Cyber War Pre-emption Is The Key to Defense

The United States' best defense against a crippling cyber attack could be a more visible offense, military leaders and other experts recently suggested at the Army War College in Carlisle. Then they stopped talking.
The nation's cyber attack capabilities are so cloaked in secrecy that they could not say anything specific in an unclassified forum — even an invitation-only, closed-door strategy session.

That mystery could be a problem for deterring adversaries, says Mark Troutman, a participant in the forum and director of the Center for Infrastructure Protection and Homeland Security at George Mason University in Fairfax, Va.
“If you want a deterrent effect, the capability has to be known,” Troutman said, “and there has to be the perception that the resolve is there to use it.”

Or as Dr. Strangelove put it in Stanley Kubrick's Cold War thriller: “The whole point of the doomsday machine is lost if you keep it a secret. Why didn't you tell the world, eh?”
Increasingly, top security officials worry about computer attacks that could shut down the nation's systems for energy, banking, communications and more. A computer problem last month — which might or might not have been triggered by Anonymous hackers — closed the New York Stock Exchange for more than three hours.
Many former Cold War warriors believe prevention should start with the computer-age equivalent of nuclear deterrence and a promise of mutually assured destruction.
“The deterrence issue here is harder,” said Paul Kaminski, chairman of the Defense Science Board. “We have to give this more thought. As complicated as nuclear deterrent was, this is more complicated because there's less clarity in the actions.”
He and some others interviewed for this story were not at the war college talks.
After World War II, no one doubted that the United States possessed atomic power and would use it with devastating effect, experts said.
“Remember, the nuclear deterrent involved catastrophic weapons, and so nobody was fooling around with nuclear weapons, not even in tiny wars,” said Patrick Morgan, former Tierney Chair for Peace & Conflict at the University of California, Irvine. “But in cyber, we get attacks all the time. ... The rate at which cyber attacks go on is just astronomical.”
No rules is the rule

Cyber attacks often are more similar to intelligence operations or crimes than acts of war by the military, said Will Goodman, vice president for policy at the National Defense Industrial Association, an Arlington, Va., trade group.
“What the cyber domain needs most is a clear set of normative behaviors ... that, by custom or agreement, are allowed and not allowed,” Goodman said.

It's not clear what the United States can do online or how it will respond to specific attacks. Last month, National Intelligence Director James Clapper said the country lacks the substance and the psychology of deterring cyber incidents.
“Until such time as we come up with a form of deterrence that works, we're going to have more and more (computer attacks),” he said at The Aspen Institute's annual security forum in Colorado.
When word of possible exploits leaks out — such as the Stuxnet attack on Iran's uranium enrichment program — the nation's leaders avoid taking credit.

Even after President Obama blamed North Korea for hacking into computers at Sony Entertainment last year, the nation's response remained unclear. Some speculated the United States shut down North Korea's Internet, but Clapper said the only action was to sanction individual North Koreans.
“It was a conscious decision not to reciprocate in-kind,” he said.
Cyber deterrence can be harder to accomplish because of the nature of the attacks, Kaminski said. For nuclear detonations, it's typically clear who set off the bomb and what impact it had. Computer attacks can take place quietly with little evidence of where they started, although experts say attribution is getting easier.

While the United States might be able to deter foreign countries from carrying out computer attacks, others — terrorists, activists and individual computer experts — are gaining expertise that rivals small nations, experts said.
Secrecy can be important to the nation's cyber military programs, Kaminski said. The United States often wants to be stealthy about its sources and methods for online activity.
“Talking more about our cyber capabilities could cause our adversaries to fear our retaliatory capabilities,” Goodman said. “But it could also inform our adversaries about where they are vulnerable and help them improve their defenses.”
Some secrecy can be good as long as other countries over-estimate the United States' cyber capabilities, said Jim Lewis, a security expert at the Center for Strategic & International Studies, a Washington think tank.
But deterrence will not work if adversaries believe the United States will not retaliate, he added.

The Office of Personnel Management has said its systems were hacked and that the records of 22 million federal employees, contractors and people who applied to work for the government were stolen. The Obama administration has been largely silent on the source of the attacks except for Clapper, who said: “You have to kind of salute the Chinese for what they did.”
For a while after the intrusion became public, Chinese leaders were worried about what would happen, Lewis said.
Then nothing did.
“There's a whole range of things you could do,” Lewis told the Trib. “What we tend to be good at is generating excuses not to use them. ... The Chinese know that we know it's them, and we haven't done anything. So that's the message we're sending.”
For deterrence to be effective online, the United States will have to be more assertive about the consequences for intrusions, he said.
“We know that what we're doing now doesn't work,” Lewis said. “... I can see being cautious, but coming up with excuses about why we can't do anything mean to the Chinese only emboldens them.”

TribLive: http://bit.ly/1IEo058

 

« Gateway For Hackers
Australian Degree Course on Cyber War and Peace »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Security Research Labs (SRLabs)

Security Research Labs (SRLabs)

Security Research Labs is a Berlin-based hacking research collective and consulting think tank.

ARC Advisory Group

ARC Advisory Group

ARC is a leading technology research and advisory firm with expertise in both information technologies (IT) and operational technologies (OT)

4iQ

4iQ

4iQ fuses surface, social, deep and dark web sources to research and assess risks to people, infrastructure, intellectual property and reputation.

Digital Guardian

Digital Guardian

Digital Guardian is a next generation data protection platform designed to stop data theft.

NEC

NEC

NEC offers a complete array of solutions to governments and enterprises to protect themselves from the threats of digital disruption.

Innotec Security

Innotec Security

Innotec Security is a Spanish company specializing in cybersecurity-as-a-service, cyber resilience and cyber risk management.

Cyber Security Academy (CSA)

Cyber Security Academy (CSA)

The CSA aims to educate professionals who wish to contribute to strengthening the digital defensibility of states, organisations and individual citizens.

Carson McDowell

Carson McDowell

Carson McDowell are one of Northern Ireland's leading law firms. We are the law firm of choice for many of Northern Ireland's Top 100 companies as well as international companies doing business here.

Cyber Protection Group (CPG)

Cyber Protection Group (CPG)

Cyber protection Group specialize in Penetration Testing. We work with enterprise level companies as well as small to medium sized businesses.

Coralogix

Coralogix

Coralogix are rebuilding the path to observability using a real-time streaming analytics pipeline that provides monitoring, visualization, and alerting capabilities without the burden of indexing.

Ostra Cybersecurity

Ostra Cybersecurity

As a next-generation MSSP, Ostra Cybersecurity combines best-in-class tools, proprietary technology and exceptional talent to deliver Fortune 100-level protection for businesses of all sizes.

Moro Hub

Moro Hub

Moro Hub, a subsidiary of Digital DEWA, is a UAE-based digital data hub focused on digital transformation and operational services.

Silk Security

Silk Security

Silk is the first platform that enables enterprises to take a strategic, sustainable approach to resolving code, infrastructure and application risk.

RapidSpike

RapidSpike

RapidSpike is the only website monitoring solution that focuses all three key aspects of website health: performance, reliability AND security.

Praxis Security Labs

Praxis Security Labs

Praxis Security Labs is a research driven cybersecurity company that helps our customers to reduce risk and improve security.

Redefine

Redefine

Redefine are Crypto-Native, Cyber Experts, and Blockchain Believers. We are here to make Web3 anti-fragile, safe and accessible to all.