Should We Fire the First Shot in a Cyberwar?
Defending against an attack is so hard that some think a stronger offense is required.
Military bureaucracies around the world are likely to see offensive capabilities as increasingly attractive in any cyberwar, suggests the head of the computer research arm of the National Academy of Sciences.
“Offensive cybertechnology and operations are inherently stronger than defensive operations—that is, offense beats defense in cyberspace, in most cases, and given enough time,” says Herbert Lin, chief scientist at the Computer Science and Telecommunications Board at the National Research Council. Lin spoke last week at an MIT workshop on the fast-emerging cyber dimension to international relations.
Cyberattacks could damage or disable military networks or civilian infrastructure like power grids, or they could involve the theft of military and corporate secrets. Experts warn that such attacks could occur at light speed and be difficult to trace, especially if data is routed through computers in many different countries.
“Since you don’t know how to do good defense, you can’t prevent offensive dominance. And you can’t do good deterrence because effective retaliation is hard, so if you want to take advantage of cyberspace, you will do offensive operations for nondefensive purposes,” Lin says. “I’d really like to be wrong about that, but I fear that’s where we are going.”
Lin contributed to a 2009 National Academies report which argued that the situation calls for talks with other nations to establish the rules of the road, open debate in Congress on U.S. strategy, and the development of better tools to detect and measure threats. A later report described the tricky landscape of deterrence.
Last month, General Keith Alexander, head of the National Security Agency and the U.S. Cyber Command, said the U.S. military needs better capabilities to not only defend against cyberattacks, but also to potentially launch them. Speaking at the U.S. Strategic Command’s Cyber and Space Symposium in Omaha, Nebraska, he told an audience of 1,500 military and defense contracting officials that the U.S. military should have the power to attack other countries in cyberspace. “We can’t just defend,” Alexander said.
He noted that, in general, the United States needed to fight back against countries that have conducted cyber espionage on U.S. companies and defense contractors, as many experts have suggested China and Russia have done. (Technology Review described the interlocking landscape of cybercrime, espionage, and war in this report last year.)
One underlying reason for the escalation of cyberwar is that it’s hard to identify emerging threats and put them in perspective. An interdisciplinary MIT effort is building a cyber data dashboard that stitches information on cybersecurity and crime together with political, economic, and demographic data, to allow users to find patterns and correlations.
Someone using the dashboard could find, for example, the number of computer viruses detected as a function of the number of a nation’s Internet users, or see how cybercrime relates to GDP across different nations. The dashboard can be used publicly and does not yet require a password for access.
That data effort is echoed by a recent call from Harvard Law School professors Jonathan Zittrain and John Palfrey for more research to produce better Internet data—such as on activities within social networks relating to cybercrime.
At last week’s MIT workshop, David Clark, an MIT computer scientist who was the Internet’s chief protocol architect in the 1980s, said that the Internet will need to be engineered to both resist attack and to make it difficult for individual regimes to shape it to their liking.
“Did we design it to be resilient to attack and control? The answer is no,” Clark said. “We thought about it being resilient to failure, and that’s different. We need now to think about a discipline of designs relevant to control.”
Clark added: “The future is not centered on performance, but centered on control and power. We are not trained, as computer scientists, to evaluate things from that perspective.”