USSTRATCOM Cyber & Space 2011 Herbert Lin


Session Seven: Panel: Alternative Futures for Cyber and Space - Herbert Lin

Published in: Technology, News & Politics

  • 1. Reflections on Possible Futures for Cyber: Four issue areas that require attention
      Herb Lin, National Research Council
      2011 USSTRATCOM Cyber and Space Symposium, Omaha, Nebraska, November 15, 2011
  • 2. SOURCE MATERIAL
      • 2009: NRC, cyberattack, policy
      • 2010: NRC, deterring cyberattacks
  • 3. A reminder of a few key technical points about offensive cyber operations
      • Offense will always beat defense, given enough time.
      • Cyberattack and cyberexploitation are technically very similar and look very similar to the victim.
      • Cyber operations can be selective or broad in targeting.
          – Selectivity implies long lead time, complex intelligence requirements, specialized skills, higher cost.
          – Bias towards early use in conflict against target of our choosing rather than as response in active defense
      • Successful cyber operations require very substantial analytical and intelligence support (cf., kinetic operations), and policy making apparatus to be in place.
          – Technically fast but operationally slow; hence most suitable in non-time-urgent operational scenarios (e.g., early use); “speed of light” vs “speed of law/thought/analysis”
  • 4. Escalation dynamics in cyberspace
      • Deterring escalation is just as important (perhaps more so) as deterring onset of conflict.
      • Exploitation and attack – new twist on old problem
          – How can the adversary know if we are exploiting or attacking? (Exploitation during crisis is stabilizing for us, but destabilizing for them.)
      • Unintended escalation particularly dangerous when
          – operational actions are less visible to senior decision makers
          – outcomes of actions are more uncertain (e.g., cascading effects)
      • How can cyberconflict be terminated?
          – Requirements for “termination” – how to de-mine?
          – How to suppress patriotic hackers?
          – How to implement a “cyber cease-fire”?
  • 5. On cyber arms control
      • Restricting acquisition of offensive capabilities essentially impossible.
          – Can’t restrict code, expertise/knowledge, underlying technology
          – Infrastructure needed to develop weapons/conduct attacks is small, easily hidden
          – Verification task essentially impossible
      • Restricting use of offensive capabilities?
          – “Verification” not an issue (cf., Geneva conventions)
          – “No cyberattacks on critical infrastructure” similar to “no kinetic attacks on hospitals”
          – Many complications
              • Why would adversaries agree given asymmetrical advantages?
              • Misinterpretation of cyberexploitation vs attack during crisis
              • Do we want to live with restrictions on use?
  • 6. The meaning of attribution
      • Attribution very hard or impossible if
          – Attack techniques are unprecedented, AND
          – Attacker has left no clues, AND
          – Attacker has maintained perfect operational security (no one else knows), AND
          – No circumstances suggest identity of attacker.
      • Some degree of attribution may be possible if some conditions do not hold.
      • Attribution has many meanings:
          – ID of the machine that launched/initiated the attack
          – ID of the individual who pressed the keys on the initiating machine
          – ID of the nation of jurisdiction for the individual
          – ID of the entity under whose auspices the individual acted.
      • The relevant meaning depends on the intended purpose, and confusion over purpose clouds discussion of attribution.
      • Attribution is not nearly a silver bullet
          – Does little against high-end threat, which is likely to compromise attribution.
  • 7. Private sector involvement in offensive cyber operations
      • As facilitator of government cyber operations
          – Preparation for cyberattack may require cooperation of IT vendors and service providers
      • As beneficiary/unintended victim of government cyber operations
          – If US Cyber Command can take offensive actions to help protect .MIL, why not offensive actions to protect .COM?
              • Who should conduct such operations? (Gov’t? Private sector?)
              • National responsibility for private actions that rise to “use of force”
      • As conductor of offensive cyber operations
          – What actions should private sector be allowed to take? (What does actually happen today is uncertain.)
          – Consider also
              • Possible interference with national cyber operations
              • Adversary response to national cyberattack may target ISPs and critical infrastructure.
  • 8. Some concluding observations
      • The public process for “net assessment” of cyber power is inherently biased against us
          – “Their” offensive capabilities are matched against “our” defensive capabilities only.
          – Uncertainties drive worst-case analysis
          – “Our” offensive capabilities and “their” defensive vulnerabilities are never discussed in public.
      • Offense is largely irrelevant to defense in cyberspace
          – We don’t know how to do good cyber defense.
          – We don’t know how to do good cyber deterrence.
          – We don’t know how to do offensive operations that will enhance defense (even preemption not helpful)
          – The only thing left is offensive cyber operations for non-defensive purposes.
      • Cyber conflict is not separate from other spheres of potential conflict.
      • Many possible forms of offensive operations have not yet been seen.
      • Secrecy clouds necessary public discussion.
  • 9. For more information…
      Herb Lin, Chief Scientist, Computer Science and Telecommunications Board, National Research