Tuesday, August 27, 2013

What is Cyber?

As a term, Cyber has a broad spectrum.  It has been applied to subjects ranging from low voltage microchips to international law.  In the context of security, when does it apply? Consider a situation where an operator from hundreds of miles away initiated events that shredded a turbine and killed 75 people.  This was not an attack; it was an accident.  But was it a cyber accident?
Is this #cyber?
After seeing articles about SCADA and ICS security citing the Sayano accident (among others) I was compelled to ask the community a series of questions about the definition of cyber, which I tweeted over the course of a single day and tagged #whatiscyber.  What follow are those tweets.  I received some good feedback and I outline some thoughts here.

A modern computer is attached to the Internet and communicates daily with the cloud, is this #cyber?

The most basic definition is that cyber means computing technology, and in particular, computers that are networked.  There is no larger example than the organic Internet, full of people of all intentions, which has the cyberpunk aspects of a wild west, even pseudo-intelligent computer viruses.

A LAN party is disconnected from the Internet, is this #cyber?

If one accepts the previous definition, which clearly many do given the basis of the accepted Wikipedia entry, then what about smaller networks?  A LAN party involves hosting a group of people, complex computing hardware, and protocols for communication, and has probably more than once harbored its share of viruses.  Is this a tiny fractal of the Internet?  Is it cyber?  This introduces the concept of space – a cyberspace being a place where computing occurs.  But, what scale of space is required before it can be called cyberspace?

Is this #cyber?
You have an old 1980's-era, isolated, stand-alone computer not attached to any networks, is it #cyber?

Now we break down.  Many people are thinking this doesn't match the fantastic vision of cyberspace that was spawned in science fiction.  This is boring and dusty.  But, while some say nay, some imagine the awesome complexity of that machine.  Look inside.  Systems and subsystems are dancing in electric light, data in motion.  A data bus is connecting peripheral hardware with a multitude of software entities in a field of RAM. Ask yourself how two modules communicating over a bus are different than two computers communicating over a CAT5 cable.  In this, scale is just a matter of abstraction.  The scale and complexity are vast if you zoom in.

Is this #cyber?
A robotic arm is remotely controlled over wires from 50 feet away, is it #cyber?

This is just a variation of isolation that introduces remote control, perhaps by a human operator.  There are obviously computers involved, and there is a cable - perhaps the CAT5 cable from my previous example.  There is a communication protocol of unknown complexity. There is also an industrial device.  But, the operators are probably confined to a warehouse, and not attached to any large network.  This is where the parallel to the Sayano disaster starts, except that with Sayano the connection was made from 500 miles away, not fifty feet. 

Is this #cyber?
You dial up to the robotic arm using a modem, and give it commands, is it #cyber?
Nearly exactly the same as the previous example except that the connection can be made from a great distance. Does distance matter? The modem is interesting, because the Internet used to run on them.  By exposing this dialup, one exposes a system to the world.  One could say that even the BBS networks that predated Internet adoption were a form of cyberspace.  Telephone networks are complex and span the globe, so they very much smell like cyberspace.  If you think a modem makes it cyber, you are in effect saying that cyber requires networking.  And, not just networking, but also networking of a certain scale.  If you define it this way, then ask where the threshold lies.

Is this #cyber?
You have a line of sight network with a homemade model airplane that carries a video camera, is it #cyber?
Modern in terms of technology, but small in terms of networking.  Not altogether different than the robotic arm example.

Is this #cyber?
The military has a fleet of remotely controlled drones over a city, is it #cyber?
The drone programs used by the military are 100% cyber if you use the media as the yardstick.  There is no better poster child flaunted by the modern, technically advanced military.  Any distinction between the small UAVs controlled by a single soldier and the big UAVs controlled by teams of soldiers seems superficial, doesn't it?  The context of cyber here is not the scale of networking, but the laws of warfare.  Nation states using computers for war is often called cyber, without regard to the details of the technology itself.

A cloud computing infrastructure running millions of lines of code, but isolated in the lab and not being attacked by anyone, is it #cyber?
The isolation case is being beaten to death here, but now consider the idea of the system being attacked.  Even if a complex system is not networked, if it's being attacked by someone does that make it a cyber attack? What if it’s a criminal, not a nation state, is it still cyber?  Cyber is used in conjunction with criminal law all the time. “Cyber-crime” is widely accepted to mean non-state actors operating for personal gain, and has little to do with details of the computing technology used.  Cyber is being applied to both state and non-state computer attacks. And, hacktivism has blurred the ideological lines between warfare and crime.

The above-mentioned cloud infrastructure is a server running the latest virtual-reality MMO with over 10 million users, is it #cyber?

OK, this was a loaded question - we can all agree on an MMO that has over 10 million users.  We can probably agree that this virtual world can be called a "cyberspace".  It, after all, is the closest real representation of the fantastic imagined world of cyberspace spawned in science fiction many years ago.  An attack on this system would most assuredly be called a cyber attack in the media.

By this definition, cyberspace is a computing environment where structure can be visualized (at least in the mind). There is some level of interaction between forms, the most basic being programs interacting with data, and evolving to programs that act as an extension to a human operator.  The MMO example is simply the evolved case of a virtual reality space.

Starting with isolation again…

There is an old, isolated, non-networked computer, but it has a USB port, is it #cyber?

All we did here was introduce a non-networked interface into the otherwise isolated computer.  If this is cyber, then so is the old 1980's-era computer from above if it has a floppy drive.

Is this #cyber?
If it's an old, isolated computer with a USB port, controlling a SIEMENS S7 PLC, is it #cyber?

Yeah.  So if old isolated computers are not cyber, then the Stuxnet attack on the Iranian nuclear plant isn't cyber either.  That is, unless cyber is defined as a malicious attack.  But if it’s only defined as attacks, that means an accident that wipes out 10 million users in that MMO isn't a cyber event, just an IT accident.  Albeit, an IT accident that just wiped out a cyberspace by most accounts. 

If cyber has to be a malicious attack, then Sayano was not cyber.  But, if cyber merely means networking of a certain scale, or remote connections, or is independent of the age of the system, then Sayano was a cyber accident.  And more importantly, a cyber accident that illustrates what could happen to a hydroelectric dam if it were under cyber attack.

A computer of any age with a backdoor installed by a foreign intelligence service, is it #cyber?

Just introducing motive and ideology - a nation state sponsored attack on a computer system would definitely be called a cyber attack by most accounts.  And, it wouldn't matter if that system were a complex computing environment, or a lowly embedded system on a security camera.

Is this #cyber?

An experimental and 100% _mechanical_ computer is backdoored by a foreign nation using sabotaged punch cards, is it #cyber?

Of course it is.