The most troubling one is your assumption that an attack on Google or Lockheed Martin is equivalent to an attack on the US Government or citizens. Where does that definition end? Hacking Walmart.com or iTunes counts too? Then we will be "at war" with pretty much every country in the world that a hacker could call home.
Even if foreign governments are involved, there is still a big difference between intelligence-gathering (spying) and destructive attacks. The US has practiced intrusive intelligence operations against Russia and China for decades, but they have not resorted to general retaliatory strikes against US installations or territory, although I guess it remains an option available to them.
Cyberwarfare is a gross misnomer that is ripe for abuse. Is it "war" if an American criminal steals the credit card number of a Chinese citizen somewhere in the globe? No. Is it "war" if the NSA monitors Google and Baidu searches (which they do) as part of intelligence operations? Maybe. Is it "war" if a foreign power hacks a Predator data feed and crashes a drone on a combat mission? Probably. Is it "war" if anyone hacks a SAC control system and attempts to launch a nuclear missile? Certainly. Yet people seem to equate cyberwarfare with all of these activities.
Finally, a lot of this is old news. Our company network is "attacked" about 1500 times per day. This doesn't include brute-force scanning or spam floods. As you mention, it is expensive to defend against so many different kinds of attacks, but then so are the fences, doors, locks, and security guards that protect us from physical harm. It's just part of life now.
Three related events this week caught the attention of security professionals and news organizations everywhere.
The first was when defense contractor Lockheed Martin announced it had been hit by a cyberattack. The second was when a Pentagon spokesman said the U.S. might consider a cyberattack to be an act of war (and might respond with physical force). The third news story was of another attempted penetration of Google’s systems from China, this time phishing for Gmail account information from senior U.S. officials.
These events are a continuance of the ongoing trend of digital attacks. They are noteworthy in context because they’re helping us see how cyberspace is finally being formally integrated into international policy.
See also: The Obama Cyberdoctrine: tweet softly, but carry a big stick
Last night, I was back on BBC radio, where we discussed many of the issues surrounding the formalization of cyberdefense policies. During the interview, it became clear that there were a bunch of questions people on both sides of the pond had about what these new policies mean, and if they indicate a new aggressiveness on the part of the United States.
To clear up some of the confusion, I’ve listed ten things you should know about America’s new cyberdefense policies.
1. Attacks can by symmetrical or asymmetrical.
In warfare, the attackers and defenders aren’t always evenly matched. We’ve all seen what modern bombers can do to a small village, but many people don’t realize that cyberwarfare flips the equation, making it much more costly to defend than attack.
For example, any small group with a pile of PCs (or even PlayStations) can mount a hugely damaging attack, especially if they make use of zombie botnets as a force multiplier.
This means that while the attackers only have to aim at one target, the nation states have to defend every possible target from every possible attack. The cost of defense can be wildly more expensive than the cost of attack.
This changes the entire budgetary calculus of war. Take tank warfare, for example. Back in the days of tank warfare, each side needed to come up with the necessary resources to build and buy tanks — an expensive endeavor. The nuclear race was even more costly, costing in the billions (and, nearly — in today’s dollars — the trillions) to develop.
By contrast, a PC capable of launching a digital attack of mass destruction might cost a few hundred bucks. Defending against those attacks could cost billions.
2. Responses can be proportionate or disproportionate.
Most so-called civilized nations try to practice what’s called a proportionate response when attacked. You shoot down one of our passenger airplanes, we’ll shoot down one of your military jets. The idea is that for each action, there’s a relatively equal reaction.
Most Western nations distinguish between valid military targets and those of unarmed civilians. Many less-than-civilized nations often take advantage of our perception of right and wrong, and use human shields to safeguard high-value military targets.
The problem with a cyberattack is that the attacking force could be scattered across the countryside. One guy could be working out of Mom’s basement, while another attacker might be working out of a barn in a cornfield. It’s quite difficult, therefore, to pinpoint on exact base of attack and simply destroy that.
It’s difficult, but not impossible. We are capable of surgical strikes, whether from the air or with feet on the ground. Digital attackers will do their best to hide or misrepresent who they are or where an attack is coming from. This makes a physical response to a cyberattack difficult, but not impossible. Remember that once you move beyond the digital domain, forensics, research, and good old investigatory skills still work.
Attackers need to eat, they need a network connection, they need to communicate, and all of these activities leave footprints that a defender can find and use as a basis for retaliation.
