Cybersecurity & cyberwar

Cyberwar: The Pentagon Cyberstrategy

Summary: In the first in a series, guest author Marcus J. Ranum describes what might become one of the primary forms of conflict in the 21st century. How real is the threat? Is the Department of Defense approaching this in a logical way?

“Mr. President, if that’s what you want there is only one way to get it.  That is to make a personal appearance before Congress and scare the hell out of the country.”

— Senator Arthur Vandenberg’s advice to Truman about how to start the Cold War.  On 12 March 1947 Truman did exactly that.  From Put Yourself in Marshall’s Place, James P. Warburg (1948); in 1941 Warburg helped develop our wartime propaganda programs.

Contents

  1. Introduction
  2. A source of network security breaches
  3. Stuxnet
  4. About the author, including links to other posts in this series
  5. For more information

(1)  Introduction

Unless you’ve been sleeping under a rock for the last decade, you’ve probably heard that the US Government is deeply concerned about foreign penetrations into agency networks and critical infrastructure systems. There have been accusations flung, sabers clutched (if not rattled outright) and patriotic calls for help – and money. Rehashing the whole situation is not possible in this space, nor would it be productive, but there are depressing realities about this new field of conflict that we should not sweep under the carpet.

“To prepare our military for emerging cyber threats, we have developed a DoD Cyber Strategy. This strategy holds that our posture in cyberspace must mirror the posture we assume to provide security for our nation overall. Namely, our first goal is to prevent war. We do this in part by preparing for it. And we do so while acknowledging and protecting the basic freedoms of our citizens.”

Remarks on the Department of Defense Cyber Strategy by Deputy Secretary of Defense William J. Lynn III at the National Defense University, 15 July 2011

First, and foremost among them, cyberspace is not a “battlefield” like any other. There’s a search for analogies, as people who really don’t understand computer security try to map concepts onto other, more familiar, concepts in an attempt to dumb them down, but that does not and will not work. If we wish to defend (or attack) successfully in cyberspace, our government needs to understand cyberspace, not militarize cyberspace into something comprehensible. This problem is deceptive because at the level of grand tactics some analogies work, or appear to work: yes, it’s always a good idea to see the enemy before they see you. But, does that apply in an environment in which the defender’s position is always known and the attackers’ is irrelevant?

Recently, someone I was talking to offered the position that “in cyberspace, the best defense is still a strong offense!” until I asked him “why?” All of Napoleon’s smart quips about the military art still sound smart when applied to cyberspace, but they are as useful as forming square to repel cavalry would have been in Afghanistan. Because the notion of location is arbitrary, and the size and shape of the battle-space are dynamic, grand tactics rooted in space (and therefore time) ought to be suspect. Perhaps, in cyberspace, the best defense is a strong defense. In fact, if you think about it for a few minutes you’ll realize that because the attacker controls space and time and the defender’s location is fixed, that’s the only way it can be.

I don’t want us to get bogged down in that particular example, though; the broader point is that most of what we think we understand about warfare in cyberspace is probably wrong. For another example, we ought to be talking about logistics if we’re in a battle-space in which our enemy can upgrade their defenses from one moment to the next and disarm us of an entire stack of stockpiled weaponry. Such problems raise the question of whether we even understand what “weaponry” is in cyberspace — or whether we are choosing to avoid the pain of making a sober assessment of the issue. I have written about this more extensively elsewhere {see about the author below} so I won’t repeat myself here.

A more serious problem is that our strategic approach to Information Technology (IT) in the government (and to a lesser degree, the private sector) is running counter-current to improving our defensive posture. At the same time that the government is deeply concerned about the cyber-threat, it is in the process of the greatest-ever migration of technical skills from government employment into the private sector. While we talk about improving our network defenses, we are rushing to outsource management of those networks (and their defenses) thereby making them cheaper, on paper, for the short-term. This mirrors the way in which military logistics has been increasingly outsourced in the real world and similarly it secures its true objective: the transfer of public wealth into private hands. But, in IT you run into a problem, which is that something can be deeply broken but still appear functional until a critical time. It’s hard, in the real world, to build a supply chain that appears to work, but in cyberspace you can easily build a network that appears to be secure – but isn’t.

