10 things you should know about the Pentagon's new cyberwarfare strategy

Summary: Without a doubt, someday you, too, will have to defend against a cyberattack.

TOPICS: China, CXO, Security

Three related events this week caught the attention of security professionals and news organizations everywhere.

The first was when defense contractor Lockheed Martin announced it had been hit by a cyberattack. The second was when a Pentagon spokesman said the U.S. might consider a cyberattack to be an act of war (and might respond with physical force). The third news story was of another attempted penetration of Google's systems from China, this time phishing for Gmail account information from senior U.S. officials.

These events are a continuance of the ongoing trend of digital attacks. They are noteworthy in context because they're helping us see how cyberspace is finally being formally integrated into international policy.

See also: The Obama Cyberdoctrine: tweet softly, but carry a big stick

Last night, I was back on BBC radio, where we discussed many of the issues surrounding the formalization of cyberdefense policies. During the interview, it became clear that there were a bunch of questions people on both sides of the pond had about what these new policies mean, and if they indicate a new aggressiveness on the part of the United States.

To clear up some of the confusion, I've listed ten things you should know about America's new cyberdefense policies.

1. Attacks can be symmetrical or asymmetrical.

In warfare, the attackers and defenders aren't always evenly matched. We've all seen what modern bombers can do to a small village, but many people don't realize that cyberwarfare flips the equation, making it much more costly to defend than attack.

For example, any small group with a pile of PCs (or even PlayStations) can mount a hugely damaging attack, especially if they make use of zombie botnets as a force multiplier.

This means that while the attackers only have to aim at one target, the nation states have to defend every possible target from every possible attack. The cost of defense can be wildly more expensive than the cost of attack.

This changes the entire budgetary calculus of war. Take tank warfare, for example. Back in the days of tank warfare, each side needed to come up with the necessary resources to build and buy tanks -- an expensive endeavor. The nuclear race was even more costly, costing in the billions (and, nearly -- in today's dollars -- the trillions) to develop.

By contrast, a PC capable of launching a digital attack of mass destruction might cost a few hundred bucks. Defending against those attacks could cost billions.

2. Responses can be proportionate or disproportionate.

Most so-called civilized nations try to practice what's called a proportionate response when attacked. You shoot down one of our passenger airplanes, we'll shoot down one of your military jets. The idea is that for each action, there's a relatively equal reaction.

Most Western nations distinguish between valid military targets and those of unarmed civilians. Many less-than-civilized nations often take advantage of our perception of right and wrong, and use human shields to safeguard high-value military targets.

The problem with a cyberattack is that the attacking force could be scattered across the countryside. One guy could be working out of Mom's basement, while another attacker might be working out of a barn in a cornfield. It's quite difficult, therefore, to pinpoint one exact base of attack and simply destroy that.

It's difficult, but not impossible. We are capable of surgical strikes, whether from the air or with feet on the ground. Digital attackers will do their best to hide or misrepresent who they are or where an attack is coming from. This makes a physical response to a cyberattack difficult, but not impossible. Remember that once you move beyond the digital domain, forensics, research, and good old investigatory skills still work.

Attackers need to eat, they need a network connection, they need to communicate, and all of these activities leave footprints that a defender can find and use as a basis for retaliation.

3. With every new battlespace comes new policies, strategies, and rules of engagement.

This isn't the first time nations have had a new battlespace to explore. Back in ancient times, boats couldn't get very far from shore. But once they could, deep sea battles became possible, and a whole new array of policies, strategies, and rules of engagement became necessary. Once the battle went undersea and up in the sky, still new warfighting techniques needed to be developed.

Cyberspace is merely another battlespace. The weapons are different, but the bottom line is still the same: defend against attacks, and teach attackers that it's a very, very bad idea to ever attack again.

The United States is currently working on formulating its new rules for the new battlespace. This is a good thing (if you're on our side, of course).

4. In cyberwar, like in real war, the combatants aren't only nation states.

We often think of war as being fought between nations. But the reality of war is that it's often fought by many different factions, with vague and changing loyalties to different flags. Terrorism is a good example of this. We're not fighting an individual country, but a series of groups, often supported and helped by various countries practicing their own personal form of plausible deniability.

Cyberwarfare has the same challenge. This week, two companies were attacked: Google and Lockheed Martin. It's not clear that either attack originated from a nation state (although the attack on Google apparently originated in Jinan, a Chinese town with a big military installation and Lanxiang Vocational School, an educational institution with strong military/industrial ties).

