Considering a Cyberstrike Against Syria

As America crawls toward retaliation against Syria for its government’s use of chemical weapons on its citizens, debate rages over what form it should take. Could cyberweapons be part of such an action?

“Cyberweapons are just another piece of our military arsenal and should be considered along with every other military option,” security expert and author Bruce Schneier told TechNewsWorld.

Cyberweapons can destroy equipment without harming people, he noted, but they can be hard to target and they can hurt innocents — not only in the country at which they’re targeted but in other countries as well.

“Additionally, cyberattacks are a new aspect of warfare, and one not under any existing international agreements or treaties,” Schneier pointed out. “The routine use of cyberattacks will continue to fuel the Internet arms race. It will destabilize the Internet to the detriment of the entire world.”

Calculus of War

In the past, cyberweapons may have been considered outside the order of battle for a conventional engagement, but that’s not the case any more.

“If a decision is made to take some military action against Syria, then a modern component even of limited warfare right now is cyberwarfare, and I’m sure that’s going to be part of the calculus of how best to respond to the gas attacks in Syria,” said Jamie Barnett, a former Navy rear admiral and head of the cybersecurity practice at Venable.

The decision to use cyberweapons could hinge on existing cyberespionage activity in the Arab nation.

“Americans may already be inside Syria’s networks, and they may want to preserve that ability to gather intelligence — so they may not want to use cyberweapons if they would interfere with that ability,” Barnett noted.

That makes a cyberattack highly unlikely, maintained Mikko Hypponen, chief research officer of F-Secure.

“I’m sure the USA is doing cyberespionage to follow what’s happening inside Syria, but I’m not holding my breath to see Stuxnet 2 hit Damascus,” he told TechNewsWorld.

Although cyberweapons may be used, they may be a stealth component in an attack.

“Certain capabilities in the cyberattack world will likely be used, although the public may never know they were used,” Denim Group Principal John Dickson, a former Air Force intelligence officer and an advisor to the Air Force Commanders Group, told TechNewsWorld.

“The same might hold true for the Syrians,” he added.

Hacked Radars

There could be some hesitancy to use cyberweapons in Syria, because once they’re used, their surprise value disappears.

“Cyberweapons, in most cases, are very intelligence-dependent and in certain cases take months, if not years, to prepare,” Dickson explained.

“At the highest levels, there might be some reluctance to use cyberweapons, lest we tip our hand to more formidable potential future threats, like Iran or China,” he said. “We might need those capabilities more in those scenarios.”

Syria is no stranger to being the target of cyberweapons, observed John Murphy, a network security researcher with FlowTraq. During an Israeli action against Syria in 2007, news surfaced that a kill switch had been planted in the Arab nation’s radar installations.

“It was widely reported that this ensured the secrecy of missions and the safety of the jets,” Murphy told TechNewsWorld.

“Less remarked but just as important is that it meant Israel was able to more precisely target those radar installations from a closer distance. Fewer bombs dropped from a closer distance mean fewer bombs gone astray, and in turn fewer civilian casualties,” he explained.

“However, one aspect will weigh heavily on the minds of anyone deploying these technologies: Very often they are single-use,” Murphy pointed out.

“The kill switch trick Israel reportedly used will probably never work again,” he said. “Whatever the U.S. does, it will tip its hand to its capabilities. Every other government on the planet, friend or foe, will watch what the U.S. does and then check to see whether a similar attack would work on them.”

Pandora’s Box

The military may consider cyberweapons just another tool, but whether they should be used at all in a Syrian action is debatable.

“This is the wrong time and the wrong weapon for Syria,” David Bodenheimer, head of the homeland security practice at Crowell & Moring, told TechNewsWorld.

International law bars the use of offensive cyberweapons, he argued. “Anybody that has reviewed the existing treaties and laws for international warfare would conclude that there is at least doubt about the international authority to use cyberweapons offensively.”

Use of offensive cyberweapons could open a Pandora’s box.

“Openly using cyberweapons against Syria will legitimize cyberattacks and open up the rest of the world to use them even when there is serious doubt about whether the weapons are being used for self-defense or not,” Bodenheimer explained.

It’s not in the best interests of the United States to use cyberweapons against Syria, he maintained, because it has more to lose should its cyberattack have unintended consequences.

“The U.S. has more targets for cyberattacks than any country in the world,” Bodenheimer said. “If we pick a cyberwar on Syria, we have a lot more at stake should they open up offensive attacks on us.”

What’s more, once cyberweapons are unleashed, they don’t disappear. They can be scrutinized by the enemy and others.

“Stuxnet, for example, was captured, extensively analyzed, broken down and then became available for reuse,” Bodenheimer observed.

