Tuesday, 04 November 2008

Response to Marcus Ranum HITB Cyberwar Talk

Many readers have been asking me to comment on Marcus Ranum's keynote titled Cyberwar is Bullshit at Hack In The Box Security Conference 2008 - Malaysia. (What a great conference; I think we are seeing the Asia-Pacific area really grow its digital security community. You can access the conference materials here. I'd like to point out my friend CS Lee spoke about NSM at the event.)

The article Don’t waste funds preparing for cyberwars summarized Marcus' talk as follows:

The billions of dollars spent on researching cyberwarfare can be put to better use because cyberwar is never going to be as effective as conventional war, said an IT security expert.

Marcus Ranum, chief security officer of Tenable Network Security, said cyberattacks aren’t a good force multiplier in an actual war.

Many people, he said, talk about cyberspace as if it can be a new form of battlefield but this is not possible because you can’t occupy and hold cyberspace as you would a piece of enemy territory.

Ranum was speaking at HiTBSecConf 2008 here this week.

He said trying to overcome another country via cyberspace is impossible unless you also have a huge army that can defeat its forces in conventional warfare.

A small country, even with an army of hackers on its side, is never going to be able to defeat a big country with an extensive land, air and sea military force by attacking through the Internet.


If you search my blog for the term cyberwar you'll find plenty of posts, but let me try to summarize my thoughts.

In September 2007 I wrote China Cyberwar, or Not?:

DoD Joint Publication 3-13, Information Operations, differentiates between two sorts of offensive information operations.


  1. Computer Network Exploitation. Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Also called CNE.

  2. Computer Network Attack. Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. Also called CNA.


You can think of CNE as spycraft, and CNA as warfare. In the physical world, the former is always occurring; the latter is hopefully much rarer. I would place all of the publicly reported activity from the last few months in the CNE category.


I'd like to add a third category not mentioned in the information operations doctrine: cybercrime. In Marcus' talk, he separates adversary action into cybercrime, cyberterror, cyberespionage, and cyberwar. I don't explicitly break out terrorism because I consider it a criminal issue, and not a military issue.

Marcus' cyberespionage and cyberwar categories relate to my points about Computer Network Exploitation and Computer Network Attack, respectively.

Marcus' slides say "packets don't hold ground." The question is whether that matters. Aircraft don't hold ground either. However, no army wants to operate without air supremacy or at least air superiority overhead. (Ask the Georgians if you doubt this.) Would you rather be able to conduct CNE, or not? If yes, why?

Combatant commanders approach the problem this way. If you're Stormin' Norman Schwarzkopf in 1991, and you want to remove the Iraqi army from Kuwait, you'll want to blind the Iraqi radar grid. If you can do so electronically instead of risking the life of a pilot or running down your missile stocks, would you want to? Most commanders I knew wanted to be 100% sure that their decision would work. Not all warfare is about holding ground.

I think the major problem with the cyberwar discussion is the idea that a real conflict could be a purely cyber conflict. This is wrong. I don't think the early air pioneers expected their role to involve purely aerial warfare. Each method of combat has been integrated into the overall ugly fabric of war. So, I don't think "cyberwar is bullshit," but I'm guessing neither does Marcus if you discuss it in the proper context.