5. Nations will always ultimately reserve the right to respond with force to a deadly threat.

I was asked by BBC presenter Giles Dilnot if the Pentagon statement speaking of the "use of force" scenario indicated that the United States was more serious about cyberattacks. To some degree, the answer is "Yes". The U.S. has always been serious about attacks of any nature; it's just that we're beginning to integrate this new battlespace into our more formal planning.

No matter what any diplomat (from any country) will tell you, nations always, always reserve the right to respond with force to a deadly threat. One of the fundamental purposes of governance is the protection of the population and the interests of the State. Therefore, no responsible government can rule out using whatever means is necessary to protect its people.

6. Nations are always researching new weapons systems, both offensive and defensive.

So here's the $60,000 question: if the U.S. has acknowledged it's working on defensive digital weaponry, does that mean the U.S. is also working on offensive weaponry, digital weapons to attack the digital attackers?

Quite obviously, I can't answer that in any detail. But I can tell you that nations are always researching new weapons systems. It would be foolish to only research defensive systems.

7. Just because there's a policy in place, that doesn't mean it's going to be put to use.

A related question I was asked was whether or not the Pentagon's stance implied they're going to start attacking digital adversaries. My answer is that given the number of cyberattacks (they're virtually constant), it's certainly likely that a retaliatory attack will happen at some time in the future.

But that's not the point. The point is that civilized nations plan, they work through eventualities, they establish chains of command, they determine spans of authority, they develop rules of engagement -- and they do all this, hopefully, before there are any immediate plans for attack or escalation. So, just because we're putting professional warfighting policies in place, that doesn't mean we're planning on attacking anyone tomorrow.

8. Just because powerful nations can attack any target, that doesn't mean they will.

I was asked a funny question. I was asked that now that this policy is taking form, did that mean that if someone attacked the U.S., we'd turn around and attack their social health care system or something similar.

Separating out the obvious fact that we've been too busy destroying our own health care system to mess with that of another country, and that no attacker can do more damage to health care policy than our very own precious politicians, the answer is pretty much "no."

Here's the thing. We don't attack civilian targets unless they're specifically being used as weapons of war. If a large group of soldiers is using the Internet to attack core systems in the United States, we may retaliate, but our goal would be to stop the attacks and shut down the attackers' facilities. It wouldn't be to randomly target, for example, hospitals and schools.

Of course, if some rogue nation were to build a network solely for the purpose of housing an attacking engine, specifically as an attempt to mislead (or play a PR war), then the scope of the response would reflect the scale of the threat.

9. Your single best course of action is to be our friends, not our enemies.

The bottom line in this is simple. If you try to hurt the United States, the United States is continually refining its capabilities to respond. It's a much, much smarter (and safer) strategy to simply play nice with Uncle Sam.

10. Learn more about cyberthreats and cyberattacks.

I've written a lot on this topic over the years. Here's some good reading that'll bring you up to speed.

There you go. That's a lot to digest in one sitting, but if you're going to be in IT, you need to be aware of this issue. Without a doubt, someday you, too, will have to defend against a cyberattack.

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

  • You make some worrisome assumptions

    The most troubling one is your assumption that an attack on Google or Lockheed Martin is equivalent to an attack on the US Government or citizens. Where does that definition end? Hacking Walmart.com or iTunes counts too? Then we will be "at war" with pretty much every country in the world that a hacker could call home.

    Even if foreign governments are involved, there is still a big difference between intelligence-gathering (spying) and destructive attacks. The US has practiced intrusive intelligence operations against Russia and China for decades, but they have not resorted to general retaliatory strikes against US installations or territory, although I guess it remains an option available to them.

    Cyberwarfare is a gross misnomer that is ripe for abuse. Is it "war" if an American criminal steals the credit card number of a Chinese citizen somewhere in the globe? No. Is it "war" if the NSA monitors Google and Baidu searches (which they do) as part of intelligence operations? Maybe. Is it "war" if a foreign power hacks a Predator data feed and crashes a drone on a combat mission? Probably. Is it "war" if anyone hacks a SAC control system and attempts to launch a nuclear missile? Certainly. Yet people seem to equate cyberwarfare with all of these activities.

    Finally, a lot of this is old news. Our company network is "attacked" about 1500 times per day. This doesn't include brute-force scanning or spam floods. As you mention, it is expensive to defend against so many different kinds of attacks, but then so are the fences, doors, locks, and security guards that protect us from physical harm. It's just part of life now.
    terry flores
    • Thank you.

      @terry flores

      Thanks Terry. That's pretty much what I was thinking.

      I had a "stop in tracks, poop pants" moment first time I heard WMD, I believe it came in vogue in the Clinton era.

