Cyber war is sexy
Setting up the scene
Cyber war is real.
I am not a cyber warrior.
Let’s have fun.
Headlines in news
Matrix is coming
“World looks exactly like a Bruce Sterling novel”
New World Order is here
Cyber war affects the society
Cyber war is wrapped in myths
Problem of informed decision
State is involved
Different lyric, same song
Cyber war is not something completely
Cyber war is new rather then alien
The more cyber changes things, the
more they remain the same.
Real, not virtual impact
Same people in charge
Everything is new
War never changes
Offense is easy.
Defense is hard.
Cyber war is cheap.
Attack vectors and attack surface are
critical to understand.
This is what defender protects
The more developed country, the larger attack
surface, the less realistic defense
This is what attacker uses
There is not finite number of attack vectors
Attack vectors can be of technology, social,
conceptual or other quality
Cost of cyber war
Computer, brain and network connection is all the
Cost of “the western way”
Hidden cost of technology advancements
Democracy as a weakness
Information as a target
Two-Face of information
Information can be the target of cyber
campaign or a tool – or both.
Denial of information
Information as a weapon
Offensive cyber strikes
Information as an environment
Adaptability & swarming (Arquilla, 2005)
Information supremacy (Arquilla, 2011)
Multiple attack vectors are cheap
Cylons were right. Network everything
cannot be wrong!
Underground economy supplies demand
Botnets for hire – or taking
Weaponized malware, zero day vulnerabilities
Attack surface is wide
Air gap does not work
USA pioneering smart grid faces issues
What should never be connected to the internet – is.
USA infrastructure rigged with logical bombs
Government capabilities are unmatched
Key actors are states and international
organizations, including organized
crime and terrorists. Individuals are
playing the role of collateral damage.
Because of legal options for governments
Different power levels are incomparable
Money always helps
Hiring people working for profit
Cyber terrorists are like child porn
Cyber is perfect weapon for them
Scarce if any success stories
Interaction in underground economy
Actors meet in the gray area
If we don’t buy it – the bad guys will!
States of interest
USA, China, Russia & Northern Korea –
this is the big four.
Czech republic is zero. Almost exactly.
Most advanced in technology
Strong in attack
The biggest threat (Mandiant, 2013)
Denies everything (US Congress, 2012)
No one can do anything about them
Cyber war is cheap
2003, Iraq war
Battlefield online, information supremacy
History of cyber war
Starting with information supremacy
on the battlefield, going through
information denial and propaganda
towards cyber weapons and
weaponized malware. In ten years.
Russia “patriots” targeting banks, media and state
NATO wake up call
No nuclear plant, Korean workers, AA defense and Israel
Russian “patriots”, information blackouts
Well documented (US-CCU, 2009)
Targeting Iran’s nuclear program
Admitted by USA – Barack Obama, project Olympic games
Cyber espionage attack from Russia (Ministry of Justice of
2013, Czech Republic
It’s a wild west right now. The rule of
the strongest. No legal framework.
Espionage vs. sabotage
Preparation of the battlefield loophole
Act of war, kinetic response
Leading the progress – in good or bad ((Clarke & Knake,
International legal framework
Does not exist
History of fails (for example Russian proposal to UN in
One sided claims (DoD, 2011)
Bilateral agreements (USA-Russia since 2011)
Ad hoc only
Aims towards responsibility for cooperation
The need for strategy on international
as well as state level is recognized. One
shared idea is not, though.
Who to nuke?
Problems with escalations in decisive first-strike
scenarios (nuclear weapons analogy)
Tallinn manual – where cyber war was born
The latest input for discussion
Defenseless against governments
Demands protection, refuses regulation
Privately owned critical infrastructure
Problem of trust between unequal partners
Direction goes to prescribed level of security,
without regulated means how to do it
Cyber warrior wanted!
People with cyber security skills are in
high demand. This presents and will
present unique opportunity to be part
of something great. Also – these
people are a bit crazy. Wanna join?
Lack of skilled professionals in private and
government sector (and underground as well)
There is a space for both highly specialized experts
as well as cross-border generalists
USA universities opening sponsored programs for
cyber warriors (sponsored by NSA, CIA, various
USA plans to quadruple current (2013) force by 2015
Different services are looking for those special
talents – to hire them or at least persuade them
to harm the opponents
Cyber war seems like victimless and
clean – but it is not. Simulations, war
games and debates are going on to
test the waters. What is the price of
privacy and security for a human
Is drone killing people or the operator?
Are civilian targets legit?
Where is the line between human rights and
Regularly held by military and private organizations
Red and Blue teams
Mostly focused on the problems of escalation and
kinetic force involvement
Impact on civilians
Problem of helpless bystander – no one wants to be
Cascading effects (power plant, power grid,
How can civilians influence the discussion?
I hope you enjoyed the ride. If not –
blame the speaker, not the topic and
give it a second chance. It is worth it.
Security conferences (Defcon, Blackhat)
Governments (USA, NATO, EU)
Security companies reports (Mandiant, Prolexic,
Security, military and political think tanks
Blogs (Schneier, Krebs)
Twitter (strong hacking community)
Author@ Petr Špiřík
Twitter @ HidenatNet
Email @ email@example.com
Robertson, A., 2013, ‘It's Bruce Sterling's novel, we just live in it’ [online], available from:
Clarke, R.A. & Knake, R., 2012, ‘Cyber War: The Next Threat to National Security and What to
Do About It’, Ecco
Arquilla, J., 2011, ‘From blitzkrieg to bitskrieg: the military encounter with computers’,
Communications of the ACM, vol. 54, no. 10, 2011
Arquilla, J., 2005, ‘Swarming and the Future of Conflict’ [online], Available from:
Mandiant, 2013, ‘Exposing One of China’s Cyber Espionage Units’ [online], Available from:
US Congress, 2012, ‘Investigative Report on the U.S. National Security Issues Posed by Chinese
Telecommunications Companies Huawei and ZTE’ [online], Available from:
US-CCU, 2009, ‘Overview by the US-CCU of the Cyber Campaign Against Georgia in August
2008’ [online], Available from: http://www.registan.net/wpcontent/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf
Sanger, D. E., 2012, ‘Confront and Conceal: Obama's Secret Wars and Surprising Use of
Leverett, E.P.,2011, ‘Quantitatively Assessing and Visualising Industrial System Attack Surfaces’
[online], Available from: http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverettindustrial.pdf
Gorman, S., 2009, ‘Electricity Grid in U.S. Penetrated By Spies’ [online], Available from:
DoD, 2011, ‘Department of Defense Cyberspace Policy Report’ [online], Available from:
CCDCOE, 2013, ‘Tallinn manual’ [online], Available from: http://www.ccdcoe.org/249.html
Ministry of Justice of Georgia, 2012, ‘CYBER ESPIONAGE Against Georgian Government’
[online], Available from: