At the Churchill Club top 10 tech trends debate I disagreed with the propositions that “Cyber Warfare Becomes a Good Thing” and that “US is the Supreme Cyber Security Force in the World and its Primary Force; citizens accept complete observation by the functions of a police state. A devastating electronic attack results in govt. militarization of major gateways and backbones of the Internet.” I have problems with the “goodness” in the first prediction, and while the U.S. may argue that it is the best, I don’t think the trend is toward a sole superpower in cyberspace.

The NSA TAO group that performs the cyber-espionage pulls 2 petabytes per hour from the Internet. The networking infrastructure to support this is staggering. Much of it is distributed among the beige boxes scattered about in plain view, often above ground on urban sidewalks. When President Obama receives his daily intelligence briefing, over 75% of the information comes from government cyberspies. (BusinessWeek)

Cyber-offense may be very different than cyber-defense. Some argue that open disclosure of defense modalities can make them stronger, like open source software. But offensive tactics need to be kept private for them to be effective more than once. This leads to a lack of transparency, even within the chain of command. This leaves open the possibility of rogue actors — or simply bad local judgment — empowered with an ability to hide their activities and continual conditioning that they are “beyond the law” (routinely ignoring the laws of the nations where they operate). We may suspect that rogue hacking is already happening in China, but why should we expect that it wouldn’t naturally arise elsewhere as well?

Since our debate, the Washington Post exposé reported:

“Chinese hackers have compromised the designs of some of America’s most sensitive and advanced weapons systems—including vital parts of the nation’s missile defenses, fighter aircraft and warships… Also compromised were designs for the F/A 18 fighter jet, V-22 Osprey, F-35 Joint Strike Fighter, UH-60 Black Hawk helicopters and the Navy’s new Littoral Combat Ship meant to prowl the coasts.”

And today, a new report from the U.K. Defense Academy, entitled The Global Cyber Game, suggests that my mental model may be a bit antiquated.

Shall we play a game?

“When the Internet first appeared, the cultural bias of Western countries was to see it as a wonderful and welcome innovation. The fact that it created security problems somewhat took them by surprise and they have been reluctant to respond.

In contrast, states such as Russia and China saw the Internet as a potential threat from the outset, and looked at the problem in the round from their perspective. They formulated strategy and began to move pre-emptively, which has allowed them to take the initiative and to some extent define the Cyber Game.

As a result, cyberspace is now justifiably seen by Western countries as a new and potentially serious avenue of international attack, which must logically be militarized to protect the nation.

But what if information abundance is so deeply transformative that it is changing not only the old game between nations but the global gameboard itself? In this case, we need a different approach, one that seeks to fully appreciate the new game and gameboard before making recommendations for national security.

The ability of national governments to understand and tame the Global Cyber Game, before it takes on an unwelcome life of its own, may be the crucial test for the effectiveness and even legitimacy of the nation state in the information age.” (p.107)

The China Hypothesis

“It makes extensive state-bankrolled purchases of many critical parts of the local economies and infrastructure under the guise of independent commercial acquisitions. These include contracts for provision of national Internet backbones, and equity stakes in utility companies. These enable it to control ever larger parts of the target economies, to install national-scale wiretaps in domestic networks and, in effect, to place remote off-switches in elements of critical national infrastructure.

Finally, to round off the effort, the ‘competitor’ simultaneously makes a massive effort to build its own domestic knowledge industry, sending students around the world in vast numbers to learn local languages and acquire advanced technical skills. In some cases, these students even manage to obtain funding from the target country educational systems. This effort, which only pays off on long timescales, allows it to consolidate and make full use of the information it has exfiltrated from around the world.

If it is allowed to continue for long enough, the target countries will find that they have lost so much autonomy to the ‘competitor’ country that they are unable to resist a full cultural and economic take-over, which is ultimately accomplished without open hostilities ever being declared, or at least not of a type that would be recognizable as industrial-era conflict.

National geopolitical strategy can be disguised as normal commercial activity and, even if this is noticed, it cannot be challenged within the legal systems of target countries. Thus an international-scale offensive could be mounted without it ever being understood as such.

These difficulties are somewhat reminiscent of the industrial cartelization strategy pursued by Germany in the years running up to the Second World War. This carefully orchestrated form of economic warfare was effectively invisible because it was positioned in the cognitive blind spot of British Empire industrialists. Until war broke out, and the deliberately engineered shortage of materials became apparent, they were unable to see it as anything but apparently profit-seeking industrial strategy on the part of German industry.

What sort of response should be made to a strategy like this… is retaliation of any kind appropriate? Should the Cyber Game be played as a zero-sum game? The essential problem is that the strategy involves IP theft on a grand, indeed global scale. This is real destruction of value for those companies and agencies who have been targeted.

