Cybersecurity policy – Cyber war by well-funded military groups
19 June, 2021, 5:05 pm
The primary difficulty of cybersecurity isn’t technology—it’s policy.
At the extreme end there’s cyber war: destructive actions by governments during a war.
Cyber war is conducted by capable and well-funded groups and involves military operations against both military and civilian targets.
Along much the same lines are non-nation state actors who conduct terrorist operations.
Although less capable and well-funded, they are often talked about in the same breath as true cyber war.
Much more common are the domestic and international criminals who run the gamut from lone individuals to organised crime.
They can be very capable and well-funded and will continue to inflict significant economic damage.
Threats from peacetime governments have been seen increasingly in the news.
The US worries about Chinese espionage against Western targets, and we’re also seeing US surveillance of pretty much everyone in the world, including Americans inside the US.
The National Security Agency (NSA) is probably the most capable and well-funded espionage organisation in the world, and we’re still learning about the full extent of its sometimes illegal operations.
Hacktivists are a different threat.
Their actions range from internet-age acts of civil disobedience to the inflicting of actual damage.
This is hard to generalise about because the individuals and groups in this category vary so much in skill, funding and motivation.
Hackers falling under the ‘anonymous’ aegis—it really isn’t correct to call them a group—come under this category, as does Wikileaks.
Most of these attackers are outside the organisation, although whistleblowing—the civil disobedience of the information age—generally involves insiders like Edward Snowden.
This list of potential network attackers isn’t exhaustive.
Depending on who you are and what your organisation does, you might also be concerned with espionage cyber attacks by the media, rival corporations or even the corporations we entrust with our data.
The issue here, and why it affects policy, is that protecting against these various threats can lead to contradictory requirements.
In the US, the NSA’s post-9/11 mission to protect the country from terrorists has transformed it into a domestic surveillance organisation.
The NSA’s need to protect its own information systems from outside attack opened it up to attacks from within.
Do the corporate security products we buy to protect ourselves against cybercrime contain backdoors that allow for government spying?
European countries may condemn the US for spying on its own citizens, but do they do the same thing?
All these questions are especially difficult because military and security organisations along with corporations tend to hype particular threats.
For example, cyber war and cyberterrorism are greatly overblown as threats—because they result in massive government programmes with huge budgets and power—while cybercrime is largely downplayed.
We need greater transparency, oversight and accountability on both the government and corporate sides before we can move forward.
With the secrecy that surrounds cyber-attack and cyberdefence it’s hard to be optimistic.
Cybersecurity is a tradeoff, a balancing act between attacker and defender.
Unfortunately, that balance is never static.
Changes in technology affect both sides.
Society uses new technologies to decrease what I call the scope of defection — what attackers can get away with — and attackers use new technologies to increase it.
What’s interesting is the difference between how the two groups incorporate new technologies.
Changes in cybersecurity systems can be slow.
Society has to implement any new security technology as a group, which implies agreement and coordination and — in some instances — a lengthy bureaucratic procurement process.
Meanwhile, an attacker can just use the new technology.
For example, at the end of the horse-and-buggy era, it was easier for a bank robber to use his new motorcar as a getaway vehicle than it was for a town’s police department to decide it needed a police car, get the budget to buy one, choose which one to buy, buy it, and then develop training and policies for it.
And if only one police department did this, the bank robber could just move to another town.
Defectors are more agile and adaptable, making them much better at being early adopters of new technology.
There’s one more problem: defenders are in what military strategist Carl von Clausewitz calls ‘the position of the interior’.
They have to defend against every possible attack, while the defector only has to find one flaw that allows one way through the defences.
As systems get more complicated due to technology, more attacks become possible.
This means defectors have a first-mover advantage; they get to try the new attack first.
Consequently, society is constantly responding: shoe scanners in response to the shoe bomber, harder-to-counterfeit money in response to better counterfeiting technologies, better antivirus software to combat new computer viruses, and so on.
The attacker’s clear advantage increases the scope of defection even further.
Of course, there are exceptions.
There are technologies that immediately benefit the defender and are of no use at all to the attacker — for example, fingerprint technology allowed police to identify suspects after they left the crime scene and didn’t provide any corresponding benefit to criminals.
Still, we tend to be reactive in security, and only implement new measures in response to an increased scope of defection.
We’re slow about doing it and even slower about getting it right.
Be blessed this weekend and hopefully you’ve been jabbed (or not).
- ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on email@example.com