(2)  A source of network security breaches

What we are seeing, over and over again, is that IT security breaches happen because someone was trusted to build a secure network, and they didn’t — but its weakness went unnoticed because the people who bought and paid for the network have lost any IT security skills that they had, when their brain-trust took higher-paying jobs working for contractors. This is not a new problem, and ought to be familiar to anyone who’s ever taken their car to a mechanic and wondered “what is a ‘framis joint’ and why did I just pay $1000 for one?” If you don’t know the rudiments of how a car works, you are wearing a sign on your back that reads, “Kick me.”

I’ve worked my professional career as a cyber-weapons designer of sorts, starting with firewalls in the late 1980s, intrusion detection in the 1990s, and then log analysis and vulnerability management — and I can tell you that none of this technology is special, and there’s no rocket science. It is absolutely crucial for people to understand that there is no super-secret special intrusion detection algorithm that the DoD will be able to get which is not commercially available right now: because in cyberspace, unlike in real warfare, governments have not been able to monopolize the availability of weaponry. Our government (or any other!) will not be developing a whole new kind of firewall that is dramatically better than the state of the commercial art — simply because the commercial side is where the talent and the evolutionary pressure are: if a system engineer for Palo Alto Networks can figure out a better way to do application screening, they can dominate that market and make a ton of money — there’s zero benefit to keeping that technology under wraps for militarization.

From the opposite side, market pressures are co-evolving attack tools extremely quickly because the Mafiosi (who are making millions on online fraud) will commission new attack tools and immediately field them. Once again, cyberspace does not look like a traditional battle-space: weapons evolution is fast and furious and must be constant and deeply redundant. Microsoft could push out a new operating system patch, tomorrow, that obsoletes a whole class of attack tools — or a new bug could be discovered, outed, and fixed — all during the course of a weekend.

Imagine trying to explain to a Marine that his way cool battle rifle might suddenly cease to function if the enemy is able to develop a patch against it. Or, that your castle walls could suddenly fall down, Jericho-like, at an extremely inconvenient time. Because there is this huge army of cybercriminals and a substantial core of commercial cyber-weapons builders like myself, the rapid rate of co-evolution in cyberspace is going to make establishing a targeted set of tools extremely expensive. Additionally, a target might be highly individualized — suppose a particular country’s government gets a good deal on a locally manufactured router/switch technology — now, in order to attack them, an attacker would have to develop a whole new weapons stack if they wanted to dominate the target’s router infrastructure.

(3) Stuxnet

A final case in point, of which I hope to write more later: Stuxnet. It’s a very interesting combination of in-the-wild attack tools/techniques with a few custom-developed penetration techniques and a payload targeted at a specific subsystem. It is a perfect example of the kind of rapid co-evolution that I’m talking about — whoever put it together did something very timely, very customized, and knew it had a short life-span before it would be found and dissected.

The best defense against something like Stuxnet could not possibly be a strong offense – how can you pre-empt something unknown that was released without attribution? Stuxnet was exactly adequate for its job. How do you prevent such a thing from working on you? You do exactly the opposite of what we’re doing everyplace: you in-house security, in-house IT, and begin to build your infrastructure so that there are unpredictable and unknown barriers within it, including critical sections that are air-gapped and closely monitored. Yes, that is expensive and inconvenient. The question is whether the alternative is even more expensive and inconvenient.

