Strategic Cyber Defense: Which Way Forward?

Kenneth Geers Cooperative Cyber Defence Centre of Excellence U.S. Naval Criminal Investigative Service

ABSTRACT

Cyber security has evolved from a technical discipline to a strategic, geopolitical concept. The question for national security thinkers today is not how to protect one or even a thousand computers, but millions, including the cyberspace around them. Strategic challenges require strategic solutions. This article considers four nation-state approaches to cyber attack mitigation. 1. 2. 3. 4. Technology: Internet Protocol version 6 (IPv6) Doctrine: Sun Tzus Art of War Deterrence: can we prevent cyber attacks? Arms control: can we limit cyber weapons?

These threat mitigation strategies fall into different categories. IPv6 is a technical solution. Art of War is military. The third and fourth strategies are hybrid: deterrence is a mix of military and political considerations, while arms control is a political/technical approach. Technology and doctrine are the most likely strategies to provide shortterm improvement in a nations cyber defense posture. Deterrence and arms control, which are more subject to outside politcial influence and current events, may offer cyber attack mitigation but only in the longer-term.

INTRODUCTION Cyber security has quickly evolved from a technical discipline to a strategic concern. In 2000, information technology (IT) played no role whatsoever in NATOs Strategic Concept. When the document was rewritten in 2010, cyber attacks were deemed capable of threatening Euro-Atlantic prosperity, security and stability.1 Today, all political and military conflicts have a cyber dimension, whose size and impact are difficult to predict. From the propaganda war over Chechnya in the 1990s to the cyber assault on Estonia in 2007, from Code Red in 2001 to the ongoing fallout from Stuxnet, world leaders have been personally involved in cyber attack and defense issues. In 1948, Hans Morgenthau wrote that national security depends on the integrity of a nations borders and its institutions.2 However, as our national critical infrastructures, including everything from elections to electricity are computerized and connected to the Internet, cyber attacks may evolve from a corollary of real-world disputes to a lead role in future conflicts. The nature of a security threat has not changed, but the Internet provides a new delivery mechanism that can increase the speed, scale, and power of an attack. Military planners have begun to move beyond the technical, tactical aspects of cyber security such as how to configure a firewall or monitor an intrusion detection system to defending the cyberspace of a nation-state. This article examines four strategic approaches to cyber attack threat mitigation: 1. Technology: can Internet Protocol version 6 (IPv6) improve strategic cyber defense? 2. Doctrine: can the worlds best military treatise Sun Tzus Art of War encompass cyber warfare? 3. Deterrence: is it possible to prevent cyber attacks? 4. Arms control: can we limit cyber weapons? These four strategies fall into different categories. IPv6 is a technical solution; Art of War is military. The third and fourth are hybrid: deterrence is a mix of military and political considerations, while arms control is a political/technical approach.

1 2

Active Engagement 2010. Morgenthau, 1948.

1. TECHNOLOGY Vint Cerf, one of the Internets inventors, confessed that security was not an important consideration in its original design. If he could start over, I would have put a much stronger focus on authenticity or authentication.3 First and foremost, governments will seek to mitigate the threat of cyber attacks through new and improved technology. This is a logical approach: it is best to fix a technical problem with a technical solution. In 2011, the strongest candidate to have a strategic impact is IPv6, which is replacing IPv4 as the new language of computer networks. IPv6 has a high learning curve and the pace of IPv6-specific application development has been slow. Nonetheless, most governments and large organizations understand that the technology is superior to IPv4, and have made the transition a priority. In the U.S., federal agencies are required to enable IPv6 on publicfacing websites by 2012 and on internal networks by 2014. IPv6 instantly solves the worlds shortage of computer addresses. IPv4 has around 4 billion addresses, which are insufficient for our computing needs today. IPv6, by contrast, has 50 octillion addresses for every human on planet Earth! In the military, every bullet and stick of butter will have its own, permanentlyassociated number. In a nation, the same could apply to people according to Chinese Internet Society chairwoman Hu Qiheng, there is now anonymity for criminals on the Internet in China with the China Next Generation Internet project, we will give everyone a unique identity on the Internet.4 From a law enforcement and counterintelligence perspective, IPv6 could help to solve the problem of anonymous cyber attacks. However, human rights groups fear that governments will use this new capability to quash political dissent by reducing online anonymity and privacy. IPv6 possesses better security features than IPv4, chief among them mandatory support for Internet Protocol Security (IPSec), a group of communications protocols used to authenticate and encrypt Internet traffic. The use of IPSec under IPv6 is not required but its inherent presence gives network security administrators a powerful weapon in their arsenal against hackers. Over time, the percentage of Internet traffic that is encrypted is constantly on the rise. Eventually everything on the Web could be unreadable to third parties, including network security personnel. Therefore, the need for the authentication mechanisms inherent in IPSec will also rise in order to know with greater certainty with whom one is communicating.
3 4

