Cyberdeterrence and Cyberwar

By Martin C. Libicki

List Price: $33.00

Product Description

Cyberspace, where information--and hence serious value--is stored and manipulated, is a tempting target. An attacker could be a person, group, or state and may disrupt or corrupt the systems from which cyberspace is built. When states are involved, it is tempting to compare fights to warfare, but there are important differences. The author addresses these differences and ways the United States can protect itself in the face of attack.


Product Details

  • Amazon Sales Rank: #130167 in Books
  • Published on: 2009-11-25
  • Original language: English
  • Number of items: 1
  • Binding: Paperback
  • 244 pages

Features

  • ISBN13: 9780833047342

Editorial Reviews

About the Author
Martin C. Libicki is a senior management scientist at the RAND Corporation whose research and analysis focuses on the relationship of information technology to national and domestic security. Selected publications include How Terrorist Groups End: Lessons for Countering al Qa'ida and Conquest in Cyberspace: National Security and Information Warfare. He previously taught at the National Defense University and received his Ph.D. from the University of California at Berkeley in 1978.


Customer Reviews

Lack of operational security experience undermines argument (rating: 3)
As background, I am a former Air Force captain who led the intrusion detection operation in the AFCERT before applying those same skills to private industry, the government, and other sectors. I am currently responsible for detection and response at a Fortune 5 company and I train others with hands-on labs as a Black Hat instructor. I also earned a master's degree in public policy from Harvard after graduating from the Air Force Academy.

Martin Libicki's Cyberdeterrence and Cyberwar (CAC) is a weighty discussion of the policy considerations of digital defense and attack. He is clearly conversant in non-cyber national security history and policy, and that knowledge is likely to benefit readers unfamiliar with Cold War era concepts. Unfortunately, Libicki's lack of operational security experience undermines his argument and conclusions. The danger for Air Force leaders and those interested in policy is that they will not recognize that, in many cases, Libicki does not understand what he is discussing. I will apply lessons from direct experience with digital security to argue that Libicki's framing of the "cyberdeterrence" problem is misguided at best and dangerous at worst.

Libicki's argument suffers five key flaws. First, in the Summary Libicki states "cyberattacks are possible only because systems have flaws" (p xiii). He continues with "there is, in the end, no forced entry in cyberspace... It is only a modest exaggeration to say that organizations are vulnerable to cyberattack only to the extent they want to be. In no other domain of warfare can such a statement be made" (p. xiv). I suppose, then, that there is "no forced entry" when a soldier destroys a door with a rocket, because the owners of the building are vulnerable "to the extent they want to be"? Are aircraft carriers similarly vulnerable to hypersonic cruise missiles because "they want to be"? How about the human body vs bullets?

Second, Libicki's fatal understanding of digital vulnerability is compounded by his ignorance of the role of vendors and service providers in the security equation. Asset owners can do everything in their power to defend their resources, but if an application or implementation has a flaw it's likely only the vendor or service provider who can fix it. Libicki frequently refers to sys admins as if they have mystical powers to completely understand and protect their environments. In reality, sys admins are generally concerned about availability alone, since they are often outsourced to the lowest bidder and contract-focused, or understaffed to do anything more than keep the lights on.

Third, this "blame the victim" mentality is compounded by the completely misguided notions that defense is easy and recovery from intrusion is simple. On p 144 he says "much of what militaries can do to minimize damage from a cyberattack can be done in days or weeks and with few resources." On p 134 he says that, following cyberattack, "systems can be set straight painlessly." Libicki has clearly never worked in a security or IT shop at any level. He also doesn't appreciate how much the military relies on civilian infrastructure for everything from logistics to basic needs like electricity. For example, on p 160 he says "Militaries generally do not have customers; thus, their systems have little need to be connected to the public to accomplish core functions (even if external connections are important in ways not always appreciated)." That is plainly wrong when one realizes that "the public" includes contractors who design, build, and run key military capabilities.

