Wednesday, November 25, 2009

Review of Martin Libicki's Cyberdeterrence and Cyberwar

Amazon.com just posted my three-star review of Martin Libicki's Cyberdeterrence and Cyberwar. I've reproduced the review in its entirety here because I believe it is important to spread the word to any policy maker who might read this blog or be directed here. I've emphasized a few points for readability.

As background, I am a former Air Force captain who led the intrusion detection operation in the AFCERT before applying those same skills to private industry, the government, and other sectors. I am currently responsible for detection and response at a Fortune 5 company and I train others with hands-on labs as a Black Hat instructor. I also earned a master's degree in public policy from Harvard after graduating from the Air Force Academy.

Martin Libicki's Cyberdeterrence and Cyberwar (CAC) is a weighty discussion of the policy considerations of digital defense and attack. He is clearly conversant in non-cyber national security history and policy, and that knowledge is likely to benefit readers unfamiliar with Cold War era concepts. Unfortunately, Libicki's lack of operational security experience undermines his argument and conclusions. The danger for Air Force leaders and those interested in policy is that they will not recognize that, in many cases, Libicki does not understand what he is discussing. I will apply lessons from direct experience with digital security to argue that Libicki's framing of the "cyberdeterrence" problem is misguided at best and dangerous at worst.

Libicki's argument suffers from five key flaws. First, in the Summary Libicki states "cyberattacks are possible only because systems have flaws" (p. xiii). He continues with "there is, in the end, no forced entry in cyberspace... It is only a modest exaggeration to say that organizations are vulnerable to cyberattack only to the extent they want to be. In no other domain of warfare can such a statement be made" (p. xiv). I suppose, then, that there is "no forced entry" when a soldier destroys a door with a rocket, because the owners of the building are vulnerable "to the extent they want to be"? Are aircraft carriers similarly vulnerable to hypersonic cruise missiles because "they want to be"? How about the human body vs. bullets?

Second, Libicki's fatally flawed understanding of digital vulnerability is compounded by his ignorance of the role of vendors and service providers in the security equation. Asset owners can do everything in their power to defend their resources, but if an application or implementation has a flaw, it's likely only the vendor or service provider who can fix it. Libicki frequently refers to sys admins as if they have mystical powers to completely understand and protect their environments. In reality, sys admins are generally concerned about availability alone, since they are often outsourced to the lowest bidder and contract-focused, or understaffed to do anything more than keep the lights on.

Third, this "blame the victim" mentality is compounded by the completely misguided notions that defense is easy and recovery from intrusion is simple. On p. 144 he says "much of what militaries can do to minimize damage from a cyberattack can be done in days or weeks and with few resources." On p. 134 he says that, following cyberattack, "systems can be set straight painlessly." Libicki has clearly never worked in a security or IT shop at any level. He also doesn't appreciate how much the military relies on civilian infrastructure for everything from logistics to basic needs like electricity. For example, on p. 160 he says "Militaries generally do not have customers; thus, their systems have little need to be connected to the public to accomplish core functions (even if external connections are important in ways not always appreciated)." That is plainly wrong when one realizes that "the public" includes contractors who design, build, and run key military capabilities.

Fourth, he makes a false distinction between "core" and "peripheral" systems, with the former controlled by users and the latter by sys admins. He says "it is hard to compromise the core in the same precise way twice, but the periphery is always at risk" (p. 20). Libicki is apparently unaware that one core Internet resource, BGP, is basically at constant risk of complete disruption. Other core resources, DNS and SSL, have been incredibly abused during the last few years. All of these are known problems that are repeatedly exploited, despite knowledge of their weaknesses. Furthermore, Libicki doesn't realize that so-called critical systems are often more fragile than user systems. In the real world, critical systems often lack change management windows, or are heavily regulated, or are simply old and not well maintained. What's easier to reconfigure, patch, or replace: a "core" system that absolutely cannot be disrupted "for business needs," or a "peripheral" system that belongs to a desk worker?

Fifth, in addition to not understanding defense, Libicki doesn't understand offense. He has no idea how intruders think or the skills they bring to the arena. On pp. 35-6 he says "If sufficient expenditures are made and pains are taken to secure critical networks (e.g., making it impossible to alter operating parameters of electric distribution networks from the outside), not even the most clever hacker could break into such a system. Such a development is not impossible." Yes, it is impossible. Thirty years of computer security history have shown it to be impossible. One reason why he doesn't understand intruders appears on p. 47 where he says "private hackers are more likely to use techniques that have been circulating throughout the hacker community. While it is not impossible that they have managed to generate a novel exploit to take advantage of a hitherto unknown vulnerability, they are unlikely to have more than one." This baffling statement shows Libicki doesn't appreciate the skill set of the underground.