Is there any other way of looking at this? Possibly the one thought that trumps Western outrage at the idea of information theft is to recall that it can be stolen without being lost, though it may be devalued. It may not be the knowledge itself but how we create it and use it that is important. In this view, the Cyber Game, being ultimately knowledge-based, is genuinely a non-zero game. Among economic players of the Cyber Game, this understanding is gradually turning into an approach that author Don Tapscott calls ‘radical openness’.

A true knowledge-era strategy may not be stealing information but sharing it, playing the Cyber Game high on the gameboard, as Internet pioneers have been doing all along. Maybe Western democracies should respond to China’s alleged actions in the same way. Dare they choose to reframe in this way?” (pp.52-8.)

The Future

“The most likely form of conflict is now civil war in countries with governments referred to as anocracies, neither fully democratic nor fully autocratic.

Income polarization is rising within wealthy countries, as a side effect of globalization, and is hollowing out the middle class. Commentators and researchers have noted this effect particularly in the US. Whether this rising polarization could raise the risk of civil war in wealthy countries is questionable, as long as their governments remain effective. This itself will be a function of how well they adapt to the evolving information environment. If they fail, and a combination of financial, economic and environmental crises threaten the ability of governments to maintain the quality of life, then internal conflict is entirely possible.” (p.74)

And as I try to look farther to the future, the offensive cyber-code and autonomous agents of today are not so different from the bio and then nano-weapons of tomorrow. The cell is but a vessel for the transmission of code.

I think humanity will cut its teeth on cultural norms and responses (police state, cyber-counter-guerillas (beyond governments to posses and bounty hunters), and a societal immune system for the crazy ones) in response to the imminent cyber threats… and then we will face bio threats… and finally nano threats. So there is little reason to focus on the latter until we have solved the former.

14 responses to “Cyberwarfare between the U.S. and China”

  1. Some additional graphics from the report:

    (Graphics: Implications for Intelligence Agencies; Two end-game scenarios; Not so good N-crash; Maybe good N-topia.)

    "Cyberpower and cyber security are conceptualized as a ‘Global Game’ with a novel ‘Cyber Gameboard’ consisting of a nine-cell grid. The horizontal direction on the grid is divided into three columns representing aspects of information (i.e. cyber): connection, computation and cognition. The vertical direction on the grid is divided into three rows representing types of power: coercion, co-option, and cooperation. The nine cells of the grid represent all the possible combinations of power and information, that is, forms of cyberpower.

    The Cyber Gameboard itself is also an abstract representation of the surface of cyberspace, or C-space as defined in this report. C-space is understood as a networked medium capable of conveying various combinations of power and information to produce effects in physical or ‘flow space’, referred to as F-space in this report.

    Game play is understood as the projection via C-space of a cyberpower capability existing in any one cell of the gameboard to produce an effect in F-space vis-à-vis another player in any other cell of the gameboard. By default, the Cyber Game is played either actively or passively by all those using network connected computers. The players include states, businesses, NGOs, individuals, non-state political groups, and organized crime, among others. Each player is seen as having a certain level of cyberpower when its capability in each cell is summed across the whole board. In general states have the most cyberpower.

    The possible future path of the game is depicted by two scenarios, N-topia and N-crash. These are the stakes for which the Cyber Game is played. N-topia represents the upside potential of the game, in which the full value of a globally connected knowledge society is realized. N-crash represents the downside potential, in which militarization and fragmentation of the Internet cause its value to be substantially destroyed. Which scenario eventuates will be determined largely by the overall pattern of play of the Cyber Game.

    States have a high level of responsibility for determining the outcome. The current pattern of play is beginning to resemble traditional state-on-state geopolitical conflict. This puts the civil Internet at risk, and civilian cyber players are already getting caught in the crossfire. As long as the civil Internet remains undefended and easily permeable to cyber attack it will be hard to achieve the N-topia scenario.

    Defending the civil Internet in depth, and hardening it by re-architecting will allow its full social and economic value to be realized but will restrict the potential for espionage and surveillance by states. This trade-off is net positive and in accordance with the espoused values of Western-style democracies. It does however call for leadership based on enlightened self-interest by state players." (p.2.)

  2. p.s. it is so strange to see flickr become a social ghost town… I have 16 million unique page views here, and some small fraction of that on Facebook, yet, over there a rich discussion ensues

  3. I have been with Yahoo since the early, Geocities days, but I have to admit that Yahoo has the smell of death about it now.

  4. Steve – I think it’s because this hasn’t really been a place to talk about things other than photos. At least in my experience. Thanks for posting this. (I shared it on FB.)

  5. true enough – my first flickr "read" and troll…

  6. This is timely. I will be speaking and moderating at The Global Conference on Disaster Management and cyberthreats are one of my top 11 things that one should be concerned with. See: http://www.disasterconference.org for more details. Thanks for posting this.

