Cyber Security Not Just About Hardening Systems

Stephen DeAngelis

March 29, 2007

When non-technical people think about cyber security, they think about anti-virus software, firewalls, anti-spyware, and so forth. It is, of course, much more than that. Taking a page from the sporting world, the Department of Defense has adopted the philosophy that, even in cyberspace, the best defense is a good offense. Writing in USA Today, Jim Michaels discusses how the Pentagon is putting this philosophy into practice [“Military beefs up Internet arsenal,” 28 March 2007]. Michaels writes:

“The U.S. military is quietly expanding capabilities to attack terrorist computer networks, including websites that glorify insurgent attacks on U.S. forces in Iraq, military officials and experts say. The move comes as al-Qaeda and other groups fighting in Iraq and elsewhere have expanded their activities on the Internet and increased the sophistication and volume of their videos and messages. Much of the material is designed to raise money and recruit fighters for Iraq. ‘You should not let them operate uncontested’ on the Internet and elsewhere in cyberspace, said Marine Brig. Gen. John Davis, who heads a military command located at the National Security Agency. The command was established to develop ways to attack computer networks. Davis and other officials declined to say whether the military has actually attacked any networks, which would require presidential authorization. The techniques are highly classified.”

Even though concerns about Big Brother arise anytime the government or military is mentioned in the same sentence as the Internet, the fact is that those charged with U.S. security understand that neither a real nor virtual “fortress America” is a possible or desirable strategy. Passive, robust defenses have never fully worked. The Great Wall of China, Hadrian’s Wall in Britain, and the Maginot Line, although great engineering achievements, never provided complete security. Real security — real resilience — requires a dynamic response capability and a proper combination of hardening and proactive measures. The balance between passive and active measures, according to Michaels, is not easy to achieve.

“The growth in offensive capabilities signals a shift in military thinking from just monitoring terrorist websites for intelligence to attacking those sites. ‘The offensive is increasingly on leaders’ minds,’ said John Arquilla, a professor at the Naval Postgraduate School who also works for the Defense Department on cyberwar issues. Some officials say cyberattacks can result in losing critical intelligence. ‘You always have the built-in tension between the operator who wants to destroy the target and the intelligence officer who wants to use the target to gain more information,’ said Lani Kass, director of the Air Force’s cyberspace task force. ‘Our opponents do a heck of a lot more than just watch us in cyberspace,’ Davis said. ‘They are acting in cyberspace. We need to develop options so that we can … dominate cyberspace.’ Cyberattacks can take different forms, including eliminating terrorist websites and creating doubts among insurgents about their networks’ security, said Arquilla, who favors an offensive approach he calls a ‘virtual scorched-earth policy.’”

I’m not sure what a “virtual scorched-earth policy” entails, but this “Sherman’s march-to-the-sea” approach is not what I have in mind when I talk about dynamic response. Offensive capabilities are obviously required and U.S. taxpayers expect their security forces to protect all the commons (air, sea, space, and cyber). A dynamic response approach enhances defensive posture by constantly monitoring complex events and automatically triggering contingency plans when adverse events are detected. Michaels limits his discussion to countering Web sites that spew propaganda or recruit followers to terrorist groups, but that activity is obviously only a tiny part of a much bigger and more complicated picture.

“Armed groups in Iraq videotape nearly all of their attacks on U.S. forces to help magnify their impact. ‘Everything they do in Iraq and Afghanistan is geared toward propaganda,’ said Rep. Jim Saxton, R-N.J., who’s on the House Armed Services Committee. The videos and messages are ‘getting more and more professional,’ said Andretta Summerville of iDefense, a private contractor that monitors terrorist activity on the Internet. Some sites find recruits and push ‘them toward a pipeline that ends in suicide attacks,’ said Lt. Col. Matthew McLaughlin, a spokesman for Central Command, which runs the wars in Iraq and Afghanistan. Attacking websites may have limited value, said Ben Venzke of IntelCenter, a contractor that monitors terrorist websites and Internet forums. ‘The problem is the nature of the Internet itself,’ he said. ‘It can always come back up in 10 seconds.’”

A dynamic response approach doesn’t attempt the impossible (bringing down the Internet — which is a dumb idea anyway), but is more surgical and is as persistent as those who try to attack the U.S. in cyberspace. A dynamic response approach includes information assurance so that when classified data is sent or received it is shared only with appropriate personnel. In other words, a dynamic response approach is the ideal blending of offensive and defensive capabilities.