      Anyhow, my being a Vet and a SAC Trained Killer/ Nuclear Warrior WMD is a Nuke.

      But they started tossing the term around in reference to Chem/ Bio. Chem and Bio kill and murder but they don't 'destroy' anything. Least not like my weapon system.

      So now Cyber Attack is going to mean everything from someone trying to hack my PC to getting inside a Nuclear Powerplant and forcing it to go to Chernobyl?

      (Shakes head, walks away muttering about the cheapening of language).
    • Assumptions aside the reality is...

      @terry flores The difference is really in who is making the determination of war. Since we are the dominant military power on this planet we have the luxury of defining acts of war however we please, be it an attack on US soldier and citizens or an attack on US military contractors. I'm not necessarily saying that that's right or wrong what I'm saying is for good or for ill we are the only nation in any position to make that type of determination and as such if we decide to call it an act of war then it is, for all practical intents and purposes, an act of war simply because there is no one else who can oppose us, either for lack of military might or for their own self interest.

      Until we have a proper opposite number in the geo-political scene we can act unilaterally in determining what constitutes an attack and our level of response, which will likely be grossly disproportionate to the actual attack itself. While China comes close to being that opposite number the fact that their industrial base is fueled by our rampant consumer culture they have nothing to gain by opposing us in any serious way. They might rattle the sabre and oppose us politically in the UN but, they need us to buy their cheap crap just as much as we need them to keep making it. The fact of the matter is during and immediately after World War II we created a geo-political pattern that favors us and now the world is locked into that pattern. Barring a catastrophic change I don't see anyone breaking us out of it and so we will continue to enjoy the freedom of projecting military force however we see fit and defining our enemies however we see fit.
    • Everything was hunky dory and believable until ....

      @terry flores
      .... he threw his political views into the discussion.
      Bad strategy. Makes even the best logic look questionable!
    • RE: 10 things you should know about the Pentagon's new cyberwarfare strategy

      @terry flores
      Well said. And, to boot, does the West really think there are no nerds in China who might be looking for some fun. Maybe some sort of gov't to gov't tit-for-tat, but then again not. This evil mantra Gewirtz has about China advances nothing about UNDERSTANDING China and shows his '50s brainwashing about how the world operates.
  • RE: 10 things you should know about the Pentagon's new cyberwarfare strategy

    Hmm yes we have to as Nation, we don't want the movie Live free or Die hard played out in real life and Security professionals and defenders we have to make right steps to secure our customers and clients and networks we paid to secure make the more work I.T firms to either partner up or Alliance with each other in Security Business remember RSA Security was hacked not too long ago and Lockheed Martin I don't need to say anymore because this represents clear and present danger for everyone in the US and US allies we are covering our bases
  • RE: 10 things you should know about the Pentagon's new cyberwarfare strategy

    LOL not if you don't use computers and software. See if we abandon this useless technology then cyber attacks will not happen
    • not if you don't use computers and software


      you first
      • Luddite is a misused term


        Luddites are commonly portrayed as being anti technology when in reality the Luddite movement was trying to assure they would have a place in the new technologies.

        It was a thing about the talent being taken from the hands of the Craftsman/woman and being put into machines.

        Luddites were just trying to make sure they could still eat.
    • RE: 10 things you should know about the Pentagon's new cyberwarfare strategy

      @Luddite24 So, why are you on this site again?
  • Suggestion for an interesting article

    There's lots of ways in which cyberwarfare is in fact an all-new, different modality of attack. It would be interesting to hear discussion of that as well.
  • RE: 10 things you should know about the Pentagon's new cyberwarfare strategy

    "To clear up some of the confusion, I've listed ten things you should know about America's new cyberdefense policies."

    You never said where you assimilated that info from. Was it from the meetings or simply your own opinions and comments?
    • RE: Opinions

      @tom@... I've been reading this blog for long enough to fairly safely be able to say most of this is from his own opinions. Not that I disagree with a lot of it.
  • RE: 10 things you should know about the Pentagon's new cyberwarfare strategy

    You know what the scariest implication of cyberwarfare is? The way it interacts with copyright abuse.

    The DMCA makes it legal for a copyright owner to hack your computer in the name of protecting their copyright interests. Once that's legal, we've seen an explosion of DRM technology that just keeps getting scarier to those paying attention.

    A lot of computers being sold today have what's called a TPM chip, which is designed as hardware-based DRM that integrates directly with the OS and the hardware at the lowest levels. It's designed to make DRM harder to crack, and if you have one of these, your computer does not belong to you in a very real sense.

