Editor’s Note: In a speech to the Cyber, Space and Intelligence Association, Ralph Langner observes that the United States has utilized the last decade to identify cyberspace as a domain for military operations and become the unchallenged leader of cyber offense. With militaries around the world now building their own offensive capabilities, however, cyber power is much more complicated.
Understood by few, the U.S. has utilized the last decade not only to identify cyberspace as a domain for military operations, but also to occupy the position as the unchallenged leader in this domain. This was largely achieved by visionaries like Gen. Michael Hayden, and certainly also by investing in the development of offensive cyber capability. According to Peter Singer from the Brookings Institution, the U.S. military spends roughly three to four times more on cyber offense than on cyber defense. For military decision makers, the business case must have been clear: Offensive capability directly translates to power, whereas the value of defensive capability can only be measured by more or less complex and fuzzy risk assessments. If the risk of getting cyber-attacked is perceived to be low, then the value of cyber countermeasures is also low.
But now that militaries around the globe are building up their cyber forces, sometimes along with the help of loosely organized patriotic hacker groups, cyber power based purely on offensive capabilities is being challenged. There are several reasons for this.
First, there is a limit to what cyber weapons can achieve. This is for the simple reason that for a cyber-physical attack, part of the weapon – the hardware – is actually owned by the victim, quite a difference from kinetic weapons. The potential effects of a cyber weapon are confined by the design and architecture of its very target, so that at some point in the development more budget can no longer buy more firepower. This puts a limitation to escalatory deterrence, potentially arriving at a threat equilibrium: In the future, adversaries will be able to cyber-strike the US as hard as they can be hit themselves, or even harder if we think about non-industrialized adversaries like North Korea.
Second, the U.S. is moving towards ever more complex and integrated cyber systems at gigabit speed, thereby creating new vulnerabilities just like feature sets. The bulk power system, as an example, will be much more vulnerable in five to ten years than it is today, because many of its critical components are in the process of being “upgraded” to digital technology. Along with this we see an understandable move towards standardized solutions rather than a diverse mix of architectures for the sake of lower maintenance cost. On top of the vulnerabilities that come with this upgrade we place new layers of complexity, also known as the smart grid. The implied vision is systems that are much more flexible and economical than today’s installations – but at the same time also much more vulnerable, with more entry points of attack, and, because of their increasingly tightly coupled integration, much higher cost of consequence. Those systems of tomorrow will make our present risks from cyber insecurity of critical infrastructure look small – they are harbingers of a more dangerous time to come.
Third, the capabilities required to launch sophisticated cyber attacks are often overestimated. To many, a cyber-physical attack as we have seen it in Stuxnet appears as a miracle, requiring black magic that only the world’s best hackers are capable of. It is high time to de-mystify these capabilities. Cyber-physical attacks do not require black magic or extreme resources (like stealth technology, ICBMs, or nuclear submarines). They basically rely on an engineering discipline that combines IT and factory automation. The resources required are more analogous to those for IEDs than for advanced kinetic weapons. And as it appears, our adversaries will have much less reservations about using cyber for pure destructive purposes, as evidenced by the attack against Saudi Aramco that left 30,000 computers unusable. Quite similar to kinetic force, the more brutal attacks are easier to implement than the subtle and stealthy ones, and thus will most likely be favored by adversaries that are not as much scrupulous about ethical and legal concerns.
The rules of this cyber arms race thus include a speed limit, preventing the front-runner from keeping his distance to the runners-up forever. Other strategies need to be identified soon. The potentially most powerful game changer in this environment would be substantial advances in cyber defense. A position where the US would not only be superior in offense, but pretty much invulnerable at the same time, may sound too good to be realistic. Yet the point can be made that at least for the most critical cyber systems both in military and civilian infrastructure environments, it is achievable, especially when aiming at reasonable goals. Such goals should include making significant cyber attacks by non-state actors virtually impossible, and to deny attack reliability and scalability for nation states.
Before getting to work, we should honestly acknowledge two things.
First, we need to acknowledge that cyber-secure designs, architectures, and systems are inherently more expensive, less convenient and less flexible than insecure ones. A policy that by default favors low cost and convenience will lead to less secure installations.
Second, we should acknowledge failure, and the need to think out of the box. It is quite obvious that the prevailing wisdom about how to secure cyber systems didn’t really work so well over the last decade, evidenced by the fact that even the best secured systems both in the private sector and in the military have successfully been compromised. Yet major market and policy forces still argue to expand existing strategies by doing more of the same, more often, and quicker. Understandably, the security industry has many reasons to argue this way in their best interest.
What we should encourage is transformation and paradigm shift. New, promising ideas that can make a difference will most likely not come from consensus-based standard bodies, regulatory authorities, or national institutes that compile best practices, but most likely from innovators that may object to conventional wisdom. Here are examples of some ideas and concepts that hold the promise to change the game significantly for our most critical cyber-physical systems.
First: High-fidelity modeling. A basic truth is largely unknown to most business and political decision makers: for the majority of digital control, protection and safety systems, communication pathways, digital interfaces and dependencies are poorly understood — and when they are sometimes understood they are rarely properly documented. That is one reason why we try to kill malware by blindly throwing all kinds of “security controls” at it without being able to demonstrate how these controls would actually be effective. It is puzzling to see that a society which manages to build software products that model everything from battlefields to complete cities in real-time failed to put this technology to good use in order to model (and thereby fully understand) their most critical cyber systems.
Second: Hybrid control and protection. For programmable digital systems, we can only try to reduce vulnerabilities, but we can never really eliminate the risk of a successful cyber attack. While most have already accepted this as fate and “accept the risk” with a shrug of their shoulders, alternatives are available. One solution is to go “back to the future” and implement the control and protection of most critical systems with analog circuits. Today this can be done cost-efficiently by leveraging technological breakthroughs. Such analog controllers can be interfaced with digital technology that provides all the complex computations and human interfaces. However, it will create a solid last line of cyber defense.
Third: Lean and locked-up system components, designed to be not more complex and flexible than required for the mission. It is well understood in IT security that complex systems with many communication interfaces are virtually impossible to secure. The remedy here is obvious. As it appears, so far it hasn’t been accepted well by the market because it requires full system understanding to segment and segregate system functions that presently are spread throughout loosely-planned networks, implemented in spaghetti code. It also provides a challenge for business decision makers to understand and accept that a system that does less will actually cost more.
These are only a few examples of some promising concepts that hold a high potential of making a difference in defending our most critical systems. The most important message is: Passive cyber defense is achievable to a high degree. We can actually do this. As it is often the case, the bigger challenge will be to stimulate acceptance of the need, recognition of the paths to improvement, and acceptance of the required costs in organizational priorities and dollar expenditures to move us to a more secure position.