{"id":7923,"date":"2015-01-23T06:00:29","date_gmt":"2015-01-23T14:00:29","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=7923"},"modified":"2020-04-21T14:31:25","modified_gmt":"2020-04-21T21:31:25","slug":"cybersecurity-canon-inside-cyber-warfare-mapping-cyber-underworld","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2015\/01\/cybersecurity-canon-inside-cyber-warfare-mapping-cyber-underworld\/","title":{"rendered":"The Cybersecurity Canon: Inside Cyber Warfare: Mapping the Cyber Underworld"},"content":{"rendered":"<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red.png\"><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:43.6%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-large wp-image-9648 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-500x218.png\" alt=\"cybersec canon red\" width=\"500\" height=\"218\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-500x218.png 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-230x100.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-510x223.png 510w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-91x40.png 91w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red.png 786w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/span><\/div><\/a><\/p>\n<p><em>The Cybersecurity Canon is official, and you can now see our website <a href=\"https:\/\/www.paloaltonetworks.com\/threat-research\/cybercanon.html\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. 
We modeled it after the Baseball or Rock &amp; Roll Hall-of-Fame, except for cybersecurity books. We have 20 books on the initial candidate list but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.\u00a0<\/em><\/p>\n<p><em>The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!<\/em><\/p>\n<p><strong>Book Review:\u00a0<\/strong><em>Inside Cyber Warfare: Mapping the Cyber Underworld<\/em> (2009, 2010) by Jeffrey Carr<\/p>\n<h3>Executive Summary<\/h3>\n<p>I recommend this book for cybersecurity historians and cyber warfare lawyers. It is a bit disorganized and much broader in scope than the title implies. I valued the sections on the importance of open source cyber intelligence, the legal issues involved in conducting cyber warfare operations and the detailed discussion around Russia\u2019s attacks on Estonia, Georgia and Kyrgyzstan. The details around North Korea\u2019s attacks on South Korea and the US are also very good. But, if you are looking to understand the idea of cyber war more thoroughly, this is not the book for you.<!--more--><\/p>\n<h3>Introduction<\/h3>\n<p>Out of the three books I have read on Cyber Warfare \u2013 <a href=\"http:\/\/terebrate.blogspot.com\/2013\/01\/book-review-cyber-warfare-next-threat.html\" target=\"_blank\" rel=\"noopener noreferrer\">Clarke and Knake\u2019s<\/a>, <a href=\"http:\/\/terebrate.blogspot.com\/2013\/01\/book-review-cyber-warfare-techniques.html\" target=\"_blank\" rel=\"noopener noreferrer\">Andress and Winterfeld\u2019s<\/a>, and now <a href=\"https:\/\/www.goodreads.com\/book\/show\/9083545-inside-cyber-warfare?ac=1\" target=\"_blank\" rel=\"noopener noreferrer\">Carr\u2019s<\/a> \u2013 <em>Inside Cyber Warfare<\/em> is by far the weakest of the lot. 
Do not get me wrong, there is some good stuff in here, but the book often feels like a committee wrote it. Carr\u2019s name is on the title but he has adroitly pulled in some deep thinkers to write some of the chapters for him.<\/p>\n<ul>\n<li><a href=\"http:\/\/www.dvidshub.net\/video\/211141\/ltcmdr-matthew-sklerov#.UU2UqxesiSo\" target=\"_blank\" rel=\"noopener noreferrer\">LT Cdr Matt Sklerov<\/a>, a Military Lawyer who wrote his <a href=\"http:\/\/www.dtic.mil\/cgi-bin\/GetTRDoc?AD=ADA517821\" target=\"_blank\" rel=\"noopener noreferrer\">Master\u2019s thesis<\/a> on Cyber Warfare law (Chapters 4 and 13).<\/li>\n<li><a href=\"http:\/\/www.scribd.com\/doc\/13442963\/Project-Grey-Goose-Phase-II-Report\" target=\"_blank\" rel=\"noopener noreferrer\">Project Grey Goose Investigators<\/a>, <a href=\"http:\/\/articles.latimes.com\/2012\/may\/16\/news\/la-pn-excia-tracker-now-targeting-poachers-with-project-grey-goose-20120516\" target=\"_blank\" rel=\"noopener noreferrer\">Open Source Intelligence investigation<\/a> on the Russia \u2013 Georgia Cyber Wars (Chapter 5).<\/li>\n<li><a href=\"https:\/\/twitter.com\/Moranned\" target=\"_blank\" rel=\"noopener noreferrer\">Ned Moran<\/a>, a Shadow Server alumnus and Georgetown Adjunct professor (Chapter 12).<\/li>\n<li><a href=\"http:\/\/www.watsoninstitute.org\/events_detail.cfm?id=2038\" target=\"_blank\" rel=\"noopener noreferrer\">Alexander Klimburg<\/a>, an Austrian Institute for International Affairs Fellow (Chapter 13).<\/li>\n<li><a href=\"http:\/\/explore.georgetown.edu\/people\/lotrionc\/?PageTemplateID=156\" target=\"_blank\" rel=\"noopener noreferrer\">Catherine Lotrionte<\/a>, Visiting Law Professor at Georgetown University (Chapter 18).<\/li>\n<\/ul>\n<p>This is not a bad approach, but these kinds of books often are a hodgepodge of writing styles and ideas. 
