Sunday, March 21, 2021

Cyber is perfectly fine for Signaling

The other day I read an article about cyber signaling. Signaling in international relations contexts confuses me because so much of it is about an uncertain reality, and the truth behind intensions is never know, and it weaves so much geopolitical and military context together.

I pasted a section of the article, including links to the authors, below.

To quickly summarize the article's arguments, as I saw them, I also include the following bulleted list:
  • Cyber Signals are easily muddled or misconstrued, such as with overall noise or system outages.
  • Reliance on "attribution" may make Signals delayed (and hence, less powerful)
  • Hard to say what a cyber event was intended to Signal
  • Most cyber events don't cause big visible effects which makes them cheap (and hence, basically worthless)

The article mentions that yes, nations can call each other on the phone after a cyber event has happened, and point out why that event happened and provide additional threats and context.

I would say these arguments are unpersuasive, and that cyber both IS and HAS BEEN great for signaling between nations and often also between non-state actors.

First I think signaling can be split nicely into warnings and demonstrations of capabilities, and these are not the same things. But to start off, I want to tell a few stories of yesteryear.

Back in 2002, there was a mailing list known as Bugtraq that was used the way Twitter is used now - to post flotsam and jetsam about information security, including exploits. At the time, ISS XForce was, as the name might imply, a pretty powerful force. They released a number of great exploits and had a lot of talent that went on to do great things, but that's not the story I'm trying to tell.

Back in 2002 ISS XForce announced a vulnerability in the Apache Webserver - one that was only exploitable on Windows. This was essentially a "good" bug, but worthless in the sense that most people running Apache were not on Windows. 

Then, out of nowhere, a hacking group known mostly for shitposting published a working and reliable exploit for that same vulnerability, but that affected Apache on Unix operating systems, complete with an advanced shellcode, as you can see from the article below and this made people reassess the situation.

I don't mean "reassess the situation about Apache". What I mean is that a lot of us were thinking "Hey, maybe the best in the world doing commercial work and releasing exploits to vendors are not, in fact, ahead of this game". This wasn't about Signaling in the sense that one nation was trying to deter or coerce another. But it was Signaling in the sense that one community ("hackers") was pushing back on another community ("the commercial security market").  

That brings me to TianFu Cup. 

If you don't know about it, the TianFu Cup follows in the tradition of Pwn2Own and other hacking contests in which you use an 0day on a product in a demonstration, and then you get money as a prize and the contest gives the 0day to the vendor to be fixed (in most cases). These contests are often watched carefully and vendors often drop patches to their products right before them, in an attempt to make exploiting them difficult. 

Except that while even the highest end contests in the US have notable successes, none have ever reached as high as TianFu Cup does effortlessly, when one of the researchers owns every major browser, and every other hard target falls as well. You can compare this to the 2020 Pwn2Own here.

Again, this is a stunning display of not coercion or deterrence, but capability. 

But there ARE lots of examples of coercion and deterrence in cyber. I will list them below in my favorite thing, a bullet-list:

If anything cyber signals (and other covert but demonstrable effects) are extra powerful because they can say "KNOCK THIS OFF" without saying who sent it, or HOW they managed to send that signal - which in some cases is a lot scarier. 

Likewise, countries signal with policy changes. They announce quite clearly when the move to a more aggressive posture, or when they step back. You can't go two weeks without some country or another, like New Zealand, announcing their own private interpretation of how international law applies to Cyber. 

But that doesn't mean signals aren't also done with restraint, or through side notes in Track 2 meetings. The HolidayBear attack is a lot less transgressive than the NotPetya attack. The Exchange server hacks are an element of continued relationship breakdown between the US and China. Leaking data as a "signal" is an element of the original terminology of the cyber domain ("Dropping a mailspool" being the traditional term). And we continue to see that to this day. It's probably worth pointing out that while leadership-to-leadership is often required for traditional military capability signaling, Twitter with its pseudonymous accounts is often good enough for cyber.

Incident response can also be used for signaling. Many major anti-virus or endpoint protection firms make efforts to signal, by exposing US or allied operations, that they are international companies, wishing to do business in China or other locations. And this can get even more complicated, since many incident response firms will downplay the findings from particular countries they wish to curry favor with or exaggerate those from "adversaries". 

In conclusion, signaling with cyber is both effective and likely to continue.