I recently read Richard Clarke’s book Cyberwar. I was prepared not to like it, honestly – the whole “cyberwar” concept has been hyped pretty badly, and I wanted to read something on the topic quickly just to see what was out there. I won’t say the book was life-changing, by any means – but the guy makes some pretty good points, and his writing style is far less dry than one might imagine.
The most interesting point he makes in the book is one of asymmetry in information security overall. What this means is that certain organizations and countries stand to be hurt significantly more than others in the case of “cyberwar”, or really any electronic attack scenario. This takes a number of factors into account, including:
- Overall dependence on the Internet and networks in general
- Capabilities to wage electronic warfare, both offensive and defensive
- “Connectedness” as a country or entity
For example, a country like North Korea is actually a very dangerous adversary in the potential case of an electronic conflict. They have very little in the way of connected assets, so they’re less worried about the damage we could do to them. On the flip side, we are extremely dependent on networks and the Internet, and any attacks they launch could easily cripple many systems and capabilities we have. Although they may not have the total offensive capacity that the US has, they are at much less risk in terms of being impacted themselves, while still having a fairly competent offense. Not a good scenario. The same applies for countries like Russia and China – both stand to gain more than they lose, in all likelihood, especially given the current state of defensive measures for critical infrastructure like the electric grid.
Asymmetry is not a new concept in warfare theory, by any means. Nor is nonlinearity (basically think predictability of outcome based on input factors). However, I think there are some interesting points to muse about for all of us in infosec, not just those in the military. Our industry has been pissing and moaning about “change” for a while now, which I am definitely fed up with up (as this post of mine states pretty clearly). There are certainly things that would be NICE to see change – more focus on appsec, general computing users with a clue, less bullshit in general (read: APT). But overall, our problem is one of asymmetry – attackers have MUCH more to gain by attacking us, and really very little to lose based on a) current electronic crime law and precedent, and b) the fact that many of the attackers are in countries where they’re likely to never be found. In general, though, our best offense is a good defense. We can’t legally “hack back” and cause damage to attackers’ systems in almost every case. What we can control is the difficulty of hacking us. And that’s where we should focus our time, making ourselves less attractive as a target. You’re probably saying, “But Dave – that’s what we ARE doing.” Cool. Then what needs to change again, exactly