The Active Defense Folly: Exploring The Cyberwar Doctrine Debate

Let He Who is Free of Vulnerabilities Cast the First Exploit.

In a recent Threatpost article, Dennis Fisher stated that a US Cyberwar Doctrine would make little sense without international consensus in the form of agreements or multilaterally shared doctrines. His main argument is that a unilateral declaration of cyber doctrine based on “Active Defense” would be ineffective, primarily due to the problem of reliably identifying any attacking party, as well as not being able to enforce it beyond government agencies.

The article was enjoyable and made some very good points. However, I believe that the main argument of the US requiring international consent for a national Cyberdoctrine to be effective was not appropriate. Why? Because, in this particular case, the two are not necessarily the same thing, nor are they mutually exclusive.

The US Government adopting a Cyberwar Doctrine to provide guidance and instruction on dealing with cyber threats and cyber operations does not rule out or prevent the creation of an international agreement or treaty. In addition, defining a Cyberwar Doctrine is a prudent measure considering the current threat-scape and cybersecurity developments in the past few years. The only real mystery is why it took so long. With Stuxnet as a suspected US and Israeli cyber-operation, this may just be a matter of formalizing something that is already in practice. Either way, it is a necessary step.

The point that Fisher made regarding the Cyberwar Doctrine not being applicable beyond US Agencies is also entirely correct considering the context. However, it is also well known by the current administration and defense chiefs and does not appear likely to be addressed by this particular measure. We have seen other activity on that front. Several attempts have been made at passing a cybersecurity act, as well as the much discussed Executive Order.

Nevertheless, Dennis Fisher's well-made point stands, that an international agreement is a sensible and necessary step and should be on the agenda of policy makers and diplomats everywhere.

Another piece written by Antone Gonsalve provides an interesting hypothesis for the lack of action: “The general consensus is that those nations are not in the mood to make any kind of deal that would limit their online activities”. In other words, everyone sees too great an advantage and too much to gain by not restricting cyberoperations, with John Felker of SCI Consulting Services being quoted as adding, “The price of entry is low” for the development of devastating cyberweapons.

The entry price is low, the rewards high, and the risk virtually nonexistent, if you’ll pardon the pun.

Without a binding and enforced agreement or deterrent, and based on historical precedents, an arms race will now ensue. More so than for most arms races, this one will greatly favor offensive developments over defensive ones. The reason for that is simple: the offensive weapons will be easier to develop, will have a higher rate of success and a higher return on investment, especially in the short term, whilst defensive measures will be difficult to develop and actually practically implement, in particular over the entirety of the potential attack surface that an average nation state offers.

Simply put, it is far easier to find an exploit in an application or a system, than to fully secure it. At least in a manner that is scalable, affordable and can be implemented without interrupting the production of whatever it is that pays the actual bills. So far, few businesses or public bodies have been able to keep out criminals, so the chances of keeping out professional military or intelligence grade hackers are slight, especially once the field matures somewhat.

Most governments and defense organizations know this – they have learned it the hard way, and can’t reliably secure their own networks and systems. This brings us to the doctrine of “Active Defense”, essentially the attempt to deter cyberattacks by the threat of retaliation, or possibly preemptive attack.

Parallels are being drawn between cyberweapons and nuclear arms. I think that that makes sense in terms of the types of solutions to proliferation and the nature of treaties that can be applied to controlling cyberweapons and offensive cyberacts. However, beyond that the loaded nature of any terms related to nuclear weapons invites too many comparisons that just do not apply.

Would an “Active Defense” Doctrine ever provide the same sort of deterrent as Nuclear Arms? To me, that seems unlikely. The reason why it worked for Nuclear Arms is the Mutually Assured Destruction (MAD) Doctrine. In essence, it states that you cannot win a Nuclear War without being destroyed yourself by the guaranteed retaliatory counterattack. Both sides will have time to launch their nuclear arsenal, thus ensuring that both are blown to smithereens, and meaning that any victory would be entirely Pyrrhic in nature. Only an insane person would start such a war.

The MAD Doctrine has had a far greater influence and bearing on preventing a nuclear confrontation than the actual Nuclear Non-proliferation treaties themselves, although they have reduced the risk and provided means to communicate during any eventual incident to prevent accidental escalation. It was the full realization of what MAD practically meant though, utter annihilation of all involved parties, that was actually the main driver for these International Agreements in the first place.

