Thursday, April 03, 2008

The Cyber Storm II Cyber Exercise

I first blogged about the "Cyber Storm" Cyber Exercise aiming to evaluate the preparedness for cyber attacks of several governments two years ago, and pointed out that :

"Frontal attacks could rarely occur, as cyberterrorism by itself wouldn't need to interact with the critical infrastructure, it would abuse it, use it as platform. However, building confidence within the departments involved is as important as making them actually communicate with each other."

And while I'm still sticking to this statement, a year later I also pointed out that :

"In a nation2nation cyber warfare scenario, the country that's relying on and empowering its citizens with cyber warfare or CYBERINT capabilities, will win over the country that's dedicating special units for both defensive and offensive activities, something China's that's been copying attitude from the U.S military thinkers, is already envisioning."

Morever, Taiwan, too, copycating the U.S, performed a cyber warfare exercise codenamed "Hankuang No. 22" (Han Glory) in 2006 as well, fearing cyber warfare attacks from China.

The new "Cyber Storm" Cyber Exercise, is particularly interesting, especially the initiative to measure the response time to an OPSEC violation in the form of sensitive information leaking on blogs. A very ambitious initiative, given the many other distribution channels, which when combined in a timely manner make it virtually impossible to shut down and censor, the leaked material. What if it gets spammed? Moreover, what's a leak to some, is transparency into the process for others. Cyber Storm II is already a fact whatsoever :

"At a cost of roughly $6.2 million, Cyber Storm II has been nearly 18 months in the planning, with representatives from across the government and technology industry devising attack scenarios aimed at testing specific areas of weakness in their respective disaster recovery and response plans. 'The exercises really are designed to push the envelope and take your failover and backup plans and shred them to pieces,' said Carl Banzhof, chief technology evangelist at McAfee and a cyber warrior in the 2006 exercise. Cyber Storm planners say they intend to throw a simulated Internet outage into this year's exercise, but beyond that they are holding their war game playbooks close to the vest."

The main issue with this type of cyber exercises is that starting with wrong assumptions undermines a great deal of the developments that would follow. Cyber warfare is just an extension of the much broader information warfare as a concept, namely, Lawfare, Econonomic Warfare, PSYOPS, to ultimately end up in an unrestricted warfare stage. Subverting the enemy without fighting with him, that's what offensive cyber warfare is all about, even if you take people's information warfare concept as an example. It's a government tolerated/sponsored activity, whereas the government itself is suverting the enemy without fighting him, but forwarding the process to their collectivism minded citizens. The strong lose, since the adversary is abusing the most unprotected engagement point, thereby underminig the investments made into securing the most visible touch points. A couple of key points to consider in respect to the cyber exercise modelling weakness :

- White hats pretending to be black hats simply doesn't work
- Frontal attack against critical infrastructure is pointless, insiders are always there to "take care"
- Passive cyber warfare such as gathering OSINT and conducting espionage through botnets
- Cyber warfare tensions engineering through the use of stepping stones
- Stolen and manipulated data is more valuable than destroyed data
- Lack of pragmatic blackhat mentality scenario building intelligence capabilities
- Unrestricted Warfare must be first understood as a concept, than anticipated as the real threat

From a strategic perspective, securing and fortifying what you have control of is exactly what the bad guys would simply bypass in their attack process, among the first rules of unrestricted warfare is that there're no rules with the idea to emphasize on the adaptation and going a step beyond the adversary's defense systems in place.