FW: [Dailydave] Myth: The US is more vulnerable to information warfare because it is more reliant on information technology

From the Daily Dave list

-----Original Message-----
Subject: [Dailydave] Myth: The US is more vulnerable to information
warfare because it is more reliant on information technology

http://video.zdnet.com/CIOSessions/?p=165

If you listen to Colonel John Hayes in the above interview, he says that
oddly enough, they found that one of the most important applications they
implemented for mission support was “Text Chat”. He also noted that although
he spent a lot of money building up wireless, people aren’t using it. That’s
probably because wireless never works.
Ever sat next to the door in your hotel because that’s the only place you
could get connectivity? Anyways, back to the main point: busting a myth.

Myth: The US is more vulnerable to information warfare because it is more
reliant on information technology. Some people like to say the US is
“uniquely vulnerable”. I hear this all the time from various weblogs and
every time I hear it I wonder why people keep repeating it.

For background, the IATAC has this to say:
"""
The United States is vulnerable to Information Warfare attacks because our
economic, social, military, and commercial infrastructures demand timely and
accurate as well as reliable information services. This vulnerability is
complicated by the dependence of our DoD information systems on commercial
or proprietary networks which are readily accessed by both users and
adversaries. The identification of the critical paths and key
vulnerabilities within the information infrastructure is an enormous task.
Recent advances in information technology have made information systems
easier to use, less expensive, and more available to a wide spectrum of
potential adversaries.

The security of our nation depends on the survivability, authenticity, and
continuity of DoD information systems. These systems are vulnerable to
external attacks, due in part to the necessary dependence on commercial
systems and the increased use of the Internet. The survivability,
authenticity, and continuity of DoD information systems is of supreme
importance to the Warfighter.
"""

My intuition strongly disagrees with the idea that the US is specially
vulnerable. So with that in mind, let’s go through a little exercise in
iconoclasty.

Counter arguments:
1. Hacking has an economy of scale.
2. The US is a hard system to model.
3. Complexity breeds resilience.
4. Technology is adopted quickly in the US, making it a fast-moving target.
5. Having a “target rich environment” overwhelms an attacker’s analytical
capability.
6. Everyone repeats this Myth yet no one has any data to back it up.

Some details:

1. Hacking has an economy of scale. 10 hackers working together are more
productive than 10*1 hacker. Less advanced countries have easier technology
to hack – NT 4.0 has unpatchable remote roots on it.
Management software is more easily used on modern stuff than old crusty
stuff. Technology rots, in other words. And rotted stuff is easy to break.
We all know very well how to write Windows 2000 heap overflows. Nico is just
getting Vista heap support into Immunity Debugger now.

Of course, you only get an economy of scale when all your hackers can talk
to each other. If Clay Shirky[1] was commissioned to tell you what kind of
tools you need to maintain compartmentalization while still getting that
kind of economy of scale the results would be quite interesting I think.
Someone at DARPA needs to do that.

2. The US is a hard system to model. Hacking is easiest when you can model
your target. Modeling a MIG is easier than modeling an F-22 because you can
purchase an old one on eBay and fit it up to act like whatever your target
looks like. Likewise with information systems that drive things you’d want
to target with IW attacks. Owning a Cray is hard. Why? Because you have to
own a Cray. MMM, vector’d shellcode. :>

3. Complexity breeds resilience. People say that hacking the United States
and causing damage is easier because more of what the US does is connected,
in many cases, to the Internet. However, it’s also more resilient – a SCADA
system in a country that is less dependent on network technology is harder
to reach initially, but you’re more likely to find a single point of failure
once you do reach it.

4. Technology is adopted quickly in the US, making it a fast-moving target.
Hacking is a continual treadmill. New techniques have to be invented
constantly to cope with changing technology. The US’s technology treadmill
is set on 10 with a 15 degree incline. Countries that change less will be
easier to hack. There’s a number X for any given system, network, or
organization where X is how fast things you’ve owned get updated and your
knowledge about them, exploits, and trojans become worthless. [2]

5. Having a “target rich environment” overwhelms an attacker’s analytical
capability. Even understanding one branch of the US military’s IT
infrastructure is too large a project for even the most well funded non-US
attacker.

6. Everyone repeats this Myth yet no one has any data to back it up.
This isn’t a “classification” problem necessarily. Very few people have
experience hacking at all, let alone on a scale that would afford them the
ability to make generalizations like this.

_________________________________________________________

[1] Clay Shirky is the person you read when you want to know how people
react to social software. He can be found here.
http://many.corante.com/archives/authors/Clay.php

[2] This number X is something I was looking for in John Arquilla’s
Networks and Netwars. Although the book started off really well, it veered
far from anything to do with hacking. Maybe one of his other books has
something on it.
http://www.amazon.com/Networks-Netwars-Future-Terror-Militancy/dp/0833030302
(I don’t necessarily recommend it unless you are very interested in the
Zapatistas).