Gaining the Upper Hand in Cyberwarfare
Cyberwarfare and cybersecurity are hitting the campaign trail as both U.S. presidential candidates discuss their national security positions. We’re witnessing verbal attacks between Hillary Clinton and Donald Trump on the topic, and even their vice presidential candidates are throwing out barbs as seen in the recent debates.
Unfortunately, while the rhetoric seems to loom aplenty, the topic of cyberwarfare is very serious and complex. Even the notion of who is a good actor or bad actor is one that is becoming highly subjective with obfuscation, misdirection and stealth — which is becoming the norm.
There are two key points that were relevant in the recent debates around cybersecurity. The first focused on “asymmetric enemies” and the second centered around information sharing and building alliances. Both of these topics are important to delve further.
Many nation-states with limited warfare capabilities have invested in cyberwarfare as a means to gain strategic military and political advantages. Investing in cyberwarfare can level the playing field or even gain them a geopolitical edge. The reason is cyberwarfare by its very nature is highly asymmetric. The victim or targeted group needs to defend against all forms of an attack, while the threat actors only need to find just one weakness to break through.
This inherent asymmetry between the attacker and defender is one that highly favors the attacker and tilts the scales in their favor, particularly in cyberwarfare where backdoors, bugs and vulnerabilities abound. Consequently, we are seeing increased investments by nation-states.
The inherent asymmetry between the attacker and defender follows the key notion that organizations cannot keep the attackers out. They are already in your networks. Security organizations must implement advanced threat-defense strategies based on rapid detection, remediation and containment from within.
Once the attacker infiltrates, the asymmetry reverses. The attacker has to evade all forms of detection while security ops hunt to find one footprint that can lead to the attacker. This is an important mindset shift as it pertains to cyber strategy.
Clearly we won’t hear the presidential candidates talk about this, since admitting that someone can break through our defenses is alarming. But it is already happening and it is important to acknowledge.
So, what can organizations do? Information sharing and building alliances came up during the vice presidential debates. This is important. In fact, critically important. The reason is that both the attacker and defender are constantly in a feedback loop.
Military face-offs follow in a similar suit. Col. John Boyd, a U.S. Air Force pilot, developed the OODA loop concept explaining how Air Force pilots who face each other are in a constant feedback loop. OODA, which stands for observe, orient, decide, act, demonstrates how battling pilots are continuously observing, orienting themselves and building situational awareness. Using this awareness, they could quickly adjust and decide on a course of action, execute and then re-observe to assess a new situational awareness, and so on. The pilot who could close his loop faster was able to get inside and disrupt the loop of the other pilot, thereby gaining the upper hand.
This approach can be applied to cyberwarfare strategy. Once we realize the attacker has breached our defenses, detecting their activities and containing them is very much a game of shortening our own OODA loop. The same approach applies; how quickly can organizations reach situational awareness, the observe and orient phases, and take immediate action?
Points made in the vice presidential debate advocated information sharing through strong alliances. It is a critical piece in the observe and orient phases. If we can build strong alliances among our security community to share threat data and intelligence via a common platform, we have the ability to shorten the observe and orient phases of the cycle. We can quickly make decisions, take action and re-vector faster than the attacker. In doing so, we disrupt the lateral movement of the attacker and increase our abilities to detect footprints and trace behaviors and activities that lead to containment.
With the presidential elections quickly approaching, the candidates continue their cybersecurity and cyberwarfare debate. More to come as we cover developments as it relates to our industry.
Originally published in FederalTimes