Cyberwar: A Whole New Quagmire – Part 1: The Pentagon Cyberstrategy

Summary: In this article, guest author Marcus J. Ranum describes what might become one of the primary forms of conflict in the 21st century. How real is the threat? Is the Department of Defense approaching this in a logical way?

“Mr. President, if that’s what you want there is only one way to get it. That is to make a personal appearance before Congress and scare the hell out of the country.”
— Senator Arthur Vandenberg’s advice to Truman about how to start the Cold War. On 12 March 1947 Truman did exactly that. From Put Yourself in Marshall’s Place, James P. Warburg (1948); in 1941 Warburg helped develop our wartime propaganda programs.

Unless you’ve been sleeping under a rock for the last decade, you’ve probably heard that the US Government is deeply concerned about foreign penetrations into agency networks and critical infrastructure systems. There have been accusations flung, sabers clutched (if not rattled outright) and patriotic calls for help – and money. Rehashing the whole situation is not possible in this space, nor would it be productive, but there are depressing realities about this new field of conflict that we should not sweep under the carpet.

“To prepare our military for emerging cyber threats, we have developed a DoD Cyber Strategy. This strategy holds that our posture in cyberspace must mirror the posture we assume to provide security for our nation overall. Namely, our first goal is to prevent war. We do this in part by preparing for it. And we do so while acknowledging and protecting the basic freedoms of our citizens.”

Remarks on the Department of Defense Cyber Strategy by Deputy Secretary of Defense William J. Lynn III at the National Defense University, 15 July 2011

First, and foremost among them, cyberspace is not a “battlefield” like any other. There’s a search for analogies, as people who really don’t understand computer security try to map concepts onto other, more familiar, concepts in an attempt to dumb them down, but that does not and will not work. If we wish to defend (or attack) successfully in cyberspace, our government needs to understand cyberspace, not militarize cyberspace into something comprehensible. This problem is deceptive because at the level of grand tactics some analogies work, or appear to work: yes, it’s always a good idea to see the enemy before they see you. But, does that apply in an environment in which the defender’s position is always known and the attackers’ is irrelevant?

Recently, someone I was talking to offered the position that “in cyberspace, the best defense is still a strong offense!” until I asked him “why?” All of Napoleon’s smart quips about the military art still sound smart when applied to cyberspace, but they are as useful as forming square to repel cavalry would have been in Afghanistan. Because the notion of location is arbitrary and the size and shape of the battle-space are dynamic, grand tactics rooted in space (and therefore time) ought to be suspect. Perhaps, in cyberspace, the best defense is a strong defense. In fact, if you think about it for a few minutes you’ll realize that because the attacker controls space and time and the defender’s location is fixed, that’s the only way it can be.

I don’t want us to get bogged down in that particular example, though; the broader point is that most of what we think we understand about warfare in cyberspace is probably wrong. For another example, we ought to be talking about logistics if we’re in a battle-space in which our enemy can upgrade their defenses from one moment to the next and disarm us of an entire stack of stockpiled weaponry. Such problems raise the question of whether we even understand what “weaponry” is in cyberspace — or whether we are choosing to avoid the pain of making a sober assessment of the issue. I have written about this more extensively elsewhere {see about the author below} so I won’t repeat myself here.

A more serious problem is that our strategic approach to Information Technology (IT) in the government (and to a lesser degree, the private sector) is running counter-current to improving our defensive posture. At the same time that the government is deeply concerned about the cyber-threat, it is in the process of the greatest-ever migration of technical skills from government employment into the private sector. While we talk about improving our network defenses, we are rushing to outsource management of those networks (and their defenses) thereby making them cheaper, on paper, for the short-term. This mirrors the way in which military logistics has been increasingly outsourced in the real world and similarly it secures its true objective: the transfer of public wealth into private hands. But, in IT you run into a problem, which is that something can be deeply broken but still appear functional until a critical time. It’s hard, in the real world, to build a supply chain that appears to work, but in cyberspace you can easily build a network that appears to be secure – but isn’t.

What we are seeing, over and over again, is that IT security breaches happen because someone was trusted to build a secure network, and they didn’t — but that its weakness went unnoticed because the people who bought and paid for the network have lost any IT security skills that they had, when their brain-trust took higher-paying jobs working for contractors. This is not a new problem, and ought to be familiar to anyone who’s ever taken their car to a mechanic and wondered “what is a ‘framis joint’ and why did I just pay $1000 for one?” If you don’t know the rudiments of how a car works, you are wearing a sign on your back that reads, “Kick me.”

