Cyber is Calvinball.
I gave a talk back in 2015 [1] which I think has held up rather well. My argument was that cyber is evolving in unpredictable ways as we learn more about the domain. That the current state of the art has huge blind spots we aren’t even thinking about. The next year was, of course, the 2016 disinformation campaign fed by cyber loot.
I feel that a great deal of cyber war literature is based on knowledge derived from interviews with people who no longer operate, or were just managers. This wisdom gets written up and then cited so frequently it becomes “laws of cyber.” The reality, of course, is that it is no such thing.
One example of these laws of cyber is: cyber capabilities are ephemeral and using them means possibly (probably?) losing them. I believe this is derived from first principles and rules of thumb for a specific offensive cyber operational context.
A good rule of thumb for an operator is: a capability used is at risk of being discovered. If that operator values stealth extremely highly, they will treat discovery as a fatal condition for that capability. It gets “burned” and they can no longer use it. This is completely reasonable given the operator’s priorities.
However, if the operator values effects on target and isn’t concerned about discovery or even attribution, then there is no such thing as “burned.” Indeed, 0day versus n-day ceases to be relevant either.
Yet academics frequently cite the rule of cyber war that a capability is ephemeral, sometimes even “single use” only. Anyone who has done any penetration testing knows this is true only in the broadest possible sense. Ephemeral might mean “5 years after the patch was released less than 50% of targets are still vulnerable.”
For example, WannaCry had a huge impact, even though it was released long after the patch was pushed out via automated channels. Months later, NotPetya exploited the same vulnerability and was an even bigger cyber event.
According to the immutable laws of cyber, these attacks should not have been possible because the vulnerability was patched in February of that year. It was burned.
A quick joke to summarise.
A neighbour goes to the Mullah Nasreddin’s house and asks to borrow his donkey. The Mullah tells him “the donkey isn’t here.” Just then the donkey brays loudly. Mullah Nasreddin: “Who are you going to believe, me or the donkey?!”
Cheers,
—gq
[1]: the grugq, On Cyber. “Power of Community” 2015 https://www.youtube.com/watch?v=qlk4JDOiivM
On 16 Aug 2024, at 01:10, Dave Aitel via Dailydave <dailydave@lists.aitelfoundation.org> wrote:
Before there were words, calculated as the softmax of a list of possible tokens, there were just vectors of nano-electrical potential in cells soaked in a hormonal brew of electrolytes, operating on a clock cycle of "slow, but fast enough". In this sense, as we now know, we generate words and we know, in our heads, what we are, in the same way as we generate limbs, with each cell knowing from its electric field what to be next. A tumor is in that way of thought a confabulation or as we now say, a hallucination. But then, also, so are you.
Recently I spent some time reading this year's Research Handbook on Cyberwarfare. One of the forms I filled out recently asked me if I was a certified Master Operator, which of course, I am not, any more than an Archaeopteryx is a certified Bald Eagle, even though both know the smell of the sky and the taste of freshly caught fish. But I do occasionally pay attention to the "state of the art" academic view of cyberwar and the Handbook was a good way to catch up.
For example, if you read Nadiya Kostyuk and Jen Sidorova's Handbook paper on Military Cybercapacity they will say that "a cyber attack may provide a defender or third party with a good estimate of the attacker's capabilities, but it is not clear how many of these capabilities the attacker has in their arsenal". This is, to my primitive cyberwarfare mind, so old that I still use "screen" instead of "tmux", a bit of a misstep when it comes to how cyberwar works and what a capability is. I don't know how to say it any clearer than this: Behind every wooden horse is a woodshop.
An example in my head is that right now the Ukrainian army is rumored to be sitting on top of a major gas terminal in Kursk, one responsible for supplying Russian gas to Europe. You have to assume that, having learned from the Russian attacks against their electrical infrastructure, the Ukrainian Army is traveling not just with a screen of FPV drones but with a few USB keys containing implants for the specialized equipment that runs a gas network.
It's hard to disconnect OT networks that are presumed to be segmented physically, and temporary physical control can easily translate to permanent cyber control. And cyber control, despite what Quentin E. Hodgson's Handbook paper (Cyber coercion as a tool of statecraft: how often, how effective?) wrongly concludes, is extremely useful for state coercion.
Perhaps the problem with the Handbook, like all academic writing on cyberwar, is that it is meant to be sterile. But that's not how cyberwar works, held in the space that is a melange of electrons and intentions. As tumors confabulate within flesh, so too do our digital dreams hallucinate new worlds, both the virus and the firewall, the wooden horse, and the workshop that births it. Certified or not, we are masters of a domain we cannot fully comprehend, sailing on seas of raw data, guided by stars we ourselves ignite.