[Infowarrior] - Response to: A Pearl Harbor by keystroke? (Washington Times)

Richard Forno rforno at infowarrior.org
Fri May 8 02:24:28 UTC 2009


(anyone care to pass this to the author in question, feel free to do  
so with my compliments.  --rick)

A Pearl Harbor by keystroke?
Thomas M. Skypek
http://washingtontimes.com/news/2009/may/07/a-pearl-harbor-by-keystroke/

First off:  the author of this op-ed is a "Washington-based defense  
analyst who specializes in military transformation, deterrence and  
U.S. defense policy" -- his level of knowledge in cybersecurity- 
anything is unknown.
(Source: Jamestown Foundation -- http://tinyurl.com/os6u7y)

  Having said that....
> Without a cyberdeterrence policy in place, the United States can  
> expect more and larger cyberattacks on its interests. It was  
> reported in the Wall Street Journal on April 21 that a  
> cyberintrusion breached the Pentagon's $300 billion Joint Strike  
> Fighter (JSF) program. The attackers copied critical design  
> information which could make it easier for an adversary to defend  
> against the aircraft in a conflict.
>
How does "theft of proprietary data" constitute an "attack"?  Since  
the piece uses this as its intro, that's the logic upon which this  
person bases the rest of his argument?  That was an INCIDENT of  
data loss, not an "attack" -- but it seems "attack" is DC-speak for  
"someone we probably don't know doing something we don't like in  
cyberspace."
> An effective cybersecurity strategy must include a clearly  
> articulated cyberdeterrence policy. When responding to a  
> cyberattack, Washington should move beyond cybercounterattacks to  
> include full kinetic attack options.
>
Cyberdeterrence?  How is that anything other than a component of  
traditional deterrence mechanisms of national power?  By this  
phraseology, do we need biodeterrence for biowarfare, chemdeterrence  
for chemical warfare? A response using cyber is just another  
mechanism and method at our disposal!
> In other words, cruise missiles or precision guided munitions should  
> be used to retaliate against facilities where cyberattacks are  
> launched with the complicity of an enemy state. All options should  
> be on the table when it comes to responding to attacks in cyberspace.
>
Your data center is believed to be the source for an "attack" on SCADA  
Site X.   Let loose the JDAMs?  PGMs in the physical world are  
sledgehammers in the cyber world.....one server (or a few) are a  
target, so you want to kinetically destroy 50, 100, or 1000 in the  
data center that have nothing to do with the aggressor?  Have you even  
considered the notion of collateral damage in cyberspace?
> A declaratory cyberdeterrence policy will not eliminate the threat  
> of cyberattacks, but it will limit the number of attacks -  
> particularly from state actors such as China. Lone-wolf hackers are  
> much more difficult to deter, but deterring state-sponsored  
> cyberattacks will make an incredibly complex problem more manageable  
> as resources can be diverted to focusing on lone-wolf hackers. The  
> deterrent piece of U.S. cybersecurity strategy should focus on state  
> actors. States who sponsor cyberattacks - or allow nonstate actors  
> to launch attacks from within their borders - should be held  
> responsible for such attacks.
>
So how will you know when a non-state actor is using China or Russia  
in a false-flag operation?  Does this not start us down a very  
slippery slope?  You say later that attribution is key --- in this  
case, misattribution can be more dangerous, but it's a very easy thing  
for the talented aggressor to get us to do!
> Deterrence is a simple concept to grasp, but its execution is much  
> more difficult. This thought can be boiled down to a simple if-then  
> statement: If you attack me, I will attack you. The message: Don't  
> attack me in the first place. Successful deterrence requires the  
> ability to credibly threaten that which an adversary values and the  
> capability to follow through if the adversary crosses predetermined  
> red lines.
>
Credible attribution, too.  But unless you lock down the internet in  
ways that break it on a variety of technical, social, and cultural  
