategy

Inflict enough pain on US to make us go away, so they can
  Reintegrate Taiwan without interference
NB China and US both have credible strategic nuclear deterrent
  So neither side can use nuclear weapons except as a last resort.

Chinese Grand Strategy (II)

Suppose for purpose of this exercise
  They launch a large scale cyberattack on US homeland.
  Opens a North American theater to war
    In addition to south-east Asian Theater
  They can only do via cyber-means
Goal is to make the war intolerable to us
  Our choices are
    Nuclear exchange
    Invade China
    Counter with cyberattacks on China
    Give up on Taiwan
  Last is much the cheapest and most practical solution

Concentration of Force

Why doesn't China go after everything?
Traditional doctrine of concentration of force
  Create local huge superiority of forces in favor of attackers
  Win completely at those key points
  Rest of resistance crumbles
If they defeat defense in electric power and oil refining/distribution, don't need to win anything else
  Choose both so aren't completely dependent on one succeeding.

Tel El Kebir (1882)

Egyptians: 23000 under Col Ahmed Arabi
  70 field artillery pieces
British: 17000 under Lieutenant General Sir Garnet Wolseley
  36 field pieces
  About 3000 cavalry

Tel El Kebir

[Map of the battle of Tel El Kebir showing the Egyptian and British positions]

Lessons of Tel El Kebir

Victory of smaller force
  Deception
  Maneuver
  Surprise
  Concentration of force
All these factors will be critical too
Challenge for defense in cyberdomain: Defense has to protect all critical infrastructures
  Attackers get to pick 1-2 to throw all their resources against.

Is the Vulnerability There? Almost certainly

SCADA done over IP/Windows these days
Developers not used to a hostile environment
  Labor in obscurity
  So just about certain to be plenty of vulnerabilities
Machinery trusts its control system to look after it

[Diagram: Internet / Corporate / SCADA network layers]

Is the Attack Trivial Then?

Could a small band of hackers pull this off?
No!
Huge amounts of obscurity
  Great diversity in SCADA systems
    Need vulnerabilities in most of them
    Lots of testing needed
    No public community working on this to help
  Great diversity in deployments
    Which IP range is power station XYZ?
Attackers know none of this ab initio
  Either reconnoiter up front
  Or find out on fly

Attacker Information Needs

For each of O(100) operational targets, need
  Fairly detailed map of network/organization
    What assets are where on network?
    What software is in use for most critical purposes?
      Brand/version
    Where defenders are?
    Where key operational execs are?
  To have developed vulnerabilities
    For all key software systems in use
    Requires being able to get copies of them
      Pretend to be a customer

Advance Reconnaissance Options

Insiders
  Get spies jobs as (preferably) IT staff.
  Over time, stealthily map network and organization
  Ideally want several in different areas for 1-2 yrs
  Gives layer 8 view.
Cyber-surveillance
  Remotely compromise some desktops internally
  Use them to map network at layer 2-7
  Capture keystrokes etc
  Must be stealthy and untraceable
    No Chinese strings in Trojan
    Communication path home must be convoluted

Balance of Force in operations

Attackers: 150-1000 attackers
Defenders (today):
  Security group: 1-10
  Network group: 10-20
  End-host sysads: 100s-1000s
Attackers have surprise, superior organization
Defenders know terrain better
  Have physical access (sort of)
Could your organization survive this kind of assault?

Defense Response (today)

Reboot the company
  Disconnect from network
  Turn everything off
  Unplug every phone cable
  Bring things up and clean and fix them one at a time
    A single Trojan left untouched lets attacker repeat the performance
  Likely to take weeks
Cannot have confidence that we fixed all the vulnerabilities the attacker knows.

Attacker Requirements

Discipline, training
  Hard to get hundreds of people to execute a complex plan.
  Everyone must understand the plan
  Everyone must be extensively trained on tactics/technology so it's second nature
  Must follow plan and replans flawlessly
  And yet be creative enough to improvise
    Plan never survives contact with the enemy
    Fog of War
These issues have always been critical in military operations
And have to repeat this for O(100) simultaneous operations

Crecy (1346)

French: 60,000 under Philip VI
  15000 armored knights
  8000 Genoese Crossbowmen
English: 11,000 under Edward III
  6000 longbowmen

Lessons of Crecy

Victory of vastly smaller force
  Technology (longbow)
  Tactics
    Ranks of longbowmen behind stakes
    Fight on defensive
  Training (indenture)
  Organization (single military command)
  Discipline (extensive experience)
All these factors will be critical in cyberwar

Total Chinese Effort Required

Force of about 50,000 attackers
  Strong shared culture of how to fight
  Disciplined and trained
  Detailed planning
Takes ~10 years to develop this institution
  Maybe 3 years as all-out effort during a war
  Strong visionary leadership required
Hard to do with no in-anger experience
  Internal war-gaming only
  Would much prefer a Spain, but reveals capability

Cyberwar Myths (I)

Small teams can do enormous damage
  Best hope of a small team is O($10b) in worm damage
  Cannot target anything other than commonly available systems
  Cannot manage broad testing of attacks
  Only penetrate

Cyberwar Myths (II)

Attacks in cyberspace can be anonymous
  True at micro-scale of individual technological attack
  Not true at macro-scale
    Will be completely clear in grand strategic context who is conducting attack
    Will be very large amounts of control traffic that will be hard to miss
      50,000 Chinese all doing something in US will get noticed
    Attacker will generally want to be known

Cyberwar Myths (III)

Cyberspace erases distance
  Mobility is more like land/sea than air
    Contrast to other thinkers
  Battlefield is all information/knowledge
    Expertise on disabling power turbines
      Takes years to acquire
      Is not instantly transferable to, say, crippling banks' transactional systems
  Similarly defenders need deep understanding of the networks they defend.
    First day on new network, will be pretty useless
    True for attackers and defenders

Defensive Implications

The networks of critical organizations will need to be run as a military defense at all times.
  Constant alertness
  Well staffed
  Regular defensive drills
  Standing arrangements for reinforcement under attack
  Extensive technological fortification
  Excellent personnel and information security

Hygiene

Patches, AV, external firewalls etc
Failsafe design of critical machinery:
  Not just idiot-proof but enemy-proof
All critical, but
  There will still be a way in
  There will still be vulnerabilities
  Current paradigm will be inadequate

Segmentation

Network must be internally subdivided
  Contain worms
  Loss of some systems does not lead to loss of everything
Networks within networks within networks
Critical resources must be proxied everywhere (not DOSable)
Network must give highly deceptive appearance
Subdivisions small!

Recovery

Software damage
  Integrity checkers
  Backup/rollback systems
Hardware damage
  Supply of spares and spare parts
  Distributed appropriately
  Military logistics approach

Cyberwar defense system

Must exist throughout network
Enforce segmentation
Quantitative resistance to worms/DDOS/etc
Provide deceptive view of anything IP is not allowed to see
Proxy critical resources
Facilitate recovery
Allow management of all this
Allow for defensive extemporization
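Added example, not from the slides or from Nevis Networks: a small mean-field model of a scanning worm that puts numbers on the "Contain worms" and "Subdivisions small!" points of the Segmentation slide and on the "Quantitative resistance to worms" goal above. Every parameter (10,000 hosts, 10 scans per infected host per tick, 1% boundary leakage, 30 ticks) is an assumption chosen for the illustration.

```python
"""Mean-field model of a scanning worm in a flat network versus one that is
internally subdivided, with segment boundaries dropping most unsolicited scans.
Constructed illustration: every parameter is an assumption, not a measurement."""
import math


def simulate(hosts=10_000, segments=1, leak=1.0, scan_rate=10, ticks=30):
    """Return the total number of infected hosts after each tick.
    hosts      vulnerable hosts, split evenly across the segments
    segments   number of internal subdivisions (1 means a flat network)
    leak       fraction of cross-boundary scans a segment border lets through
               (1.0 means no filtering, 0.0 means a hard boundary)
    scan_rate  addresses probed per infected host per tick
    """
    per_seg = hosts / segments
    infected = [0.0] * segments
    infected[0] = 1.0                    # patient zero lands in segment 0
    history = []
    for _ in range(ticks):
        nxt = []
        for j in range(segments):
            # scans launched this tick that the boundaries allow to reach segment j
            arriving = sum(infected[i] * scan_rate * (1.0 if i == j else leak)
                           for i in range(segments))
            # scans pick addresses uniformly over the whole space, so each
            # susceptible host in j is hit with probability 1 - exp(-arriving/hosts)
            p_hit = 1.0 - math.exp(-arriving / hosts)
            nxt.append(infected[j] + (per_seg - infected[j]) * p_hit)
        infected = nxt
        history.append(sum(infected))
    return history


def final_fraction(**kwargs):
    """Fraction of all hosts infected when the run ends."""
    return simulate(**kwargs)[-1] / kwargs.get("hosts", 10_000)


if __name__ == "__main__":
    # Fractional hosts are a mean-field simplification; it overstates spread from
    # tiny seeds, so the segmented cases err on the side of the attacker.
    scenarios = {
        "flat network":                 dict(segments=1),
        "4 segments, 1% leak":          dict(segments=4, leak=0.01),
        "64 segments, 1% leak":         dict(segments=64, leak=0.01),
        "64 segments, hard boundaries": dict(segments=64, leak=0.0),
    }
    for name, params in scenarios.items():
        print(f"{name:30s} {100 * final_fraction(**params):6.2f}% infected")
```

With these assumptions the flat network and the four-segment network are essentially fully infected within the run, while 64 small segments hold the worm to a few percent of hosts and hard boundaries cap it at one segment.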

Implications

Defending nation in cyberspace is a military problem.
  Will require militarizing critical infrastructures.
  Will require new paradigms and tools
Critical infrastructure is in private hands.
  Huge tension - not a good outcome for civil society
  Deeply ironic that this is result of network promoting openness
  Luttwak's Paradoxical logic of strategy