Defending a new domain 4

William J. Lynn III makes this statement:

In cyberspace, the offense has the upper hand. [1]

And the reason for this?

The Internet was designed to be collaborative and rapidly expandable and to have low barriers to technological innovation; security and identity management were lower priorities. For these structural reasons the U.S. government’s ability to defend its networks always lags behind its adversaries’ ability to exploit U.S. networks’ weaknesses.

His summary of the “structural reasons” is simply pitiful, but given what he says, what is to prevent “low barriers to technological innovation” from including technical innovations that improve security?

Nothing. In fact, that’s exactly what has happened. Where a need appears, people innovate.

As the internet has evolved from the days when a single hosts file was retrieved periodically by the few hundred computers linked in the network, the need for and importance of security has grown, so there has been tremendous, inexorable technical innovation in the area of security. Security-oriented tools — firewalls, virus scanners, spam filters, wireless encryption algorithms, and so on — have proliferated and become highly sophisticated. And the way we do things has changed. Do you still attach a Windows box directly to the net with file and print sharing enabled? I’ll bet you don’t. Your 12-year-old getting familiar with Linux knows ssh, but if she’s heard of it at all, she thinks “telnet” has something to do with fat televisions, like the one in the attic.

If Mr. Lynn wanted to identify a “structural reason” that could plausibly explain why offense would have the upper hand, he could have used this paragraph from later in his essay:

On average, it takes the Pentagon 81 months to make a new computer system operational after it is first funded. Taking into account the growth of computing power suggested by Moore’s law, this means that by the time systems are delivered, they are at least four generations behind the state of the art.

Yes, that could explain why the U.S. military, on defense, would be at a disadvantage with respect to, say, 4 or 5 Russian teenagers taking the offense.

But using that as an explanation for a special advantage enjoyed by the offense in cyberspace is problematic: it doesn’t explain why offense per se is superior to defense per se. It would support the idea that a technically lagging network will be at a disadvantage, defensively, against a relatively cutting-edge offense. And it would explain the “always” in this statement: “...the U.S. government’s ability to defend its networks always lags behind its adversaries’ ability to exploit U.S. networks’ weaknesses.”

A poorly defended network will always be at a disadvantage when up against clever and energetic attackers, and perhaps even against an attacker with mediocre skills who happens to get lucky. The “significant compromise” Mr. Lynn describes in his essay’s introduction could be cited as an example of an indifferent offense that overwhelmed the military’s inept network defenses.

Does offense have a special advantage over defense in “cyberspace”?

No. The question doesn’t even make sense without particulars. The only reasonable response to that question is a clarifying question: What defense, and what offense?

Given some specific information about the defense and about the offense, you could argue for the advantage of one over the other, in a particular case.

Offense: worm exploiting Windows autorun
Defense: homogeneous network of Microsoft operating systems, with autorun typically enabled
Prediction: Offense overwhelms defense initially; defense eventually wins because vulnerability is easily eliminated and unwanted files easily found.

That “Prediction” is what actually happened in DOD vs. Agent.btz.

PB

——

[1] Foreign Affairs, September/October 2010: “Defending a New Domain”

About pmbarry

One of these days a man's gonna walk up to you with a shoe on one foot and a boot on the other, and he's gonna tell you 'bout things you ain't never heard of.