About a decade ago, I did a series of talks at various conferences entitled “cyberwar is bullshit” – the problem, I felt, was that the US was talking about being deeply afraid of cyberattack from Eurasia (or was it Eastasia?) but there was considerable irresponsible talk about “weapons of mass destruction-like capability.” Industry insiders like myself wound up divided as to whether it was likely/practical, or good marketing/a chance to make a fast buck. There were a lot of fast bucks made.
Now that the world has managed to learn a bit about what’s been going on in the rogue state called “The US Intelligence Community” it looks a lot more like the talk of cyberwar was mostly projection: the US was preparing to do exactly that sort of thing to other countries, so “missile gap, ho!” just like in the 1960s – a great deal of money spent and it turns out that we were mostly preparing to battle our own imagined capabilities. At the time when I was first speaking out against cyberwar, I was still looking at the problem defensively; in other words I granted the US’ concerns a degree of legitimacy and investigated whether or not they made sense.
Of course, they did not. Here’s the problem: if you’re concerned about having your critical infrastructure crashed by a foe that can attack on their own schedule, with no advance warning* – but, wait, there’s more: you have an infinity of potential foes and since attribution is genuinely difficult it is impossible to deter them. The normal strategic dynamics of war would look something like: (telephone call happens on the red line) “Uh, look, I notice you’re massing tanks and troops on our southern border. We are concerned and our bomber drivers really want to pre-empt you, can you tell us what’s going on?” During the early cold war, the US used nuclear weapons to threaten an entire power-bloc – if you were part of the Warsaw Pact, you’d get nuked along with everyone else** – deterrence was possible because we were aligned against a single discernable enemy. It was then that I realized the only plausible strategy was full dominance: you try to deter everyone all the time because you’re insanely over-capable and willing to attack anyone, any time. The military dictum “the best defense is a strong offense” only really works in 1:1 engagements where your offensive moves can disrupt your opponent’s own offensive moves. If you’re in a strategic environment where you have many unknown enemies, “the best defense is a strong defense.” That’s why castles were all the rage in the dark ages, whereas force-on-force blitzkriegs and national level wars were worthwhile once Europe had congealed into aligned power-blocs of nation-states.
So, what in the hell is going on in Washington?
The NSA (primarily) and CIA (less so) appear to have been let completely off the leash, and the NSA has made a pretty good stab at hacking the entire world. Meanwhile, the FBI and the rest of the government complain bitterly about Chinese, North Korean, Russian, whatever hackers threatening the US. It’s utterly bizarre: the US is trying to sell smart-grid power systems to China, while the FBI is bleating about Chinese cyberspies prepared to crash the US grid: you simply cannot buy marketing like that:
USA: “That stuff we’re trying to sell you? It sucks so badly, you control it.”
China: “We do?”
So, today’s news tidbit that catches my eye:
U.S. military hackers have penetrated Russia’s electric grid, telecommunications networks and the Kremlin’s command systems, making them vulnerable to attack by secret American cyber weapons should the U.S. deem it necessary, according to a senior intelligence official and top-secret documents reviewed by NBC News.
American officials have long said publicly that Russia, China and other nations have probed and left hidden malware on parts of U.S. critical infrastructure, “preparing the battlefield,” in military parlance, for cyber attacks that could turn out the lights or turn off the internet across major cities.
It’s been widely assumed that the U.S. has done the same thing to its adversaries. The documents reviewed by NBC News — along with remarks by a senior U.S. intelligence official — confirm that, in the case of Russia.
In other words, “that thing we did to you? You’d better not do that to us.” It’s what I call a “weapon of privilege” – as Mr White in Reservoir Dogs says:
“You shoot me in a dream, you’d better wake up and apologize”
That’s the US Government’s “strategy”: if you dream you use cyberweapons on us, you’d better wake up and apologize. We are so mighty and powerful that we are going to deter everyone, all at once, against any attack.
How well do you think that’s going to work?
As NBC News reported Thursday, the U.S. government is marshaling resources to combat the threat in a way that is without precedent for a presidential election.
It must hurt to be a journalist for NBC, and to have some government spokesperson slip their hand so far up your anus that they can use you as a sock-puppet and make you make silly mouth-noises.
If the US was concerned with having an election that couldn’t be tampered with by outside powers, it wouldn’t have gerrymandered districts, crappy voting machines that cost a ton of money, and a political system that enshrines the idea of buying votes and influence.
In a speech to an annual gathering of Russian and foreign politicians and analysts in Sochi on Thursday, Putin attacked the US over its foreign policy in recent years. “Does anyone seriously think that Russia can affect the choice of the American people? What, is America a banana republic? America’s a great power. Correct me if I’m wrong,” he said.
I understand why Trump looks up to Putin; Putin is everything Trump wishes he was – including: truly wealthy, vastly powerful, smart, articulate, and aware of current events.***
Putin said the US had a number of problems, including huge debt and gun crime, and that politicians had no answers. “There is nothing to calm society with, and so it’s easier to distract people with supposed Russian hackers, spies and agents of interest.”
One of the deeply disappointing aspects of the US’ attitude toward Russian hackers disrupting the election is: so what? I doubt it’d be plausible anyway, but if the election systems were being disrupted, they could just keep the polls open for an entire week. The media would be thrilled, anyway.
As someone who deals with threat models all the time, I am constantly expected to be thinking of all the things that could go wrong, and having a counter-strategy or avoidance strategy. If the fear is really that someone might mess with the power to the voting machines, I expect to see gasoline-powered generators (or trucks with inverters, c’mon American Ingenuity!) ready near the polling locations. In fact, their absence is absolutely rock-solid evidence that the very people who are fluttering about this “threat” don’t really believe in it. And, yes, if your polling machines are connected to the internet and are using google docs as the backend, then you don’t deserve to have nice fake democracy any more.
(* Tanks can be seen massing on the border; logistical requirements practically guarantee that it’s impossible to get strategic surprise such as was possible in WWI and WWII – though, as we know now, many of the “surprise attacks” of WWII were only surprises to the incompetents who ignored solid intelligence that an attack was coming.)
(** Though now we know that the US Strategic Integrated Operations Plan – SIOP – called for nuclear obliteration of China as well as the USSR in the event of an exchange; it wouldn’t do to have the Chinese be the last humans left standing, right?)
(*** Also: doesn’t mind losing his hair, and rides bears.)
The Guardian: “Vladimir Putin Dismisses Claims of Meddling in US Election”
Marcus Ranum: “Cyberwar – You’re Doing it Wrong” RSA Conference 2012.
Marcus Ranum: “Never Fight a Land War in Cyberspace” AusCERT 2013
Marcus Ranum: “In Cyberspace, the Best Defense is a Strong Defense”