
Calhoun: The NPS Institutional Archive

Faculty and Researcher Publications Selected Student Papers and Publications, not including Theses and Dissertations

2016-06 Cyber Weapons are not Created Equal

Bartos, Christopher A.

Bartos, Christopher A. "Cyber Weapons are not Created Equal". U.S. Naval Institute Proceedings 142/6/1 (2016): 30-33. http://hdl.handle.net/10945/49618

U.S. Naval Institute, Since 1873, www.usni.org. Proceedings: The Independent Forum of the Sea Services. June 2016, Vol. 142/6/1,360

The U.S. Naval Institute is a private, self-supporting, not-for-profit professional society that publishes Proceedings as part of the open forum it maintains for the Sea Services. The Naval Institute is not an agency of the U.S. government; the opinions expressed in these pages are the personal views of the authors.


Cyber Weapons Are Not Created Equal (page 30). By Captain Christopher A. Bartos, USMC. "Cyber attack" is the buzz-phrase, but the real meat of the matter is "cyber defense."


CYBER WEAPONS ARE NOT CREATED EQUAL

By Captain Christopher A. Bartos, U.S. Marine Corps

Despite public phobia to the contrary, cyber attacks are no simple thing; great sophistication is required to bridge the 'logical-physical divide,' where defense has a distinct advantage over offense.

Today's prevailing wisdom, both inside and outside the Department of Defense, is that offense dominates in the cyber domain.1 Determining the balance between offense and defense arises with the emergence of every new military technology. Driving the current belief in cyber's offensive dominance is the idea that digital weapons--which rely primarily on manpower--are cheap to create, while society's overall dependence on the Internet creates a plethora of vulnerabilities for intrusion, exploitation, and attack.2 The primary benefit to the offense in the cyber domain is the lack of physicality. Cyber, unlike the other domains, is a hybrid of the logical and the physical, which means that intrusions, attacks, and defense occur at the "speed of light."3 Yet cyber's greatest offensive advantage is the same factor that limits its overall effectiveness as a weapon, namely, the logical-physical divide. Bridging this steep divide is required if digital operations are to significantly impact the physical world.

Photo caption: Military students man the computers in Pyongyang, , where Supreme Leader Kim Jong-Un has hailed cyber warfare as a "magic weapon." The North Koreans did succeed in engineering the infamous 2014 Pictures hack--but ultimately such a stunt is "nothing more than a cyber prank."

Cyber Misperceptions

When compared to traditional arms manufacturing, the creation of most cyber weapons is not only cheap, but also easy to hide. Computers, Internet access, and manpower with the right education and skills are all one needs to begin hacking computers. This is likely the reason why even Kim Jong-Un, the leader of reclusive North Korea, calls cyber warfare a "magic weapon."4 Cyber attacks will only increase as more computers connect to the Internet and more people gain the skills to hack them.

Misperceptions about cyber warfare are fueled by a cognitive bias with regard to cyber intrusions and attacks. On any given day there are millions of attempted malicious operations within the cyber domain; any approximation for all attacks will likely be underestimated, considering the billions of people connected to the Internet and the automated way the simplest of searches for and attacks targets. Many of these attempts are blocked before they even can gain access to a system. Even if on a percentage basis the number of effective attacks is small, news reports of these attacks garner media attention, increasing the perception that successful cyber attacks are easy.

Cyber attacks are hard for the same reason any attack is difficult--there are many steps involved in skirting the defenses of the adversary. For military operations in urban terrain, the Marine Corps uses a template for successful attacks: reconnoiter the objective, isolate the objective, gain a foothold, and secure the objective.5 Successful cyber attacks require the same process. must first conduct reconnaissance on a target, isolate that target from potential cyber defensive support, gain the foothold in the system, and finally exploit that foothold to obtain the objective. Smart defenders can, and often do, spoil attacks on networks by interrupting this process at any of the four steps.6 This process will become even more difficult as cyber defenses are strengthened. Material losses from hacks have brought visibility from top-level corporate executives, prompting cyber defenders to strengthen their shielding structures even more and build network architectures with redundancy in mind--a principle every good communications officer in the military has implemented for years.

