Dailydave mailing list archives

Re: Persistence and Strategic Effects


From: the grugq via Dailydave <dailydave () lists aitelfoundation org>
Date: Fri, 16 Aug 2024 18:34:27 +0700

Cyber is Calvinball.

I gave a talk back in 2015 [1] which I think has held up rather well. My argument was that cyber is evolving in 
unpredictable ways as we learn more about the domain. That the current state of the art has huge blind spots we aren’t 
even thinking about. The next year was, of course, the 2016 disinformation campaign fed by cyber loot.

I feel that a great deal of cyber war literature is based on knowledge derived from interviews with people who no 
longer operate, or were just managers. This wisdom gets written up and then cited so frequently it becomes “laws of 
cyber.” The reality, of course, is that it is no such thing.

One example of these laws of cyber is: cyber capabilities are ephemeral and using them means possibly (probably?) 
losing them. I believe this is derived from first principles and rules of thumb for a specific offensive cyber 
operational context.

A good rule of thumb for an operator is: a capability used is at risk of being discovered. If that operator values 
stealth extremely highly, they will treat discovery as a fatal condition for that capability. It gets “burned” and they 
can no longer use it. This is completely reasonable given the operator’s priorities.

However, if the operator values effects on target and isn’t concerned about discovery or even attribution, then there 
is no such thing as “burned.” Indeed, 0day versus n-day ceases to be relevant either. 

Yet academics frequently cite the rule of cyber war that a capability is ephemeral, sometimes even “single use” only. 
Anyone who has done any penetration testing knows this is true only in the broadest possible sense. Ephemeral might 
mean “5 years after the patch was released less than 50% of targets are still vulnerable.” 

For example, WannaCry had a huge impact, even though it was released long after the patch was pushed out via automated 
channels. Months later, NotPetya exploited the same vulnerability and was an even bigger cyber event. 

According to the immutable laws of cyber, these attacks should not have been possible because the vulnerability was 
patched in February of that year. It was burned. 

A quick joke to summarise.

A neighbour goes to the Mullah Nasreddin’s house and asks to borrow his donkey. The Mullah tells him “the donkey isn’t 
here.” Just then the donkey brays loudly. Mullah Nasreddin: “who are you going to believe, me or the donkey?!” 


Cheers,

—gq

[1]: the grugq, On Cyber. “Power of Community” 2015 https://www.youtube.com/watch?v=qlk4JDOiivM

On 16 Aug 2024, at 01:10, Dave Aitel via Dailydave <dailydave () lists aitelfoundation org> wrote:

Before there were words, calculated as the softmax of a list of possible tokens, there were just vectors of 
nano-electrical potential in cells soaked in a hormonal brew of electrolytes, operating on a clock cycle of "slow, 
but fast enough". In this sense, as we now know, we generate words and we know, in our heads, what we are, in the 
same way as we generate limbs, with each cell knowing from its electric field what to be next. A tumor is in that way 
of thought a confabulation or as we now say, a hallucination. But then, also, so are you.

Recently I spent some time reading this year's Research Handbook on Cyberwarfare. One of the forms I filled out 
recently asked me if I was a certified Master Operator, which of course, I am not, any more than an Archaeopteryx is 
a certified Bald Eagle, even though both know the smell of the sky and the taste of freshly caught fish. But I do 
occasionally pay attention to the "state of the art" academic view of cyberwar and the Handbook was a good way to 
catch up.

For example, if you read Nadiya Kostyuk and Jen Sidorova's Handbook paper on Military Cybercapacity they will say 
that "a cyber attack may provide a defender or third party with a good estimate of the attacker's capabilities, but 
it is not clear how many of these capabilities the attacker has in their arsenal". This is, to my primitive 
cyberwarfare mind, so old that I still use "screen" instead of "tmux", a bit of a misstep when it comes to how 
cyberwar works and what a capability is. I don't know how to say it any clearer than this: Behind every wooden horse 
is a woodshop. 

An example in my head is that right now the Ukrainian army is rumored to be sitting on top of a major gas terminal in 
Kursk, one responsible for supplying Russian gas to Europe. You have to assume that, having learned from the Russian 
attacks against their electrical infrastructure, the Ukrainian Army is traveling not just with a screen of FPV drones 
but with a few USB keys containing implants for the specialized equipment that runs a gas network. 

It's hard to disconnect OT networks that are presumed to be segmented physically, and temporary physical control can 
easily translate to permanent cyber control. And cyber control, despite what Quentin E. Hodgson's Handbook paper 
(Cyber coercion as a tool of statecraft: how often, how effective?) wrongly concludes, is extremely useful for state 
coercion.  

Perhaps the problem with the Handbook, like all academic writing on cyberwar, is that it is meant to be sterile. But 
that's not how cyberwar works, held in the space that is a melange of electrons and intentions. As tumors confabulate 
within flesh, so too do our digital dreams hallucinate new worlds, both the virus and the firewall, the wooden horse, 
and the workshop that births it. Certified or not, we are masters of a domain we cannot fully comprehend, sailing on 
seas of raw data, guided by stars we ourselves ignite. 



_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org
