Calling for an end to cold-war analogs for info-war situations
By Michael Tanji
Bob Gourley, an old and trusted colleague in the national security arena, asks if we are any closer to achieving a cyber deterrence policy. While it is worth having the discussion as an academic exercise, it couldn't be less practically relevant to keeping our country's resources secure from digital threats. The problem of course is that its a lot easier to attempt to focus on a narrow set of legacy futures rather than to start to develop new ideas. Whether history repeats or rhymes, there is no rule that says we need to mimic the most recent tune on the radio when there is an epic playlist to consider. Rather than spend countless hours and billions of dollars trying to shoe-horn Vint Cerf thinking into a Paul Nitze world, how about looking around for more appropriate metaphors - or considering something original - for the security problems of the actual physical and digital worlds in which we operate?
Let's start by walking through the points Bob addresses in his paper on the subject from last year. He didn't invent them: they're just the major points most of those who operate in this space consider when they're talking about trying to make sense of things.
Attribution. As the Internet is constructed and operates today there is no way to achieve proof-positive attribution (as you could in the good old days with the launch of an ICBM) without violating local laws and the tenants of good Internet behavior (or other untoward actions). Two wrongs rarely make a right, and things get considerably more difficult if that first wrong is a knock-out punch that takes you off-line for hours. Absent fast and reliable mechanisms that allow for such a granular picture into adversary action, attribution is always going to be an educated guess and adversaries will always have some kind of "out" that they can use to justify their own action or press for redress.
Adversary Knowledge. Always a good thing to have, but there is rarely enough or enough good information to make a sound decision. Sure, there are books and papers about the subject published by those we presume would be our adversaries online, but the most prolific and successful adversaries in cyberspace don't publish doctrine. Those that study these issues are reading the wrong sorts of books. The clear and present danger online is more Red Mafiya than The Main Enemy.
Secrecy. Keeping quiet about how we know what we know is old hat in the intelligence business. When everyone is operating more or less on equal terms however, once an adversary figures out the jig is up, discovering your leak is fairly straight forward. Tradecraft online is computer science, not cloak and dagger, and the dark arts in that domain are public knowledge (more on that train of thought in a bit).
Delineating Behavior. In the cold war you didn't want the other side to turn the key and push the button on the ICBM launch control. The goal was preventing nuclear war; there was no such thing as a nuclear slap-fight. The same is not true in cyberspace because the building blocks of almost any sort of malicious activity online - whether the motivation is intellectual, criminal, or political - are the same. Delineating what to monitor and deter would require capabilities we do not currently have, and the way things are going, probably not achievable in a meaningful time frame.
Effective Responses. I largely agree with the points made here as far as actual delivery is concerned. Our ability to respond to a threat is rarely questioned: stories of our capability to do just that have been leaking out at a steady pace for years. I submit that this is the simplest and most effective approach to take and that not a lot of heavy thinking need be applied going forward. After all, what facet of warfare are we not dominant in? What eight-digit grid coordinate can we not turn into a smoking hole in the ground? The only thing our adversaries need to know is that one way or another we're going to get them.
Dominance over the Operational Environment. Of course to be effective you also have to factor in time as a part of your response. Barring a radical change in how our cyber defense and offense capabilities operate however, there is almost no chance that we will be able to detect and respond to an adversary attack in a timely fashion. Take a look at what is involved in just monitoring and reporting cyber threats across the military. You think the decision-making capability in that spaghetti is able to respond in minutes? Hours? And just how would decision-makers in such an enterprise vet their information? Using present-day solutions? Let's face it: serious national assets get pwned so regularly it's like we're just pretending to care (in radical cases they don't even bother pretending), so this emphasis on responding is largely a horse-and-burning-barn exercise.
All of the aforementioned points are good things to want, but the idea that we're going to achieve them in a meaningful time frame is folly. I'm not even the grayest beard in this business and I know that we're approaching decade-three of talking about the issues (decade-seven if you're an old crow) but not significantly closer to solving them. From Hiroshima to On Thermonuclear War only took 15 years and except for the delivery mechanisms and yield, a nuke is a nuke: cyberspace today is nothing like ARPANET, and in ten years it'll look nothing like it is today.
So to move forward in this area I think it would be useful if we drew from different historical analogs, or simply made our own history. Cold warriors still set policy, so I expect the comfort level to drop precipitously and I have no hope of traction, but like the proverbial lieutenant who suggested that putting armor where returning bombers weren't shot to pieces by the Luftwaffe was a better approach than reinforcing where the holes were, someone has to sound off.
