Military Strategy in Cyberspace Stuart Staniford Nevis

1
Military Strategy in Cyberspace

• Stuart Staniford
• Nevis Networks
• 08/12/04
• stuart_at_nevisnetworks.com

2
Introduction to this exercise

• This is my attempt to predict what cyberwar will
  look like in 5-20 years
• Ie. This is all gross speculation
• Like trying to think about air war in 1912
• No real cyberwars have happened
• Cyberwar will develop rapidly once it starts to
  really happen
• There will be surprises
• Useful nonetheless forewarned is forearmed

3
Relevant Expertises
Network security, Network ops, Cryptography,
IDS, Vulnerability Asessment DDOS, worm defense
Military Strategy, Military History
Economics, Management Science, Organizational Psyc
hology
No-one is an expert in all of these
4
Five Levels of Strategy

• Due to Luttwak, Liddell-Hart
• Technological
• Iron swords, longbows, railroads, aircraft,
  tanks
• Exploits, DDOS, worms, firewalls, IDS
• Tactical
• Tanks in formation (WWI/WWII), longbows in
  dismounted ranks behind stakes (Crecy, Agincourt)
• What we do with a DDOS tool, or an IDS?

5
Five Levels of Strategy

• Operational (individual battle level)
• Waterloo, Crecy, Midway, Carshemish
• Individual organization (utility, bank, ISP,
  carrier battle group)
• Theatre Strategy
• WWII Pacific, European, North African
• Cyberwar same (but opens new theatres for attack)
• Grand Strategy
• National level strategy - decisive military
  defeat, econonomic exhaustion, nuclear blackmail,
  erosion of will

6
Scenario China vs US

• Why did I choose this?
• Because its fun! Because I can!
• China finally invades Taiwan
• Has been sabre-rattling for years
• Regular exercises in Taiwan straits
• Taiwan and China have been in consensus that they
  are ultimately one country
• Just temporarily two administrations with two
  systems
• Consensus slowly breaking down in Taiwan
  starting to want to be independent
• Creating great anxiety in China

7
Sequence of Events

• Chinese troop/naval buildups
• 2 US carrier groups en route to area
• Heavy Chinese missile attacks on Taiwanese AF
  bases to suppress air resistance
• Chinese invasion force sets across straits
• Establishes beachhead
• US aircraft inflict substantial damage on
  operation
• Small US marine expeditionary force flies to
  Taiwan to help reinforce.
• US involvement can make the difference between
  success and failure for China.

8
Chinese Grand Strategy

• Inflict enough pain on US to make us go away, so
  they can
• Reintegrate Taiwan without interference
• NB China and US both have credible strategic
  nuclear deterrent
• So neither side can use nuclear weapons except as
  a last resort.

9
Chinese Grand Strategy (II)

• Suppose for purpose of this exercise
• They launch a large scale cyberattack on US
  homeland.
• Opens a North American theater to war
• In addition to south-east Asian Theater
• They can only do via cyber-means
• Goal is to make the war intolerable to us
• Our choices are nuclear exchange
• Invade China
• Counter with cyberattacks on China
• Give up on Taiwan
• Last is much the cheapest and most practical
  solution

10
Chinese Theater Strategy

• Stop two critical infrastructures functioning
• For a period of weeks
• They pick
• Electric power
• Oil refining and gasoline/diesel distribution
• US economy pretty much stops without these
• 2.5 of US population involved in agriculture
• Food production completely dependent on
  automation/energy.
• 75 of Chinese population involved in agriculture
• Food production unaffected by lack of
  oil/electricity

11
Concentration of Force

• Why doesnt China go after everything?
• Traditional doctrine of concentration of force
• Create local huge superiority of forces in favor
  of attackers
• Win completely at those key points
• Rest of resistance crumbles
• If they defeat defense in electric power and oil
  refining/distribution, dont need to win anything
  else
• Choose both so arent completely dependent on one
  succeeding.

