Shostack + Friends Blog Archive


Information Warfare

As long as I have been lecturing on security I have used the “Threat Hierarchy” that lists threats in ascending order of seriousness. It goes like this:
1. Exploratory hacking
2. Vandalism
3. Hactivism
4. Cyber crime
5. Information Warfare
It turns out that this hierarchy is also a predictive time line. Obviously we are well in to the era of cyber crime- have been for about two years.
But what about information warfare? When are we going to see that? Well folks, we are engaged in Information Warfare. Alan Sipress’ article in the Washington Post today is a must read. It details the ongoing attacks against the Commerce Department bureau in charge of licencing exporters to China. The attacks emanate from China. Put these recent attacks together with the “industrial scale” attacks of Titan Rain, and the targeted attacks against Sandia Labs, and you have what looks like information warfare to me.
My contention: China has been waging war with the United States and other western countries for years. The first shot fired was in May of 2001 during the so-called “hacker war” between the US and China that culminated in the release of Code Red, the IIS targeting worm that dibilitated thousands of servers in the US.
This is a very one sided war. The US has lost *all* of the battles with hardly a retaliatory shot fired. Government facilities are very poorly prepared to fight this war and the private sector cannot expect any protection whatsoever. My advise is to look to your own defense. As you invest in security think beyond viruses, worms, and Russian identity thieves. Think about massive state sponsored attacks targeting your information, your infrastructure and your people.

18 comments on "Information Warfare"

  • But what do you do when your #1 supplier of laptops is a Chinese company, and all of our suppliers build their systems there?

  • Tarandach says:

    I don’t know if it is proper in this taxonomy to point it out, but I’ll try anyways – in my view, episodes like the fauxtography on Reuters and the massive distortion of media channels seen in the latest round in Lebanon are no less Information Warfare than Code Red and all. Only that instead of targetting our infra-structure, these attacks aim at our hearts&minds – with the obvious consequences.
    Interestingly, in this context too the US and allies have not been able to win or even “retaliate”.

  • David Brodbeck says:

    I think it’s assuming a bit too much to conclude we’re not “winning.” Any actions like this taken by the U.S. would likely be covert, so the general public wouldn’t be told about them until much later. We’ve apparently had some success in this area in the past; for example, this article claims that the U.S. intentionally supplied faulty software to the Soviet Union that caused a pipeline explosion:,39020381,39147917,00.htm
    One problem with this kind of action is it can damage export markets. If a country thinks we might engage in cyber-warfare against them, they’re going to be very reluctant to purchase computer equipment and software from us — it’d be like buying weapons systems from your enemy, in conventional warfare.

  • KB says:

    David is right, the nature of this type of conflict is such that we are not going to be aware of information warfare, even if it was in the context of a real conventional war. Bletchley Park was conducting information warfare, and its existence wasn’t declassified for decades after WWII.
    And insofar as information warfare does happen (if indeed it does), it is going to be indistiguishable from cyber-crime and hactivism. How can we tell that hack attacks originating from China are actually state-sponsored aggression, as opposed to sophisticated criminals and/or jingoistic hactivists? The targets alone don’t tell us that. Sure, they may be going after sites with military significance, but there are thousands of kiddies in the US that would love to break into NIPRnet or Sandia. The only difference is kiddies in China are a lot more likely to get away with it, so they are more likely to be trying.
    I, for one, have no doubt that all major western government have trained cyberwarfare teams, who to some extent are investigating both domestic and foreign information infrastructures for weaknesses. Of course they do; the need for them is as obvious as the need for air forces was in the ’20s and ’30s. Equally obvious is that their existence and all their activity would be highly classified.
    Personally, I strongly suspect ‘information warfare’ is currently limited to espionage activities. China and the west are playing the same old Cold War games, trying to get strategic advantage for both military and economic reasons. China probably has a greater focus on industrial espionage, given their economic position, as stealing trade secrets from western companies can both speed their development and make them more competitive in the global market.