Photo caption: Cyber enlisted students at the Naval Postgraduate School are training for the contingencies of the new high-tech battlespace. "To take full advantage of our nation's substantial defensive and offensive cyber capabilities, planners must account for the proper strategic balance between the two."

Offensive cyber weapons also face the dual problems of "perishability" and obsolescence. Perishability is when a cyber weapon is no longer effective after it has been used. Obsolescence refers to a cyber weapon becoming ineffective because of time. The vulnerability in a system that is exploited when an attacker uses a cyber weapon immediately becomes well known to system administrators and those who developed the original code. Patches are written and, when installed, close the gap that the attack originally used. A cyber weapon is perishable because it is impossible to reuse as long as the system is updated.

Obsolescence occurs by the same process except that the vulnerability is discovered and fixed before an attacker uses the cyber weapon. Unlike weaponry in the physical world, the development of cyber weapons and countermeasures happens at an incredibly rapid pace, meaning that attackers in cyberspace must constantly update their arsenals to have any hope of conducting a successful attack. Since it is difficult for an attacker to know if a developed weapon has become obsolete, it is extraordinarily difficult to plan a truly effective cyber attack. Though these same factors affect the defender, who must constantly update systems and fix gaps in the defense, the burden of action rests on the shoulders of attackers.

Minimal vulnerability also makes cyber weapons more defensive in nature. Missiles in hardened silos and ships in harbors are relatively well defended, reducing the incentive to strike first because each side can reasonably expect to use its weapons and defend itself successfully. Cyber criminals and nation-states can effectively hide and protect their cyber arsenals from other actors because of the complex nature of cyber geography and good encryption. With cyber weapons moored safely in their cyber harbors, nation-states have little advantage to striking first against an opponent.7 At first glance, the effects of obsolescence would seem to undermine this stability in the cyber world because a weapon has a "use it or lose it" advantage. Not all cyber weapons, however, are created equal. The logical-physical divide between the cyber domain and all the other domains separates out low-level from high-level cyber weapons. Only complex, higher-order cyber weaponry can meaningfully bridge this divide, making them less susceptible than low-level weapons to obsolescence.

Photo caption: Iranian President Mahmoud Ahmadinejad (front and center) takes a 2008 tour of the Natanz uranium enrichment facilities--soon to be the target of one of the most destructive cyber attacks to date, courtesy of the virus. "The Stuxnet attack was effective because it focused on the interface between the logical and the physical. . . ."

Bridging the Cyber Divide

Design, planning, and implementation of effective cyber attacks must take into account the three basic elements to cyber security: confidentiality, integrity, and availability.8 Confidentiality assures that only the appropriate owner can operate the system and that messages sent to and from that system can only be read by the intended recipient. Integrity refers to the completeness and accuracy of data used by the system for its various functions. Availability means an authorized user can use a system as anticipated. A cyber attack is an action that compromises any of these three legs of the security triad. Only attacks on the integrity of systems, however, are capable of bridging the logical-physical divide in any meaningful way.

Attacks on confidentiality, commonly referred to as computer network exploitation (CNE) in the Department of Defense, are effectively a form of espionage. Breaches of confidentiality are actually intrusions rather than attacks, because they do not cause any damage per se. CNE is typically used to gather intelligence on computer systems as well as for any of the other myriad purposes criminals and nation-states want information. Intrusions into a system can serve a dual purpose in that they not only enable information extraction, but they can also provide a way to plant malicious code within a system or corrupt its data without the owner knowing. According to some cyber experts, this highlights the offensive nature of all malicious cyber actions.9 Just because intrusions are necessary to further attack computer systems, however, does not mean that CNE tips the offensive-defensive balance in favor of the offense. Espionage networks historically have the same capabilities of gathering intelligence as well as providing a network for potential covert, malicious action. Espionage networks in themselves, however, do not change the offensive-defensive balance because, outside of the intelligence gathered, it would be difficult to obtain a strategic advantage large enough to prompt a nation to strike first and initiate a war. Intelligence gathering may even promote stability between nations by reducing the amount of private information held by each side, creating a defensively favored relationship.10