    These computers are being sold to consumers, corporations and governments, and that ought to terrify anyone with any knowledge of security. It means that all an unfriendly nation needs to do to be able to launch a devastating cyber-attack at will 5-10 years down the road is infiltrate one engineer into the right division at Microsoft. And it's difficult to imagine any scenario short of a full-scale nuclear attack that could do as much damage to America as quickly as that could.

    Remember back in the 90s, all the hoopla about the US government classifying encryption technology as "munitions"? They really need to revisit that attitude and classify DRM of any type, especially something as low-level as the TPM chip, as "weapons of mass destruction."
  • Let us first define the term "war".

    Most dictionaries list the first definition of war as: "A state of armed conflict between different nations or states or different groups within a nation or state". Other definitions are: "A state of competition, conflict, or hostility between different people or groups" or
    "A sustained effort to deal with or end a particular unpleasant or undesirable situation or condition" http://www.google.com/#hl=en&q=war&tbs=dfn:1&tbo=u&sa=X&ei=KrnnTfjTJsH2gAem_LyUCw&sqi=2&ved=0CBoQkQ4&fp=53cf7641f0395678&biw=1173&bih=811, 2 Jun 2011.

    I come from a military background. Competition, conflict, or hostility, or a sustained effort to deal with or end something is not a war. High schools do not "go to war" with each other. Husbands and wives do not normally "go to war" with each other. My mother-in-law and I are not "at war" with each other. And merely keeping beavers from eating my blueberry bushes is not a "war".

    A war then, is a state of conflict in which violence and destruction are used to achieve a specific goal. The use of arms is how you cause that violence and destruction.

    A cyber attack is not automatically an act of war. If it is by one person or a small Non-Governmental Organization, it's not war. It might be merely an act of espionage, viewing or copying the information found. It might be an act of vandalism, where a tag or message is placed on a web page saying, "We were here", or "You have a hole in your security." These are not acts of war, as no violence has been done, and while annoying, no real destruction has occurred. We're talking about cyber crime and cyber criminals.

    A cyber attack is an act of war if information is destroyed either by deletion or modification; or access to that information has been degraded by altering logins, file table alterations, or a DDOS. A cyber attack is an act of war if by means of deletion, modification, or denial, it causes injury to a person or damage to property. Hacking into a metro transportation message board causing drivers on the freeway to have an accident is one example. Hacking into the controls of a nuclear plant and causing a release of materials is another. Hacking into the robotic controls to trash a Toyota manufacturing plant is yet one more. The other component for this to be a war is that these attacks must be conducted by a group under the auspices of a nation, state, or moderate to large NGO.

    You can have a war between the Hatfields and McCoys (although that's more of a feud, not big enough to be a war, as NGOs the families are too small), the Crips and the Bloods, between two Mafia families, between the U.S. and al Qaeda, or between the U.S. and Iran or North Korea, or China.

    One last bit on cyber war. Cyber war (and cyber crime) is pure guerrilla warfare. The attackers always strike from concealment, almost always without warning. And the attackers usually are flying under false colors; either to obscure who they are, or to implicate an enemy into being punished by a third party.
    • RE: 10 things you should know about the Pentagon's new cyberwarfare strategy


      Outstanding, good 'Doctor'. The only thing you and David didn't add is that 'serious looking/sounding' threats, diplomatic blackmail and Policies specifically designed to cause psychological weakness in the fabric of the motivation of potential attackers can also be used because they are legal and can be extremely effective.
      A Sovereign nation under any perceived threat reserves the right to defend, or try to defend, itself by any means possible barring devastating consequences.
      Shigan bi ekun
  • My Cyberendoctrine . . .

    What if your stick is outsized? and perhaps your soft tweets are loudly projected and heard, by the wrong people?

    [First, carry a big stick, then tweet softly, and if you're really paranoid, then just don't give anyone a reason to want to intrusively hack your computer network in the first place... - this is in my opinion the only and truest way to be safe! ]
  • My question is,

    Why the Hell are core systems accessible via the internet in the first place?

    I know, I know, It's cheap and easy.

    Well, Kids, not everything is easy.

    If one wants things like the Power Grid and nuclear weapons, or systems that could cause destruction / collapse, but don't want to make the hard decision of implementing actual private networks, then the wrong person is in the position of making those decisions.
  • RE: 10 things you should know about the Pentagon's new cyberwarfare strategy

    "but many people don't realize that cyberwarfare flips the equation, making it much more costly to defend than attack."

    Disconnect my computer from the Internet, switch my iPod to airplane mode. Seriously doubtful I'll want to be on the Internet while a "cyberwar" is raging. Wait for the "cyberwar" to finish. Solved.