On Monday, JustSecurity published an article by Mike Schmitt titled Preparing for Cyber War: A Clarion Call. Its a great article that highlights a bunch of the thorny issues in International law that remain unresolved that we ought to take the time to sort out before a conflict arises that demands immediate answers. The biggest of these, in my mind, is the question of whether or not or when destruction of data meets the criteria of an armed attack. I think Schmitt is absolutely right here - real world events are going to demonstrate that destruction of data can be significant enough to alter the strategic course of nation states.
One thing that struck me about the narrative of the article is how quickly the possibility of defending a nation against attacks is dismissed:
In kinetic warfare, it is usually possible to eventually develop a counter-measure that deprives a weapon of its effectiveness, at least until development of a counter-countermeasure. For instance, Israel’s Iron Dome has achieved a very high success rate against rockets fired at urban areas. In cyber space, however, such a “fix” with respect to protecting the civilian population is less likely for three reasons. First, malware is very diverse and one size fits all countermeasures are usually unattainable. Second, the general population does not patch and update systems with sufficient frequency and care to reliably protect them from attack. Finally, technical attribution can be very difficult in cyber space, thereby making shooting back problematic.
The article then proceeds to dig into the third point - looking at different ways in which strike back is complicated by attributional factors and the potential for collateral damage. Although those concerns raise a number of great legal questions, which is really the focus of the article, from a practical standpoint in terms of preparedness, I think the first two points demand greater scrutiny as well.
I've spent years designing Intrusion Detection technology, and I don't think the countermeasure situation is necessarily all that different from the kinetic example Schmitt references. A variety of aspects of an attacker's TTPs can be embedded into network signatures, including the vulnerabilities targeted, the malware, the command and control points and protocols. Part of the trouble is the amount of time it takes to get that information embedded into network defenses (Schmitt's second point). However, that response time could be reduced by building better operational processes that allow threat information shared by the government to be put into production by network operators and managed security service providers in an automated fashion. The more integrated these systems are, the better equipped the government will be to rapidly respond when its necessary. We need to tighten the OODA loop here.
I don't understand why it is taking so long to put these kinds of operational capabilities into place. Progress is being made. A few years ago there was very little useful cyber threat information coming from the federal government into the general information security community. Today, there is more, but the information is often shared in formats that aren't conducive to automation. There are important standards efforts underway that will help that, but adoption is progressing at a snails pace. Once the technology is in place, we'd still need to talk about operational processes that can be enacted in an emergency situation. No one is talking about that, anywhere.
Instead, we appear to be pretending to talk about it in Congress, by debating legislation (CISPA) which is being sold as if it is needed in order to authorize some part of this. In fact most of what needs to be done is already perfectly legal, and the Congressional dialog is probably a foil for something else that is orthogonal to the question at hand.
We don't need to create exceptions to privacy laws in order to get most of this done. The people who protect networks know that they are under attack by foreign state actors already, and value any information or capability that they can get that will help them better defend themselves. They already take threat information from the government, willingly, and deploy it. They already report attack activity back to the government when they see it. They will voluntarily deploy more automated capability to tighten this loop, if its presented in a way that leaves them in control of what ultimately happens with their networks and data.
I think the problem here is one of priorities - defending the nation against cyber attacks is going to require tight coordination between public and private entities. Instead of focusing on the 95% of that coordination that can happen voluntarily, our government seems focused on the 5% that must be coerced. Instead of focusing on how we can protect our assets from attack, the government is focused on attribution and strike back, which are not always practical things to do. I think its a matter of culture and of perspective, and I think that the priorities need to shift. There are a whole lot of valuable things that can get done here that no one is standing in the way of, and if we really think there are dark days on the horizon, we ought to be getting the easy stuff taken care of right now, and leaving the stuff we disagree about for later.