The Macrosite for News, Analysis and Opinion about the Future of the Internet
Kenneth Geers

The Art of Cyberwar II

Written by Kenneth Geers
5/9/2012 11 comments
no ratings
DISCUSS     Email This

My blog, The Art of Cyberwar, posted on Internet Evolution this past January, described 10 revolutionary aspects of conflict in cyberspace. Based on the feedback I received, I've decided to revisit each of the 10 aspects with a new view based on what I've learned from many comments. Here is my list:

1. Environment
My original statement: The Internet is an artificial environment that can be shaped in part according to national security requirements.

What I've learned: How free or politically stable a country is will help to determine its network security and its preparations for cyberwar. Authoritarian governments will take draconian action, which increases security in the short run, but decreases it in the long run.

2. Proliferation
My original statement: The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them.

What I've learned: Other types of weapons also proliferate quickly. The key for cyberdefense is to organize the attacks into logical groups and defend them as a class of attacks. For example, there are many types of SQL injection, but the same basic defenses are effective against most of them.

3. Proximity
My original statement: The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.

What I've learned: Similar to air power, cyberwarriors can attack but may not be able to seize and hold ground. However, information is an increasingly tangible asset and Denial of Service -- perhaps the "go to" cyberweapon of future conflicts -- can deny its use. Large bandwidth matters when the aggressor is using brute force, but most other cyberattacks fall within normal bandwidth.

4. Unpredictability
My original statement: Software updates and network reconfigurations change cyber battlespace unpredictably and without warning.

What I've learned: This dynamic benefits cyberdefense -- attackers cannot be sure their plans will succeed until they pull the trigger. Cyberattackers benefit from the ability to quickly shift the point of their attack, but defenders can create a unique, deceptive environment, which may be the equivalent of a "home field" advantage to a sports team. For both sides, military doctrine emphasizes hoping for the best and planning for the worst.

5. Advantage
My original statement: Contrary to our historical understanding of war, cyberconflict favors the attacker.

What I've learned: Like pirates, cyberattackers possess a short-term, tactical advantage, but not a long-term strategic advantage. When the element of surprise is gone, and especially if positive attribution is made, more traditional advantages (size, strength, etc.) will determine the victor in a major conflict. Unfortunately for tactical defenders, some critical infrastructure IT is so old that it is no longer under warranty and cannot be upgraded.

6. Flexibility
My original statement: Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.

What I've learned: This dynamic highlights the fact that cyberwar is not separate from physical war, but just one aspect of many different ways of making war. Cyberespionage does not really steal something, just copies it, but potentially millions of times over. Speaking of which, propaganda may be the most powerful cyberattack due to the pure amplification power of the Internet.

7. Attribution
My original statement: The difficulty of obtaining reliable cyberattack attribution lessens the credibility of deterrence, prosecution, and retaliation.

What I've learned: This is more difficult in traditional conflict than we think. For example, spies use stolen passports. A crucial difference in cyberspace is the ease of entry onto the battlefield -- this makes the number of potential adversaries much higher. However, if and when real cyberwar takes place, the attacker's identity will be clear.

8. Quiet
My original statement: The "quiet" nature of cyberconflict means a significant battle could take place with only the direct participants knowing about it.

What I've learned: This is also more true of traditional conflict than we know -- most wars do not have embedded reporters and 24/7 TV coverage. Cyberwar evaluation may be effects-based. If nothing happens in meat space, who cares? If there is property destruction or loss of human life, someone should be held accountable.

9. Subjectivity
My original statement: The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking.

What I've learned: Commercial enterprises cannot defend against nation-state attacks or afford the cyber equivalent of surface-to-air missiles. Is the military destined to defend public utilities and even our home computers? Is legislation required to mandate best-practices? For companies, profit is far more important than security -- but at what point is inattention to security a crime?

10. Morality
My original statement: There are few moral inhibitions to cyberattacks because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering.

What I've learned: The existence of vulnerabilities does not justify an attack. Short-term gains from hacking are undermining the long-term integrity of the Internet. We must try to avoid the unnecessary militarization of cyberspace. Civilians, far from any battlefront, are a logical cybertarget. How about an international non-aggression pact covering national critical infrastructures?

Related posts:

- Kenneth Geers, NCIS Cyber Subject Matter Expert
DISCUSS     Email This
Current display:       newest comments first       display in chronological order
Page 1 of 2   Next >
Mike Acker
Rank: Cyborg
Friday May 18, 2012 8:10:10 AM
no ratings

MJ:="Hopefully, we have learned that war can be more destructive than constructive. I agree with Kenneth below that political agreements may forestall active cyber combat."

