
Cybersecurity: What are the Best Options?

By Madison O’Day
Special Contributor to In Homeland Security

The Department of Defense’s newly released Cyber Strategy is not strongly worded by any means, but it does state unambiguously that U.S. cyber strategy revolves around deterrence. While some ambiguous language amounts to a nod in the direction of offensive or retaliatory options, the primary focus of the strategy is defensive, which raises the question: what deterrence options do we currently have?

According to Scott Jasper in the Strategic Studies Quarterly, deterrence is more complex than a one-dimensional plan to keep aggressors out. Deterrence by denial, deterrence by punishment and the newly-coined deterrence by entanglement are all strategies embodied within the overarching policy of general deterrence.

It has been U.S. policy to confine our defense almost exclusively to deterrence by denial: attempting to deny an aggressor the ability to reach its target and deliver a payload. This strategy requires seamless defense, the ability to anticipate and guard against highly motivated attackers in a dynamically evolving field. Deterrence by punishment, the practice of imposing a cost on the aggressor’s decision to attack, has been widely debated by policymakers and security professionals and is generally associated with active defense or “hack back” practices. The final option, deterrence by entanglement, has only recently entered the discussion: the concept that mutual interests and shared political, economic and diplomatic relationships encourage responsibility and nonaggression on the cyber front. That last strategy is more a diplomatic solution than a security policy, so for the purposes of this discussion we will focus on the first two deterrence methods.

It is a huge step for the Pentagon to acknowledge an active federal interest in deterrence, whatever the means. However, it is only a first step. We must strategically dissect the options available to both public and private sectors under the overarching umbrella of deterrence – whether through bolstered, flexible defense or active countermeasures.

Intriguing inroads have been made recently in the area of more flexible and effective defense. The backbone of deterrence by denial is the assumption that, if sufficient resources are brought to bear, the U.S. can successfully ward off even the most sophisticated attacks. Until recently, however, there was little evidence that Western security professionals would be able to turn the tide of massive data breaches and security failures.

Dmitri Alperovitch may have single-handedly turned the tide in information security for the 21st century.

Co-founder and CTO of Crowdstrike and security expert extraordinaire, Alperovitch has presented evidence that his company was able to systematically deter two attacks by the Chinese group HURRICANE PANDA. Unnamed firms that had been targeted by a cyber-exploitation campaign retained the security firm immediately after detecting the first intrusions, then watched a very interesting game of moves and countermoves unfold.

The specifics of Crowdstrike’s ingenious defense will not be explored here. What will be examined, however, are the economic and policy implications for the future of information security and network defense, in both the private and public sectors. In light of the Department of Defense (DoD) cybersecurity strategy and its stated goal of deterrence, it is important to explore what options might be on the table to enhance federal deterrence strategies.

The overarching goals of defenders are quite simple: to keep the bad guys, or the wrong guys, out. Translated into incentives, one could say that the whole point of defense is to make the act of attacking too expensive to continue. Whatever resources the attacker is expending – time, manpower, money or political/diplomatic leverage – they must feel that the cost/benefit ratio of continuing the attack is overly expensive and undesirable.

Right out of the starting gate, defenders have two primary disadvantages: cost and resource consumption, and an asymmetry of position: the defender is tasked with guarding the entire wall, while an attacker need only find and exploit one mistake or weakness. These two disadvantages are linked and reduce to one critical asset: resources. Thus far, the cyber terrain has cast defenders as spenders of colossal resources, while attackers operate at a far more sustainable cost.

Crowdstrike’s strategy was simple: make it expensive, exhausting and frustrating to continue the attack. By mounting an aggressive defense, forcing the attackers to burn tradecraft (exposing tools and techniques that then could not be reused) and frustrating more than four months of persistent attempts, Crowdstrike was able to discourage a sophisticated, presumably state-sponsored Chinese hacker cell with a very specific target.

Not long after Crowdstrike’s first success, the company was called in to address a second intrusion at a separate firm. After the initial attack was repulsed, the defenders observed Hurricane Panda use an expensive zero-day exploit to run commands checking whether Crowdstrike’s software was present in memory on the compromised systems. As soon as the attackers found evidence of the security firm’s presence, the attack was abandoned. Deterrence had succeeded.