I have been involved in a lot of these writing projects in my own career \u2013 some successes but many spectacular failures \u2013 and in order for it to work, the primary editor has to work hard to tell a coherent story. In my opinion, Carr falls short in that goal.<\/p>\n<h3>The Story<\/h3>\n<p>The book title is misleading. It says it is about Cyber War but Carr covers way more than the Cyber Warfare topic. In the preface, Carr says that,<\/p>\n<h5 style=\"text-align: center;\"><em>\u201cInternational acts of cyber conflict (commonly but inaccurately referred to as cyber warfare) are intricately enmeshed with cybercrime, cybersecurity, cyber terrorism and cyber espionage.\u201d<\/em><\/h5>\n<p>I fundamentally disagree with this notion. Hacktivism is not warfare. Crime is not warfare. Espionage is not warfare. Terrorism is not warfare. These are all very different things and require nuanced and apportioned thinking to deal with them.<\/p>\n<p>Carr points out that it is likely that a couple of governments have coopted some of their local hackers involved in cybercrime and cyber hacktivism to participate in cyber warfare (Russia) and cyber espionage (China) activities. He also observes that the tools used by these actors in all four activities are similar in nature. But then he implies that because both of those things are likely to be true, all four motivations (cybercrime, cybersecurity, cyber terrorism and cyber espionage) are tied into a tangled Gordian knot. I do not think this is true. Cybercrime is enmeshed with cyber war in the same way that other kinds of violent crime are enmeshed with \u201cregular\u201d war because both activities use guns. It is just not that entangled. Or if it is, Carr does not make the case for it.<\/p>\n<p>He does make a good case for the power of Open Source Cyber Intelligence -- a subject that is near and dear to my heart (I was the iDefense Intelligence Director for many years and later the GM. 
<a href=\"http:\/\/www.verisigninc.com\/en_US\/products-and-services\/network-intelligence-availability\/idefense\/index.xhtml?loc=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">Open Source Intelligence is what we did<\/a>). Carr has a nice overview of Russia\u2019s Cyber Warfare Capabilities. Sklerov\u2019s chapter on the legalities of warfare and cyber warfare is probably worth the price of admission alone, although it\u2019s worth noting that you can just <a href=\"http:\/\/www.dtic.mil\/cgi-bin\/GetTRDoc?AD=ADA517821\" target=\"_blank\" rel=\"noopener noreferrer\">download his thesis and read it for yourself<\/a>. His discussion of the two key legal principles of war,<\/p>\n<h5 style=\"text-align: center;\"><em>\u201cJus ad bellum: governs the transition from peace to war\u201d<br \/>\n<\/em><em>\u201cJus in bello: governs the use of force during war\u201d<\/em><\/h5>\n<p>and how they might apply in cyber space, is fascinating.<\/p>\n<p>Carr recaps Estonia and <a href=\"http:\/\/scholarcommons.usf.edu\/cgi\/viewcontent.cgi?article=1123&amp;context=jss\" target=\"_blank\" rel=\"noopener noreferrer\">Georgia<\/a>, the examples that many experts roll out when they are looking to describe cyber warfare. 