MAD always hangs in a tenuous and uncomfortable balance because it is only assured under certain circumstances. Only when neither side can destroy the other’s retaliatory capabilities is this balance maintained. Sometimes, it can even just come down to geographical distance. If you can hit your enemy before he can get his nukes to launch, you win.

To provide a historical anecdote, that was the background to the Cuban Missile Crisis. The missiles based there could have potentially hit Mainland USA with very little prewarning, potentially invalidating the MAD Doctrine. For the same reasons, Russia is ever wary of the closer creeping NATO Missile Shield and aggressively works against any placement too close to its borders. Lastly, it is the reason why we have so many submarines cruising the oceans packing nukes. It is to ensure retaliation even if HQ is hit – and thus deter.

Comparing Cyberwarfare to Nuclear Arms is, as such, disingenuous. Apart from in extraordinarily unfortunate circumstances, the damage and the threat from offensive cyber-operations could and should never be compared to the world-ending and terrible consequences of a full-out escalated nuclear war. The one can cause a global extinction event with little parallel; the other can, at best, yield secret and sensitive information to a hostile party, or cause limited physical damage or logistical havoc.

The main objectives that cyberwar operations now, and in the future, will have to meet, have historically been achieved via human intelligence collection, sabotage or covert operations.

Having offensive cyber-operational capabilities will not work as a reliable deterrent, especially with certain attribution of attacks being the thorniest issue to untangle.

It should be noted that intelligence and defense agencies do not have to rely solely on virtual tracks and evidence. They can consolidate multiple intelligence sources to identify attackers, something that Information Security Researchers lack. They also have better means of collecting forensic and incident data from different sources that would not share and pool this kind of information directly with each other. They do have better sources, in general, than the Infosec Community, and many are not purely digital. But that will most likely only solve the attribution problem in a limited number of cases, and often not without reasonable deniability or doubt, especially if an intention to implicate an innocent party is involved.

Another issue also arises. Not only is it difficult to reliably attribute a cyberattack, it is also notoriously slow and time-consuming. Active Defense would seem a whole lot less active if it takes two months to work through all of the forensic data and hopefully find any trace that can be trusted. You can track where a missile comes from with radar, but the same is not true of an APT, unless you have an extraordinary measure of security.

The question of the nature and precise targeting of retaliatory or preventative measures will not be solved that way either. If you can prove that a nation’s intelligence agency spied on Coca-Cola, what would constitute a measured response? DDoS’ing Huawei? A trade embargo against the Ukraine? At which point does a virtual attack warrant a physical response? Where do we draw that red line?

In equal measure, how would we feel about Iran retaliating by hacking into Halliburton and fiddling with army procurement orders in response to Stuxnet? I doubt it would be seen as a ‘measured response’ in Washington. The risk of any offensive cyber-activity is always that it will escalate into physical violence. With all of the unknowns and the confusion involved when a breach is first identified, it is highly likely that escalation may occur on less than rational and reasonable grounds.

That another nation state would, for example, sabotage a nuclear power station to cause a meltdown without arousing suspicion, and expect to get away with it, is not just technically unlikely, it is also unrealistic. Such an act would always be considered an act of war, regardless of the means and medium used to cause it, and a violent response is virtually guaranteed.

The truth is that the target surface is potentially so great, with our inter-tangled and complex supply chains and economic ecosystems, that full spectrum defense is almost impossible – like catching rainwater in a sieve.

Offensive capabilities on all sides will advance so quickly, with defense and security already struggling to keep pace, that escalation will be the most likely outcome. Let he who is free of vulnerabilities cast the first exploit. Or to put it another way, you shouldn’t be throwing stones when you are sitting in a greenhouse. This rule will apply to some more than others – after all, who is going to take punitive measures against one of the superpowers if they catch them with their fingers in the digital cookie jar?

It is precisely because of the ambiguities and problems of definition and categorization that an International Agreement on acceptable and agreed cyber operations is the wisest and safest course of action.

The real dangers lie in starting a pointless arms race that may tie up useful resources and know-how where no one can really hope to be the real winners, leading to the escalation to economic and eventually physical confrontation. It must be clear to everyone that strong offensive cyberwar capabilities will not be of any benefit, if you are unable to sufficiently secure or defend your own assets as well. Although nuclear arms and cyberweapons have little in common, without international agreement one could lead to the other.

Oliver-Christopher Rochford works for Tenable Network Security and lives in Germany. He has over a decade of Information Security experience garnered from such diverse companies as Integralis, Qualys, Secunia and HP ESS, and has frequently written and given interviews on the topics of Information and Offensive Security, as well as Cyber-Terrorism and Hacker Culture.