Sunday, January 24, 2010

Australia and Cyber-warfare Book on Attacks from China

The book "Australia and Cyber-warfare" is very useful for putting the new Australian Cyber Security Operations Centre (CSOC) into perspective. The section on "China’s cyber-attack capability" is relevant to Google's recent allegations of attacks from China.

There are very well-formatted free web and mobile versions of the book available online, as well as a print-on-demand edition.

Australia and Cyber-warfare

Gary Waters, Desmond Ball and Ian Dudgeon

Canberra Papers on Strategy and Defence No. 168

ISBN 9781921313790 (Print version) $19.95 (GST inclusive)
ISBN 9781921313806 (Online)
Published July 2008

This book explores Australia’s prospective cyber-warfare requirements and challenges. It describes the current state of planning and thinking within the Australian Defence Force with respect to Network Centric Warfare, and discusses the vulnerabilities that accompany the use by Defence of the National Information Infrastructure (NII), as well as Defence’s responsibility for the protection of the NII. It notes the multitude of agencies concerned in various ways with information security, and argues that mechanisms are required to enhance coordination between them. It also argues that Australia has been laggard with respect to the development of offensive cyber-warfare plans and capabilities. Finally, it proposes the establishment of an Australian Cyber-warfare Centre responsible for the planning and conduct of both the defensive and offensive dimensions of cyber-warfare, for developing doctrine and operational concepts, and for identifying new capability requirements. It argues that the matter is urgent in order to ensure that Australia will have the necessary capabilities for conducting technically and strategically sophisticated cyber-warfare activities by the 2020s.

The Foreword has been contributed by Professor Kim C. Beazley, former Minister for Defence (1984–90), who describes it as ‘a timely book which transcends old debates on priorities for the defence of Australia or forward commitments, [and] debates about globalism and regionalism’, and as ‘an invaluable compendium’ to the current process of refining the strategic guidance for Australia’s future defence policies and capabilities. ...

Table of Contents

Abstract
Contributors
Acronyms and Abbreviations
Foreword by Professor Kim C. Beazley
Chapter 1. Introduction: Australia and Cyber-warfare
Chapter 2. The Australian Defence Force and Network Centric Warfare
Introduction
The ADF’s NCW Concept
Networks
Shared situational awareness
Self-synchronisation
Balancing risks and opportunities
The NCW Roadmap
The human dimension
Accelerating change and innovation
Defence’s Information Superiority and Support Concept
Networking issues
The ADF’s capability planning for NCW
Maritime
Land
Aerospace
ISR
Joint force
Coalition
Conclusion
Chapter 3. Information Warfare—Attack and Defence
Introduction
The value of information
Open source information
Information Warfare
How would an adversary attack us?
China’s cyber-attack capability
What should we do?
Conclusion
Chapter 4. Targeting Information Infrastructures
Introduction
The information society
Information Infrastructures: the NII, GII and DII
The National Information Infrastructure
The Global Information Infrastructure
The Defence Information Infrastructure
Information Infrastructures: Some key characteristics
Components
Connectivity
Bandwidth
Functional interdependence
Ownership and control
The Importance of Information Assurance
Targeting Information Infrastructures: who and why?
Nation-state targeting
Targeting by non-state organisations
Targeting: objectives
Targeting: capabilities required
Psychological operations
Database management
Computer Network Operations (CNO)
Other weapons and methodologies
Media
HUMINT assets
Additional capabilities
Targeting: vulnerability and accessibility
Vulnerabilities
Accessibility
Intelligence
Conclusion
Chapter 5. Protecting Information Infrastructures
Introduction
Balancing information superiority and operational vulnerability
Vulnerabilities
Balancing security and privacy in information sharing
Managing security risk
Managing privacy risk
Dangers in getting privacy wrong
Cyber-security
Critical Infrastructure Protection in Australia
Securing the Defence enterprise
Trusted information infrastructure
Addressing the national requirement
Conclusion
Chapter 6. An Australian Cyber-warfare Centre
Introduction
The relevant organisations and their coordination
Research, planning and preparation
Offensive activities
Information Warfare and the intelligence process
Command issues
A premium on ante-bellum activities
Rules of engagement, doctrine and operational concepts
Capability planning
Location of a Cyber-warfare Centre
Regional developments
Conclusion
Bibliography
Index