Menn, 2011. Crampton, 2006.

One of the most unsettling aspects of IPv6 is that during the necessarilylong transition period from IPv4 there will be an increased attack surface as hackers exploit vulnerabilities in both IP languages at once. But when the switch is complete, IPv6 appears to have the potential to reduce the most important advantage of a cyber attacker today anonymity which in turn could improve the state of strategic cyber security.

2. DOCTRINE The establishment of U.S. Cyber Command in 2010 confirmed that cyberspace along with land, sea, air and space is a new domain of warfare.5 Computers are not only a target but also a weapon. Therefore military thinkers must find a way to incorporate cyber attack and defense into military doctrine as soon as possible. The worlds most influential military treatise is Sun Tzus Art of War. Its compelling and adaptive wisdom has survived myriad revolutions in technology and human conflict. Art of War tactics and strategies have been successfully applied to other disciplines including business, sports, and personal relationships. Future cyber commanders will also find Sun Tzus guidance beneficial. For example, on defense, Sun Tzu warns leaders never to rely on the good intentions of others or to count on best-case scenarios.6 This is sound advice in cyberspace because computers are attacked from the moment they connect to the Internet.7
The Art of War teaches us to rely not on the likelihood of the enemys not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. Art of War VIII. Variation in Tactics

On offense, cyber attacks are likely to play a lead role in future wars, where the nature of the fight could be above all over IT infrastructure. A cyberonly war might even please Sun Tzu, who argued that the best leaders can attain victory before combat is necessary.
The best thing of all is to take the enemys country whole and intact supreme excellence consists in breaking the enemys resistance without fighting. Art of War III. Attack by Stratagem

5 6

Pellerin, 2010. Sawyer, 1994. 7 Skoudis, 2006.

In theory, cyber warfare might be a good thing for the world if future conflicts are shorter and cost fewer lives, which could facilitate economic recovery and postwar diplomacy. There are many aspects of cyber conflict, however, that are truly revolutionary, and for which it may be difficult to write military doctrine. Here are no fewer than ten to consider: 1. The Internet is an artificial environment that can be shaped in part according to national security requirements. 2. The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them. 3. The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography. 4. Software updates and network reconfiguration change cyber battlespace unpredictably and without warning. 5. Contrary to our historical understanding of war, cyber conflict favors the attacker. 6. Cyber attacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure. 7. The difficulty of obtaining reliable cyber attack attribution lessens the credibility of deterrence, prosecution and retaliation. 8. The quiet nature of cyber conflict means that a significant battle could take place with only the direct participants witting. 9. The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking. 10. There are few moral inhibitions to cyber attacks because they relate primarily to the use and abuse of data and computer code; so far, there is little perceived human suffering. The worlds top military thinkers, including Sun Tzu, can help modern organizations fill the gaping holes in their cyber defenses, but it will take many years to incorporate all of the revolutionary aspects of cyber conflict into military doctrine.

