Military strategies and tactics that may work in the physical world do not have a place in guiding "cyberwarfare", and those who attempt to use them demonstrate a key lack of understanding, according to Tenable Security's chief of security Marcus Ranum.
Ranum, who spoke at AusCERT 2013 at the Gold Coast, Queensland, on Friday, highlighted several methods that strategists and tacticians use that simply do not work in the online world.
The concept of castle defence, for example, is commonly used as a metaphor for firewalls, but many of the strategic reasons that castles were useful in terms of defence don't apply. Perimeter defence has long been dismissed by security experts as ineffective, he said, and the advantages of "high ground" to see attackers coming from a long way off — tactical surprise — simply don't apply online.
"The term tactical surprise is completely meaningless in cyberwar, because you will always be surprised. Even if Anonymous says, 'I'm attacking you on Wednesday', they're probably not going to tell you, 'and it's coming from this IP address on this port, why don't you put a block in'."
Manoeuvre warfare, a basic concept in many modern armies, is equally irrelevant to the online space, Ranum said.
It is seen as a way to encircle adversaries, cut them off from supplies and help, and reduce their morale, but Ranum said that it simply doesn't apply, because routers don't move and networks don't yet reconfigure themselves.
"Are you talking about moving your routers around? That doesn't make any sense. Are you talking about reconfiguring your networks? That doesn't make any strategic sense, either. If you could actually think about some way that changing your network around would actually help, then we could maybe talk about it."
And while the relevance of pre-emptive attacks in the online world has been debated before, Ranum said it is impossible to even see whether an enemy is mounting an attack.
"The enemy is gathering behind this IP address and they're going to attack us, so let's knock them off," he said sarcastically. "What? This is absolutely nonsensical."
The only case in which a pre-emptive strike might be actually useful is when it is known that someone is in the midst of setting up their website, and hasn't yet set up their defences, he said.
However, tactics like these are the ones that the US military is using, he said, adding that it is doing the only thing it knows how: making itself appear so powerful that no one would dare attack, which is a form of a strong offence acting as a defence.
This simply doesn't work in the online space, Ranum said, because in the physical theatre of war, when one side loses 1,000 tanks, it has to rebuild them; online, if 1,000 IP addresses are blocked, it is trivial to circumvent the block or find replacements. Similarly, given that anyone could be a potential adversary on the internet, it is impossible to take pre-emptive action and get the first punch in.
"If we wanted to imagine this room as a cyberwar [battlefield], I don't know which of you is about ready to attack me. I have no way of knowing. So I'm going to punch this guy in the front row because he's in the front row? Because he's within reach?" he said, gesturing to an audience member.
The nature of the internet also means that the traditional sense of victory — where opponents are completely neutralised or driven away for good — does not exist online.
"What's going on with a lot of the US government pointing at China and shrieking, 'Cyberwar! Cyberwar! Cyberwar!' ... it's basically saying, 'We don't understand this problem at all. Please kick our a** some more'," he said.
"The Chinese — who, by the way, do actually read Sun Tzu, for some reason — all I can figure is that they're probably just face palming."