Thursday, June 2, 2011

Pentagon's Cyberwarfare Strategy

by  David Gewirtz

Three related events this week caught the attention of security professionals and news organizations everywhere.

The first was when defense contractor Lockheed Martin announced it had been hit by a cyberattack. The second was when a Pentagon spokesman said the U.S. might consider a cyberattack to be an act of war (and might respond with physical force). The third news story was of another attempted penetration of Google’s systems from China, this time phishing for Gmail account information from senior U.S. officials.
These events are a continuance of the ongoing trend of digital attacks. They are noteworthy in context because they’re helping us see how cyberspace is finally being formally integrated into international policy.

Last night, I was back on BBC radio, where we discussed many of the issues surrounding the formalization of cyberdefense policies. During the interview, it became clear that there were a bunch of questions people on both sides of the pond had about what these new policies mean, and if they indicate a new aggressiveness on the part of the United States.

To clear up some of the confusion, I’ve listed ten things you should know about America’s new cyberdefense policies.

1. Attacks can by symmetrical or asymmetrical.

In warfare, the attackers and defenders aren’t always evenly matched. We’ve all seen what modern bombers can do to a small village, but many people don’t realize that cyberwarfare flips the equation, making it much more costly to defend than attack.

For example, any small group with a pile of PCs (or even PlayStations) can mount a hugely damaging attack, especially if they make use of zombie botnets as a force multiplier.

This means that while the attackers only have to aim at one target, the nation states have to defend every possible target from every possible attack. The cost of defense can be wildly more expensive than the cost of attack.

This changes the entire budgetary calculus of war. Take tank warfare, for example. Back in the days of tank warfare, each side needed to come up with the necessary resources to build and buy tanks — an expensive endeavor. The nuclear race was even more costly, costing in the billions (and, nearly — in today’s dollars — the trillions) to develop.

By contrast, a PC capable of launching a digital attack of mass destruction might cost a few hundred bucks. Defending against those attacks could cost billions.