3. DETERRENCE World leaders have begun to look beyond reactive, tactical cyber defense to proactive, strategic cyber defense, which may include international military deterrence. Deterrence theory gained prominence during the Cold War when the United States and Soviet Union created enough firepower in the form of nuclear weapons to destroy human civilization on our planet. The American military strategist Bernard Brodie wrote that, in the nuclear era, the purpose of armies had shifted from winning wars to preventing them.8 Cyber attacks per se do not compare to a nuclear explosion. However, as a powerful means to a wide variety of political and military ends, they pose an increasing threat to international security. In 2010, for example, the Stuxnet worm demonstrated that computer code alone is capable of destroying physical infrastructure such as nuclear centrifuges.9 Pentagon officials have therefore begun to articulate a nascent cyber attack deterrence policy. National security insiders now believe that computer sabotage could even be an act of war which could trigger a conventional military response: If you shut down our power grid, maybe we will put a missile down one of your smokestacks.10 There are two primary strategies, according to deterrence theory, available to nation-states proactive denial and reactive punishment. Both strategies have three basic requirements capability, communication, and credibility.11 Deterrence by denial is a strategy in which an adversary is physically prevented from acquiring a threatening technology. This is the preferred option in the nuclear sphere because there is no practical defense against a nuclear explosion, which can demolish reinforced concrete buildings three kilometers away.12 Deterrence by denial is a philosophy embodied in the Non-Proliferation Treaty (NPT) and a major reason behind current international tension with North Korea and Iran.13 Unfortunately, deterrence by denial is unlikely to succeed against cyber attacks. Nuclear technology is difficult to acquire, but hacker tools and techniques are not. Amazingly, there is little visible difference between expertise in computer network defense and computer network offense they are essentially one and the
8 9

Brodie, 1946. Broad et al, 2011. 10 Gorman & Barnes, 2011. 11 Interview with Prof. Peter D. Feaver of Duke University. 12 Sartori, 1983. 13 Shultz et al., 2007.

same discipline. A good hacker may be described as someone who simply understands your computer network better than you do, and uses that knowledge for nefarious purposes. The second deterrence strategy, reactive punishment, seeks to prevent an attack before it is launched by threatening painful or even fatal retaliation. In cyberspace, this is the only realistic option. There are two vexing cyber security challenges, however, which undermine the credibility of deterrence by punishment attacker attribution and attack asymmetry. First, the byzantine, international nature of the Internet almost guarantees that the anonymous hacker problem will not go away soon. Second, there are countless ways to show the asymmetric power of networks, such as in 2001 when a single teenager hacker, MafiaBoy, caused over $1 billion in corporate losses after a successful denial-of-service attack.14 A final comparison to the Cold War relates to the concept of Mutually Assured Destruction (MAD). By 1968, Soviet mastery of nuclear technology made one-sided nuclear deterrence meaningless,15 and the two Superpowers were forced into a position of mutual deterrence. If cyber attacks are both effective and impossible to eradicate, we may now live in a world of Mutually Assured Disruption.16

4. ARMS CONTROL Former CIA Director Michael Hayden posed this question during a 2010 Black Hat keynote address Why might it be better to bomb a factory than to hack it? No one responded. Hayden explained that one can choose to bomb a factory at any time, but sophisticated cyber attacks take months if not years of painstaking subversion. In turn, this means that even during peacetime, nations may hack their adversaries critical infrastructures in order to prepare for war. This is not only a recipe for perpetual network chaos, but it also seems likely that the first shots of the next World War have already been fired. Given the dim prospects for cyber attack deterrence and a looming cyber arms race, world leaders may decide to negotiate a cyber arms control treaty or a non-aggression pact for cyberspace. The Russian government has long argued that an agreement similar to those which have been signed for weapons of mass destruction (WMD) could be

14 15

Verton, 2002. This refers to the Soviet Unions ability to mass produce nuclear weapons, and to compete in the nuclear arms race. 16 Pendall, 2004; Derene, 2009.