?

we should have learned that by now,-- but: it's not in us to make it

"War is politics by other means"
( V.I. Lenin )

This morning's Suggested Reading is on ArsTechnica and deals with cyber war

Here on IEv we ponder "Whither the InterNet". will it be controlled by haquers or by government?

"The world wonders"

I would add: if the government attempts to "control the internet for the safety of citizens" control will be effected by a gang of political appointees.  It is safe to predict these will be less than competent the result of which will be haquers will continue to haq the net like crazy

effective action

an industry council should be formed to write the necessary RFCs to define Computer Network Security Requirements (CNSR)

CNSR should define Control of Software Distribution, Sandboxing of Executable Documents, Software Auditing, and response.  The Council would giude the transition of the RFCs into FCC rules.

The Council should be compose of stake holders from medical and financial interests.

Mary Jander
Thinkernetter
Monday May 14, 2012 10:02:22 AM
no ratings

Yes indeed, Mashka. But we no longer live in a feudal society. Hopefully, we have learned that war can be more destructive than constructive. I agree with Kenneth below that political agreements may forestall active cyber combat.

Mashka
Researcher
Saturday May 12, 2012 4:22:30 AM
no ratings

Mary,  I guess, the expression " The art of war ( or cyberwar) comes from the famous Chinese treatise " The art of war" by Sun Tzu.

 

 

Mr. Roques
Researcher
Friday May 11, 2012 5:04:26 PM
no ratings

I've been involved with creating a CERT and one of the first things we did was identify the critical infrastructure that we were protecting and the ways in which a hacker might attack it. This depends on the industry, it might be credit card databases but it could be automated controls for dams.

Once you identify this, you need to determine what are the ways in which someone might attack that. Maybe protecting yourself against DDoS attacks is not as important as worms or trojans.

Kenneth Geers
Thinkernetter
Thursday May 10, 2012 4:20:02 PM
no ratings

Kim, That's right. Timing - and creativity - are critical, amplifying factors that could turn an ordinary cyber attack into a national security crisis. - Kenneth

Kenneth Geers
Thinkernetter
Thursday May 10, 2012 4:11:25 PM
no ratings

DukeW, Thanks for your post. I wonder if we can get this thing "fixed". IF modern software is too complicated to secure, we cannot disconnect it from the Net, and traditional deterrence does not work because of anonymity and asymmetry, then I think we may be stuck with political agreements not to attack each other.

Kim Davis
Thinkernetter
Thursday May 10, 2012 11:55:23 AM
no ratings

I think you're right, Kenneth, that the advantage enjoyed by cyber-attackers is short-term.  When it comes to DDoS attacks, once the victim understand what's happening it's usually possible to overpower the attacking botnet.

The danger, of course, is that if the target is important enough - the power grid, say - that short-term advantage might cause enormous damage.

Mary Jander
Thinkernetter
Thursday May 10, 2012 9:38:36 AM
no ratings

First of all, I agree that we do need to prepare defensively for cyberattack. No doubt we aren't doing half enough in that regard.

I have never heard my family members (veterans of active combat) use the word art relative to war. Tactic, strategy, yes. Hell, yes. Art, no.

DukeW
IQ Crew
Wednesday May 9, 2012 7:29:09 PM
no ratings

Mary, I'm sorry to disagree, but I have several friends who jump out of aircraft for a living that would disagree with your basic premise.  There is indeed an art to war, and these gents practice it so the rest of us don't have to.  The world is not a pretty, happy place, and there are some who would do us harm.  Note Mr. Hasib's observation: he would like to prevent the UNNECESSARY militarization of the Internet.  When we can all agree on what is necessary, we'll be in business.  Until then, Sun Tzu's ancient tome holds sway -- we cannot prepare for what our enemies WILL do, so we must prepare for what they CAN do.  To quote another wise-but-dead guy (Vegetius), "Si vis pacem, para bellum" ("If you wish for peace, prepare for war.")  When I think of all the SCADA-based electrical grids and dam spillways wired up to the Internet, I just cringe.  We need to be thinking about getting this fixed before it bites us in the butt.  The most ironic part is that the Internet was originally designed as a communication medium that could survive nuclear warfare.  When we came to our senses and put away the big, nasty toys, we gave the Internet to the world as a gift.  Now, our enemies want to turn it into a dagger aimed at our hearts.  Let's at least try not to make it too easy for them to hurt us, okay?

