Proliferating Stuxnet

Ralph Langner, the industrial control systems expert who first identified Stuxnet’s target, dissects the worm into its active ingredients:

Most people think of Stuxnet’s exploits as some complex, but structured hacker stuff on the operating system level, plus some mushy, arcane 70s-style controller code that cracked centrifuge rotors. In reality, the automation side of Stuxnet is as modular, structured and complex as the coding that can be found at the operating system level.  So let’s try to break down Stuxnet’s exploits in categories:

1. Operating system exploits (generic)
1.1 Two stolen digital certificates
1.2 Four zero-day vulnerabilities plus at least one known vulnerability
1.3 Peer-to-peer update logic

2. Windows application exploits (generic)
2.1 Default database password for SCADA application, plus SQL injection, plus forced SQL execution
2.2 Hijacking the legitimate driver DLL (s7otbxdx.dll)
2.3 Executing arbitrary code in project folders of the engineering software

3. Controller exploits (generic)
3.1 Code injection to any operation block, taking priority over legitimate code
3.2 Hooking system functions
3.3 I/O Filter & faker

4. Physical process exploits (mostly target specific)

From all the exploits listed, only exploit category four is tied to a specific target configuration.

In short, Langner believes that a lot of this stuff is more reusable than people appreciate, and worries about the proliferation risk.  In the worst case, he thinks that we may soon see the free availability of pre-packaged, fully configurable cyberweapons to “immoral idiots and geniuses alike,” much like the arming of the “script kiddies” in the prior decade.

I personally suspect that he may place too much weight on weapon engineering (and underestimates the intelligence and targeting activity that presumably preceded it), but read his whole argument.


What is “Strategic” Cyberwar, Anyway?

In my last post I mentioned that the focus of our model would be on “strategic cyberwar,” and then, inserting a handful of marbles in my mouth, I mumbled something unintelligible about “a level of decision-making” residing “several layers above” all of that horrible technical stuff that somehow always involves doing something obscure to the Windows registry.

Of course, there is a good reason for such evasiveness:  trying to be too precise about whether a certain form of cyberwar is “strategic” rather than “operational” or “tactical” leads us straight into a definitional swamp.  I won’t try to drain the swamp here; however, it strikes me that it might be useful to spend some time getting a little more resolution on what we mean by “strategic” (and, correspondingly, what will be directly addressed in our model, and what will be abstracted away).

The traditional rule of thumb about the levels of war (drawn from the world of kinetic violence) is that tactics are about battles, operational art is about campaigns, and strategy is about wars. Unfortunately, this amounts to more marble-mouthed garble when it comes to the gray zone that cyberwar inhabits.  None of the traditional military intuitions of time, scale, or geography really apply here:  is a sustained DDoS attack conducted over several days against the servers of a dozen companies a battle, a campaign, or a war?

To try to address this, we can adapt the old aphorism to the technical particulars, which would produce something like this:  If tactical cyberwar is about attacks on a particular network, and operational cyberwar is about attacks on a system of related networks, then strategic cyberwar is about attacking the adversary’s system of systems.

But that does not seem any more helpful.  Depending on how one chooses to define “network” and “system,” that proposition could mean anything (or nothing) at all.  Part of the problem is that there is no particular relationship implied between the scale of the “network” or “system” and the size of the strategic actor.  Indeed, taken literally, nothing prevents any operator of a “system of systems” from becoming a strategic actor.  Intuitively, this is not what we mean.  An iPhone is a complex device with many different component systems.  But we do not generally view the teenager who has “jailbroken” her iPhone as having committed an act of strategic cyberwar.

Where do these intuitions come from?  I think that the answer is found not in “strategic,” but in “cyberwar.”  In the end, cyberwar is still war. There may be plenty of strategic behavior in cyberspace, just as there is plenty of strategic behavior in the kinetic world, but only a subset of that strategic behavior pertains to a prosecution of a war.

That declaration, of course, does not wholly solve the problem; questions of exactly what constitutes a war in our age of global terrorism, insurgency, international sanctions, etc., continue to vex academics and lawyers.  But we need not decide the precise boundaries of war and peace; our purpose is only to set up a scale for our model.