(4)  About the author

See the About the Authors page for information about Marcus J. Ranum

Other publications by Ranum:

The series Cyberwar: a Whole New Quagmire, by Marcus J. Ranum:

  1. The Pentagon Cyberstrategy, 2 September 2011
  2. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  3. Conflating Threats, 14 September 2011
  4. About Stuxnet, the next generation of warfare?, 29 September 2011
  5. When the Drones Come To Roost, 8 October 2011
  6. About Attribution (identifying your attacker), 21 October 2011

(5)  For more information

  1. “War Logs On: Girding America for Computer Combat”, Bruce D. Berkowitz (RAND, coauthor of Best Truth: Intelligence in the Information Age), Foreign Affairs, May/June 2000 — “In Kosovo, America stumbled into the age of computer warfare. Now Washington must think hard about how to attack its foes’ electronic networks and defend its own.”
  2. “Securing the Information Highway – How to Enhance the United States’ Electronic Defenses”, Wesley K. Clark and Peter L. Levin, Foreign Affairs, November/December 2009
  3. Obama knows how to lead America by exploiting our fears, 5 June 2009 — About cyberwar
  4. “Defending a New Domain – The Pentagon’s Cyberstrategy”, William J. Lynn III, Foreign Affairs, September/October 2010
  5. “The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive”, Peter W. Singer and Noah Shachtman, Brookings Institute, 15 August 2011 — Both authors are with the 21st Century Defense Initiative.
  6. “The Calm Before the Storm”, Joel Brenner, Foreign Policy, 6 September 2011 — “Cyberwar is already happening — and it’s about to get much, much worse. A veteran cyberwarrior explains how America can prepare itself.”

9 replies »

  1. Ranum’s point about location is very much like quantum physics’ non-locality principle. Only where we focus is it ‘real’. Einstein and his colleagues used verbal thought experiments (imagination) to change particle physics. Very low-tech. Perhaps the weapon of the future isn’t a weapon as such, but a different form of intelligence. One that isn’t over-focused on the technology.

    • Bill Joy (Sun Microsystems) wrote a famous article for Wired years ago that dealt with artificial intelligence and other advanced technology threats to human existence (as we know it).

      “Ray [Kurzweil] gave me a partial preprint of his then-forthcoming book _The Age of Spiritual Machines_, which outlined a utopia he foresaw – one in which humans gained near immortality by becoming one with robotic technology. On reading it, my sense of unease only intensified; I felt sure he had to be understating the dangers, understating the probability of a bad outcome along this path.”

      Artificial Intelligence is predicted to reach current levels of human intelligence by the year 2050. This event is referred to as the “Singularity”. Please note that the pace of advancement of artificial intelligence will not stop at that point, but continue, unlike “raw” human intelligence.

      Some advanced future medical therapies will involve extensive organ replacement, with predictions of human lifespans reaching 120 to 150 years. These will eventually become human-robotic hybrids. Cognitive enhancements to such hybrids basically represent the evolutionary beginnings of one or more new “advanced” species.

      One possible positive outcome is that the limitations (recently discovered by anthropologists*) that purely human DNA places on social organization (“civilizations are scaled up, unstable supertribes”) will be overcome, and a true global civilization (and “world peace”) will be possible. {see here}

      Note: Richerson’s work was recently referenced by Geoffrey West of the Santa Fe Institute as being related to West’s work on scaling models and global economics. See Cesar Hidalgo’s web site for some cool graphics from scaling algorithms.

  2. An interesting article taking the opposite view from that of this post:

    “The Calm Before the Storm”, Joel Brenner, Foreign Policy, 6 September 2011 — “Cyberwar is already happening — and it’s about to get much, much worse. A veteran cyberwarrior explains how America can prepare itself.”

  3. “Political Repression 2.0”, Evgeny Morozov, op-ed in the New York Times, 1 September 2011 — Excerpt:

    AGENTS of the East German Stasi could only have dreamed of the sophisticated electronic equipment that powered Col. Muammar el-Qaddafi’s extensive spying apparatus, which the Libyan transitional government uncovered earlier this week. The monitoring of text messages, e-mails and online chats — no communications seemed beyond the reach of the eccentric colonel.