Friday, October 16, 2009

Cyberdeterrence and Cyberwar

Cyberdeterrence and Cyberwar (Martin C. Libicki) is a RAND report for the US Air Force which details the difficulties of dealing with attacks on military and civilian computer infrastructure. It argues that the traditional military doctrine of deterrence, here the threat of a cyber attack to deter an aggressor, will not be effective in cyberwarfare. Conventional military force will also have limited value in responding to a cyberattack, because of the difficulty of identifying the attacker.

The book is available as a free e-book: Summary Only (File size 0.3 Mbytes) and Full Document (1.8 Mbytes, 240 Pages), as well as a printed paperback.
Contents

Preface
Figures
Tables
Summary
Acknowledgements
Abbreviations

Chapter One
Introduction
Purpose
Basic Concepts and Monograph Organization

Chapter Two
A Conceptual Framework
The Mechanisms of Cyberspace
External Threats
Internal Threats
Insiders
Supply Chain
In Sum
Defining Cyberattack
Defining Cyberdeterrence

Chapter Three
Why Cyberdeterrence Is Different
Do We Know Who Did It?
Can We Hold Their Assets at Risk?
Can We Do So Repeatedly?
If Retaliation Does Not Deter, Can It at Least Disarm?
Will Third Parties Join the Fight?
Does Retaliation Send the Right Message to Our Own Side?
Do We Have a Threshold for Response?
Can We Avoid Escalation?
What If the Attacker Has Little Worth Hitting?
Yet the Will to Retaliate Is More Credible for Cyberspace
A Good Defense Adds Further Credibility

Chapter Four
Why the Purpose of the Original Cyberattack Matters
Error
Oops
No, You Started It
Rogue Operators
The Command-and-Control Problem
Coercion
Force
Other
Implications

Chapter Five
A Strategy of Response
Should the Target Reveal the Cyberattack?
When Should Attribution Be Announced?
Should Cyberretaliation Be Obvious?
Is Retaliation Better Late Than Never?
Retaliating Against State-Tolerated Freelance Hackers
What About Retaliating Against CNE?
Should Deterrence Be Extended to Friends?
Should a Deterrence Policy Be Explicit?
Can Insouciance Defeat the Attacker’s Strategy?
Confrontation Without Retaliation
The Attacker’s Perspective
Signaling to a Close

Chapter Six
Strategic Cyberwar
The Purpose of Cyberwar
The Plausibility of Cyberwar
The Limits of Cyberwar
The Conduct of Cyberwar
Cyberwar as a Warning Against Cyberwar
Preserving a Second-Strike Capability
Sub-Rosa Cyberwar?
A Government Role in Defending Against Cyberwar
Managing the Effects of Cyberwar
Terminating Cyberwar
Conclusions

Chapter Seven
Operational Cyberwar
Cyberwar as a Bolt from the Blue
Dampening the Ardor for Network-Centric Operations
Attacks on Civilian Targets
Organizing for Operational Cyberwar
Conclusions

Chapter Eight
Cyberdefense
The Goal of Cyberdefense
Architecture
Policy
Strategy
Operations
Hardware
Deception
Red Teaming
Conclusions

Chapter Nine
Tricky Terrain

Appendixes
A. What Constitutes an Act of War in Cyberspace?
B. The Calculus of Explicit versus Implicit Deterrence
C. The Dim Prospects for Cyber Arms Control
References ...
Summary

The establishment of the 24th Air Force and U.S. Cyber Command marks the ascent of cyberspace as a military domain. As such, it joins the historic domains of land, sea, air, and space. All this might lead to a belief that the historic constructs of war—force, offense, defense, deterrence—can be applied to cyberspace with little modification.

Not so. Instead, cyberspace must be understood in its own terms, and policy decisions being made for these and other new commands must reflect such understanding. Attempts to transfer policy constructs from other forms of warfare will not only fail but also hinder policy and planning.