I’ve worked my professional career as a cyber-weapons designer of sorts, starting with firewalls in the late 1980s, intrusion detection in the 1990s, and then log analysis and vulnerability management — and I can tell you that none of this technology is special, and there’s no rocket science. It is absolutely crucial for people to understand that there is no super-secret special intrusion detection algorithm that the DoD will be able to get which is not commercially available right now: because in cyberspace, unlike in real warfare, governments have not been able to monopolize the availability of weaponry. Our government (or any other!) will not be developing a whole new kind of firewall that is dramatically better than the state of the commercial art — simply because the commercial side is where the talent and the evolutionary pressure are: if a system engineer for Palo Alto Networks can figure out a better way to do application screening, they can dominate that market and make a ton of money — there’s zero benefit to keeping that technology under wraps for militarization.

From the opposite side, market pressures are co-evolving attack tools extremely quickly because the Mafiosi who are making millions on online fraud will commission new attack tools and immediately field them. Once again, cyberspace does not look like a traditional battle-space: weapons evolution is fast and furious and must be constant and deeply redundant. Microsoft could push out a new operating system patch, tomorrow, that obsoletes a whole class of attack tools — or a new bug could be discovered, outed, and fixed — all during the course of a weekend.

Imagine trying to explain to a Marine that his way cool battle rifle might suddenly cease to function if the enemy is able to develop a patch against it. Or, that your castle walls could suddenly fall down, Jericho-like, at an extremely inconvenient time. Because there is this huge army of cybercriminals and a substantial core of commercial cyber-weapons builders like myself, the rapid rate of co-evolution in cyberspace is going to make establishing a targeted set of tools extremely expensive. Additionally, a target might be highly individualized — suppose a particular country’s government gets a good deal on a locally manufactured router/switch technology — now, in order to attack them, an attacker would have to develop a whole new weapons stack if they wanted to dominate the target’s router infrastructure.

A final case in point, of which I hope to write more later: Stuxnet. It’s a very interesting combination of in-the-wild attack tools/techniques with a few custom-developed penetration techniques and a payload targeted at a specific subsystem. It is a perfect example of the kind of rapid co-evolution that I’m talking about — whoever put it together did something very timely, very customized, and knew it had a short life-span before it would be found and dissected.

The best defense against something like Stuxnet could not possibly be a strong offense – how can you pre-empt something unknown that was released without attribution? Stuxnet was exactly adequate for its job. How do you prevent such a thing from working on you? You do exactly the opposite of what we’re doing everyplace: you in-house security, in-house IT, and begin to build your infrastructure so that there are unpredictable and unknown barriers within it, including critical sections that are air-gapped and closely monitored. Yes, that is expensive and inconvenient. The question is whether the alternative is even more expensive and inconvenient.

About Marcus J. Ranum, from his website

Marcus J. Ranum is the author of The Myth of Homeland Security (2003), and writes at his website about homeland security and computer security.

He is a world-renowned expert on security system design and implementation. He is recognized as an early innovator in firewall technology, and the implementor of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR’s Network Flight Recorder intrusion detection system.

He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC “Clue” award for service to the security community, and the ISSA Lifetime Achievement Award. Marcus is Chief Of Security for Tenable Security, Inc., where he is responsible for research in open source logging tools, and product training. He serves as a technology advisor to a number of start-ups, established concerns, and venture capital groups.

Other publications:

For More Information

  1. “War Logs On: Girding America for Computer Combat”, Bruce D. Berkowitz (RAND, coauthor of Best Truth: Intelligence in the Information Age), Foreign Affairs, May/June 2000 — “In Kosovo, America stumbled into the age of computer warfare. Now Washington must think hard about how to attack its foes’ electronic networks and defend its own.”
  2. “Securing the Information Highway – How to Enhance the United States’ Electronic Defenses”, Wesley K. Clark and Peter L. Levin, Foreign Affairs, November/December 2009
  3. Obama knows how to lead America by exploiting our fears, 5 June 2009 — About cyberwar
  4. “Defending a New Domain – The Pentagon’s Cyberstrategy”, William J. Lynn III, Foreign Affairs, September/October 2010

This post originally appeared at Fabius Maximus and is reproduced here with permission.