Martin Libicki's recently published a book, Cyberdeterrence and Cyberwar (also available here as a free PDF), in his words, "presents the results of a fiscal year 2008 study [performed by the Rand Corporation and funded by the US Air Force], 'Defining and Implementing Cyber Command and Cyber Warfare.' It discusses the use and limits of power in cyberspace, which has been likened to a medium of potential conflict, much as air and space domains are."
Libicki's key conclusion is the Air Force should not invest heavily in cyber warfare because: (1) the difficulties of being sure of the source of a cyber attack and (2) the losses due to cyber attacks are not severe enough to warrant strong offensive capabilities. In his own words:
"It is thus hard to argue that the ability to wage strategic cyberwar should be a priority area for U.S. investment and, by extension, for U.S. Air Force investment. It is not even clear whether there should be an intelligence effort of the intensity required to enable strategic cyberwar."
I am uncomfortable with Libicki's conclusions in part because he makes assertions which cause me to question his understanding of cyberspace in general and "cyberattacks in particular." Note this paragraph on page 143
Cyberattacks are about deception, and the essence of deception is the difference between what you expect and what you get: surprise. This is why operational cyberwar is tailor-made for surprise attack and a poor choice for repeated attacks: It is difficult to surprise the same sysadmin twice in the same way.
In other words, according to Libicki, since the United States does not believe in surprise attacks and cyber war is oriented to surprise attacks, then cyber war is not appropriate for the US. Just because we don't subscribe to surprise attacks like Pearl Harbor does not mean that our military does not attempt to use surprise and misdirection in attacks.
Also, there is no reason to assume that an attacker would have only one method of attack or that it couldn't be used repeatedly. First, the breadth of attack vectors is huge and has the same sort of asymmetry as terrorist attacks. I think by now it's accepted wisdom that anti-terrorism must be proactive and have major offensive components. (The current anti-terrorism debate is more about degree and tactics.) By analogy, the asymmetric nature of cyber attacks due to the same difficulty of defending every inch of the attack surface leads one to conclude that offensive capabilities are needed.
Second, as to repeating the same attack over and over, one only needs to look at the history of the Conficker worm, which is now over one year old and still infecting systems!!
Richard Bejtlich, an IT Security practitioner at a Fortune 5 company and a former member of the Air Force CERT, wrote a much more comprehensive review of Libicki's book on Amazon and on his blog. Bejtlich claims Libricki's analysis contains five key flaws which I have quoted as directly as possible from Bejtlich's review:
- Libicki is wrong when he says, "cyberattacks are possible only because systems have flaws."
- Libicki's fatal understanding of digital vulnerability is compounded by his ignorance of the role of vendors and service providers.
- The "blame the victim" mentality is compounded by the completely misguided notions that defense is easy and recovery from intrusion is simple.
- Libicki makes no distinction between "core" and "peripheral" systems, with the former controlled by users and the later [sic] by sys admins.
- In addition to not understanding defense, Libicki doesn't understand offense.
Here are the final two paragraphs of Bejtlich's review:
Furthermore, by avoiding offense, Libicki makes a critical mistake: if cyberwar has only a "niche role," how is a state supposed to protect itself from cyberwar? In Libicki's world, defense is cheap and easy. In the real world, the best defense is 1) informed by offense, and 2) coordinated with offensive actions to target and disrupt adversary offensive activity. Libicki also focuses far too much on cyberwar in isolation, while real-world cyberwar has historically accompanied kinetic actions.
Of course, like any good consultant, Libicki leaves himself an out on p 177 by stating "cyberweapons come relatively cheap. Because a devastating cyberattack may facilitate or amplify physical operations and because an operational cyberwar capability is relatively inexpensive (especially if the Air Force can leverage investments in CNE), an offensive cyberwar capability is worth developing." The danger of this misguided tract is that policy makers will be swayed by Libicki's misinformed assumptions, arguments, and conclusions, and believe that defense alone is a sufficient focus for 21st century digital security. In reality, a kinetically weaker opponent can leverage a cyber attack to weaken a kinetically superior yet net-centric adversary. History shows, in all theatres, that defense does not win wars, and that the best defense is a good offense.
My final comment on the book is that it's analysis is too static considering the constantly evolving technologies, government and business uses of cyberspace, threats, and economics. It seems to ignore the importance and impact of research and resulting game changing breakthroughs that could impact the feasibility, strategy, and tactics of cyber warfare and cyber deterrence.
