Inside Cyber Warfare (Jeffrey Caruso)

Author: Jeffrey Caruso


Converted from EPUB; contains some unreadable images.

Get a fascinating and disturbing look into how state and nonstate actors throughout the world use cyber attacks to gain military, political, and economic advantages. In the third edition of this book, cyber warfare researcher Jeffrey Caruso explores the latest advances in cyber espionage and warfare that have emerged on the battlefields of Ukraine and the Middle East, including cyber attacks that result in the physical destruction of the target and the pairing of cognitive with maneuver warfare.

Inside Cyber Warfare features an exclusive deep dive into the wartime operations of an offensive cyber unit of Ukraine's Ministry of Defense as it works to defend the nation against Russian forces, particularly since the 2022 invasion:

See what happened when a Ukrainian cyber and special operations team worked together to destroy a secret missile laboratory
Explore the legal status of cyber warfare and civilian hackers
Discover how a cyber team with little money and limited resources learned to create fire from the manipulation of code in automated systems
Distinguish reality from fiction regarding AI safety and existential risk
Learn new strategies for keeping you and your loved ones safe in an increasingly complex and insecure world


Inside Cyber Warfare
THIRD EDITION
Mapping the Cyber Underworld
Jeffrey Caruso
Foreword by Dan Geer
Inside Cyber Warfare
by Jeffrey Caruso

Copyright © 2024 Jeffrey Caruso. All rights reserved.

Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Simina Calin
Development Editor: Virginia Wilson
Production Editor: Clare Laylock
Copyeditor: J.M. Olejarz
Proofreader: Krsta Technology Solutions
Indexer: BIM Creatives, LLC
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Kate Dullea

December 2009: First Edition
December 2011: Second Edition
September 2024: Third Edition

Revision History for the Third Edition
2024-09-16: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781098138516 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Inside Cyber Warfare, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the author and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-098-13851-6
[LSI]
Dedication

This book is dedicated to my brothers Max (aka Nomad) and Dima (aka Apostle) in Ukraine. Your ingenuity and bravery in war have been and remain a constant source of inspiration for me.
Foreword

YOU ARE IN A MAZE OF TWISTY LITTLE PASSAGES, ALL ALIKE.
—Adventure (1976 video game)

Things are seldom what they seem,
Skim milk masquerades as cream....
—Gilbert & Sullivan, H.M.S. Pinafore

This book is a guide—not a guide for those twisty little passages, not a guide for detecting skim milk in the crockery, not a tour guide, more like a wilderness guide.

We are near an inflection point, a place where a curve changes from one regime to another. A declaration of inflection is a claim more than an observation—it is very nearly impossible to confirm that you are at a moment of inflection except in retrospect. Any such announcement can only be early or late. Your informed risk tolerance determines your preference for being early or being late.

The inflection described in this book is that of moving from a regime where cybersecurity capabilities are contributory yet ancillary to a regime where they are primary, from a regime where cybersecurity technique operates at the perimeter without real power to determine outcomes to a regime where cybersecurity technique is the broadly dominant power, a metamorphosis where cybersecurity passes from “useful” through “necessary” on to “sufficient.”

An inflection begins in specific edge cases first; Jeff covers that in the first chapter with the authority of a John von Neumann. Once begun, inflections spread ever faster and in every direction, the central feature of self-reinforcing processes. As the spread picks up speed, the inflection point is passed. The inflection point which Jeff declares is occurring in the here-and-now, what with the skies of the Donbas dense with drones, nearly every hospital under ransomware pressure, and everything in between. The sharpest bend in the curve may be just ahead, depending on whether the autonomy granted to AI artifacts includes their ability to reproduce. Regardless of whether it is just past, just now, or just over the horizon, it’s proximal.

Cyber conflict up to and including cyber war is a reality. Ever more precise application of ever more compute power guarantees that every aspect of computing’s inherent dual-use nature will be explored. The rate of advance will be heady—make that is heady. A world of connected endpoints, a swiftly declining fraction of which will be human, is the regime waiting on the downstream side of this inflection.