methods that nobody is going to endorse, 100% correct attribution is  
impossible. It's not like seeing a missile launch somewhere and  
retaliating because you know the geographic location and who controls/ 
owns the missile launch facility.   The level of attribution you know  
of and rely on in the nuclear deterrence world isn't directly (or even  
remotely easily) transferable into the cyber realm, and even in cases  
where it might be, how can you be 100% sure you're correct?
> Just what are those red lines? Policymakers need to think seriously  
> about this issue and what types of attacks warrant kinetic  
> responses. A state-sponsored campaign should certainly be on that  
> list. However, deciding what exactly constitutes a red line is a  
> major policy decision which will need to be debated heavily and then  
> clearly communicated to the rest of the world.
>
That alone will tie the lawyers up for decades.  How appropriate a  
solution for Washington.  Meanwhile, Rome still burns.
> By telling the world that all options are on the table when it comes  
> to responding to cyberattacks, most states will likely find the  
> costs of launching cyberattacks against the United States  
> unacceptably high and thus be deterred.
>
They will more likely snicker and see that we are posturing aimlessly  
because the true state aggressor -- or other competent cyber adversary  
--  will make it look like we're attacking ourselves, and they'll have  
their tracks quite well concealed.
> For this to work, however, Washington's threats must be credible.  
> This means that the first state to seriously attack the U.S. in  
> cyberspace after the U.S. deterrence policy is articulated must be  
> attacked with conventional munitions. Selected military targets that  
> enable cyberoperations against the United States should be destroyed.
>
Since the DOD, or some DOD leaders, think a "ping" of a DOD host from  
a certain country as an "attack" in quoting their "millions of attacks  
a week" metrics to the media, that might lead to some unfortunate  
consequences. (Note muted sarcasm.)
> Moreover, states will have a powerful new incentive to find and root  
> out nonstate actors operating within their borders.
>
This assumes you can locate every miscreant in cyberspace.  Good  
luck.  You are assuming a systems-oriented rational actor  
adversary....the joy of cyberspace is that you can operate outside  
traditional organizational frameworks and constraints.  As to  
detecting and 'rooting out' cyber-adversaries effectively and  
efficiently? The game of Whack-a-Mole comes to mind here.
> Of course, for cyberdeterrence to work, attribution is critical. We  
> need to know who perpetrated the attack. Cyberattacks can be  
> launched from anywhere, making targeting a difficult task.  
> Unsurprisingly, this makes intelligence an absolutely critical part  
> of the cyberdeterrence equation. Sophisticated hackers are easily  
> able to cover their tracks. Significant investments should be made  
> into improving our attribution capabilities.
>
Given what you just said, while the pawns and other "low hanging  
fruit" might be easily detected and countered,  what do you think the  
success rate will be of detecting (and more importantly, CORRECTLY  
attributing) the truly sophisticated adversaries?
> Attacks in cyberspace are not going away. The Pentagon has spent  
> more than $100 million in the last six months repairing damage from  
> cyberattacks, according to Gen. John A. Davis, deputy commander  
> of the Joint Task Force for Global Operations. Cleaning one infected  
> computer can cost between $5,000 and $7,000.
>
What's the breakdown of that cost?  Dollars to donuts I bet it's  
because the computer is classified for no legitimate reason, which  
necessitates 'special handling' to disinfect. (Of course this info  
likely is classified.)  How many new computers could DOD buy instead  
for that price?

The $100m spent on repairing damage?  Again, what kind of  
damage.....worms, viruses, trojans, and other stupid user actions, or  
SERIOUS STUFF that we need to worry about that indeed is state- 
sponsored or comes from known adversaries?  (Of course this info  
likely is classified.)