Another option of a cyber attacker is to deny authorized users the availability of their systems. The most common uses a technique known as distributed denial-of-service attacks, where hackers shut down computers or web sites by overloading a system's capacity with digital traffic. Availability attacks are commonly used by non-state actors but are also used by nation-states, such as when the "Guardians of Peace," later unveiled as North Korea, took down the website of Entertainment in December 2014.11 These attacks garner a lot of attention but ultimately amount to nothing more than a cyber prank. Losses did occur, and effort was expended to correct the problem. From a strategic perspective, however, these attacks hardly affect the offensive-defensive balance. As network architects design systems with inherent resiliency, the actual usefulness of such cyber pranks will diminish. Only with a massive, concerted effort to simultaneously bring down multiple systems could an availability attack have significant impact.

Attacks against the integrity of computer systems aimed at translating digital information into real-world effects hold the greatest promise for cyber attackers. To date, the most effective known cyber attacks were the ones against Iran's nuclear program using the malicious computer worm Stuxnet. Stuxnet offers an excellent example of an integrity attack, where the software of the programmable-logic controllers was altered to change the rate of spin in centrifuges used to enrich uranium.12 The Stuxnet attack was effective because it focused on the interface between the logical and the physical--by corrupting the data that directly controlled how fast the centrifuges spun, the attack destroyed the equipment necessary to produce weapons-grade uranium.13 Another example is the now-famous Aurora exercise, where the Department of Homeland Security destroyed an electric generator by inputting data that closed a breaker with the grid out of phase, thereby placing a catastrophic amount of torque on the generator.14

Cyber attacks targeting the integrity of systems are the most potent, but they are also the most difficult to successfully execute. An effective attack not only requires unauthorized entrance into the system, but also purpose-built malware that merges detailed knowledge of the target with excellent programming designed to exploit flaws in physical systems. The significant increase in expert manpower and time needed to create these weapons, as well as the increased security needed to prevent their disclosure, significantly increases their cost. Even if an adversary overcomes these difficulties to develop a potentially effective weapon, execution of the plan must be flawless. The increased intricacy makes the overall attack more vulnerable where even the slightest hint that something is awry could throw the whole operation. Proponents of offensive dominance in the realm of cyber argue that the cost of offensive weaponry is far cheaper than defensive measures. The truth is that meaningful offensive weapons incur the high cost while the defender can easily and cost-effectively protect through good information practices, design, and the safeguarding of the critical logical-physical interface.

'Defensively Oriented'

Only the most sophisticated cyber attacks--requiring significant investments of manpower, expertise, time, money, and coordination--can bridge the logical-physical divide between the cyber domain and other domains to create strategic, real-world effects. Even simple cyber attacks must incorporate multiple stages allowing the defender opportunities to break the offensive momentum. This is not to say that low-level attacks cannot have impacts--they can, and do, inflict damage and cost on the victim--but those impacts do not cross the threshold required to tip the balance in favor of the offense. Understanding that the challenge of defending against high-level attacks pales in comparison to the difficulty of conducting them establishes that cyber is actually defensively oriented.

Cyber presents a whole new arena for interactions between nation-states. Current U.S. policy purposely has avoided opening the Pandora's Box of escalation and retaliation in the cyber domain, despite calls by some to "come back at them."15 To take full advantage of our nation's substantial defensive and offensive cyber capabilities, planners must account for the proper strategic balance between the two. Abandoning the "cult of the offensive" in cyber is the first step toward achieving effective cyber operations, prudent policy, and real security.