12
Tel El Kebir (1882)

• Egyptians 23000 under Col Ahmed Arabi
• 70 field artillery pieces
• British 17000 under Lieutentant General Sir
  Garnet Wolseley
• 36 field pieces
• About 3000 cavalry

13
Tel El Kebir
Egyptians
British
14
Lessons of Tel El Kebir

• Victory of smaller force
• Deception
• Maneuver
• Surprise
• Concentration of force
• All these factors will be critical too
• Challenge for defense in cyberdomain
• Defense has to protect all critical
  infrastructures
• Attackers get to pick 1-2 to throw all their
  resources against.

15
How Many Operations in Theater

• Have to pick enough companies/organizations
• That infrastructures cant function except in
  small pockets
• SWAG O(100) largest energy companies
• Simultaneous surprise attacks on them
• Forces required are 100x forces for one
• Now move down to operational level

16
Is the Vulnerability There?

• Almost certainly
• SCADA done over IP/Windows these days
• Developers not used to a hostile environment
• Labor in obscurity
• So just about certain to be plenty of
  vulnerabilities
• Machinery trusts its control system to look after
  it

Internet
Corporate
Scada
17
Is the Attack Trivial Then?

• Could a small band of hackers pull this off?
• No!
• Huge amounts of obscurity
• Great diversity in SCADA systems
• Need vulnerabilities in most of them
• Lots of testing needed
• No public community working on this to help
• Great diversity in deployments
• Which IP range is power station XYZ?
• Attackers know none of this ab-initio
• Either reconnoiter up front
• Or find out on fly

18
Attacker Information Needs

• For each of O(100) operational targets, need
• Fairly detailed map of network/organization
• What assets are where on network?
• What software is in use for most critical
  purposes?
• Brand/version
• Where defenders are?
• Where key operational execs are?
• To have developed vulnerabilities
• For all key software systems in use
• Requires being able to get copies of them
• Pretend to be a customer

19
Advance Reconnaissance Options

• Insiders
• Get spies jobs as (preferably) IT staff.
• Over time, stealthily map network and
  organization
• Ideally want several in different areas for 1-2
  yrs
• Gives layer 8 view.
• Cyber-surveillance
• Remotely compromise some desktops internally
• Use them to map network at layer 2-7
• Capture keystrokes etc
• Must be stealthy and untraceable
• No Chinese strings in Trojan
• Communication path home must be convoluted

20
Cyber Battalion (1 operation)
21
During Attack

• All major teams must deploy quickly from small
  beachhead
• Backdoor team (highest priority)
• Compromises utility systems for other teams to
  use
• Installs backdoors, remote dial-ups, etc to get
  back in later
• Owns RAS servers, access routers etc
• Preferably 100s-1000s of systems so every system
  in enterprise must be thoroughly cleaned
• Defense Suppression Team
• DOS, disabling, and destruction of systems used
  by defenders
• Firewalls, IDSs, desktops and laptops used by
  sysads
• Offensive operations groups
• Cripple actual infrastructure assets (turbines,
  pumps, etc, etc)
• Physical damage where possible,
• Disable/corrupt control systems
• Logic bomb group inserts logic bombs in many
  systems and turns them off

22
Balance of Force in operations

• Attackers 150-1000 attackers
• Defenders (today)
• Security group 1-10
• Network group 10-20
• End-host sysads 100s-1000s
• Attackers have
• surprise,
• superior organization
• Defenders
• know terrain better
• Have physical access (sort of)
• Could your organization survive this kind of
  assault?

23
Defense Response (today)

• Reboot the company
• Disconnect from network
• Turn everything off
• Unplug every phone cable
• Bring things up and clean and fix them one at a
  time
• A single Trojan left untouched lets attacker
  repeat the performance
• Likely to take weeks
• Cannot have confidence that we fixed all the
  vulnerabilities the attacker knows.