  • Gunnar says:

    “I was as distressed as anyone about the reports of alleged Chinese
    stealing of U.S. nuclear secrets. That is intolerable. But at the
    same time, I couldn’t help but feel that there was something pathetic
    about what the Chinese were alleged to be doing. Because our biggest
    secret — the real source of our strength — is one that they can’t
    steal. It’s how we live.
    It’s our rules-based system of governance, where no person or company
    is above the law, which is at the core of the American way. When the
    Chinese photocopy that, then I will start to worry about them as
    competitors. But as long as they are just trying to steal our latest
    military secret, they should know that as soon as they steal it, our
    system will produce a new and better one.”
    -Thomas Friedman, 1999

  • Iang says:

    Gunnar, that’s a great quote. It looks like the Chinese went one better; last week they successfully slipped a faulty photocopier into the US Congress. You now live how they live.

  • Iang says:

    Richard, I’d have to echo the comments of others. The notion that the article you quote is anything but a one-sided piece aimed for domestic consumption and support of some particular position has to be treated with skepticism.
    What would be really surprising is if the US hasn’t been conducting so-called cyber war attacks on other countries for as long as they have existed.
    Although I think your conclusion is spot on. Ignore the government, look to your own defence.

  • Gunnar says:

    Ian – Concur. Here is another quote
    “When a government cannot protect its citizens, its last duty is to arm them.” Dan Geer
    Guess that’s why we have something resembling working crypto.

  • nick says:

    “Information warfare” is an oxymoron. There’s not a shred of personal injury involved, much less death, and there is no demonstrated need to depend on a state to defend against it, even if the attacks come from a state or other strong enemy. Even the mere economic damages caused by state-sponsored attacks in cyberspace have been and almost surely will be trivial compared to criminal threats like phishing, identity theft, and the like.
    The “war on drugs”, itself grossly misnamed, involves far more state sponsorship and collusion, personal injury and death, and damage to property than has occurred or plausibly could occur from “information warfare”. But that is no “war” either; it is a task to be performed by (some would argue) law enforcement, and (others would argue) personal responsibility. Using “war” in these contexts is grossly misleading, politically destructive, and just plain pathetic metaphor.
    I’m all for private companies having good network security, even against foreign states. With network security, unlike defense of territory, that kind of security against a much stronger opponent is possible.
    But stop abusing our language. The word “war” is not merely some toy for poets and propagandists to play with. It has real legal and political consequences. For one thing, it implies the opposite of Richard’s suggetion. It implies that one is forced to depend on an organized military for one’s security to such an extent that one is prepared to make a variety of sacrifices, including higher military expenditures, death and injury of soldiers and civilians, and all too often the violation of domestic civil liberties. Nothing resembling any such necessity has been demonstrated here.

  • Stiennon says:

    So, war must involve personal injury to be war? What about a “war of words”? Is that using the word as a toy? Don’t get on your high horse regarding semantics. Here are three dictionary meanings/uses of the word “war” that are separate from the “armed conflict” definition.
    1. active hostility or contention; conflict; contest: a war of words.
    2. aggressive business conflict, as through severe price cutting in the same industry or any other means of undermining competitors: a fare war among airlines; a trade war between nations.
    3. a struggle: a war for men’s minds; a war against poverty.
    I use Information Warfare in the sense of state sponsored attacks that result in the loss of information or functionality of an opposing country’s information infrastructure. The re-building and replacement of computers certainly falls within that definition for me.
    The “real legal” definition of “war” requires a declaration of war from Congress. The abuse of our language comes about from calling a war a “conflict” or some other syllogistic escape clause.
    I believe, based on published reports, that China is actively and systematically stealing critical industrial and military information from at least the US and UK. In the process they are breaking numerous laws. The question is: Is that an “act of war”? In other words, is it sufficiently belligerent to require diplomatic response, or retaliation? And if so, is the current administration doing less than they should to defend the United States against attack?