Just as militaries deploy massed artillery wars and psyops, cyber conflict comes in all grades. That some particular conflict is underway may be obvious or it may be hidden. Much of the weaponry will be repurposed civilian capabilities, it being somewhat irrelevant if the repurposing came from an authoritarian state’s predilection for intervention or from a liberal state’s unwillingness to put its foot down. If the explainability problem in AI is as unsolvable as it looks, it won’t matter that there is no human in the loop.

Catastrophizing? No. We know so much now that there is no shortage of things to do or that we could be doing. This book is a guide to a way of thinking usefully, looking backward so that you see forward. These are perilous times; to be a master of your fate you must study conflicts up to and including warfare if you are to deliver a lasting peace. Looking back is neither optional nor a new idea, and what John Adams wrote to Abigail Adams in 1780 rings true even yet:

I must study Politicks and War that my sons may have liberty to study Mathematicks and Philosophy. My sons ought to study Mathematicks and Philosophy, Geography, natural History, Naval Architecture, navigation, Commerce and Agriculture, in order to give their Children a right to study Painting, Poetry, Musick, Architecture, Statuary, Tapestry and Porcelaine.

Study well.

Daniel E. Geer, Jr., Sc.D.
Preface

The first edition of this book focused on the use of cyber warfare by Russia during its invasion of Georgia on August 1, 2008. The war lasted 12 days, but it colored what we thought we knew about cyber warfare and the Russian playbook for more than a decade—13 and a half years, to be exact—until February 24, 2022, when Russia-backed forces invaded Ukraine.

This entire third edition was researched and written during wartime, and took two years and four months to complete. And as I write these last few words on June 20, 2024, there are no signs that the war will be ending anytime soon.

There are some major differences between the first and second editions and this one, the biggest being that this edition contains 100% fresh content. If you’ve read the book’s prior versions, this will be an entirely new experience for you.

As a researcher in 2008, my access to details about Russia’s cyber warfare operations was limited to the activities of the StopGeorgia.ru website and forum, plus various open sources. For this book, I had an exclusive over-the-shoulder look at a number of secretive offensive cyber operations (OCOs), aimed at critical Russian infrastructure, run by a special unit in Ukraine’s military, which I cover in Chapter 6.[1]

Likewise, Chapter 5, “The New Enmeshed War Strategy”, was largely informed by my efforts to support the work of Col. Andrew Milburn’s volunteer rescue and training organization, the Mozart Group, which was operating on the front lines of the war in Ukraine. I had a bird’s-eye view of the impact of information and kinetic warfare campaigns run by the late Wagner Group founder Yevgeny Prigozhin against Milburn and his team. I also witnessed the impact of local corrupt business leaders who appeared to be supporting the work of the Mozart Group while leveraging it for their own selfish interests. That latter aspect isn’t addressed in this book; more about it is, however, available for reading at the Inside Cyber Warfare newsletter.

Here’s a quick overview of what’s in the book.

WARNING: This book covers the topic of war and includes some graphic descriptions of violence.

The Foreword was written by my friend Dan Geer, the longtime chief information security officer for the CIA-founded venture capital firm In-Q-Tel and a true icon in the world of information security. Back in 2003, Dan was fired by the consulting company where he was employed for cowriting a paper that called Microsoft a threat to national security. Twenty-one years later, DHS did exactly the same thing.[2]

In Chapter 1, “How Did We Get Here?”, I begin with mathematician John von Neumann’s prediction about high-speed computing being a “monster whose existence is going to change history, providing there is any history left.” Almost every piece of critical infrastructure in the world is governed by software, a fundamentally flawed and unregulated system that is so awry that the more we spend on cybersecurity, the more incidents there are.

In Chapter 2, “Who Did It?”, I address the risks of private-sector attribution of cyber attacks due to commercial incentives and a lack of accountability.

In Chapter 3, “Establishing Corporate Accountability”, I show what happens historically when industries are left to regulate themselves (they don’t do it), and what is typically required to bring regulation to an industry (the media and general public put relentless pressure on government to act due to an unacceptable level of human lives lost).

In Chapter 4, “The Legal Status of Cyber Warfare”, I look at the potential repercussions for civilian hackers to engage in offensive operations against a nation-state at war, and provide a tool that will tell you if you’re at risk of being considered an enemy combatant.

