The Cyber Secure Institute (CSI), a group looking to raise awareness about cyber security, has released it’s first whitepaper in a new series about cyberwar. This whitepaper, written by retired USAF General Eugene Habiger, addresses the need for a new approach towards viewing cyberwar. Gen. Habiger goes on to validate his claims with real-world examples, showing that our “rotary-phone-era stratgies are not well suited for today’s digital world.”
One of the main focuses of this whitepaper is showing that our tried-and-true methodologies of preemption and deterrence aren’t well suited to digital warfare. While both shouldn’t be left out of the cyberwarfare playbook, General Habiger builds the case for needing an alternative that is more suited for the digital battle ground.
Preemption relies on being able to detect an attack before it happens and respond in a way that prevents the attack. In the physical world preemption is a game of “I spy” watching troop movements and gathering intelligence; then responding with force directed at the aggressor. When we look at a similar strategy in the digital world, it becomes much more difficult. Detection before-the-fact because a bit more of a guessing game. It’s very possible to create or recruit a botnet, discover an 0-day, or gather intelligence on a target without any visible or detectable signs. Beyond simply finding a cyberattack in order to preempt it, there also are issues inherent in the response. In many cases attackers may be distributed across various nations (including the one being attacked) making it very hard to deliver a decisive blow and stopping the attack all together.
Deterrence, on the other hand, has a lot to do with stopping an attacker in the planning stages of an attack. The idea is when an attacker looks to make a move, they have to take into account the repercussions of their decision. To take a page from the history books, the cold war is a perfect example of deterrence. Any nation foolish enough to launch an offensive nuclear weapon would be met in kind. When we try and map this concept to the cyberwar, we reach an interesting conclusion: we’ve got a lot more to lose than they do and as with preemption, we have to be able to know who did it.
General Habiger concludes the paper with a call to arms for inherent security – security that is built in, not an after thought. He goes on to suggest that security be made so inherent that the basics would be taught in school or shown as public service announcements. This “paradigm shift” to inherent security creates an environment where security is within every layer of the internet, from the end-user to the hardware an application runs on. While such a methodology provides no obvious offensive strategies, it does harden the infrastructure and provide a much more appropriate defense.