My blog, The Art of Cyberwar, posted on Internet Evolution this past January, described 10 revolutionary aspects of conflict in cyberspace. Based on the feedback I received, I've decided to revisit each of the 10 aspects with a new view based on what I've learned from many comments. Here is my list:
My original statement: The Internet is an artificial environment that can be shaped in part according to national security requirements.
What I've learned: How free or politically stable a country is will help to determine its network security and its preparations for cyberwar. Authoritarian governments will take draconian action, which increases security in the short run, but decreases it in the long run.
My original statement: The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them.
What I've learned: Other types of weapons also proliferate quickly. The key for cyberdefense is to organize the attacks into logical groups and defend against each group as a class of attacks. For example, there are many types of SQL injection, but the same basic defenses are effective against most of them.
My original statement: The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.
What I've learned: Similar to air power, cyberwarriors can attack but may not be able to seize and hold ground. However, information is an increasingly tangible asset and Denial of Service -- perhaps the "go to" cyberweapon of future conflicts -- can deny its use. Large bandwidth matters when the aggressor is using brute force, but most other cyberattacks fall within normal bandwidth.
My original statement: Software updates and network reconfigurations change cyber battlespace unpredictably and without warning.
What I've learned: This dynamic benefits cyberdefense -- attackers cannot be sure their plans will succeed until they pull the trigger. Cyberattackers benefit from the ability to quickly shift the point of their attack, but defenders can create a unique, deceptive environment, which may be the equivalent of a sports team's "home field" advantage. For both sides, military doctrine emphasizes hoping for the best and planning for the worst.
My original statement: Contrary to our historical understanding of war, cyberconflict favors the attacker.
What I've learned: Like pirates, cyberattackers possess a short-term, tactical advantage, but not a long-term strategic advantage. When the element of surprise is gone, and especially if positive attribution is made, more traditional advantages (size, strength, etc.) will determine the victor in a major conflict. Unfortunately for tactical defenders, some critical infrastructure IT is so old that it is no longer under warranty and cannot be upgraded.
My original statement: Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.
What I've learned: This dynamic highlights the fact that cyberwar is not separate from physical war, but just one aspect of many different ways of making war. Cyberespionage does not really steal something, just copies it, but potentially millions of times over. Speaking of which, propaganda may be the most powerful cyberattack due to the pure amplification power of the Internet.
My original statement: The difficulty of obtaining reliable cyberattack attribution lessens the credibility of deterrence, prosecution, and retaliation.
What I've learned: This is more difficult in traditional conflict than we think. For example, spies use stolen passports. A crucial difference in cyberspace is the ease of entry onto the battlefield -- this makes the number of potential adversaries much higher. However, if and when real cyberwar takes place, the attacker's identity will be clear.
My original statement: The "quiet" nature of cyberconflict means a significant battle could take place with only the direct participants knowing about it.
What I've learned: This is also more true of traditional conflict than we know -- most wars do not have embedded reporters and 24/7 TV coverage. Cyberwar evaluation may be effects-based. If nothing happens in meat space, who cares? If there is property destruction or loss of human life, someone should be held accountable.
My original statement: The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking.
What I've learned: Commercial enterprises cannot defend against nation-state attacks or afford the cyber equivalent of surface-to-air missiles. Is the military destined to defend public utilities and even our home computers? Is legislation required to mandate best practices? For companies, profit is far more important than security -- but at what point is inattention to security a crime?
My original statement: There are few moral inhibitions to cyberattacks because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering.
What I've learned: The existence of vulnerabilities does not justify an attack. Short-term gains from hacking are undermining the long-term integrity of the Internet. We must try to avoid the unnecessary militarization of cyberspace. Civilians, far from any battlefront, are a logical cybertarget. How about an international non-aggression pact covering national critical infrastructures?
- Kenneth Geers, NCIS Cyber Subject Matter Expert