Since some DOD cyber-leaders continually offer suspiciously high  
statistics of how many times the department is under "attack" yet  
have never clearly articulated exactly what constitutes an "attack", I  
have to question any statistic they cite until they do.
> It is difficult to overstate our dependence on networked computers  
> and other information technologies. Laptops, personal computers and,  
> of course, the ubiquitous BlackBerry are the lifeblood of business,  
> personal communications and global information sharing. And that's  
> just in the civilian world.
>
Beg to differ.  Many thought leaders in this world, including me,  
don't use Blackberries.  ;)
> While the Pentagon's computer networks are hardened from  
> cyberattacks, they clearly are not impervious to intrusions.
>
Because of a variety of reasons, most of which are self-inflicted by  
the so-called "good guys" we're paying to allegedly secure our systems  
in the name of national security.
> The United States cannot afford a Pearl Harbor in cyberspace.
>
Danger, Will Robinson! Danger!  The minute anyone invokes "Pearl  
Harbor" in a discussion about cyberspace (and means it) they should be  
viewed as having no understanding of how the net works or any concept  
of cybersecurity. By using that sensational phrase, they are, either  
wittingly or not, sowing unsubstantiated fear and needless hysteria in  
the eyes of the public and national policymakers.
> A distributed denial-of-service campaign against critical  
> infrastructure targets such as power, water and transportation would  
> be catastrophic - so too would be a coordinated attack on the  
> financial services and banking industries. Worse yet, a pre-emptive  
> cybercampaign could be used to negate our overwhelming military  
> advantage, making us more susceptible to the conventional military  
> power of near-peer competitors.
>
Two points:  First, how have people in American towns and cities  
survived when blizzards, floods, or hurricanes knocked out power to  
their communities for days or weeks? Something tells me that my  
neighborhood will survive even if some cyber-varmint launches a DDOS  
against my power company and we 'go dark' for a while.  Happens fairly  
frequently, thanks to Mother Nature --- which, according to your  
article, means we should be developing a Mother Nature Deterrence  
Posture as well.

Secondly, why would such a critical system - power, water, transport -  
be on the public network if it's deemed a critical infrastructure?  If  
they are on a public-access network, it tells me loud and clear that  
security, resilience, and survivability of a public-safety  
infrastructure resource are being sacrificed for operator convenience  
and cost-cutting.   If we consider some system "critical" to public  
safety, then we need to treat it as such, and that means PAYING FOR  
APPROPRIATE SECURITY AND RESILIENCY.   Security for such networks /  
systems should not take a back seat to cost-savings, and that means  
they should NEVER, EVER be on a public network!!!

As for the damage caused by the financial system.....well, they didn't  
need hackers to wreak havoc in this country, did they?  (Sorry,  
couldn't resist.)
> Crafting an effective cyberdeterrence policy will not be an easy task.  
> But right now, our lack of a coherent deterrence policy is a hole in  
> our overall cybersecurity strategy. We will be able to leverage some  
> of the lessons we have learned from our six-decade policy of nuclear  
> deterrence. However, cyberspace is a unique domain and will require  
> fresh ideas to make a new kind of deterrence effective.
>
No, we need to get rid of our six-decade-old mentality of applying  
conventional solutions to unconventional problems.  We need to  
understand....truly understand....the nature of the network and not  
just the points that interest us.  We need to get rid of the fear- 
mongering based on security stereotypes and baseless fears and fix -  
not 'address' - the root problems of our current cyber insecurity.   
That means designing and administering truly survivable and resilient  
software and systems, not letting convenience win out over security,  
and taking actual measures to ensure that our cybersecurity problems  
and vulnerabilities are not the result of self-inflicted wounds --  
which they are, unfortunately.

Absent these and other processes, any attempt at "cyber-deterrence"  
will be met with hoots of incredulous laughter by those we are seeking  
to deter.
> Thomas M. Skypek is a defense policy analyst. The views expressed  
> are solely those of the author.
>

Rick Forno has been involved in IA / IO / CIP / and more for the past  
15 years.  The views expressed are his alone, but likely are shared by  
other competent cybersecurity thought leaders as well.