My apologies for not updating the site the last few days, but alas was at SC Congress (Canada)...as a booth babe of course...

By Kenneth Geers, 1/24/2012



The establishment of the US Cyber Command in 2010 confirmed that cyberspace is a new domain of warfare. The computer is not only a target but also a weapon. Therefore, national security thinkers must find a way to incorporate cyberattacks and defense into military doctrine as soon as possible.

The world’s most influential military treatise is Sun Tzu’s Art of War. Its compelling and adaptive wisdom has survived myriad revolutions in technology and human conflict. And its tactics and strategies have been applied to other disciplines, including business, sports, and personal relationships. Future cybercommanders will also find Sun Tzu’s guidance beneficial. For example, on defense, he warns leaders never to rely on the good intentions of others or to count on best-case scenarios. This is sound advice in cyberspace, because computers are attacked from the moment they connect to the Internet.

Here’s a quote from the section “Variation in Tactics”:

The Art of War teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

On offense, cyberattacks are likely to play a leading role in future wars, where the nature of the fight could be, above all, over IT infrastructure. A cyber-only war might even please Sun Tzu, who argued that the best leaders can attain victory before combat is necessary: "The best thing of all is to take the enemy’s country whole and intact… Supreme excellence consists in breaking the enemy’s resistance without fighting."

In theory, cyberwarfare might be a good thing for the world if it makes future conflicts shorter and costs fewer lives, which could facilitate economic recovery and post-war diplomacy.

However, it may be difficult to write military doctrine for many aspects of cyberconflict that are truly revolutionary. Here are no fewer than 10 to consider:

1. The Internet is an artificial environment that can be shaped in part according to national security requirements.
2. The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them.
3. The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.
4. Software updates and network reconfigurations change cyberbattle space unpredictably and without warning.
5. Contrary to our historical understanding of war, cyberconflict favors the attacker.
6. Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.
7. The difficulty of obtaining reliable cyberattack attribution lessens the credibility of deterrence, prosecution, and retaliation.
8. The “quiet” nature of cyberconflict means a significant battle could take place with only the direct participants knowing about it.
9. The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking.
10. There are few moral inhibitions to cyberattacks, because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering.

The world’s top military thinkers, including Sun Tzu, can help modern organizations fill the holes in their cyberdefenses, but it will take many years to incorporate all the revolutionary aspects of cyberconflict into military doctrine.

— Kenneth Geers, NCIS Cyber Subject Matter Expert

http://www.internetevolution.com/author.asp?section_id=628&doc_id=237983

---

The Art of Cyberwar II

By Kenneth Geers, 5/9/2012

My blog, The Art of Cyberwar, posted on Internet Evolution this past January, described 10 revolutionary aspects of conflict in cyberspace. Based on the feedback I received, I've decided to revisit each of the 10 aspects with a new view based on what I've learned from many comments. Here is my list:

1. Environment
My original statement: The Internet is an artificial environment that can be shaped in part according to national security requirements.

What I've learned: How free or politically stable a country is will help to determine its network security and its preparations for cyberwar. Authoritarian governments will take draconian action, which increases security in the short run, but decreases it in the long run.

2. Proliferation
My original statement: The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them.

What I've learned: Other types of weapons also proliferate quickly. The key for cyberdefense is to organize the attacks into logical groups and defend them as a class of attacks. For example, there are many types of SQL injection, but the same basic defenses are effective against most of them.

3. Proximity
My original statement: The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.

What I've learned: Similar to air power, cyberwarriors can attack but may not be able to seize and hold ground. However, information is an increasingly tangible asset and Denial of Service -- perhaps the "go to" cyberweapon of future conflicts -- can deny its use. Large bandwidth matters when the aggressor is using brute force, but most other cyberattacks fall within normal bandwidth.

4. Unpredictability
My original statement: Software updates and network reconfigurations change cyber battlespace unpredictably and without warning.

What I've learned: This dynamic benefits cyberdefense -- attackers cannot be sure their plans will succeed until they pull the trigger. Cyberattackers benefit from the ability to quickly shift the point of their attack, but defenders can create a unique, deceptive environment, which may be the equivalent of a "home field" advantage to a sports team. For both sides, military doctrine emphasizes hoping for the best and planning for the worst.

5. Advantage
My original statement: Contrary to our historical understanding of war, cyberconflict favors the attacker.

What I've learned: Like pirates, cyberattackers possess a short-term, tactical advantage, but not a long-term strategic advantage. When the element of surprise is gone, and especially if positive attribution is made, more traditional advantages (size, strength, etc.) will determine the victor in a major conflict. Unfortunately for tactical defenders, some critical infrastructure IT is so old that it is no longer under warranty and cannot be upgraded.

6. Flexibility
My original statement: Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.

What I've learned: This dynamic highlights the fact that cyberwar is not separate from physical war, but just one aspect of many different ways of making war. Cyberespionage does not really steal something, just copies it, but potentially millions of times over. Speaking of which, propaganda may be the most powerful cyberattack due to the pure amplification power of the Internet.

7. Attribution
My original statement: The difficulty of obtaining reliable cyberattack attribution lessens the credibility of deterrence, prosecution, and retaliation.

What I've learned: This is more difficult in traditional conflict than we think. For example, spies use stolen passports. A crucial difference in cyberspace is the ease of entry onto the battlefield -- this makes the number of potential adversaries much higher. However, if and when real cyberwar takes place, the attacker's identity will be clear.

8. Quiet
My original statement: The "quiet" nature of cyberconflict means a significant battle could take place with only the direct participants knowing about it.

What I've learned: This is also more true of traditional conflict than we know -- most wars do not have embedded reporters and 24/7 TV coverage. Cyberwar evaluation may be effects-based. If nothing happens in meat space, who cares? If there is property destruction or loss of human life, someone should be held accountable.

9. Subjectivity
My original statement: The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking.

What I've learned: Commercial enterprises cannot defend against nation-state attacks or afford the cyber equivalent of surface-to-air missiles. Is the military destined to defend public utilities and even our home computers? Is legislation required to mandate best-practices? For companies, profit is far more important than security -- but at what point is inattention to security a crime?

10. Morality
My original statement: There are few moral inhibitions to cyberattacks because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering.

What I've learned: The existence of vulnerabilities does not justify an attack. Short-term gains from hacking are undermining the long-term integrity of the Internet. We must try to avoid the unnecessary militarization of cyberspace. Civilians, far from any battlefront, are a logical cybertarget. How about an international non-aggression pact covering national critical infrastructures?

http://www.internetevolution.com/author.asp?section_id=628&doc_id=243679&f_src=internetevolution_gnews

---