Libicki concludes on pp. xiv and xix-xx "Operational cyberwar has an important niche role, but only that... The United States and, by extension, the U.S. Air Force, should not make strategic cyberwar a priority investment area... cyberdefense remains the Air Force's most important activity within cyberspace." He also claims it is not possible to "disarm" cyberwarriors, e.g., on p. 119 "one objective that cyberwar cannot have is to disarm, much less destroy, the enemy. In the absence of physical combat, cyberwar cannot lead to the occupation of territory." This focus on defense and avoiding offense is dangerous. It may not be possible to disable a country's potential for cyberwar, but an adversary can certainly target, disrupt, and even destroy cyberwarriors. Elite cyberwarriors could be likened to nuclear scientists in this respect; take out the scientists and the whole program suffers.

Furthermore, by avoiding offense, Libicki makes a critical mistake: if cyberwar has only a "niche role," how is a state supposed to protect itself from cyberwar? In Libicki's world, defense is cheap and easy. In the real world, the best defense is 1) informed by offense, and 2) coordinated with offensive actions to target and disrupt adversary offensive activity. Libicki also focuses far too much on cyberwar in isolation, while real-world cyberwar has historically accompanied kinetic actions.

Of course, like any good consultant, Libicki leaves himself an out on p. 177 by stating "cyberweapons come relatively cheap. Because a devastating cyberattack may facilitate or amplify physical operations and because an operational cyberwar capability is relatively inexpensive (especially if the Air Force can leverage investments in CNE), an offensive cyberwar capability is worth developing." The danger of this misguided tract is that policy makers will be swayed by Libicki's misinformed assumptions, arguments, and conclusions, and believe that defense alone is a sufficient focus for 21st century digital security. In reality, a kinetically weaker opponent can leverage a cyber attack to weaken a kinetically superior yet net-centric adversary. History shows, in all theatres, that defense does not win wars, and that the best defense is a good offense.

9 comments:

DeLepster said...

With such a devastating review, how come he still gets three stars?

Richard Bejtlich said...

Just because his argument is flawed doesn't mean it's not worth reading. :)

Bryon said...

I think your argument against "no forced entry" is flawed. A soldier knocking down a door is inherently different than anything in a 'cyber' realm. This kind of 'real life' allusion/metaphor does not translate or equate to how computer systems work and really just confuses the issue.

I think all Libicki is trying to say is design flaws are what allow system compromises.

Now, countering his argument by saying that design flaws are provably never going to be completely removed (halting problem), there you might have something...

Richard Bejtlich said...

Bryon, I don't agree. Is the fact that you can destroy a door a "design flaw" in the door? What if you create an app and take every precaution you can given a certain threat model, and a new threat model appears that renders the old one useless?

The point is any attack is "forced entry". The word "attack" implies force by itself.

Bryon said...

Your threat model analysis is an accurate critique of the impossible nature of actually trying to build a functional and secure system that operates under Libicki's model (and I agree). It does not however show how Libicki's model is incorrect or flawed.

The word 'attack' when considered in a 'cyber' world needs to have its physical connotations set aside. But again I agree that Libicki should refrain from using the word and choose 'exploit' or something similar.

only.Samurai said...

I haven't read all Libicki's work, so I may have missed this. But his claim that systems are only as flawed as their technical components completely disregards the less-technical methods an attack may employ. Social engineering and phishing come to mind. I've worked penetration tests before where we were unable to compromise the systems directly, but were able to gain access through exploiting an employee. A cyberattacker could use similar methods to gather valid credentials, at which point the good majority of defensive technology is useless.

Anonymous said...

It's hard to take Libricki's analysis seriously when his underlying knowledge of cyber security is so weak.

For example, on page 143 he says: "Cyberattacks are about deception, and the essence of deception is the difference between what you expect and what you get: surprise. This is why operational cyberwar is tailor-made for surprise attack and a poor choice for repeated attacks: It is difficult to surprise the same sysadmin twice in the same way."

Why would one assume that an attacker would have only one method of attack and use it repeatedly? The breadth of attack vectors is huge and has the same sort of asymmetry as terrorist attacks. At this point I think it's accepted wisdom that anti-terrorism must be proactive and have major offensive components.

Anonymous said...

I just realized I left out the last sentence of the comment I posted at 6:50pm. Here it is:

By analogy, the asymmetric nature of cyber attacks leads one to conclude that offensive capabilities are needed, although I am not saying that it's the sole justification for developing offensive cyber war capabilities.

Richard Bejtlich provided several other arguments in his post.

Also I noticed I spelled the author's name wrong. It should be Libicki.

Stiennon said...

Richard: I usually find myself in agreement with your analysis so it surprised me to see you come down on Libicki so hard. I read his book cover to cover and found it to contain cogent thinking on the issue of deterrence, and defense versus offense. Thinking that is much better than what has been produced of late by the hand wringers and chicken littles that have been crying cybergeddon! and cyberkatrina!

Libicki shines a light on the deterrence argument that needed shining. There appears to be a mad scramble for dollars from the various branches of the military as they reach for new money for their pet projects. But why the sudden interest in developing offensive capability when the US military has demonstrated that it is having trouble protecting critical systems from attackers? The Pentagon, NIPRNet, Sandia, and others have all suffered major breaches.

I am still in the camp that says the best cyber defense is a good cyber defense. Until the US can demonstrate proficiency in defense I will not expect them to effectively manage offensive cyber war capabilities.