Network Security, Threat Management

Who will be to blame for the loss of a cyberwar?

Cyberwarfare and EMP (electromagnetic pulse) blameshifting

Today we're going to talk about cyberwarfare in regional terms everyone can understand and we're going to use two well publicized disasters – Hurricane Katrina and the 1992 riots in Los Angeles after the police beating of Rodney King as a scalable reference model. We'll also compare the hot topic of 2009 – EMP – to the even hotter hot topic of 2010 – cyberwarfare.

To recap EMP's threat to the CIO or IT manager it's seen as a showstopper:

EMP and high powered microwave (HMP) weapons offer a significant capability against electronic equipment susceptible to damage by transient power surges. This weapon generates a very short, intense energy pulse producing a transient surge of thousands of volts that kills semiconductor devices.

The conventional EMP and HMP weapons can disable non-shielded electronic devices including practically any modern electronic device within the effective range of the weapon.

Cyberwarfare is different and potentially much more dangerous than EMP due to the ease of delivery. Instead of physically delivering EMP ordnance, which can fry electronics, the actual SCADA architecture is used like Stuxnet proved feasible: program the machinery to tear itself apart from anywhere in the world.

Yet EMP and cyberwarfare share one common bond. Both are seen as nonlethal methods of warfare.

Would that change? Some sources say yes, considering the scale of the attack.

EMP weapons do not rely on in-depth knowledge of the systems they strike, attacking all electronic systems without prejudice. Second, they are effective in all weather. Third, they are area weapons, with scalable footprints. One weapon can kill electronic systems in an area the size of a tennis court or throughout the entire United States. [original house.gov source]

Cyberwarfare has a similar nonlethal comparison: where a single fighter jet's avionics get zapped by a targeted cyber attack (and this is a reality right now) it would be seen as a "soft kill" since the fighter jet can still fly, but can no longer attack. Extend the nonlethal cyber attack up to collapsing critical infrastructure, such as banking, transportation and the power grid, and the same nonlethal tactics will contribute to the deaths of many.

As for cyberwarfare compared to EMP – most sources asked specifically about cyberwarfare stated their damage assessments ran the gamut – merely knocking out the payment systems of banking for example, wouldn't hurt much until people ran out of food and couldn't pay for more food. In that instance the equivalent of a regional April 1992 Rodney King Riot was given – 10 of which would equate the Hurricane Katrina level of mayhem and destruction.

Los Angeles riots of 1992. By the time the police, the U.S. Army, the Marines and the National Guard restored order, the casualties included 53 deaths, 2,383 injuries, more than 7,000 fires, damages to 3,100 businesses, and nearly $1 billion in financial losses. Smaller riots occurred in other cities, such as Las Vegas in neighboring Nevada, and as far east as Atlanta.

EMP and power grids: Nonlethal – at least right away

We'll compare this nonlethal extension of EMP to one sources' first-hand knowledge of a 2010 Army War College event and the damage estimates their group presented.

As some sources who recently attended the 2010 Army War College think tank on EMP related to me, an extensive EMP attack could collapse 80 percent of the existing power and communication networks. This would result in an estimated minimum 10 percent fatality in the first six months, potentially upwards of 40 percent after 18 months. Those percentages equal 30 million to 120 million Americans, but a solution exists.

Right now sources relate that the United States has a $200 million solution at their fingertips which can't quite become enacted. The proposed solution – fix all the custom-built transformers, just like Canada has done, and move on knowing that the risk of losing 10 to 40 percent of the nation's population has been mitigated tenfold. The solution would probably mean the difference between total grid collapse and smaller [Hurricane Katrina-sized] regional grid collapses, which could be recoverable over a period of weeks and months, not years.

Yet this threat – and the solution – remain bogged down due to blameshifting. The buck doesn't stop anywhere. Therefore, unless the executive branch makes an executive order mandating action, EMP power grid and communication vulnerability, which could easily be preventable, will continue.

Special note: If you're an IT manager or CIO who has the unfortunately tough task of analyzing backup storage facilities and needs an explanation of EMP defensive strategy, try this site as a primer. Or this Air Force paper. Press on with your RFP details enlightened!

2010: Year of cyberwarfare and Stuxnet

In the same vein, coordinated cyber attacks on the power grid will likely result in Katrina-sized regional issues rather than nationwide – but how many of these could we sustain without economic collapse?

Let's look at why we're not acting on cybersecurity policy from several perspectives – military, corporate and judicial.

Military: That's crime, not war, unless we prove intent

As the military states – there are laws like Posse Comitatus which prevent an over-reach of authority in cyberwarfare or cybersecurity provisions.

The Act prohibits most members of the federal uniformed services (today the Marine Corps, Army, Navy, Air Force, and State National Guard forces when such are called into federal service) from exercising nominally state law enforcement, police, or peace officer powers that maintain "law and order" on non-federal property (states and their counties and municipal divisions) within the United States.

Although it is a military force,[7] the U.S. Coast Guard, which operates under the Department of Homeland Security, is not covered by the Posse Comitatus Act. The Coast Guard enforces U.S. laws, even when operating as a service for the U.S. Navy.