He also includes the <a href=\"http:\/\/www.guardian.co.uk\/world\/2009\/jul\/11\/south-korea-blames-north-korea-cyber-attacks\" target=\"_blank\" rel=\"noopener noreferrer\">North Korea DDOS attacks against South Korea and the US<\/a> as a potential example.<\/p>\n<p>With Carr\u2019s book and other sources, it is useful to list a <a href=\"http:\/\/www.csmonitor.com\/USA\/2011\/0307\/Cyberwar-timeline\" target=\"_blank\" rel=\"noopener noreferrer\">timeline<\/a> of cyber warfare milestones:<\/p>\n<ul>\n<li>(1999): \u201c<a href=\"https:\/\/www.goodreads.com\/book\/show\/855077.Unrestricted_Warfare?ac=1\" target=\"_blank\" rel=\"noopener noreferrer\">Unrestricted Warfare<\/a>\u201d, a book by Chinese military leaders that crystallizes China\u2019s thoughts on asymmetric warfare.<\/li>\n<li>(2003): <a href=\"http:\/\/terebrate.blogspot.com\/2013\/01\/book-review-cyber-warfare-next-threat.html\" target=\"_blank\" rel=\"noopener noreferrer\">US Compromises Iraq Email System prior to launch of 2d Iraq War<\/a>.<\/li>\n<li>(2007): <a href=\"http:\/\/www.youtube.com\/watch?v=fJyWngDco3g\" target=\"_blank\" rel=\"noopener noreferrer\">Industrial strength generator destroyed by Malcode in a Lab<\/a>; US contractor proves cyber destruction is possible.<\/li>\n<li>(2007): <a href=\"http:\/\/www.csmonitor.com\/USA\/2011\/0307\/Cyberwar-timeline\" target=\"_blank\" rel=\"noopener noreferrer\">DDOS attack against Estonia<\/a>; <a href=\"http:\/\/arstechnica.com\/security\/2007\/05\/massive-ddos-attacks-target-estonia-russia-accused\/\" target=\"_blank\" rel=\"noopener noreferrer\">attribution: likely Russian government<\/a>.<\/li>\n<li>(2007): <a href=\"http:\/\/www.theregister.co.uk\/2007\/11\/22\/israel_air_raid_syria_hack_network_vuln_intrusion\/\" target=\"_blank\" rel=\"noopener noreferrer\">US-Israeli DOS attack against Syrian Air Defense Systems<\/a>.<\/li>\n<li>(2008): <a href=\"http:\/\/scholarcommons.usf.edu\/cgi\/viewcontent.cgi?article=1123&amp;context=jss\" 
target=\"_blank\" rel=\"noopener noreferrer\">DDOS attack against Georgia<\/a>; attribution: likely Russian government.<\/li>\n<li>(2009): <a href=\"http:\/\/www.guardian.co.uk\/world\/2009\/jul\/11\/south-korea-blames-north-korea-cyber-attacks\" target=\"_blank\" rel=\"noopener noreferrer\">DDOS attack against US-South Korea<\/a>; attribution: likely North Korean government.<\/li>\n<li>(2009): <a href=\"http:\/\/www.theregister.co.uk\/2009\/01\/28\/kyrgyzstan_knocked_offline\/\" target=\"_blank\" rel=\"noopener noreferrer\">DDOS attack against Kyrgyzstan<\/a>; attribution: likely Russian government.<\/li>\n<li>(2010): <a href=\"https:\/\/www.goodreads.com\/book\/show\/13535210-confront-and-conceal?ac=1\" target=\"_blank\" rel=\"noopener noreferrer\">Sabotage attack (Stuxnet) against Iran<\/a>; <a href=\"http:\/\/www.vanityfair.com\/culture\/features\/2011\/04\/stuxnet-201104\" target=\"_blank\" rel=\"noopener noreferrer\">attribution: likely US-Israeli governments<\/a>.<\/li>\n<li>(2012): <a href=\"http:\/\/www.wired.com\/2014\/12\/evidence-of-north-korea-hack-is-thin\/\" target=\"_blank\" rel=\"noopener noreferrer\">Hackers destroy 30,000 hard drives (Shamoon) at the state-owned Saudi Aramco. Researchers initially attributed the attacks to Iran but it was probably some form of hacktivism<\/a>.<\/li>\n<li>(2013): <a href=\"http:\/\/www.wired.com\/2014\/12\/evidence-of-north-korea-hack-is-thin\/\" target=\"_blank\" rel=\"noopener noreferrer\">Hackers struck computers at banks and media companies in South Korea (Dark Seoul). Researchers initially attributed the attacks to China and North Korea but it was probably some form of hacktivism<\/a>.<\/li>\n<\/ul>\n<p>When I look at that list, what jumps out at me is that the US, Russia and Israel are all over it. China normally gets all of the headlines because of that country\u2019s cyber espionage activities and Carr highlights those in the book too. 
