Information security and warfare metaphors: a toxic mix made in hell

I once found myself staying in a small hotel with a "State Department" family whose members clearly all worked for some kind of three letter agency (the family patriarch had been with USAID with the tanks rolled into Budapest) and I had some of the weirdest discussions of my life with them.

The big one was about "cyberweapons" and whether the US should be developing them and what could go wrong from such a program. It was clear to me that these folks knew a lot about classic Cold War deterrence theory, and deep experience with how the military-industrial complex functioned (and didn't function) but that they knew virtually nothing about computers, and this deficit meant that they were terribly, awfully misled in their thinking on the matter.

It was clear that for them, a "cyberweapon" was just another R&D project: just as with the Manhattan project or the labs where they make better cruise missile guidance systems, cyberweapons were an invention that turned on discovering some property of physics and then using engineering to weaponize that property in order to project force over your adversary.

But that's not what a cyberweapon is at all. While it's exciting to read 40-year-old cyberpunk novels where console cowboys wield "ice breakers" to pierce their enemies' electronic defenses, the reality is a lot weirder and more mundane at the same time.

A cyberweapon begins with the discovery of a defect in a piece of software, preferably a widely used piece of software, like the Windows operating system. Read the rest