Right Strategy, Wrong Century
Facing a New World with Cyber Weapons
As a baby boomer who grew up during the Cold War, I can still remember getting under my desk in elementary school as we tried to protect ourselves from a nuclear attack. Yes, we actually did that. For the past 244 years, the United States military has defended our country with great valor and distinction on the battlefield. The American homeland and its citizenry have been protected by two great oceans and, more recently, by a strategic doctrine known as “Mutual Assured Destruction.” For decades, the Soviet Union and the United States, both superpowers with nuclear capability, were in a virtual standoff because each country understood the destructive power of those weapons and did not want to use them. But with the “information age” in the 21st century and the total integration of computers into physical systems (i.e., cyber-physical convergence), that situation has changed significantly.
The Visible Versus the Invisible
Kinetic warfare is all about tanks, bombers, and missiles, with all of the destructive power that can be observed when it is unleashed. Cyber warfare is different. It can be silent, stealthy, and deadly—like cancer cells attacking vital human organs while you are still feeling healthy. Well-placed malicious code can disable weapons systems, bring down aircraft, turn off the lights in large cities and small towns across America, disrupt transportation systems, cause satellites to be inoperative, and corrupt manufacturing processes. A never-ending stream of new and innovative technologies, our near-complete dependence on those technologies, and a fully interconnected world have brought the front lines of cyber warfare to “main street” and into our businesses and homes. The speed of “cyber” and modern technologies are literally game changers. Defending the nation in the 21st century can no longer be the sole responsibility of the United States military. The ubiquitous use of computers has blurred the traditional lines between national and economic security. Commercial technologies—including the products, systems, and services produced in complex multitiered supply chains—are now used in everything we care about throughout society. And that is changing the balance of power and how we protect ourselves and the nation.
New Centers of Gravity
In the 21st century, our adversaries are employing new strategies and tactics to attack the United States. The term “Center of Gravity” is used by the military (originally defined by the 19th century military strategist Carl von Clausewitz) to describe the source of power that provides moral or physical strength, freedom of action, or the will to act. The Center of Gravity is usually seen as the “source of strength.” The United States military considers a friendly Center of Gravity to be that element—a characteristic, capability, or locality—that enables its own forces to accomplish their objectives. Conversely, an adversary’s Center of Gravity is the element that prevents our military forces from accomplishing their objectives.
Given that historical context, one could argue that the new friendly Center of Gravity for the United States is our technological superiority. From the adversary’s perspective, the Center of Gravity for the United States might be viewed as our technological dependency—that is, our complete reliance on technology—including computing technology—for everything we do. This would include every sector in the United States critical infrastructure and how the complex systems—made up of trillions of lines of code, millions of applications, and billions of devices—are at the very epicenter of an extensive national capability. Without appropriate defenses, the vulnerabilities in these complex systems can be exploited, sometimes rather easily, by determined adversaries.
It is also important to consider that our adversaries don’t see any delineation between traditional espionage targets and commercial targets. Compromising a government agency is no different from going after a company building wind turbines. The adversary may desire to establish a foothold or “presence” inside an organization developing a particular technology in order to potentially take down critical infrastructure in the future or steal the technology for its own use. To further confuse the situation, some nation-state adversaries may be moonlighting and sharing their capabilities with more financially motivated attackers. This means that the lines are no longer clear between organizations that were obvious targets in the past and those organizations not typically targeted by nation-states. Every public or private sector organization, large or small, is a potential target and may become a gateway to another organization.
Good Offense or Good Defense
In a recent article in the New York Times, Paul R. Kolbe described the playing field of modern cyber warfare. There is a comprehensive discussion of both offensive and defensive cyber operations. We are all familiar with the old adage “The best defense is a good offense.” It has been applied to many fields of endeavor, including warfare. In fact, it is one of the basic principles of war. However, with the recent “arms race” of offensive cyber weaponry, much of it now in the hands of non-nation-state actors, can we still rely on that foundational principle applied in kinetic warfare? While this principle has held up favorably for centuries in the context of kinetic warfare, I believe that principle fails miserably in the age of modern cyber warfare. Why is that? There is actually a very simple explanation.
The age of modern cyber warfare is enabled by advanced technology—mostly commercial products that are part of the extensive infrastructure of complex systems that form the “nerve centers” of governments, businesses, and industries around the world. Those complex systems are, in many cases, extremely vulnerable to cyber-attacks, which helps ensure the ongoing success of offensive cyber operations [1]. To use a football analogy, if a football team focuses the majority of its time and resources on building a “world class” offense at the expense of developing a credible defense, it will likely win games, sometimes by big margins. But that “soft” defense must also go up against the offenses of opposing teams, and at some point during the season, the opposing offenses may begin to surpass its “stellar” offense. And that’s when it starts to lose games. In the world of advanced technology and cyber warfare, the old adage “The best defense is a good offense” no longer applies when it comes to systems security. Simply put, weak or nonexistent defenses in our systems can lead to severe or catastrophic consequences from well-orchestrated cyber-attacks—potentially rendering all elements of national power ineffective. The only way to ensure success and to win is to have a strong offense and a strong defense—this applies to football and warfare, and is especially important in the world of cybersecurity.
Solid Foundation or House of Cards
If we don’t rapidly strengthen the foundations of our systems to include a renewed emphasis on security architectures and security design concepts brought about by “engineering-based” systems development processes, we will continue to be susceptible to the ongoing cyber threats and subversion that are commonplace in modern cyber warfare. Consider how much we learned during World War I and World War II. Imagine if the strengths and weaknesses of the capabilities of the Allies’ opponents weren’t taken into consideration as new tanks, ships, submarines, and aircraft were being designed and mass produced by the Allies. That critical information was brought into the systems design process to ensure we had a good chance of targeting their weaknesses and “strengthening” our defenses.
