James Lewis: “Non-state actors do not have the capabilities to launch a serious cyber attack”
Written by Jeffreycarr, Monday, 26 October 2009 06:34. Last updated Monday, 26 October 2009 06:34.
James Lewis, a senior fellow at the Center for Strategic and International Studies, has just published a paper, of which he appears to be the sole author, entitled “The Korean Cyber Attacks and their Implications for Cyber Conflict”. Actually, it’s less a paper than an opinion piece.
There are so many things wrong with this paper that I hardly know where to start. For some reason he named it after the Korean DDoS attacks of last summer but spends hardly any time on that incident. Instead he moves around from cyber terrorists to non-state actors to State-protected cyber criminals to identifying the six nations that he thinks have advanced cyber warfare capabilities (only six?). It’s more like a casual conversation with a well-educated neighbor about current events.
Nevertheless, I’m wondering about the following specific claims:
1. The Six Nations:
Only a few nations – Russia, China, Israel, France, the United States, and the United Kingdom, and perhaps a small number of the most sophisticated cyber criminals – have the advanced capabilities needed to launch a cyber attack that could do serious and long-term damage equivalent to sabotage or bombing and thus rise to the level of an act of war.
There are many nations developing a cyber component for their military. Why did James Lewis pick these six? Did he do a survey? No. How did he measure relative capabilities? He doesn’t say. Why did he leave out Germany and North Korea? North Korea in particular, since he named the paper after attacks that were wrongly attributed to the DPRK. What about Taiwan, Singapore, Malaysia, India, and Pakistan? Why rule them out?
More importantly, this statement assumes that only a nation-state can launch a cyber attack that would cause sufficient harm to merit an armed response, but on what basis is that claim made? A multi-million-node botnet like Conficker or Zeus can lock up an entire Western nation’s networks. There are multiple examples of successful hacks penetrating the power grid, not just in the U.S. but in other nations as well.
2. Non-state actors lack the capabilities to do harm:
A sophisticated attack against infrastructure requires planning, reconnaissance, resources and skills that are currently available only to these advanced cyber attackers. Such attacks are not yet within the scope of capabilities possessed by most non-state hackers.
The only rationale Lewis offers for this opinion is that because it hasn’t happened yet, the capability must not exist. For that inference to hold, Lewis would have to list and refute every other scenario that might account for his observation.
Here are just a few possibilities that spring to mind:
- You don’t know that “it” hasn’t happened yet, because cyber attacks against critical infrastructure (for example) are not reported with any reliability, and successful penetrations based on 0-days may not be known about at all.
- Non-state actors (NA) are using a guerrilla strategy that purposefully avoids direct confrontation, opting instead for multiple small engagements that will eventually have a major impact.
- NA are raiding U.S. financial institutions and exacting their revenge that way.
- NA have tried to attack and failed, have learned from it, and are modifying their approach accordingly.
- They have attacked and succeeded, but did not claim credit, preferring to keep the exploit path secret and thus allowing them to repeat their attacks indefinitely.
3. The all-seeing eye of the Kremlin
The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept. A hacker who turned his sights from Tallinn to the Kremlin would have only hours before his service was cut off, his door was smashed down and his computer confiscated.
Is the Kremlin collecting everything published on Runet? Yes. Does it successfully filter it all? Absolutely not. The Kremlin has serious problems with its own citizens who are members of opposition parties and who deliberately hack into Russian government web sites, exposing confidential information on Runet or selling it for a profit. The CSIS librarian should contact me for a subscription to IntelFusion FLASH Traffic. We spend a lot of time on Runet identifying just those issues (and the opportunities they pose for the US Intelligence Community).
Finally, the point of view expressed in this paper is, in my opinion, precisely why cyber security is slipping further and further down the priority ladder in Congress and the White House. To put it simply, it is a DC insider’s perspective instead of a Silicon Valley perspective. No one from “Langley West”* would ever have written such a piece.
—-
* Langley West is a term that I used last August in an email exchange with one of Palantir’s forward-deployed engineers. It refers to the growing number of technology startups based along the West Coast that provide services to the IC. A few examples are Palantir, Kapow, GreyLogic, Visible Technologies, Social Kinetics, and more.
