How I came to read “Inside Cyber Warfare”
2011/09/01
From time to time I am privileged enough to attend presentations on cyber warfare that are not so open to the public. In one of such presentations the speaker spoke of Schmitt’s criteria, a set of rules that can help a state decide when dealing with a cyber attack, whether it is an act of war or not.
I set off to learn more on Schmitt’s criteria and eventually found out that they are coded in “Computer network attacks and the use of force in International Law”. I contacted Professor Schmitt asking for a copy of the paper and he directed me to HeinOnline. It seemed that I should pay $30 for 24 hours of access on HeinOnline in order to download the paper. Serious books cost less than that!
So I decided to contact the person who gave the presentation from which I learned about the criteria. He recommended that I should read “Inside Cyber Warfare“. The ebook cost $30. It also happened that the very same day O’Reilly was running a special offer campaign to help the Japanese Red Cross and their Fukushima efforts, so I even bought it for less.
Whose is the loss now HeinOnline?
I cannot stress enough how much I loved “Inside Cyber Warfare”. The author analyzes recent Cyber War incidents, talks a lot about Project Greygoose and the insight that it offered to analysts. It details the three major cyber doctrines and strategies (Russia, China and the US) with lots and lots of references. It contains an analysis on the Law of Armed Conflict and how it correlates to cyberspace and in my humble opinion, it predicts both stuxnet and the RSA hack.
Jeffrey Carr (@jeffreycarr) tweeted to me that a second edition is in the works. I am eagerly waiting for it since the first one covers cyber conflicts up to 2009. And for the third. And for the rest of the editions to come. For this is a continuous book; a lifetime’s work. The landscape is changing rapidly and Jeffrey Carr has positioned himself as one of those few who can accurately and objectively depict it anytime.
PS: For those who want to read about Schmitt’s criteria, Denning’s “The Ethics of Cyber Conflict” is a good place to start:
When Does a Cyber Attack Constitute the Use of Force?
Not all cyber attacks are equal. The impact of a cyber attack that denies access to a news website for one hour would be relatively minor compared to one that interferes with air traffic control and causes planes to crash. Indeed, the effects of the latter would be comparable to the application of force to shoot down planes. Thus, what is needed is not a single answer to the question of whether cyber attacks involve the use of force, but a framework for evaluating a particular attack or class of attacks.
For this, we turn to the work of Michael Schmitt, Professor of International Law and Director of the Program in Advanced Security Studies at the George G. Marshall European Center for Security Studies in Germany. In a 1999 paper, Schmitt, formerly a law professor at both the US Naval War College and the US Air Force Academy, offered seven criteria for distinguishing operations that use force from economic, diplomatic, and other soft measures. (Schmitt, 1999) For each criterion, there is a spectrum of consequences, the high end resembling the use of force and the low end resembling soft measures. The following description is based on both Schmitt’s paper and the work of Thomas Wingfield, author of The Law of Information Conflict. (Wingfield, 2000, 120-127)
1. Severity. This refers to people killed or wounded and property damage. The premise is that armed attacks that use force often produce extensive casualties or property damage, whereas soft measures do not.
2. Immediacy. This is the time it takes for the consequences of an operation to take effect. As a general rule, armed attacks that use force have immediate effects, on the order of seconds to minutes, while softer measures, such as trade restrictions, may not be felt for weeks or months.
3. Directness. This is the relationship between an operation and its effects. For an armed attack, effects are generally caused by and attributable to the application of force, whereas for softer measures there could be multiple explanations.
4. Invasiveness. This refers to whether an operation involved crossing borders into the target country. In general, an armed attack crosses borders physically, whereas softer measures are implemented from within the borders of a sponsoring country.
5. Measurability. This is the ability to measure the effects of an operation. The premise is that the effects of armed attacks are more readily quantified (number of casualties, dollar value of property damage) than softer measures, for example severing diplomatic relations.
6. Presumptive Legitimacy. This refers to whether an operation is considered legitimate within the international community. Whereas the use of armed force is generally unlawful absent some justifiable reason such as self-defense, the use of soft measures are generally lawful absent some prohibition.
7. Responsibility. This refers to the degree to which the consequence of an action can be attributed to a state as opposed to other actors. The premise is that armed coercion is within the exclusive province of states and is more susceptible to being charged to states, whereas non-state actors are capable of engaging in such soft activity as propaganda and boycotts.
Sandworms of Dune
2011/08/31
After suffering the shock of reading “Hunters of Dune”, the final book in the saga was a lot better. Almost as good as the House Trilogy. It still is no match to Frank Herbert’s brilliance, but it proves that had Brian Herbert and Kevin J. Anderson devoted their time and effort to create just the final chapter of the Dune saga instead of creating a cash-cow, they would have achieved something comparable.
I guess I am not a talifan after all. Just disappointed.