In Chapter 5, “The New Enmeshed War Strategy”, I show how traditional warfare has changed to leverage our reliance on an internet-based information infrastructure that powers and tracks everything we do on a minute-to-minute basis.

In Chapter 6, “Cyber Attacks with Kinetic Effects”, you’ll read examples of recent real-world cyber attacks that have generated kinetic effects including explosions, fires, and in some cases loss of life, with nothing more than internet access to the target’s automated control system(s).

In Chapter 7, “AI”, I explore innovations in artificial intelligence and detail the most pressing present risks and the harms that have resulted from them. I also explore future risks and provide recommendations for prevention and mitigation.
Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.

NOTE: This element signifies a general note.

WARNING: This element indicates a warning or caution.

O’Reilly Online Learning

NOTE: For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed.

Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-889-8969 (in the United States or Canada)
707-827-7019 (international or local)
707-829-0104 (fax)
support@oreilly.com
https://oreilly.com/about/contact.html

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at https://oreil.ly/InsideCyberWarfare3e.

For news and information about our books and courses, visit https://oreilly.com.

Find us on LinkedIn: https://linkedin.com/company/oreilly-media.

Watch us on YouTube: https://youtube.com/oreillymedia.
Acknowledgments

I couldn’t have written this book without the insights that I received from my brave friends in Ukraine and dozens of experts across multiple disciplines, including Dan Geer, Sc.D., who took time away from many more important things to write the Foreword for this edition, as well as Matt Georgy; Marcus Ranum; H. D. Moore; Hector Monsegur; David Thorstad, Ph.D.; Ellie Pavlick, Ph.D.; Suhail Balasinor; Olav Lysne, Ph.D.; Jorge Reyes; Alex Urbelis, J.D.; Drinor Selmanaj; Kathryn Ballentine Shepherd, J.D.; Emilio Iasiello; Anil Sood; Mukund Sarma; Boldizsar Bencsath, Ph.D.; and Col. Andrew Milburn (United States Marine Corps, retired). I’m sure there are others who I’ve forgotten to mention, but thank you so much for your time and assistance.

Also, thank you to my patient and amazingly insightful editor, Virginia Wilson, and the entire team at O’Reilly for their assistance and guidance as I struggled with winnowing down a mountain of material into a book that I hope people will find both interesting and informative.

Lastly, and most importantly, thank you to my astoundingly patient spouse, Lilly Andersen, for being so understanding and supportive in the midst of the constant uncertainty that comes with being married to a writer. You’re living proof that angels walk among us.

[1] See my article for O’Reilly Radar, “D-Day in Kyiv”, for more information about this.
[2] “Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023,” April 20, 2024, The U.S. Department of Homeland Security
Chapter 1. How Did We Get Here?

Figure 1-1. J. Robert Oppenheimer (left) and John von Neumann at the October 1952 dedication of the computer built for the Institute for Advanced Study. Oppenheimer, who was head of the Los Alamos National Laboratory during World War II, became the institute’s director in 1947.[1]

What we are creating now is a monster whose existence is going to change history, provided there is any history left.
—John von Neumann[2]

In this chapter, I depict the cybersecurity industry as a super ouroboros: a snake that not only eats its own tail but also grows larger with every bite. Red (offensive) and blue (defensive) teams have been perpetually squaring off and creating new products and services for roughly 25 years while the customer (the technology enterprise, financial institution, hospital, power station, automobile manufacturer, etc.) pays the price.

This chapter will show you that there has never been such a thing as a “secure” or “healthy” network, from the first high-speed computer, known as MANIAC, to the present time; that the business of exposing vulnerabilities only makes the attacker’s job easier; and that, when used in medicine, the model of finding new ways to attack a network, advising the company about it, and then publishing your findings, which lets bad actors use that information, would be not only illegal but a crime against humanity.

By the time you’re finished you’ll have learned that software programming is inherently insecure, that the multibillion-dollar cybersecurity industry exploits that fact, and that it pays much better to play offense than defense.

von Neumann’s Monster

There is a marker in the history of civilization at which our future security became more perilous than ever before. Logic and math combined to form a new type of computing that enabled the creation of a thermonuclear weapon, a weapon so powerful that if used today it would result in an estimated two billion people dying if a nuclear war happened between India and Pakistan, and five billion people dying if the war was between the United States and Russia, due to the global effects that radiation would have on crops, marine fisheries, and livestock.[3]

Many would argue that the successful detonation of the first ever thermonuclear device in 1952 would certainly qualify as that marker, but the risk of such a war happening is extremely low thanks to the doctrine of mutually assured destruction (MAD).[4] MAD relies on the theory of rational deterrence, which says that if two opponents each have the capability of using nuclear weapons, and that both players would die if either player used it, then neither will use it.

However, John von Neumann wasn’t nearly as worried about the bomb that he helped build as he was about the high-speed computer that he invented in order to mathematically prove that such a bomb was possible. The “monster” in von Neumann’s quote at the start of this chapter wasn’t the bomb. It was his stored program architecture code that ran the MANIAC computer at Los Alamos National Laboratory, an architecture that was inspired by his former student Alan Turing’s paper “On Computable Numbers.”[5] Stored-program architecture went on to become the basis for digital computing worldwide.

With thermonuclear war, while the potential for harm was astronomical, the risk of it happening was very low thanks to MAD. Computing, on the other hand, was a seductive charmer that only a select few understood fully in the beginning. As computing became more pervasive and complex, no one knew more than their specialty. The average person can assess risk when it comes to things that they understand, but no one completely grasps how computing works, even the experts, and so our collective risk has grown to the point where online sabotage, extortion, theft, and espionage are unstoppable. Cyber insurance companies are now worried about claims so large that they could result in bankrupting the industry.

In order to understand just how unsafe the world is today because of the perils inherent in software and hardware, we need to return to Los Alamos and the MANIAC computer (see Figure 1-2).

Figure 1-2. The MANIAC’s chassis under construction in 1950.[6]

MANIAC’s primary purpose was to run mathematical models to test the thermonuclear process of a hydrogen bomb explosion. It successfully achieved that with a single mathematical operation that ran nonstop for sixty days. Then on November 1, 1952, IVY MIKE, the code name for the world’s first thermonuclear device, had a successful detonation on Elugelab, an island that was part of the Enewetak Atoll of the Marshall Islands.
NOTE: MANIAC also went on to become the first computer to beat a human in a modified game of chess; there were no bishops because of the limitations of the machine. MANIAC’s entire memory storage was five kilobytes (about the size of a short email), sitting within a six-foot-by-eight-foot beast weighing one thousand pounds. MANIAC went through three iterations between 1952 and 1965.

New challenges swiftly arose in the area of software because programs were haphazardly written without any formal rules or structure, and it all came to a head in 1968 at the NATO Software Engineering Conferences at Garmisch-Partenkirchen, a resort in the Bavarian Alps (see Figure 1-3). It should come as no surprise that there were serious differences of opinion among the attendees, all of whom came from the elite universities in their respective countries as well as Bell Labs and IBM.

Figure 1-3. An unidentified photographer captured this image at the NATO Software Engineering Conference in 1968.[7]
One side viewed the use of the phrase “software crisis” as unwarranted and unnecessarily dramatic. Sure, there were some supply problems, and there were “certain classes of systems that are beyond our capabilities,” but—their view went—we can handle payroll and sort routines perfectly well!

Douglas Ross, a pioneer in computer-aided design at MIT, and one who believed there was a serious software programming crisis at hand, had a perfectly succinct response to the critics: “It makes no difference if my legs, arms, brain, and digestive tract are in fine working condition if I am at the moment suffering from a heart attack. I am still very much in a crisis.”[8]

Around that same time, the US Department of Defense was struggling with how to do secure programming on a shared server provided by IBM. A task force, chaired by Willis Howard Ware from the RAND Corporation and including representatives from the US’s National Security Agency, Central Intelligence Agency, and Department of Defense, as well as academia, spent two years on the problem. The Ware Task Force produced a report in 1970 that advocated for a system of document flags representing the four levels of clearance: Unclassified, Confidential, Secret, and Top Secret. They would also program a rule that they called “No Read Up,” basically what we call “least privilege access” today.

Unfortunately, the Ware report concluded that it would be very difficult to secure such a system; one would have to delineate each method whereby the No Read Up rule could be defeated, and then create a flowchart that solves the security problem for each method of compromise. And that process would be next to impossible because, according to