Jeff,
Your specific criticisms are well-founded but at the end of your piece you write the following:
Finally, the point of view expressed in this paper is, in my opinion, precisely why cyber security is slipping further and further down the priority ladder in Congress and the White House.
Is it? The final paragraph of the CSIS report would seem to agree with the general thrust of your statement:
The implications for the United States are troubling. We have, at best, a few years to get our defenses in order, to build robustness and resiliency into networks and critical infrastructure, and to modernize our laws to allow for adequate security. Our current defenses are inadequate to repel the attacks of a sophisticated opponent. The United States will need to define doctrine for the use of the cyber attack as a tool of national power. It would benefit from an effort to reshape the international environment for cyber conflict in ways that could reduce risk, to win consensus (as we did with proliferation) on a set of norms and constraints for cyber conflict and on the relations of states with criminals and terrorists. Frankly, many colleagues do not believe we as a nation will be able to do this and only a successful major attack will spur the United States to make the needed changes.
Why is this point of view so abhorrent to you?
Tim,
Without responding for Jeff, here is a post that I gave in response to this article on the CWFI. I think it explains why a lot of people were not happy with the tone of the article. James Lewis is a very knowledgeable observer of the US cyber scene, but in an attempt to get the present “tone” correct he seems (perhaps unjustly) to pander to the “apologist”.
(post follows)
While Lewis’s argument that terrorists tend to use all the instruments at hand is a valid one, the idea that there has “not been a serious cyberattack to date” is getting slightly tedious.
If I read another post stating that the Estonian or Georgian attacks were “irrelevant nuisances”, I might contact Gartner and ask them for their rights to the Hype Cycle, as everyone else seems to use it.
While these attacks did not result in much 1st-order physical damage (a melted server, if I remember correctly), the 2nd-order damage was immense: don’t forget, Estonian government communications were in part reduced to radio for a number of days, many banks could not authorize withdrawals or approve transactions, and one major Scandinavian bank was theoretically bankrupt as it was not able to access or even monitor a large chunk of its capital. Can you imagine what the 3rd-order damages were? Well, people can’t, apparently.
The Swiss use “Damage to Reputation” as one of their main criteria in an Information Assurance threat matrix; at least they seem to understand how damaging even a stupid website outage looks.
Tim, sorry for the long delay in responding. I didn’t mean to suggest that I found nothing of value in Lewis’s article. I agree with the quote you pulled, for instance. I just found the other issues so distracting that they are the ones I commented on.
Alex, I completely agree with your comments on Estonia. I hate it every time someone attempts to minimize the impact of the 2007 attack in particular.
@Alex,
Your reference to the Hype Cycle is a really interesting one but I wonder at what stage we might be as regards both the commission of attacks and responses to them. I suspect they don’t map to one another.
Estonia was significant. No question. If it had happened in one of our countries, the government would be called to account very swiftly, and almost certainly would be found lacking. There are few people who would deny that, and I’m certainly not one of them. I wonder though, whose responsibility it is to minimise ‘Damage to Reputation’? Industry and government disagree as to who should secure elements of infrastructure, and who should respond to attacks, and you know these debates as well as anyone.
It is a category error for anyone (not you) to suggest that Lewis is pandering to the apologist. Simply untrue. Lewis’ assertions may be incorrect in many people’s eyes (and I also wrote that I don’t agree with much of what he says) but I do not think he is suggesting taking the foot off the gas, or allowing NSAs free rein or impunity. That would be the realm of the wrong-headed. An apologist would go further, of course.
@Jeff,
I agree with your post, generally, and Lewis does make a rather clumsy point about NSAs. I think it is valid to raise his point about the capability of NSAs, but I would add ‘intent’ to that. No-one can seriously dispute that the threat environment is pretty serious (though, as you say, reporting is scant at best), but the question we have to ask about terrorism is why such attacks have yet to succeed, if indeed they have occurred?
I took Lewis’ article to be a plea for action, actually, and he warns – in the section I quoted – that inaction is not acceptable. Not the words of a man suggesting everything’s A-OK. I do think he miscalculates some of his statements, and you rightly criticise those.
It’s worth mentioning that a lot of the reporting of the report obscures some of the subtlety of Lewis’ ideas. It’s a complex world out there …