Mary Jander
Thinkernetter
Wednesday May 9, 2012 5:42:23 PM
no ratings

Thanks for the thought-provoking followup, Kenneth. Reading through your new thoughts reinforces my sense that cyberwar is another aspect of human destructiveness that we can live without. As you put it: "We must try to avoid the unnecessary militarization of cyberspace."

Page 1 of 2   Next >
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
previous posts from Kenneth Geers
Kenneth Geers
Kenneth Geers   3/4/2013   31 comments
Cyberattacks are back in the news, but there is still legitimate skepticism regarding their true threat to national security.
Kenneth Geers
Kenneth Geers   8/15/2012   18 comments
National security thinkers are still debating whether a"“Digital Pearl Harbor" is possible. But in the ongoing revolution in Syria, the cyber battleground is already strewn with interesting proofs-of-concept.
Kenneth Geers
Kenneth Geers   1/24/2012   25 comments
The establishment of the US Cyber Command in 2010 confirmed that cyberspace is a new domain of warfare. The computer is not only a target but also a weapon. Therefore, national security thinkers must find a way to incorporate cyberattacks and defense into military doctrine as soon as possible.
Kenneth Geers
Kenneth Geers   12/13/2010   18 comments
World leaders fear that cyber-terrorism and cyber-warfare may pose a real threat to national security. In the future, unknown hackers might target everything from electricity to elections.
5
of
Beau Brendler
Terrorism Expert Says US Gave Away Stuxnet Tech
4|4|12   |   3:29   |   9 comments

US counterterrorism expert Richard Clarke, who came to prominence with his prescient warnings before the 9/11 attacks, tells Smithsonian Magazine the US was responsible for the Stuxnet supersmart worm that attacked parts of nuclear reactors in Iran – and in the process, has given away one of the world's most sophisticated cyberweapons.
what.the.ferraro
CMAS Alert! Something's Wrong! Or Not!
11|2|11   |   03:18   |   27 comments

If you have a CMAS-enabled handset, be prepared to receive scary alerts from the government.
Wisdom of the Big Chair
Facial Recognition Looms on the Horizon
7|27|11   |     |   4 comments

Law enforcement agencies are poised to use iPhones as facial recognition systems in the coming months. The technical advance promises efficiency but has created a backlash among civil liberties proponents.
Full Nelson
The New Cyber War
10|8|09   |   3:06   |   4 comments

Cyber Warfare may be the next frontier for tactical hacking. It has already reared its head in Estonia, Russia, and Georgia, and some say it has been used by North Korea, China, and other world powers. The implications and the potential are both fascinating and scary.
Second Shooter
Europe Considers One Network to Cover them All
1|17|13   |   1:45   |   12 comments

EU operators are considering joining up to create a pan-European network to reduce competitive overbuild and cost. This might lower costs and focus operators on higher-level, more interesting services.
Kim Davis
Aaron Swartz, RIP
1|14|13   |   2:36   |   6 comments

The Internet freedom activist, threatened with jail time, seems to have taken his own life last week.
Second Shooter
Moratorium on Internet Regulation Could Be Dangerous
12|6|12   |   2:15   |   No comments

Congress is considering a bill to extend a moratorium on Internet regulation changes for two years. But with issues like service quality, cloud performance, and privacy looming, we risk contaminating the Internet with fraud.
Kim Davis
British Hacking Report Is 'Bonkers'
12|5|12   |   2:20   |   3 comments

Prime Minister David Cameron pledged to accept the hacking report’s recommendations unless they were “bonkers.” He’s rejecting the main one.
Second Shooter
Don't Be Scared of the ITU
12|4|12   |   2:04   |   8 comments

The risk of the ITU taking over the Internet is overblown. First, it's almost certain its goals are simply to create orderly interconnect and settlement. Second, how good a job has ICANN done anyway? If we don't like international control we should clean up our own processes in both governance and interconnect!
Mary E. Shacklett
Financial Services Policies Lag Tech Advances
12|4|12   |   2:18   |   6 comments

Regulations haven't kept up with advances in mobile devices and credit cards.
IETV: the thinkerNet on film
5
of
Paul J. Fleuranges
Digital Signage Keeps NYC Subway Straphangers on Track
5|6|13   |   3:51   |   No comments

New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
Kim Davis
Fast Forward to the Future
4|23|13   |   2:29   |   20 comments

A look back at tech writing in the 90s makes us wonder where enterprise IT will be 20 years from now.
Mitch Wagner
Google Launches Its Most Depressing Service Yet
4|15|13   |   2:59   |   10 comments