Fourth, he makes a false distinction between "core" and "peripheral" systems, with the former controlled by users and the latter by sys admins. He says "it is hard to compromise the core in the same precise way twice, but the periphery is always at risk" (p 20). Libicki is apparently unaware that one core Internet resource, BGP, is basically at constant risk of complete disruption. Other core resources, DNS and SSL, have been incredibly abused during the last few years. All of these are known problems that are repeatedly exploited, despite knowledge of their weaknesses. Furthermore, Libicki doesn't realize that so-called critical systems are often more fragile than user systems. In the real world, critical systems often lack change management windows, or are heavily regulated, or are simply old and not well maintained. What's easier to reconfigure, patch, or replace, a "core" system that absolutely cannot be disrupted "for business needs," or a "peripheral" system that belongs to a desk worker?

Fifth, in addition to not understanding defense, Libicki doesn't understand offense. He has no idea how intruders think or the skills they bring to the arena. On pp 35-6 he says "If sufficient expenditures are made and pains are taken to secure critical networks (e.g., making it impossible to alter operating parameters of electric distribution networks from the outside), not even the most clever hacker could break into such a system. Such a development is not impossible." Yes, it is impossible. Thirty years of computer security history have shown it to be impossible. One reason why he doesn't understand intruders appears on p 47 where he says "private hackers are more likely to use techniques that have been circulating throughout the hacker community. While it is not impossible that they have managed to generate a novel exploit to take advantage of a hitherto unknown vulnerability, they are unlikely to have more than one." This baffling statement shows Libicki doesn't appreciate the skill set of the underground.

Libicki concludes on pp xiv and xix-xx "Operational cyberwar has an important niche role, but only that... The United States and, by extension, the U.S. Air Force, should not make strategic cyberwar a priority investment area... cyberdefense remains the Air Force's most important activity within cyberspace." He also claims it is not possible to "disarm" cyberwarriors, e.g., on p 119 "one objective that cyberwar cannot have is to disarm, much less destroy, the enemy. In the absence of physical combat, cyberwar cannot lead to the occupation of territory." This focus on defense and avoiding offense is dangerous. It may not be possible to disable a country's potential for cyberwar, but an adversary can certainly target, disrupt, and even destroy cyberwarriors. Elite cyberwarriors could be likened to nuclear scientists in this respect; take out the scientists and the whole program suffers.

Furthermore, by avoiding offense, Libicki makes a critical mistake: if cyberwar has only a "niche role," how is a state supposed to protect itself from cyberwar? In Libicki's world, defense is cheap and easy. In the real world, the best defense is 1) informed by offense, and 2) coordinated with offensive actions to target and disrupt adversary offensive activity. Libicki also focuses far too much on cyberwar in isolation, while real-world cyberwar has historically accompanied kinetic actions.

Of course, like any good consultant, Libicki leaves himself an out on p 177 by stating "cyberweapons come relatively cheap. Because a devastating cyberattack may facilitate or amplify physical operations and because an operational cyberwar capability is relatively inexpensive (especially if the Air Force can leverage investments in CNE), an offensive cyberwar capability is worth developing." The danger of this misguided tract is that policy makers will be swayed by Libicki's misinformed assumptions, arguments, and conclusions, and believe that defense alone is a sufficient focus for 21st century digital security. In reality, a kinetically weaker opponent can leverage a cyber attack to weaken a kinetically superior yet net-centric adversary. History shows, in all theatres, that defense does not win wars, and that the best defense is a good offense.

Worth Reading (rating: 4)
Well, this book has certainly stirred up some emotion. If you're on the fence about reading this book, you can get the PDF at the RAND web site and make up your mind about whether it belongs in your library (it is in mine).

This is a good book on a timely topic and adds quite a bit to the debate about the utility of the principle of deterrence through cyberweapons. Keep this focus in mind as this is not a general book about information/network security or even cyber warfare and its conclusions should not be taken out of context (which I humbly suggest Bejtlich did).

So, if you're interested in whether it makes real sense for the US to develop cyberweapons in the hope that our ability to do unto others will deter them from doing unto us, then do read this book as its conclusions may surprise you.

Voice of sanity in cyber offense debate (rating: 4)
This is the first cogent look at the efficacy of waging strategic cyber war and I hope will serve to slow the rhetoric coming from the US Defense community about acquiring cyber offensive capability. I wrote before about the National Resource Council's report, "Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities". That report explored many of the same difficulties addressed by Libicki but came to different conclusions.

