August 3, 2015
If the United States were involved in a major cyberwar, just how badly would it be hit? Could the U.S. survive? Could modern civilization survive? In this thought experiment, David Gewirtz explores such a scenario in-depth.
While there are many aspects of cyberwar worthy of discussion, one area rarely explored is just how dangerous a full-on cyberwar could be to the U.S., and to global society. Could a cyberwar knock us back to the Stone Age?
A THOUGHT EXPERIMENT
Consider this article a thought experiment. Rather than exploring individual vulnerabilities or examining named exploits, let's explore what aspects of modern technology define our Information Age, and what might happen if some of those relied-upon technologies were no longer available to us.
For the purpose of our exploration, we will assume that cyberwar doesn't lead to a nuclear or biological war, that the effects resulting from the conflict remain within the bounds of digital means of destruction rather than traditional NBC (nuclear, biological, and chemical) warfare.
BLACK HAT 2015
Violet Blue has a shortlist of the hottest talks slated for this year's largest domestic professional infosec conference.
Even so, in some ways this exercise is akin to exploring the effects of nuclear weapons and various post-apocalyptic scenarios that result from nuclear war. While we won't be looking at surviving radioactive fallout and the devastation of target cities, we do need to look at the fallout that may come from aggressive espionage, and sabotage to financial and infrastructure systems.
THE EFFECTS OF CYBERATTACK
A few years ago, I led a cyberattack simulation. On my team were former members of the White House national security team, and a Secret Service supervisor. We looked at what would happen if something like the Stuxnet virus were launched against the United States, along with concurrent distributed denial of service attacks and other digital assaults.
There were two clear conclusions from that simulation: our financial system is clearly at risk, and so are elements of our infrastructure. Particularly vulnerable are all the infrastructure systems based on older technology that either cost too much -- or are too much work -- to upgrade.
Other systems, including defense-related systems, are also vulnerable. One particularly disturbing example is the United States Navy, which entered into a multi-million dollar contract with Microsoft to continue to supply hotfixes to warfighting systems based on the extremely-porous-to-penetration Windows XP.
While the simulation results exposed substantial economic cost from a comprehensive cyberattack, it also presupposed national systems to be moderately resilient. The expectation was that after some time -- probably a few days at worst -- daily 21st century modern life would resume across the United States.
This is the prevailing wisdom. Most cybersecurity analysts and threat assessors see the potential for enormous damage in cyberwar and cyberattacks, but extinction events are rarely discussed. We have all assumed that if we got hit, we'd regroup, rebuild, and recover.
For the purpose of our thought experiment, what if that were not the case?
THE OPM BREACH
Most examinations of cyberwar threat took place before the enormous breach at the U.S. Office of Personnel Management. OPM is, essentially, the American government's HR department.
Extinction events are rarely discussed. We have all assumed that if we got hit, we'd regroup, rebuild, and recover.
In June, OPM announced it had been the victim of a persistent penetration that went back at least to March of 2014. More than 21.5 million individual, highly-personal personnel records were stolen from the agency, including confidential disclosures by government personnel with security clearances.
In addition to the other data stolen, 1.1 million fingerprint patterns were also grabbed. This means, if you think about it, that since enemy actors had access to fingerprint and personnel systems, they not only could take information, they could plant fake information, as well.
In a theory sound enough for our thought experiment, the bad guys could have embedded identity information good enough to allow them to implant human agents into top secret government installations.
All of our normal evaluations of threat assume that the deep and carefully considered systems the United States has put into place, in case of events ranging from natural disaster to global pandemic to nuclear war, would exist in the case of cyberwar. The assumption has been that systems like continuity of government, essential communications, and financial system continuity would protect us from even the worst attacks.
That all relies, however, on our ability to trust government workers to do their jobs when it's most important. My experience has been that the vast majority of government workers (aside from politicians) are truly patriotic and dedicated professionals, so we are generally in good hands.
But we've seen the damage even one or two rogue workers can do. Witness the damage Bradley Manning and Edward Snowden have caused, and they were just two relatively low-level government workers. Imagine, instead, the damage that could be caused by workers turned -- either because of blackmail based on the stolen OPM data, or enemy agents (complete with government IDs that are confirmed by the now falsified OPM data) inserted into critical positions.
SPECIAL FEATURE
The Edward Snowden revelations have rocked governments, global businesses, and the technology world. Here is our perspective on the still-unfolding implications along with IT security and risk management best practices that technology leaders can put to good use.
This takes our thought experiment to a whole new level. What would happen if we were hit by a devastating cyberattack and the government's continuity systems did not function as expected, because they, too, were compromised?
I know, it's a stretch. But remember that this is a thought experiment, and that clever enemies are capable of playing a long game. We're trying to explore the what-ifs of a postulated situation.
