Never Fight A Land War in
Cyberspace: The Best
Defense is a strong Defense
Marcus J. Ranum
For you twits: @mjranum
Marcus works for
Tenable Network Security, Inc.
Apology in Advance
• This is going to sound like a bunch of neeping
– But it’s relevant
– Computer security is in line to become another US
disaster area of foreign policy
– We need to keep an eye on what the armchair
cyberwarriors are doing because they’re busy
developing cinder-block throwing techniques for
the department of glass houses
So, What’s Up?
• The people who are pushing the US to
become a cyberwar power are preparing the
same strategies that have failed to work in the
past
– It’s important to deconstruct and understand
strategy in a domain before you can drop down
into tactics
– Otherwise: “Tactics without strategy is the noise
before defeat”
– This affects us all in the security community
Some Terms
• “Cyberwar” - ‘conflict in cyberspace’
• “Topological warfare” - conflict in realspace;
where distance, time, position, logistics and
the constraints of reality apply
• I used to think “cyberwar is bullshit” in the
science fiction novel sense
– If you take the narrower definition, it’s real enough
Strategy / Tactics
• Strategy is the big “why” and big “how”
– Generally at the level of conflict and purpose
• Tactics is the details of how to get the thing
done
– Generally at the level of battlefields and terrain
• The question, then, is whether we have a
useful sense of how cyberwar is fought
The Argument That Follows
• Our concept of conflict is so deeply
embedded with topological artifacts that we
are unable to think clearly about cyberwar
tactics or strategy
– If we’re going to do it, we should understand it
– If we’re going to defend against it, we should
understand it
• Our understanding of “offense” and “defense”
is profoundly flawed
“The Best Defense…”
• Military maxim going back … probably forever
• There are sound reasons why it’s good,
rooted in topological warfare
– Spoiling attack*
– Defeat in detail
– Control of time, place, and rhythm
* For purists, these are all really the same thing
Spoiling Attack
• Attack your enemy as they are marshalling
their forces
– Hit them while they are preparing to maneuver
and are off-balance
– Takes control of time/space/initiative away from
them
• When cyberwarriors talk they are often
casting cyberwar as a spoiling attack
Defeat in Detail
• Good example: Caesar at Alesia
– If your opponent’s maneuver elements cannot
tactically support each other …
… attack one, then the other
– Sun Tzu formulates this as:
• Have your best troops attack your enemy’s
second best troops, your second best troops
attack their worst troops, and have your worst
troops try to delay their best troops long
enough for the best/2nd best to finish their work
Control of Time, Place,
Rhythm
• John Boyd’s notion of OODA (Observe Orient
Decide Act) loops is a popular way of thinking
about this
– The simpler form is to acknowledge that if you
attack first your opponent must respond to defend
at a time and place you chose
– You can always attack a weaker place (thereby
maximizing your forces)
– or attack to “draw” a counter (thereby controlling
their movements)
How This Works in Samurai
Movies or Spaghetti Westerns
• You attack the opponent who has the greatest
apparent situational awareness
– Go for the opponent who’s going for their gun, or
who is maneuvering to get behind you
– Down them, then go for the one who is
maneuvering next most effectively
– etc
How This Ends in Samurai
Movies or Spaghetti Westerns
• Eventually the bad guys realize you’re
mowing them down and stop being bad guys
– This is called “deterrence”
The Problem
• Those principles of maneuver only have
meaning in topological space
– For one thing, they are deeply rooted in the
historical land-war notion that you know where
your enemy is and who your enemy is and how
many enemies you have
• How does that apply to cyberspace?
• The theme that forces support each other by
proximity also does not apply at all*
* For purists: combined arms go out the window
For Another Thing
• The idea of deterrence goes completely out
the window
– When you have enemies you don’t know you
have you can hardly threaten them …
… Unless your strategy is to be so terrifying and
ruthless that anyone who’s even thinking of going
up against you is too scared to try
Two Possibilities
• Possibility 1:
– The proponents of cyberwar utterly do not
understand what they are doing
• Thus they are “the noise before defeat”
Two Possibilities (2)
• Possibility 2:
– There is an underlying, unspoken, strategic
direction to achieve such a level of dominance that
no opponent that exists or might arise can offer
a plausible threat
– Right? Because unless you can utterly dominate
everyone, someone better than you can
materialize; in cyberspace you can’t preempt them
Defense
• In a domain where you may have multiple
unknown foes
– Who can attack at any time
• In a place of their choosing
You have to defend everything well against
everyone
– I hate to say this but that vindicates the strategy
most people have followed with firewalls!
Defense (2)
• In fact, the observation that strong defense in
depth is pretty much the only thing that has
ever been shown to be at all effective in
cyberspace …
… kind of argues my point
– Having reality on your side really doesn’t hurt
Military Maxims of Cyberwar
#1: In cyberspace, every attack is always a
surprise attack
#2: In cyberspace, the best defense is a strong
defense
Why This Matters
• Cybersecurity has become an issue of foreign
policy
– US has threatened “retaliation” against N Korea
for Sony break-ins
– US has threatened sanctions against China
– US NSA hasn’t done anything to penetrate other
countries’ critical infrastructure at all
• Our question is “does the US’ cybersecurity
strategy actually make sense?”
Why This Matters (2)
• Back in 2008 I started floating the idea that
cyberwar may become a “weapon of
privilege”
– Other weapons of privilege: nuclear WMD
• Unfortunately, US cybersecurity strategy
continues to point in that direction
– That has serious and sobering implications
We’re At The Front Line
• In cyberwar the “best defense is a strong
defense” paradigm means acknowledging
that everything/everyone is a potential
target and hardening them all accordingly
– That’s why US government policy regarding
cyberwar should scare you
– If the government’s systems were actually
outstandingly tough…
… you’re the remaining target
What Should We Do?
• Continually press the US for a sensible and
egalitarian policy toward cybersecurity conflict
internationally
• Continually press the US to defend
government systems appropriately
• Continue to stress the point that orienting
towards offense does not strengthen defense
• Keep defending our systems