Real Bullets for Digital Attacks

Thursday, February 09, 2012

Don Eijndhoven


In May of last year, the US Government published its International Strategy for Cyberspace.

The publication made some waves in the international community because in this document the US stated that military reprisals to cyber attacks were now officially on the table.

More specifically, the US government stated that it 'encouraged responsible behavior and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors and reserving the right to defend these national security and vital national assets as necessary and appropriate' [emphasis mine].

This declaration of intent came after an ever increasing number of (detected) attacks on USG networks and systems.

The development of cyber capabilities by governments worldwide is also likely to have influenced the situation.

Whatever the underlying political reasons of publishing such a loaded statement, the publication is clearly intended to deter would-be attackers and, as such, is more or less aligned with one of the RAND Corporation's Monograph studies during Project Air Force on CyberDeterrence and Cyberwar (freely available PDF).

In this lengthy publication by the hand of Martin C. Libicki, the subject of CyberDeterrence is extensively studied and described. He approaches the subject from so many angles that it would make you smile if you didn't have to read it all to get to the end.

One especially important aspect of this discussion is the much-debated problem of attribution. Since retaliation and the threat thereof are a large part of deterrence, knowing who to strike is of paramount concern. Libicki describes various scenarios, such as striking back at the wrong target or not striking at all, and how every scenario has its own consequences.

Suffice it to say that if you, as an attacker, hide your tracks well enough (don't forget the cyber intelligence aspect!), you won't have many problems with retaliatory strikes. If you manage to implicate an innocent third party instead, you may even turn that into a distinct advantage. Considering that retaliation may now include kinetic attacks (bullets to bytes), it can be safely said that they have upped the proverbial ante.

You might be wondering what the point is of declaring retaliatory (potentially kinetic) attacks when every player in this field knows what the score is: No attribution - No problem. So why make a public statement about how you're going to strike back if everyone knows it's highly unlikely?

Well, Libicki covers that too by describing the effects of not striking back, striking back silently, striking back publicly as well as not striking back publicly. I won't copy/paste his work here, but reading between the lines I found that even though such a public statement is mostly a bluff, it is somewhat of a deterrent and it wins out over the downsides.

Besides, and here is the succinct point of it all, declaring that you may use kinetic military options as a retaliatory measure doesn't mean you are immediately obliged to actually do so.

In December of last year, the Dutch government was advised by the Advisory Council on International Affairs (AIV) (Dutch) to make a similar statement with regard to cyber attacks. If the Dutch government decides to take up the advice, The Netherlands will be in the same boat as the US when it comes to cyberdeterrence strategy.

It doesn't worry me. I feel that making such a statement to the world has more upsides than downsides and it shows backbone. When I, along with friend and fellow NCDI council member Niels Groeneveld, was asked to provide input to some of the questions the AIV was looking to answer, I found the discussion so interesting that I wrote several articles about it.

See the "Questions from .GOV" series (part 1)(part 2)(part 3). I was happy to see that some of my input had been used, but it also more-or-less automatically disqualifies me from judging this advice. So I ask you: How do you feel?

About the author: Don Eijndhoven has a BA in Informatics (System & Network Engineering) with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands and is currently pursuing an MBA at Nyenrode Business University. Among a long list of professional certifications he obtained are the titles CISSP, CEH, MCITPro and MCSE. He has over a decade of professional experience in designing and securing IT infrastructures. He is the Founder and CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he is a public speaker, occasionally works for CSFI and blogs for several tech-focused websites about the state of Cyber Security. He is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine, and the founder of the Dutch Cyber Warfare Community group on LinkedIn.

Cross-posted from ArgentConsulting.nl

Mikel Gore: Currently striking back has been limited to talk of the machine/s involved in the attack. Nothing about the nation state hosting/protecting the machines from investigation and interrogation. Retaliation with most weapons systems is like in kind or use of a similar weapon as those used in the attack. I think in this case if our power grid (for example) is attacked by cyber means, they intend to have access to the machines attacking us or will in turn shut down said nation/s protecting the attackers power grid in kind, by kinetic means if need be.