Everybody who has studied cyber warfare has heard the theory that offense would have an advantage over defense. While this is often used in a technical/tactical sense and can be debated (as I will show later), it certainly is true in politics. While cyber offense is sexy and has easy access to juicy budgets, cyber defense is boring, advocated by few, and has to get along on sparse resources. Such disproportion became clear yet another time last week in a speech by US secretary of defense Leon Panetta.
Offense: 3 billion, defense: 10 million. Offense wins.
As Panetta revealed, the Pentagon’s budget for cyber activities is over $3 billion annually, mostly invested in manpower:
Our most important investment is in the skilled cyber warriors needed to conduct operations in cyberspace. Just as DoD developed the world’s finest counterterrorism force over the past decade, we need to build and maintain the finest cyber operators.
To put things into perspective, ICS-CERT, the Department of Homeland Security’s branch for protecting critical infrastructure against cyber attack, has to get along with a meager $10 million per year. In other words, the US government is dedicating 300 times higher “priority” to offensive cyber capability than to the protection of critical infrastructure, as “priority” is simply another word for budget distribution. There would be little reason to complain about such implicitly expressed political will if it wouldn’t conflict with the explicitly expressed political will by the same government, expressed for example in president Obama’s recent opinion piece in the Wall Street Journal.
However, the argument goes far beyond cheap criticism of political rethorics. It can be argued that a more balanced allocation of budget, such as an even split between offense and passive defense, would actually make the US, or any other country, more cyber-secure, and even stronger in military categories. Here’s why.
Minimizing the threat vs. responding to it
In many military elaborations on cyber, the threat as taken as given, so the course of action is to respond to it – not very surprising in the context of conventional military wisdom. In cyber, however, things are different. In cyber, a threat can become credible only where there is a vulnerability that can be exploited. In traditional military domains, threats can originate anywhere where large firepower is present, because large firepower can destroy almost anything on land, in air and space, or at sea. Not so in cyber. Even the largest cyber firepower on earth can only attack vulnerable cyber systems. For example, countries like Afghanistan are pretty immune against cyber attacks because there simply isn’t much to attack by cyber in a country where mules are a predominant way of transportation, leaving the plagued country with one problem less to worry about. But I’m not advocating going back to analog and pre-electricity. As a high-tech example, a company like Amazon doesn’t need to worry much about DDoS attacks as their computing power and bandwith is so large that they hardly even recognize one when it happens. As for more sophisticated attack vectors it can be shown that for most critical systems, a.k.a. digital control and safety systems, fixing vulnerabilities is technically possible at least to the extent that reliable exploitation even by nation-state adversaries is no longer realistic.
Different from any other military domain, the cyber battlespace is man-made. It is basically created by the presence of vulnerable systems; systems which, in critical infrastructure, haven’t been designed with cyber security in mind, and are continued to be designed and commissioned that way till today – every day. Again, this is not by nature but by human decision making. If cyber systems are vulnerable and subject to threats, the root cause for this is not the presence of an adversary (there will always be adversaries) but the fact that those systems are way too vulnerable for the importance of the function they are performing. The argument can even be stretched to the point that if a country will be experiencing a cyber attack against its critical infrastructure, this is as much the responsibility of the people who chose to keep the critical digital systems insecure as the responsibility of the attackers. Unfortunately, the general public and most decision makers still have no idea about how insanely vulnerable most of these systems are, and that more often than not, vulnerabilities are introduced by purpose simply for convenience of operation and maintenance.
Information sharing – what for?
A reactive mindset of the military can be seen even deeply in the details. For example, the defense secretary also elaborated on information sharing in his speech, being quite explicit about the information content that needs to be shared:
To defend those (critical civilian) networks more effectively, we must share information between the government and the private sector about threats in cyberspace.
In general, the emphasis on information sharing ranges among the more bizarre misconceptions in the cyber security debate. The basic idea is that fellow asset owners in the same vertical might use threat intelligence from peers to prepare against identical or similar threats, hopefully with some help by the government. Unfortunately, a hardcore cyber attack against critical infrastructure needs only hours to unfold. Therefore, there will likely not be enough time left for any preventive action. The truth is that thousands of US critical infrastructure owners don’t have a clue of what to do if knowing that a large-scale cyber attack was imminent, and some within DHS seem to believe that they will be able to figure out on the fly. Given the fact that the implementation of sound protective countermeasures will easily take a year or longer in most industries, the idea that an unfolding attack can be successfully countered after a credible threat has been identified seems quite a stretch. Protection is possible, but only if it is started long before a credible threat becomes visible. It can be done by fixing the vulnerabilities which is, regrettably, hindered by the prevailing policy for information sharing.
Information sharing could actually be valuable if it was about vulnerabilities rather than about threats. However, more than one critical vulnerability has not been “shared” by DHS because offensive forces in the same government wanted to be able to take advantage of it. A prominent semi-public case in point is the Aurora vulnerability on how to destroy electrical generators by a cyber attack. Things inside the private sector aren’t much different as powerful vendors have often used their resources for a little blackmail against speakers who might talk about design vulnerabilities at security conferences, to make sure that such vulnerabilities are kept under the carpet.
The public-private partnership
To the defense secretary’s credit it has to be mentioned that he does briefly focus on proactive measures in critical infrastructure:
We’ve got to work with the business community to develop baseline standards for our most critical private-sector infrastructure, our power plants, our water treatment facilities, our gas pipelines. This would help ensure that companies take proactive measures to secure themselves against sophisticated threats, but also take common sense steps against basic threats.
While there is no disagreement about that, anyone familiar with the critical infrastructure protection debate has heard that same message countless times during the last decade. So far, it never translated into action. At the same time the Pentagon is accelerating a cyber arms race with very little political discussion on the specifics of its strategy, if there is one. No one identified that gap better than David Sanger in chapter 10 of Confront and Conceal, titled “The dark side of the light footprint”. Over at the light sight of the force, critical infrastructure protection is debated to death and still without “priority” in terms of budget. But as everybody knows from the Star Wars movie, the dark side of the force, while not more powerful, is quicker and easier to obtain. You know how that one ended.