Reflections on Possible Futures for Cyber: Four issue areas that require attention
Herb Lin
National Research Council
2011 USSTRATCOM Cyber and Space Symposium
Omaha, Nebraska
November 15, 2011
SOURCE MATERIAL
• 2009: NRC, cyberattack and policy
• 2010: NRC, deterring cyberattacks
A reminder of a few key technical points about offensive cyber operations
• Offense will always beat defense, given enough time.
• Cyberattack and cyberexploitation are technically very similar and look very similar to the victim.
• Cyber operations can be selective or broad in targeting. Selectivity implies long lead time, complex intelligence requirements, specialized skills, and higher cost.
– Bias towards early use in conflict against a target of our choosing, rather than as a response in active defense.
• Successful cyber operations require very substantial analytical and intelligence support (cf. kinetic operations), and a policy-making apparatus already in place.
– Technically fast but operationally slow; hence most suitable in non-time-urgent operational scenarios (e.g., early use): “speed of light” vs. “speed of law/thought/analysis”.
Escalation dynamics in cyberspace
• Deterring escalation is just as important as (perhaps more so than) deterring the onset of conflict.
• Exploitation and attack: a new twist on an old problem
– How can the adversary know whether we are exploiting or attacking? (Exploitation during a crisis is stabilizing for us, but destabilizing for them.)
• Unintended escalation is particularly dangerous when
– operational actions are less visible to senior decision makers;
– outcomes of actions are more uncertain (e.g., cascading effects).
• How can cyberconflict be terminated?
– Requirements for “termination”: how to de-mine?
– How to suppress patriotic hackers?
– How to implement a “cyber cease-fire”?
On cyber arms control
• Restricting acquisition of offensive capabilities is essentially impossible.
– Can’t restrict code, expertise/knowledge, or the underlying technology.
– Infrastructure needed to develop weapons and conduct attacks is small and easily hidden.
– Verification task is essentially impossible.
• Restricting use of offensive capabilities?
– “Verification” is not an issue (cf. Geneva conventions).
– “No cyberattacks on critical infrastructure” is similar to “no kinetic attacks on hospitals”.
– Many complications:
• Why would adversaries agree, given asymmetrical advantages?
• Misinterpretation of cyberexploitation vs. attack during a crisis.
• Do we want to live with restrictions on use?
The meaning of attribution
• Attribution is very hard or impossible if
– attack techniques are unprecedented, AND
– the attacker has left no clues, AND
– the attacker has maintained perfect operational security (no one else knows), AND
– no circumstances suggest the identity of the attacker.
• Some degree of attribution may be possible if some of these conditions do not hold.
• Attribution has many meanings:
– ID of the machine that launched/initiated the attack;
– ID of the individual who pressed the keys on the initiating machine;
– ID of the nation of jurisdiction for that individual;
– ID of the entity under whose auspices the individual acted.
• The relevant meaning depends on the intended purpose, and confusion over purpose clouds discussion of attribution.
• Attribution is far from a silver bullet.
– It does little against the high-end threat, which is likely to compromise attribution.
Private sector involvement in offensive cyber operations
• As facilitator of government cyber operations
– Preparation for cyberattack may require the cooperation of IT vendors and service providers.
• As beneficiary or unintended victim of government cyber operations
– If US Cyber Command can take offensive actions that help protect .MIL, why not offensive actions to protect .COM?
• Who should conduct such operations? (Government? Private sector?)
• National responsibility for private actions that rise to a “use of force”.
• As conductor of offensive cyber operations
– What actions should the private sector be allowed to take? (What actually happens today is uncertain.)
– Consider also:
• Possible interference with national cyber operations.
• Adversary response to a national cyberattack may target ISPs and critical infrastructure.
Some concluding observations
• The public process for “net assessment” of cyber power is inherently biased against us.
– “Their” offensive capabilities are matched against “our” defensive capabilities only.
– Uncertainties drive worst-case analysis.
– “Our” offensive capabilities and “their” defensive vulnerabilities are never discussed in public.
• Offense is largely irrelevant to defense in cyberspace.
– We don’t know how to do good cyber defense.
– We don’t know how to do good cyber deterrence.
– We don’t know how to do offensive operations that will enhance defense (even preemption is not helpful).
– The only thing left is offensive cyber operations for non-defensive purposes.
• Cyber conflict is not separate from other spheres of potential conflict.
• Many possible forms of offensive operations have not yet been seen.
• Secrecy clouds necessary public discussion.
For more information…
Herb Lin
Chief Scientist, Computer Science and Telecommunications Board
National Research Council
202
email@example.com