Cyberwarfare: Real Bullets for Digital Attacks
Posted on 09. Feb, 2012 by CWZ
Tag: argent, consulting, Cyberwarfare, deterence, government, security
In May of last year, the US Government published its International Strategy for Cyberspace. The publication made some waves in the international community because in this document the US stated that military reprisals to cyber attacks were now officially on the table.
More specifically, the US government stated that it ‘encouraged responsible behavior and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors and reserving the right to defend these national security and vital national assets as necessary and appropriate’ [emphasis mine].
This declaration of intent came after an ever increasing number of (detected) attacks on USG networks and systems. Development of cyber capabilities by governments worldwide are also likely to have influenced the situation.
Whatever the underlying political reasons of publishing such a loaded statement, the publication is clearly intended to deter would-be attackers and, as such, is more or less aligned with one of the RAND Corporation’s Monograph studies during Project Air Force on CyberDeterrence and Cyberwar (freely available PDF).
In this lengthy publication by the hand of Martin C. Libicki, the subject of CyberDeterrence is extensively studied and described. He approaches the subject from so many angles that it would make you smile if it you didn’t have to read it all to get to the end. One especially important aspect of this discussion is the much-debated problem of attribution. Since retalliation and the threat thereof are a large part of deterrence, knowing who to strike is of paramount concern.
Libicki describes various scenario’s such as striking back to the wrong target or not striking at all, and how every scenario has its own consequences. Suffice to say that if you, as an attacker, hide your tracks well enough (don’t forget the cyber intelligence aspect!), you won’t have much problems with retalliatory strikes. If you manage to implicate an innocent third party instead, you may even turn that into a distinct advantage.
Considering that retalliation may now include kinetic attacks (bullets to bytes), it can be safely said that they have upped the proverbial ante.
You might be wondering what the point is of declaring retalliatory (potentially kinetic) attacks when every player in this field knows what the score is: No attribution – No problem. So why make a public statement about how you’re going to strike back if everyone knows its highly unlikely? Well, Libicki covers that too by describing the effects of not striking back, striking back silently, striking back publicly as well as not striking back publicly. I won’t copy/paste his work here, but reading between the lines I found that even though such a public statement is mostly a bluff, it is somewhat of a deterrent and it wins out over the downsides. Besides, and here is the succint point of it all, even though you declare that you may use kinetic military options as a retalliatory measure doesn’t mean you are immediately obliged to actually do so.
In December of last year, the Dutch government was advised by the Advisory Council on International Affairs (AIV) (Dutch) to declare a similar statement with regards to cyber attacks. If the Dutch government decides to take up the advice, The Netherlands will be in the same boat as the US when it comes to cyberdeterrence strategy.
It doesn’t worry me. I feel that making such a statement to the world has more upsides than downsides and it shows backbone. When I, along with friend and fellow NCDI council member Niels Groeneveld, was asked to provide input to some of the questions the AIV was looking to answer, I found the discussion so interesting that I wrote several articles about it. See the “Questions from .GOV” series.
I was happy to see that some of my input had been used, but it also more-or-less automatically disqualifies me from judging this advice. So I ask you: How do you feel?
About the author: Don Eijndhoven has a BA in Informatics (System & Network Engineering) with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands and is currently pursuing an MBA at Nyenrode Business University. Among a long list of professional certifications he obtained are the titles CISSP, CEH, MCITPro and MCSE.He has over a decade of professional experience in designing and securing IT infrastructures. He is the Founder and CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he is a public speaker, occasionally works for CSFI and blogs for several tech-focused websites about the state of Cyber Security. He is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine, and the founder of the Dutch Cyber Warfare Community group on LinkedIn.
Tweet
Memorial
Knowledge is suppressed because of its power to change.
Online since 30-jan-2010
Security tips #1
Donate
Donate & Help us out. Server(
cost money.
Security tips #2
Avoiding Social Engineering and Phishing Attacks
Dealing with Cyberbullies
Preventing and Responding to Identity Theft
Recognizing and Avoiding Spyware
Recovering from Viruses, Worms, and Trojan Horses
Understanding Denial-of-Service Attacks
Understanding Hidden Threats: Corrupted SoftwareFiles
Understanding Hidden Threats: Rootkits and Botnets
Who's new
- ciberprov
- michael.nguyen
- mornjinfeng
- aniketdaptardar
- hadriker
- Alanw
Security vids #1
Team Cymru Research NFP is a specialized Internet security research firm and 501(c)3 non-profit dedicated to making the Internet more secure. Team Cymru helps organizations identify and eradicate problems in their networks, providing insight that improves lives.
Team Cymru the video series 1 to 10
Team Cymru the video series 11 to 20
Team Cymru the video series 21 to 30
Team Cymru the video series 31 to 40
Team Cymru the video series 41 to 50
Team Cymru the video series 51 to 60
Who's online
There are currently 0 users and 11 guests online.
Security vids #2
The Center for Education and Research in Information Assurance and Security (CERIAS) is currently viewed as one of the world’s leading centers for research and education in areas of information security that are crucial to the protection of critical computing and communication infrastructure.
CERIAS is unique among such national centers in its multidisciplinary approach to the problems, ranging from purely technical issues (e.g., intrusion detection, network security, etc) to ethical, legal, educational, communicational, linguistic, and economic issues, and the subtle interactions and dependencies among them.
CERIAS Security: Attribute-Based Access Control
CERIAS Security: Information Flow Analysis in Security Enhanced Linux
CERIAS Security: Towards Mining Syslog Data
Weapons of Mass Disruption Gallery Launch: Reitinger Remarks
Weapons of Mass Disruption: Mike McConnell on The Nightmare Scenario
Comments
Post new comment