Excerpt from Joe’s original blog post – “Hunting the Chimera”
The term “cyber” is now commonly listed alongside land, sea, air, and space as a domain of warfare, though the nature of the threats remains debated. The Department of Homeland Security monitors and controls a collection of cyber assets – the ‘critical infrastructure’ – through various cyber controls and systems. According to the Department of Homeland Security, “our society depends upon such ‘infrastructure’ that if it were damaged or destroyed, it would have a significant impact on our ability to function. Think of the nation’s power grid or banking system. The Internet. Water treatment facilities. Nuclear power plants. Transportation. Our food supply chain and agriculture.” However you assess the realities of cyberwar, we must weigh the costs—economic, political, and not least of all, social—of abstaining from or engaging in it.
Some argue that though cyber crime is rampant, it doesn’t qualify as warfare. Many claim that talk of cyberwar is merely scaremongering so industry can reap financial benefits and government can increase its power. While individual Internet freedoms are denied, the public is coerced into trading civil liberties and online privacy for the promise of increased security. Substantiating these warnings are programs such as NSA’s recently announced “Perfect Citizen”, a surveillance program intended to protect primarily privately owned critical infrastructure systems.
In contrast, others warn that the public is ignorant of ongoing attacks and underestimates consequences that amount to a looming “electronic Pearl Harbor.” Vivid, traumatizing scenarios are presented, such as this one from Mike McConnell, former Director of National Intelligence and former director of the NSA, in an Intelligence Squared cyberwar debate on June 8, 2010:
“Let me give you just a way to think about it. The United States economy is $14 trillion a year. Two banks in New York City move $7 trillion a day. On a good day, they do eight trillion. Now think about that. Our economy is $14 trillion. Two banks are moving $7 trillion to $8 trillion a day. There is no gold; they’re not even printed dollar bills. All of those transactions, all those transactions are massive reconciliation and accounting. If those who wish us ill, if someone with a different world view was successful in attacking that information and destroying the data, it could have a devastating impact, not only on the nation, but the globe. And that’s the issue that we’re really debating.”
However you view cyberwar, everyone generally acknowledges that if real war were to erupt, cyber would be a theater, and we are currently not prepared for engagement, either defensively or offensively. In the face of colossal levels of cyber threats and cyber crime, what is appropriate mitigation? Herein is the crux of the debate: could any amount of government surveillance or militarization of the Internet prevent cyberwar or manage a full attack? Fundamentally, it’s about openness, transparency, anonymity, and privacy; and it’s a question of trust.
Why does the government propose controversial technologies such as identity systems, data collection, and DPI (deep packet inspection)? To spy on their citizens? To stir public discontent? To squander taxpayer dollars?
Technology arms the hunt for two elusive targets in the cyber domain – “Attribution” and “Situational Awareness” (SA).
Attribution, the accurate identification of an actor or agent, is an elusive beast in cyberspace. In the real world, actions can generally be traced to their sources. The Internet, however, provides the perfect environment for virtualization, abstraction, and indirection. IP addresses aren’t trustworthy, as traffic can be tunneled through proxy servers and onion routers, either to conceal identity and location or to maliciously implicate other parties. Even if hosts are identified, the connection between actor and host isn’t certain, because attackers can use botnets, or simply because we cannot know for certain who was at the keyboard.
Simply put, Situational Awareness (SA) is gaining omniscience of a situation—what’s happening and what’s about to happen. Less evasive than attribution, SA is nonetheless the more formidable quarry. We pursue it through combinations of DPI and log, netflow, and statistical analysis, identifying events of interest with finite automata, heuristics, and algorithms, but these all rely on signatures, rules, pre-classification, and prediction. So long as we can describe an event, we can detect and prevent it, but the moment events escape the realm of the predictable (as the more highly evolved adversarial attacks do) they become invisible.
Since we cannot predict everything, SA must pursue retrospection. Conceding our inability to predict the future, we look to the past and contrast it to the present to gain a more reliable view of the future. Data collection and the persistence of surveillance information are critical to any serious security program, because of the retrospection component.
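The two preceding paragraphs describe the two halves of SA: rule-based detection, which catches only what someone has already described, and retrospection, which compares retained history against the present to surface what no rule anticipated. The following Python script is an added illustration, not code from the original post. It runs two thresholded signatures over a handful of constructed syslog lines and then applies two retrospective checks to constructed per-host flow records (daily bytes-out compared with the host's historical median, and destinations never seen in the retained history). The host names, IP addresses, log lines, rule names and the 5x threshold are all made up for the example; in the sample data the brute-force and sudo failures fire the signatures, while the large transfer from ws-01 matches no rule and is visible only because seven days of history were kept.

```python
import re
import statistics
from collections import defaultdict

# --- Constructed sample inputs (invented for this example, not from the post) ---
LOG_LINES = [
    "Jun 08 10:01:02 ws-02 sshd[4412]: Failed password for root from 198.51.100.7 port 52210 ssh2",
    "Jun 08 10:01:04 ws-02 sshd[4412]: Failed password for root from 198.51.100.7 port 52211 ssh2",
    "Jun 08 10:01:06 ws-02 sshd[4412]: Failed password for admin from 198.51.100.7 port 52212 ssh2",
    "Jun 08 10:01:09 ws-02 sshd[4418]: Accepted password for alice from 192.0.2.14 port 40112 ssh2",
    "Jun 08 10:02:30 ws-01 CRON[9001]: (alice) CMD (/usr/local/bin/backup.sh)",
    "Jun 08 10:03:00 ws-02 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob",
    "Jun 08 10:03:05 ws-02 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob",
]

# Simplified flow records: (day, src_host, dst_ip, bytes_out).
# Days 1-7 are the retained history; day 8 is "now". The day-8 transfer
# from ws-01 to 198.51.100.99 is the event no signature describes.
FLOWS = (
    [(d, "ws-01", "203.0.113.10", b)
     for d, b in enumerate([1200, 1400, 1100, 1300, 1250, 1500, 1150], start=1)]
    + [(d, "ws-02", "203.0.113.10", b)
       for d, b in enumerate([2000, 2100, 1900, 2200, 2050, 2000, 2150], start=1)]
    + [(8, "ws-01", "203.0.113.10", 1300),
       (8, "ws-01", "198.51.100.99", 950_000),
       (8, "ws-02", "203.0.113.10", 2100)]
)

# --- 1. Signature / rule-based detection ---------------------------------
# Each rule pairs a regex with a named "actor" group and the number of
# matches per actor needed before the rule fires. Only events someone has
# already described in a rule can ever be reported here.
RULES = {
    "ssh-auth-failures": (
        re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<actor>\d+\.\d+\.\d+\.\d+)"), 3),
    "sudo-auth-failures": (
        re.compile(r"sudo: .*authentication failure.*ruser=(?P<actor>\S+)"), 2),
}


def signature_hits(lines):
    """Return {rule_name: {actor: count}} for every actor at or over its rule's threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for name, (pattern, _threshold) in RULES.items():
            m = pattern.search(line)
            if m:
                counts[name][m.group("actor")] += 1
    hits = {}
    for name, (_pattern, threshold) in RULES.items():
        firing = {actor: n for actor, n in counts[name].items() if n >= threshold}
        if firing:
            hits[name] = firing
    return hits


# --- 2. Retrospection: contrast retained history with the present --------
def daily_bytes(flows):
    """Sum bytes_out per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def retrospective_anomalies(flows, today, factor=5.0):
    """Flag hosts whose bytes_out today exceed factor * the median of their history.

    Returns {host: (today_bytes, median_history)}. Hosts with no retained
    history are skipped: without a past there is nothing to contrast.
    """
    totals = daily_bytes(flows)
    flagged = {}
    for host in sorted({h for h, _ in totals}):
        history = [b for (h, d), b in totals.items() if h == host and d < today]
        if not history:
            continue
        med = statistics.median(history)
        now = totals.get((host, today), 0)
        if med > 0 and now > factor * med:
            flagged[host] = (now, med)
    return flagged


def first_seen_destinations(flows, today):
    """Return {host: {dst, ...}} for destinations a host contacted today but never before."""
    past = defaultdict(set)
    present = defaultdict(set)
    for day, host, dst, _nbytes in flows:
        (present if day == today else past)[host].add(dst)
    return {h: present[h] - past[h] for h in present if present[h] - past[h]}


if __name__ == "__main__":
    print("signature hits:", signature_hits(LOG_LINES))
    print("volume anomalies:", retrospective_anomalies(FLOWS, today=8))
    print("new destinations:", first_seen_destinations(FLOWS, today=8))
```

The point the script makes concrete is the dependency the paragraph states: the retrospective functions return nothing useful when called on day-8 records alone, because the comparison needs the persisted history, whereas the signature engine works on a single day but is blind to the one event in the data that was not pre-described.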
Though perfect attribution and situational awareness remain lofty goals, we can benefit from the pursuit. The perfect cannot be the enemy of the good, nor should an irrational fear of government deny us improved defenses. We must continue the hunt for these targets. Privacy advocates and those who use the slippery-slope argument about the perils of ceding rights to the government are advised to seriously consider the part in the Constitution’s preamble, “provide for the common defense,” and apply it to the 21st century. We must accept that in our virtualized, interconnected, malware infested cyber-dependent world, the enemy is among us, and it is government’s charter to defend us.