  7. I’m afraid the recent Flickr changes are driving me away. I suspect the same might be true for others as well. I haven’t completely given up, but I only check in to Flickr every two or three days now.

  8. Flickr is not a social ghost town, it’s the photography site you’ve always loved 😉 This post by you is awesome and is a "blog" entry that can certainly live here, but is probably more suited to G+ or blogger or a wordpress site (as I think you have used for this sort of post on other occasions). To get it traffic here (stating the obvious to be clear), you would need to extensively cross link it to twitter, fb, other social sites. Unfortunately, that means the discussion will likely take place on those other sites…or be scattered about between them. Also, I’d note, this is a post that only ~ 0.01% of US citizens would read half of (generous?), much less form an interesting opinion about. 😉

    As for Flickr, if you have any pull with the new Tsars of Yahoo, I’d like to pass on the following as comments from an "early flickr power user with over 35,000 images posted" 1) The new iPhone app and new UI are ambitious and exciting…very aggressively rolled out…which is good; however, the team is breaking things all over the place…needs to SLOW DOWN, back track, bug fix, finesse for a few months. And especially use metrics and well-crafted user surveys targeted to the various types of user, to figure out which new stuff worked/didn’t. Damn the torpedoes full speed ahead has HUGE benefits, but sometimes, ya gotta slow down and make sure the ship is holding together! 2) The user-state issue between Flickr/Yahoo that has persisted since the Flickr acquisition (yes) is now worse than ever! If I log into yahoo mail, I am not yet logged into flickr (should be). When I log into flickr, it logs me OUT of yahoo. Uugh. Then I log back into yahoo and everything is fine. This is the kind of bad programming/state-management that google would have fixed in a few months following an acquisition. It is a total drag.

  9. As for an opinion on this post’s issue: Need to get to the "Maybe good N-topia." The USA as a/the major current global player has some work to do to help this happen: 1) The US government needs to get out of the stone age with its DEFENSE. Its networks are swiss cheese, and worse, its policies with employees and subcontractors are an utter disaster zone. There is horrible definition of what is/should be classified and more horrible management of who needs access to things that are legitimately classified. Fixing this is first order. You can’t have total secrecy if you make everything secret. 2) The OFFENSIVE strategy of ingesting the entire ocean of Internet transmissions (2 petabytes an hour – as per SteveJ above!) is completely unconstitutional, not to mention unsustainable. The USG needs to learn how to cast a much more accurate and narrow net. Any good cyber-agent is going to be using encryption, VPNs, TOR, etc. to get at the swiss cheese govt. network access points in ways that do not show up in normal IP traffic and leave little trace of origin. They’re not going to be picked up by the NSA’s mega dragnet. Nor are "terrorists" planning attacks – unless they are complete idiots – in which case they are not the kind of terrorists to worry about. The real danger is not even "electronic" per se, but social attacks on the tens of thousands of poorly managed contractors and agency staff who have high level clearances. Bottom line: the current state of national cyber security in the USA is REACTIONARY and poorly managed. Those who can benefit from this situation are using it to build systems and methods that may be good for them and their ulterior motives (endlessly escalating and expensive cyber-cold-war games, offensive/defensive surveillance power over domestic and international enemies of all kinds), but are BAD for the privacy, constitutional rights, and security of all US citizens, IMHO.

  10. Compelling analysis.

    Unfortunately, I see incentives in the US strongly pushing us toward N-crash. To a too-great extent, the harms of having bad security remain externalities, at the individual and corporate level.

    At the corporate level, firms routinely escape responsibility for their insecure systems, and so they CHOOSE not to secure them because the financial incentives to have secure systems aren’t adequate to motivate a different choice. Typical Example: I uncovered exfiltration and abuse by hackers of TD Ameritrade’s main customer database. This database contains 6.3 million+ customers’ names, addresses, …, account numbers, account balances .. social security numbers. AMTD knew of, COVERED UP, and failed to fix the problem for TWO YEARS. The SEC did zilch. I took ’em to court, had plenty of hard evidence (of the breach, abuse and cover-up), and even information from an insider, and fought hard, but no matter what I did, I couldn’t get them to agree to pass a third party security audit, and they got off with a slap on the wrist. (See this blog) So from a financial perspective, when executives like the CFO and then-Chief Security Officer, Bill Edwards decided to cover up the breach, even in hindsight, they probably made the financially correct decision. The message to executives from my case is the exact opposite of the one I had hoped to send. I had hoped to send the message that companies should work hard to maintain system security. The only laws about security with teeth are the ones that only protect the integrity of the records that investors analyze – P&L, etc. (And I’m sure you know more about the flaws in those laws than I, Steve.)