  • nick says:

    “I believe, based on published reports, that China is actively and systematically stealing critical industrial and military information from at least the US and UK. In the process they are breaking numerous laws.”
    There are already two perfectly good words for this: “espionage” and “spying.” It’s a good sign that a neologism is unecessary, and a sure sign that the writer is not very literate, when in descriptive prose he uses the neologism instead of a common word spot on to the meaning. Is the U.S. at war with all the nations of the world because our spy satellites are taking pictures of them all? Espionage, legal or otherwise, is a common peacetime activity. Although it can be a part of warfare it is neither itself warfare nor an act of war.
    As for the dictionary definitions you cite, such as “war of words” and “war against poverty”, they are metaphorical, and clearly so in context. Your definition of “information warfare” mixes illiterate metaphor with a smidgin of pertinence to actual war (a state is allegedly involved performing aggressive and possibly illegal acts — but does that make crossing the line when arresting suspects, imprisoning criminals, searching the houses of suspects, and so on, all “warfare”?) It’s a hopeless mush of confusion.

  • Stiennon says:

    I am OK with being labeled “not very literate”, but I take umbrage (or to use the exact words, I object) to being labeled “illiterate”. (And by the way, you could have said “exact” instead of “spot on”, a UK colloquialism).
    But pedantic banter aside.
    Since I spent more time in school studying partial differential equations than I did becoming “literate” I will have to call in other sources to defend me from the charge of abusing our language.
    And here is a title from the supposedly literate publishers at Oxford University Press: “Cyber Terrorism and Information Warfare Threats and Responses” by Michael Swetnam and Yonah Alexander
    If I am demonstrating illiteracy by using the term “information warfare” at least I am not alone. A search of Google books reveals 13,800 uses of the term in various books and conference proceedings.

  • Adam says:

    There are a lot of definitions of warfare, ranging from “the continuation of policy by other means” to “the use of organized force to compel another state actor to alter its policies.”

    I think the first may be broad enough to include the activities: China’s policy is to boost its economy, and the means are to steal information. But that’s not very satisfying. A war which goes on with no alteration of policy isn’t very warlike. Its more espionage.

    If China were stealing US assets in order to blackmail the country, or to force the US to kowtow on Korea policy, or otherwise had a goal which transcended economics, I think the term warfare might be called for.

    Richard, why do you think this goes beyond espionage?

  • stiennon says:

    Espionage, if defined as the gathering of secret information, is a good term for a lot of what China is doing. Because many sources say espionage involves going to the *place* that the information is stored we may need a new term, say cyber espionage to describe hacking into the source.
    These actions cross over into warfare as they get closer to purposefully doing harm. In the case being discussed here harm was certainly done because Commerce has had to replace hundreds of machines. But that was inadvertent on the part of the attackers.
    What I argue is that the government of China is systematically testing the defenses of US commercial and government sites. In other words they are not only gathering industrial and military information from their targets but they are gathering information about the defenses or lack thereof. I believe that the so called hacker war of May, 2001 was actually a demonstration of the weaknesses of US defenses. It was a skirmish that was won hands down by the Chinese government. I base this on the subsequent events, in particular Titan Rain as followed by Shawn Carpenter.,294698,sid14_gci1127062,00.html
    Peruse these clippings to get the big picture:
    When regular army units are employed in launching attacks against US servers I do not think it is hyperbole to call it information warfare as opposed to espionage.

  • Adam says:

    You get one URL per post before the spam filters kick in.

  • Adam says:

    I’m really skeptical of your claim that warfare is defined by the organizational position of the entity that engages in it.
    By counter-example, if the state department bombed China, would we call that diplomacy?

  • nick says:

