This Comedy Writes its Own Sequel as Tragedy

By Jon Lindsay

Sony has just announced that it will not go ahead with its planned release of “The Interview” following a spate of major breaches and threats over the past three weeks: http://money.cnn.com/2014/12/17/media/the-interview-sony-theater-owners/index.html. Circumstantial signs point to DPRK but there is no smoking gun yet. While there have been numerous instances of cyber coercion on a small scale (such as ransomware against individual users, or blackmail against marginal players), and cyber used to support a broader coercive effort (e.g., Stuxnet), this seems notable to me as the first major and successful use of cyber to alter the behavior of an actor in a very public way.

This has been a bizarre and surreal story, and I guess it will continue to get stranger. The initial breach prompted Sony to alter the movie, resulting in this weird series of emails: http://defamer.gawker.com/leaked-watch-the-kim-jong-un-death-scene-sony-is-terri-1671454669. Then Sony backed off from releasing the film in Asia and theaters in North America backed off from showing it in the US.

Two points pop out to me: (1) that this is—probably—a nation state attacker against a nonstate victim, which both inverts the conventional wisdom of how cyber attacks should play out (i.e., nonstate hackers vs. nation states) and exploits some considerable deterrent ambiguity regarding how and whether a state should protect its firms; and (2) this threat is made credible by promising actions beyond the cyber domain, notably attacks on movie theatres or other unspecified but rhetorically embellished acts of terrorism.

Instability-Stability Paradox and Cyber Attack on Gaming Firm

By Jon Lindsay

A new and notable cyber attack, allegedly from Iran and targeting an American gaming firm for disruption rather than exploitation, is being reported in the media: http://www.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas. This is interesting for deterrence theorists along a number of dimensions: (1) it appears to be a use of cyber to inflict punishment for the political position of the firm’s CEO; (2) the attackers appear to be seeking out and staying below the threshold which would invite retaliatory punishment; (3) they are aided in doing so by a victim striving to keep the attack secret to protect its reputation; and (4) all of this involves (allegedly) foreign targeting of a US non-state actor (a firm) as a way of increasing the ambiguity of the attack, so as to avoid retaliatory punishment while administering the first coercive punishment.

One passage speaks directly to the stability-instability logic of CDD we have been discussing for a while: “Experts worry that America’s rivals may have found the sweet spot of cyberwar—strikes that are serious enough to wound American companies but below the threshold that would trigger a forceful government response. More remarkable still, Sands has managed to keep the full extent of the hack secret for 10 months.”

Cyber Attack: N=2?

By Jon Lindsay

There are a number of interesting things in this report of a (probably Russian) cyber attack on an oil pipeline in Turkey in 2008, more than two years before Stuxnet became public: http://www.bloomberg.com/news/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar.html.

The use of surveillance cameras as a point of entry to attack the very system they were supposed to be defending is particularly rich. The attackers also suppressed alarms of malfunction in the pipeline from reaching the control room, a trick also employed by Stuxnet among others (https://www.youtube.com/watch?v=KYAbFqkvzQA). The same information technology which is supposed to improve visibility of a system also makes the overall system more complex: this both creates vulnerabilities attackers can exploit AND creates intel and planning challenges for an attacker. Notably, this does not look like a trivial or amateurish operation. (Although, men skulking about with laptops in military uniforms? Surely a better disguise was possible?).

Whether this is the first cyber attack or not is a matter of definition. Some people cite Thomas Reed’s story of a 1982 sabotage of a pipeline in Russia—a CIA CI op against the KGB Line X industrial espionage program—but there are reasons to be skeptical about this event (no corroborating witness of this supposedly monumental explosion). I have described Stuxnet as the only publicly-known instance of cyber attack used to cause physical damage across international borders. I was hedging against the possibility of one or more unknown attacks, like this one. Surely there must be others. (You could also quibble that attacks that have bricked or locked up machines count as physical damage even before Stuxnet). Other news reports cite US military sources as having used cyber attack on the battlefield on a small scale, but there are no further details.

I haven’t been through it in depth, but this case appears to reinforce conclusions that I and others have drawn from the Stuxnet case:

– Essentially, cyber attack is a form of covert action. It depends on deception and subversion, which is scary and hard to detect and may go undetected for years, but by the same token is self-limiting. If compromise is fatal to an operation then operators have to show restraint in their objectives and take extra precautions in their planning. Deception abounds in this case but it seems to have had little meaningful political effect because the targets could just blame the usual nuisance factors like the PKK or malfunction. If a cyberwar happens in the forest but nobody hears…

– Sophisticated attack is a nation-state game. It takes planning, pre-attack surveillance, and supporting operational infrastructure. This attack had a lot of moving parts, and the attackers knew a lot about POL control systems and the security systems protecting them.

– Critically, adjunct support often involves human operations. Stuxnet probably needed the Mossad’s HUMINT networks to deliver the virus, or at least an unwitting contractor mule. This attack also seems to have required SOF to inject code into local controllers.

– Stories like this dramatize the exotic art of the possible—which drives the cyber threat debate—but they also highlight how tenuous the theory of influence is in cyber attack. A lot of that tenuousness is a function of the reliance on deception, not so great for credible signaling (but maybe great for the reassurance of an ally in on the deception, which may have been as or more important in the Stuxnet case than slowing down the Iranians).

– To the extent cyber is useful, it is usually in conjunction with something else: diplomacy and covert action and threats of air strikes with Stuxnet, and maybe with the 2008 Georgian invasion here, although the linkage is unclear, to put it lightly.

The other question this raises is why are we only finding out about this now? Sounds like US intel and various international “investigators” have known some details for a while. I suppose that it’s nice to be reminded that Russia has been playing with Little Green Men for a while and that US intel agencies are doing more than just torturing some folks.