We have become so enthralled with today’s technology (some may say addicted) that we have let down our guard in a fundamental and dangerous way. Cyber-attacks can be detectable or undetectable (i.e., stealthy). Installing malicious code in a system, or in the commercial products developed in the supply chain that will be incorporated into that system, has the potential to neutralize a critical capability, facilitate the theft of information including intellectual property, cause inadvertent operator actions and system failures, and establish a local foothold in order to trigger future hostile actions at a time of the adversary’s choosing. The absence of a secure foundation for our systems means the dedicated security professionals who are asked to help defend those systems may be working with a “house of cards” that will inevitably be compromised [2].
Give Up the Ship or Grab the Life Preserver?
It is important to learn from our past mistakes. There are several things that we can and must do if we are to put the nation on the right course again—and, as you might expect, they involve "the essential partnership"—that is, a collaboration among government, industry, and academia.
- Make security, like safety, a “priority” in commercial products that provide the foundational components for systems
- Educate the next generation of “security engineers” so they can serve on development teams as part of a secure-by-design, engineering approach to system protection [3]
- Move rapidly to “technology refreshes” built on a new foundation of security architectures tightly coupled to enterprise architectures
- Engineer systems for “assurance” and “resilience” to perform and protect despite unknown future capabilities of adversaries [4]
- Engineer systems for “agility” and “disposal” to facilitate timely transitions before adversaries may be reasonably expected to compromise those systems
- Favor and reward developers who make “security” a priority in their products, systems, and services
- Change the way we measure the “security state” of our systems to align with the state-of-the-art practices in systems security engineering
How Difficult Can This Really Be?
The short answer is pretty darn difficult, but not impossible. Why? Because in our country, the free market determines the best solutions, typically by maximizing profits, and many times at the expense of whatever stands in the way. Too often, it seems what is standing in the way is “doing what is right.” As with most difficult problems, there are no easy solutions. Ironically, doing what is right with regard to security, in the long run, will be less expensive and provide better protection for organizations and the nation. Continuing to hemorrhage intellectual property and operate critical systems with the uncertainty that comes with a growing number of unknown or “zero-day” vulnerabilities does not inspire confidence or trust in the technologies we purchase and use. It also continues to put the nation at great risk. Now is not the time to practice “duck and cover.” We need to invest in deliberate, active, and effective defenses. Great football teams have great defenses. Ask any die-hard Bears, Steelers, Dolphins, Ravens, or Packers fan.
[1] R. Ross, “The Adversaries Live in the Cracks”
[2] R. Ross, “Cybersecurity Professionals—‘In the Arena’”
[3] R. Ross, “The Mysterious Disappearance of Systems Security Engineering”
[4] R. Ross, “Rethinking Our View of System Security”
A special note of thanks to Mark Winstead, Keyaan Williams, Greg Touhill, Tony Cole, and Malcolm Harkins, long-time SSE and cybersecurity colleagues, who graciously reviewed and provided sage advice for this article.
SECURITY & RISK EXECUTIVE
4y: Excellent article, and timely given the recent cyber attack attributed to Russia. We must act now to fortify critical systems and prioritize security in development, testing, etc. Thanks for sharing, I agree.
Experienced Technical Leader ITIL v3, PMP, AWS Solutions Architect - Associate
4y: When you get outside the national security space, risk management is about dollars, not security per se. A large bank losing a few million is pocket change, and if the same poorly engineered system helped them earn billions, it will not generate horror at the executive level. So when we demand to be heard by the C-suite, first we must understand the basis for their decisions and speak in language they understand, and then recognize our arguments will not be persuasive if you cannot answer any so-what questions. Too often I hear cyber folks saying managers don't do "real" risk management. This statement usually means management didn't do what I told them to do... That betrays a lack of understanding of business and programmatic risk management, which has a lot more factors than cyber security. Cyber isn't always the biggest or most important risk facing the decision maker. If execs aren't understanding cyber, perhaps we aren't explaining it very well.
Chief Security & Trust Officer, HiddenLayer
4y: Great perspectives, Ron Ross
President and Manager at Beehive Technology Solutions LLC Service-Disabled Veteran Owned Business (SDVOB) Federal and State Small Certified Business; Microsoft Partner Risk Digital Services
4y: Defective decision-making as the outcome of groupthink can take several forms. Our adversaries will now launch their Phase III. A prior MIT MBSE Architecture in Systems Engineering Program Course highlights how systems engineering, both behavior and systems, are modeled and executed. Model-Driven Design data modeled requirements “real-time” dynamic. We were required to understand Genevieve Flannigan’s Thesis and develop our paper as an assignment. The CAIB board and others seemed to agree it was a systems failure; however, I found this paper by Robert Gregory and his Navy Post Grad Team who had a different opinion (Symptom: Manifestation):
- Illusion of Invulnerability: Members ignore obvious danger, take extreme risk, and are overly optimistic.
- Unquestioned Belief in the Group’s Inherent Morality: Members believe their decisions are morally correct, ignoring the ethical consequences of their decisions.
Robert Gregory and the Navy Post Grad team highlighted human flaws from the beginning, Challenger-CAIB Paper 2006. We have a "Groupthink Systems Foundation" problem as the initial issue-denial.
Board Member; Speaker; NACD Directorship Certified & DDN QTE
4y: Outstanding article, Ron Ross!