But there is a good reason he spends so much time on Russia\u2019s capabilities in this book. Russia has been active in the cyber warfare space since at least 2007. But the US operation called Olympic Games (Stuxnet) is the first use of cyber weapons that could actually meet a decent definition of cyber warfare.<\/p>\n<h3>The Tech<\/h3>\n<p>What exactly is cyber war? The security community has been debating this topic for over a decade and nobody can agree. The three books I have read so far on the subject have wide ranging definitions. <a href=\"http:\/\/terebrate.blogspot.com\/2013\/01\/book-review-cyber-warfare-techniques.html\" target=\"_blank\" rel=\"noopener noreferrer\">In the Winterfeld\/Andress book<\/a>, the authors review many of the published definitions but throw their hands up in frustration and refuse to define it themselves. <a href=\"https:\/\/www.goodreads.com\/book\/show\/9083545-inside-cyber-warfare?ac=1\" target=\"_blank\" rel=\"noopener noreferrer\">Carr defines it as this<\/a>:<\/p>\n<h5 style=\"text-align: center;\"><em>\u201cCyber Warfare is the art and science of fighting without fighting; of defeating an opponent without spilling their blood.\u201d<\/em><\/h5>\n<p>I do not like this one. This implies that anybody can conduct war: hacktivists, commercial entities, non-state actors. Those guys can do damage for sure, but what they are doing is not warfare. I think Carr\u2019s definition is too broad.<\/p>\n<p>In Clarke\u2019s book, <a href=\"http:\/\/terebrate.blogspot.com\/2013\/01\/book-review-cyber-warfare-next-threat.html\" target=\"_blank\" rel=\"noopener noreferrer\">he says it is this<\/a>:<\/p>\n<h5 style=\"text-align: center;\">\u201c[T]he term \u201ccyber war\u201d \u2026 refers to actions by a nation-state to penetrate another nation\u2019s computers or networks for the purposes of causing damage or disruption.\u201d<\/h5>\n<p>I think this is pretty close for two reasons. 
First, Clarke insists that nation states pursue cyber war activities and nobody else. This is important when countries deal with the legal authorities required to conduct such operations. I am pretty sure that the cyber criminals, hacktivists and terrorists of the world are not running their plans through their legal department before they execute them. But a nation state must if it wants to interact on the global stage.<\/p>\n<p>In <a href=\"https:\/\/www.goodreads.com\/book\/show\/13535210-confront-and-conceal?ac=1\" target=\"_blank\" rel=\"noopener noreferrer\">David Sanger\u2019s book <em>Confront and Conceal: Obama\u2019s Secret Wars and Surprising Use of Military Power<\/em><\/a>, Sanger describes President George W. Bush\u2019s decision to move Operation Olympic Games (Stuxnet) away from military channels and into intelligence channels. President Bush made that decision because he did not have the authority to use military forces against a nation that the US was not officially at war with. But, he did have the authority through the intelligence arm in the same way he has the authority to conduct drone strikes in foreign lands.<\/p>\n<p>Second, Clarke says that cyber war activities must cause some sort of physical damage. I think that is dead-on because it separates propaganda activities (web defacements), espionage activities (document exfiltration) and criminal activities (credit card number theft) out of the warfare category. The only weakness in Clarke\u2019s definition is that it says nothing about why a nation state would want to do such a thing.<\/p>\n<p>I would tweak it a bit to say this:<\/p>\n<h5 style=\"text-align: center;\"><em>Cyber Warfare involves one or more nation states using cyber weapons to destroy each other\u2019s national treasure to achieve some political purpose.<\/em><\/h5>\n<p>There must be some political goal in mind for any cyber activities to rise to the level of warfare. 
As <a href=\"https:\/\/www.goodreads.com\/book\/show\/117031.On_War_Indexed_Edition?ac=1\" target=\"_blank\" rel=\"noopener noreferrer\">Carl von Clausewitz said in his book, <em>On War<\/em><\/a>,<\/p>\n<h5 style=\"text-align: center;\">\u201c[\u2026] war is simply the continuation of policy by other means.\u201d<\/h5>\n<p>That is true for cyber war also. But as Winterfeld and Andress would likely point out, there are probably many issues with my definition too. I do think that Carr\u2019s definition is too broad and because of this, his book is much broader than the topic of cyber warfare. There are things that I did like though and the book is worth the read for them. As long as the reader understands where Carr is coming from, there are things to learn here.<\/p>\n<h3>Conclusion<\/h3>\n<p>Carr\u2019s book is worth the read although it is a bit disorganized and much broader in scope than the title implies. I valued the sections on the importance of open source cyber intelligence, the legal issues involved in conducting cyber warfare operations and the detailed discussion around Russia\u2019s attacks on Estonia, Georgia and Kyrgyzstan. The details around North Korea\u2019s attacks on South Korea and the US are also very good. It is a must-read for cybersecurity historians and I would recommend it to cybersecurity lawyers for Sklerov\u2019s legal chapters. But, if you are looking to understand the idea of cyber war more thoroughly, this is not the book for you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Cybersecurity Canon is official, and you can now see our website here. We modeled it after the Baseball or Rock &amp; Roll Hall-of-Fame, except for cybersecurity books. 
We have 20 books &hellip;<\/p>\n","protected":false},"author":43,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[155,4521],"tags":[271,251,1024],"coauthors":[791],"class_list":["post-7923","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-2","category-canon","tag-cyber-warfare","tag-cybersecurity-canon","tag-jeffrey-carr"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/7923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=7923"}],"version-history":[{"count":8,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/7923\/revisions"}],"predecessor-version":[{"id":109932,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/7923\/revisions\/109932"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=7923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=7923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=7923"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=7923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}