

The United States is completely unprepared to fight a cyberwar - tptacek
http://www.slate.com/id/2252391/

======
heresy
I hardly think this problem is unique to the US, media just talks about it
more openly.

Despite their "cyber-war" offensive units, I venture that the Chinese are just
as vulnerable, if not more so.

At least the military culture in the US allows admission of shortcoming and
failure.

Try talking about the weakness of Russia or China against "cyber" attacks in
those countries and see how long it is that you get to remain alive and out of
jail.

And while I think the US may be initially surprised by the enemy capability
were a "cyber" blitzkrieg to eventuate, I think the experience the US has with
conducting war and the adaptability of US forces would far outweigh the
advantages of initial surprise.

US wars since WWII are no indication of US behavior in an engagement where it
matters. Not that Vietnam, Korea, Iraq, Afghanistan, etc did not matter to the
people who lived there, far from it.

But they were not really wars where the US felt its very survival under
threat, or really had much skin in the game. Things are different in such a
war.

~~~
hga
Agreed on all your points.

Traditionally the US military, especially the Army, has started out the
greenest and learned the fastest. The tragedy of Vietnam is that the learning
part was short-circuited.

In the case of a "cyberwar", or more likely it being part of a greater action,
say "The Battle of the Taiwan Straits" or whatever, things would be messy but
it's silly to say that we're either 100% unprepared _or_ sitting ducks.

As for "skin in the game", one analysis I like is that the intensity of the
nation's commitment to a war goes like this, based on the three cultural
groups that matter in this area:

The Jacksonians are always ready and willing to fight.

Next are the New England Moralists.

And if the Midwestern Pragmatists decide that fighting the enemy is better
than continuing to do business with him, well, it's all over (for the enemy).

You can find at least one good essay out there discussing this.

~~~
tptacek
Regarding whether or not we're sitting ducks: support that argument with
evidence. In opposition to your argument, I supply this assertion: our
commercial and industrial IT infrastructure is riddled with horrible
vulnerabilities. Virtually no penetration test against any entity running
critical infrastructure fails.

~~~
hga
Well ... how about "not all of the country's targets are sitting ducks"? There
has been a variety of hardening, in part due to the many attacks that have
already been made by a variety of actors.

Part of it is that the defense will be active and I have some faith in our
ability to respond to and recover from attacks.

But what you're saying and most especially implying could well be true, but we
won't really know unless and until we're seriously attacked.

I do say that we won't start to get serious about this sort of thing only
after a particular software bug or vulnerability kills thousands of Americans.

~~~
tptacek
I just don't know what you're trying to get at here. Are there "targets" that
are adequately defended? I'm sure. I have no insight, for instance, into
theater military communications. Actually, I have very little insight into DoD
or the agencies at all.

What I have a fair bit of insight into is the industrial and commercial
infrastructure which this article about Clarke is talking about. When Clarke
suggests that a foreign actor could cause targeted blackouts, he's simply not
wrong. If you want to allude to defenses, I'm going to have to ask you to be
specific, because I don't know what you're talking about. Shutting the whole
Internet off might not totally remediate the threat.

~~~
hga
By defenses I mean people like you and me fixing things, in a less violent way
than shutting off the whole Internet.

Ad hoc, on the fly ... hard if your part of the grid isn't up ... I'm just
saying that in a timetable measured in hours to days the defenses against such
an attack won't be entirely static.

~~~
tptacek
It often takes _months_ to deploy fixes _inside of enterprises_ for _known
problems_. The idea that we're going to be crazy ninjas dealing with
nationally distributed attacks using vectors most people haven't even thought
of yet strikes me as deeply unrealistic.

~~~
hga
But we as humans work at at least two clock speeds, normal as above and
"wartime" literally and figuratively. The Yorktown was repaired in record time
after Coral Sea and was available for Midway. I've heard a story about a Bell
System machine room fire that zapped a bunch of PDP-11s that did ... 411
service? Something important. Anyway, DEC's initial estimate was vastly
exceeded in a Maximum Effort that got the system replaced in a short period of
time.

Now, we'd need some software examples to really support this, it scales very
differently than the hardware repairs that I cited above. I can't think of any
off hand ... was the Patriot clock drift problem "solved" by frequent enough
rebooting?

Anyway, my point is that the months problem you refer to is happening in
situations that are not existential, right? I don't think you can be confident
we'll be as slow when the stakes get _really_ high.

