Michael Hayes CTO of B-4-U Inc.: Blackhat 2010 – Cyber War … are we at war now?
July 2010 by Marc Jacob
The second keynote address was given by General (Ret.) Michael Hayden with a very interesting perspective on how he thinks the DOD is approaching Cyber Warfare today.
The first challenge, of course, is definition: what is Cyber Warfare, and how does the newly stood-up Cyber Command view it? Cyber Command and many of the proponents in this space in the Federal Government are thinking about this a lot, but “Not very clearly”. Part of the problem is that Cyber Space is a domain not unlike any of the other traditional domains (Land, Sea, Air or Space). In fact, as Cyber Command’s knowledge of the realities of this space expands, it is altering its basic precepts around the definition of Cyber Warfare.
Cyber Command, Military Doctrine and the American Armed Forces think about Cyber Warfare. To determine what this space is, they need to know the space or domain. In many cases it was all about history, the law or the geography. In the context of Cyber Space this is all new thinking: the law of the sea is hundreds of years old, while the concept of Cyber Space is tens of years old.
Cyber Space is characterized in terms of great speed, maneuverability, virtualization and anonymity: a non-real space that is anchored by physical connections to other parts of the geographic world. “What is a simple distinction, God made the first four domains, and you technologists with ARPA made and evolved the 5th”. Another great characteristic is that this space is an extensive collection of connected nodes. “As an analogy to the physical world it looks like the North German plain, flat with little interrupting terrain, then of course we bitch and moan that we get invaded from all directions”. Geography is everything in the other four domains, but the internet is as flat as it can get: it is a great place to play offense and has no geography to play defense. Rivers, hills, mountains and canyons in the real world are an officer’s friend; with no defensible terrain, security is tough. Technical people create the geography that helps the defense, but it is still a plain and a pain.
Cyber Space is the Fifth domain; for the first four we can look to history for precedents on how to fight a war and how to fight crime. “Cyber Space is a learned space but you can never do anything in the Fifth domain, without impacting something in the other 4”.
So in the end, Cyber War is still not understood at the policy level or in the law (commercial, criminal or international), in the U.S. or in most countries in the world. A clear definition has still not been articulated; having said that, there are some precepts that are understood.
A triangle of key military tenets follows: “Cyber Command identifies Computer Network Operations (CNO) around:
CNO - Offense – Attack,
CNO - Defense and
CNO - Exploitation - Espionage”
CNO – Attack is the responsibility of the Armed Forces, CNO – Defense is the responsibility of Homeland Security, and CNO – Exploitation is the responsibility of the Security Agencies within Homeland Security and the Armed Forces. With these tenets outlined, a first level of responsibility can be defined. Cyber Warfare can be anchored at one point with CNO – Offense, giving a clear military set of parameters that can be defined by Delay, Deny, Disrupt, Destroy and Degrade. CNO – Defense is clearly a civilian responsibility, and CNO – Exploitation works within the framework of traditional espionage operations, like remaining on an adversary’s network for an extended time period, extracting information on an adversary’s capabilities of CNO to Attack, Defend and to Spy, eventually to Defend, Delay, Deny, Disrupt, Destroy and Degrade in the event of a real war.
Wait, there is still a problem: the technologies and methods used by the three tenets and their associated functions are the same, and each of the organizations has to perform the same functions to be effective, so the definition of Cyber Warfare is still more complex.
There is also another problem, “the ambiguities of Cyber War, compared to a Nuclear War or other war in the real world: no third parties or private firms are expected to defend themselves in a Nuclear War; that is the role of the armed forces. In Cyber Warfare, to survive, a country’s private firms and 3rd parties will have to defend themselves. Additionally, if we impact or attack an agency in another country, there is no telling that this was a Cyber Warfare attack from that country, and will not impact parties in other countries or even in the United States given the inter-connection of the internet”. Collateral damage is very unpredictable in Cyber Warfare.
So another way to approach this is: what constitutes a Cyber Attack? In the American military mind and military law, it is when one of the D things is perpetrated against the U.S. or its interests. In traditional physical terms, Exploitation or Espionage is not an attack; espionage by states is done all the time. Yet a Denial of Service attack against a country’s financial or electrical grid via the Internet is clearly an attack even if it is not state sponsored, but by whom?
“We have a good body of thought on defense, a good idea on what to do on Exploitation. The Attack thing is a big one; we don’t have an idea. About 90% of their thinking in Cyber Command is about attack, but 90% of the work is around defense”.
Policy decisions are clearly behind technology, and setting precedents without understanding policy is tough: how do you explain the issue of a computer technology attack? Take Jihadist web sites: we all hate them and we can agree they are offensive, but think of the policy debate. We ought to take them down, but how many are out there? How fast can they come back? What if the site is hosted in the U.S. and is protected by our Constitution? Bringing the site down results in something happening behind the screen; this could be in Houston, protected by the 4th Amendment. It is much more complicated than it seems.
OK, let’s get down to brass tacks: what is the game-changing issue that would help us fundamentally deal with these ambiguities? Well, we need to fundamentally re-architect the internet to add terrain and choke points, and basically build some boundaries. Of course, our own Secretary of State, Hillary Clinton, wants open borders, a free internet, and unencumbered information and commerce flowing freely on the net. Hmmmmm.
Of course, no other nation wants to add these encumbrances; take for example the Great Firewall of China, Iran’s choking and blocking of the Net, Pakistan blocking access to services on the web, and maybe even Australia, with its own Great Wall of Australia taking shape. These countries, to name a few, are adding blocking terrain to the network. Once boundaries are established and once anonymity is reduced, the internet becomes a more definable space. Just a side note: most companies have added a bit of terrain to the landscape, with access controlled by firewalls, IPS and other security features. SOX 404, privacy legislation, security standards and compliance are adding bumps in the landscape.