Debunking Cyber Deterrence as a Strategy

October 31, 2009 by ADMIN

By Richard Stiennon, Chief Research Analyst, IT-Harvest

Martin Libicki’s “Cyberdeterrence and Cyber War” has been released as a RAND monograph and in book form on Amazon.

This is the first cogent look at the efficacy of waging strategic cyber war, and I hope it will serve to slow the rhetoric coming from the US Defense community about acquiring cyber offensive capability.

I wrote before about the National Resource Council’s report, Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities.

That report explored many of the same difficulties addressed by Libicki but came to different conclusions.

An introductory statement from Libicki:

All this might lead to a belief that the historic constructs of war—force, offense, defense, deterrence—can be applied to cyberspace with little modification.

Not so.

Instead, cyberspace must be understood in its own terms, and policy decisions being made for these and other new commands must reflect such understanding.

Attempts to transfer policy constructs from other forms of warfare will not only fail but also hinder policy and planning.

And:

As long as nations rely on computer networks as a foundation for military and economic power and as long as such computer networks are accessible to the outside, they are at risk.

Hackers can steal information, issue phony commands to information systems to cause them to malfunction, and inject phony information to lead men and machines to reach false conclusions and make bad (or no) decisions.

Continuing:

Yet system vulnerabilities do not result from immutable physical laws. They occur because of a gap between theory and practice. In theory, a system should do only what its designers and operators want it to. In practice, it does exactly what its code (and settings) tells it to.

The difference exists because systems are complex and growing more so. In all this lies a saving grace.

Errors can be corrected, especially if cyberattacks expose vulnerabilities that need attention.

The degree to which and the terms by which computer networks can be accessed from the outside (where almost all adversaries are) can also be specified.

There is, in the end, no forced entry in cyberspace. Whoever gets in enters through pathways produced by the system itself.

It is only a modest exaggeration to say that organizations are vulnerable to cyberattack only to the extent they want to be. In no other domain of warfare can such a statement be made.

Elaborating:

The salient characteristics of cyberattacks—temporary effects and the way attacks impel countermeasures—suggest that they be used sparingly and precisely.

They are better suited to one-shot strikes (e.g., to silence a surface-to-air missile system and allow aircraft to destroy a nuclear facility under construction) than to long campaigns (e.g., to put constant pressure on a nation’s capital).

Attempting a cyberattack in the hopes that success will facilitate a combat operation may be prudent; betting the operation’s success on a particular set of results may not be.

Questioning:

But can strategic cyberwar induce political compliance the way, say, strategic airpower would? Airpower tends to succeed when societies are convinced that matters will only get worse.

With cyberattacks, the opposite is more likely.

As systems are attacked, vulnerabilities are revealed and repaired or routed around. As systems become more hardened, societies become less vulnerable and are likely to become more, rather than less, resistant to further coercion.

Answering:

Can cyberattacks disarm cyberattackers? In a world of cheap computing, ubiquitous networking, and hackers who could be anywhere, the answer is no.

Warning:

Can escalation be avoided? Even if retaliation is in kind, counterretaliation may not be. A fight that begins in cyberspace may spill over into the real world with grievous consequences.

And concluding:

The United States and, by extension, the U.S. Air Force, should not make strategic cyberwar a priority investment area.

Strategic cyberwar, by itself, would annoy but not disarm an adversary.

Any adversary that merits a strategic cyberwar campaign to be subdued also likely possesses the capability to strike back in ways that may be more than annoying.

Libicki is careful to make the distinction between espionage (CNE) and cyberattack, which seeks to disrupt or corrupt.

He also makes the point that attack is cheaper than defense, so deterrence could save money otherwise needed for defense, but he goes on to say:

The better one’s defenses, the less likely it is that an attack will succeed and so the less often a cyberdeterrence policy will be tested. The longer such a policy goes untested, the more credibility it acquires, if only through precedent.

Another good point:

…a good defense adds credibility to the threat to retaliate, much in the way Herman Kahn argued that having bomb shelters made nuclear deterrence more credible.

Libicki is not omniscient, though. Footnote 20 on page 11:

A fiendish variant is to attack computers that control manufacturing processes to retard the production of, ruin, or render dangerous the products of the processes.

Such an attack could have nasty echoes.

It is not clear, however, why any manufacturing process should be exposed to the outside world without very high levels of network protection.

From my discussions with manufacturers, they have done little to segregate their production environments from the Internet.

They have even deployed Windows systems down to the machine cell for management and reporting, systems that do not lend themselves to frequent patching/rebooting schedules.

Manufacturing is very vulnerable to these “fiendish variants”.

Moving on, Libicki’s conclusion from chapter 6:

It is thus hard to argue that the ability to wage strategic cyberwar should be a priority area for U.S. investment and, by extension, for U.S. Air Force investment.

It is not even clear whether there should be an intelligence effort of the intensity required to enable strategic cyberwar.

And I cannot resist lauding a final conclusion that I have oft said:

This investigation suggests that, in this medium, the best defense is not necessarily a good offense; it is usually a good defense.

* * *


Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He recently re-launched the security blog ThreatChaos.com and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc. the leading UTM vendor. Prior to that he was VP Threat Research at Webroot Software. Before Webroot, Mr. Stiennon was VP Research at Gartner Inc. where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner’s Thought Leadership award and was named “One of the 50 most powerful people in Networking” by NetworkWorld Magazine.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