In short, then, it is possible to force an attacker, through its own cost-benefit analysis, to abandon a targeted attack for no reason other than that it has become too expensive to continue. While Dmitri Alperovitch has been cautious about declaring these successes a trend, he has nonetheless demonstrated that persistent defense is a match for persistent attacks. From a policy perspective, Crowdstrike’s success comes at a vital time. The DoD’s freshly minted cyber-deterrence strategy rests on a largely untested assumption: that Western defenses can reverse the tide of breaches and data loss and recover lost ground in a protracted, state-sponsored cyberwar.

We may safely conclude, then, that deterrence by denial is expensive but potentially wildly successful. But it is only one of many possible strategies.

Deterrence by punishment has been at the center of a lengthy ongoing debate regarding the propriety of an offensive as well as defensive cyber strategy. Active defense/hackback is based upon the premise that offensive behavior on the part of the victim may dissuade an attacker by increasing the cost of the attack. While there are many levels of active defense which might be discussed, the same objections exist across the entire spectrum of options:  the difficulties posed by attribution, and the risk of escalation.

Cyber resilience is based upon the premise that breaches will occur regardless of security precautions and defensive measures; statistically, the defender will not always win. We can, however, become increasingly agile at mitigating damage and at ensuring the attacker does not walk away with a cheap and easy victory. There are multiple levels of active defense or “hacking back,” ranging from gathering basic intelligence on the attacker’s IP address to entering the aggressor’s network to seize or destroy data. Honeypots, planted decoy data and similar deception methods lie somewhere between these two extremes and occupy a moral and ethical gray area that has yet to be fully examined at the policy level.

The DoD’s most recent cyber strategy included a nod toward potential federal-level cyber retaliation. The prospect of expanding the private sector’s range of offensive options, however, is still stonewalled in every dialogue. Difficulties involved in attribution, existing law and the prospect of escalation effectively silence the conversation before it can take place. If we are to break through to the next generation of policy talks designed to combat a whole new breed of threats, we must be willing to discuss the benefits of active defense instead of focusing solely on legal roadblocks or ill-founded fears of vigilantism.

After all, there is no such thing as “no hack backs,” only “no legal hack backs.” A survey conducted at the 2013 Black Hat conference in Las Vegas found that nearly a third of security professionals admitted to engaging in offensive behavior at some point during an attack, and the true number could plausibly be much higher. At the end of the day, then, we are not focused on the right issue: the question is not whether current law supports hack back (it undeniably does not) but whether our laws ought to evolve as necessity dictates (a much more palatable debate).

Once policymakers have established an answer to that question, we can engage on whether the risks of hack back outweigh the potential benefit. There is no doubt that the U.S. is losing the cyberwar on multiple fronts today. With news of Russia and China striking non-aggression agreements, a growing Iranian cyber threat and the rise of politically and espionage-driven attacks on both the private and public sectors, we should focus on a solution sooner rather than later.

The game is deterrence, but the field rules change rapidly and without warning. The United States is playing for a hefty prize – billions of dollars of intellectual property, international prestige and the integrity of our public and private networks, not to mention critical infrastructure and sensitive intelligence. Deterrence ought to be a two-pronged strategy, but thus far we’ve barely managed to capitalize upon one prong. Until we open up the conversation to openly discuss the pros and cons of a new type of cyber deterrence, we remain mired in tomorrow’s problems with yesterday’s tools.

Critical progress has been made in acknowledging the role of enhanced cyberdeterrence in national defense planning. However, we have to move the conversation to the next level: discussing untapped strategies and the necessity of an evolving understanding of cyberwar. While innovative companies like Crowdstrike have demonstrated encouraging progress in the field of deterrence by denial, it is clear that the U.S. is falling behind in state-sponsored cyberwar. As much as policymakers voice fears of vigilantism and misattribution, it is an undeniable fact that the landscape is changing with each passing year. Robust, open dialogue is critical to the health and vitality of our national security – as well as the preservation of our industry and intellectual property.

It doesn’t matter how thoroughly you’ve planned your plays – if the other team has seen every single strategy, a superior team has no choice but to develop new plays. In the same way, we must not fight tomorrow’s cyberwar with yesterday’s policies. Our enemies expect it – and depend upon it!

About the Author
Madison O’Day will be pursuing a Law and Public Policy degree through the School of Public and Environmental Affairs at Indiana University, and plans on studying technology law after getting her bachelor’s. She is currently employed by the Center for Applied Cybersecurity Research and is particularly interested in the economics of information security and active defense.
