Article Entry
30 Apr 2009
Comments:3
U.S. Lacking Offensive Cyber Warfare Strategies
Added by USGIF Category: Daily Intelligence Brief
The news cycle has been dominated by stories about how vulnerable we are to cyber attacks. We have not seen too much coverage about offensive strategies by the U.S. government. That is until now, and the news is not good. According to recent report from a panel of military, diplomatic, legal and IT security experts assembled by the National Research Council, the U.S. government lacks a comprehensive policy about how it will engage in cyber warfare. The report states that the U.S. government also lacks a person or office to coordinate cyberattack. So, does this mean that nothing is happening on the offensive front??
The report also states that U.S. needs to engage in a national dialog about its government’s use of cyberattacks against other nations. Here’s a quote from the NRC press release:
“Cyberattack is too important a subject for the nation to be discussed only behind closed doors,” said Adm. William Owens, former vice chairman of the Joint Chiefs of Staff and former vice chairman and CEO of Nortel Corp., and Kenneth Dam, Max Pam Professor Emeritus of American and Foreign Law at the University of Chicago School of Law, who co-chaired the committee.
So, our earlier question points to this…are we not doing anything on the offensive front? Here’s what we think..many folks protecting our nation work on highly classified projects. Cyber warfare would certainly fall into this category — obviously they cannot publicize their offensive strategies, especially with something this sensitive. We agree that more needs to be done – that is a given. But what do you all think about this?
Tags: cyber attacks, Cyber Security, cyber security strategies, cyber warfare, Defense and Intelligence, National Research Council, USGIF
I think that the Admiral is 100% correct when he says that “Cyberattack is too important a subject for the nation to be discussed only behind closed doors,” The subtext is that our military does not want to be hung out to dry by our politicians. So they want everybody to be absolutely clear about what we are comfortable doing on offense.
This means, of course, that we are going to be doing absolutely nothing on offense because we are never going to arrive at a consensus until we have a Cyber 9/11. By then it will too late. Democracies are not good on offense.
I disagree there is no point having a weapon if your opponents do not know about, unless your intent is to ambush them with an attack. I don’t think it is any different than nuclear weapons and applicable strategies; e.g. MAD, second strike capability etc.
Also it is worth while to remember the starwars initiative; hopefully for a weapon system to be effective you don’t have to use it and it is not required to work; as long as every one else things it may work; and as long as they don’t want to take the risk; we are all safer.
Physical security analogies often map poorly to logical security.
For example, national physical security is often assured through a combination of strong defenses, a ready offensive capability, and the occasional strategic surgical strike to knock out potential enemy offensive capabilities before they become imminent threats.
Strong physical defenses have good logical analogues; we are all familiar with them, no more on them here.
What are the analogues to a ready offensive capability and the surgical strike?
I’m tempted to write that there are none, based on the perspective that the global communications network is so inter-connected as to be more akin to one large organic body than to physically separate states. (How does the hand launch a surgical strike at the foot without damaging the body? Perhaps it it sometimes necessary, but it is a one-time-use last resort. And the hand forever lives with the cane….)
But I know this to be at least partially untrue. For example, dormant botnets could make for effective surgical strike capabilities.
I cannot help but think that any organization wishing to have such capabilities must mimic the capabilities of the most sophisticated malware authors and controllers.
And heaven help us should they fail to contain their tools.