Feynman
2011/08/30
Hunters of Dune
2011/07/31
How painfully boring! How totally disrespectful of the original series.
Oh how much I am not buying your excuses (from both of you).
Brian Herbert publish Frank Herbert‘s bare Dune 7 notes if you dare!
God Emperor of Dune [haiku]
2011/05/17
Finished God Emperor of Dune
The BeBook is lighter than the book
Time passes in the bus
These days I am reading “Inside Cyber Warfare” (among other things). Chapter 4 (Responding to International Cyber Attacks as Acts of War) is written by Lieutenant Commander Matthew J. Sklerov. It is a rewrite of his 111-page thesis on the subject which is available online:
Like I said, I have not read the Thesis, but I am reading Chapter 4 from “Inside Cyber Warfare”. It is highly explanatory of the US strategic and military dogmas, including running cross-border operations against enemies who are non-state actors.
Dimitris sent me “The Deadline” as a gift for my birthday. Written by Tom DeMarco (author of “Peopleware“) it is a novel that aims to introduce the reader to the complicate and cruel world of software project management. It also explains why most software projects fail. Clearly. In a buy-this-book-for-your-manager-to-open-his-eyes way. Team formation, design, quality control, unrealistic deadlines, goals and schedules, it is all in there. So if you need psychological support when a project goes bad, you should read the book. It is a good bus read.
It is also a book that opens doors to new worlds. Thanks to the book I learned about the adventures of Mr. Tompkins by George Gamow in which he aims to explain modern scientific theories to a popular audience. I see my stack of unread books getting higher again. I also learned about iThink which seems pretty cool (but then again I find Systems Thinking interesting enough). Pity though that iThink costs as much as it does (should I write my half-baked hack of systems thinking software? Damn! When I cannot buy, I try to write code instead and thus pay in time).
What would I change in the book? I would completely discard the very last chapter. Totally unnecessary. But no harm done, since the story is only the vehicle for the project management message and the message does get through. I’ve been lucky enough to have worked with managers like Mr. Tompkins; for this I want to end this post with the very first notes in Mr. Tompkins’s journal:
Four essentials of Good Management:
- Get the right people
- Match them to the right jobs
- Keep them motivated
- Help their teams to jell and stay jelled
(All the rest is Administrivia)
Amen to that!
A New Kind of Science
2011/04/07
I first learned about Wolfram’s “A New Kind of Science” while reading Chaitin’s “Meta Math! The Quest for Omega“. And from there is all that I know about NKS, for its volume is prohibiting for my spare time. However, for anyone interested, NKS is available online and there’s an iPad version too.
My review on “Algorithms on strings”
2011/03/23
My review on “Algorithms on strings” (for which I’ve blogged before) for the ACM SIGACT News is out. There’s a typographical error though: I did not review “Algorithms on strings” by Dan Gusfield, but “Algorithms on strings” by Crochemore, Hancart and Lecroq.
Thank you Bill Gasarch for the opportunity and thank you for fixing the typo too!
PS: You can download the review PDF from Bill Gasarch’s site.
Update: The review entry is corrected in the ACM site: Like Bill Gasarch wrote to me: “There is no such thing as a final version of anything anymore!“
I think I read the text version of “The Social Organization of the Computer Underground” sometime between 1993 and 1995. Recently I found out that the author has written an anniversary edition with a new introduction to the text (plus PDF and ePub versions).
While information in the text is dated (it was published in 1989) it is still a useful reading for those who wish to understand just a little deeper what went on (and some of what goes on) in the Digital Underground. Even better the introduction offers a methodology on how to do this the right way. I still consider it mandatory reading. My best part of the text is how the following typology from Best and Luckenbill’s 1982 “Organizing Deviance” is used to describe the Computer Underground:
| Form of Organization | Mutual Association | Mutual Participation | Division of Labor | Extended Organization |
| Loners | no | no | no | no |
| Colleagues | yes | no | no | no |
| Peers | yes | yes | no | no |
| Mobs | yes | yes | yes | no |
| Formal Organizations | yes | yes | yes | yes |
I think that people who will read the text will agree that the above typology most probably stands even today. Formal organizations for example do not appear in Meyer’s study, however these days almost every nation is investing in building a cyberwarfare capability (and this is not an “overground” operation).
It is a pity, I think, that such a work cannot be repeated today. If it could, it could provide us with some glimpse into modern cybercrime networks and even espionage (industrial or national) ones. But then again one can hope that there exists the sociologist who will prove me wrong.
PS: Revisiting the text I was reminded of the Cu Digest to which I was a subscriber for quite some time.
Update: Reading the description about the Anonymous group behind the HBGary hacks, I kind of appreciate the above table even more:
“Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things. With that diversity in age and experience comes a diversity of expertise and ability.”
