Part 4 of Marcus Ranum’s series on cyberwar is now up on the Fabius Maximus site:
Parsing Cyberwar – Part 4: The Best Defense is A Good Defense
Let me rephrase some of his points:
1. Cyberwar is not war in the Sun Tzu/Clausewitz sense. As Ranum notes:
The big scenarios of cyberwar — “putting a country back to the pre-industrial era” — are overblown and ridiculous; generally they appeal to those who don’t really understand data networking or system administration. There are plenty of examples of successful attacks against individual point targets, but the big scenario does not follow logically as a consequence of a lot of small ones
2. As in other areas of group-on-group conflict, Einheit is critical:
At this point, we can be sure that anyone who builds a gas centrifuge cascade is going to be a little bit more careful about their software than usual; perhaps they won’t rely on the lowest bidder to configure it. And that, in a nutshell, is the whole problem. Cyberwar forces organizations to re-examine their trust-boundaries: who do they get to do what, and how can they tell whether their service providers and supply chains are tamper-proof? For a government like the US’, that seems eager to outsource practically everything, that appears to be the opening of a gigantic and very nasty can of worms.
3. Because of the nature of software, operating inside the OODA loop is critical. If you play offense in this field, you have to do what you’re going to do and then move on before your intrusion is discovered, analyzed, and the details of your attack disseminated to the world:
Since it has been revealed to the community and dissected at length, Stuxnet has done more to justify improvements in security systems than anything else; in that sense it was self-defeating. It is a stone thrown by people who live in a glass house, that will serve to encourage more stone-throwing.
Ranum appears to be making the point that defense is the stronger form of this conflict. At the level of the individual company or home user, this may well be true. (This is why I say that “On the internet, the best defense is a strong defense.”) But as with real war, the situation is more complex. For one thing, attackers often can succeed in their initial attack. And cyber conflict, as Ranum notes, needs to be considered within the larger arena of state-vs-state competition, where hacking and malware are only one tool.
Interesting series — suggest you check it out.
And, for that matter, state-vs-nonstate conflict.