    Similarly, owners of individual PCs that are part of a botnet often decide they don’t care, and won’t do anything about it. I’ve come across lots of first hand examples of this.

    At the software development level, the harms of having bad security remain externalities to a great extent, for example, Microsoft maintained its lion’s share of the PC OS market even when its security was far worse (yes, some debate that, but come on, let’s be real and not get sidetracked; it’s just an example) than the competition. Laws don’t make developers responsible for security breaches due to even egregiously badly written software, and neither do market forces.

    P.S. FYI, I came here via a photo of yours in ‘Google’ on Wikipedia – which couldn’t have happened if you hadn’t CC-licensed the photo.

  11. hmmm… after posting this, a distant dot connected in my head. In 1997, we led the Series A and I joined the board of a company called Cognigine that built Network Processors for deep packet inspection at fiber line speeds. It was state-of-the-art with a pipelined VLIW (variable length instruction word) processor. In short, it used dedicated silicon to inspect the content of internet packets coming from OC-192 fiber as fast as the routing decision itself, so it would introduce no detectable lag in throughput. We struggled to find a market for this technology that could do so much, but our minds were constrained to commercial applications.

    Cognigine architecture

    So, the company pared back, and looked for a buyer. It finally found one, and ten years ago, sold itself to Huawei.

    Fellow investor Matt Ocko circled back a couple years later with an update from China — our fledgling technology was being used extensively in Huawei routers, at a pace of over $100 million a year (calculated as the unit volume * chip price when it was independent; perhaps Matt can recall the specifics).

    I still have one of the Cognigine chips. So NSA – if you want to do an inspection of the inspector’s architecture, just call my cell, and I’ll happily trade it for a drone or something cool. =)

    Another strange memory, as I searched my archives on Cognigine: I found the flickr post on my first trip to Huawei’s R&D center in 2005. They had row after row of product displays of networking equipment, from fiber optic to cable TV to cellular, and it was overwhelming. For each segment, they had a market share pie chart where they were the largest segment. Cisco was not listed on the graph. Instead, for many of them, the grey “Other” category was huge, sometimes making up the majority of the pie chart.

    But they also had a map showing the countries around the planet where they were the dominant supplier of networking equipment — Africa and the Middle East, and, and then it struck me, most of the “Axis of Evil” countries as they were called at the time. I just assumed this was market segmentation at work, that Huawei could make the biggest inroads in places where Cisco would not or could not focus their sales efforts. Reading the British report on the long-game of Chinese cyber-warfare, I have to wonder:

  12. [http://www.flickr.com/photos/stephenbove] – good post, however it’s a mind-boggling 2 petabytes per HOUR not per day according to Steve above. Reminds me of the Way-Back Machine project. However, as of Oct. 2012, the WayBack Machine had only amassed 10 petabytes over many years (5 hours worth of NSA data collection).

    Steve – Yesterday Peter Neumann (SRI researcher) presented to our VPE group. He is leading the Darpa funded CRASH project with the goal of designing computer systems that are:
    – highly resistant to cyber-attack
    – can adapt after a successful attack to continue rendering useful services
    – learn from previous attacks how to guard against and cope with future attacks, and
    – can repair themselves after attacks
    Here is also a link to a recent NYTimes article on Peter and his work, as well as his discussions with Einstein on the subject of complexity.
    http://www.nytimes.com/2012/10/30/science/rethinking-the-compute...

    Wikipedia also credits Peter with coining the Unics acronym which evolved into Unix. Having worked with NSA since the early 70s and testified to Congress on multiple occasions on the topic of Cyber Security I asked him for his opinion on this post and he provided the following perspective:

    "Two comments.
    1. It’s a fine example of oversimplification.
    2. A picture is often worth a thousand words,
    but each viewer may come up with completely
    different words with different meanings.

    But I like it as an introduction to a complex discussion,
    especially in applying it to topics such as surveillance,
    electronic voting machines, control systems, and so on."

  13. [http://www.flickr.com/photos/15752486@N07] Thanks for pointing out my error in quoting SJ on the 2 petabytes per hour (not day) 😉 I read that correctly but quoted incorrectly…such a huge number. Corrected above.

  14. and sure enough… now from the WSJ:
    White House Expands Use of Cyber Weapons but Stays Secretive on Policies.
    Congress remains largely in the dark

    "Past presidential administrations have been accused of being overly secretive about their use of offensive cyber capabilities, and even some former intelligence officials have criticized what they have described as overly zealous efforts to keep information classified.

    “In no other domain of warfare has an administration prevented congressional review of the guiding policy documents regarding the employment of military capabilities,” said Rep. Jim Langevin (D., R.I.), who serves on the House Armed Services Committee and led bipartisan efforts to pressure the administration to furnish the cybersecurity memo."
