We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Should We Fire the First Shot in a Cyberwar?

Defending against an attack is so hard that some think a stronger offense is required.

Military bureaucracies around the world are likely to see offensive capabilities as increasingly attractive in any cyberwar, suggests the head of the computer research arm of the National Academy of Sciences.

“Offensive cybertechnology and operations are inherently stronger than defensive operations—that is, offense beats defense in cyberspace, in most cases, and given enough time,” says Herbert Lin, chief scientist at the Computer Science and Telecommunications Board at the National Research Council. Lin spoke last week at an MIT workshop on the fast-emerging cyber dimension to international relations.

Cyberattacks could damage or disable military networks or civilian infrastructure like power grids, or they could involve the theft of military and corporate secrets. Experts warn that such attacks could occur at light speed and be difficult to trace, especially if data is routed through computers in many different countries.

“Since you don’t know how to do good defense, you can’t prevent offensive dominance. And you can’t do good deterrence because effective retaliation is hard, so if you want to take advantage of cyberspace, you will do offensive operations for nondefensive purposes,” Lin says. “I’d really like to be wrong about that, but I fear that’s where we are going.”

Lin contributed to a 2009 National Academies report which argued that the situation calls for talks with other nations to establish the rules of the road, open debate in Congress on U.S. strategy, and the development of better tools to detect and measure threats. A later report described the tricky landscape of deterrence.

Last month, General Keith Alexander, head of the National Security Agency and the U.S. Cyber Command, said the U.S. military needs better capabilities to not only defend against cyberattacks, but also to potentially launch them. Speaking at the U.S. Strategic Command’s Cyber and Space Symposium in Omaha, Nebraska, he told an audience of 1,500 military and defense contracting officials that the U.S. military should have the power to attack other countries in cyberspace. “We can’t just defend,” Alexander said.

He noted that, in general, the United States needed to fight back against countries that have conducted cyber espionage on U.S. companies and defense contractors, as many experts have suggested China and Russia have done. (Technology Review described the interlocking landscape of cybercrime, espionage, and war in this report last year.)

One underlying reason for the escalation of cyberwar is that it’s hard to identify emerging threats and put them in perspective. An interdisciplinary MIT effort is building a cyber data dashboard that stitches information on cybersecurity and crime together with political, economic, and demographic data, to allow users to find patterns and correlations.

Someone using the dashboard could find, for example, the number of computer viruses detected as a function of the number of a nation’s Internet users, or see how cybercrime relates to GDP across different nations. The dashboard can be used publicly and does not yet require a password for access.

That data effort is echoed by a recent call from Harvard Law School professors Jonathan Zittrain and John Palfrey for more research to produce better Internet data—such as on activities within social networks relating to cybercrime.

At last week’s MIT workshop, David Clark, an MIT computer scientist who was the Internet’s chief protocol architect in the 1980s, said that the Internet will need to be engineered to both resist attack and to make it difficult for individual regimes to shape it to their liking.

“Did we design it to be resilient to attack and control? The answer is no,” Clark said. “We thought about it being resilient to failure, and that’s different. We need now to think about a discipline of designs relevant to control.”

Clark added: “The future is not centered on performance, but centered on control and power. We are not trained, as computer scientists, to evaluate things from that perspective.”

Keep up with the latest in cyber security at EmTech Digital.
Don't be left behind.

March 25-26, 2019
San Francisco, CA

Register now
Want more award-winning journalism? Subscribe to Insider Basic.
  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Print Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.