Feeds

Forget the word 'cyberwar' says Marcus Ranum

If nobody can win, it's not a war

Internet Security Threat Report 2014

Security veteran and CSO at Tenable Marcus Ranum has made a plea* for the world to stop using the expression “cyberwar”, for the very good reason that there's nearly no way in which it resembles war in the physical world.

“How can you call something a domain of warfare when the most important properties of warfare cannot properly be applied to it?” Ranum asked delegates to the AusCERT 2013 last Friday.

A land war, he said, includes the ability to win, defences that might actually work, and manoeuvrability – none of which are tenable concepts in trying to defend computers from attack. He also voiced a deep suspicion that the word “cyberwar” exists solely so that the military can lay claim to it, and all the responsibilities and budgets that go with it.

“Anyone talking about cyberwar is trying to enlarge their influence,” he said.

There are, he added, a lot of people in the US military concerned that “someone's going to ask 'why do you have all this expensive cyber security stuff, when you keep getting owned by 14-year-old kids?'”

Whereas victories in a topological war might involve a surrender by one side, he said, “What does 'winning' even mean in cyberspace? What does the concept of victory mean?

“As far as I can tell, the only way you can really declare victory in a cyber-battle is if you are Intel, Microsoft and Cisco combined, and you can say to the other side, “you lose” and they agree.

“It's not going to happen. You cannot conclusively drive your opponent away. In topological warfare, if you attack me with a thousand tanks and I destroy them, then you need another thousand tanks.”

The failure of any defence in cyberspace is just as inevitable as the ultimate failure of every castle ever built, because if an attacker cannot take a position by storm, there's always bribery or subterfuge.

“The dymanics of warfare simply do not apply in cyberspace. You cannot cost your attacker so much that they can never come back,” Ranum said.

“I do not think of cyberspace as a military thing,” he said, and the use of “cyberwar” represents militaries, companies and governments “Desperately trying to find analogies in old thinking that apply to a new field”. ®

*Bootnote: the usual press cliché is to describe it as an “impassioned plea”. It was the first keynote on the last day of the conference, after the gala dinner, and heads were so sore nobody was being impassioned. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.