THE EFFECTS OF EXTINCTION-LEVEL CYBERATTACK
Let's assume, through a combination of malware, espionage, denial of service, and sabotage, that our national systems were to break down. What then?
Our path down the rabbit hole requires us to identify what sorts of systems would be interrupted. So let's start by assuming the financial system would come to a halt. Stock exchange transactions would stop, and all electronic fund and electronic banking transactions would cease. At that point, checks and credit cards would no longer have value, businesses would no longer be able to operate, and even cash would likely lose its transaction value.
What about communications? Over the past ten years, most of us have moved off of land lines and away from over-the-air broadcast TV (notwithstanding a small group of HD antenna owners). Most of us communicate over mobile services and the Internet. In a catastrophic cyberwar, and for the purpose of our thought experiment, let's assume all communications with the possible exception of ham radio would go offline.
You really, really don't want to make yourself a target of thousands upon thousands of pissed off IT professionals.
Without financial support and communications, our supply chains would be toast. Goods and services would no longer move across the country. There would be mobs storming supermarkets, hardware stores, and gun shops. Gasoline for vehicles would run out in a matter of days.
National government would cease to function. Instead, the primary governance touch points would be some responsible local law enforcement officers. More likely, we would see feudal governance take hold, where those with the most firepower, survival resources, and physical strength would take power.
But what about other governments? Surely other governments would jump in to lend a hand, if for no other reason than a precipitous decline in the U.S. economy would have devastating results worldwide.
Here's where the scenario branches. If the cyberattack were limited to the United States, then it's likely that other governments would involve themselves to a limited extent, if only to regain access to our ability to buy their goods.
This includes China, by the way. Since China's economy is so dependent upon America's (and us upon them), it is unlikely that China would engage in extinction-level cyberwar. In fact, so much of the world's economy is intermingled, that it is actually quite unlikely that most major countries would engage in terminal cyberwar.
That leaves activists, crazies, and highly-isolated rogue nations like North Korea. In fact, it mostly leaves North Korea, because even Iran and Russia rely on a functioning world economy.
THE STONE AGE
Before we discuss North Korea, let's get one other factor out of the way: the Stone Age. This article asked whether cyberwar could knock us back to the Stone Age. Rather than letting the hyperbole of the question stand, let's understand that the Stone Age preceded humanity's ability to work metal. Cyberwar (without an accompanying NBC event) would not deny us the ability to work metal, even iron and steel.
SPECIAL FEATURE
As big data, the IoT, and social media spread their wings, they bring new challenges to information security and user privacy.
In fact, if we were to look at how far back something like a universally-devastating cyberwar might take us, we'd probably land right around the technology level of World War II. Unfortunately for our postulated post-cyberwar society, nations in World War II were highly structured. For example, England, even during the worst of the London Blitz, was able to function as a nation.
We might not be able to replicate that level of functioning, primarily because our existing modes of communication are now nearly universally reliant on the Internet and digital technology. So we'd have to move back a few centuries, even before the telegraph that Lincoln used so powerfully in the Civil War, to a world where communications relied on fast horses and capable riders. At least bicycles are relatively common in the modern world.
Our worst case, therefore, is a society largely feudal in nature, knocked back in some ways to a technology base roughly akin to those the Founding Fathers had when they revolted against King George.
But could North Korea (again, without nukes or EMP weapons) generate a cyber-event devastating enough to take out all major nations and knock us all back to a pre-telegraph world?
NOPE. NOT A CHANCE
My analysis of North Korea shows the country is indeed capable of mounting a cyberattack, especially if they use resources and agents located outside the nation's physical borders. But could North Korea simultaneously take out digital systems worldwide? First, they don't have the resources. Second, it's far more likely the OPM breach was by China, rather than North Korea.
Any total cyberwar extinction event would have to remove the United States' deep contingency operations, and while China or Russia might be able to turn a few more Snowdens, that's way out of North Korea's capability level. Plus, breaking U.S. contingency planning would take more than a handful of blackmailed government employees.
The enemy's reach would have to be deep and pervasive, and that's simply not going to be able to happen with the depth and pace necessary to unhinge all our preparatory measures.
So let's conclude our thought experiment with a few observations and conclusions. The simple answer is no, cyberwar would not knock us back to the Stone Age. There is no rogue nation or organization with the reach to hit all of modern society across nations, and that's what would be required to push modern society out of the Information Age.
There is no doubt that cyberwar and cyberattacks can be devastating, and have a high financial and operational cost. But there's also little doubt that we would recover, in time.
Frankly, the worst case is a substantial financial cost and an enormous army of very pissed off IT folks. Here's a warning to both our rational and irrational enemies. You really, reallydon't want to make yourself a target of thousands upon thousands of pissed off IT professionals.
No comments:
Post a Comment