
On the Eve of E-Destruction

Written by Terry Sweeney
10/28/2009 7 comments

Spend less on cyber-defense, not more, the RAND Corp. advises in a recent position paper prepared for the U.S. Air Force that also concludes that the best defense is not a good offense -- just a really good defense. But wait... won't that cost money?

Author Martin Libicki's 240-page monograph, "Cyberdeterrence and Cyberwar," has been praised and vilified across the blogosphere. But whether you agree with Libicki's analysis and conclusions, the report makes abundantly clear how freely the laws of unintended consequences operate when the Internet is the battleground.

The ascent of cyberspace as a military domain has led some to conclude that the same principles that have guided land, sea, air, and space defense can be applied to the Internet and military or corporate networks. "Not so," Libicki writes. "Instead, cyberspace must be understood in its own terms, and policy decisions being made for these and other new commands must reflect such understanding."

While Libicki's discussion is largely in the theoretical realm, the world has already seen instances of cyberwarfare (official or not) in the last couple of years: Russian Federation attacks against Chechnya, Kyrgyzstan, and Georgia; and attacks and counter-attacks between Israelis and Palestinians. Chinese intelligence (military?) has reportedly infiltrated electrical grids and other critical infrastructure around the globe. Only a fool would assume that the world's other major powers aren't working in this same realm.

Hacking: The new nukes. But as Libicki forcefully argues, all the deterrence measures and policies that grew out of the Cold War nuclear threat aren't really applicable here, and they could mean needless expenditures with little or no protection, safety, or actual deterrence:

    Can strategic cyberwar induce political compliance the way, say, strategic airpower would? Airpower tends to succeed when societies are convinced that matters will only get worse. With cyberattacks, the opposite is more likely. As systems are attacked, vulnerabilities are revealed and repaired or routed around. As systems become more hardened, societies become less vulnerable and are likely to become more, rather than less, resistant to further coercion. Those who would attempt strategic cyberwar also have to worry about escalation to violence, even strategic violence.

All this leads Libicki to conclude that strategic cyberwar should not be a priority investment area. "Strategic cyberwar, by itself, would annoy but not disarm an adversary," he writes in the report. "Any adversary that merits a strategic cyberwar campaign to be subdued also likely possesses the capability to strike back in ways that may be more than annoying."

No small amount of ominousness there.

What's the takeaway for corporate security professionals? A Libicki footnote mentions a "fiendish variant" that attacks computers that control manufacturing processes to retard the production of, ruin, or render dangerous the products of the processes. No manufacturing process should be exposed to the outside world without "very high levels of network protection," Libicki warns.

As security expert (and Internet Evolution video tutor) Richard Stiennon says, there's plenty of reason for concern. "From my discussions with manufacturers, they have done little to segregate their production environments from the Internet. They have even deployed Windows systems down to the machine cell for management and reporting -- systems that do not lend themselves to frequent patching/rebooting schedules. Manufacturing is very vulnerable to these 'fiendish variants.' "

How well can military, utility, and corporate systems be locked down against state-sponsored hacking and warfare? And can any solution ever be considered airtight? Clearly not. But the Libicki paper is a great catalyst for getting this issue in front of military planners, policymakers, chief security officers, and others who have a stake in protecting networked assets -- without going broke in the process.

— Terry Sweeney, Editor in Chief, Internet Evolution

This blog is part of Internet Evolution's Security Clan, which examines the future of Internet security and the changing nature of risks and vulnerabilities. To join the Security Clan, register here.

tsaleem
Rank: Web master
Monday November 2, 2009 5:44:18 AM
no ratings

Well put, geoffc. This also alludes to another point - could physical wars be started by an indiscriminate attack on a neutral party's cyber assets?

 

Stiennon
Rank: Cave Painter
Sunday November 1, 2009 12:04:52 PM
no ratings

And thanks for the call out, Terry. The importance of Libicki's monograph is that it is the first cool-headed look at cyber deterrence. He does not fall into the trap of thinking of "cyber space" as a place or, as the military calls it, a "domain". The genie may already be out of the bottle, though, as the militaries of the world re-organize under the cyber rubric.

Mark Odiorne
Rank: Cyborg
Thursday October 29, 2009 6:20:31 PM
no ratings

Geoffc, nice point. Makes you think about the theory that countries who are tied closely together in economic and business ventures together would not so easily want to wage a physical war on one another.

geoffc
Rank: Web master
Thursday October 29, 2009 5:52:03 PM
no ratings

I think conventional military doctrine is essentially built around the concept of physical space and territory. Cyberspace transcends national boundaries, so a company in Singapore could typically have its servers located in the US, and a computer attack on the company's servers actually occurs on US soil. This issue gets even more complicated when we start talking about cloud computing.

Nowadays we talk about the disappearing perimeter around corporate networks, apply that concept to a country and the scope of your problem has just grown exponentially. But the concept of cyberwarfare is not a new concept. You just have to read Information warfare by Denning and you will get a good glimpse into traditional warfare applied to information.

Mark Odiorne
Rank: Cyborg
Thursday October 29, 2009 5:34:24 PM
no ratings

Could it be we are trying to do too many things, be too many things, to all people equally, that we (we the people, corporately "the government") are not getting the basics covered and dithering over the tough decisions?

Reflecting over the post again, after a restful night's sleep, I am reminded of my favorite Herzog quote: "In Security, any type of ignorance is malicious. To anybody that says I didn't do it because I didn't know: if it's your job then it's your job to know." I think it was an Air Force general who recently said that the US is constantly under cyber attack, 24/7. The Air Force requested this study and I look forward to hearing more about what they ultimately decide to do with the information.

Mary Jander
Thinkernetter
Thursday October 29, 2009 12:34:17 PM
no ratings

What a sobering and scary post. It would be comforting to think that a new military/industrial effort was underway to combat the threats to manufacturing Terry alludes to, but it seems that we're all asleep at the switch when it comes to a few very serious Internet threats.

As consumers we're giving away our privacy, for example; as companies we're ignoring some glaring security holes. As countries we seem to be focused on other issues.

Mark Odiorne
Rank: Cyborg
Wednesday October 28, 2009 10:41:15 PM
no ratings

"Strategic cyberwar, by itself, would annoy but not disarm an adversary," he writes

I don't think any state sponsored cyberwar would be the sole effort, but part of a coordinated attack - as we've seen evidence of in recent years. By itself, perhaps, as part of asymmetric or terroristic attacks by a small actor against a larger one - but outright cyberwar would be accompanied by more traditional methods as well, or soon escalated to. Previous (and current) wars have been fought via multiple channels. Taking out communications, manufacturing, utilities, media, etc. while conducting a shooting campaign would only further the adversary's ultimate aims, to force the military, political and populace all to capitulate.

Too late to read the full paper tonight, but looking forward to it, and the responses you link to.
