Acts of cyber aggression have continued to increase to levels not seen before, and they have driven policy issues in the executive branch of governments around the world. Most cyber warfare strategists and military experts, as well as national security policy makers, agree it is extremely difficult to control the widespread proliferation of cyber weapons in the arsenals of modern militaries and terrorists around the world. That position has substantially impacted discussions, research and analysis into many aspects of cyber deterrence.
Current cyber deterrence thinking seems to focus on three specific areas:
1. Penalties and Retaliation (Traditional deterrence approach)
2. Interdependency (What hurts one hurts all)
3. Futility (Limited impact due to resiliency and defenses)
One example that clearly demonstrates the complexity and difference from other national security threats is the use of insiders. Historically, our security approach centered on external threats that have been separated by geographic boundary. This threat model is outdated when it comes to cyber security. The only thing that differentiates a cyber weapon from a security testing tool is the intent of those behind the event or events.
One of the most concerning areas evolved out of a call by a military official who made statement that we would treat all acts of cyber aggression as a law enforcement issue and not an act of military aggression. This position is very dangerous and should be discouraged.
Developing and implementing a comprehensive cyber deterrence program will not be easy and will require the cooperation of the computer industry and others in the private sector. Traditional national security strategies of deterrence may have little impact on the supercharged proliferation of cyber weapons. Deterrence is further hampered by the significant issues surrounding the current and near term capabilities for definitive attribution (determining those behind the attack). In that cyber deterrence is directly dependent upon the nature of the attack as well as who is behind the attack, deterrence measures must be based on the numerous attack groups (example, cyber criminals, cyber terrorists, hacktivists, rogue-nations and others).
{ 11 comments… read them below or add one }
The difficulty of positively determining the origin of an attack is shown by the debate over whether China was really behind the Google attacks of a few weeks back. Evidence may be faked, incomplete or simply misinterpreted. Cyber attacks are also well suited to targeting economic as well as military targets.
Because of these factors, no matter how much "cyber weapons" seem like a military problem, they may be better treated as an intelligence problem.
Cyber attacks won't stop until corporations develop MINIMUM standards for computer proficiency and enforce those standards at the time of hiring. You think a degree is mandatory? Well, now being a smart computer user is mandatory.
Think about it: A company full of dual-booting, ThinkGeek-shopping gamers, vs. a company with today's mix of 30 – 60 year old average folk. Which company is more vulnerable? We all know the answer.
Cyber-social proficiency must be screened at the hiring point, with no exceptions. We need to get this into the minds of the Directors out there, so they can trickle it down from the top.
..Right after we help them with WeatherBug, CometCursor and WebShots.
I am a US Citizen and have been under constant attack for years now. At this point I am being shot with electromagnetic torture especially at night times to deprive me from sleep.
Also, I get shot on a regular basis with harmful chemicals, most of these I do not recognize. I was told by the police that this is done to me in retaliation for suing a Mental Health Clinic in federal court for illegal Sexual Harassment on the Job.
I am developing a sudden pain from time to time on my head.
I have no criminal records and am cosidered a whissleblower for the cases I brought to cour instructed by the local human rights division and police officers to do so.
My cases all have merits and were moving in court until I went under serious attakcs. Now I am the victim of abuse and torture through electronic weapons for years.
Can you tel me where can I report this so that somebody will help to put a stop to it? Your direction will be greatly appreciated.
Thank you very much for your attention.
Sincerely,
Silvia T. Osorio
The Brits, at least mi5, are awake: "A leaked MI5 report seen by Times Online claims businessmen who receive free USB disks or digital cameras at Chinese trade shows or during company visits better watch out, as this type of gifts has been found to contain Trojan horses that enable Chinese intelligence agencies to hack into corporate networks" (read in De Pers)
Here is an online poll created so you can express your opinion.
http://www.learnmyself.com/poll37153x0f2449Ec
Go to the above URL and vote.
It almost echoes the problem the US is having now in determining if Terrorists should be tried as military combatants or civilians. The terrorists are intent on causing harm and loss to the nation, and are led by a foreign power, but many times are acting alone or in small groups.
The same is true with some of the cyber war we are facing now. We are being attacked by groups that are backed, and in some cases trained, by foreign powers, but the host countries are denying involvement. Also, tracing back the attack vector is like tracing the money trail involved with the terrorist cells. But the longer we wait on how we respond the more determined our enemies will become.
Along with educating US computer users, (civilian and government), deterence is our best bet. Putting forth a strong, technical, and united face will be needed to stem the tsunami of infiltration attempts.
Treat it as a law enforcement issue? Sure, why not? Cyber warfare, terrorists, lets treat everything as a law enforcement issue. Yep, that sounds like a winner to me……
The US government needs to lead by example before considering undertaking new responsibilities when the existing are poorly managed. Accountability and responsibility needs to be put back into our judicial system.
Until that happens, our country is going to fall to other countries that are developing more rapidly. Funny thing is, most of these countries are using our many of our ideas and making them actionable in a realistic time frame; in this century.
The only thing that still makes this country a great place to live are the people. Given that all the checks and balances have fallen by the wayside for a few extra dollars and what politicians and lawyers call politics, many of those same people feel they have to be the same way to survive. Pretty sad if you ask me.
I'm not convinced that the issue of law enforcement vs. military has to be separate in dealing with cyber attacks. It seems pretty easy to me that you develop the channels, process, and responses (prioritized by critical impact) to deal with the issue. Keep in mind that outside of the proactive side, much of the law enforcement we are talking about here is after the fact. Develop the litmus test that includes critical systems and consequences and deal with it. Then, let law enforcement clean up any pieces that meet the requirements of law. IF military action "ruins" the law enforcement case, so be it – a price to pay if it is a critical system under attack.
Yes,
and when the Chinese hack into our military computer systems and steal intelligence I am sure they will call the FBI.
And they will do what?