Wednesday, 1 June 2011

Militarising the internet

There's been some interesting coverage over the last day or so about the emergence of the Pentagon's "cyber strategy", trying to bring cyber attacks in line with traditional kinetic attacks. This was a pretty inevitable move, considering that the word "cyber" has been bandied about to an almost ridiculous degree in the last few years, but what does it mean?

The most interesting part is that cyber attacks will now be ranked up there with physical attacks, meaning that if you (as a nation state) do some nastiness that impacts upon American infrastructure (e.g. you shut down a power station, aka Stuxnet), you can expect a cruise missile to be visiting you very soon.

The Pentagon is also reportedly producing a list of "cyber weapons" so they can fit these tools into their force architecture. Here's what a senior military source had to say:
“So whether it’s a tank, an M-16 or a computer virus, it’s going to follow the same rules so that we can understand how to employ it, when you can use it, when you can’t, what you can and can’t use,”
This is actually a useful concept, as it codifies when certain tools can be used and who needs to sign off on their use. For the first time meaning that there is an actual structure as to how state based cyber war is carried out.

But therein lies the problem. State based cyber war is already an archaic idea. During the Russia-Georgia conflict in 2008 there was a concerted cyber attack on Georgian websites in order to disrupt information flow. This was of course extremely useful to the Russian state, but it doesnt appear that they in fact ordered it, at least not in the conventional way. Instead nationalist Russian hackers chose to do it themselves.

Its less clear if this is true of the major Chinese hacking organisations. These may be more directly aligned with the state itself, but even that is only a possibility, not a certainty. Certainly the groups appear to operate in ways friendly to the state, but its very hard to make the direct link between that an actual state direction.

The issue is that "cyber" is just too damn easy. The tools are literally anywhere, and can be accessed by anyone. They arent even that hard to use. Take a look, for example, at Backtrack, an entire operating system which exists to facilitate "penetration testing". Its based on Linux, so its relatively easy to use, has a graphical interface, and requires only time to learn how to use it.

Now, that doesnt mean you're going to be a mafiosa cybercriminal if you download this software, but it does show how easy it is to get onto the bottom rung. It only takes tenacity and an inquiring mind to take it to the next level.

The difficulty of trying to militarise and protect the internet is analogous with the difficulties of militarising space. Its actually really easy to do, but you'll screw yourself if you try. If you wanted to deny your enemy access to space (at least to a meaningful degree) you can do it, throw a couple of hundred tons of gravel into orbit and its done. Unfortunately you now can't use space either, so thats a bugger.

The same goes for the internet. You can put up as many walls as you like, but in the end you will do yourself just as much harm as you do your enemy. Consider the upcoming attempts in America to "civilise" the internet using the PROTECTIP act. This tool will fundamentally undermine the architecture of the internet itself, and according to pretty much everyone who knows what they're talking about, it won't work. And thats just civilians.

There is also a fundamental misunderstanding about the tools of cyberwar. They are not weapons, but they can be used as weapons. Less than a decade ago, in the wake of 9/11 the US started banging the drum (again) claiming that encryption was being used as a weapon and as such should be banned from civilian use. This would have severely undermined an unbelievably large number of civilian applications, whilst "bad guys" would just have gone on using encryption tools.

In this new world, where "cyber" is the new cool, its increasingly important to ensure that the internet itself is not militarised and that the desires of those who understand the least, but fear the most, are not brought to the fore. There needs to be a real debate not just on the threat, but on how we can best fit the response into a coherent strategic narrative. Dealing with the distributed threat of cyber attacks requires more than a list of the threats and vague claims that they will be treated the same way as weapons of war.