More Weapons, not Weapons Control. Digital arms control, cyber deterrence . . . it all sounds great. The problem? Cyber weapons are really computer code; computer code is rooted in math: Good luck trying to control math. What's your arms control inspection regimen going to be: reviewing foreign textbooks? Inspecting 9th grade classrooms? Controlling the movements of math professors? Are you going to nationalize Microsoft? Declare Bill Gates a munition? Haven't we learned the futility of that sort of thinking?
A better approach would be the equivalent of a concealed carry policy. Why? To coin a phrase: an armed populace is a polite populace. Crime goes down in areas where people can carry concealed weapons, because even the dumbest criminal wants to avoid a Crocodile Dundee moment.
"But how do you avoid turning cyberspace into the wild west?" you ask? Well, how exactly would that be different than the situation we're in today? At least this is an approach that doesn't mandate victim-hood. If too many "gunfights" broke out, it would drive all authoritative bodies concerned to develop a solution before life online became unlivable. Nothing spurs action like bodies.
Privateering. If cyber space is to be compared to any other environment or construct, I think it should be the open ocean (circa 1700s). Long-time readers are probably tired of hearing about this from me, but I haven't found anyone to say it doesn't make sense or wouldn't work. Gen Hayden is right: we don't expect Wal-Mart to participate in missile defense or blue-water naval operations, but such activities benefit Wal-Mart just the same. So make a decision: service providers and those who own and manage cyberspace have the right defend themselves, or such responsibility falls exclusively to the government: what's it going to be?
/*At this point it is worth noting that the primary focus of the private sector is on the bottom line and up-time, not national security. So any strategy that involves the private sector in earnest but falls short of nationalization is going to have to accept compromises that the fathers of deterrence didn't have to consider. There is no information infrastructure enterprise that doesn't take steps to ensure that its investment and services are not protected against threats, but threats to the infrastructure and threats to the consumer are not necessarily the same thing. Security also need only be sufficient - not perfect - because the closer you get to perfect, the less effective you are as a going economic concern. Hate the game, not the player.*/
Razor, not Barbed Wire. It looks similar from a distance, but they're very different up close. You can breach a barbed wire barrier fairly easily, but razor wire will ruin your day, and it might take a good part of the day to get through it. Digital concertina (a/k/a the firewall) is over 20-years old and still a building block of every online security systems known to man, but a fat lot of good it does against a serious or sufficiently creative assault (which is what we are facing). What other industry do you know of continues to employ ineffective solutions and still retains a market share that is measured in tens of billions? What army goes to war in a Mark V? Odds are you'd get fired for submitting plans for a security architecture that didn't involve firewalls, intrusion detection systems, and signature-based anti-virus: all of which fail with alarming regularity. Developing a security strategy for cyber space means recognizing that almost nothing you are doing today works well as-is; it means thinking Blitzkrieg when the guy next door is building his wall.
Mine Fields. If you can only protect a limited number of paths to your door, or you are drastically outnumbered by an array of forces, a mine field is an excellent tool. Trust me: nothing stops a brigade of infantry, or even an armored column, like the word "mines." Given that processing and memory is so cheap, and connectivity nearly ubiquitous, how come no one has figured out how to build a computing environment that intentionally becomes unusable if things become too hostile? Such a system would 'blow up' sending legitimate users to an alternate environment and forcing attackers to start their hunt for targets anew? How come we're spending so much time and money on a solution that intentionally makes it easier for our adversaries to perform targeting?
Fight the War We're In Now. Why talk about surprise attacks when we've been fighting for years? Why do we look toward theories that sought to avoid global holocaust when we're presently engaged in attrition warfare? Why worry about fighting under a future legal regime that no nation on earth is ever going to ratify (the benefits to being a 'rogue state' far outweigh the benefits of being in the global security club)? To some this is an advocation for frontier justice, but what choice do you have if security is your number one priority and the Marshal is a three-days ride away (and it our case, we're the ones trying to play Marshal)?
When I say there is "no hope" for a strategy similar to nuclear deterrence of course I mean there is some hope, just not enough to factor into practical decision-making. No one - not even the US - has a vested interest in seeing cold-war practices adapted to an information-war environment. There is far too much at stake - yet simultaneously almost no long-term risk - that efforts to walk down the paths blazed by Nitze and Kahn are really just conference fodder and cyber salon chit-chat. You would think that there were no other theories of warfare (generational or otherwise) one could look to for guidance. One could argue that cold war strategy is a good place to look because it worked, but you're working off of an awfully small data set and overlaying that construct onto an entirely different world than the one that existed 50 years ago.