On Monday, JustSecurity published an article by Mike Schmitt titled Preparing for Cyber War: A Clarion Call. Its a great article that highlights a bunch of the thorny issues in International law that remain unresolved that we ought to take the time to sort out before a conflict arises that demands immediate answers. The biggest of these, in my mind, is the question of whether or not or when destruction of data meets the criteria of an armed attack. I think Schmitt is absolutely right here - real world events are going to demonstrate that destruction of data can be significant enough to alter the strategic course of nation states.

One thing that struck me about the narrative of the article is how quickly the possibility of defending a nation against attacks is dismissed:

In kinetic warfare, it is usually possible to eventually develop a counter-measure that deprives a weapon of its effectiveness, at least until development of a counter-countermeasure. For instance, Israel’s Iron Dome has achieved a very high success rate against rockets fired at urban areas. In cyber space, however, such a “fix” with respect to protecting the civilian population is less likely for three reasons. First, malware is very diverse and one size fits all countermeasures are usually unattainable. Second, the general population does not patch and update systems with sufficient frequency and care to reliably protect them from attack. Finally, technical attribution can be very difficult in cyber space, thereby making shooting back problematic.

The article then proceeds to dig into the third point - looking at different ways in which strike back is complicated by attributional factors and the potential for collateral damage. Although those concerns raise a number of great legal questions, which is really the focus of the article, from a practical standpoint in terms of preparedness, I think the first two points demand greater scrutiny as well.

I've spent years designing Intrusion Detection technology, and I don't think the countermeasure situation is necessarily all that different from the kinetic example Schmitt references. A variety of aspects of an attacker's TTPs can be embedded into network signatures, including the vulnerabilities targeted, the malware, the command and control points and protocols. Part of the trouble is the amount of time it takes to get that information embedded into network defenses (Schmitt's second point). However, that response time could be reduced by building better operational processes that allow threat information shared by the government to be put into production by network operators and managed security service providers in an automated fashion. The more integrated these systems are, the better equipped the government will be to rapidly respond when its necessary. We need to tighten the OODA loop here. ... [ Read More (0.3k in body) ]