Friday, October 16, 2009

Cyberdeterrence and Cyberwar

Cyberdeterrence and Cyberwar (Martin C. Libicki) is a RAND report for the US Air Force that details the difficulties of dealing with attacks on military and civilian computer infrastructure. It argues that the traditional military doctrine of deterring an aggressor with the threat of a cyber attack will not be effective in cyberwarfare. Conventional military force will also have limited value in responding to a cyberattack, because the attacker is difficult to identify.

The book is available as a free e-book: Summary Only (File size 0.3 Mbytes) and Full Document (1.8 Mbytes, 240 Pages), as well as a printed paperback.

Preface
Figures
Tables
Summary
Acknowledgements
Abbreviations

Chapter One
Introduction
Purpose
Basic Concepts and Monograph Organization

Chapter Two
A Conceptual Framework
The Mechanisms of Cyberspace
External Threats
Internal Threats
Insiders
Supply Chain
In Sum
Defining Cyberattack
Defining Cyberdeterrence

Chapter Three
Why Cyberdeterrence Is Different
Do We Know Who Did It?
Can We Hold Their Assets at Risk?
Can We Do So Repeatedly?
If Retaliation Does Not Deter, Can It at Least Disarm?
Will Third Parties Join the Fight?
Does Retaliation Send the Right Message to Our Own Side?
Do We Have a Threshold for Response?
Can We Avoid Escalation?
What If the Attacker Has Little Worth Hitting?
Yet the Will to Retaliate Is More Credible for Cyberspace
A Good Defense Adds Further Credibility

Chapter Four
Why the Purpose of the Original Cyberattack Matters
Error
Oops
No, You Started It
Rogue Operators
The Command-and-Control Problem
Coercion
Force
Other
Implications

Chapter Five
A Strategy of Response
Should the Target Reveal the Cyberattack?
When Should Attribution Be Announced?
Should Cyberretaliation Be Obvious?
Is Retaliation Better Late Than Never?
Retaliating Against State-Tolerated Freelance Hackers
What About Retaliating Against CNE?
Should Deterrence Be Extended to Friends?
Should a Deterrence Policy Be Explicit?
Can Insouciance Defeat the Attacker’s Strategy?
Confrontation Without Retaliation
The Attacker’s Perspective
Signaling to a Close

Chapter Six
Strategic Cyberwar
The Purpose of Cyberwar
The Plausibility of Cyberwar
The Limits of Cyberwar
The Conduct of Cyberwar
Cyberwar as a Warning Against Cyberwar
Preserving a Second-Strike Capability
Sub-Rosa Cyberwar?
A Government Role in Defending Against Cyberwar
Managing the Effects of Cyberwar
Terminating Cyberwar
Conclusions

Chapter Seven
Operational Cyberwar
Cyberwar as a Bolt from the Blue
Dampening the Ardor for Network-Centric Operations
Attacks on Civilian Targets
Organizing for Operational Cyberwar
Conclusions

Chapter Eight
Cyberdefense
The Goal of Cyberdefense
Architecture
Policy
Strategy
Operations
Hardware
Deception
Red Teaming
Conclusions

Chapter Nine
Tricky Terrain

A. What Constitutes an Act of War in Cyberspace?
B. The Calculus of Explicit versus Implicit Deterrence
C. The Dim Prospects for Cyber Arms Control
References ...

The establishment of the 24th Air Force and U.S. Cyber Command marks the ascent of cyberspace as a military domain. As such, it joins the historic domains of land, sea, air, and space. All this might lead to a belief that the historic constructs of war—force, offense, defense, deterrence—can be applied to cyberspace with little modification.

Not so. Instead, cyberspace must be understood in its own terms, and policy decisions being made for these and other new commands must reflect such understanding. Attempts to transfer policy constructs from other forms of warfare will not only fail but also hinder policy and planning.

What follows focuses on the policy dimensions of cyberwar: what it means, what it entails, and whether threats can deter it or defense can mitigate its effects. The Air Force must consider these issues as it creates new capabilities.