~~~
tptacek
I think we've hit the point where, to conclusively disprove any of the (no
offense) handwaving you're doing, I'd have to break confidences.

If you ask around your social circle for someone who's done SCADA work, you
may find someone who can enlighten you with specifics.

------
wmeredith
I'd be interested in seeing what the 'militia' response was. True cyber war to
break out. I'd imagine that Google, for one, would do some interesting things
in response to a US cyber attack.

------
mkramlich
We are probably _somewhat_ prepared to fight a cyberwar. Saying we are
completely unprepared sounds like hyperbole.

~~~
tptacek
We're completely unprepared to defend ourselves, but we're probably much
better at retaliating than this article implies.

~~~
PostOnce
I've been wondering about civilian involvement in cyberwarfare lately. I think
it's pretty likely that some regular citizens would love to throw some cheap
cyber-shots at a nation with whom we were at war. If we were to war with
China, for example, how many American amateurs and hobbyists would spend their
evenings trying to hack some part of the Chinese military infrastructure?

Another thing that pops into my head is people trying to organize, only to
have real-life enemy intelligence agents read the plans on a forum and thereby
develop countermeasures, and/or disrupt, sabotage, or steal what is developed
in order to use it against them.

Not to mention people tweeting troop movements, etc. :P

War might not be pretty, but it sure is fascinating.

------
pmb
Cyberwar? I still don't understand what that would be. Dueling TCP stacks?
Bluetooth snipers? DDOS?

The word gets used as if it's well defined, but I have never heard a non-
metaphorical description. "A war fought in cyberspace"? That means nothing. "A
shootout on the info superhighway"? That means even less.

~~~
tptacek
It's a stupid name for the non-stupid concept of paralyzing the economy and
core productivity of first-world countries by shutting down power, comms, and
markets.

~~~
bediger
So, "cyberwar" can happen once (we fix stuff so the second time doesn't
happen), and the cyberwar has to happen all at once, with no preliminary
"skirmishes", and no warning "shots", otherwise, we fix stuff so it doesn't
happen again.

And yes, I've read about Titan Rain, Ghost Net, Operation Aurora, Coolswallow,
Giving Wings to the Tiger, The Dark Visitor, Estonia's "Web War One" and more.
All of this talk of "cyberwar" strikes me as merely a modern-day regurgitation
of Cold War Boogie Man Stories, like Missile Gaps, and Bomber Gaps, Bears in
the Forest, and Yellow Hordes, and stoic Spetsnaz supermen. The emergent
behavior seems to be lining up a successor magic funding word to "terrorism",
should bin Laden die.

~~~
tptacek
I have no idea what "Titan rain", or most of the rest of your second graf, is.
I only know how susceptible our commercial and industrial infrastructure is to
attack, because people pay me to find flaws in the software running it.

------
brown9-2
The Wired article on this book makes it sound completely absurd:
[http://www.wired.com/threatlevel/2010/04/cyberwar-richard-cl...](http://www.wired.com/threatlevel/2010/04/cyberwar-richard-clarke/)

Has anyone here read it yet and willing to add their own two cents?

~~~
tptacek
The Wired article and Clarke's book are wrong in completely opposite
directions, but the Wired article is more wrong than Clarke is. "Chinese
hackers" don't need secret backdoors; 15+ years of shoddy engineering have
created all the secret passages anyone could need.

The power grid, in particular, is _not_ a fantasy scenario.

~~~
qeorge
Good point. For example, the vector for the recent Google "hack" seems to have
been good old IE6:

[http://arstechnica.com/microsoft/news/2010/01/microsoft-want...](http://arstechnica.com/microsoft/news/2010/01/microsoft-wants-you-to-ditch-windows-xp-and-ie6-for-security.ars)