helpful in securing the Internet.17 In 1998, Russia successfully sponsored United Nations Resolution 53/70, which stated that while modern information and communication technology (ICT) offers civilization the broadest positive opportunities it was nonetheless vulnerable to misuse by criminals and terrorists.18 No pre-Internet model is a perfect fit for cyberspace or cyber conflict. But there are three aspects of the 1997 Chemical Weapons Convention (CWC), which compels signatories to destroy CW stockpiles and forbids them from producing any more, that could be beneficial: universal appeal, political will, and practical assistance. First, everyone is a neighbor on the Internet but the jurisdiction of law enforcement ends every time a network cable crosses a border. In the short term, this is a major obstacle to cyber attack mitigation, but as politicians, diplomats and the public grow more Internet-savvy, there may be a common realization that the only way to solve this problem is through closer international cooperation. CWC is less than 15 years old, but it has already been ratified by 98% of the worlds governments and encompasses 95% of the worlds population. Second, strategic cyber defense may eventually receive a boost from the worlds political leadership. In 1997, Presidents Bill Clinton and Boris Yeltsin decided to issue a joint statement endorsing CWC in order to banish poison gas from the Earth.19 The perceived threat from cyber attacks is growing, based on nation-state capabilities as well as the fear that terrorists will master the art of hacking. The 2010 attack on Google was serious enough to begin discussion in the U.S. on the creation of an ambassador-level post, modeled on the State Departments counterterrorism coordinator, to oversee international cyber security efforts.20 Third, CWC offers practical aid to its members in the form of advocacy, weapons destruction and the advancement of peaceful uses for chemistry. A cyber weapons treaty could create an internationally-staffed institution to help signatories improve cyber defenses, respond to attacks and promote peaceful uses for computer science. Computer security is not an easy discipline proper configuration, management and incident response require more resources than most organizations and even many countries now have available. There are two essential aspects of arms control, however, that are difficult to apply in cyberspace at this time: prohibition and inspection. First, it is difficult to prohibit something that is hard to define, such as malicious code. Anti-malware firm Kaspersky reported that it detected and neutralized over 200 million malicious programs in the month of March 2011
17 18

Markoff & Kramer, 2009. 53/70 1999. 19 The Presidents News Conference... 1997. 20 Gorman, 2010.

alone.21 But this can only be an estimate of the true number in existence, and it likely includes a wide range of everything from true nation-state attacks to simple, annoying advertisements. And if somehow an organization could be malwarefree, professional hackers are adept at using legitimate paths to network access such as by exploiting a default or easily-guessed password to undermine the security of a target network. Second, it is hard to inspect something as big as cyberspace. In CWC, there are around 5,000 industrial facilities worldwide that are subject to inspection at any time this is a large but manageable number. Compare that to a single USB Flash drive which can now hold up to 256 GB or 2 trillion bits of data, or to the 439 million Internet-connected computers located in the U.S.,22 or to modern software in general, which is so complex and its lines of code so numerous that it is almost impossible to understand completely.23 In theory, a cyber weapons convention could require inspection at the Internet Service Provider (ISP) level. However, such regimes are already commonplace, such as Chinas Golden Shield Project, the European Convention on Cybercrime, Russias SORM,24 and the USA PATRIOT Act. Each is unique in terms of guidelines and enforcement, but all face the same problem of overwhelming traffic volume. One significant but politically difficult step would be the international instrumentation and observation of the Internet and its network traffic flows. This may seem to be an extreme solution, but it could be the only way to slow fastmoving cyber threats such as botnets and distributed denial-of-service attacks.

CONCLUSION Cyber security has evolved from a tactical to a strategic concern, for which nation-states must develop strategic cyber defenses. This article highlights four technology, doctrine, deterrence, and arms control. 1. Technology: Next-generation Internet technologies such as IPv6 can redress some of the Internets current security shortcomings. However, IPv6 is not a silver bullet, and it will unfortunately create some new problems to solve, including a long and dangerous transition phase from IPv4. Still, IPv6 represents a logical at21 22

Monthly Malware Statistics 2011. The World Factbook, Central Intelligence Agency, 2011. 23 Cole, 2002. 24 - or System for Operative Investigative Activities.