An introductory statement from Libicki:

All this might lead to a belief that the historic constructs of war--force, offense, defense, deterrence--can be applied to cyberspace with little modification. Not so. Instead, cyberspace must be understood in its own terms, and policy decisions being made for these and other new commands must reflect such understanding. Attempts to transfer policy constructs from other forms of warfare will not only fail but also hinder policy and planning.

And:

As long as nations rely on computer networks as a foundation for military and economic power and as long as such computer networks are accessible to the outside, they are at risk. Hackers can steal information, issue phony commands to information systems to cause them to malfunction, and inject phony information to lead men and machines to reach false conclusions and make bad (or no) decisions.

Continuing:

Yet system vulnerabilities do not result from immutable physical laws. They occur because of a gap between theory and practice. In theory, a system should do only what its designers and operators want it to. In practice, it does exactly what its code (and settings) tells it to. The difference exists because systems are complex and growing more so. In all this lies a saving grace. Errors can be corrected, especially if cyberattacks expose vulnerabilities that need attention. The degree to which and the terms by which computer networks can be accessed from the outside (where almost all adversaries are) can also be specified. There is, in the end, no forced entry in cyberspace. Whoever gets in enters through pathways produced by the system itself. It is only a modest exaggeration to say that organizations are vulnerable to cyberattack only to the extent they want to be. In no other domain of warfare can such a statement be made.

Elaborating:

The salient characteristics of cyberattacks--temporary effects and the way attacks impel countermeasures--suggest that they be used sparingly and precisely. They are better suited to one-shot strikes (e.g., to silence a surface-to-air missile system and allow aircraft to destroy a nuclear facility under construction) than to long campaigns (e.g., to put constant pressure on a nation's capital). Attempting a cyberattack in the hopes that success will facilitate a combat operation may be prudent; betting the operation's success on a particular set of results may not be.

Questioning:

But can strategic cyberwar induce political compliance the way, say, strategic airpower would? Airpower tends to succeed when societies are convinced that matters will only get worse. With cyberattacks, the opposite is more likely. As systems are attacked, vulnerabilities are revealed and repaired or routed around. As systems become more hardened, societies become less vulnerable and are likely to become more, rather than less, resistant to further coercion.

Answering:

Can cyberattacks disarm cyberattackers? In a world of cheap computing, ubiquitous networking, and hackers who could be anywhere, the answer is no.

Warning:

Can escalation be avoided? Even if retaliation is in kind, counterretaliation may not be. A fight that begins in cyberspace may spill over into the real world with grievous consequences.

And concluding:

The United States and, by extension, the U.S. Air Force, should not make strategic cyberwar a priority investment area. Strategic cyberwar, by itself, would annoy but not disarm an adversary. Any adversary that merits a strategic cyberwar campaign to be subdued also likely possesses the capability to strike back in ways that may be more than annoying.

Libicki is careful to make the distinction between espionage (CNE) and cyberattack which seeks to disrupt or corrupt. He also makes the point that attack is cheaper than defense. Thus deterrence could save money needed for defense but goes on to say:

The better one's defenses, the less likely it is that an attack will succeed and so the less often a cyberdeterrence policy will be tested. The longer such a policy goes untested, the more credibility it acquires, if only through precedent.

Another good point:

...a good defense adds credibility to the threat to retaliate, much in the way Herman Kahn argued that having bomb shelters made nuclear deterrence more credible.

Libicki is not omniscient though.

Footnote 20 on page 11:

A fiendish variant is to attack computers that control manufacturing processes to retard the production of, ruin, or render dangerous the products of the processes. Such an attack could have nasty echoes. It is not clear, however, why any manufacturing process should be exposed to the outside world without very high levels of network protection.

From my discussions with manufacturers they have done little to segregate their production environments from the Internet. They have even deployed Windows systems down to the machine cell for management and reporting. Systems that do not lend themselves to frequent patching/rebooting schedules. Manufacturing is very vulnerable to these "fiendish variants".

Moving on, Libicki's conclusion from chapter 6:

It is thus hard to argue that the ability to wage strategic cyberwar should be a priority area for U.S. investment and, by extension, for U.S. Air Force investment. It is not even clear whether there should be an intelligence effort of the intensity required to enable strategic cyberwar.

And I cannot resist lauding a final conclusion that I have oft said:

This investigation suggests that, in this medium, the best defense is not necessarily a good offense; it is usually a good defense. -Excerpted from [...]