Platt Perspective on Business and Technology

Stuxnet and the democratization of warfare

Posted in business and convergent technologies, in the News by Timothy Platt on October 4, 2010

This is my third posting in a short series on a News story that has become a more significant issue. And I start this posting by updating a point I raised in my second in this series: Stuxnet and beyond – and even knowing when you have been compromised.

When I wrote that I stated that the cause of the May 6, 2010 Flash Crash was yet to be fully determined, and the next day a very important piece to that final determination was publically announced. According to the Securities and Exchange Commission and the Commodity Futures Trading Commission, this event began with the sudden sale of a very large block of futures totaling some $4.1 billion in contracts with all pertinent sales originating from a single mutual fund organization. The fund in question has been reported to be Waddell & Reed Financial of Overland, Kansas. This appears to have been initiated when a computer-based automated sell algorithm was set up in such a way as to dump some 75,000 contracts over a 20 minute period. So when I suggested that an event of this type could develop as “a concerted, organized attack or as a more random consequence of a wrong combination of flaws simultaneously expressing themselves in certain automated trading systems and other financial market infrastructure components – an unplanned and completely unanticipated accident” it in fact turned out to be by that second source cause.

One crucial detail I stress here is that even when this type of event happened completely by accident and with absolutely no attempt at concealment, misdirection or subterfuge it still took five months to even determine the initial cause and much still has to be done to fully understand all of the steps in the chain of events that transpired subsequent to that. So this was not an act of cyber warfare or cyber terrorism. But it took quite a while to even rule that out. OK, I admit I had heard preliminary word on that several weeks ago and well before the release of this report as did many others that this event developed out of a trading systems accident if you will. But the same basic scenario could in principle have been intentionally launched as well. And this brings me to the core message I would convey with this posting. There is a very dangerous assumption that I have seen expressed in the news, and a myth that we have to reconsider and lay to rest when looking at conflict in a cyber context. This is:

• The myth that well organized conflict and attacks that reach a level of impact that would qualify as warfare can only be conducted at the nation state level, or at the very least at the level of large and highly structured organizations – think larger and more organized terrorist organizations there.
• When cyber enters warfare this no longer holds, and that fact is as crucial to understand and to plan for as is the fact that the source of an attack and even the nature of an attack can be all but impossible to determine, until well after the fact if at all.

When we look to online business, and to development of effective web site and social media driven business models it was once the assumption and perhaps with some reason that only established businesses could effectively participate. The advent of templated web sites and other easy to set up and maintain online capabilities, and of widely distributed core knowledge as to how to do business online quickly changed that, and it rapidly became a truism that even the smallest startups with thought and planning can launch a very effective online presence that can create and build sales and capture real market share.

Many cyber security professionals probably still speak disparagingly of “script kiddies” – would be criminal hackers who find and secure malicious code online that they would not know how to build themselves, but that they adapt for their own use and even if simply by running them with their own targets in mind. But that perspective overlooks some crucially important truths.

• Many malicious code resources for computer viruses, worms and other weapons, as well as commercialized database sources of personal information on millions of people and businesses are available to purchase and use.
• Much of this that is available shows a high level of sophistication – the cyber-resources and targeting information and resources that “script kiddies” would buy and use are no longer simple or easily blocked.
• Given that, a dangerous and significantly damaging attack can easily be mounted using what amounts to off-the-shelf and purchased resources – just as a legitimate business person can purchase use of a pre-built but customizable and brandable web template to quickly launch an effective online business presence.

We are facing an age where cyber warfare will also be commoditized as a more generally available option, and for a much wider range of initiating players than just nation states and larger and more organized national and international groups and organizations. And that is why this myth that I write of is so damaging.

I raised the question as to whether the April, 2007 cyber-attacks on Estonia were an incident of cyber warfare and I would answer that here with an emphatic yes. In this it does not matter whether Russia or any other nation state was in any way involved or participating, or whether this was simply a product of a self-assembling social network-based botnet attack, launched by a much more informal network of initiating participants. We have to collectively come to view warfare, at least from a cyber perspective from a very different perspective and based on a more wide-ranging threat assessment.

Was Stuxnet a cyber warfare weapon and was it used as a part of a cyber warfare attack? It does not matter whether Israel or any other nation state was involved for that to be answerable with an affirmative yes, too. In this, warfare is not as much a matter of who builds and launches the attack as it is of overall intent and result.

This is my third posting in this In the News series on Stuxnet and its context, and I have focused here on issues of definition and have touched briefly on a few issues related to strategy. I am debating posting a fourth installment that would be more operational in focus.


2 Responses

Subscribe to comments with RSS.

  1. […] • Part 1: Stuxnet, Cyber Warfare and the Challenge of the Intelligent Infrastructure, • Part 2: Stuxnet and Beyond – and Even Knowing When You Have Been Compromised and • Part 3: Stuxnet and the Democratization of Warfare. […]

  2. […] The person I was talking with in this conversation was thinking entirely in terms of simple linearly scalable models and in terms of finding magic bullets from packet authentication and a few other low level approaches. The system he envisioned, I argued, could be readily overcome and if for no other reason than because it could not be scaled on the defender side with anything like the technology or cost-efficiency that an attacker could deploy – even just a loosely organized but serious non-governmental attacker as I discuss here in part 3 of this series: Stuxnet and the Democratization of Warfare. […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: