Three related events this week caught the attention of security professionals and news organizations everywhere.
The first was when defense contractor Lockheed Martin announced it had been hit by a cyberattack. The second was when a Pentagon spokesman said the U.S. might consider a cyberattack to be an act of war (and might respond with physical force). The third news story was of another attempted penetration of Google's systems from China, this time phishing for Gmail account information from senior U.S. officials.
These events are a continuance of the ongoing trend of digital attacks. They are noteworthy in context because they're helping us see how cyberspace is finally being formally integrated into international policy.
See also: The Obama Cyberdoctrine: tweet softly, but carry a big stick
Last night, I was back on BBC radio, where we discussed many of the issues surrounding the formalization of cyberdefense policies. During the interview, it became clear that there were a bunch of questions people on both sides of the pond had about what these new policies mean, and if they indicate a new aggressiveness on the part of the United States.
To clear up some of the confusion, I've listed ten things you should know about America's new cyberdefense policies.
1. Attacks can by symmetrical or asymmetrical.
In warfare, the attackers and defenders aren't always evenly matched. We've all seen what modern bombers can do to a small village, but many people don't realize that cyberwarfare flips the equation, making it much more costly to defend than attack.
For example, any small group with a pile of PCs (or even PlayStations) can mount a hugely damaging attack, especially if they make use of zombie botnets as a force multiplier.
This means that while the attackers only have to aim at one target, the nation states have to defend every possible target from every possible attack. The cost of defense can be wildly more expensive than the cost of attack.
This changes the entire budgetary calculus of war. Take tank warfare, for example. Back in the days of tank warfare, each side needed to come up with the necessary resources to build and buy tanks -- an expensive endeavor. The nuclear race was even more costly, costing in the billions (and, nearly -- in today's dollars -- the trillions) to develop.
By contrast, a PC capable of launching a digital attack of mass destruction might cost a few hundred bucks. Defending against those attacks could cost billions.
2. Responses can be proportionate or disproportionate.
Most so-called civilized nations try to practice what's called a proportionate response when attacked. You shoot down one of our passenger airplanes, we'll shoot down one of your military jets. The idea is that for each action, there's a relatively equal reaction.
Most Western nations distinguish between valid military targets and those of unarmed civilians. Many less-than-civilized nations often take advantage of our perception of right and wrong, and use human shields to safeguard high-value military targets.
The problem with a cyberattack is that the attacking force could be scattered across the countryside. One guy could be working out of Mom's basement, while another attacker might be working out of a barn in a cornfield. It's quite difficult, therefore, to pinpoint on exact base of attack and simply destroy that.
It's difficult, but not impossible. We are capable of surgical strikes, whether from the air or with feet on the ground. Digital attackers will do their best to hide or misrepresent who they are or where an attack is coming from. This makes a physical response to a cyberattack difficult, but not impossible. Remember that once you move beyond the digital domain, forensics, research, and good old investigatory skills still work.
Attackers need to eat, they need a network connection, they need to communicate, and all of these activities leave footprints that a defender can find and use as a basis for retaliation.
Next: New battlespace, new strategy »
« Previous: The form of attack
3. With every new battlespace comes new policies, strategies, and rules of engagement.
This isn't the first time nations have had a new battlespace to explore. Back in ancient times, boats couldn't get very far from shore. But once they could, deep sea battles became possible, and a whole new array of policies, strategies, and rules of engagement became necessary. Once the battle went undersea and up in the sky, still new warfighting techniques needed to be developed.
Cyberspace is merely another battlespace. The weapons are different, but the bottom-line is still the same: defend against attacks, and teach attackers that it's a very, very bad idea to ever attack again.
The United States is currently working on formulating its new rules for the new battlespace. This is a good thing (if you're on our side, of course).
4. In cyberwar, like in real war, the combatants aren't only nation states.
We often think of war as being fought between nations. But the reality of war is that it's often fought by many different factions, with vague and changing loyalties to different flags. Terrorism is a good example of this. We're not fighting an individual country, but a series of groups, often supported and helped by various countries practicing their own personal form of plausible deniability.
Cyberwarfare has the same challenge. This week, two companies were attacked: Google and Lockheed Martin. It's not clear that either attack originated from a nation state (although the attack on Google apparently originated in Jinan, a Chinese town with a big military installation and Lanxiang Vocational School, an educational institution with strong military/industrial ties).
5. Nations will always ultimately reserve the right to respond with force to a deadly threat.
I was asked by BBC presenter Giles Dilnot if the Pentagon statement speaking of the "use of force" scenario indicated that the United States was more serious about cyberattacks. To some degree, the answer is "Yes". The U.S. has always been serious about attacks of any nature, it's just that we're beginning to integrate this new battlespace into our more formal planning.
No matter what any diplomat (from any country) will tell you, nations always, always reserve the right to respond with force to a deadly threat. One of the fundamental purposes of governance is the protection of the population and the interests of the State. Therefore, no responsible government can rule out using whatever means is necessary to protect its people.
6. Nations are always researching new weapons systems, both offensive and defensive.
So here's the $60,000 question: if the U.S. has acknowledged it's working on defensive digital weaponry, does that mean the U.S. is also working on offensive weaponry, digital weapons to attack the digital attackers?
Quite obviously, I can't answer that in any detail. But I can tell you that nations are always researching new weapons systems. It would be foolish to only research defensive systems.
Next: Will it be put to use? »
« Previous: New battlespace, new strategy
7. Just because there's a policy in place, that doesn't mean it's going to be put to use.
A related question I was asked was whether or not the Pentagon's stance implied they're going to start attacking digital adversaries. My answer is that given the number of cyberattacks (they're virtually constant), it's certainly likely that a retaliatory attack will happen at some time in the future.
But that's not the point. The point is that civilized nations plan, they work through eventualities, they establish chains of command, they determine spans of authority, they develop rules of engagement -- and they do all this, hopefully, before there's any immediate plans for attack or escalation. So, just because we're putting professional warfighting policies in place, that doesn't mean we're planning on attacking anyone tomorrow.
8. Just because powerful nations can attack any target, that doesn't mean they will.
I was asked a funny question. I was asked that now that this policy is taking form, did that mean that if someone attacked the U.S., we'd turn around and attack their social health care system or something similar.
Separating out the obvious fact that we've been too busy destroying our own health care system to mess with that of another country, and that no attacker can do more damage to health care policy than our very own precious politicians, the answer is pretty much "no."
Here's the thing. We don't attack civilian targets unless they're specifically being used as weapons of war. If a large group of soldiers is using the Internet to attack core systems in the United States, we may retaliate, but our goal would be to stop the attacks and shut down the attackers' facilities. It wouldn't be to randomly target, for example, hospitals and schools.
Of course, if some rogue nation were to build a network solely for the purpose of housing an attacking engine, specifically as an attempt to mislead (or play a PR war), then the scope of the response would reflect the scale of the threat.
9. Your single best course of action is to be our friends, not our enemies.
The bottom line in this is simple. If you try to hurt the United States, the United States is continually refining its capabilities to respond. It's a much, much smarter (and safer) strategy to simply play nice with Uncle Sam.
10. Learn more about cyberthreats and cyberattacks.
I've written a lot on this topic over the years. Here's some good reading that'll bring you up to speed.
There you go. That's a lot to digest in one sitting, but if you're going to be in IT, you need to be aware of this issue. Without a doubt, someday, you, too will have to defend against a cyberattack.