Game Theory and the Cyber domain

According to this leak:

Russia alleged that an arms control race was unfolding in cyberspace and that constraints on state capabilities were necessary

Now where had I heard that before? It was in 2009 while watching a presentation given by iDefense’s Eli Jellenc. In it he presented the following variation of the Prisoner’s Dilemma:

The Security Dilemma

The basic premise of the model is that efforts to increase your own security make others insecure. In cyber warfare it is easier to attack than to defend a complex system (or at least it feels that way, since time is on the side of the persistent, patient attacker). It is also often very difficult to distinguish offense from defense, and the fact of the matter is that both the digital underground and the private sector have well-established offensive capabilities for hire. The result is that everybody is forced to deploy offensive capabilities, and a spiral of mistrust is built up as a side effect.

Indeed, an example of how such a spiral of death forms is given in “Strategy and the Revolution in Military Affairs: From Theory to Policy”:

“Why, foreign leaders ask, would the world’s only superpower seek radical improvement of its armed forces in the absence of a clear threat? Given the expense of accumulating national power, some may assume it is meant to be used and conclude that the United States is improving its military capabilities in order to impose its will on others. The United States can either accept such suspicions or find a new, less intimidating method of pursuing the revolution in military affairs, perhaps through greater cooperation with potential allies. The problem is that such cooperation could speed the dissemination of new technology, techniques, and ideas, and thus contribute to the emergence of challengers. But if the United States unilaterally pursues the RMA, other states will respond, whether symmetrically or asymmetrically. In turn, knowing the benign intentions of the United States, American leaders and planners will consider this threatening. Why, they will ask, would other states seek to improve their military capability unless contemplating aggression? Vigorous American pursuit of the RMA may make other nations feel less secure and their response will make the United States feel less secure. The result may be a spiral of mutual misperception and a new arms race, albeit a qualitative rather than quantitative one.”

Ironic how I was scolded in a meeting a couple of months ago for mentioning Game Theory as a tool to study strategies (“Theory is one thing, reality is another”) when in fact we see how such simple models are suited to studying reality.

But what do I know, dear officer? In his “How cyberattacks threaten real-world peace” TEDxParis talk (a quick summary of which you can read here), Guy-Philippe Goldstein presented the following 1978 model by Robert Jervis from “Cooperation under the security dilemma”:

Cyberwar Game

As Jervis puts it:

“The fear of being exploited is what drives the security dilemma”

Game Theory and the Cyber Domain? What do I know. I simply read about stuff.
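The Jervis model above can be made concrete with a small two-player payoff game. The following Python is an added example, not code from this post, from Jervis or from Goldstein’s slides; the payoff numbers and the action names `restrain` / `arm` are constructed assumptions chosen to give the two orderings the argument turns on. Under a Prisoner’s Dilemma ordering, arming is a dominant strategy and mutual arming is the only equilibrium. Under a stag-hunt ordering, mutual restraint is an equilibrium too, but the code computes the belief threshold at which a state that merely *suspects* the other side will arm finds arming its best response. That threshold is the “fear of being exploited” in Jervis’s line, expressed as a number.

```python
"""Two-player 2x2 'arm or restrain' game: pure Nash equilibria and the
belief threshold at which fear of exploitation makes a state arm even
when mutual restraint would be the better equilibrium.

All payoff values are constructed for illustration; they are not the
numbers from Jervis (1978) or from Goldstein's TEDxParis slide.
"""
from itertools import product

RESTRAIN, ARM = "restrain", "arm"
ACTIONS = (RESTRAIN, ARM)


def symmetric(R, S, T, P):
    """Build a symmetric 2x2 game from the classic letters:
    R = reward for mutual restraint, S = sucker (I restrain, they arm),
    T = temptation (I arm, they restrain), P = punishment (both arm).
    Returns {(my_action, their_action): (my_payoff, their_payoff)}."""
    return {
        (RESTRAIN, RESTRAIN): (R, R),
        (RESTRAIN, ARM): (S, T),
        (ARM, RESTRAIN): (T, S),
        (ARM, ARM): (P, P),
    }


# Constructed payoffs (assumptions, see lead-in):
#   Prisoner's Dilemma ordering  T > R > P > S  -> arming dominates
#   Stag hunt ordering           R > T > P > S  -> two equilibria, fear decides
PRISONERS_DILEMMA = symmetric(R=3, S=0, T=5, P=1)
STAG_HUNT = symmetric(R=4, S=0, T=3, P=2)


def pure_nash(game):
    """Action profiles from which neither player gains by deviating alone."""
    eqs = []
    for a, b in product(ACTIONS, repeat=2):
        mine, theirs = game[(a, b)]
        best_for_me = all(game[(alt, b)][0] <= mine for alt in ACTIONS)
        best_for_them = all(game[(a, alt)][1] <= theirs for alt in ACTIONS)
        if best_for_me and best_for_them:
            eqs.append((a, b))
    return eqs


def fear_threshold(game):
    """Smallest probability q that the adversary ARMS at which arming becomes
    my (weakly) best response.

    E[restrain] = (1-q)*R + q*S,   E[arm] = (1-q)*T + q*P
    E[restrain] - E[arm] = (R-T) + q*((S-P) - (R-T))
    Arming is better once that difference is <= 0.

    Returns 0.0 if arming dominates regardless of belief (Prisoner's
    Dilemma), None if restraint is better at every belief (harmony), and
    otherwise the threshold in (0, 1]: the more fear, the sooner one arms."""
    R, S = game[(RESTRAIN, RESTRAIN)][0], game[(RESTRAIN, ARM)][0]
    T, P = game[(ARM, RESTRAIN)][0], game[(ARM, ARM)][0]
    intercept = R - T
    slope = (S - P) - (R - T)
    if intercept <= 0:
        return 0.0    # arming pays even if the other side restrains
    if slope >= 0:
        return None   # restraint pays at every belief
    return min(1.0, intercept / -slope)


if __name__ == "__main__":
    for name, game in (("Prisoner's Dilemma", PRISONERS_DILEMMA),
                       ("Stag hunt", STAG_HUNT)):
        print(name, "equilibria:", pure_nash(game),
              "arm once P(they arm) >=", fear_threshold(game))
```

In the stag-hunt case both players would prefer mutual restraint, yet a belief of only one in three that the other side will arm is enough to tip a player into arming; since each side reasons the same way about the other, the spiral the post describes follows from fear alone, without any aggressive intent on either side.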

Further reading:

Now I am off to read “Security and Game Theory”, thanks to Sakis.

A vision so noble

Vasilis Katos, at the 1st Athens Chapter ISACA Conference, argued that we do not need cyber security experts; rather, we need champions in each of the many different and complex areas that this domain encloses. He is not alone in believing this about experts. With the domain being new and hot, and with Governments committed to financially backing projects, the landscape is open to claims of expertise. And since we are at the infant stages, many try to establish themselves as the strategists who set the pace, no matter how disconnected from reality they may be.

Whenever a new domain is introduced, people try to use analogies to make the connection until the domain is sufficiently understood. It is a no-brainer, then, that since anything colored “cyber” starts to get a military treatment, analogies with highly successful strategists of the past and studies of them will appear. Think of it: Sun Tzu seems to fit every subject, from the battleground to sports to (non-military) management. I’ve seen efforts for both Sun Tzu (although far from a complete treatment) and Clausewitz, and I am sure that others exist too. It is no wonder, then, that John Boyd and his OODA Loop would receive treatment too.

Since I found the OODA Loop concept interesting, I set out to learn a bit more about it. This is not an easy task for a civilian, for Boyd did not leave much written work behind, with the exception of a continually refined set of slides that, when finalized, took about 15 hours to present. To understand the loop, I read “A vision so noble” by Dan Ford. Its chapter 2 contains a longer explanation of the OODA Loop than Wikipedia does and even includes a hand-drawn sketch of it:

The OODA Loop as John Boyd sketched it toward the end of his life

For a more understandable version of the loop see the Wikipedia drawing and article.

Boyd is mostly an attacker, not a defender, and indeed one can find cyber similarities in his work. On page 40 Ford reproduces the following, uncovered from Boyd’s boxes:

Infiltration
* Blitz and guerrillas infiltrate a nation or regime at all levels to soften and shatter the moral fiber of the political, economic and social structure. To carry out this program, a la Sun Tzu, Blitz and Guerrillas:

* Probe and test adversary to unmask strengths, weaknesses, maneuvers and intentions.

* Shape adversary’s perception of the world to manipulate or undermine his plans and actions.

Purpose
* To force capitulations when combined with external political, economic and military pressures.

or

* To minimize the resistance of a weakened foe for the military blows to follow.

Do not all of the above match the aims of cyber warfare? So there is value in studying Boyd and his tactics, though not the one-to-one mapping many would hope for to make the transition to the cyber domain easier. The OODA Loop is valuable, but one has to understand that it is not completely linear: OODA stands for Observation, Orientation, Decision, Action, yet you are constantly in an observation state, and that observation feeds back into the other three.

Boyd believed that people, not weapons, win wars. Not very far from a good friend’s observation that people, not machines, get hacked, or from my belief that people are the actual cyber weapons.

A good 70-page book, based on Ford’s MSc thesis, that definitely helps expand our thinking on the matter.

Off to read “The Dynamic OODA Loop: Amalgamating Boyd’s OODA Loop and the Cybernetic Approach to Command and Control” now.

PS1: An earlier version of Ford’s book seems to be available on Lulu as a PDF.

PS2: Boyd on management

“There will be blood”

Jeffrey Carr concludes his 2012 cyber predictions by writing:

“The very worst part of this prediction is that it’s inevitable. CEOs typically refuse to act to protect their own companies if it cuts into profit. The U.S. government has refused to do what’s necessary to protect our nation’s critical infrastructure because it’s 90% privately owned, and our laws and system of government have enabled this massive malfeasance so that everyone responsible can claim absence of malice. In the words of Upton Sinclair and the movie based upon his book Oil!, “there will be blood”. It’s just a matter of time.”

What is missing is the State’s ability to run the show. Had the State that ability, it would not be so dependent on such a fragile mode of operation for its critical infrastructure. But since it is a waste to maintain an idle workforce capable of “doing the job” while not actually doing it (the other option being to run the show itself, which also means a totally different kind of economy), Government resorts to regulation. That too is problematic, since a Good Regulator cannot exist here (a Good Regulator is one that could run the show; how many regulatory authorities actually can?). To counter the problem, new rules are placed on top of older ones, and thus the Regulatorium emerges.

Blood? Critical Infrastructure interdependencies are no less complex than the global Economy (imagine a nation’s critical infrastructure being attacked because it exports energy to another nation, which is the actual target), so it is going to be rivers of it.

Revisiting “Reflections on trusting trust revisited”

In 2003, Diomidis Spinellis in “Reflections on trusting trust revisited” concluded:

“Those of us who distrust the centralized control over our data and programs that TC platforms and operating systems may enforce can rest assured that the war for total control of computing devices cannot be won.”

Well, it is the end of 2011 now and I think we are losing. The computer is being substituted by the tablet, and the tablets are dominated by marketplaces (Kindle, iTunes, Android, webstore, Opera, …). Yes, you can jailbreak, but really, how many do? Since almost every computer-related trend seems to be a periodic phenomenon (just think of how many times you’ve seen the thin client vs. fat client fashion come and go), we are now reliving the walled garden times. Centralized control is all over the commodity tablets and smartphones (is it really a phone, or just a computer that, by the way, dials too?) “for our good”. The market owners do it “for the customer’s benefit”, not for the money. The developers like it, for they push their products through a single channel. And most consumers like it, for they cannot be bothered to search for applications anywhere other than the store.

Variety kills variety, and we’re at the killing stage. We like having options, but we do not like many options, and therefore we have willfully assigned central control to the industry. It is a periodic phenomenon. We’ll reboot when the industry’s grip gets too tight. In the meantime, we who distrust the centralized control over our data and programs are vastly outnumbered by the rest of the consumers.

It has already begun

Not a post, but my response to “How Would We Know if a Cyber War Started?“:

Well, one way to answer the title’s question is this: one can view Cyber War as a highly computerized, evolved form of the Cold War. It began years ago, it is being conducted right now by various players (state and non-state actors), and it will continue in the future. So it has already begun.

Other than that, I’m with @JeffreyCarr on the article’s relevance.

Embracing the Kobayashi Maru

It seems that I am not the only one who has thought† that the Kobayashi Maru can be used in a cyber security context. “Embracing the Kobayashi Maru: Why You Should Teach Your Students to Cheat” describes the tricks employed by students who were given very short notice to memorize the first 100 digits of π and then write them down. The students were allowed to cheat, but if they were caught they would fail the exercise. This was part of a class that aims to help students build adversarial thinking.

While the discussed solutions were indeed innovative, I strongly believe that the average Greek University student would easily come up with a few working plans :) Next time, if the authors want to make the exercise harder, they should use the previous students as proctors and grade them too. That would develop adversarial thinking even further and could become the Prison Experiment of cyber security.

Hat tip to GK for showing me the article!


[†] – Cyberdefense and the Kobayashi Maru.

on cyber attack attribution

Whenever an attack is traced back to Russia (like this one) or China, the attribution decays very fast. One cannot be sure whether the attack was initiated from “within” these countries, or whether they were merely used as hops that conveniently point to the usual suspects. Another interesting observation is that although

“states that deny involvement in a cyberattack, but refuse to open their investigative records to the victim-state, end up casting doubt on their willingness to stop cyberattacks and cannot expect to be treated as a state living up to its international duties. In effect, host-states that refuse to cooperate with victim-states are unwilling to prevent cyberattacks and have declared themselves a sanctuary state“†

this does not seem to (openly) apply to super-powers.

Update: It seems that this specific incident of critical infrastructure failure was not a cyber attack:

“The failure was due to a faulty command inputted by a contractor several months ago who accessed the system remotely while travelling through Russia on personal business. Over time, his mistake caused greater and greater errors until, several months later, the pump failed.”

We should never attribute to malice what can be attributed to a mistake.

[†] – Solving the Dilemma of State Responses to Cyberattacks

Observations from a house broken into

  • Schneier’s Law holds for households. No matter where you’ve hidden it, the burglars will find it. They’ve seen it before.
  • If you want a post-incident assessment of what inside your house has some street value, just make a list of what is missing.
  • A friend observed that people probably do not upgrade their locks as frequently as their software.
  • Why did this happen to me? Why not, indeed.
  • Every day you discover another thing missing. Confusion: Was it stolen or is it just misplaced?

On separate networks and air-gaps

If anything, Stuxnet and Duqu have proved that separate, air-gapped, “more secure” networks do not exist. There exists only one network, the Internet, with some parts labeled as classified and with various degrees of slow connectivity to the rest of the World. And yes, sometimes the networking device is just a human with a (USB) stick.

This, and the exceptions that I have to deal with daily, drive me closer to a firewall-less world. I am not there yet though.