I am concerned that policy and the legislative agenda are making basic assumptions about the relationship of information assurance and security and cyber-warfare that may not be accurate. Some of the issues are illuminated when government and corporate information security officers talk about restricting access to the Internet or otherwise securing assets as part of preparations for cyber-warfare defense. The issue is that securing assets with technology or physical barriers is analogous to conventional warfare responses to perceived risk.
Any brilliant analogy will fail under the harsh criticism of overutilization, but let's try it until it breaks. If cyber-warfare is related to asynchronous attack such as insurgency or terrorism, then barriers only inform the enemy of what is worth attacking. If cyber-warfare is related to conventional military action, then entrenching and creating castles of protection for information systems make sense until the enemy devises analogous trebuchets or airplanes.
If the standard of information assurance and security (IAS) is one-hundred-percent security, in the knowledge that cyber-war will occur, have we set up our technical staff? Have we, as a form of analogy, told our IAS frontline troops to drive around this dangerous land in their trucks and that they will be fired if blasted by an improvised explosive device (IED)?
Cyber-warfare sits in between all of the aspects of terrain and warfare. Whether land, air, or sea, the communication channel linking the services creates the environment for cyber-warfare. It appears cyber-warfare is both a separate terrain and a tool that acts as a force multiplier for other aspects of war. If we can’t agree that cyber-warfare can have kinetic effect, we can at least agree that it can increase the lethality and enhance targeting of enemy systems. Cyber-warfare does exist in the realm of actions less than all-out war.
Much of the literature, including the “cyber Pearl Harbor” scenarios that have been written, is more about fear mongering than about considering the strategic and realistic issues. Fighting cyber-warfare with firewalls and black boxes is like sending a Stryker vehicle into combat without a crew. Many of the authors of crisis literature have not learned much from the current war and from considering counterinsurgency or conventional war. Somehow authors think that war due to cyber is suddenly going to change, even though technology throughout history rarely changes the actual models of conflict.
If cyber-warfare is an asynchronous attack (and we are not talking about information warfare such as psychological operations), then we need to think about how best to protect people and property. Are virtual forward operating bases with ready response teams needed? Perhaps a giant “green zone” for monitoring hostile Internet actions is required. Unfortunately, the Internet is not thousands of miles away from the homeland. The casualties of cyber-war and cyber-terrorism are not people in a far-off place but the ones in your office and neighborhood. Now, thinking about that, how many Americans are going to accept a forward operating base filled with Marines in their neighborhood? I believe you reach a threshold where people just say no.
That is the problem with analogies: they both enlighten and fail as quickly. There will be people who will say that virus and trojan threats are the cyber version of IEDs. To forestall that debate, I think it is wrong. The cyber version of IEDs is hospitals dispensing medicines that, due to computer foul-ups, kill children. Cyber attacks are about more than Internet hooliganism and distributed denial of service attacks. Spying is about violating the confidentiality of the subject, and, as in the previous example, violating the integrity of a system is just plain dangerous.
Are we setting up our IAS teams to drive around in trucks looking for IEDs? To be held accountable when they unfortunately find them? In other words, are we holding our IAS engineers to a standard of 100 percent perfect security where getting fired is the result of failure? Imagine if you went to Iraq and told a company commander that he would be fired and drummed out of the service if even one of his trucks got hit by an IED. If we are talking about cyber “warfare,” I would suggest that we are setting ourselves up for failure until we have a better idea of what that means.