So, to put it all together:

  • In the levels-of-war hierarchy, the strategic layer sits atop the operational layer, which in turn rests on the tactical layer.
  • At that top level, the applicable scope of concern is attacks upon a “system of systems.”  This implies high complexity and subspecialization near the top level of organization  — in effect, the “macroinfrastructure” of the affected strategic actor.
  • Cyberwar is still war.  War implies violence.
  • Nation-states continue to enjoy a monopoly on legal violence.  The entities that purport to wage war are either nation-states or those who aspire to the sovereign status of nation-states.
  • Therefore, “strategic cyberwar” relates to attacks upon the macroinfrastructure of either (a) nation-states; or (b) entities that aspire to the sovereign status of nation-states.

This is not to say that other actors will not have important roles; in fact, I expect to see nation-states employ “tactical delegates” to a much greater extent than is the case in the kinetic world.  And there will be no shortage of “non-aligned” marauders roaming through the substrategic (operational and tactical) levels of cyberspace; most crime, for instance, is an essentially tactical endeavor.  But I believe the nation-states and their aspiring peers will set the strategic agenda.

Admittedly, there is a circular feel to some of this reasoning:  cyberwar is war; by definition, only nation-states can wage war; ergo it must be that nation-states constitute the important level of analysis.  Part of this may also be the result of the Westphalian bias that afflicts students of modern military history.

But I think that there is at least one other reason to believe that nation-states, rather than private subnational entities or even public transnational entities, will continue to occupy the seat of decision when it comes to cyberstrategic warfare.  I believe that the nature of cyberweapons — or at least the kind we can reasonably call “strategic” — will be such that they will effectively require the sovereign authority of a nation-state to develop and maintain.  This is not so much because national governments have abundant financial and technological resources (wealth and genius are not the sole province of national governments).  Rather, it is because the intelligence requirements to design, construct, test, and maintain a strategic cyberweapon may be so extensive (and require such intrusive and likely illegal measures to collect) that only a sovereign entity will be capable of doing it on a competitive scale.  We will consider this issue in a future post on the nature of strategic cyberweapons.


Building a Model of Strategic Cyberwar

In early 2009 I began thinking about a decisional model for the conduct of “strategic cyberwar.”  By “strategic,” I’m talking about a level of decision-making several layers above the technical particulars that dominate most of today’s discussions about cyberwarfare.  The particular vulnerabilities of today’s information networks, and the morphology and lifecycle of today’s worms, viruses, and botnets, are interesting and important, but I regard all of these matters as essentially tactical in character.  Some attributes of today’s cyberweapons will become irrelevant as the underlying technology inevitably changes; other attributes are more fundamental and will tend to persist regardless of technological change.  It’s the latter category that I’m most interested in, because those factors will continue to shape strategy and doctrine beyond the next operating system release.

Until I stopped work due to other real-life priorities, I had articulated a crude set of general principles which addressed, among other things:

  • A basic model of a strategic cyberattack weapon (what I’m tentatively calling a “logic attack weapon” or “LAW”)
  • The minimum intelligence requirements for a strategic LAW
  • The essential need to reliably predict a LAW’s effects on a complex target system
  • The notion of a “shelf-life” of a given LAW against a given target system
  • The need for a wide array of supporting “live” interactions with the enemy in cyberspace (for intelligence, testing, and strategic pre-positioning purposes)

I also sketched out a physical map concept intended to describe the strategic geography of the battlespace, with discrete “terrain” elements denoting civilian non-critical infrastructure, civilian critical infrastructure, and military infrastructure.  Naturally, the map wasn’t intended to portray physical distance, but rather an “attack distance” determined by weapon effectiveness, network architecture, defensive arrangements, and so on.  I borrowed from the safecrackers’ view of the world and decided that the appropriate metric of attack distance for these purposes was time.  Predictably, the mechanics get a little bit complex with a two-dimensional paper map since the attack distances between different elements might change at different rates — and, after getting a headache, that’s about where I left things.

In any event, I had all but forgotten about this shelved work until I recently ran into Bruce Costello (designer of the First Strike and Dropshot I/II/III strategic nuclear wargames) on the consimworld forums.  Bruce also has been thinking about cyberwar concepts for a number of years (and in fact is working on a new game design).  This inspired a conversation about these topics, and I’ve been inspired to pick this effort up again.  Strategy is a timely subject, with the U.S. DoD taking its first baby-steps toward articulating a doctrine of cyber-retaliation.