Google's new Inactive Account Manager lets you control how Google disposes of your accounts when you die.
Second Shooter
Argument Over Top-Level Domains Is 'Stupid'
4|11|13   |   2:07   |   3 comments

The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
Kim Davis
Ladies, Your Tablet Awaits
3|21|13   |   2:22   |   37 comments

ePad Femme is the world’s first tablet “made exclusively for women.”
Wisdom of the Big Chair
NFC Moves Into the Mainstream
3|20|13   |   2:16   |   No comments

While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Wisdom of the Big Chair
Integrating Security Into Your Cloud Contract
3|19|13   |   3:35   |   No comments

Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Brian Baron
How Edmunds.com Collects Customer Information
3|18|13   |   1:15   |   No comments

Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
Brian Baron
How Edmunds.com Uses Analytics to Customize Site
3|14|13   |   0:47   |   No comments

The automotive website uses propensity modeling to target ads and customer registration forms, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
Second Shooter
Locked Handsets Aren't the Problem – Subsidies Are the Problem
3|13|13   |   2:09   |   10 comments

Subsidized handsets, rather than locked handsets, should be the focus of regulators. We're not getting good deals, not fostering innovation, and weakening our power as buyers.
an IBM information resource
sponsored content
big blue blog
Todd Watson
Todd Watson   5/17/2013   1 comment
It's been 17 years since I've visited the city of Dublin, but I still have some very distinct impressions from my one and only visit.
an IBM information resource
sponsored content
Expert Integrated Systems: Changing the Experience & Economics of IT
In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator.
READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE!
REGISTER HERE
Wanted! Site Moderators
Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?

Please email: moderators@internetevolution.com
Internet Evolution – not for thickies
Keep Critical Data With a Knowledge Management System
Taimoor Zubair
Fortune 500 companies lose at least $31.5 billion a year by failing to share knowledge. A Knowledge Management System (KMS) can help companies significantly reduce these costs.
CLICK FOR MORE
Intel's Haswell On-Die GPU Is Lean, Powerful & Built for Cloud
Jason Mick
Whether you’re an engineering firm that uses CAD for parts design, or an e-business that leverages Photoshop for user-interface graphics, you likely require a modest graphics-processing unit. In the old days, this was a daunting hurdle to innovation, but today, the situation has improved thanks to technologies like NVIDIA’s GRID and Microsoft’s RemoteFX. Such virtualized graphics protocols allow you to load-balance graphics-intensive workloads from virtual desktops on a server-side graphics card.
CLICK FOR MORE
IT Suffers From Obama Admin's Jekyll & Hyde Approach to Privacy Rights
Ron Miller
Recently, the Obama administration has been of two minds where privacy rights are concerned. On one hand, you have an administration that vowed to veto CISPA and mandated open data for government websites. On the other hand, you have an increasingly out-of-control Department of Justice on a fishing expedition at AP and demanding legislation to let the FBI wiretap private, encrypted communications and levy fines if a company fails to comply.
CLICK FOR MORE
IT Suffers From Obama Admin's Jekyll & Hyde Approach to Privacy Rights
Ron Miller
Recently, the Obama administration has been of two minds where privacy rights are concerned. On one hand, you have an administration that vowed to veto CISPA and mandated open data for government websites. On the other hand, you have an increasingly out-of-control Department of Justice on a fishing expedition at AP and demanding legislation to let the FBI wiretap private, encrypted communications and levy fines if a company fails to comply.
CLICK FOR MORE
Baking Up Business With Facebook Advertising
Harry Hawk
Facebook advertising is a lightning rod. It seems neither brands nor consumers are 100 percent happy about the social media site's policies, placement, or procedures. But the real controversy about Facebook ads and promotions is over whether they work.
CLICK FOR MORE
IT Suffers From Obama Admin's Jekyll & Hyde Approach to Privacy Rights
Ron Miller
Recently, the Obama administration has been of two minds where privacy rights are concerned. On one hand, you have an administration that vowed to veto CISPA and mandated open data for government websites. On the other hand, you have an increasingly out-of-control Department of Justice on a fishing expedition at AP and demanding legislation to let the FBI wiretap private, encrypted communications and levy fines if a company fails to comply.
CLICK FOR MORE
Websites Should Consider Tougher ID Verification Policies
Alan Reiter
The apartment and house sharing service, Airbnb, now requires members to verify their identities by demonstrating a presence on the web, and by either scanning a government ID or entering detailed personal details. Other enterprises should take a close look at Airbnb's verification policies.
CLICK FOR MORE