A „Cool War“ is not cool
The term „Cyberwar“ carries a dark fascination. Most people think of it as „war lite“. You get all the benefits of a real war, but the casualties are limited to bits, bytes and maybe pixels. No one dies, only the targets get destroyed. This sounds too clean to be true. There is even an article called „Cool War“ that glorifies the concept of digital battles even further. The author suggests that a cool war could prevent a „real“ armed conflict by digital preemptive strikes.
The good news is that a preemptive cyber attack on the military command-and-control systems of two countries getting ready to fight a “real war” might give each side pause before going into the fight. In this instance, the hackers mounting such attacks should probably publicize their actions — perhaps even under U.N. auspices — lest the disputants think it was the enemy who had crippled their forces, deepening their mutual antagonism.
Another advantage in the eyes of the author are the detection, tracking and disruption capabilities of „cyber weapons“ in order to pursue the „tracking of transnational criminal and terrorist networks“. While this looks promising on first glance, this is an extension of „cyberwar“ into other domains. Paraphrased this statement means that cybercrime and digital insurgents could be fought by military-grade „cyberweapons“. In reality this isn’t as easy as it sounds. The idea seems to be influenced by the use of drones and digital threat analysis.
The Cool War Theory disregards the use of offensive security necessary to attack systems and to deploy „cyberweapons“. You have to breach defences or you cannot insert „cyber probes“ such as trojan horses. All detected software used for „cyberwar“ operations so far used vulnerabilities to get access to networks and systems. This basic mode of operation will not change. This means that maintaining offensive security capabilities relies on finding exploits and keeping them secret (the exploits are also called 0-day or 0-day attack, because they are unknown at the time they are deployed). There’s no big surprise, cybercrime relies on exploiting unpublished bugs, and this has been this way for ages. „Cyberwar“ activities have enlarged the market for these vulnerabilities and turned a part of the black market for these goods white. This is exactly the collateral damage for enterprises and organisations wishing to secure their infrastructure and safeguard their digital assets we have been writing about in a past blog article. Keeping critical bugs in soft- and hardware secret is dangerous for businesses. Bruce Schneier also argues that the new market may give software developers the motivation to deliberately include weaknesses in software. Hide bugs, push the application to production level and sell the weaknesses. The risk may be even low since the information will be kept secret to include them into „cyberweapons“.
We believe that a „Cool War“ is anything but cool. Preparing for a „Cool War“ and maintaining the strike capabilities weakens your infrastructure on purpose – without you knowing about it. This is clearly a contradiction to security research and all efforts to improve the defence of „all things cyber“.