One has to wonder how big a cyberattack gets until it is declared an act of war. Fortunately, the Constitution provides a framework; if Congress declares war, it's war. If the president authorizes action by the military against a non-nation state entity, it's legal. Think "Shores of Tripoli" and Google Barbary Pirates and Marine Corps for one example.

Since Katrina, there is increased participation for the military for action within our borders:

On Oct, 1, 2008, the U.S. Army announced that the 3rd Infantry Division's 1st Brigade Combat Team (BCT) will be under the day-to-day control of U.S. Army North, the Army service component of Northern Command (NORTHCOM), as an on-call federal response force for natural or man-made emergencies and disasters, including terrorist attacks.

USNORTHCOM's area of responsibility (AOR) includes air, land and sea approaches and encompasses the contiguous United States, Alaska, Canada, Mexico and the surrounding water out to approximately 500 nautical miles (930 km).

This gets a little interesting Constitutionally to say the least, but it does provide damage control support for 21st Century warfare like EMP and cyber. However, two other limitations handcuff the military from proactive response and limit it to reactive response – proportionality and collateral damage. Under these provisions, response from the military is limited and reactionary with few exceptions.

Proportionality is the rule, which limits the military's response to an act. Defined in a single sentence: If I ran over your dog or cat, under proportionality you couldn't respond by blowing up my house.

Collateral damage is something easier to understand. Anyone watching the news knows when a bomb goes off target, something else gets blown up. If a bomb is too big for the target, other non-targets are affected.

For the first time since the Cold War, collateral damage from threats such as EMP or cyberwarfare could very well affect a large number of civilian corporations and, in turn, affect us all.

Judicial: Stand back or the Constitution gets it!

Malware and botnet traffic could be filtered through the ISP infrastructure of the internet, but it is not. As the judiciary currently states, the power of the federal government may not infringe on ISPs to secure themselves. These ISPs must internally take responsibility for the malware and botnet related traffic yet there is no incentive for them.

2010's FCC v. Comcast ruling is one recent example of a hand slap for the feds trying to overstep their Constitutional power and regulate components of internet delivery.

Instead of being compelled by oversight and regulations, couldn't the ISPs simply "Just Do It"? It's not that simple. Let's examine motivation for inaction.

Corporate: No money in it

The benefits of doing nothing for a company usually outweigh the risk of involvement on a balance sheet.

Corporations are under attack constantly, yet they silo critical attack-related information, which could help to coordinate defense on a regional or corporate sector level. Additionally, the whole global economy shivers when stateside economic indicators move. Read any annual report from IBM to Adobe and discover that the majority of purchases financing these global corporations are derived from United States clients.

As the commercial/corporate sector often states – we're not the ones to blame for policies our global corporations make, the decision-makers in our company are overseas and [apparently] not subject to United States law for actions which may not be in this nation's best interest – or even for actions which don't support executive orders of the United States.

One theoretical example of how corporate responsibility from ISPs would work is to screen out botnet channels and quickly restrict the influence of established malware from self-propagating. However, that action probably wouldn't be considered net neutral.

Solutions: It takes a village to prevent idiocy

Communities are strong. Online communities are even stronger, and with the force multiplier of technology they move faster than government or corporate communication channels. Consider researching these recent and successful online movements:

  1. The success of Wikipedia's model as compared to MSFT Encarta.
  2. The current campaign by Anonymous called Operation Payback.
  3. Russian army vs. Georgia.
  4. Russian citizens vs. Estonia.

Consider the positive side of the matter: Where Russian cyber militias sowed confusion in Estonia a defensive security force leveraging skills of the best cybersecurity folks would have a reverse effect and harden the target.

Recommendation: Get involved early

On the longer side of things, critical infrastructure has long been tightly bound to federal guidelines – NERC is an example, yet even this level still seems too reactive given the EMP example and the lack of capital outlay for cyberwarfare solutions.

Nobody wants to pay, yet everyone suffers should it go unaddressed.

While the military has at least 20,000 troops currently deployable, should a massive cyberwar event occur this is barely enough to contain a single Katrina-sized event with kinetic world consequences, such as food shortages and communication outages, let alone multiple ones sure to occur in a persistent cyberwarfare attack on SCADA and electrical grid.

In a not-quite related post, one blogger laid the ultimate responsibility for the nation's failure right at the feet of the electorate – all of us little people:

In a Republic we, its citizens, bear the final responsibility. We're the problem. The American people today want reform, but not the cost and work it requires. Anger might be a precondition or result of that self-insight. After that comes the real work.

A profound revulsion at what we have become is a necessary, perhaps even sufficient, first step to reform.

The persistent threats to corporations, individuals and infrastructure may not be attributable, yet they must become addressable. Threats don't go away because of inattention, instead they grow larger and larger.

By using a public-private partnership as an umbrella to shelter the necessary dialogue between corporations, volunteers and government, fear, uncertainty and doubt (FUD) can be dispelled. The rapid communication of the value proposition of Wikipedia-like voluntary cyber defenders to their employers will then become easier and our defensive structure will become enhanced.

Full Disclosure: As I related in previous articles, my grandfather worked for Sandia for 30 years after his duties in the Manhattan Project. Sandia is Shawn Carpenter's former company. Shawn Carpenter and I also served in the same branch of military service, and although we both lived in New Mexico I have never met him.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.