    “…many sources say espionage involves going to the *place* that the information is stored”
    Don’t believe such blanket statements when there is so much well known usage to the contrary, especially for the other perfectly useful word, “spying.” Spy planes, spy satellites, radio eavesdropping, and other activities that don’t involve going to the place where information is stored have always been considered a kind of spying, and usually also a kind of espionage. Not to mention “surveillance” and the even more general blanket term “intelligence gathering”. None of these constitute of themselves either warfare or an act of war.
    “Titan Rain”
    The only confirmed act of spying in this story seems to be Carpenter’s unauthorized installation of “spyware” on the computers of the alleged “organized hacking operation.” (OMG, there’s “spy” again! And Carpenter didn’t go himself to the location of the information. Shouldn’t they call it “IW ware”?) The unsworn statements of one guy mad at the employer that fired him is not very credible evidence that Chinese state officials organized even online spying on the Internet against Sandia, much less any kind of “warfare.” Especially when even said bitter ex-employee doesn’t claim to know that the Chinese government was involved; just an “organized hacking operation” is claimed, broad language which could refer to almost successful hack by almost anybody, or to any unsuccessful hack that nevertheless appeared to be organized.
    Nor is it claimed in the article than confidential information was actually obtained by these hackers, much less any sort of sabotage, much less anything that might meaningfully be called “war” or “warfare.”
    Carpenter most certainly should have been fired for using United States security resources to conduct unauthorized spying (or as some would have it, engaging in unauthorized “information warfare” “attacks” against “the enemy”. Put like that he could have started WWIII!)
    Carpenter may well also be a criminal under “cybercrime” statutes, which makes me wonder why he’s not being prosecuted. If the FBI approved of his spyware-installing acts, this means that there may be some FBI officials who also should be prosecuted for aiding and abetting a crime; it certainly does not mean that Carpenter should be left off the hook. Or does “information warfare” mean, like the “war on terror” means to some folks, that we can throw the rule of law out window like so much old garbage? Do you think government employees are magically immune from the law every other computer security professional has to follow because they fancy themselves to be “information warriors”?
    The funding for government computer security people would vastly increase if they actually produced evidence pf espionage or sabotage ordered or coordinated by a foreign state and conducted via the Internet, rather than mere hyperbolic stories. The overwhelming incentive for the military and government security people is to publicize the heck out of it rather than be “embarrassed” by it and thus bury it, just as they have publicized the heck out of a variety of scary hypotheticals in the “information warfare” mythos.

  • Cliff says:

    Well Nick, don’t you know that it’s common knowledge that TIME magazine regularly prints random uncorroborated “unsworn” rants from bitter ex-employees of nuclear weapons laboratories? They never do any proper vetting of their stories. I’m curious where, in the information publicly available, did you find the statements that Carpenter was using “United States security resources” to conduct “unauthorized spying”? What are your sources for this information?
    It is also blatantly obvious that you selectively cherry pick statements from the September 5, 2005 TIME article that ONLY support your thesis (a generous word for your meaningless conclusions). Do you really expect intelligent readers to believe your arguments when you attempt to sell yourself as an authority in cyber law, diplomacy, and federal cyber security budgets — all in one posting? If that isn’t enough, you manage to completely destroy any shred of persuasiveness you might have had by launching into conspiratorial deductions that there may be “FBI officials who also should be prosecuted for aiding and abetting a crime”.
    You might want to do a little research and try to shoot for at least one or two factual statements before you tap out your next posting. Employees of most of the U.S. Government national laboratories — including Sandia — are NOT government employees; they are at-will employees. Lockheed Martin Corporation operates Sandia National Laboratories on behalf of the Department of Energy. Lockheed Martin Corporation spun off a subsidiary entity called “Sandia Corporation” in 1993, that they incorporated in Delaware — specifically to operate Sandia National Laboratories. Sandia Corporation is an at-will employer. I’m constantly amazed by how many people buy into ignorant banter like yours, without first doing some simple Google searches.
    If you were actually interested in exploring the facts of the case, you might have taken a look at the status of Carpenter’s civil case, instead of ranting about prosecuting Carpenter and the FBI.
    And wouldn’t you know, the New Mexico State Judiciary happens to have case data available online. Imagine that!
    While you’re at it, you should do a little boning up on your jingoist (touché to your “hyperbolic”) heroes in Sandia management. I’ll even help you get started:
    I managed to dig that up in about fifteen seconds with Google, and carpal tunnel syndrome hasn’t set in yet.
    It seems that Sandia has lost every ruling thus far — weird, huh? See if you can come up with some kind of conspiracy theory where the judge in this case should be prosecuted too! Hell, why stop there? Throw in Karl Rove too! OMG, that would be radical dude! I’m sure you can find a way to work him into the plot.
    You might want to tune in to the trial next February, where you can see fisthand our wonderful country’s “rule of the law” in action. Sorry Nick — The recipe for persuasive commentary isn’t two parts arrogance and one part thesaurus. I’m just trying to help you out, so you don’t sound so silly in future postings. Good luck!

Comments are closed.