24
Attacker Requirements

• Discipline, training
• Hard to get hundreds of people to execute a
  complex plan.
• Everyone must understand the plan
• Everyone must be extensively trained on
  tactics/technology so its second nature
• Must follow plan and replans flawlessly
• And yet be creative enough to improvise
• Plan never survives contact with the enemy
• Fog of War
• These issues have always been critical in
  military operations
• And have to repeat this for O(100) simultaneous
  operations

25
Crecy (1346)

• French 60,000 under Phillip VI
• 15000 armored knights
• 8000 Genoese Crossbowmen
• English 11,000 under Edward III
• 6000 longbowmen

26
Crecy
Stream
English
Crecy Forest
French
27
Lessons of Crecy

• Victory of vastly smaller force
• Technology (longbow)
• Tactics
• Ranks of longbowmen behind stakes
• Fight on defensive
• Training (indenture)
• Organization (single military command)
• Discipline (extensive experience)
• All these factors will be critical in cyberwar

28
Total Chinese Effort Required

• Force of about 50,000 attackers
• Strong shared culture of how to fight
• Disciplined and trained
• Detailed planning
• Takes 10 years to develop this institution
• Maybe 3 years as all-out effort during a war
• Strong visionary leadership required
• Hard to do with no in-anger experience
• Internal war-gaming only
• Would much prefer a Spain, but reveals
  capability

29
Cyberwar Myths (I)

• Small teams can do enormous damage
• Best hope of a small team is O(10b) in worm
  damage
• Cannot target anything other than commonly
  available systems
• Cannot manage broad testing of attacks
• Only penetrate lt10 of enterprise systems
• Cannot seriously disrupt the economy
• Takes large sophisticated institution to cause
  serious economic disruption
• Only nation states can play at this level

30
Cyberwar Myths (II)

• Attacks in cyberspace can be anonymous
• True at micro-scale of individual technological
  attack
• Not true at macro-scale
• Will be completely clear in grand strategic
  context who is conducting attack
• Will be very large amounts of control traffic
  that will be hard to miss
• 50,000 Chinese all doing something in US will get
  noticed
• Attacker will generally want to be known

31
Cyberwar Myths (III)

• Cyberspace erases distance
• Mobility is more like land/sea than air
• Contrast to other thinkers
• Battlefield is all information/knowledge
• Expertise on disabling power turbines
• Takes years to acquire
• Is not instantly transferrable to, say, crippling
  banks transactional systems
• Similarly defenders need deep understanding of
  the networks they defend.
• First day on new network, will be pretty useless
• True for attackers and defenders

32
Defensive Implications

• The networks of critical organizations will need
  to be run as a military defense at all times.
• Constant alertness
• Well staffed
• Regular defensive drills
• Standing arrangements for reinforcement under
  attack
• Extensive technological fortification
• Excellent personnel and information security

33
Hygiene

• Patches, AV, external firewalls etc
• Failsafe design of critical machinery
• Not just idiot-proof but enemy-proof
• All critical, but
• There will still be a way in
• There will still be vulnerabilities
• Current paradigm will be inadequate

34
Preventing reconnaissance

• An attacker who can develop a detailed
  well-informed plan at leisure will win.
• Personnel security
• Background checks for power company staff should
  be
• Comparable to security clearances for
  military/intel
• Prevent scans
• Critical information is on a need-to-know basis
• (Turbine manuals are not on internal web)
• Extensive internal deception/honeynet efforts
• Reconnaissance will find all kinds of bogus
  things
• Force attack to be extemporized.

35
Segmentation

• Network must be internally subdivided
• Contain worms
• Loss of some systems does not lead to loss of
  everything
• Networks within network within networks
• Critical resources must be proxied everywhere
• (not DOSable)
• Network must give highly deceptive appearance
• Subdivisions small!

36
Recovery

• Software damage
• Integrity checkers
• Backup/rollback systems
• Hardware damage
• Supply of spares and spare parts
• Distributed appropriately
• Military logistics approach

37
Cyberwar defense system

• Must exist throughout network
• Enforce segmentation
• Quantitative resistance to worms/DDOS/etc
• Provide deceptive view of anything IP is not
  allowed to see
• Proxy critical resources
• Facilitate recovery
• Allow management of all this
• Allow for defensive extemporization

38
Implications

• Defending nation in cyberspace is a military
  problem.
• Will require militarizing critical
  infrastructures.
• Will require new paradigms and tools
• Critical infrastructure is in private hands.
• Huge tension - not a good outcome for civil
  society
• Deeply ironic that this is result of network
  promoting openness
• Luttwaks Paradoxical logic of strategy