Vulnerabilities / Threats
9/3/2013
10:03 PM
Tom Parker
Tom Parker
Commentary
Connect Directly
RSS
E-Mail
50%
50%

An Unrestricted Syria

Cyber on the table for Syria's possible response to a U.S. missile strike?

As the world waits to see what the U.S. and its allies will do in response to Syria's purported chemical weapons attacks and much of the media mulls the repercussions of action versus doing nothing at all, the usual talking heads have started their inevitable riff on the usual cyberconflict hype playlist (attacks against the power grid and so on). In contrast to the relatively well-informed dialogue on most news channels regarding Syrian weapons systems and trade agreements with allies such as Russia, dialogue around how cyber may play a role seems to lack any sophistication or depth whatsoever. Since mainstream media is missing a trick here, it seemed like a good opportunity for a little more dialogue on the subject.

In 1999, a pair of Chinese PLA colonels published a book entitled "Unrestricted Warfare." The topic of the publication was to document ways in which a technologically inferior nation-state (such as China), may overcome its disadvantage through the use of unconventional warfare. In many ways, Unrestricted Warfare is a modern adaptation of the more subtle philosophies discussed in the Art of War. Methods discussed include economic warfare, terrorism, "lawfare" (a term for political activism aimed at causing legislative change) and electronic warfare.

Strategically speaking, in lieu of an ability to mount a conventional militarily response to action by the U.S., such an approach puts cyber front and center in terms of a viable response for Syria. Further to this, if we consider the political turmoil faced both in the U.S. and Britain as to how the world might respond to a chemical attack, consider the challenges and political collateral associated with similarly conceiving a proportionate response to a cyber-counter-offensive by Syria. I can't imagine that UN weapons inspectors have a great deal of experience attributing exploit payloads.

Thus far, most of what we know (in the public domain) about Syria's cyber capability is limited to the Syrian Electronic Army (SEA), who have been responsible for a handful of DDoS attacks, website defacements, and perhaps most notably, the compromise of an Associated Press's Twitter account, which was utilized to post misinformation regarding an act of terrorism that led to a $200 billion dip in the stock market.

Although many of the capabilities demonstrated by the SEA are far from those that we might expect from a state-level information operations program, there is currently very little evidence that the SEA is any way representative of the cyber muscle that Syria may be able to bring to bear if sufficiently provoked. Further to this, it is almost impossible to fully account for the cyber technology transfers that may occur, if Syrian sympathizers such as Iran elect to come to Syria's aid in the event of a US or allied military strike.

Although a successful offensive against the U.S. media's favorite cyber warfare target (the power grid) is extremely unlikely, if nothing else, the SEA was able to undeniably prove the viability, potential effectiveness and their ability to couple two of the key principals discussed in the Chinese colonels publication: electronic and economic warfare. While I find it unlikely that Syria is sufficiently prepared to affect a cyber counteroffensive of any significance by itself, unlike arms transfers in the kinetic warfare domain. Allies and groups sympathizing with the Syrians could likely prove a significant force multiplier, without drawing the attention that conventional military assistance may result in, possibly making such a strategy an even more attractive option for the Syrian regime.

Should a cyber-orientated cyber offensive occur, Syria may very well attempt to cast the same uncertainty and doubt on who is behind the attack, which they have rather successfully applied to the reported chemical weapons attacks. The media response, public outrage, and political circus that would likely follow would unlikely put an end to their troubles, but may throw a curve ball that few are prepared to fully address.

Tom Parker is CTO at FusionX

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3594
Published: 2014-08-22
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

CVE-2014-4197
Published: 2014-08-22
Multiple SQL injection vulnerabilities in Bank Soft Systems (BSS) RBS BS-Client 3.17.9 allow remote attackers to execute arbitrary SQL commands via the (1) CARDS or (2) XACTION parameter.

CVE-2014-5097
Published: 2014-08-22
Multiple SQL injection vulnerabilities in Free Reprintables ArticleFR 3.0.4 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) get or (2) set action to rate.php.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.