Saturday, April 13, 2013

Issues in Cybersecurity, Part 2.
As we have seen, the challenges facing those who want to increase security in the cyber-realm are steep. How can we apply theory to give us some direction on solving these problems?

If we treat a cyber attack as a variant of military, state, or covert attack (instead of as a crime) we can examine it through the offense/defense lens. By determining who has the advantage when it comes to "battle", we can apply the best sort of strategy.

When it comes to protecting yourself from attack, you have two options: defense or deterrence. Oftentimes, a "defense" can also be used as an offense. This is why the US Department of "Defense" runs all offensive military operations. But in terms of actually defending, what it requires is the ability to prevent an enemy from hurting you when he attempts to do so. So a high wall counts as defense; so does a trench, or an army to repel invaders. All of these are defensive measures. By having a strong defense, it is likely the enemy will not attack, because he can see that you have the ability to repel him. But if he does not think your defense will stop his attack, he might attack anyway.

Some attacks are particularly hard to defend against. In the real world, we have determined that ballistic missiles are difficult to defend against. They will almost always hit and do damage. At a certain level of power (nuclear) there is basically no defending against them. No wall is thick enough, and if they launch enough (or advanced enough) missiles, we can't stop them mid-flight. They invalidate all concepts of "defense". Even non-nuclear missiles will do hideous damage to non-hardened targets, like cities, the average military base, or nearly any other installation. How then do we prevent an enemy from using an attack we cannot defend against?

Enter deterrence. Deterrence theory states, in effect, that if we can threaten the enemy with enough violence in reprisal, he won't risk attacking us, even though the attack would work. In the real world, this played out with nuclear ballistic missiles: no one nuked America, even though we were helpless to stop them, because we would nuke them back, and they were just as helpless to stop us. No one wanted to risk being nuked, so no one fired their missiles first. As long as everyone understands what is going on, the situation holds, no war is started, and life goes on.

How does all this apply to cyber? Well, let's determine which analogy holds better. Can we use defense to stop cyber-attacks? So far, it seems like no, we cannot. There is no real defense to a cyber attack: we either have enough security to stop it, or we do not, but the hacker risks nearly nothing in the attempt. It is like an army attacking a medieval city that ONLY has a stone wall defending it. It costs nearly nothing to see if the wall is breakable, and if there is nothing threatening behind it, why not try and break it down?

Of course, it's even worse than that. By using viruses, bot-nets, and other tools, the attackers have much more powerful tools than the defenders. As discussed last time, there are also many, many points of vulnerability. Imagine the same stone wall, but now it has thousands of gates. And the enemy has modern artillery and aircraft. And if any hole is made in the defense, the city is pillaged. Clearly, defense is not a viable strategy unless something changes drastically in the cybersecurity field. There are sci-fi novels that introduce ideas of active defense, things that will attack a hacker's system if he tries to break in…but in the real world, bot-nets invalidate that anyway. Destroying a hacker's computer is not a defense if it is not his computer doing the attacking, but a thousand random computers that were infected with a virus. So, again, unless technology radically changes, defense is just not a really good option; offense is dramatically more powerful.

That leaves deterrence. If offense is so powerful, then, just like with nuclear weapons, shouldn't we be able to threaten reprisals? If you hack our systems, we will hack yours back, erase your hard drive, infect you with viruses, and overheat your processor. This certainly SOUNDS effective, if the threat could be clearly communicated and feel credible. In theory, a credible threat, understood by all parties, should keep attacks at bay. Why then are we still being attacked?

Answer: Attribution. Unlike with a ballistic missile, which we can track back to its launch point, cyber attacks, as stated before, often come from unknown sources with unknown agencies behind them. Even if we absolutely know that a cyber attack came from China, we can't know for sure WHO in China is responsible. Is it the government? A private company? A random criminal? A terrorist organization? Who do we attack back? This is the major problem; if we solved this, the rest could be solved with it. A credible threat could be made, and the US has the ability to use far more than cyber to threaten with. Imagine if the attribution problem could be solved, and the US made a clear declaration: any cyber attack of a certain magnitude would put you on a list of known terrorists and trigger a military response, a drone strike or a sniper's bullet. What hacker is willing to risk this?

Of course, that is only if the attribution problem is solved. That MUST be the number one goal of US policy makers and private interests alike. But apparently the conventional wisdom is "deterrence doesn't work, cyber is an offense-dominated paradigm". Well, that isn't good enough! If you don't want to hurt the enemy, what good does offense do you? We think China (or Chinese firms) are stealing our technology. What can we do with our offensive abilities? They have nothing for us to steal! Randomly destroying things in reprisal doesn't help either; blowing up a factory that makes goods that US consumers buy only hurts those very consumers. No, an offense-only world is not a world we want to live in, and that should not be a theoretical stopping point that anyone accepts. The problem is not that the world is offense-dominated and deterrence does not work; it's just that we ARE NOT DETERRING. We haven't solved the attribution problem, and we have not communicated any threats or policies to the world about the consequences of hacking American firms. The result: today's world.

I will admit, the nature of cyber is extremely different from anything we have faced before. It is a weapon with global reach and extreme destructive possibilities, but, unlike nuclear weapons, it can be used by almost anyone who puts their mind to it. The proliferation of cyber-weapons is like the proliferation of small arms, except each of those guns can shoot all the way to America. And because of the speed and connectivity of the internet, these weapons are being upgraded and modified all the time. It is a scary thought, but at the end of the day, these weapons are controlled by people, not machines. This isn't Terminator. Deterrence would work, IF we can make a credible threat. Working on how to make those threats must be a top priority, because it is unlikely that the nature of cyberspace is going to change in such a way as to make a defensive strategy viable.