“We have other options beyond cyberweapons for use in Syria,” he added. “It seems to me that it would be prudent to preserve our current arsenal of cyberweapons — whatever they may be — in reserve for a time and scenario where we have few if any other options to stop a threat.”

Breach Diary

  • Sept. 3. Class action lawsuit against Barnes & Noble for 2012 data breach dismissed by federal district court judge, who said revelation of a data breach alone was insufficient to support claim of injury in the case.
  • Sept. 3. Citibank agrees to pay Connecticut US$55,000 for data breach that compromised some 360,000 of its customers’ accounts. About 5,066 accounts belonged to Constitution State’s residents.
  • Sept. 3. U.S. Department of Energy confirms data breach suffered in July and reports some 53,000 past and present employees, their dependents and some contractors were affected by the incident. Information compromised included names, Social Security numbers and birth dates.
  • Sept. 3. Florida-based AvMed announced settlement in case stemming from 2009 data breach. Terms of the settlement were not released. Plaintiffs in the litigation claim they suffered losses from identity theft connected to the theft of improperly secured laptops and information on some 1.2 million customers of the healthcare provider.
  • Sept. 5. Federal appeals court flips lower court ruling barring financial institutions from suing Heartland for negligence in 2008 data breach. Incident was one of the largest of its kind in U.S. history with information on more than 100 million consumers compromised.
  • Sept. 5. California legislature sends to governor bill amending state’s breach notification law to require any individual or company that keeps computerized data on clients or customers to alert them if data breach occurs that compromises their user name and password.
  • Sept. 5. Illinois-based Advocate Medical Group, currently under investigation by federal and state regulators for data breach resulting from the theft of four computers and compromising information on more than 4 million patients, is sued in state court for failing to adequately protect their privacy.
  • Sept. 5. Medical University of South Carolina discloses that credit card records of some 7,000 customers was stolen after overseas hackers compromised systems of Blackhawk Consulting Group, an Illinois-based credit card processing company.

Upcoming Security Events

  • Sept. 10. AT&T Cyber Security Conference. New York Hilton Midtown Hotel, Avenue of the Americas, New York City. Free with registration.
  • Sept. 11-13. 4th Cybersecurity Framework Workshop. The University of Texas at Dallas, 800 West Campbell Road, Richardson, Texas. Free with registration.
  • Sept. 12. Inside the Mind of a Hacker, 9:30 a.m. ET. Webinar sponsored by WatchGuard. Free with registration.
  • Sept. 12. Mobile Work Exchange Fall 2013 Town Hall Meeting. Walter E. Washington Convention Center, Washington, D.C. Registration: government, free; non-government, $495 (Aug. 16-Sept. 11), $595 (Sept. 12).
  • Sept. 16-18. eCrime 2013. Argonaut Hotel, 495 Jefferson Street, San Francisco. Sponsored by Anti-Phishing Work Group. Registration: $475.
  • Sept. 17. The Size and Shape of Online Piracy. 9 a.m.-10:30 a.m. Room 485, Russell Senate Office Building, Constitution Ave. NE and 1st Street NE, Washington, D.C. Sponsored by The Information Technology & Innovation Foundation. Free with registration.
  • Sept. 18-20. Gartner Security & Risk Management Summit 2013. London. Registration: 2,325 euros + VAT; government, 1,800 euros + VAT.
  • Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $895 member, $1,150 non-member. After Aug. 20, $995 member, $1,295 non-member.
  • Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian/The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $875/$775 government; standard to Oct. 3, $995/$875 government.
  • Oct. 2. Visa Global Security Summit — Responsible Innovation: Building Trust in a Connected World. Ronald Reagan Building and International Trade Center, Washington, D.C. Free with registration.
  • Oct. 5. Suits and Spooks. SOHO House, New York City. Registration: Early Bird, $395 (July 5-Aug. 31); $625 (Sept. 1 and after).Oct. 8-9. Cyber Maryland 2013. Baltimore Convention Center., Baltimore, Md. Registration: $495; government, free; academic faculty, $295; student, $55.
  • Oct. 17-18. 2013 Cryptologic History Symposium. Johns Hopkins Applied Physics Laboratory’s Kossiakoff Conference Center, Laurel, Md. Registration information to be announced.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros + VAT delegate/495 euros + VAT one-day pass; Discount from July 27-Sept. 27, 995 euros + VAT delgate/595 euros + VAT one-day pass; Standard from Sept. 27-Oct.27, 1,095 euros + VAT delegate/695 euros + VAT one-day pass; On site from Oct. 28-31, 1,295 euros + VAT.
  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
  • Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
  • Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels