U.S. Cyber Command - Some Deep Background

It is not common knowledge, but we began discussing the need for a cyber command in the mid-1990s; it was the Langley Cyber Attack in 1997, however, that started the momentum toward making a future cyber command a reality. I don’t want to rehash well-documented historical events in this post. Instead, I will focus on some commentary.

One of the untold stories of the Langley Cyber Attack is that there were a number of folks in the uniformed military who wanted to launch counter-attacks. However, I was lucky enough to have the support of the senior leadership at that time and formulated both tactics and strategies I called “The Black Hole Strategy”, which was completely defensive and focused on intelligence gathering. I paraphrase it below:

  • Do not provide any feedback to hackers or attackers.
  • Create defenses that minimize any damage.
  • Passively upgrade systems under attack so they have room to maneuver (if required).
  • Store and archive messages and traffic for forensic evidence.

In other words, the strategy was defensive, not offensive. I believed then, and still believe, that you will learn much more about a cyberspace adversary from defensive measures, for example honeypots, sniffers, and log file analysis. My strategy became USAF (and DOD) internal policy (it was briefed to Presidential Commissions, Science Boards, etc.).

Interestingly enough, when web home pages became more popular (toward the late 1990s and early 2000s), we would discuss the implications of an adversary defacing a military-owned public-facing (not internal) web page. My position was basically “not a big deal”. We can easily have backups and automated scripts to restore the defaced web page. In addition, if we are clever, we can learn about the attacker and their methods.
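The "backups and automated scripts" idea above, combined with the strategy's "store and archive for forensic evidence" item, is easy to make concrete. The script below is an added example, not code from the original post: it keeps a SHA-256 manifest of a known-good copy of the site, flags any modified, missing or added file in the live document root, archives the tampered tree before touching it (so the evidence survives the cleanup), and then restores the golden copy. It assumes POSIX sh plus GNU coreutils (`sha256sum`, `date`); every path is hypothetical, and `make_demo_site` builds a throwaway site so the whole thing runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): a defender-side guard for a
# public-facing web page. Detect defacement against a hash manifest, archive
# the tampered copy for forensics, restore the known-good copy.
# Assumes GNU coreutils (sha256sum, date). All paths are hypothetical;
# make_demo_site constructs a sample site so the script runs stand-alone.
set -u

# build_manifest GOLDEN_DIR MANIFEST: SHA-256 of every file in the known-good copy,
# paths relative to GOLDEN_DIR. MANIFEST should be an absolute path.
build_manifest() {
    golden="$1"; manifest="$2"
    (cd "$golden" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done) > "$manifest"
}

# check_integrity LIVE_DIR MANIFEST: return 0 only if the live tree matches the
# manifest exactly. A modified or missing file fails the hash check; a file that
# is not in the manifest at all (something dropped into the docroot) fails the
# file-list comparison.
check_integrity() {
    live="$1"; manifest="$2"; status=0
    (cd "$live" && sha256sum -c --status "$manifest") || status=1
    expected=$(awk '{print $2}' "$manifest" | LC_ALL=C sort)
    actual=$(cd "$live" && find . -type f | LC_ALL=C sort)
    [ "$expected" = "$actual" ] || status=1
    return $status
}

# quarantine_and_restore LIVE_DIR GOLDEN_DIR EVIDENCE_DIR: archive the tampered
# tree first (evidence before cleanup), then replace it with the golden copy.
# Prints the archive path so a caller can record it.
quarantine_and_restore() {
    live="$1"; golden="$2"; evidence="$3"
    mkdir -p "$evidence"
    archive="$evidence/defaced-$(date +%Y%m%dT%H%M%S).tgz"
    tar -czf "$archive" -C "$live" .
    rm -rf "$live"
    cp -R "$golden" "$live"
    echo "$archive"
}

# make_demo_site ROOT: constructed sample site (golden copy, live copy, manifest).
make_demo_site() {
    root="$1"
    mkdir -p "$root/golden/img" "$root/evidence"
    printf '<html><body><h1>Welcome</h1></body></html>\n' > "$root/golden/index.html"
    printf '<html><body><p>About us</p></body></html>\n' > "$root/golden/about.html"
    printf 'placeholder image bytes\n' > "$root/golden/img/logo.png"
    cp -R "$root/golden" "$root/live"
    build_manifest "$root/golden" "$root/manifest"
}

# tamper_demo_copy LIVE_DIR: alter the demo copy the way a defacement looks to the
# checker (front page overwritten, unexpected file added) so there is something to catch.
tamper_demo_copy() {
    printf '<html><body><h1>changed</h1></body></html>\n' > "$1/index.html"
    printf 'unexpected\n' > "$1/extra.html"
}

run_demo() {
    root=$(mktemp -d)
    make_demo_site "$root"
    tamper_demo_copy "$root/live"
    if check_integrity "$root/live" "$root/manifest"; then
        echo "site intact"
    else
        archive=$(quarantine_and_restore "$root/live" "$root/golden" "$root/evidence")
        echo "defacement detected; evidence archived at $archive; golden copy restored"
    fi
    rm -rf "$root"
}

# Run the self-contained demo with: sh defacement_guard.sh demo
if [ "${1:-}" = "demo" ]; then run_demo; fi
```

Two design points match the post's reasoning. The archive is written before anything is deleted, so the forensic copy (attacker's content, timestamps, any dropped-in files) is never lost to the restore. And the check compares the full file list, not just the hashes of known files, because a defacement that adds a file rather than editing one would otherwise pass a plain `sha256sum -c`.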

However, my position, which made perfect sense to me (a non-military type of consultant), was not well received by a number of people. There were many people who said that “well, the enemy will be encouraged if they can deface our sites - we cannot permit it.” My counter-argument was that if an enemy feels satisfied that they can deface a web page, then we should be happy they are so easily satisfied, because at least they did not kill anyone in the real world. In addition, I argued, we can use the fact that an enemy believes they have hacked a site to provide them with misinformation, bogus files, links to honeypots, etc.

Today, I do believe that offensive and defensive capabilities are required in a military cyber command. However, offensive capabilities should be “low-key” and not aggressively advertised. The mission must be primarily (1) cyber defense and (2) cyber-adversary intelligence gathering. I will write more on this mission soon.


Copyright © 2007-2008, The CEP Blog, All Rights Reserved.