tempt to solve a technical problem with a technical solution, and it could help to reduce the chief advantage of cyber attackers today anonymity. 2. Doctrine: Cyber attack and defense represent a revolution in national security affairs similar to the advent of artillery, rockets and airplanes. Even the worlds most influential military treatise, Sun Tzus Art of War, has difficulty encompassing many basic aspects of cyber war. Nonetheless, national security leaders must rewrite military doctrine so that people and processes are better aligned and resourced for cyber conflict, and Art of War can help. 3. Deterrence: U.S. military leaders have begun to articulate a deterrence strategy for cyberspace, but two vexing cyber security challenges diminish its credibility. First, it is difficult to prevent an adversary from acquiring effective hacker tools and techniques. Second, hackers are often able to conduct powerful attacks even while remaining anonymous, which undermine the threat of prosecution or retaliation. 4. Arms control: The persistence of ubiquitous IT vulnerabilities coupled with the proliferation of hacker tools may eventually force governments to sign a cyber arms control treaty or a nonaggression pact for the Internet. But two elements of arms control seem difficult to apply to cyber weapons: prohibition and inspection. It is difficult to define malicious code and it is hard to inspect something as big as cyberspace. In summary, investments in technology and doctrine are more reliable than deterrence and arms control because they are less subject to the whims of politics and current events. A cyber arms control treaty, despite its challenges, would have a key advantage over a deterrence policy alone namely, some kind of technical verification regime. Deterrence is exclusively a military/political approach that does not, by itself, address the most significant advantage of a cyber attacker today anonymity.

__________________ REFERENCES 53/70: Developments in the field of information and telecommunications in the context of international security, (4 Jan 1999) United Nations General Assembly Resolution: Fifty-Third Session, Agenda Item 63. Active Engagement, Modern Defence: Strategic Concept for the Defence and Security of the Members of the North Atlantic Treaty Organisation, (2010) NATO website: www.nato.int. Broad, W.J., Markoff, J. & Sanger, D.E. (15 Jan 2011) Israeli Test on Worm Called Crucial in Iran Nuclear Delay, New York Times. Brodie, B. (1946) THE ABSOLUTE WEAPON: Atomic Power and World Order (New York: Harcourt, Brace and Co) 76. Cole, E. (2002) Hackers Beware (London: New Riders) 727. Crampton, T. (19 Mar 2006) Innovation may lower Net users privacy, The New York Times. Derene, G. (2009) Weapon of Mass Disruption, Popular Mechanics 186(4) 76. Geers, K. (2011) Strategic Cyber Security (Tallinn: Cooperative Cyber Defence Centre of Excellence). Gorman, S. (23 Mar 2010) U.S. Aims to Bolster Overseas Fight Against Cybercrime, The Wall Street Journal. Gorman S. & Barnes J. (31 May 2011) Cyber Combat: Act of War, The Wall Street Journal. Markoff, J. & Kramer, A.E. (27 Jun 2009) U.S. and Russia Differ on a Treaty for Cyberspace, The New York Times. Menn, J. (11 Oct 2011) Founding father wants secure Internet 2, The Financial Times. Monthly Malware Statistics: www.kaspersky.com. March 2011, (2011) Kaspersky Lab:

Morgenthau, H.J. (1948) Politics among nations: the struggle for power and peace (NY: A. A. Knopf) 440. Pellerin, C. (18 Oct 2010) Lynn: Cyberspace is the New Domain of Warfare, American Forces Press Service.

Pendall, D.W. (2004) Effects-Based Operations and the Exercise of National Power, Military Review 84(1) 20-31. The Presidents News Conference with President Boris Yeltsin of Russia in Helsinki, (21 Mar 1997) The American Presidency Project, UC Santa Barbara: www.presidency.ucsb.edu. Sartori, L. (1983) The weapons tutorial-Part five: When the bomb falls, Bulletin of the Atomic Scientists 39(6) 40-47. Sawyer, R.D. (1994) Sun Tzu: Art of War (Oxford: Westview Press). Shultz, G.P., Perry, W.J., Kissinger, H.A., & Nunn, S. (4 Jan 2007) A World Free of Nuclear Weapons, The Wall Street Journal. Skoudis, E. (2006) Counter Hack Reloaded: a Step-By-Step Guide to Computer Attacks and Effective Defenses (NJ: Prentice Hall) 1. Verton, D. (2002) The Hacker Diaries: Confessions of Teenage Hackers (NY: McGraw-Hill/Osborne) xvii.