What follows focuses on the policy dimensions of cyberwar: what it means, what it entails, and whether threats can deter it or defense can mitigate its effects. The Air Force must consider these issues as it creates new capabilities.

Cyberattacks Are Possible Only Because Systems Have Flaws

As long as nations rely on computer networks as a foundation for military and economic power and as long as such computer networks are accessible to the outside, they are at risk. Hackers can steal information, issue phony commands to information systems to cause them to malfunction, and inject phony information to lead men and machines to reach false conclusions and make bad (or no) decisions. ...

Operational Cyberwar Has an Important Niche Role, but Only That

For operational cyberwar—acting against military targets during a war—to work, its targets have to be accessible and have vulnerabilities. These vulnerabilities have to be exploited in ways the attacker finds useful. It also helps if effects can be monitored. ...

Strategic Cyberwar Is Unlikely to Be Decisive

No one knows how destructive any one strategic cyberwar attack would be. Estimates of the damage from today’s cyberattacks within the United States range from hundreds of billions of dollars to just a few billion dollars per year. ...

Cyberdeterrence May Not Work as Well as Nuclear Deterrence

The ambiguities of cyberdeterrence contrast starkly with the clarities of nuclear deterrence. In the Cold War nuclear realm, attribution of attack was not a problem; the prospect of battle damage was clear; the 1,000th bomb could be as powerful as the first; counterforce was possible; there were no third parties to worry about; private firms were not expected to defend themselves; any hostile nuclear use crossed an acknowledged threshold; no higher levels of war existed; and both sides always had a lot to lose. Although the threat of retaliation may dissuade cyberattackers, the difficulties and risks suggest the perils of making threats to respond, at least in kind. Indeed, an explicit deterrence posture that encounters a cyberattack with obvious effect but nonobvious source creates a painful dilemma: respond and maybe get it wrong, or refrain and see other deterrence postures lose credibility. ...

Can retaliators hold assets at risk?

It is possible to understand the target’s architecture and test attack software in vivo and still not know how the target will respond under attack. Systems vary by the microsecond. Undiscovered system processes may detect and override errant operations or alert human operators. How long a system malfunctions (and thus how costly the attack is) will depend on how well its administrators understand what went wrong and can respond to the problem. Furthermore, there is no guarantee that attackers in cyberspace will have assets that can be put at risk through cyberspace. ...

Will third parties stay out of the way?

Cyberattack tools are widely available. If nonstate actors jump into such confrontations, they could complicate attribution or determining whether retaliation made the original attackers back off.

Might retaliation send the wrong message?

Most of the critical U.S. infrastructure is private. An explicit deterrence policy may frame cyberattacks as acts of war, which would indemnify infrastructure owners from third-party liability, thereby reducing their incentive to invest in cybersecurity. ...

Responses to Cyberattack Must Weigh Many Factors

In many ways, cyberwar is the manipulation of ambiguity. Not only do successful cyberattacks threaten the credibility of untouched systems (who knows that they have not been corrupted?) but the entire enterprise is beset with ambiguities. Questions arise in cyberwar that have few counterparts in other media.

What was the attacker trying to achieve?

Because cyberwar can rarely break things much less take things, the more-obvious motives of war do not apply. If the attacker means to coerce but keep its identity hidden, will the message be clear? If the attack was meant to disarm its target but does so only temporarily, what did the attacker want to accomplish in the interim?

Military Cyberdefense Is Like but Not Equal to Civilian Cyberdefense

Because military networks mostly use the same hardware and software as civilian networks, they have mostly the same vulnerabilities. Their defense resembles nothing so much as the defense of civilian networks—a well-practiced art. But military networks have unique features ...

Implications for the Air Force

The United States and, by extension, the U.S. Air Force, should not make strategic cyberwar a priority investment area. Strategic cyberwar, by itself, would annoy but not disarm an adversary. Any adversary that merits a strategic cyberwar campaign to be subdued also likely possesses the capability to strike back in ways that may be more than annoying. ...

From: Cyberdeterrence and Cyberwar, Martin C. Libicki, RAND, 2009