Cyberattacks Are Possible Only Because Systems Have Flaws

As long as nations rely on computer networks as a foundation for military and economic power and as long as such computer networks are accessible to the outside, they are at risk. Hackers can steal information, issue phony commands to information systems to cause them to malfunction, and inject phony information to lead men and machines to reach false conclusions and make bad (or no) decisions. ...

Operational Cyberwar Has an Important Niche Role, but Only That

For operational cyberwar—acting against military targets during a war—to work, its targets have to be accessible and have vulnerabilities. These vulnerabilities have to be exploited in ways the attacker finds useful. It also helps if effects can be monitored. ...

Strategic Cyberwar Is Unlikely to Be Decisive

No one knows how destructive any one strategic cyberwar attack would be. Estimates of the damage from today’s cyberattacks within the United States range from hundreds of billions of dollars to just a few billion dollars per year. ...

Cyberdeterrence May Not Work as Well as Nuclear Deterrence

The ambiguities of cyberdeterrence contrast starkly with the clarities of nuclear deterrence. In the Cold War nuclear realm, attribution of attack was not a problem; the prospect of battle damage was clear; the 1,000th bomb could be as powerful as the first; counterforce was possible; there were no third parties to worry about; private firms were not expected to defend themselves; any hostile nuclear use crossed an acknowledged threshold; no higher levels of war existed; and both sides always had a lot to lose. Although the threat of retaliation may dissuade cyberattackers, the difficulties and risks suggest the perils of making threats to respond, at least in kind. Indeed, an explicit deterrence posture that encounters a cyberattack with obvious effect but nonobvious source creates a painful dilemma: respond and maybe get it wrong, or refrain and see other deterrence postures lose credibility. ...

Can Retaliators Hold Assets at Risk?

It is possible to understand the target’s architecture and test attack software in vivo and still not know how the target will respond under attack. Systems vary by the microsecond. Undiscovered system processes may detect and override errant operations or alert human operators. How long a system malfunctions (and thus how costly the attack is) will depend on how well its administrators understand what went wrong and can respond to the problem. Furthermore, there is no guarantee that attackers in cyberspace will have assets that can be put at risk through cyberspace. ...

Will Third Parties Stay Out of the Way?

Cyberattack tools are widely available. If nonstate actors jump into such confrontations, they could complicate attribution or determining whether retaliation made the original attackers back off.

Might Retaliation Send the Wrong Message?

Most of the critical U.S. infrastructure is private. An explicit deterrence policy may frame cyberattacks as acts of war, which would indemnify infrastructure owners from third-party liability, thereby reducing their incentive to invest in cybersecurity. ...

Responses to Cyberattack Must Weigh Many Factors

In many ways, cyberwar is the manipulation of ambiguity. Not only do successful cyberattacks threaten the credibility of untouched systems (who knows that they have not been corrupted?) but the entire enterprise is beset with ambiguities. Questions arise in cyberwar that have few counterparts in other media.

What Was the Attacker Trying to Achieve?

Because cyberwar can rarely break things much less take things, the more-obvious motives of war do not apply. If the attacker means to coerce but keep its identity hidden, will the message be clear? If the attack was meant to disarm its target but does so only temporarily, what did the attacker want to accomplish in the interim?

Military Cyberdefense Is Like but Not Equal to Civilian Cyberdefense

Because military networks mostly use the same hardware and software as civilian networks, they have mostly the same vulnerabilities. Their defense resembles nothing so much as the defense of civilian networks—a well-practiced art. But military networks have unique features ...

Implications for the Air Force

The United States and, by extension, the U.S. Air Force, should not make strategic cyberwar a priority investment area. Strategic cyberwar, by itself, would annoy but not disarm an adversary. Any adversary that merits a strategic cyberwar campaign to be subdued also likely possesses the capability to strike back in ways that may be more than annoying. ...

From: Cyberdeterrence and Cyberwar, Martin C. Libicki, RAND, 2009
