Three related events this week caught the attention of security professionals and news organizations everywhere.
The first was when defense contractor Lockheed Martin announced it had been hit by a cyberattack. The second was when a Pentagon spokesman said the U.S. might consider a cyberattack to be an act of war (and might respond with physical force). The third news story was of another attempted penetration of Google’s systems from China, this time phishing for Gmail account information from senior U.S. officials.
These events are a continuance of the ongoing trend of digital attacks. They are noteworthy in context because they’re helping us see how cyberspace is finally being formally integrated into international policy.
Last night, I was back on BBC radio, where we discussed many of the issues surrounding the formalization of cyberdefense policies. During the interview, it became clear that there were a bunch of questions people on both sides of the pond had about what these new policies mean, and if they indicate a new aggressiveness on the part of the United States.
To clear up some of the confusion, I’ve listed ten things you should know about America’s new cyberdefense policies.
1. Attacks can be symmetrical or asymmetrical.
In warfare, the attackers and defenders aren’t always evenly matched. We’ve all seen what modern bombers can do to a small village, but many people don’t realize that cyberwarfare flips the equation, making it much more costly to defend than attack.
For example, any small group with a pile of PCs (or even PlayStations) can mount a hugely damaging attack, especially if they make use of zombie botnets as a force multiplier.
This means that while the attackers only have to aim at one target, the nation states have to defend every possible target from every possible attack. The cost of defense can be wildly more expensive than the cost of attack.
This changes the entire budgetary calculus of war. Take tank warfare, for example. Back in the days of tank warfare, each side needed to come up with the necessary resources to build and buy tanks — an expensive endeavor. The nuclear race was even more costly, costing in the billions (and, nearly — in today’s dollars — the trillions) to develop.
By contrast, a PC capable of launching a digital attack of mass destruction might cost a few hundred bucks. Defending against those attacks could cost billions.
2. Responses can be proportionate or disproportionate.
Most so-called civilized nations try to practice what’s called a proportionate response when attacked. You shoot down one of our passenger airplanes, we’ll shoot down one of your military jets. The idea is that for each action, there’s a relatively equal reaction.
Most Western nations distinguish between valid military targets and those of unarmed civilians. Many less-than-civilized nations often take advantage of our perception of right and wrong, and use human shields to safeguard high-value military targets.
The problem with a cyberattack is that the attacking force could be scattered across the countryside. One guy could be working out of Mom’s basement, while another attacker might be working out of a barn in a cornfield. It’s quite difficult, therefore, to pinpoint one exact base of attack and simply destroy that.
It’s difficult, but not impossible. We are capable of surgical strikes, whether from the air or with feet on the ground. Digital attackers will do their best to hide or misrepresent who they are or where an attack is coming from. This makes a physical response to a cyberattack difficult, but not impossible. Remember that once you move beyond the digital domain, forensics, research, and good old investigatory skills still work.
Attackers need to eat, they need a network connection, they need to communicate, and all of these activities leave footprints that a defender can find and use as a basis for retaliation.