    What is even more surprising is where Colonel Qaddafi got his spying gear: software and technology companies from France, South Africa and other countries.

    … Libya is only the latest place where Western surveillance technology has turned up. Human rights activists arrested and later released in Bahrain report being presented with transcripts of their own text messages — a capacity their government acquired through equipment from Siemens, the German industrial giant, and maintained by Nokia Siemens Networks, based in Finland, and Trovicor, another German company.

    Earlier this year, after storming the secret police headquarters, Egyptian activists discovered that the Mubarak government had been using a trial version of a tool — developed by Britain’s Gamma International — that allowed them to eavesdrop on Skype conversations, widely believed to be safe from wiretapping.

    And it’s not just off-the-shelf technology; some Western companies supply dictators with customized solutions to block offensive Web sites. A March report by OpenNet Initiative, an academic group that monitors Internet censorship, revealed that Netsweeper, based in Canada, together with the American companies Websense and McAfee (now owned by Intel), have developed programs to meet most of the censorship needs of governments in the Middle East and North Africa — in Websense’s case, despite promises not to supply its technology to repressive governments.

    … many of these tools were first developed for Western law enforcement and intelligence agencies.

  4. “The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive”, Brookings Institute, 15 August 2011

    Authors:

    1. Peter W. Singer, Director, 21st Century Defense Initiative
    2. Noah Shachtman, Nonresident Fellow, Foreign Policy, 21st Century Defense Initiative

    Opening:

    For every big policy issue, there’s usually a parallel that can be found in the past. As Mark Twain once put it, “History does not repeat itself, but it does rhyme.”

    The problem for policymakers, though, is identifying which tune it exactly is that they are hearing. While applying lessons from the past can be a useful analytic tool, we frequently unearth old analogies that may not be the right fit for the new problem we face. Indeed, most often we turn to the songs we know best, the ones we hummed in our youth, when others may be more apt. For instance, senior Air Force officers during the Vietnam War clung to a strategic bombing campaign more suited to their early experiences bombing Nazi Germany than a Third World insurgency, while in turn, the recent debate about Afghanistan keeps echoing back to baby boomer concerns about whether a 21st century war would be “Obama’s Vietnam.”

    Today, the hit makers of Washington could be making a similar mistake when it comes to cybersecurity, trying to jam a new issue into the wrong historic framework. The new rhythms of online crime, spying and statecraft are unfamiliar. So, perhaps not surprising, they’re turning to an old parallel that they spent most of their professional lives working on: the Cold War.

  5. “Cyber Command Builds ‘Cyber Warrior’ Capabilities”, American Forces Press Service, 27 September 2011 — Opening:

    Recognizing there’s no cookie-cutter formula for a “cyber warrior,” the outgoing chief of staff at U.S. Cyber Command said the strong, diverse capabilities already in place will provide the foundation for the military’s professional cyber corps.

    After his pivotal role in standing up U.S. Cyber Command and helping to mold its initial cyber force, Air Force Maj. Gen. David N. Senty noted the array of skill sets it brings to the mission of defending vital military networks.

    The cyber force includes experts not only in information technology, but also in signals intelligence, communications and military operations. Combat-arms forces among their ranks bring an operational mindset and military judgment to the equation, Senty said. …

  6. “The Pentagon’s Cyberstrategy, One Year Later – Defending Against the Next Cyberattack”, William J. Lynn III (Deputy Secretary of Defense), Foreign Affairs, 28 September 2011 — Summary:

    More destructive cyberweapons are being created every day, and an increasingly sophisticated technology black market virtually guarantees that they will eventually land in the hands of the United States’ enemies. Robust defenses are no longer a luxury, they are a necessity.

    Not one word about Stuxnet. Only about US defenses. Our attacks don’t count. Any cyber arms-race is not our fault.