My objective over the next few months is to think about and articulate a complete set of principles for this strategic model of cyberwar.  I don’t know that this will result in a playable “game,” per se (I have no game design experience and really am only a fledgling wargamer).  However, if it provides some useful vocabulary and concepts to the broader discussion, I think it will have been a worthwhile exercise.  Let’s see where this all goes.


Messaging

I converted over the long table of Russian ship names last weekend, a task that, remarkably, turned out to be even more tedious than I had imagined.  Somewhere in the course of doing endless find-and-replace searches to strip out useless tags inserted by Microsoft FrontPage, I realized that managing these things would be a lot easier if only I would step out of 1998 and actually put some of this stuff into a database.  (This would also simplify updates to the air campaign tables, which currently exist as five separate hard-coded web pages.)

So, the lunacy continues: I am now learning MySQL/PHP.  Hope to have a test database up this weekend.

In more substantive news, the Chinese appear to have flown the J-20.  More interesting is the manner of the reveal:

Ma Xing and Zhang Jun may believe their obsession with all things military is just a hobby. That may be true but earlier this week, they saw something that made headlines across the world, and turned them into celebrities.

They got some of the earliest glimpses of China’s first stealth fighter plane.

In December, after word about a possible radar-evading plane circulated on the Internet, both men began monitoring a local airport widely considered the home base of such planes.

This is the PRC, mind you, where traditional attitudes toward “state secrets” are not ordinarily conducive to amateurs watching “local airports” where unannounced fifth-generation stealth fighters happen to be based.  Especially amateurs with websites:

Each time he saw something worthy of sharing, he told his friend, who passed it on to Zhang, 32, another military fan in Jiangsu Province. Zhang posted the information on fyjs.cn, a military forum he established in 2004.

On Tuesday, after Ma saw the J-20, he immediately called his friend, and Zhang did not waste a moment before he posted the news on his website.

Domestic newspapers, such as Shanghai-based Oriental Morning Post, referred to Zhang’s website. Zhang was surprised that even the Wall Street Journal quoted his website.

“I thought the website was just a platform for interaction between military enthusiasts. I did not think that both the domestic and foreign media will be concerned about it,” Zhang said. “The military strength of China is enhancing, which enables the country to have an impact on the international stage.”

Official, unofficial, or “unofficial,” the proliferation of open sources on Chinese military modernization makes for an interesting picture.  The times, they do change.


Coincidence and Callsigns

Echo-chamber issues aside, the flip side of research in the Internet age is that from time to time, you make the unexpected connection that suddenly provides an information windfall.  Something like that just happened today, when a random “people you may know” suggestion on Facebook put me in touch with a fighter pilot who scored a kill in 1991.  Within a few hours he provided confirmation of a data point that I’ve been trying to verify for years (specifically, the callsign for his sortie, which had been conspicuously absent from the official USAF sources).  Thanks, “Meat.”


Gorillas Over Mesopotamia

With most of the technical and setup issues for the new site resolved, I spent a few hours updating some research that I did fifteen years ago on the roughly three dozen air-to-air engagements that occurred during the 1991 Gulf War.  This is historian’s grunt work:  combing through conflicting accounts, guessing as to the most likely ways in which memories dim or reports fail, filtering out errors that have been handed down from source to source.  One remarkable thing was discovering how far my own work had propagated without citation, leaving me in the mildly entertaining position of seeking to verify my original work using sources that seem to derive from that same work, errors and all.  Circular verification (or, if you like, “fact-checking by echo”) has to be one of the principal challenges of historical research in the Internet age.

In any event, with the new information on the Desert Storm air war available, I’ve applied several different “filters” to the original kill matrix, which reveal some interesting facts about those engagements.  For example, a surprising number of engagements using the AIM-7 Sparrow (a medium-range missile most associated with beyond-visual-range (BVR) fights) were actually made within visual range.  There were also quite a few kills made by wingmen (in some cases where their flight/element leads did not also score), underscoring a tactical fluidity that was very different from the rigid fighter doctrine prevalent in Vietnam, at least in the USAF.

Ultimately I would like to collect and chart more data on these engagements, including geographic locations, precise range of shots, day/night, etc.  But unfortunately I think this may have to wait—while some of the necessary information can be gleaned from pilot accounts, I imagine that the complete dataset is probably still classified, even after twenty years.  Might be worth considering a FOIA request, as both the AIM-7M and AIM-9M have been superseded by newer weapons in the U.S. inventory.  We’ll see.


OMG

…I seem to have installed WordPress.  What is happening to me?