1. Henry Farrell, "The Difference Between Offense and Defense in Cybersecurity," Washington Monthly, 5 July 2013, www.washingtonmonthly.com/ten-miles-square/2013/07/the_difference_between_offense045666.php. Jan Van Tol, Mark Gunzinger, Andrew Krepinevich, and Jim Thomas, "Air Sea Battle: A Point of Departure Operational Concept," Center for Strategic and Budgetary Assessments, 18 March 2010, http://csbaonline.org/publications/2010/05/airsea-battle-concept. William J. Lynn III, "Defending a New Domain: The Pentagon's Cyberstrategy," 28 March 2016, http://archive.defense.gov/home/features/2010/0410_cybersec/lynn-article1.aspx.
2. Erik Gartzke and Jon R. Lindsay, "Weaving Tangled Webs: Offense, Defense and Deception in Cyberspace," Security Studies, vol. 24, no. 2 (June 2015), 316-17.
3. Gregory Rattray and Jason Healey, "Categorizing and Understanding Offensive Capabilities and Their Use," in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (Washington DC: National Academies Press, 2010), 78-79, www.nap.edu/read/12997/chapter/8#79.
4. Flora Drury, "North Korea's 'Ruthless Magic Weapon': The Cyber Warrior Factory 'Behind Sony Attack,' Which Handpicks Genius Children to Target Enemies of Kim Jong-Un," The Daily Mail, 18 December 2014, www.dailymail.co.uk/news/article-2877589/North-Korea-s-Bureau-21-cyber-warriors-trained-secretive-hacking-unit.html.
5. Marine Corps Reference Publication 3-11.1A, Commander's Tactical Handbook (Quantico, VA: Marine Corps Combat Development Command, 1998), 33.
6. P. W. Singer and Allan Friedman, "Cult of the Cyber Offensive," Foreign Policy, 15 January 2014, http://foreignpolicy.com/2014/01/15/cult-of-the-cyber-offensive.
7. Andy Beckett, "The Dark Side of the Internet," , 25 November 2009, www.theguardian.com/technology/2009/nov/26/dark-side-internet-freenet.
8. P. W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (New York: Oxford University Press, 2014), 35-36.
9. Bruce Schneier, "There's No Real Difference Between Online Espionage and Online Attack," The Atlantic, 6 March 2014, www.theatlantic.com/technology/archive/2014/03/theres-no-real-difference-between-online-espionage-and-online-attack/284233.
10. Michael Kapp, "Spying for Peace: Explaining the Absence of Formal Regulation of Peacetime Espionage," master's thesis, University of Chicago, June 2007, HH3, 17. Russel Buchnan, "Cyber Espionage and International Law," in Research Handbook on International Law and Cyberspace, ed. Nicholas Tsagourias and Russel Buchnan (Northampton, MA: Edward Elger Publishers, 2015), 174-75.
11. Andrea Peterson, "The Sony Pictures Hack, Explained," , 18 December 2014. "Update on Sony Investigation," Federal Bureau of Investigation press release, 19 December 2014, www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.
12. William J. Broad, John Markoff, and David E. Sanger, "Israeli Test on Worm Called Crucial in Iran Nuclear Delay," , 15 January 2011.
13. David E. Sanger, "Obama Order Sped up Wave of Against Iran," The New York Times, 1 June 2012.
14. Jeanne Meserve, "Sources: Staged Cyber Attack Reveals Vulnerability in Power Grid," CNN, 26 September 2007, www..com/2007/US/09/26/power.at.risk/index.html?iref=tonews. Joe Weiss, "Misconceptions About Aurora: Why Isn't More Being Done," Infosec Island, 13 April 2012, www.infosecisland.com/blogview/20925-Misconceptions-about-Aurora-Why-Isnt-More-Being-Done.html.
15. William Petroski, "Kasich Talks Tough on Cybersecurity at Iowa Forum," The Des Moines Register, 26 September 2015.

Captain Bartos is a national security affairs student at the Naval Postgraduate School pursuing an MA in East Asian security studies. A ground intelligence officer by training, he has deployed twice to Afghanistan in support of Operation Enduring Freedom. He is training to be a Northeast Asia Foreign Area Officer. Captain Bartos won the NPS Foundation Essay Contest Award for this contribution.
